Another part of the world where I need to use a VPN

I spent last week in London with my family–yes, actual vacation-esque time! It was great, except for when I was trying to keep up with news from back home.

My first stay across the Atlantic since the European Union’s General Data Protection Regulation went into force May 25 brought home the unpleasant reality of some U.S. sites’ continued struggles with this privacy law. And instead of experiencing this only briefly in a Virtual Private Network session on my iPad, I got a full-time dose of it.

The biggest problem is sites such as the Chicago Tribune and the Los Angeles Times that have blocked all European access instead of providing the privacy controls required by the GDPR.

That’s not the fault of the GDPR–its provisions were set two years ago–but is the fault of Tronc, the long-mismanaged news firm formerly known as Tribune Publishing. Tronc could afford to pay $15 million to former chairman Michael Ferro after he quit facing charges of sexual abuse but apparently couldn’t afford to hire any GDPR-qualified developers. I hope the LAT can fix that now that Tronc has sold the paper, but it may be a while before I can link to any Tribune stories without annoying European readers.

With my client USA Today, the issue isn’t as bad: It provides EU readers with a stripped-down, ad- and tracking-free version of the site, which you can see at right in the screenshot above. What’s not to like about such a fast, simple version? Well, I can’t see comments on my own columns, and simply searching for stories requires switching to Google… by which I mean, Bing, since right-clicking a Google search result doesn’t let you copy the target address, and clicking through to a Google result will yield an EU-specific USAT address.

The simplest fix for these and other GDPR-compliance glitches was to fire up Private Internet Access on my laptop and connect to one of that VPN service’s U.S. locations–yes, as if I were in China. It seems a violation of the Web’s founding principles to have to teleport my browser to another continent for a task as simple as reading the news, but here we are.

Advertisements

Bandwidth battles in China

SHANGHAI–Crowded gadget trade shows like CES and Mobile World Congress usually entail connectivity complaints. But when you put the gadget show in China, you level up the complexity, thanks to the need to run a Virtual Private Network app to preserve access to U.S. sites blocked by China’s Internet filters.

In theory–and in every PR pitch from a VPN service advertising itself as the surefire way to stop your ISP from tracking your online activity–that should add no difficulty to getting online. You connect, the VPN app automatically sets up an encrypted link to the VPN firm’s servers, and then you browse as usual.

PIA VPN exit-server menu

The reality that I’ve seen at CES Asia this week while using the Private Internet Access Windows and Android apps has been a good deal less elegant.

  • Often, the PIA app will connect automatically to the best available server (don’t be like me by wasting selecting a particular U.S. server when the app usually gets this right) to provide a usable link to the outside world. But it’s never clear how long that link will stay up; you don’t want to start a long VoIP call or Skype conference in this situation.
  • On other occasions, the app has gotten stuck negotiating the VPN connection–and occasionally then falls into a loop in which it waits increasingly longer to retry the setup. Telling it to restart that process works sometimes; in others, I’ve had to quit the app. For whatever reason, this has been more of a problem on my laptop than on my phone.
  • The WiFi itself has been exceedingly spotty whether I’ve used my hotel WiFi, the Skyroam Solis international-roaming hotspot I took (a review loaner that I really, really need to send back), the press-room WiFi or, worst of all, the show-floor WiFi. Each time one of those connections drop, the VPN app has to negotiate a new connection.

If you were going to say “you’re using the wrong VPN app”: Maybe I am! I signed up for PIA last year when the excellent digital-policy-news site Techdirt offered a discounted two-year subscription; since then, my client Wirecutter has endorsed a competing service, IVPN (although I can’t reach that site at the moment). Since I don’t have any other trips to China coming up, I will wait to reassess things when my current subscription runs out next April.

Also, it’s not just me; my friend and former Yahoo Tech colleague Dan Tynan has been running into the same wonkiness.

To compound the weirdness, I’ve also found that some connectivity here seems to route around the Great Firewall without VPN help. That was true of the press-room WiFi Thursday, for instance, and I’ve also had other journalists attending CES Asia report that having a U.S. phone roam here–free on Sprint and T-Mobile, a surcharge on AT&T or Verizon–yielded an unfettered connection.

At the same time, using a VPN connection occasionally left the CES Asia site unreachable. I have no idea why that is so.

What I do know is that I’ll very much appreciate being able to break out my laptop somewhere over the Pacific in a few hours and pay for an unblocked connection–then land in a country where that’s the default condition.

Yes, I still use Flickr

My oldest social-media hangout is no longer the property of my biggest client’s corporate parent, and I am okay with that.

Flickr Android appLast night brought word that Verizon’s Oath division had sold Flickr to the photo-sharing site SmugMug. Jessica Guynn’s USA Today story breaking the news calls Flickr a “faded social networking pioneer,” which is both uncomplimentary and correct.

My Flickr account dates to 2005, and over the subsequent 13 years I’ve seen Flickr suffer a lot of neglect–especially during Yahoo’s pre-Marissa Mayer years, when a succession of inept CEOs let Instagram run away with the mobile market.

Yet not only have I kept on uploading, editing and captioning pictures on Flickr (edit: with the occasional lag in sharing anything), since 2011 I’ve paid for a Flickr Pro membership. That first got me out from under the free version’s 100-megabyte monthly upload cap, but since Yahoo ditched that stingy limit in 2013… well, it’s a tiny monthly cost, and I like the idea of having a social-media account on which I’m not an advertising target with eyeballs to monetize.

Meanwhile, Flickr has continued to do a few things well: welcome both pictures taken with a standalone camera and those shot with a phone; make it easy to present and browse albums of photos (“photosets” if you’re old); support Creative Commons licensing so I can permit non-commercial sharing but prohibit commercial reuse (which required USA Today to pay me for one Flickr photo); and let people share their work in pools (for instance, Greater Greater Washington’s, which has occasionally resulted in my shots getting featured on that blog).

Instagram, where my active presence only dates to February of 2017, is easy, fun and great for engagement–slap #travel on a shot and you’ll get 15 likes in an hour. But it doesn’t do those things. And it’s a Facebook property, which raises the question of just how much of my online identity I need on that company’s servers.

Google Photos offers a fantastic private-backup service, but it, too, belongs to a company that already hosts much of my digital life.

SmugMug hasn’t said much about its plans for Flickr beyond promising not to merge Flickr and SmugMug. But unlike Oath, it has no other lines of business besides photo sharing. And as a privately-owned firm that hasn’t taken outside investments, SmugMug doesn’t need to meet impatient expectations from Wall Street or Silicon Valley. I feel pretty good about this transition, and I doubt I’ll have any big hangups about paying for my next Flickr Pro bill.

My Facebook-apps privacy audit

At some point, I was going to revisit my Facebook-privacy settings, but this weekend’s news about Cambridge Analytica’s exfiltration of some 50 million Facebook users’ data via a personality-quiz app moved up that timetable a bit.

That also sped up my overdue reacquaintance with my Facebook app settings–something I hadn’t paid much attention to since I last added any apps to my profile. The how-to I wrote in late 2013 about Facebook privacy waved away that angle: “Most of the options under the ‘Apps’ heading only apply if you add applications to your profile.”

Alas, I had added a few apps to my profile, especially in the first few years I had an account. Make that a few dozen apps. They fell into a few categories:

  • Apps or site logins (Facebook lists both on the same page) that I didn’t remember adding but could imagine reasons to have done so.
  • Apps that I had once appreciated but hadn’t touched in years (and which, per the new policy Facebook CEO Mark Zuckerberg announced Wednesday, would now be cut off).
  • Apps that I still appreciated but which had more access to my data than I recalled granting.
  • Apps that I recognized and which didn’t demand information beyond the public-on-Facebook aspects of my profile.

The last category aside, it was an embarrassing exercise. How had I allowed so many apps to see my friends list? Aren’t I supposed to know this stuff?

After that humbling moment, I removed about two-thirds of the apps, with those offering discernable utility cut down to seeing only my basic profile information. I should have done that years ago. But so should most of us.

Bear in mind that I’ve never treated Facebook as a friends-only space. I know that screenshots exist; I hadn’t had a Facebook account for more than a year and change before a now-defunct D.C.-journalism-gossip site posted a sceengrab of it. If I post an update, I try to write it so it won’t look too incriminating when quoted elsewhere out of context.

During this overdue investigation, I also looked at the “Apps Others Use” category that Facebook vaguely explains as a way for friends to bring your info to apps they use. I’d unchecked all 13 of those options, but after seeing most activated in a dummy account I keep for fact-checking purposes–and having people ask if this didn’t mean that Facebook apps could still grab data from friends–I had to ask Facebook to clear this up.

The less-than-conclusive answer I got over two e-mails: That cluster of settings dates to “before we made significant changes to how developers build apps on Facebook” that eliminated its functionality, except that it “still addresses some limited situations like photo sharing.”

So it appears that this absurdly wealthy company has trouble updating and documenting its privacy interface. That’s yet another problem Facebook needs to solve.

How I screwed up a Strava story

A story I wrote weeks ago started to go bad last Saturday, before it had even been published and posted.

That’s when an Australian student named Nathan Ruser tweeted out an interesting discovery: The Global Heatmap provided by the activity-tracking social network Strava revealed the locations of both documented and secret foreign military bases, as outlined by the running and walking paths of service members that Strava’s apps had recorded.

The feature I had filed for the U.S. Geospatial Intelligence Foundation’s Trajectory Magazine–posted Wednesday and landing in print subscribers’ mailboxes this week–also covered Strava, but in a different light.

As part of an overview of interesting applications of “geoint,” I wrote about Strava Metro, the database of activities over time available to local governments and cyclist-advocacy organizations (but not commercial buyers). In that part of the story, I quoted Strava executive Brian Devaney explaining the company’s efforts to keep its users anonymous in both Metro and the heatmap.

Looking at Strava from the perspective of “will this show where people live?”, I didn’t even think about how Strava users might unwittingly map temporary workplaces abroad. I had my chance to clue in on Strava’s military user base from looking around D.C.–that’s Joint Base Andrews precisely outlined southeast of the District in the screengrab above–but I failed to draw any conclusions from that.

Apparently, so did everybody else in the months after the Nov. 1 debut of the heatmap, heralded in a post by Strava engineer Drew Robb that touted how “our platform has numerous privacy rules that must be respected.”

You can blame Strava for making it difficult to set a geofence around a sensitive area. But it’s less fair to hound a privately-run service built to share workout data–remember, it calls itself “the social network for athletes”–for not maintaining a database of classified military locations to be blacked out on its heatmap.

After Ruser’s first tweets, however, developer Steve Loughran poked around Strava’s system and found that he could correlate the heatmap with the records of individual people by uploading a fabricated GPS file of a workout to spoof the site into thinking he’d jogged along the same path. That’s a deeper problem, and one that appears to be Strava’s fault.

After I asked Strava to explain these new findings, spokesman Andrew Vontz pointed me to a Jan. 29 post by CEO James Quarles pledging action to make privacy a simpler choice in its system.

I hope that they do so forthwith. Meanwhile, a fourth of a magazine feature with my name on it (at least it’s the last fourth!) looks dumb. It’s true that every other journalist to write about Strava between November and last week also missed these angles–but I may be unique in having a positive piece about Strava land this week. That’s not a great feeling.

Another experiment in spending Facebook’s money on a Facebook ad

Last week, Facebook offered me a chance to play with the house’s money: a $10 ad credit to boost my ode to RFK Stadium, which the social network’s algorithms had seen drawing an outsized audience on my page there.

Facebook RFK-post ad reportLike the last time I got this freebie, I could target people for the ad by geography, interests (as perceived by Facebook), age range and gender. Unlike the last time, I got this warning, Facebook’s belated response to learning that its self-service ad system was not magically bigotry-proof: “Ad sets that use targeting terms related to social, religious or political issues may require additional review before your ads start running.”

The logical demographic to target for a post about RFK would have been the greater Washington area–but Facebook didn’t present any such option. In a hurry and on my phone, I told it to target users in D.C., Bethesda, Silver Spring, Alexandria, Arlington and Fairfax.

Then I stuck with the default age range of 21 to 65+ and added the following interests: music festivals, Washington Redskins, Washington Nationals, D.C. United and local history. RFK being its dilapidated self, it’s too bad “peeling paint” wasn’t a choice.

Three days later, I got my results: The ad reached 847 people and yielded all of 26 clicks through to my post here. That leaves me nowhere near Russian propagandists in using money to get people’s attention on Facebook–even if in terms of reach I fared about as well as Sens. Mark Warner (D.-Va.) and Amy Klobuchar (D.-Minn.) did in their test purchase of ads to lure Hill staffers and reporters to a fake Facebook group.

But while I still see no reason to spend my own money on Facebook ads, I hope the site continues to throw out these freebies. It’s fascinating to see how the marketing machinery works from the inside; that alone easily justifies the time I put into my Facebook page.

A Safari upgrade I like: accountability for resource-hogging pages

Apple is a few days away from shipping its next big update to its desktop operating system, but people running its current and previous macOS releases can already benefit from one of macOS High Sierra’s components.

Yes, I’m writing something nice about Safari for a change.

The browser that I’ve spent much of the past few years cursing at for its weak memory management and general inability to let me run the computer instead of the other way around got a welcome, pre-High Sierra update Tuesday.

The most talked-about feature in Safari 11.0 may have been its ability to automatically silence sites that without invitation play videos with audio on (yes, I know that includes some of my freelance clients), followed by its blocking of cross-site ad tracking. But the option I’m enjoying most at the moment is Safari 11’s ability–stashed in a new “Websites” tab of its preferences window–to open every page at a given site in the minimalist Reader view.

Where ad blockers are often clumsy and random, Reader can be an elegant weapon against sites that demand attention with junky ads and auto-playing media. It might also spare you from a particularly piggy page locking up your Mac with a demand for more memory than the system can allocate.

“Isn’t that the system’s damn job,” you say? Yes, it is. Fortunately, Safari 11 also now seems able to quash a site in the middle of a memory binge, to judge from the banner I saw atop a page advising me that Safari had reloaded it “because it was using significant memory.”

I’m not going to tell the Safari developers to kick back with a nice vacation – since this update, the browser has already forced a reboot when it somehow refused to restart or fully quit–only a week after I’d had to go through the same routine with Google’s Chrome. But at least I don’t feel like this app is conspiring against me.