The Weekly #4

August 8, 2021

Pixel 6 Tensor and the secure element

After many years of rumors Google finally unveiled their custom silicon, though details won’t be known until Pixel 6 devices go on sale. Dieter Bohn wrote:

Tensor is an SoC, not a single processor. And so while it’s fair to call it Google-designed, it’s also still unclear which components are Google-made and which are licensed from others. Two things are definitely coming from Google: a mobile TPU for AI operations and a new Titan M2 chip for security. The rest, including the CPU, GPU, and 5G modem, are all still a mystery.

Ever since Pixel 3 models went on sale in Japan with Mobile FeliCa support, inbound Pixel users have been pining for the same global NFC feature that iPhone and Apple Watch have, but it hasn’t happened. Here’s why.

On the NFC hardware side everything has been ready to go on all smartphone hardware for years because NFC A-B-F support is a requirement for NFC certification. The problem has been on the SE side, the black box where all the transaction magic happens. From GlobalPlatform the SE certification organization:

A SE is a tamper-resistant platform (typically a one chip secure microcontroller) capable of securely hosting applications and their confidential and cryptographic data (for example cryptographic keys) in accordance with the rules and security requirements set by well-identified trusted authorities.

There are different form factors of SE: embedded and integrated SEs, SIM/UICC, smart microSD as well as smart cards. SEs exist in different form factors to address the requirements of different business implementations and market needs.

GlobalPlatform Introduction to Secure Elements

SE Wars
In the pre-Apple Pay mobile carrier hardware era, carriers used SE SIM or a embedded Secure Element (eSE) + carrier SIM combo that chained customers to service contracts for the privilege of using mobile payments. This is the classic Osaifu Keitai model pioneered by NTT DOCOMO: an overpriced carrier SIM contract to use mobile payments only with select carrier handsets.

This carrier lock in model is one reason why Mobile FeliCa ended up being ridiculed as ‘galapagos technology’ even though everybody else copied it. This carrier SE SIM hostage situation, i.e. the Mobile Wallet SE Wars, led Apple and Google to follow different strategies to address the problem.

The Apple Pay Way
Apple’s answer of course was Apple Pay. A unique in-house strategy of putting a GlobalPlatform certified Secure Element in Apple Silicon. Most eSE go on the NFC controller, but doing it the Apple in-house way has advantages over a NFC chip vendor bundle: control of the eSE applets and ability to update them and the Apple eSE for new protocols in iOS updates. We saw this in action with the addition of FeliCa in 2016, PBOC in 2017 and MIFARE in 2018. We are seeing it again with the addition of Ultra Wideband (UWB) Touchless in iOS 15.

The Google Pay Way
Google’s answer to the carrier owned SE problem was a convoluted evolution from Google Wallet (2011) to Android Pay (2015) and finally Google Pay (2018). Google’s first salvo was Host Card Emulation (HCE): “NFC card emulation without a hardware secure element” a virtual secure element hosted on Google’s cloud or in an app. Later on Google attempted to do the same for FeliCa with HCE-F.

The HCE strategy was quietly abandoned when Google decided to get into the hardware business and Android Pay turned into Google Pay. Now we have Google Pay running on Google Pixel with its own embedded Secure Element (eSE). With Pixel and Google Pay, Google decided they didn’t want to be the Secure Element provider for every Android OEM out there especially when the Chinese OEMS are all rolling their own eSE based digital wallet services anyway, completely ignoring HCE. Sure, HCE/HCE-F is still there in Android developer documentation but it’s a vestigial relic of the SE wars. From an industry standpoint it’s eSE or nothing now.

Google Pixel models up to now have used vendor bundled eSE + NFC controllers with the Pixel JP models using the Osaifu Keitai software stack. This makes global NFC support more complicated because Google doesn’t ‘own’ the eSE and the software stack, at least not in the Apple sense of making their own all in one solution. As we have seen, Mobile FeliCa is installed on all Pixel 5 models but the Osaifu Keitai stack only loads on JP models.

Will a Tensor SoC that contains a Titan M2 and a custom eSE solve this? It all depends on whether Google goes deep instead of cheap by stripping Google Pay of its dependency on the Osaifu Keitai stack and create their own region free support stack. If so, inbound Pixel 6 users will have the ability to add Suica and other FeliCa cards out of the box.


The PASPY organ transplant

As pointed out previously, the PASPY transit card transition from NFC to QR is not going to be easy. Not only does HIroden have to swap out the basic technology infrastructure, they also have to swap out their IT system integrator partners. The PASPY system was built and is currently managed by NEC with the last server upgrade completed in 2014. A quick look at the system map illustrates the pain points that including swapping out the NFC reader infrastructure in trolleys and buses and replacing it with QR readers with mobile connectivity, a requirement because of central processing. There will also be a lot of pain for wide area commuters because going QR means cutting the cross compatibility cord with ICOCA, Suica, etc.

The mobile connection means a mobile operator has to be involved to make it work. The likely IT system candidate here is the same one behind all the QR transit systems in Japan so far: SoftBank backed QUADRAC. The PASPY QR replacement is expected to be closed loop, similar to the QR + smartphone app closed loop system being tested by Nankai. Too bad JR West can’t come to the rescue with a localized version of the Suica 2 in 1 Region Affiliate Transit Card, but that’s another story for another time.


To eSIM or not to eSIM

eSIMs are great in theory, unfortunately the current reality for Japanese customers is less than ideal even thought the Japanese Ministry of Internal Affairs and Communications (MIC) is promoting them over traditional physical carrier SIMS and issued eSIM guidance. In addition to this carrier SIM locked devices will not be allowed from October. Of the big three carrier budget brands: NTT DOCOMO (ahamo), au KDDI (povo), SoftBank (LINEMO), only LINEMO and povo offer eSIM options. DOCOMO says they are thinking about it but for now ahamo is a physical SIM service because DOCOMO says eSIMS are not as secure as physical SIMS.

A recent article by Masao Sano outlined the eSIM situation in Japan and current obstacles for customers. The online signup process and device setup isn’t always smooth going and first time customers sometimes have to deal with unlocking their carrier device, APN settings, network authentication codes, profile installations and so-on. The eSIM process needs to be easier and user friendly. The good news is that unlocked carrier phones will be standard soon along with better eSIM option plans and migration setup. Once ahamo adds an eSIM option the next step will be taking it mainstream for major brand carrier contracts.


Apple Music finally sorts Japanese artist names correctly

Congratulations Naoko! You and all your fellow Japanese artists on Apple Music were finally liberated from the # sorting section and now live in 五十音 (Gojūon) splendor in iOS Music App. A very long wait though wasn’t it? Six years!

Seriously though I wonder what took Apple so long to fix most, but not all, of their Japanese music metadata mess. Not a moment too soon as the old reliable iTunes Match service seems to be on its last legs and the macOS Music app replacement for the old reliable iTunes app is completely useless for organizing a digital music collection: Apple Music and iCloud Music library have a mind of their own.

Truth be told, I had more fun collecting and listening to music on iTunes + iPod than discovering music on Apple Music + iPhone. For some strange reason, less is sometimes more.


The Weekly will be taking a summer break the weeks of August 9 and 16 and resume the week of September 1. Take care and enjoy the rest of the summer.

The Weekly #3

August 3, 2021

Busy week for Apple Pay and Mobile FeliCa

Since last week’s Australian Parliamentary Joint Committee on Corporations and Financial Services hearings regarding the so called Apple Pay monopoly and the pointless debate of Android only Host Card Emulation (HCE) ‘virtual secure element’ vs. a hardware embedded secure element (eSE), Apple has been busy rolling out new Apple Pay Wallet services: Australian health insurance Wallet card support and digital vaccination certificates, ING Belgium and FNB South Africa additions, and today’s Student ID expansion to more universities in America including the first international addition in Canada. The last item was particularly interesting as Apple issued a press release that included new partners beyond Blackboard: Transact, CBORD, TouchNet, Atrium, HID Global, and Allegion. MIFARE and FeliCa are the 2 big protocols used for ID cards, both fully supported in iPhone and Apple Watch. Hopefully we’ll see more international Student ID card support going forward.

Japanese IT reporters have been writing about the recent addition of Xiaomi Redmi Note 10 JE (Japan Edition) to the KDDI au lineup. All the Chinese manufacturers have been bringing new models with Mobile FeliCa Osaifu Keitai support as more or less standard, but like most Android smartphones including Google Pixel, even though the hardware is the same everywhere, Mobile FeliCa is only activated for Japanese models.

The Xiaomi product manager interview casually mentions that only 20% or so of Android Osaifu Keitai device holders actually use the feature. Why bother adding it then? I suspect Osaifu Keitai usage rates vary widely depending on the region, much higher for Tokyo and other metro areas, less in rural areas. It would be really interesting to compare Osaifu Keitai usage rates with Apple Pay as I also suspect Apple Pay Japan usage rates likely leave Osaifu Keitai in the dust. As for the real reason why Chinese smartphones manufacturers are adding Mobile FeliCa support: the digital My Number ID card launching in 2022 requires it. One out of ten people living in Tokyo and other metropolitan areas is a Chinese national…do the math.

Digital My Number: First Summary Toward the Realization of Electronic Certificates for Smartphones

Delete me

The American bred internet cancel culture that started during the Obama years and went ballistic during the Trump years shows no signs of abating as battle lines are constantly redrawn to silence a somebody that somebody else wants silenced. And it has become an entrenched issue thanks to AI driven SNS content. As Tim Pool adroitly points out, and long term surveys confirm, the current American racial crisis didn’t happen until the Reddit and YouTube generation raised on endlessly looping AI driven police brutality video content came of age perceiving their virtual world as the real one. That’s the unfolding tragedy as perceptions based on virtual life replace real ones.

As bad as this is, evil players and big tech use virtual life to intimidate, blackmail and destroy real ones. That’s exactly what happened evidently when eBay’s supervisor of security operations decided to cancel the EcommerceBytes blog and carried out a cyberstalking campaign (including surveillance), against the husband and wife blogging team. Their astonishing story was published by the Boston Globe. It’s reads like the script of Michael Clayton (I prefer the Japanese title: The Fixer). eBay conducted an investigation, pushed out the CEO with a golden parachute and issued a statement that, of course, acknowledged the wrong but said ‘it’s okay now because the baddies are gone.’ Until next time, that is. eBay, of course, didn’t offer any compensation.


The Buddha’s face isn’t seen a fourth time

When the 3rd Tokyo State of Emergency (SOE) was announced, I predicted it would’t go well. Sure enough, infections started to rise before the end of SOE 3. Now we are in SOE 4 and infection rates are skyrocketing, well, skyrocketing compared to rates that were low to begin with. So life goes on as usual, the commuter time trains are crowded as usual, people go shopping as usual, there is nothing remotely panic-like despite media hysteria narratives of a ‘medical system breakdown.’

As always, it’s complicated. Few people are actually dying from COVID (and don’t forget that hospitals get a Japanese government subsidy when they report a COVID death, other deaths don’t pay). Influenza and pneumonia are much more real long term threats. Lockdowns and vaccination mandates will be impossible to implement as all the government tools to do so were locked away by the GHQ occupation and restructuring of Japan. Any attempt to invoke those kinds of centralized powers requires changing the American created Japanese constitution and nobody wants to do that (fun fact: the English language constitution of Japan is the official one, the Japanese language one a fake). Not that the situation is dire, a little context helps. And don’t forget the overall Japanese death rate dropped in 2020 YOY thanks to all that mask wearing and hand sanitizing.

Given the utter lack of useful long term planning demonstrated by Tokyo Governor Yuriko Koike, the most likely course of action will be: attempting real fines for restaurants, bars, etc. that don’t follow SOE requests. Good luck with that.

The Weekly #2

July 27, 2021

The ‘Apple Pay is a monopoly’ soap opera continues

ZDNet reports Australian Parliamentary Joint Committee on Corporations and Financial Services hearings that are focused on, yet again, forcing Apple to ‘open up’ their NFC chip. Actually they should be talking about the secure element in Apple Silicon because that’s what Apple devices use and it’s not just about NFC anymore, it’s Ultra Wideband too.

The Apple Pay monopoly debate isn’t new and isn’t about being ‘open’, it’s about banks getting what they want from politicians. What I found interesting was the back and forth between Apple and Google regarding the hardware embedded secure element (eSE) vs. the virtual secure element in the cloud Host Card Emulation (HCE), a topic that confuses many ‘experts’.

Google is playing both ends here because they have different flavors of Google Pay for different kinds of Android devices. Google Pixel Google Pay uses eSE while everybody else use HCE Google Pay. One very important thing not mentioned in tech blog coverage is that Samsung Galaxy and the Chinese smartphones (Huawei, OPPO, Xiaomi) all use a custom eSE with their own XX-Pay. In other words, everybody on the Android side outside of low end junk is doing exactly what Apple Pay is doing.

Apple
Host Card Emulation (HCE) is a less secure implementation, which was adopted by Android … Apple did not implement HCE because doing so would lead to less security on Apple devices.

Google
Our payments apps are immensely secure…we would refute the suggestion our HCE environment is in any way insecure … I would argue the user experience on Google Pay is equal to that of Apple Pay.

Let’s see what GlobalPlatform has to say about HCE:

GlobalPlatform
HCE solutions can be a great option for issuers to get to market cost-effectively for their Android customers. However, they aren’t without their complexities. Rooted in the NFC device OS, HCE apps can be more vulnerable than the ‘Giant Pays’.

So HCE security is up to the payment app, shitty app = shitty security without Apple Pay Secure Intent. The whole HCE debate is nonsense, like FeliCa Dude says it’s eSE or nothing. If the committee thinks that HCE means open and good, they are showing their incompetence.

Apple Pay Wallet has a very simple rule: any card that loads a Java Card applet into the secure element has to reside in Wallet. Any card or developer that wants to loads applets and use the secure element has to have a PassKit Secure Element Certificate Pass. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s NFC/Secure Element Pass guidelines are:

Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.

Yeah, the end to end user experience, the whole reason behind the success of Apple Pay. Banks don’t want to be told they need to improve their ecosystem for a better user experience, and they don’t want to pay a transaction cut to Apple that they are used to keeping for themselves. What else is new?

The whole ‘Apple Pay is a monopoly’ soap opera is overrated.


PASPY transit IC card migrating to QR

After thinking out loud recently about dumping their PASPY transit IC card in favor of a QR Code smartphone app, Hiroshima Electric Railway Co. Ltd (Hiroden) CEO Masao Mukuda announced that Hiroden would indeed junk NFC and migrate to a QR Code app over an unspecified period of time. Running their own transit IC card is too expensive, so old folks, school children and everybody else will have to use smartphone to ride Hiroden light rail trains in Hiroshima.

PASPY is just the tip of the iceberg. There are many transit IC cards out there with the same problem: fixed infrastructure costs supporting a small region transit IC card and declining ridership. Add the COVID crisis that has decimated public transit use and you have a business crisis. All the small transit cards outside of the Transit IC card standard (the pink box) are in the same boat: they can only be used in their respective regions, they don’t have e-money functions, they don’t have the resources to go mobile.

This is exactly the problem JR East is addressing with their 2 in 1 Suica MaaS soution. JR East hosts the hardware, the local operator issues a ‘localized’ Suica that offers both special local MaaS services (discounts and extras, etc.) and seamlessly plugs into the larger Suica and Transit IC map.

Suica 2 in 1 region cards are the keystone of JR East’s MaaS strategy

Unfortunately PASPY is in the JR West region which doesn’t have anything similar to the JR East MaaS program. It would be a perfect solution: customers would get a new card that works just like it does now but works everywhere with e-money and ICOCA benefits, Hiroden is freed from the costs of hosting and issuing their own card.

QR is not going to be the salvation that Hiroden hopes it will be. QR isolates Hiroden from the wider transit IC network of Mobile Suica, PASMO, ICOCA. Even if Hiroden gets rid of their card issuing business cost, they still have to host a system to run the QR Code app and manage accounts. The real rub is that instead of anybody buying an IC card out of a machine, Users will have to sign up for the app or buy a QR paper ticket. They also have to worry about where and how their account data is stored. My prediction: it’s going to be a messy money losing transition.


Heraiza down but not out

Poor little Heraiza, one of my favorite Japanese YouTubers, has been copyright claim ‘hacked’ from a fake account pretending to be Dentsu and now has 2 bogus strikes against her YouTube account. As an independent 17 year old high school student with 150,000 followers, she doesn’t have the resources of a YouTuber managment agency like UUUM, who she likes to badmouth (and I won’t put it past UUUM using fake accounts to take her out). Dentsu or whoever the real copyright holder is has confirmed to her that her content does not violate said copyrights.

Hopefully she’ll get it all worked out and unlock all her previous videos, though YouTube being YouTube, if they don’t like you they ban you…AND keep your ad revenue. In her most recent post about one of her favorite YouTubers having their account hijacked, she has her confidence back. Good thing, in these dark times we all need to laugh.

Have a good week and enjoy the Olympics.

The Weekly #1

July 27, 2021

With so little real news to write about these days, I’m trying out a weekly digest format instead of individual itty bitty posts. Sticking with a mundane regular schedule is also good practice, we’ll see how it goes.

Tokyo 2020 TP Transit Card
Foreign media (already in Japan as opposed to those coming for the event who are limited by protocols for the first 14 days) covering the Tokyo Olympics were issued a special ‘TP Card’ limited transit pass covering Tokyo region transit July 10~ August 11. Dan Orlowitz who covers sports for the Japan Times tweeted some pictures of the pass. Look carefully at the transit gate display screen, there are some very interesting things going on: (1) The display language is English (nice touch), (2) The card balance is 0. The card itself is issued by JR East and is a Suica commuter card with a 1 month pass and the balance turned ‘off’, that is to say that TP Card numbers are ‘block listed’ for any recharge function.

The TP Card shows a way forward for Transit IC (Suica, PASMO, etc.) that started with Welcome Suica: more flexible options, discount and special passes for all kinds of users and uses. The next important step will be getting these, along with 2 in 1 Region cards, on mobile.


Is Apple Pay Overrated?
What technology works and doesn’t work for people in everyday life is always a fascinating subject. Mike at Tech702 asks a good question: is Apple Pay overrated? For Mike in daily Las Vegas life, yes Apple Pay is completely overrated. I saw much of the same during my Salt Lake City summer stay in 2018, although Smiths grocery had just started taking Apple Pay at the time. Did they pull the plug? It’s a good reminder that retail chains and banks in America switch loyalties without notice and the payments infrastructure is all over the place, witness Targets changing their accepted credit card lineup when I was in Salt Lake.

Some snobby Europeans like to look down on America and other places they perceive as not being up to speed with contactless payments. The truth is when Japanese journalists like Junya Suzuki take a good look at state of European contactless payments, it’s not so great either. The state of contactless payments around the world is still very much a touch and go thing.


iOS 15 Beta 3 Score Card
iOS 15 reached beta 3 last week. Here’s how it’s panning out:

Apple Maps new cartography continues to evolve. Japanese roads were decolorized, railway lines are different and drawn in harder to see light blue. Overall I think dark mode is works better than light mode (better contrast, easier to pick out details, etc.). See Justin O’Beirne‘s page for details. Transit Notifications are also improved slightly but still only work for surface transit. Forget about using it on the subway. Despite the fancy redecoration Apple still refuses to label the Sea of Japan (since 2020). Unnecessary, dumb and insulting.

Weather App: still only shows temperature maps which I think are useless. Forget about precipitation which is the killer feature for any weather app worth using. Air Quality doesn’t apply to Japan as there is no national standard.

Last but not least, Apple Music and Apple TV are basically useless in iOS 15 b3, more 3rd party app are crashing too. Hopefully b4 will be stable.


Ossan’s Love in Hong Kong?
Just when I thought the Ossan’s Love franchise had run out of gas, it seems the Hong Kong version of the Japanese series is also a hit and making waves instead of giggles, although calling it “sugar-coated marijuana” is pretty funny. If the Hong Kong version is anything like the Japanese one, it is sugar-coated silliness. For my money the other Japanese hit gay themed series ‘What did you eat yesterday?‘ was not only a lot more engaging, funny, serious and thought provoking, it was also useful as a cooking show. Kinda like Shinya Shokudo (Midnight Diner) with better interior decorating and worth the time investment.

Have a good week and enjoy the Olympics.