Android 12 early impressions: improvement via imprecision

Two weeks after I installed Android 12 on my aging, yet well-maintained Pixel 3a smartphone, the biggest selling point of this release is not the self-tinting interface colors that Google talked up this summer. Instead, I’m appreciating a new option to leave apps a little fuzzier about my whereabouts.

In adding the ability to deny an app access to your precise location, Android 12 returns to the earliest days of Google’s mobile operating system, when an app could ask for either “fine” or “coarse” location. But it also reflects what we’ve learned since then about how location-data brokers will embed location-tracking code in other apps, often without disclosure, and then exploit that harvested info to build vast databases.

Photo shows the Android 12 Settings app open to a page denying the Today Weather access to my precise location; in the background, the print edition of the Nov. 12, 2021 Washington Post reveals a bit of the weather forecast.

So my first move after my phone rebooted into Android 12 was to take the GPS keys away from some apps. I started with one I already paid for, Today Weather. Why bother depriving a paid-for and therefore ad-free app of my exact location? Because the forecast shouldn’t change that much between here and a mile away–but keeping my precise coordinates from a third party means they can’t get exposed if that firm suffers a data breach later on.

My second move was much less exciting, in that I swapped out some of the default screen widgets: I like scallops and I like having a large display of the time on my home screen, but I don’t like the scallop-shaped clock widget that comes standard in Android 12.

My first software-update-induced moment of confusion, meanwhile, came a day after I installed this update when I mashed down the power button to invoke the Google Pay shortcut to choose a different stored credit card for a purchase–and nothing happened. That’s because Android 12 moved that from the power-button menu to the Quick Settings menu. Broken muscle memory aside, I get that relocating this setting from a non-obvious spot to a menu that people use all the time should make it more discoverable.

Finally, one Android 12 detail that’s gotten less attention than the others in press coverage just might save me from waking up with a phone at 10% of a charge: When you plug a phone into a charger, a wave of sparkles washes up the screen to confirm that current is flowing to the device. Considering my own record of inattentive device charging, that’s a feature I could have used 10 years ago.

Not cool: freezing my credit after yet another data breach

The text message I was especially uninterested in receiving hit my phone Sunday morning. “T-Mobile has determined that unauthorized access to some business and/ or personal information related to your T-Mobile business account has occurred,” it read. “This may include SSN, names, addresses, phone numbers and dates of birth.”

T-Mobile’s texted non-apology for a data breach affecting tens of millions of subscribers went on to note that “we have NO information that indicates your business or personal financial/ payment information were accessed,” as if those data points were the ones I couldn’t reset with a phone call or three.

Instead, I got to spend part of an evening at the sites of the three major credit bureaus to freeze my credit, just in case any recipient of the stolen T-Mobile data was going to try to go to town on my data. In the exceedingly-likely event that you, too, will have to clean up after a corporation’s carelessness with your data, here’s how that went down.

At Experian, at least I didn’t have to clutter my password manager with another saved login. After providing my name, address, complete Social Security Number, birth date and e-mail, the site asked me to verify my identity by answering a personal-data pop quiz (for example, picking previous cities of residence or a cost range for my monthly mortgage payment). After passing that test and starting the credit freeze, Experian generated a 10-digit PIN I could use for subsequent access.

Things were not quite as easy at TransUnion. I had to create an account and provide almost as much personal information as Experian demanded, except that TransUnion only required the last four digits of my SSN. On the other hand, the sign-up workflow included a tacky invitation to sign up for marketing spam: “Please send me helpful tips & news about my service, including special offers from TransUnion and trusted partners!” The site asked me to pick a security question from a preset menu, none of which would have been too difficult for a stranger to research had I answered them truthfully, and then verify my identity in another personal-data quiz.

The company that had itself lost my data before, Equifax, offered the easiest on-ramp. After coughing up another mouthful of personal data–including my full SSN as well as a mobile number–I was able to create an account and, after clicking through a link sent in an account-confirmation e-mail, put a freeze in place. I did not have to vouch for my identity by picking a ballpark figure for my mortgage payment or identifying a phone number I’d used before… and I’m not sure that’s a good thing.

I do know it’s not a good thing that T-Mobile kept information like Social Security Numbers that it could not have needed after checking my credit–a failure its apologies have yet to acknowledge. Firing them for that data hoarding, compounded by weak security, might offer a certain emotional closure. But I have no reason to think that switching to AT&T or Verizon and then handing over the same personal data wouldn’t open me to the same risk, because I’m struggling to see anybody at the giant telcos who gives a shit about data minimization.

Lessons from transatlantic travel during the never-ending pandemic

Returning to Europe for the first time in close to two years reminded me of some aspects of EU life that had faded from my mind, like the endless series of GDPR-mandated privacy dialogs marring familiar news sites.

But my visit to Estonia on a sponsored press trip this week also exposed a newer difference between life here and on the other side of the Atlantic: how people are responding to the pandemic that’s now nearing its third year.

While I did not have to show proof of vaccination or a negative test result to board my flight (I took a PCR test two days prior to departure anyway and got a negative result the evening prior), I didn’t take too many steps after landing in Frankfurt before being asked for those documents to get into a Lufthansa lounge.

In Estonia–where the positive-test rate is lower than here in Virginia, while the vaccination rate is also lower but rising rapidly–I had to present my vaccination card once again to check into the hotel in Tallinn.

I faced more documentation requests to get into restaurants, a museum and a government office building. I’d call it a papers-please ritual except the Europeans among me could display EU-spec digital certificates on their phones that could be verified with a scan of a QR code, while I was left showing my paper card or a photo of it. This left me feeling like a health-tech hick, especially when one official looked at that image and said something like “I’ll have to trust you.”

(I’m told there’s an effort to build out a digital-vaccination-certificate standard across U.S. states, with California already supporting it; yes, consider the story assignment received.)

Mask compliance, however, did not seem great in the few mostly-empty restaurants and bars I ducked into; I did not linger in any crowded indoor spaces unmasked because I felt like I was pushing my luck enough already.

(For the same reason, I bought a BinaxNow antigen test at a CVS this morning and got yet another negative result.)

I had to present a negative test to board my flight home Thursday morning. That itself got checked twice, once before I could get a boarding pass and again before the gate for my flight back to the States from Munich.

And then after a long day of travel, I returned to a United States in which most people never have to produce any sort of confirmation of vaccination or a recent negative test–and some people seem violently opposed to any such mandate, even if that rugged individualism in the face of a pandemic just might put them in the grave.

My next in-person tech conference will have to wait a little longer

Next week was going to feature a conference badge and triple-digit temperatures, and now the only way I’ll get any of those things is if the forecast for D.C. turns out to be completely off.

Barely a month after I’d booked flights and a (refundable) hotel room for the Black Hat security conference, convinced that this security gathering in Las Vegas would represent my first in-person conference since February of 2020, I cancelled those bookings this week. Instead of flying to Nevada to take notes in the middle of a physical audience and then network in person at a series of receptions, I’ll follow the briefings online and then connect with nobody new as I have dinner at home.

It wasn’t any one thing about this conference happening in the middle of a not-yet-over pandemic that led me to bag this trip, even though I’ve been fully vaccinated since late May; it was all the things.

First, while I would expect most information-security professionals to evaluate their risks intelligently and therefore have gotten vaccinated long ago, there’s always going to be the exceptions.

Second, Black Hat is like everything else in Vegas in August in that it must exist in a series of air-conditioned bubbles. And while I wouldn’t have a problem wearing a mask while watching briefings, staying masked-up is a lot harder at a conference reception.

Third, Vegas has a giant tourist demographic that self-selects for poor risk management, raising the odds of me sharing an elevator or check-in line with some hard-partying idiot who has made pandemic denial part of his personal political brand.

Fourth, the city itself has a depressingly low vaccination rate, with only 41% of Clark County residents fully vaccinated. Seeing that many people spend that many months declining to use the best tool we have against the pandemic does not make me want to go to their city and spend my money.

The odds remain pretty low, as I understand them, that I would pick up the Delta variant of the novel coronavirus over those two days and change in Vegas. But when one of the people I’d see afterwards would be my not-yet-vaccine-eligible 11-year-old daughter, I can’t justify the risk posed by what strikes me as an especially bad scenario compared to any of the events I’m contemplating for later this year.

So even while I have resumed some business travel, it’s going to be a little while longer before I come home with a new conference badge to add to the collection that’s now been collecting dust for a year and a half.

Two ways your mailing list could be less terrible

Monday’s USA Today column on cleaning out an overloaded Gmail inbox required me to spend an unpleasant amount of time scouring my own inbox to find the most prolific senders. The experience left me mostly convinced of the grotesque selfishness of many e-mail marketing types, but it also yielded some grounds for optimism.

Photo shows a series of bulk-mail stamps

As in, the user experience with some of these companies’ mailing lists let me at least think that they recognized concepts like cognitive load, limited attention span and finite storage space. Here are two practices in particular that I liked:

  • Don’t send promotional e-mails from the same address as order confirmations. This makes it so much easier to find and bulk-delete the sales pitches that no longer carry any relevance–or, if you use Microsoft’s Outlook.com, to set up a “sweep” filter that automatically deletes those messages after a set period of time. Ecco, Macy’s and Staples all seemed to follow this polite, filter-friendly custom.
  • Let me choose how often to get emails–a message a day is often just clingy, but one a week could be less obnoxious–and let me specify what kind of pitches might interest me. Best Buy (“Receive no more than one General Marketing email per week”) and Macy’s (“Let’s Take It Down A Notch—Send Me Fewer Emails, Please”) get the frequency thing right, while L.L. Bean not only lets people choose between weekly, monthly or twice-monthly frequencies but invites them to request only messages about departments like Men’s, Home, or Fishing.

I’d like to close by writing something like “see, it doesn’t have to be this hard”–but a look at my Gmail inbox shows that some of my visits to the mail-preference pages of some retailers haven’t led to them putting a smaller dent in my inbox. I guess they’d prefer I click their unsubscribe link–or use Gmail’s “block” command.

Secondary thoughts on working yet another primary election

Tuesday had a lot in common with the four days I spent last year working as an election officer for Arlington County. Just as in March, June, July and then November, I staggered through a sleep-deprived day that started with a 5 a.m. arrival at the polling place and didn’t end until around 8:30 p.m. As in all of those elections except last March’s Democratic presidential primary, the day left me with a fair amount of downtime to fill with reading a book and chatting with my fellow poll workers. And once again, it felt deeply fulfilling to help my fellow citizens do their part to hire candidates for temporary, taxpayer-funded jobs.

Lilies bloom in the foreground, while the background shows election signs in front of a community center in Arlington, Va.

But since November 3, the subject of election security–a topic I’ve been covering on and off for most of the last two decades–has fallen prey to fever-dream conspiracy theories among Donald Trump followers who refuse to believe that the former president was fired by the largest electorate in American history.

I am tempted to give this post over to yet another rant denouncing those advocates of Trump’s Big Lie–as well as the sedition sympathizers in Congress who kept pandering to those dead-enders after the deadly riot at the Capitol January 6.

But instead, I will talk about my workday Tuesday. Here are some things you should know about how we did our part in Virginia’s primary elections, which I hope map with how elections are run wherever you may read this:

• Trust paper. Arlington uses hand-marked paper ballots that each voter feeds into a scanner that will read the ballot if it’s upside-down, right-side up, forwards or backwards. (We also have ballot-marking devices for voters with disabilities.) That paper trail then becomes part of the risk-limiting audit that Virginia now conducts after each election; the audit run after November’s election (but not reported out until March) confirmed that the votes as scanned accurately recorded how people marked their ballots. If your state is among the minority to still use “direct-recording” machines that leave no paper trail (hello, Texas), direct your ire at the elected officials who haven’t fixed that problem.

• Don’t confuse voter identification with TSA Pre. I checked in one voter who did not have a Virginia driver’s license but did appear in our poll-book app as a registered voter, and I saw other voters show up with the same scenario. That was understandable, as the Virginia DMV is struggling to catch up with a pandemic-inflicted backlog. It would be unconscionable to kick those people out of polling places when one government bureaucracy can’t issue ID cards fast enough while another has already confirmed their eligibility. I should note here that this voter brought their voter registration card; should you get stuck in this situation, bringing that other piece of paper will save a tired poll worker a little time.

• Expect software to fail; design for resilience. The most reassuring paper product I saw Tuesday was the printout of the entire pollbook for our precinct, which meant that we did not have to rely on our pollbook app to stay up all day. Fortunately, that software did work, by which I mean it functioned aside from the feature that was supposed to scan the bar code on the back of a Virginia driver’s license but instead failed at least nine out of 10 times in my experience.

• Check everything at least twice. My day started with opening packs of ballots and counting them, 10 at a time. Each shrink-wrapped pack should have held 100 ballots and did, but we checked that anyway–so that there would be no discrepancy between the number of ballots handed out and the number of voters checked in. We also verified each total at the end of every hour; each time, there was no surplus of voters or ballots. And then we made one last check after polls closed to confirm that we had handed out exactly one ballot per voter.

If the above sounds inefficient, you read this right. Election administration has to suffer some inefficiency to accommodate the conflicting demands of allowing voters secret ballots and yielding an auditable paper record. Deal with it.

Google’s useless-to-the-self-employed “External” label: another tiny bit of freelancer erasure

The Gmail app on my phone and in my browser looks a lot more yellow when I switch to my work account, and it’s all Google’s fault. Sometime in the last week or so, Google began slapping an “External” label in a shade of deep yellow on every message sent from somebody not in my organization.

Which, since I am self-employed, constitutes the rest of the population of Earth, plus every bot and script capable of sending me e-mail. Google describes the security measure it began enforcing in late April for Google Workspace accounts–the business accounts it once gave away for free as Google Apps, then turned into a paid service in 2012, then renamed to G Suite in 2016, and then renamed once again in 2020 to Workspace–as its way to help employees “avoid unintentionally sharing confidential information with recipients outside of their organization.”

Photo shows a spam message purporting to be from Comcast with Gmail's yellow "External" label, as seen on a Pixel 3a phone in front of graph paper.

But for solo practitioners who have no employees, it’s useless. It cannot teach me anything except that even when self-employed, I can still fall victim to IT department control-freakery–and that freelancers remain invisible to many business app and service developers.

(Fun fact about the obvious phishing message in the image here: Gmail’s spam filter did not catch it.)

A support note from Google indicates that Workspace users can turn off this warning. It does not explain why I don’t see that in my own admin console. But in a Reddit thread–once again, that site proved to be an underrated source of tech support–another Workspace user said legacy free accounts don’t get that opt-out. A frequent Twitter correspondent with a grandfathered free account has since confirmed that he doesn’t have this setting either.

I suppose Google would like me to upgrade to a paid account, but I’m already paying: $19.99 a year for 100 GB of storage. The cheapest Workspace plan would only give me 30 GB and cost almost four times as much. Since Google apparently can’t be bothered to document this new limit to free accounts, the answer there is a hard nope.

All the time I’ve sunk into investigating this problem has not, however, been without benefits. Thanks to some hints from my fave avgeek blogger Seth Miller, I figured out how to disable the also-useless default warning about replying to external e-mails. To do that, sign into your admin console’s apps list page, click Calendar, click its “Sharing Settings” heading, click the pencil icon that will appear to the right of “External Invitations,” click to clear that checkbox, and click “Save.”

Although Calendar is clearly not Gmail, this settings change seems to apply in the mail app too. At some point while I was futzing around with Workspace settings, I also found an off switch for the comparable warning about sharing Google Docs with outsiders–but now I can’t find it, so maybe that opt-out is now yet another feature reserved for paying users but not documented accordingly.

Smartphone spring cleaning: delete some apps, pay for others

By keeping me at home for so much of the past year, the pandemic has prolonged the life of my 2019-vintage Pixel 3a phone to an unnatural degree. But the cushy, stay-home lifestyle this Android device has enjoyed has not prevented one sign of smartphone age: a dwindling amount of available storage.

The easiest way to free up a bunch of space is to get rid of apps you haven’t been using. In any version of Android, the Play Store should let you sort your list of installed apps by when they were last used, but the current Android 11 provides a more direct reminder: If you don’t use an app for long enough, the system will automatically reset its permissions to zero.

Screenshot of Android's list of apps with automatically-removed permissions

The resulting lists of apps with removed permissions reminded me of how long I’d used a bunch of travel apps, but they’ve also spotlighted apps that I had lost interest in using even before the pandemic.

But as I’ve been removing various apps from my smartphone, I’m also not only adding some but paying for them.

That’s not a matter of storage space but privacy. As I’ve realized in covering privacy fears over phone apps–as in, the evidence-starved assertion that TikTok is uniquely dangerous–ad-supported apps can allow for the collection and subsequent resale of more data than you might imagine.

The simplest way to solve that concern is to pay for the app–either by upgrading to an ad-free version with an in-app payment (as I did last year with Flightradar24), or by switching to a competing app if the title in question doesn’t allow that option.

And that’s why I finally have a new weather app: After years of relying on Yahoo Weather and then starting to get grumpy over the space devoted in its interface to ads, I finally deleted it. In its place, I installed Today Weather, the pick of multiple reviewers, and then paid the $6.99 lifetime fee for ad-free operation with premium features enabled. Now I have a better set of forecasting tools without any ads and the tracking that goes on behind them.

And yes, this app takes up about a third of the space that Yahoo Weather did. On an aging device like my Pixel 3a, every little byte counts.

Reminder: Don’t overlook Reddit for crowdsourced tech support

Two weeks ago, I spent too much time on T-Mobile’s site because I didn’t go to Reddit’s first. I was trying to opt out of my wireless carrier’s new targeted-advertising scheme, but I could not find any way to do so when logged into my business account–and like any dummy perplexed by an unintuitive interface, I kept trying the same thing over and over instead of asking for help.

Screenshot of the icon for Reddit's r/tmobile subreddit: Snoo the alien, but wearing a magenta T-Mobile t-shirt under a jacket while holding a cell phone.

The answer I needed was waiting in a thread on Reddit’s r/tmobile subreddit, in which one T-Mo customer replied to a comment about the unhelpfulness of the carrier’s site for this opt-out by saying “I had to use the app and eventually found it in the privacy section.” As in, the T-Mobile app I’d had on my phone all along but had forgotten about, and which coverage I’d read about this issue had not clarified would be the only way for a business customer to adjust this setting.

(In case you’re still puzzling this through, open the app, sign in, tap the “More” button at the bottom right, and then tap “Advertising & Analytics.”)

This wasn’t the first time I’ve found Reddit’s company- or service-specific forums exceptionally useful for tech support. While smart companies maintain their own forums where people can sort out problems and share tips, Reddit has three things going for it that many other discussion boards lack: scale, a search that works, and crowdsourced measures of the value of a comment and its author.

Reddit upvotes, downvotes and the karma score they feed into can be abused like any other social-media system to protect toxic behavior–it was only last June that Reddit nuked r/The_Donald and some 2,000 other subreddits for repeated hate-speech violations. (Of course, there’s a subreddit on which you can debate those risks of abuse at length.) But in the context of a subreddit set up for users of the same app, service or gadget to solve each other’s problems, these collective accountability features seem to function well enough. I also keep wondering if Twitter could use some version of a karma score–and that, decades ago, Usenet could have had one as well.

Plus, many of these product-specific subreddits also feature wikis maintained by their more-frequent contributors, something you almost never see at the forums a company maintains for its customers.

In addition to T-Mobile tech support, I’ve found Reddit a good resource for help with my HP laptop, and some of my earlier smartphones. Reddit’s also proved useful as a journalistic resource when I’ve needed to find people using a service with limited availability, like Verizon’s 5G Home fixed-wireless service or SpaceX’s Starlink satellite broadband. I try to pay that assistance back by showing up in threads other people have started about my own stories–yes, “robpegoraro” there is me–and offering to answer whatever questions people have.

Writing this post made me realize I’ve probably neglected Reddit’s potential to help me puzzle through one app I use all the time: this blogging platform. Maybe r/Wordpress can help me feel less grumpy about the Block Editor?

Is it iPadOS 14 or iPadOS 13.8?

It’s been almost a month since I installed iPadOS 14 on my iPad mini 5, and not much about my tablet-computing experience since has reminded me of that.

Why? Compare Apple’s list of new iPadOS 14 features with its brag list for iOS 14: Apple tablets don’t get home-screen widgets or the App Library, even though their larger displays might better fit those interface changes. Apple’s new Translate app, a privacy-optimizing alternative to Google’s? iPhone only for now. Even emoji search in the keyboard is confined to Apple’s smaller-screen devices.

Like earlier iPad releases, iPadOS 14 omits the basics of weather and calculator apps. I guess Apple still couldn’t find a way “to do something really distinctly great,” as its software senior vice president Craig Federighi told tech journalist Marques Brownlee in the least-persuasive moments of a June interview.

There’s also still no kid’s mode that would let a parent hand over their iPad to a child and have it locked to open only designated apps. The continued absence of this fundamental feature–even the Apple TV supports multiple user accounts!–is especially aggravating after so many American parents have spent the last eight months mostly cooped up at home with their offspring.

Apple did add a bunch of fascinating new features in iPadOS 14 for Apple Pencil users–but my iPad mini 5 and my wife’s iPad mini 4 don’t work with that peripheral.

This new release has brought lesser benefits that I do appreciate. Incoming calls in FaceTime, Google Voice, and other Internet-calling apps now politely announce themselves with a notification at the edge of the screen instead of indulging in the interface misanthropy of a full-screen dialog, and Siri shares this restraint with screen real estate. Safari catches up to Chrome by offering automated translation of their text and surpasses Google’s browser with a privacy-report summary, both available with a tap of the font-size button. I can finally set default mail and browser apps–but not navigation, the area in which Apple remains farthest behind Google. And a set of new privacy defenses include the welcome option of denying an app access to my precise location.

But as nice as those things are, they don’t feel like the stuff of a major annual release–more like the pleasant surprises of an overperforming iPadOS 13.8 update. And they certainly don’t square with what you might reasonably expect from a company that reported $33.4 billion in cash and cash equivalents on hand in its most recent quarter.