Yeah, this entire article is pretty transparent that it's from the sender perspective, and worried about platforms taking over "sender control".
Who is he kidding? The vast majority of apps have absolutely proven they can't be trusted to respect your attention. From my perspective, the more roadblocks the platforms put between unnecessary notifications and my phone, the better. And I don't think Apple or Google are some sort of heroes here, but I do believe their incentives better align with mine than the marketing department of some app I was forced to download because I bought a ticket once or something like that.
Notification categories are like mailing lists now. You may have unsubscribed from the daily deals email but you're still going to be auto subscribed to every new slightly modified category in perpetuity. Unless you fully disable notifications for an app (in Android at least, in my experience), new enabled by default notification categories are added all the time.
When they exist at all. Many apps that provide important notifications (like delivery tracking, drop-off time etc) put them under the same category as marketing stuff. You can't have just the transactional tracking, you have to opt-in for the marketing notifications as well.
The ridesharing apps are the most annoying about this. Yes I want to be notified when my Uber driver is almost here to pick me up. No, I don't want a notification about yet another sale.
It baffles me that they do this. I have to disable push notifications from Lyft entirely, so instead they send me ride updates as text messages, which surely must cost them way more money. Why not just introduce a "ride updates only" push notification category and stop this madness?
It needs to be enforced by the OS or by law. Like how you get transactional emails without getting marketing spam. I want the same for notifications.
> It needs to be enforced by the OS or by law. Like how you get transactional emails without getting marketing spam.
What glorious universe do you live in where email is respected enough to have transactions separate from marketing, and that this is not only required by law but also enforced?
There's a pretty healthy regulatory environment around it, though I have noticed a resurgence of opt-out marketing communications on signup forms, which is unwelcome (I don't know if some legal decision changed, but it seemed like for a while this was not allowed, and maybe something has made companies think that it is again).
(I decided to look it up, here's the UK rules: https://ico.org.uk/for-organisations/direct-marketing-and-pr... . It looks like it is allowed to be opt-out if you buy something from them, which I do dislike, but there are rules and the ICO does have teeth)
Not sure about your experience, I’ve almost never encountered a marketing email that didn’t have an unsubscribe link, as is mandated by law in some countries. So I’m not really sure what you’re talking about.
In the past, yeah. But today? Never.
> I’ve almost never encountered a marketing email that didn’t have an unsubscribe link
Have you encountered a "marketing email" that you didn't sign up for? That's called phishing.
Have you clicked on links in phishing emails? That's called getting pwned.
That’s also not relevant to the topic, which was transactional vs marketing app notifications, and making a correlation to email.
Have you looked at the Uber app recently? 90% of it is promotionshit.
I am just looking for a fucking taxi.
Are there any VCs looking to give away a few billion dollars to disrupt the ossified, wasteful, poor customer experience taxi app market?
> Are there any VCs looking to give away a few billion dollars to disrupt the ossified, wasteful, poor customer experience taxi app market?
Waymo are rolling out, slowly. No one'll be in a real position to compete against them.
I had to disable from Android settings all LinkedIn notifications. I check it from time to time but I haven't missed anything, nowadays LinkedIn is mostly garbage.
On iOS at least, Live Activities are separate from Notifications. So I can still monitor food or grocery delivery even though I have turned off their notifications.
Now a few apps have started sending notifications through WhatsApp because they have my phone number. e.g. Amazon
Yeah, but I still see apps that don't implement those features. Mostly React Native/Flutter apps that don't bother implementing native features. On Android it's even more depressing.
I'm not worried about missing food notifications because they send me an email and a text (... and a fax and a hardcopy confirmation letter in the mail.)
> On iOS at least, Live Activities are separate from Notifications.
Should be, but not always. There are plenty of apps that still mix marketing and functional notification.
Hell, even Apple does this, especially on new devices.
[Settings]: Log in to your iCloud account to sync data.
Three minutes later…
[Settings]: You qualify for three free months of Apple Music!
Tbf both of those are promotional. If I'm not logged into iCloud, it's for a reason.
That's one of the reasons I simply do not allow anything on my phone to auto-update. 98% of app updates these days are effectively malicious. I'll only update individual apps when and if I deem it to be actually necessary.
Except F-Droid. I trust their moderation enough to allow auto updates.
There’s the other direction too. You only get a couple toggles, and something you actually need is behind both, so you can’t not get all notifications
Another sneaky behavior in Android is that categories that have yet to send a notification, which of course includes newly added auto-enabled channels, are collapsed under the 'show unused categories' button.
iOS asks you if you want to allow notifications when each new app is started. You can just say no there and you're done.
It would be better if they were totally opt-in of course (1), but that's not bloody likely to happen.
(1) As in off by default with no questions.
On iOS Scheduled Summaries are really great. That's become my personal default on my phone. Scheduled Summaries roughly every 4 hours during waking hours and the default choice every time the question pops up for a new app is "In Scheduled Summary". I could see with some modest UX improvements Scheduled Summaries becoming the default for more people.
Heavy use of Scheduled Summaries does also lead to me wondering why there isn't a "default notifications to Ask/On/Scheduled Summaries/Off" global setting, though I would want that choice between Scheduled and Off at least.
I can see a certain category of people screaming that WhatsApp calls are broken if that were to pass… but I do agree that no one would scream louder than app makers wanting to retain their share of human brain attention.
As far as I know my WhatsApp is muted and the mute is muted again. But it still rings for voice calls.
It's integrated somehow with the phone app on iOS, WhatsApp calls show alongside GSM calls.
I recently had to set up Microsoft Authenticator. It refused to register a code unless I enabled notifications.
You are a two factor app. I should never be in a situation where there is an unexpected login I need to verify.
I want scopes like Graphene has for storage scopes. I want this on my phone and browser - let the site/app think it has everything (cookies, storage, microphone, camera, notifications, whatever it wants) but it's all empty and does nothing.
Apps can know whether you granted permission?? That sounds like a security flaw.
This is basically required for clueless (and even not so clueless) users.
If there's a chat app I installed 3 years ago, with no intention of giving it camera access, and I suddenly need to use that app for a video call, I don't want to be stuck debugging broken camera issues for two hours. I'd much rather have the app tell me that it doesn't have camera access.
This is fair for permissions. But for notifications, the app shouldn't need to know. It can just send them into the void for all the app cares. If the notification doesn't work then it should never break critical app functionality and apps should be built with the assumption that users will never see/interact with notifications.
> This is basically required for clueless (and even not so clueless) users.
I can actually confess that this hit me. Almost nothing on my phone has permission to use my camera, including my web browser (why???). I assume this was done in a fit of pique upon discovering that the setting even existed.
Roll on (god knows how many years later) and I cannot get into the gym with the link I was emailed to have my browser read a QR because my browser is just a grey screen. It was only when the member of staff suggested permissions that I realised what was going on.
I'm the problem, it's me
The OS could tell you instead. If it is a camera app, the OS could tell you on install, that you can't start the app without given camera access, because that's what the app is.
They can, but there's an OS option that basically is "I'm going to say yes, but then effectively do no". Basically it'll pretend to the application that a permission is granted, but then just keep returning empty information or doing nothing with it. So notification perms would then be seen as enabled, but nothing is actually being sent to the user.
Unfortunately Google isn't really exposing this to users, so you need something like App Ops or adb to set it up.
Of course, that way they can refuse to work until you uninstall or give in to their demands. There are other operating systems that present fake data at least.
Yep. Just today I had a tram/bus ticket purchase app refuse to work unless I grant it Phone access.
Tip: The iPhone Passwords App has basic TOTP functionality (manually create a password entry and click “Set Up Code”). I have a few dummy passwords which are effectively just labels for some login codes - it’s one less App to install.
Unfortunately Microsoft Authenticator does more than TOTP and usually it's not up to the user to decide which two factor implementation is accepted.
Some Microsoft setups ONLY allow Authenticator - can’t use 1pass etc. I have recently fallen into this pit
I believe this is also a consequence of iOS gating background processing and scheduled timers allowed by an app based on whether or not notifications are enabled by the user. I believe Microsoft Authenticator also wants notifications enabled for the same reason most Banking apps on iOS want notifications enabled, so that it can register a ~10-minute background timer to run any backups, securely clear program memory, and safely "logout" from any active "session".
On the one hand it helps avoid "permissions fatigue" that the user just has the one permission to manage ("enable notifications"), but on the other hand it does lead to these questions about why an entire class of applications (banking apps and security apps) whose role should be mostly never to send notifications (because that can be a FUD/fear/fraud vector) need notifications enabled to work securely.
Okta has push as an option. Maybe msft has that too.
Key word there being 'option'. If you choose to use push as your mechanism then enabling it is obvious. If you choose not to the app should still work. You don't need push notifications enabled on an MFA app.
AFAICT any TOTP app (FreeOTP+, Aegis...) works just fine with Microsoft services (or Google, etc). You don't actually need to install several TOTP apps.
Microsoft Authenticator is not standard TOTP, but their own private flavor.
I've used FreeOTP+ to connect to my customers' Microsoft Teams for years without any trouble.
> I should never be in a situation where there is an unexpected login I need to verify.
Isn't that kind of the point? If someone else is trying to login somewhere with your credentials, your two factor will ping up?
Why would I want that? If it is not me, I am not going to allow the login. Making it a notification makes it more likely I could fat finger an approval.
I guess you can make the argument that you are then made aware of login attempts, but that feels more like something the host service should control.
> Why would I want that?
Because to get that far they entered your password? Which you might like to change?
You did mention: "You are a two factor app."
If they've got past your first factor, you might want to know.
I recently got an unsolicited OTP email from Microsoft, which led me to fear that someone had entered my password, but no: I eventually was able to confirm that the arrival of an OTP does not, in fact, require that someone enter anything beyond my email address. This is rather insane (I should not be having a blood pressure event due to Microsoft) but on the other hand I do understand the passwordless concept which is just a password-reset flow sans password-change. Perhaps a nice middle ground would be if the OTP email explicitly stated that my password was not entered.
This also happened to me about a week ago and I had the same reaction/discovery process you did. OT but I wonder if there was a recent ramp up in these attacks. It was done against an email I do not regularly use that was attached to my account as an alternate and haveibeenpwned confirmed was in a data breach back in 2020.
Some providers (looking at you, Intuit) don't seem to understand TWO factor authentication and will allow someone to bypass your password if they can intercept the SMS or email, and treat it as a normal login.
Our Okta is set up so that it usually does the two-factor before asking for password.
I would, but I don't need to know immediately. Plus you have the other vector of my phone sitting on a table and showing the notification to a person who can see it when they are trying to login as me.
I find it to be a poor default that sensitive data is shown on the lock screen. I change that setting as a first order of business whenever I'm setting up a new phone.
I saw a new marketing strategy recently: Someone tried to sign into something with my email. I didn't have an account, so they took the excuse to send me an email asking me to create an account.
> I saw a new marketing strategy recently: Someone tried to sign into something with my email. I didn't have an account, so they took the excuse to send me an email asking me to create an account.
This has been going on since at least 2006.
Startups will "growth hack" by buying e-mail lists and feeding them into their password recovery tools.
A certain percentage of people will then follow the links and end up creating a new account on a service they had no interest in that now has their confirmed contact information, a new user, and a plausible reason to bombard them with marketing email.
I recently started getting emails from a company warning me that "I only had x days left to verify your account."
The account was supposedly registered for an organization whose name was somewhat similar to mine, so I thought somebody fat-fingered their coworker's email (the initial email was an invitation to create an account and join the org), but it might have very well been the tactic you described.
Huh, is that why my Google Authenticator app pops up randomly? I always figured it was a bug in the app or in Android.
Worse, it's from a marketing perspective if you read the guy's bio.
> From my perspective, the more roadblocks the platforms put between unnecessary notifications and my phone, the better.
I know lots of apps behave badly when it comes to notifications but I'd still prefer if the apps controlled the level of notifications they sent. I could, of course, reduce that client-side, but I don't see why I'd want Google or Apple or any other intermediary see or control the notifications.
If an app behaves inappropriately, I could uninstall it. If a gatekeeper like Google or Apple prevents an app from sending me notifications, I'd have to change my OS, usually my hardware, too.
This forces millions of users to individually monitor and fix dozens or hundreds of apps all the time - something most don't have time for and leads to an awful experience. Centralized controls are better for the user.
TFA discusses at length how APNs and FCM are necessary intermediaries regardless, effectively creating a technical duopoly on 'push'. We all agree it would've been preferable for things not to have gotten this way, but here we are.
This is all a consequence of running software that doesn't respect you and notifications are just one of many symptoms.
I'd rather choose better software than let Google/Apple decide what software running on my device is allowed to do.
Usually you don't have any choice of the software if you need to use a particular product or service.
Yeah, the worst kind of software is the kind that interacts with the real world, particularly when chosen by clueless people at non-tech, real-world companies.
Conferences are great examples. You do want to submit your paper and go to a conference. To do that, they need your email address (understandable). That email ends up on dozens of email lists run by people who are doing "outreach" or something of the sort.
You can usually choose to "need" to use a particular product or service though. It's not always worth it, but there's a choice.
You mean it's a consequence of very large amounts of people refusing to pay for software, at essentially any other cost ...
Of course you could describe almost all of the internet that way.
It's a consequence of having platforms instead of protocols.
Suppose you want delivery notifications for your packages. The seller, by contrast, wants to spam you with marketing.
If getting the notifications requires you to install their app, they're going to shovel any spam into it that they can, and then they're writing the code that runs on your device. Whereas if the software on your device is controlled by you and the notifications are received using a standard protocol, you (or someone like uBlock) can create filters to only show the notifications you actually want and discard the spam.
But for that to actually work you need the software running on the client to be under the control of the user independent of which device or service they're using, and subject to competitive pressure. Otherwise the platform uses it as a means for lock-in and then filters your notifications in the ways that benefit them rather than you, or just does a lazy job because they know you've been deprived of having a lot of other alternatives.
Unless the task is extremely well defined, protocols don't really work.
Imagine you're a shipping company and lock yourself into a parcel tracking protocol. You then decide to offer the innovative feature of parcel lockers, which need a code (or an action on your device) to open. How are you going to make the thousands of weird homebrew clients that people are using on their jailbroken Nintendo Switches or whatever to behave?
That's easy. You publish the API documentation and supply a reference implementation. Anyone can use your reference implementation immediately and the person who wants to use their own code on a jailbroken Switch can do that as soon as they implement the API, or their own fork of the reference implementation.
The service doesn't have to maintain every implementation, they just have to document a stable API and not actively impede third party code.
> But for that to actually work you need the software running on the client to be under the control of the user independent of which device or service ...
In other words, you need the user of the software to pay for its development. Since that won't happen ...
That isn't the only way.
I don't pay for most of my software and yet it still respects me. Of course it also isn't made by large corporations with marketing and sales departments.
The vast majority of spammers aren't large corporations but really small ones. Scammy ones. At least judging by my spam folder.
> I do believe their incentives better align with mine than the marketing department of some app I was forced to download because I bought a ticket once or something like that.
Align better for now. It will get enshittified.
I try very hard to avoid installing apps specific to a particular business or organisation. So far I have only had to install a government app and some from banks. Even those are avoidable (but it would be very inconvenient to do so).