“Congress shall make no law re­spect­ing an es­tab­lish­ment of re­li­gion, or pro­hibit­ing the free ex­er­cise thereof; or abridg­ing the free­dom of speech, or of the press; or the right of the peo­ple peace­ably to as­sem­ble, and to pe­ti­tion the Government for a re­dress of griev­ances.” -U. S. Constitution, First Amendment.

In an ad­dress to Congress this month, President Trump claimed he had “brought free speech back to America.” But barely two months into his sec­ond term, the pres­i­dent has waged an un­prece­dented at­tack on the First Amendment rights of jour­nal­ists, stu­dents, uni­ver­si­ties, gov­ern­ment work­ers, lawyers and judges.

This story ex­plores a slew of re­cent ac­tions by the Trump ad­min­is­tra­tion that threaten to un­der­mine all five pil­lars of the First Amendment to the U. S. Constitution, which guar­an­tees free­doms con­cern­ing speech, re­li­gion, the me­dia, the right to as­sem­bly, and the right to pe­ti­tion the gov­ern­ment and seek re­dress for wrongs.

The right to pe­ti­tion al­lows cit­i­zens to com­mu­ni­cate with the gov­ern­ment, whether to com­plain, re­quest ac­tion, or share view­points — with­out fear of reprisal. But that right is be­ing as­saulted by this ad­min­is­tra­tion on mul­ti­ple lev­els. For starters, many GOP law­mak­ers are now heed­ing their lead­er­ship’s ad­vice to stay away from lo­cal town hall meet­ings and avoid the wrath of con­stituents af­fected by the ad­min­is­tra­tion’s many fed­eral bud­get and work­force cuts.

Another ex­am­ple: President Trump re­cently fired most of the peo­ple in­volved in pro­cess­ing Freedom of Information Act (FOIA) re­quests for gov­ern­ment agen­cies. FOIA is an in­dis­pens­able tool used by jour­nal­ists and the pub­lic to re­quest gov­ern­ment records, and to hold lead­ers ac­count­able.

The biggest story by far this week was the bomb­shell from The Atlantic ed­i­tor Jeffrey Goldberg, who re­counted how he was in­ad­ver­tently added to a Signal group chat with National Security Advisor Michael Waltz and 16 other Trump ad­min­is­tra­tion of­fi­cials dis­cussing plans for an up­com­ing at­tack on Yemen.

One over­looked as­pect of Goldberg’s in­cred­i­ble ac­count is that by plan­ning and co­or­di­nat­ing the at­tack on Signal — which fea­tures mes­sages that can auto-delete af­ter a short time — ad­min­is­tra­tion of­fi­cials were ev­i­dently seek­ing a way to avoid cre­at­ing a last­ing (and po­ten­tially FOIA-able) record of their de­lib­er­a­tions.

“Intentional or not, use of Signal in this con­text was an act of era­sure—be­cause with­out Jeffrey Goldberg be­ing ac­ci­den­tally added to the list, the gen­eral pub­lic would never have any record of these com­mu­ni­ca­tions or any way to know they even oc­curred,” Tony Bradley wrote this week at Forbes.

Petitioning the gov­ern­ment, par­tic­u­larly when it ig­nores your re­quests, of­ten re­quires chal­leng­ing fed­eral agen­cies in court. But that be­comes far more dif­fi­cult if the most com­pe­tent law firms start to shy away from cases that may in­volve cross­ing the pres­i­dent and his ad­min­is­tra­tion.

On March 22, the pres­i­dent is­sued a mem­o­ran­dum that di­rects heads of the Justice and Homeland Security Departments to “seek sanc­tions against at­tor­neys and law firms who en­gage in friv­o­lous, un­rea­son­able and vex­a­tious lit­i­ga­tion against the United States,” or in mat­ters that come be­fore fed­eral agen­cies.

The POTUS re­cently is­sued sev­eral ex­ec­u­tive or­ders rail­ing against spe­cific law firms with at­tor­neys who worked le­gal cases against him. On Friday, the pres­i­dent an­nounced that the law firm of Skadden, Arps, Slate, Meager & Flom had agreed to pro­vide $100 mil­lion in pro bono work on is­sues that he sup­ports.

Trump is­sued an­other or­der nam­ing the firm Paul, Weiss, Rifkind, Wharton & Garrison, which ul­ti­mately agreed to pledge $40 mil­lion in pro bono le­gal ser­vices to the pres­i­den­t’s causes.

Other Trump ex­ec­u­tive or­ders tar­geted law firms Jenner & Block and WilmerHale, both of which have at­tor­neys that worked with spe­cial coun­sel Robert Mueller on the in­ves­ti­ga­tion into Russian in­ter­fer­ence in the 2016 elec­tion. But this week, two fed­eral judges in sep­a­rate rul­ings froze parts of those or­ders.

“There is no doubt this re­tal­ia­tory ac­tion chills speech and le­gal ad­vo­cacy, and that is qual­i­fied as a con­sti­tu­tional harm,” wrote Judge Richard Leon, who ruled against the ex­ec­u­tive or­der tar­get­ing WilmerHale.

President Trump re­cently took the ex­tra­or­di­nary step of call­ing for the im­peach­ment of fed­eral judges who rule against the ad­min­is­tra­tion. Trump called U. S. District Judge James Boasberg a “Radical Left Lunatic” and urged he be re­moved from of­fice for block­ing de­por­ta­tion of Venezuelan al­leged gang mem­bers un­der a rarely in­voked wartime le­gal au­thor­ity.

In a rare pub­lic re­buke to a sit­ting pres­i­dent, U. S. Supreme Court Justice John Roberts is­sued a state­ment on March 18 point­ing out that “For more than two cen­turies, it has been es­tab­lished that im­peach­ment is not an ap­pro­pri­ate re­sponse to dis­agree­ment con­cern­ing a ju­di­cial de­ci­sion.”

The U. S. Constitution pro­vides that judges can be re­moved from of­fice only through im­peach­ment by the House of Representatives and con­vic­tion by the Senate. The Constitution also states that judges’ salaries can­not be re­duced while they are in of­fice.

Undeterred, House Speaker Mike Johnson this week sug­gested the ad­min­is­tra­tion could still use the power of its purse to keep courts in line, and even floated the idea of whole­sale elim­i­nat­ing fed­eral courts.

“We do have au­thor­ity over the fed­eral courts as you know,” Johnson said. “We can elim­i­nate an en­tire dis­trict court. We have power of fund­ing over the courts, and all these other things. But des­per­ate times call for des­per­ate mea­sures, and Congress is go­ing to act, so stay tuned for that.”

President Trump has taken a num­ber of ac­tions to dis­cour­age law­ful demon­stra­tions at uni­ver­si­ties and col­leges across the coun­try, threat­en­ing to cut fed­eral fund­ing for any col­lege that sup­ports protests he deems “illegal.”

A Trump ex­ec­u­tive or­der in January out­lined a broad fed­eral crack­down on what he called “the ex­plo­sion of an­ti­semitism” on U. S. col­lege cam­puses. This ad­min­is­tra­tion has as­serted that for­eign stu­dents who are law­fully in the United States on visas do not en­joy the same free speech or due process rights as cit­i­zens.

Reuters re­ports that the act­ing civil rights di­rec­tor at the Department of Education on March 10 sent let­ters to 60 ed­u­ca­tional in­sti­tu­tions warn­ing they could lose fed­eral fund­ing if they don’t do more to com­bat anti-semi­tism. On March 20, Trump is­sued an or­der call­ing for the clo­sure of the Education Department.

Meanwhile, U. S. Immigration and Customs Enforcement (ICE) agents have been de­tain­ing and try­ing to de­port pro-Pales­tin­ian stu­dents who are legally in the United States. The ad­min­is­tra­tion is tar­get­ing stu­dents and aca­d­e­mics who spoke out against Israel’s at­tacks on Gaza, or who were ac­tive in cam­pus protests against U.S. sup­port for the at­tacks. Secretary of State Marco Rubio told re­porters Thursday that at least 300 for­eign stu­dents have seen their visas re­voked un­der President Trump, a far higher num­ber than was pre­vi­ously known.

In his first term, Trump threat­ened to use the na­tional guard or the U. S. mil­i­tary to deal with pro­test­ers, and in cam­paign­ing for re-elec­tion he promised to re­visit the idea.

“I think the big­ger prob­lem is the en­emy from within,” Trump told Fox News in October 2024. “We have some very bad peo­ple. We have some sick peo­ple, rad­i­cal left lu­natics. And I think they’re the big — and it should be very eas­ily han­dled by, if nec­es­sary, by National Guard, or if re­ally nec­es­sary, by the mil­i­tary, be­cause they can’t let that hap­pen.”

This term, Trump acted swiftly to re­move the top ju­di­cial ad­vo­cates in the armed forces who would al­most cer­tainly push back on any re­quest by the pres­i­dent to use U. S. sol­diers in an ef­fort to quell pub­lic protests, or to ar­rest and de­tain im­mi­grants. In late February, the pres­i­dent and Defense Secretary Pete Hegseth fired the top le­gal of­fi­cers for the mil­i­tary ser­vices — those re­spon­si­ble for en­sur­ing the Uniform Code of Military Justice is fol­lowed by com­man­ders.

Military.com warns that the purge “sets an alarm­ing prece­dent for a cru­cial job in the mil­i­tary, as President Donald Trump has mused about us­ing the mil­i­tary in un­ortho­dox and po­ten­tially il­le­gal ways.” Hegseth told re­porters the re­movals were nec­es­sary be­cause he did­n’t want them to pose any “roadblocks to or­ders that are given by a com­man­der in chief.”

President Trump has sued a num­ber of U. S. news out­lets, in­clud­ing 60 Minutes, CNN, The Washington Post, The New York Times and other smaller me­dia or­ga­ni­za­tions for un­flat­ter­ing cov­er­age.

In a $10 bil­lion law­suit against 60 Minutes and its par­ent Paramount, Trump claims they se­lec­tively edited an in­ter­view with for­mer Vice President Kamala Harris prior to the 2024 elec­tion. The TV news show last month pub­lished tran­scripts of the in­ter­view at the heart of the dis­pute, but Paramount is re­port­edly con­sid­er­ing a set­tle­ment to avoid po­ten­tially dam­ag­ing its chances of win­ning the ad­min­is­tra­tion’s ap­proval for a pend­ing multi­bil­lion-dol­lar merger.

The pres­i­dent sued The Des Moines Register and its par­ent com­pany, Gannett, for pub­lish­ing a poll show­ing Trump trail­ing Harris in the 2024 pres­i­den­tial elec­tion in Iowa (a state that went for Trump). The POTUS also is su­ing the Pulitzer Prize board over 2018 awards given to The New York Times and The Washington Post for their cov­er­age of pur­ported Russian in­ter­fer­ence in the 2016 elec­tion.

Whether or not any of the pres­i­den­t’s law­suits against news or­ga­ni­za­tions have merit or suc­ceed is al­most be­side the point. The strat­egy be­hind su­ing the me­dia is to make re­porters and news­rooms think twice about crit­i­ciz­ing or chal­leng­ing the pres­i­dent and his ad­min­is­tra­tion. The pres­i­dent also knows some me­dia out­lets will find it more ex­pe­di­ent to set­tle.

Trump also sued ABC News and George Stephanopoulos for stat­ing that the pres­i­dent had been found li­able for “rape” in a civil case [Trump was found li­able of sex­u­ally abus­ing and de­fam­ing E. Jean Carroll]. ABC par­ent Disney set­tled that claim by agree­ing to do­nate $15 mil­lion to the Trump Presidential Library.

Following the at­tack on the U. S. Capitol on Jan. 6, 2021, Facebook blocked President Trump’s ac­count. Trump sued Meta, and af­ter the pres­i­den­t’s vic­tory in 2024 Meta set­tled and agreed to pay Trump $25 mil­lion: $22 mil­lion would go to his pres­i­den­tial li­brary, and the rest to le­gal fees. Meta CEO Mark Zuckerberg also an­nounced Facebook and Instagram would get rid of fact-check­ers and rely in­stead on reader-sub­mit­ted “community notes” to de­bunk dis­in­for­ma­tion on the so­cial me­dia plat­form.

Brendan Carr, the pres­i­den­t’s pick to run the Federal Communications Commission (FCC), has pledged to “dismantle the cen­sor­ship car­tel and re­store free speech rights for every­day Americans.” But on January 22, 2025, the FCC re­opened com­plaints against ABC, CBS and NBC over their cov­er­age of the 2024 elec­tion. The pre­vi­ous FCC chair had dis­missed the com­plaints as at­tacks on the First Amendment and an at­tempt to weaponize the agency for po­lit­i­cal pur­poses.

According to Reuters, the com­plaints call for an in­ves­ti­ga­tion into how ABC News mod­er­ated the pre-elec­tion TV de­bate be­tween Trump and Biden, and ap­pear­ances of then-Vice President Harris on 60 Minutes and on NBC’s “Saturday Night Live.”

Since then, the FCC has opened in­ves­ti­ga­tions into NPR and PBS, al­leg­ing that they are break­ing spon­sor­ship rules. The Center for Democracy & Technology (CDT), a think tank based in Washington, D. C., noted that the FCC is also in­ves­ti­gat­ing KCBS in San Francisco for re­port­ing on the lo­ca­tion of fed­eral im­mi­gra­tion au­thor­i­ties.

“Even if these in­ves­ti­ga­tions are ul­ti­mately closed with­out ac­tion, the mere fact of open­ing them — and the im­plicit threat to the news sta­tions’ li­cense to op­er­ate — can have the ef­fect of de­ter­ring the press from news cov­er­age that the Administration dis­likes,” the CDT’s Kate Ruane ob­served.

Trump has re­peat­edly threat­ened to “open up” li­bel laws, with the goal of mak­ing it eas­ier to sue me­dia or­ga­ni­za­tions for un­fa­vor­able cov­er­age. But this week, the U. S. Supreme Court de­clined to hear a chal­lenge brought by Trump donor and Las Vegas casino mag­nate Steve Wynn to over­turn the land­mark 1964 de­ci­sion in New York Times v. Sullivan, which in­su­lates the press from li­bel suits over good-faith crit­i­cism of pub­lic fig­ures.

The pres­i­dent also has in­sisted on pick­ing which re­porters and news out­lets should be al­lowed to cover White House events and par­tic­i­pate in the press pool that trails the pres­i­dent. He barred the Associated Press from the White House and Air Force One over their re­fusal to call the Gulf of Mexico by an­other name.

And the Defense Department has or­dered a num­ber of top me­dia out­lets to va­cate their spots at the Pentagon, in­clud­ing CNN, The Hill, The Washington Post, The New York Times, NBC News, Politico and National Public Radio.

“Incoming me­dia out­lets in­clude the New York Post, Breitbart, the Washington Examiner, the Free Press, the Daily Caller, Newsmax, the Huffington Post and One America News Network, most of whom are seen as con­ser­v­a­tive or fa­vor­ing Republican President Donald Trump,” Reuters re­ported.

Shortly af­ter Trump took of­fice again in January 2025, the ad­min­is­tra­tion be­gan cir­cu­lat­ing lists of hun­dreds of words that gov­ern­ment staff and agen­cies shall not use in their re­ports and com­mu­ni­ca­tions.

The Brookings Institution notes that in mov­ing to com­ply with this anti-speech di­rec­tive, fed­eral agen­cies have purged count­less tax­payer-funded data sets from a swathe of gov­ern­ment web­sites, in­clud­ing data on crime, sex­ual ori­en­ta­tion, gen­der, ed­u­ca­tion, cli­mate, and global de­vel­op­ment.

The New York Times re­ports that in the past two months, hun­dreds of ter­abytes of dig­i­tal re­sources an­a­lyz­ing data have been taken off gov­ern­ment web­sites.

“While in many cases the un­der­ly­ing data still ex­ists, the tools that make it pos­si­ble for the pub­lic and re­searchers to use that data have been re­moved,” The Times wrote.

On Jan. 27, Trump is­sued a memo (PDF) that paused all fed­er­ally funded pro­grams pend­ing a re­view of those pro­grams for align­ment with the ad­min­is­tra­tion’s pri­or­i­ties. Among those was en­sur­ing that no fund­ing goes to­ward ad­vanc­ing “Marxist eq­uity, trans­gen­derism, and green new deal so­cial en­gi­neer­ing poli­cies.”

According to the CDT, this or­der is a bla­tant at­tempt to force gov­ern­ment grantees to cease en­gag­ing in speech that the cur­rent ad­min­is­tra­tion dis­likes, in­clud­ing speech about the ben­e­fits of di­ver­sity, cli­mate change, and LGBTQ is­sues.

“The First Amendment does not per­mit the gov­ern­ment to dis­crim­i­nate against grantees be­cause it does not like some of the view­points they es­pouse,” the CDT’s Ruane wrote. “Indeed, those groups that are chal­leng­ing the con­sti­tu­tion­al­ity of the or­der ar­gued as much in their com­plaint, and have won an in­junc­tion block­ing its im­ple­men­ta­tion.”

On January 20, the same day Trump is­sued an ex­ec­u­tive or­der on free speech, the pres­i­dent also is­sued an ex­ec­u­tive or­der ti­tled “Reevaluating and Realigning United States Foreign Aid,” which froze fund­ing for pro­grams run by the U. S. Agency for International Development (USAID). Among those were pro­grams de­signed to em­power civil so­ci­ety and hu­man rights groups, jour­nal­ists and oth­ers re­spond­ing to dig­i­tal re­pres­sion and Internet shut­downs.

According to the Electronic Frontier Foundation (EFF), this in­cludes many free­dom tech­nolo­gies that use cryp­tog­ra­phy, fight cen­sor­ship, pro­tect free­dom of speech, pri­vacy and anonymity for mil­lions of peo­ple around the world.

“While the State Department has is­sued some lim­ited waivers, so far those waivers do not seem to cover the open source in­ter­net free­dom tech­nolo­gies,” the EFF wrote about the USAID dis­rup­tions. “As a re­sult, many of these pro­jects have to stop or se­verely cur­tail their work, lay off tal­ented work­ers, and stop or slow fur­ther de­vel­op­ment.”

On March 14, the pres­i­dent signed an­other ex­ec­u­tive or­der that ef­fec­tively gut­ted the U. S. Agency for Global Media (USAGM), which over­sees or funds me­dia out­lets in­clud­ing Radio Free Europe/Radio Liberty and Voice of America (VOA). The USAGM also over­sees Radio Free Asia, which sup­port­ers say has been one of the most re­li­able tools used by the gov­ern­ment to com­bat Chinese pro­pa­ganda.

But this week, U. S. District Court Judge Royce Lamberth, a Reagan ap­pointee, tem­porar­ily blocked USAGM’s clo­sure by the ad­min­is­tra­tion.

“RFE/RL has, for decades, op­er­ated as one of the or­ga­ni­za­tions that Congress has statu­to­rily des­ig­nated to carry out this pol­icy,” Lamberth wrote in a 10-page opin­ion. “The lead­er­ship of USAGM can­not, with one sen­tence of rea­son­ing of­fer­ing vir­tu­ally no ex­pla­na­tion, force RFE/RL to shut down — even if the President has told them to do so.”

The Trump ad­min­is­tra­tion re­scinded a decades-old pol­icy that in­structed of­fi­cers not to take im­mi­gra­tion en­force­ment ac­tions in or near “sensitive” or “protected” places, such as churches, schools, and hos­pi­tals.

That di­rec­tive was im­me­di­ately chal­lenged in a case brought by a group of Quakers, Baptists and Sikhs, who ar­gued the pol­icy re­ver­sal was keep­ing peo­ple from at­tend­ing ser­vices for fear of be­ing ar­rested on civil im­mi­gra­tion vi­o­la­tions. On Feb. 24, a fed­eral judge agreed and blocked ICE agents from en­ter­ing churches or tar­get­ing mi­grants nearby.

The pres­i­den­t’s ex­ec­u­tive or­der al­legedly ad­dress­ing an­ti­semitism came with a fact sheet that de­scribed col­lege cam­puses as “infested” with “terrorists” and “jihadists.” Multiple faith groups ex­pressed alarm over the or­der, say­ing it at­tempts to weaponize an­ti­semitism and pro­mote “dehumanizing anti-im­mi­grant poli­cies.”

The pres­i­dent also an­nounced the cre­ation of a “Task Force to Eradicate Anti-Christian Bias,” to be led by Attorney General Pam Bondi. Never mind that Christianity is eas­ily the largest faith in America and that Christians are well-rep­re­sented in Congress.

The Rev. Paul Brandeis Raushenbush, a Baptist min­is­ter and head of the pro­gres­sive Interfaith Alliance, is­sued a state­ment ac­cus­ing Trump of hypocrisy in claim­ing to cham­pion re­li­gion by cre­at­ing the task force.

“From al­low­ing im­mi­gra­tion raids in churches, to tar­get­ing faith-based char­i­ties, to sup­press­ing re­li­gious di­ver­sity, the Trump Administration’s ag­gres­sive gov­ern­ment over­reach is in­fring­ing on re­li­gious free­dom in a way we haven’t seen for gen­er­a­tions,” Raushenbush said.

A state­ment from Americans United for Separation of Church and State said the task force could lead to re­li­gious per­se­cu­tion of those with other faiths.

“Rather than pro­tect­ing re­li­gious be­liefs, this task force will mis­use re­li­gious free­dom to jus­tify big­otry, dis­crim­i­na­tion, and the sub­ver­sion of our civil rights laws,” said Rachel Laser, the group’s pres­i­dent and CEO.

Where is President Trump go­ing with all these bla­tant at­tacks on the First Amendment? The pres­i­dent has made no se­cret of his af­fec­tion for au­to­cratic lead­ers and “strongmen” around the world, and he is par­tic­u­larly en­am­ored with Hungary’s far-right Prime Minister Viktor Orbán, who has vis­ited Trump’s Mar-a-Lago re­sort twice in the past year.

A March 15 es­say in The Atlantic by Hungarian in­ves­tiga­tive jour­nal­ist András Pethő re­counts how Orbán rose to power by con­sol­i­dat­ing con­trol over the courts, and by build­ing his own me­dia uni­verse while si­mul­ta­ne­ously plac­ing a stran­gle­hold on the in­de­pen­dent press.

“As I watch from afar what’s hap­pen­ing to the free press in the United States dur­ing the first weeks of Trump’s sec­ond pres­i­dency — the ver­bal bul­ly­ing, the le­gal ha­rass­ment, the buck­ling by me­dia own­ers in the face of threats — it all looks very fa­mil­iar,” Pethő wrote. “The MAGA au­thor­i­ties have learned Orbán’s lessons well.”

Until a few years ago, any app you in­stalled on an Android de­vice could see all other apps on your phone with­out your per­mis­sion.

Since 2022, with Android 11, Google re­moved this ac­cess from app de­vel­op­ers. Under their new pack­age vis­i­bil­ity pol­icy, apps should only see other in­stalled apps if it’s es­sen­tial to their core func­tion­al­ity. Developers must also ex­plic­itly de­clare these apps in the AndroidManifest.xml file - a re­quired con­fig­u­ra­tion file for all Android apps.

For ex­tremely spe­cific use cases such as file man­agers, browsers or an­tivirus apps, Google grants an ex­cep­tion by al­low­ing QUERY_ALL_PACKAGES per­mis­sion, which pro­vides full vis­i­bil­ity into in­stalled apps.

I don’t use Android as my pri­mary phone, but I have a spare one and I was re­ally cu­ri­ous to find out which apps from Indian com­pa­nies had checks to see what other apps I had in­stalled.

So I down­loaded a few dozen Indian apps I could think of on top of my head and started read­ing their man­i­fest files. Surely they will be re­spect­ful of my pri­vacy and will only query apps es­sen­tial to their ap­p’s core func­tion­al­ity? 🙃

It’s worth ac­knowl­edg­ing that there are some le­git­i­mate rea­sons for an app to check which other apps are in­stalled on your phone. For ex­am­ple, an app might check which UPI apps are in­stalled to show rel­e­vant pay­ment op­tions. Most of the man­i­fest files I ex­am­ined in­cluded checks for these apps. Some also looked for app cloning or multi-ac­count apps, likely for se­cu­rity and fraud de­tec­tion. All ac­cept­able use cases.

But a few Indian com­pa­nies went above and be­yond with these checks. Let’s start with Swiggy. It has a stag­ger­ing 154 pack­age names listed in its man­i­fest file, al­low­ing it to query those apps on my phone. Here’s the full list:

I don’t even know where to be­gin un­pack­ing this mad­ness. How is know­ing whether I have the Xbox or the Playstation app in­stalled on my phone es­sen­tial to their Swiggy’s core func­tion­al­ity? How will know­ing if I have the Naukri or Upstox app help them de­liver gro­ceries to my doorstep?

The wide range of cat­e­gories of apps in this list strongly sug­gests Swiggy is col­lect­ing in­stalled apps data for user pro­fil­ing and to build a be­hav­ioural pro­file of their cus­tomers. This seems to be against Play Store’s poli­cies which con­sid­ers the list of in­stalled apps to be per­sonal and sen­si­tive user data.

This re­minded me of that ppt from Blume Ventures - the one that blue tick twit­ter ac­counts liv­ing in cer­tain pin codes of Bengaluru pas­sion­ately dis­cuss amongst them­selves for a week every year. It had this in­ter­est­ing slide on apps used by dif­fer­ent Indias:

Swiggy queries most of these apps and more on your phone. It not only knows which India you be­long to, but it can pin­point ex­actly where you fall within it.

Let’s talk about an­other app now, and it’s the usual sus­pect, the undis­puted cham­pion of ass­hole de­sign - Zepto. They have listed 165 apps to check for on your de­vice.

From Netflix to Bumble to Binance, the list in­cludes nearly every pop­u­lar app across all cat­e­gories. There were re­cent re­ports of Zepto dis­play­ing dif­fer­ent prices for iOS and Android users. With the help of this data, they can also show dif­fer­ent pric­ing for dif­fer­ent Android phones, which some cus­tomers are al­ready see­ing.

Even though Swiggy and Zepto have to de­clare these apps to query in the man­i­fest file, as a user, you have no vis­i­bil­ity into this list when you down­load their apps from the Play Store.

I also an­a­lyzed Swiggy and Zepto’s apps for their de­liv­ery rid­ers. The app query list is dif­fer­ent from their con­sumer apps. Both in­clude checks to see which other com­pa­nies their rid­ers work for. Here’s Zepto’s list:

But Swiggy takes it a step fur­ther - it also checks for per­sonal loan apps, per­sonal fi­nance apps, and even keeps tabs on apps like like Ludo King or Carrom Pool on their de­liv­ery rid­ers’ phones.

Can’t we even play Ludo in peace with­out be­ing spied on by our em­ploy­ers? Does even down­time need to be tracked by Swiggy? It’s em­bar­rass­ing that Swiggy feels the need to in­clude these ridicu­lous app queries on their de­liv­ery rid­ers’ phones.

Speaking of per­sonal loan apps in India, their preda­tory prac­tices are well doc­u­mented. A cou­ple of years ago, there was a ma­jor crack­down that led to the re­moval of thou­sands of such apps from the Play Store. I took a look at some that still ex­ist.

Kreditbee is listed as one of the top apps in the per­sonal loans space on the play store with over 50 mil­lion down­loads. And can you be­lieve their app checks for 860 apps in­stalled on your phone? 860!!! I am sorry you may have to squint or zoom in a lit­tle to view this list.

I only skimmed through this list - there are just too many apps. I hope some­one read­ing this can do a thor­ough analy­sis. It’s prob­a­bly be­cause of the bub­ble I live in, but I had­n’t even heard of most of these apps. Even though most of them have tens of mil­lions of down­loads.

Beyond the usual cat­e­gories, I see there are checks for apps like Tamil Calendar, Odia Calendar, Qibla Direction Finder, mandir apps, as­trol­ogy apps. They know what they’re do­ing.

There is “Jodii for Diploma, +2,10 be­low”, a mat­ri­mony app for those who haven’t grad­u­ated high school. It has 10M+ down­loads.

Then there is also “गाय भैंस खरीदें बेचें Animall” (cow buy/​sell mar­ket­place?) which also has more than 10M down­loads.

This list of apps is a win­dow into how a large part of India uses their phones - their daily lives, habits, and pri­or­i­ties.

Another lead­ing per­sonal loan app, Moneyview, with over 50 mil­lion down­loads, has in­cluded checks for a stag­ger­ing 944 apps in its man­i­fest file - the high­est among all the apps I ex­am­ined. I am not in­clud­ing it in this post, you can read the full list here.

I’m sur­prised KreditBee and Moneyview apps passed the Play Store’s re­view. Play Store pol­icy ex­plic­itly re­stricts per­sonal loan apps from us­ing the QUERY_ALL_PACKAGES per­mis­sion. But these apps are by­pass­ing this re­stric­tion by in­di­vid­u­ally list­ing every app they want to de­tect in their man­i­fest file in­stead.

I found only one man­i­fest file which had the high-risk and sen­si­tive QUERY_ALL_PACKAGES per­mis­sion - it was Cred’s. Play Store grants a “temporary ex­cep­tion” to in­clude this per­mis­sion if apps have “a ver­i­fi­able core pur­pose fa­cil­i­tat­ing fi­nan­cial-trans­ac­tions in­volv­ing fi­nan­cially reg­u­lated in­stru­ments”.

But none of the other apps in the same seg­ment as Cred I an­a­lyzed like PhonePe or PayTM had this per­mis­sion in their man­i­fest files. In fact, Cred of­fers per­sonal loans too which as per Play Store’s Personal loans pol­icy, is not el­i­gi­ble for this ex­cep­tion. Not sure how Cred is still al­lowed to keep this per­mis­sion, which lets it see all the apps on your phone with­out any dis­clo­sures.

I read the man­i­fest files of around 50 pop­u­lar apps from Indian com­pa­nies. Apart from Swiggy, Zepto, Cred, and a cou­ple of per­sonal loan apps, most had fairly rea­son­able and re­spect­ful app query lists.

Guess I ex­pected worse. Maybe I am too cyn­i­cal about these apps - could they ac­tu­ally be the good guys? 🙃

As I was about to con­clude this ex­er­cise, I no­ticed a cou­ple of in­ter­est­ing lines when I was skim­ming through the man­i­fest file of one of the apps:

I am no ex­pert in Android de­vel­op­ment, but from what I un­der­stand, the “ACTION_MAIN” fil­ter in the con­fig­u­ra­tion above al­lows vis­i­bil­ity to all in­stalled apps that, sim­ply put, have a screen.

Since most in­stalled apps run in the fore­ground and have a user in­ter­face, this fil­ter grants de­vel­op­ers ac­cess to see all the apps on your phone - with­out need­ing the QUERY_ALL_PACKAGES per­mis­sion!

To be sure, I vibe co — I can’t say it with­out winc­ing — I vibe coded a ba­sic an­droid app and added the same “ACTION_MAIN” fil­ter in my man­i­fest file. And when I queried for in­stalled pack­ages, just as ex­pected, this lit­tle hack re­turned a list of all the apps on my phone!!!

This seems like a mas­sive pri­vacy loop­hole in Android. Surely Play Store would re­ject apps that use this hack as this is a bla­tant vi­o­la­tion of their store’s user data pol­icy?

Out of 47 Indian apps I ran­domly an­a­lyzed, 31 of them used the “ACTION_MAIN” fil­ter - giv­ing them ac­cess to see all the apps on your phone with­out any dis­clo­sure. That’s 2 out of 3 apps.

Apps that don’t use this hack:

Even fuck­ing Ludo King has this in its man­i­fest file. So most Indian com­pa­nies can ac­tu­ally see all the apps on your phone - they’re just sneakier about it than the likes of Swiggy and Zepto. So much for be­ing the good guys.

In fact, Swiggy has got this fil­ter con­fig too, yet it still chooses to ex­plic­itly lists the apps it queries when it could just as eas­ily do this dis­creetly be­hind closed doors like oth­ers. But I’m not com­plain­ing. This over­sight from them gives a glimpse into Swiggy’s data col­lec­tion prac­tices. If Google had en­forced this pol­icy prop­erly, we might have had sim­i­lar vis­i­bil­ity into other com­pa­nies as well.

All the man­i­fest files I read are in my Github. The ma­jor­ity were down­loaded on March 18 or 19.

This hack is­n’t ex­clu­sively used by apps from Indian com­pa­nies. I checked the man­i­fest files of some other pop­u­lar apps. Facebook, Instagram, Snapchat, Subway Surfers, and Truecaller all have this con­fig. Meanwhile, Amazon, Spotify, X, Discord, and WhatsApp did­n’t. I did­n’t in­ves­ti­gate fur­ther be­yond these.

This makes me won­der, what was the whole pur­pose of Google’s pack­age vis­i­bil­ity pol­icy? It was sup­posed to pro­tect users, yet most apps seem to have found ways around it any­way.

And in­stalled app data is very sen­si­tive and per­sonal. In 2022, Vice re­ported that a data mar­ket­place called Narrative was sell­ing data on users who had down­loaded pe­riod-track­ing apps right af­ter news emerged that Roe v. Wade (which had fed­er­ally pro­tected abor­tion rights in the U. S.) could be over­turned. This is fright­en­ing to even think about.

Installed apps data is one data point. The ex­ten­sive set of per­mis­sions each and every one of these apps have in­cluded in their man­i­fest files, of­ten far be­yond what’s nec­es­sary is an­other can of worm for some­one else to open.

I’ll con­clude this post with a tiny ex­am­ple from Zepto. They ask for READ_SMS per­mis­sion. You can deny it, but it’s manda­tory if you sign up for Zepto Postpaid.

When you grant the per­mis­sion, this is the list of sender IDs they check for in your in­box:

Most of them are TRAI sender IDs of banks. They’re likely read­ing these for their Postpaid plan el­i­gi­bil­ity check. They can still read this even if you never opt for it. And look how they’ve sneaked in SMSes from Blinkit, Swiggy, Bigbasket, Flipkart too.

Their com­peti­tors are prob­a­bly do­ing the same, they just did­n’t leave be­hind such an ob­vi­ous trail of ev­i­dence in the app it­self.

The point is when any app gets per­mis­sions like READ_SMS, as users, we have no vis­i­bil­ity over when or what it’s ac­cess­ing.

Please re­mem­ber the next time you ca­su­ally in­stall an app on your Android de­vice, this in­for­ma­tion is be­ing broad­cast to the whole world. Data bro­kers will use it to pro­file you, cross-ref­er­ence it with data about you from other ad net­works and even­tu­ally it will be used to de­cide how much you’ll be asked to pay the next time you or­der a samosa.

Thank you for read­ing. In case you sub­scribed to this newslet­ter af­ter read­ing the “What’s in­side this QR code menu at this cafe?” post and can’t find it any­more. Here’s my tweet about it.

I am also on Bluesky.

A promi­nent com­puter sci­en­tist who has spent 20 years pub­lish­ing aca­d­e­mic pa­pers on cryp­tog­ra­phy, pri­vacy, and cy­ber­se­cu­rity has gone in­com­mu­ni­cado, had his pro­fes­sor pro­file, email ac­count, and phone num­ber re­moved by his em­ployer, Indiana University, and had his homes raided by the FBI. No one knows why.

Xiaofeng Wang has a long list of pres­ti­gious ti­tles. He was the as­so­ci­ate dean for re­search at Indiana University’s Luddy School of Informatics, Computing and Engineering, a fel­low at the Institute of Electrical and Electronics Engineers and the American Association for the Advancement of Science, and a tenured pro­fes­sor at Indiana University at Bloomington. According to his em­ployer, he has served as prin­ci­pal in­ves­ti­ga­tor on re­search pro­jects to­tal­ing nearly $23 mil­lion over his 21 years there.

He has also co-au­thored scores of aca­d­e­mic pa­pers on a di­verse range of re­search fields, in­clud­ing cryp­tog­ra­phy, sys­tems se­cu­rity, and data pri­vacy, in­clud­ing the pro­tec­tion of hu­man ge­nomic data. I have per­son­ally spo­ken to him on three oc­ca­sions for ar­ti­cles here, here, and here.

In re­cent weeks, Wang’s email ac­count, phone num­ber, and pro­file page at the Luddy School were qui­etly erased by his em­ployer. Over the same time, Indiana University also re­moved a pro­file for his wife, Nianli Ma, who was listed as a Lead Systems Analyst and Programmer at the uni­ver­si­ty’s Library Technologies di­vi­sion.

As re­ported by the Bloomingtonian and later the Herald-Times in Bloomington, a small fleet of un­marked cars dri­ven by gov­ern­ment agents de­scended on the Bloomington home of Wang and Ma on Friday. They spent most of the day go­ing in and out of the house and oc­ca­sion­ally trans­ferred boxes from their ve­hi­cles. TV sta­tion WTHR, mean­while, re­ported that a sec­ond home owned by Wang and Ma and lo­cated in Carmel, Indiana, was also searched. The sta­tion said that both a res­i­dent and an at­tor­ney for the res­i­dent were on scene dur­ing at least part of the search.

The same year Apple launched the iPhone, it un­veiled a mas­sive up­grade to Mac OS X known as Leopard, sport­ing “300 New Features.” Two years later, it did some­thing al­most un­heard of: it re­leased Snow Leopard, an up­grade all about how lit­tle it added and how much it took away. Apple needs to make it snow again.

Snow Leopard did what it was made to do. It was one of the most solid soft­ware re­leases Apple ever put out. I’d say one of the best mod­ern op­er­at­ing sys­tem re­leases, pe­riod.

After Apple’s fre­netic run of over­haul­ing and quickly it­er­at­ing on the en­tire Mac plat­form in the early 2000s, be­com­ing a ma­jor tech­nol­ogy player again with the iPod, mov­ing the Mac to a new proces­sor ar­chi­tec­ture (for the sec­ond of three times) and re­leas­ing the iPhone, it was time for de­tail work. 2009’s Snow Leopard was un­der­stated, but im­proved the un­der­ly­ing sys­tem while shrink­ing it in size by re­mov­ing out­dated ac­cre­tions.

In an era when peo­ple still paid money for op­er­at­ing sys­tem up­grades every few years (anyone else re­mem­ber stand­ing in line for Windows 95?), re­leas­ing an OS up­grade with­out huge new fea­tures was un­usual. But, it was the right idea and ce­mented one of the best eras of the Mac.

Nowadays, Apple in­cludes the sys­tem up­grades in the up­front cost of its com­put­ers, so the in­cen­tive to con­stantly roll out ten or twenty or three hun­dred “new fea­tures” should be lower. Inexplicably, since the com­pany adopted that no ex­tra charge, yearly re­lease ca­dence, it has seem­ingly been more ret­i­cent to do a dis­ci­plined “Snow” re­lease, no mat­ter how nec­es­sary.

The lat­est re­leases — MacOS Sequoia and iOS/​iPa­dOS 18 — are scream­ing for such a re­set. Yes, they work and are still smoother and less glitchy than Windows 11, but they feel like soft­ware de­vel­oped by peo­ple who don’t ac­tu­ally use that soft­ware. In the 22 years since I be­came a “switcher”, this is the worst state I can re­mem­ber Apple’s plat­forms be­ing in.

Some bugs are in­evitable with ma­jor re­leases, sure. The trou­bling as­pect is that many are eas­ily re­pro­ducible across de­vices and show up in high-traf­fic ar­eas, not just for­got­ten nooks. How do Apple’s en­gi­neers not no­tice these prob­lems?

Take Messages. Apple’s iMes­sage and SMS tool is an es­sen­tial app for com­mu­ni­ca­tion for me and, I sus­pect, the vast ma­jor­ity of Apple users. Since the re­lease of Sequoia last fall, one can no longer re­li­ably cut or copy text from the Mac app. Attempting to copy a mes­sage bub­ble is a game of roulette: the mes­sage may copy or it may not. Who knows un­til you try to paste! Select text in a mes­sage and at­tempt to copy a spe­cific part and it will copy… the whole mes­sage, not the se­lected por­tion. This is ba­sic, nailed-down-in-the-1980s func­tion­al­ity even my first PC could get right every time.

Surface-level prob­lems like this are joined by deeper struc­tural is­sues, such as how slow and bloated Messages is. Compared to other end-to-end en­crypted mes­sag­ing tools, Messages takes for­ever to syn­chro­nize if the com­puter has been off or with­out Internet for even a day. Nor does it give any in­di­ca­tion of an in­com­plete sync while it takes an hour or more to catch up. Meanwhile, I reg­u­larly catch it con­sum­ing 20-40% of a proces­sor core when idling.

This is not good.

On my lap­top, Mail, and any other tool that de­pends on MacOS’s se­cure net­work­ing li­braries, will at times refuse to con­nect to the nec­es­sary servers. Because the prob­lem is with some as­pect of the un­der­ly­ing sys­tem, noth­ing less than a full restart of my Mac will al­low con­nec­tions to flow again. Separately, Safari reg­u­larly has in­ter­nal com­po­nents jam up and silently pre­vent a tab or the whole browser from load­ing pages.

Neither are the glitches con­fined to the Mac. UI bugs are strewn across Apple’s mo­bile plat­forms, too. Messages on iPad, for ex­am­ple, will reg­u­larly lose its top nav­i­ga­tion bar, re­quir­ing a force quit of the app to get things work­ing again. The emoji picker on both the iPad and Mac reg­u­larly comes up blank or fails to pass through a se­lec­tion.

Then there are de­sign de­ci­sions that aren’t bugs, they’re just bad. System Settings is a per­fect case. For most of MacOS’s ex­is­tence, you could re­arrange a sec­ond dis­play’s lo­ca­tion in re­la­tion to the pri­mary dis­play sim­ply by go­ing into the System Preferences, click­ing on Displays and drag­ging the pic­tured dis­plays around. Now, coun­ter­in­tu­itively, the pic­ture of the dis­plays on this main screen are im­mov­able, with re­arrange­ment func­tion­al­ity hid­den be­hind a but­ton that leads to an­other win­dow.

That’d be an an­noy­ing step back­ward in the olden days, but it is worse in an era when an iPad can share the Mac’s mouse pointer and even dou­ble as a sec­ondary dis­play. Am I the only one who some­times has his iPad on the left of the Mac and some­times the right? Why make it harder to re­arrange dis­plays now?

I could walk item by item through System Settings and point out many equally in­ex­plic­a­ble de­ci­sions. Did any­one at Apple re­ally be­lieve a Mac user’s life would be bet­ter if com­mon fea­tures were buried deep in menus? Or that those menus would be bet­ter if de­signed with odd, glitchy in­ter­face arrange­ments more akin to web pages than a proper Mac app?

Then there’s the abom­i­na­tion that is the iOS and iPa­dOS Photos app. The pre­vi­ous re­lease was not per­fect, but it was good. The new re­lease buried quick ac­cess to func­tions such as fa­vorites. The first re­lease also de­faulted to show­ing all pho­tos and videos with huge mar­gins around them rather than us­ing the full screen. When is the last time you heard some­one say, “I sure hate when pho­tos fill my whole screen, I wish they’d put a big bor­der around them in­stead”? Meanwhile, nav­i­ga­tion items are non-stan­dard and rid­dled with in­con­sis­ten­cies — some­times there’s a back nav­i­ga­tion but­ton, some­times an “X,” some­times in one place, some­times in an­other — more akin to an Android app than a core part of iOS.

A year fo­cused on clean­ing up these and a thou­sand sim­i­lar is­sues big and small is the sin­gle step Apple could take that would most en­hance its prod­ucts.

This decade old video from Apple’s WWDC con­fer­ence sum­ma­rizes Steve Jobs’ phi­los­o­phy that “Innovation is say­ing no to 1,000 things.” This has ex­em­pli­fied Apple’s best mo­ments and been ab­sent dur­ing their worst.

This is not to say Apple’s plat­forms are with­out the need for up­dates. Apple is clearly be­hind on the AI arms race and the re­cent an­nounce­ment that Apple Intelligence’s most ex­cit­ing fea­tures are in­def­i­nitely de­layed in­stills lit­tle con­fi­dence the com­pany will soon catch up. John Gruber is right that Apple now seems to be pro­duc­ing con­cept videos of va­por­ware.

The com­pa­ny’s strug­gle to re­lease its most im­por­tant new fea­tures in years may be more than tan­gen­tially re­lated to every­thing I’ve be­moaned in this col­umn. Reports sug­gest Siri is ac­tu­ally di­vided into two dif­fer­ent sys­tems — the old, core, lim­ited Siri and a newer one for the lat­est fea­tures — be­cause they haven’t been able to pull off in­te­grat­ing them.

You can put beau­ti­ful new win­dows on your house when the wood is solid; when it is rot­ten, you need to re­place the rot­ted-out struc­ture first. Snow Leopard’s clean-up paved the way for years of solid, re­li­able up­grades to MacOS, in­clud­ing many of the flashy fea­tures we now take for granted.

I am not sug­gest­ing Apple has fallen be­hind Windows or Android. Changing a set­ting on Windows 11 can of­ten in­volve a jour­ney through three or four dif­fer­ent in­ter­face de­signs, ar­ti­facts of half-im­ple­mented changes dat­ing back to the last cen­tury. Whenever I find my­self stuck out­side of Appleland, I am ea­ger to re­turn “home,” flaws and all.

Yet, Apple’s prod­ucts gained loyal sup­port­ers like me be­cause their prod­ucts were pol­ished and “just worked.” They are mid­dle of the road to pre­mium of­fer­ings; it is no com­pli­ment when they are the “least bad” in­stead of the “best.” They should be bet­ter than the ex­pe­ri­ence on a $200 PC.

Apple is a com­pany with enor­mous re­sources. Apple has not wisely di­rected some, sig­nif­i­cant por­tion of those re­sources in re­cent years. An ill-ad­vised fo­cus on the far-fetched Vision Pro oc­cu­pied Apple when it should have seen AI rac­ing into the main­stream. I lamented that nearly two years ago. Having squan­dered its lead go­ing the wrong di­rec­tion, Apple’s temp­ta­tion could now be to ig­nore the in­fra­struc­ture rot and sim­ply keep try­ing to bolt on catchup fea­tures with­out fix­ing what’s al­ready bro­ken.

With the com­pa­ny’s size and re­sources, though, this need­n’t be a call to fall even fur­ther be­hind on AI. Apple could eas­ily have its core op­er­at­ing sys­tem team fo­cused on clean up re­leases of its op­er­at­ing sys­tems even while its AI team tried to find its foot­ing.

AI or no-AI, spring clean­ing would make the Mac, iPhone and iPad re­ally shine. If Apple Intelligence can get caught up, so much the bet­ter: the soft­ware around it won’t get in the way.

Full Disclosure: Tim does own some Apple (AAPL) and Microsoft (MSFT) stock.

In just a few months, de­vel­op­ers fixed over 700 re­ported is­sues, re­vis­ited old bug re­ports, and ad­dressed un­re­ported prob­lems.

Alongside bug fixes, Winter of Quality also in­cluded tack­ling tech­ni­cal debt and im­prov­ing doc­u­men­ta­tion.

The Model con­text pro­to­col (aka MCP) is a way to pro­vide tools and con­text to the LLM. From the MCP docs:

MCP is an open pro­to­col that stan­dard­izes how ap­pli­ca­tions pro­vide con­text to LLMs. Think of MCP like a USB-C port for AI ap­pli­ca­tions. Just as USB-C pro­vides a stan­dard­ized way to con­nect your de­vices to var­i­ous pe­riph­er­als and ac­ces­sories, MCP pro­vides a stan­dard­ized way to con­nect AI mod­els to dif­fer­ent data sources and tools.

The Agents SDK has sup­port for MCP. This en­ables you to use a wide range of MCP servers to pro­vide tools to your Agents.

Currently, the MCP spec de­fines two kinds of servers, based on the trans­port mech­a­nism they use:

stdio servers run as a sub­process of your ap­pli­ca­tion. You can think of them as run­ning “locally”.

HTTP over SSE servers run re­motely. You con­nect to them via a URL.

You can use the MCPServerStdio and MCPServerSse classes to con­nect to these servers.

For ex­am­ple, this is how you’d use the of­fi­cial MCP filesys­tem server.

MCP servers can be added to Agents. The Agents SDK will call list_­tools() on the MCP servers each time the Agent is run. This makes the LLM aware of the MCP server’s tools. When the LLM calls a tool from an MCP server, the SDK calls cal­l_­tool() on that server.

Every time an Agent runs, it calls list_­tools() on the MCP server. This can be a la­tency hit, es­pe­cially if the server is a re­mote server. To au­to­mat­i­cally cache the list of tools, you can pass cache_­tool­s_list=True to both MCPServerStdio and MCPServerSse. You should only do this if you’re cer­tain the tool list will not change.

If you want to in­val­i­date the cache, you can call in­val­i­date_­tool­s_­cache() on the servers.

Calls to the MCP server to list tools

On this re­lease, we’re show­ing what hap­pens when you push mod­ern web stan­dards — HTML, CSS, and JS — to their peak:

This en­tire app is lighter than a React/ShadCN but­ton:

See bench­mark and de­tails here ›

Here’s the same app, now with a Rust com­pu­ta­tion en­gine and Event Sourcing for in­stant search and other op­er­a­tions over 150,000 records — far past where JS-version of the en­gine choked on re­cur­sive calls over the records.

This demo is here ›

Nue crushes HMR and build speed records and sets you up with a mil­lisec­ond feed­back loop for your every­day VSCode/Sublime file-save op­er­a­tions:

Immediate feed­back for de­sign and com­po­nent up­dates, pre­serv­ing app state

This is a game-changer for Rust, Go, and JS en­gi­neers stuck wrestling with React id­ioms in­stead of lean­ing on time­less soft­ware pat­terns. Nue em­pha­sizes a model-first ap­proach, de­liv­er­ing mod­u­lar de­sign with sim­ple, testable func­tions, true sta­tic typ­ing, and min­i­mal de­pen­den­cies. Nue is a lib­er­at­ing ex­pe­ri­ence for sys­tem devs whose skills can fi­nally shine in a sep­a­rated model layer.

This is an im­por­tant shift for de­sign en­gi­neers bogged down by React pat­terns and 40,000+ line de­sign sys­tems. Build rad­i­cally sim­pler sys­tems with mod­ern CSS (@layers, vari­ables, calc()) and take con­trol of your ty­pog­ra­phy and white­space.

This is a wake-up call for UX en­gi­neers tan­gled in React hooks and util­ity class walls in­stead of own­ing the user ex­pe­ri­ence. Build apps as light as a React but­ton to push the web — and your skills — for­ward.

Nue is a web frame­work fo­cused on web stan­dards, cur­rently in ac­tive de­vel­op­ment. We aim to re­veal the hid­den com­plex­ity that’s be­come nor­mal­ized in mod­ern web de­vel­op­ment. When a sin­gle but­ton out­weighs an en­tire ap­pli­ca­tion, some­thing’s fun­da­men­tally bro­ken.

Nue dri­ves the in­evitable shift. We’re re­build­ing tools and frame­works from the ground up with a cleaner, more ro­bust ar­chi­tec­ture. Our goal is to re­store the joy of web de­vel­op­ment for all key skill sets: fron­tend ar­chi­tects, de­sign en­gi­neers, and UX en­gi­neers.

In a short

note to the Reproducible Builds

mail­ing list, Debian de­vel­oper Roland Clobus an­nounced that live im­ages for Debian 12.10 (“bookworm”) are now 100% re­pro­ducible. See the re­pro­ducible

live im­ages and Debian Live todo

pages on the Debian wiki for more in­for­ma­tion on the im­ages.

Copyright © 2025, Eklektix, Inc.

Comments and pub­lic post­ings are copy­righted by their cre­ators.

Linux is a reg­is­tered trade­mark of Linus Torvalds

Or why peo­ple pre­tend­ing CSV is dead are wrong

Every month or so, a new blog ar­ti­cle de­clar­ing the near demise of CSV in fa­vor of some “obviously su­pe­rior” for­mat (parquet, new­line-de­lim­ited JSON, MessagePack records etc.) find its ways to the read­er’s eyes. Sadly those ar­ti­cles of­ten of­fer a very nar­row and bi­ased com­par­i­son and of­ten fail to un­der­stand what makes CSV a seem­ingly un­kil­l­able sta­ple of data se­ri­al­iza­tion.

It is there­fore my in­ten­tion, through this ar­ti­cle, to write a love let­ter to this data for­mat, of­ten crit­i­cized for the wrong rea­sons, even more so when it is some­how deemed “cool” to hate on it. My point is not, far from it, to say that CSV is a sil­ver bul­let but rather to shine a light on some of the for­mat’s some­times over­looked strengths.

The spec­i­fi­ca­tion of CSV holds in its ti­tle: “comma sep­a­rated val­ues”. Okay, it’s a lie, but still, the spec­i­fi­ca­tion holds in a tweet and can be ex­plained to any­body in sec­onds: com­mas sep­a­rate val­ues, new lines sep­a­rate rows. Now quote val­ues con­tain­ing com­mas and line breaks, dou­ble your quotes, and that’s it. This is so sim­ple you might even in­vent it your­self with­out know­ing it al­ready ex­ists while learn­ing how to pro­gram.

Of course it does not mean you should not use a ded­i­cated CSV parser/​writer be­cause you will mess some­thing up.

No one owns CSV. It has no real spec­i­fi­ca­tion (yes, I know about the con­tro­ver­sial ex-post RFC 4180), just a set of rules every­one kinda agrees to re­spect im­plic­itly. It is, and will for­ever re­main, an open and free col­lec­tive idea.

Like JSON, YAML or XML, CSV is just plain text, that you are free to en­code how­ever you like. CSV is not a bi­nary for­mat, can be opened with any text ed­i­tor and does not re­quire any spe­cial­ized pro­gram to be read. This means, by ex­ten­sion, that it can both be read and edited by hu­mans di­rectly, some­how.

CSV can be read row by row very eas­ily with­out re­quir­ing more mem­ory than what is needed to fit a sin­gle row. This also means that a triv­ial pro­gram that any­one can write is able to read gi­ga­bytes of CSV data with only some kilo­bytes of RAM.

By com­par­i­son, col­umn-ori­ented data for­mats such as par­quet are not able to stream files row by row with­out re­quir­ing you to jump here and there in the file or to buffer the mem­ory clev­erly so you don’t tank read per­for­mance.

But of course, CSV is ter­ri­ble if you are only in­ter­ested in spe­cific columns be­cause you will in­deed need to read all of a row only to ac­cess the part you are in­ter­ested in.

Column-oriented data for­mat are of course a very good fit for the dataframes mind­set of R, pan­das and such. But crit­ics of CSV com­ing from this set of prac­tices tend to only care about use-cases where every­thing is ex­pected to fit into mem­ory.

It is triv­ial to add new rows at the end of a CSV file and it is very ef­fi­cient to do so. Just open the file in ap­pend mode (a+) and get go­ing.

Once again, col­umn-ori­ented data for­mats can­not do this, or at least not in a straight­for­ward man­ner. They can ac­tu­ally be re­garded as on-disk dataframes, and like with dataframes, adding a col­umn is very ef­fi­cient while adding a new row re­ally is­n’t.

Please don’t flee. Let me ex­plain why this is some­times a good thing. Sometimes when deal­ing with data, you might like to have some flex­i­bil­ity, es­pe­cially across pro­gram­ming lan­guages, when pars­ing se­ri­al­ized data.

Consider JavaScript, for in­stance, that is un­able to rep­re­sent 64 bits in­te­gers. Or what lan­guages, frame­works and li­braries con­sider as null val­ues (don’t get me started on pan­das and null val­ues). CSV lets you parse val­ues as you see fit and is in fact dy­nam­i­cally typed. But this is as much of a strength as it can be­come a po­ten­tial foot­gun if you are not care­ful.

Note also, but this might be hard to do with higher-level lan­guages such as python and JavaScript, that you are not re­quired to de­code the text at all to process CSV cell val­ues and that you can work di­rectly on the bi­nary rep­re­sen­ta­tion of the text for per­for­mance rea­sons.

Having the head­ers writ­ten only once at the be­gin­ning of the file means the amount of for­mal rep­e­ti­tion of the for­mat is nat­u­rally very low. Consider a list of ob­jects in JSON or the equiv­a­lent in XML and you will quickly see the cost of re­peat­ing keys every­where. That does not mean JSON and XML will not com­press very well, but few for­mats ex­hibit this level of nat­ural con­cise­ness.

What’s more, strings are of­ten al­ready op­ti­mally rep­re­sented and the over­head of the for­mat it­self (some com­mas and quotes here and there) is kept to a min­i­mum. Of course, sta­t­i­cally-typed num­bers could be rep­re­sented more con­cisely, but you will not save up an or­der of mag­ni­tude there nei­ther.

This one is not of­ten re­al­ized by every­one but a re­versed (byte by byte) CSV file, is still valid CSV. This is only made pos­si­ble be­cause of the ge­nius idea to es­cape quotes by dou­bling them, which means es­cap­ing is a palin­drome. It would not work if CSV used a back­slash-based es­cap­ing scheme, as is most com­mon when rep­re­sent­ing string lit­er­als.

But why should you care? Well, this means you can read very ef­fi­ciently and very eas­ily the last rows of a CSV file. Just feed the bytes of your file in re­verse or­der to a CSV parser, then re­verse the yielded rows and their cells’ bytes and you are done (maybe read the header row be­fore though).

This means you can very well use a CSV out­put as a way to ef­fi­ciently re­sume an aborted process. You can in­deed read and parse the last rows of a CSV file in con­stant time since you don’t need to read the whole file but only to po­si­tion your­self at the end of the file to buffer the bytes in re­verse and feed them to the parser.

It clearly means CSV must be do­ing some­thing right.

Late last year the pop­u­lar Chrome ex­ten­sion Honey (owned by PayPal) was re­vealed for em­ploy­ing a few shady tac­tics, and the ex­ten­sion has since lost around 4 mil­lion users on Google’s browser alone.

To re­cap the sit­u­a­tion thus far, Honey has amassed mil­lions of users over the past sev­eral years on the promise of find­ing coupon codes for var­i­ous on­line stores. The free ex­ten­sion saw wide ad­ver­tise­ments and was even­tu­ally pur­chased by PayPal in 2020 for $4 bil­lion.

In December 2024, a video on YouTube by the chan­nel MegaLag ex­posed Honey for two shady prac­tices. The first was how the ex­ten­sion took ad­van­tage of af­fil­i­ate codes. Honey has al­ways used af­fil­i­ate pro­grams to sub­si­dize its ser­vice, but the video re­vealed that the ex­ten­sion would hi­jack these pro­grams — re­mov­ing af­fil­i­ate codes from other ref­fer­ers such as on­line cre­ators and web­site — even if it did­n’t have coupon codes or cash back to of­fer in re­turn. The prac­tice was work­ing be­hind the scenes with busi­nesses to con­trol which codes would ap­pear to Honey users, ef­fec­tively di­rectly ly­ing about its promise of find­ing the “best” coupon codes on the web.

That video amassed over 17 mil­lion views, and Honey has now lost over 4 mil­lion users on Chrome.

As we re­ported in early January, Honey had lost around 3 mil­lion users im­me­di­ately af­ter the video went vi­ral, but ended up gain­ing back around 1 mil­lion later on. Now, as of March 2025, Honey is down to 16 mil­lion users on Chrome, down from its peak of 20 mil­lion.

This drop comes af­ter new Chrome pol­icy has taken ef­fect which pre­vents Honey, and ex­ten­sions like it, from prac­tices in­clud­ing tak­ing over af­fil­i­ate codes with­out dis­clo­sure or with­out ben­e­fit to the ex­ten­sion’s users. Honey has since up­dated its ex­ten­sion list­ing with dis­clo­sure, and we found that the be­hav­ior shown in the December video no longer oc­curs.

Are you still us­ing Honey?