I remain a WhatsApp curmudgeon

My six days in Barcelona for MWC had me using one app far more than usual: WhatsApp. But while I often delight in seeing people route their communications out from under the control of incumbent telecom operators, every time somebody asked me to message or call them in that Meta-owned app, I felt a little more grumpy.

That’s because WhatsApp continues to lack a feature found on any 1970s Trimline phone or on a turn-of-the-century, five-line-display cell phone: You cannot text or call a random set of digits unless you first let this app ingest your entire contacts list.

My phone's screen shows the Android system permissions dialog asking if WhatsApp should have access to my contacts, with MWC attendees in the background.

As WhatsApp says in two of the more shameful dialogs around: “To make a call, allow WhatsApp access to your contacts” and “To help you message friends and family on WhatsApp, allow WhatsApp access to your contacts.”

I got tired years ago of apps making sweeping demands for my data and don’t see any reason for contacts upload to be a prerequisite to pinging somebody I just met and may never run into again, so I keep declining that request.

WhatsApp’s FAQ item about contact upload makes a respectable argument for its stewardship of this data, saying it doesn’t collect non-phone-number contact details and deletes the numbers of non-WhatsApp-using people after saving a cryptographic hash of their digits for future cross-referencing should they join later.

But WhatsApp’s parent firm has racked up quite a list of privacy violations, some of which led to the Federal Trade Commission hitting it with a $5 billion fine in 2019 that still stands as a record penalty.

And that WhatsApp FAQ item doesn’t even try to answer why, without contacts permission, the app won’t let you punch in any random phone number to start a chat or call. Or how if you revoke that permission, it will stop showing the names of contacts–a creepy move that in 2019 Fast Company’s Michael Grothaus called “one of the most manipulative things Facebook does with WhatsApp.”

In the U.S., being a WhatsApp contacts-access refusenik isn’t so bad, because most people still use carrier texting services. But in the rest of the world, historically higher carrier prices for messaging have made WhatsApp far more widely used. And at MWC that led to some awkward moments.

Most of the time, I could socially engineer my way out of them by asking my new acquaintance to message me from their copy of WhatsApp, at which point I could reply from my copy. One MWC attendee then pointed me to the option to have WhatsApp show a QR code that other people can scan to add you to their contacts lists.

And after coming home, I learned of the click-to-chat option in which you can type in a wa.me Web address in your phone’s browser that ends with a contact’s number (no dashes or spaces) to have the app open a chat thread with that individual.

It’s good, I guess, that WhatsApp provides workarounds for its own demand for the data of people who may have zero interest in seeing their numbers get uploaded even briefly. It would be better if WhatsApp would show a little humility and end this gropey, growth-hacking nonsense.

Late or never Android updates remain a problem

Here’s yet another unintentional benefit of my shattering my Pixel 5a’s screen last weekend: an opportunity to reacquaint myself with how slowly many Android smartphone manufacturers still ooze out Google’s system updates.

This is not a new problem, as I can see from re-reading a piece I wrote almost 10 years ago that’s aged a little too well. I had thought that architectural changes Google made to Android starting back in 2017 would have put a dent into this problem by removing much of the recoding work from manufacturers. But dusting off the budget-priced Android phones I reviewed for CNN Underscored early this year (most of which I had not yet returned to the companies responsible, because my desk is a mess) revealed the error of that thought.

Photo shows Android phones stacked on a wooden floor, each showing their software-information screen. The Samsung Galaxy A13's screen is most visible, showing it's running Android 12 with the July 1 security patch.

After multiple cycles of checking for updates on these six phones, installing these updates, rebooting these phones, and checking for updates again until every device reported it was current, here’s where they wound up:

  • Moto G Power: Android 11, August 1 security update
  • Nokia X100: Android 11, August 1 security update
  • OnePlus Nord N200 5G: Android 12, September 5 security update
  • Samsung Galaxy A13 5G: Android 12, July 1 security update
  • TCL 20 SE: Android 11, August 1 security update
  • TCL 20 Pro 5G: Android 11, April security update

The current month is October and the current Android version is 13, so the problem should be immediately obvious. And not only did none of these devices have the Android release that I installed on my beloved, now battered Pixel 5a in the middle of August, only one of these devices had Google’s latest security fixes–and only two had the Android release that Google shipped a year ago.

The good news, such as it may be, is that a low price doesn’t condemn an Android phone to obsolescence. The A13 sells for $250 and the N200 $240, but both have aged better, software-wise, than the pricier Android devices in that review. You may want to consider that a factor in favor of OnePlus and Samsung if you’re shopping for a low-cost Android phone–while the lagging performance of those other vendors should rate as a serious strike against them.

Conference VOD: one half-decent thing we’ve gotten out of the pandemic

LAS VEGAS

The Black Hat security conference that wrapped up here once again left me wishing I could clone myself for a few days. Its info-dense schedule put as many as nine briefings in the same timeslot, requiring me to make some tough choices and hope that I’d picked a presentation that would yield enough news and insights to turn into an article.

(Spoiler alert: I did not always choose wisely.)

In the Before Times, the panels that I had to skip would have been lost to me until the event organizers uploaded video of them to Black Hat’s YouTube channel, often months later. But this year’s conference, run like last year’s as a hybrid in-person/online event, came with both streaming access to panels as they happened and video-on-demand playback 48 hours later for attendees.

This conference, unlike too many I’ve attended, also continues to post the presentations of speakers, so attendees don’t need to take pictures of every statistic-filled slide for posterity.

So I can treat my conference FOMO and see what I missed much sooner than I could have before. That’s one small side benefit of conferences having to make themselves open to remote attendees, a welcome democratization of events that in a better world would have happened without the pressure of a worldwide pandemic. It’s also personally convenient today because I’m already getting asked on Twitter about Black Hat briefings that I did not get to.

I do, however, still need to remember to catch up on these briefings before the 30-day window to watch them expires–the mistake I made last summer, when I had a much less busy schedule.

8/14/2022: I updated this to add a compliment to the Black Hat organizers for posting speakers’ presentations.

Black Hat pitches increasingly resemble CES pitches

When I’m spending a sunny Saturday in front of my computer, the usual reason is that it’s beastly hot outside. But today I have an additional, also seasonally-specific reason: I’m overdue to look over and make some decisions about all of the Black Hat meeting requests that have been piling up in my inbox.

A view of the Las Vegas Strip from the Foundation Room atop the Mandalay Bay hotel--a common event venue for both CES and Black Hat receptions.

Unlike last summer, I actually am going to this information-security conference in Las Vegas. And many more infosec companies seem to have made the same decision, leading to a flood of e-mails from their publicists asking if I’d like to set up a meeting while I’m in Vegas. How many? Over the last month, I’ve received 134 messages mentioning Black Hat, a number that makes me think of the annual deluge of CES PR pitches.

(Sorry, the total is now 135.)

Just like at CES, accepting even half of these invitations would leave me almost no time to do anything else at the conference. But where at CES I need to save time to gawk at gadgets on and off the show floor–and to get from venue to venue at that sprawling event–at Black Hat I want to save time to watch this conference’s briefings.

In the two prior years I’ve gone to Black Hat, I’ve found that the talks there have an exceptionally high signal-to-noise ratio. And since a coherent and entertaining explanation of a vulnerability in a widely used app, service or device is something that’s relatively easy to sell as a story, I also have an economic incentive to hold off on taking any meeting requests until the organizers post the briefings schedule–which this year only happened barely two weeks ago.

In other words, now I’m out of excuses to deal with these pitches. Which I could have done this afternoon had I not waited until this afternoon to write this post…

8/24/2022: Fixed the typo in the headline that nobody seems to have noticed until my wife asked about it today.

Amazon Fresh first look: Just Walk Out, then wait for the receipt and hope it’s accurate

Friday morning started with me driving to a grocery store in a neighborhood in which I’m sure I’d last bought milk in the 1990s, and it was all Amazon’s fault. The tech giant opened one of its Amazon Fresh stores in Crystal City Thursday–and while technological curiosity alone would have pushed me to try this establishment’s Just Walk Out surveillance-checkout system, the analog lure of a $10-off-$20 coupon mailed to our house sealed the deal.

Plus, that mailing promised an Amazon gift card, from $5 to $50, for the first 50 customers in the store on the first three days. How could I not?

Alas, finding a street parking spot–more of an issue than when I lived in a less lively Crystal City from 1993 to 1994–ate up too much time for me to get that Amazon bonus. But the shopping trip was enlightening in other ways.

After waiting in line to enter the store after its 7 a.m. opening (during which my 11-year-old and I each got a free bag of “chocolate truffle snacks” from a cheerful greeter), I authenticated myself to the store by opening my phone’s Amazon app and showing its QR code to a turnstile scanner that could have fit into any cutting-edge subway system.

(Amazon also offers Amazon One palm scanning as a store check-in method. But while I accept the inevitability of governments collecting my biometrics at national borders, I don’t have to help every for-profit company build its own biometric database.)

At about 16,000 square feet, this Amazon Fresh location was even smaller than the compact Safeway in the Crystal City Underground that I relied on in a previous century. Its selection made me think of a miniaturized Whole Foods that had gone to the dark side by stocking such forbidden-at-WF items as various flavors of Coke–a more useful Whole Foods, if you will.

The place also soundly beat Whole Foods in some categories by stocking Amazon house-brand “Happy Belly” items. For example, while a gallon of 2% milk at Whole Foods now goes for $4.99, Amazon Fresh matched the Trader Joe’s price of $3.69.

After checking the prices of everything I’d deposited in a reusable shopping bag to verify that I’d cleared $20, I checked out. By which I mean I did not “Just Walk Out” but instead scanned the QR code in that paper coupon and then scanned the QR code in the Amazon app for a second time at an exit faregate of sorts.

And then I waited for a receipt to arrive. That documentation did not land until more than five hours later, when it reported a total about $10 more than I’d expected. Somehow, the cameras and machine vision that drive Just Walk Out had decided that my picking up four individual kiwi fruits really represented me picking up one of what people once called a Chinese gooseberry, followed by two bundles or packages of those fruits.

Amazon’s app provides a “Request item refund” option for Fresh shoppers that lets you select “item not taken” as the reason why. But selecting that on my phone–and then in the Amazon app on my iPad–yielded a “We’re sorry” dialog. It apologized: “An error has occurred, but rest assured, we’re working to resolve it as quickly as possible.”

I resorted to a common coping mechanism when dealing with indifference from a giant multinational corporation: tweeting about the problem, then diverting my attention to other things. And then about four hours later, I got an e-mail from Amazon saying (“Reason for refund: Item billing error”) that they would refund the sum in question.

Will I return to that store? Absolutely! There’s a $20-off-$40 offer for Amazon Prime subscribers who shop there Tuesday and Wednesday. I may, however, use an old-school checkout on my next visit.

A long wait for an app notification

Twenty-one months ago, I installed the Virginia Department of Health’s COVIDWISE app on my smartphone and urged everybody reading that post in Virginia to go and do likewise. Back in August of 2020, I expected that this app developed with the Apple-Google COVID-19 exposure notifications framework would soon be warning me that I’d been near somebody else who had tested positive and had then used this app or another built on that foundation to send a thoroughly anonymized warning.

But the notifications of possible exposures didn’t appear, even as the U.S. suffered repeated waves of novel-coronavirus variants and the positive-test rate in Northern Virginia shot up above 30 percent at the start of this year. And as I got my first vaccination, second vaccination and booster shot, the continued silence of this app bothered me less and less–to the point that I briefly forgot to activate it after moving from my Pixel 3a to my Pixel 5a.

That silence ended Thursday morning, when my smartphone greeted me with a notification of a probable exposure. “You have likely been exposed to someone who has tested positive for COVID-19,” the app told me. “COVIDWISE estimates that you were last exposed 5 days ago.”

The app further informed me that “Most people who are fully vaccinated and free of COVID-like symptoms do not need to quarantine or be tested after an exposure.” Fortunately, I had already self-tested negative on an antigen at-home kit Wednesday morning to verify my health before heading to the Hack the Capitol security conference.

Because this app and others built on the Apple/Google code don’t store location data, I can only wonder when this possible exposure happened. And since five days ago was Saturday, when I flew home from Latvia via Munich and then Boston, I’m looking at thousands of miles of possibility. A second notification from COVIDWISE referencing North Carolina’s SlowCOVIDNC app suggests that my possible exposure source lives there, but the privacy-preserving design of this system ensures I’ll never know for sure.

A five-day turnaround, however, now seems quick after seeing three people reply to my tweet about this notification to report that they didn’t get their own heads-up from one of these exposure-notification apps until 10 days after the possible exposure–a uselessly long lag. My conclusion from those data points: Get vaccinated and boosted, because that will do more than anything else you could possibly undertake to ensure that receiving one of these exposure alerts remains a drama-free experience.

E-mail like it’s 2012: revisiting my Gmail filters

Several months ago, I spent too many hours hacking away at the 18 years’ worth of messages piled up in my Gmail account–because while I could live with paying for extra storage for Google’s backups of my own photos, I’d be damned if I was going to pay to warehouse random companies’ marketing pitches that were eating up far more of my free storage.

Screenshot of Gmail's filter, showing a menu of options that

That experience evidently wasn’t enough fun for me, because over the last couple of weeks I’ve dived into a corner of the Gmail interface I hadn’t spent any sustained time in since… 2012? Fortunately for me, Gmail’s filter interface hasn’t sustained any notable changes in at least that long, judging from how rarely it’s earned a mention in Google’s Gmail blog over the last decade.

Much as in 2012, this dialog lets me choose a message by factors like sender, recipient, subject, content, size and the presence of an attachment. Its next pane allows me to amplify the message’s importance by starring it or marking it as important, apply a label or file it under a category tab, or forward it to an outside address registered with your Gmail account using an even more fossilized interface.

Those are the basics of e-mail management, and they did suffice to help me craft updated message rules that make my Gmail inbox less chaotic and keep my more consequential correspondence filed away neatly. Less e-entropy is a good outcome.

But the limits of the filtering user experience loom large among Gmail’s missing features. The one I keep coming back to is an equivalent to the “sweep” function in Microsoft’s Outlook.com that automatically whisks matching messages into the trash 10 days after they arrive. But it’s also crazy that the entire filter UX is imprisoned in Gmail’s Web app–you can neither create nor edit nor view filters in Gmail’s Android and iOS apps, as if the last 10 years of mobile-first computing never reached whatever Googleplex building houses the Gmail developers.

Compare that thin gruel to the thoughtful mail-management tools surfacing in apps that actually have to win customers–I’m thinking here of a new Gmail front end called Shortwave that a team of former Google developers just shipped, but also of the Hey mail service. It’s not hard to think that Google could do a lot more with Gmail if it put serious effort into that work. It’s also not hard to think that Google must feel as comfortable in the e-mail market as Microsoft and Yahoo did before Gmail showed up in 2004.

Google-induced mail migration malaise

A week ago, I learned that one of my longest-running online freebies would end this summer. The seven days since haven’t been enough time for me to decide how to replace the no-charge Google account that’s hosted my home e-mail since early 2010–but they have allowed me to find a reason to dislike each obvious alternative.

Yes, I should have seen this coming. The Google that launched “Google Apps for Your Domain” as a free service in 2006 was a much scrappier firm that could not assume potential customers’ attention. Even in 2010, when I moved my home e-mail to a Google Apps account under a custom domain and set up (just in case!) a work e-mail address under a different custom domain at another Google Apps account, Google hadn’t risen to become an obvious choice for business collaboration.

The Gmail logo under an "Apps" banner, taken from a 2008 Google presentation.

Google did end signups for this free option in December of 2012, but it let existing Apps customers keep their free accounts. That grandfathered, privileged status continued as Google Apps became G Suite in 2016 and then Google Workspace in 2020.

The Google of 2022, however, is a different entity that’s been unplugging other free services. So I was not too surprised to learn that starting July 1, I’d have to pay to keep these two mail accounts hosted–just annoyed to read about this at the 9to5Google blog instead of in an e-mail from Google to me.

I’m fine with paying Google for my work account–make that, paying more on top of what I’ve been spending for extra storage since 2016. A Google Workspace Business Starter account will cost another $6 a month, which is reasonable considering how many other Google services I have tied to this account and how $72 a year would still rank among my cheaper business expenses.

But my home account is just an e-mail account. I don’t use it with Google’s other “workspace” tools; because I keep a separate, standard Gmail account for shopping, banking and other non-work stuff, my home account barely gets used as an e-mail service. Paying $72 a year makes a lot less sense, much less spending that much on addresses I’ve set up for family members who use them even less.

But the options I’ve evaluated first have their own issues:

iCloud+: Since my wife is already paying for extra storage on Apple’s cloud service, I could set up a custom domain there for free. But by associating my home e-mail address with iCloud, I would revive the problem of iPhone-using friends who think they’re using the Messages app to text me on my phone and instead have Apple’s iMessage system silently divert that to the Messages app on my iPad.

Microsoft 365: I already pay for Microsoft’s cloud storage to back up my Windows laptop, and adding multiple e-mail accounts by upgrading to Microsoft 365 Family would add only $30 to my yearly cost. Except Microsoft, for some inane reason that probably looked sharp on a marketing PowerPoint, limits this option to domains hosted with GoDaddy, and that’s not the registrar I’ve been content with using for this domain. (One thing I don’t like about this registrar: Their own mail hosting only covers 1 gigabyte of storage per address, which is why they don’t make this list.)

Fastmail: This mail-first service isn’t tied to any larger cloud platform, a simplicity of mission that I appreciate. I also like how I could use this with 1Password to generate “masked,” disposable e-mail addresses for individual services. But with pricing for a custom domain starting at $50 a year per user for 30 GB of storage, this, too, feels like overkill for my own little use case.

Meanwhile, Google may have realized the foolishness of treating every user as one type of business customer. Wednesday afternoon, Ars Technica’s Ron Amadeo flagged an addition to Google’s support note inviting input from people who don’t use legacy Google Apps accounts for work.

Will Google offer a cheaper tier for personal use, and how long will we have to wait to find out? The May 1 deadline Google set for ex-Apps users to choose between upgrading to Workspace or moving their mail elsewhere leaves plenty of time for the indecision-making process to grind on at this company. And among perplexed customers like me.

Android 12 early impressions: improvement via imprecision

Two weeks after I installed Android 12 on my aging, yet well-maintained Pixel 3a smartphone, the biggest selling point of this release is not the self-tinting interface colors that Google talked up this summer. Instead, I’m appreciating a new option to leave apps a little fuzzier about my whereabouts.

In adding the ability to deny an app access to your precise location, Android 12 returns to the earliest days of Google’s mobile operating system, when an app could ask for either “fine” or “coarse” location. But it also reflects what we’ve learned since then about how location-data brokers will embed location-tracking code in other apps, often without disclosure, and then exploit that harvested info to build vast databases.

Photo shows the Android 12 Settings app open to a page denying the Today Weather app access to my precise location; in the background, the print edition of the Nov. 12, 2021 Washington Post reveals a bit of the weather forecast.

So my first move after my phone rebooted into Android 12 was to take the GPS keys away from some apps. I started with one I already paid for, Today Weather. Why bother depriving a paid-for and therefore ad-free app of my exact location? Because the forecast shouldn’t change that much between here and a mile away–but keeping my precise coordinates from a third party means they can’t get exposed if that firm suffers a data breach later on.

My second move was much less exciting, in that I swapped out some of the default screen widgets: I like scallops and I like having a large display of the time on my home screen, but I don’t like the scallop-shaped clock widget that comes standard in Android 12.

My first software-update-induced moment of confusion, meanwhile, came a day after I installed this update when I mashed down the power button to invoke the Google Pay shortcut to choose a different stored credit card for a purchase–and nothing happened. That’s because Android 12 moved that from the power-button menu to the Quick Settings menu. Broken muscle memory aside, I get that relocating this setting from a non-obvious spot to a menu that people use all the time should make it more discoverable.

Finally, one Android 12 detail that’s gotten less attention than the others in press coverage just might save me from waking up with a phone at 10% of a charge: When you plug a phone into a charger, a wave of sparkles washes up the screen to confirm that current is flowing to the device. Considering my own record of inattentive device charging, that’s a feature I could have used 10 years ago.