When your old laptop dies at the perfect time

My old MacBook Air is now not only retired but dead. And it could not have happened at a better time.

I had resolved to donate the 2012-vintage laptop I’d finally replaced with an HP Spectre x360 last fall to the local Apple user group Washington Apple Pi, whose MacRecycleClinic refurbishes still-functional Macs for reuse and scavenges the rest for parts. And since I’m speaking at Saturday’s Pi meeting about the state of computer security–the gathering runs from 9:30 a.m. to noon-ish in Enterprise Hall room 178 at George Mason University’s main campus in Fairfax, with my spot a little after 11 a.m.–I could bring the old Air with me to hand over.

So yesterday afternoon, I made one last backup of the Air’s files, signed it out of its Web services as per Apple’s advice, and rebooted it into macOS Recovery to wipe the drive and re-install macOS High Sierra from that hidden partition. Then I followed the counsel of experts for a USA Today column earlier this month and used Apple’s FileVault software to encrypt its solid state drive all over again.

Several hours later, High Sierra wrapped up that chore. I once again rebooted into Recovery, used Disk Utility to wipe the SSD–and then couldn’t install High Sierra, because the installer reported that the drive’s Self-Monitoring, Analysis, and Reporting Technology (SMART) software had found a problem that left the volume unusable.

After a moment’s irritation, I realized that this timing was perfect. It followed not just five years of trouble-free drive performance but a complete erasure, re-encryption and re-erasure of the volume, so there could be nothing left to recover–and therefore no need to apply physical force to destroy the drive. This Mac has failed me for the last time, and I am okay with that.

An occupational risk of freelancing: zero words on topic A

The European Commission socked Google with a €4.34 billion fine Wednesday over its treatment of Android device vendors, and I have had zero words published to my name about that blockbuster ruling.

It happens. When you’re not on staff and not in the newsroom as a major story breaks, you can get left aside as staff writers jump on that topic and editors scurry to get their copy posted. That collective rush to publish–and the glut of hot takes about whatever tech issue tops a day’s headlines–may then result in you not being able to sell anything about said storyline before everybody’s moved on to the next breaking topic.

So, yes, I have not opined at length over the EC’s judgment that Google abused its market power in requiring Android vendors to ship its Chrome browser and set its own search as the default if they wanted to bundle the Play Store. I haven’t even gone on radio or TV to spout off on Google getting this roughly $5 billion haircut, leaving only my initial, skeptical tweets as my comments.

I feel like I’ve put my tech-pundit status in jeopardy, especially considering the shameful lack of even unpaid broadcast exposure.

On the other hand, I should appreciate being able to think through this matter instead of having to file 800 words of first-few-hours analysis.

On the other other hand, my self-employed status also means I don’t have to crank out four posts in a day every time Apple commits news. And not being beholden to a single newsroom lets me self-assign less-obvious coverage, as long as I can find a willing client. That occupational flexibility may yet allow me to get back to Topic A in tech news this week, if I can just find the right angle to pitch to the right editor…

Another part of the world where I need to use a VPN

I spent last week in London with my family–yes, actual vacation-esque time! It was great, except for when I was trying to keep up with news from back home.

My first stay across the Atlantic since the European Union’s General Data Protection Regulation went into force May 25 brought home the unpleasant reality of some U.S. sites’ continued struggles with this privacy law. And instead of experiencing this only briefly in a Virtual Private Network session on my iPad, I got a full-time dose of it.

The biggest problem is sites such as the Chicago Tribune and the Los Angeles Times that have blocked all European access instead of providing the privacy controls required by the GDPR.

That’s not the fault of the GDPR–its provisions were set two years ago–but is the fault of Tronc, the long-mismanaged news firm formerly known as Tribune Publishing. Tronc could afford to pay $15 million to former chairman Michael Ferro after he quit facing charges of sexual abuse but apparently couldn’t afford to hire any GDPR-qualified developers. I hope the LAT can fix that now that Tronc has sold the paper, but it may be a while before I can link to any Tribune stories without annoying European readers.

With my client USA Today, the issue isn’t as bad: It provides EU readers with a stripped-down, ad- and tracking-free version of the site, which you can see at right in the screenshot above. What’s not to like about such a fast, simple version? Well, I can’t see comments on my own columns, and simply searching for stories requires switching to Google… by which I mean, Bing, since right-clicking a Google search result doesn’t let you copy the target address, and clicking through to a Google result will yield an EU-specific USAT address.

The simplest fix for these and other GDPR-compliance glitches was to fire up Private Internet Access on my laptop and connect to one of that VPN service’s U.S. locations–yes, as if I were in China. It seems a violation of the Web’s founding principles to have to teleport my browser to another continent for a task as simple as reading the news, but here we are.

Bandwidth battles in China

SHANGHAI–Crowded gadget trade shows like CES and Mobile World Congress usually entail connectivity complaints. But when you put the gadget show in China, you level up the complexity, thanks to the need to run a Virtual Private Network app to preserve access to U.S. sites blocked by China’s Internet filters.

In theory–and in every PR pitch from a VPN service advertising itself as the surefire way to stop your ISP from tracking your online activity–that should add no difficulty to getting online. You connect, the VPN app automatically sets up an encrypted link to the VPN firm’s servers, and then you browse as usual.

PIA VPN exit-server menu

The reality that I’ve seen at CES Asia this week while using the Private Internet Access Windows and Android apps has been a good deal less elegant.

  • Often, the PIA app will connect automatically to the best available server (don’t be like me by wasting time selecting a particular U.S. server when the app usually gets this right) to provide a usable link to the outside world. But it’s never clear how long that link will stay up; you don’t want to start a long VoIP call or Skype conference in this situation.
  • On other occasions, the app has gotten stuck negotiating the VPN connection–and occasionally then falls into a loop in which it waits increasingly longer to retry the setup. Telling it to restart that process works sometimes; in others, I’ve had to quit the app. For whatever reason, this has been more of a problem on my laptop than on my phone.
  • The WiFi itself has been exceedingly spotty whether I’ve used my hotel WiFi, the Skyroam Solis international-roaming hotspot I took (a review loaner that I really, really need to send back), the press-room WiFi or, worst of all, the show-floor WiFi. Each time one of those connections drops, the VPN app has to negotiate a new connection.

If you were going to say “you’re using the wrong VPN app”: Maybe I am! I signed up for PIA last year when the excellent digital-policy-news site Techdirt offered a discounted two-year subscription; since then, my client Wirecutter has endorsed a competing service, IVPN (although I can’t reach that site at the moment). Since I don’t have any other trips to China coming up, I will wait to reassess things when my current subscription runs out next April.

Also, it’s not just me; my friend and former Yahoo Tech colleague Dan Tynan has been running into the same wonkiness.

To compound the weirdness, I’ve also found that some connectivity here seems to route around the Great Firewall without VPN help. That was true of the press-room WiFi Thursday, for instance, and I’ve also had other journalists attending CES Asia report that having a U.S. phone roam here–free on Sprint and T-Mobile, a surcharge on AT&T or Verizon–yielded an unfettered connection.

At the same time, using a VPN connection occasionally left the CES Asia site unreachable. I have no idea why that is so.

What I do know is that I’ll very much appreciate being able to break out my laptop somewhere over the Pacific in a few hours and pay for an unblocked connection–then land in a country where that’s the default condition.

Yes, I still use Flickr

My oldest social-media hangout is no longer the property of my biggest client’s corporate parent, and I am okay with that.

Flickr Android app

Last night brought word that Verizon’s Oath division had sold Flickr to the photo-sharing site SmugMug. Jessica Guynn’s USA Today story breaking the news calls Flickr a “faded social networking pioneer,” which is both uncomplimentary and correct.

My Flickr account dates to 2005, and over the subsequent 13 years I’ve seen Flickr suffer a lot of neglect–especially during Yahoo’s pre-Marissa Mayer years, when a succession of inept CEOs let Instagram run away with the mobile market.

Yet not only have I kept on uploading, editing and captioning pictures on Flickr (edit: with the occasional lag in sharing anything), since 2011 I’ve paid for a Flickr Pro membership. That first got me out from under the free version’s 100-megabyte monthly upload cap, but since Yahoo ditched that stingy limit in 2013… well, it’s a tiny monthly cost, and I like the idea of having a social-media account on which I’m not an advertising target with eyeballs to monetize.

Meanwhile, Flickr has continued to do a few things well: welcome both pictures taken with a standalone camera and those shot with a phone; make it easy to present and browse albums of photos (“photosets” if you’re old); support Creative Commons licensing so I can permit non-commercial sharing but prohibit commercial reuse (which required USA Today to pay me for one Flickr photo); and let people share their work in pools (for instance, Greater Greater Washington’s, which has occasionally resulted in my shots getting featured on that blog).

Instagram, where my active presence only dates to February of 2017, is easy, fun and great for engagement–slap #travel on a shot and you’ll get 15 likes in an hour. But it doesn’t do those things. And it’s a Facebook property, which raises the question of just how much of my online identity I need on that company’s servers.

Google Photos offers a fantastic private-backup service, but it, too, belongs to a company that already hosts much of my digital life.

SmugMug hasn’t said much about its plans for Flickr beyond promising not to merge Flickr and SmugMug. But unlike Oath, it has no other lines of business besides photo sharing. And as a privately-owned firm that hasn’t taken outside investments, SmugMug doesn’t need to meet impatient expectations from Wall Street or Silicon Valley. I feel pretty good about this transition, and I doubt I’ll have any big hangups about paying for my next Flickr Pro bill.

My Facebook-apps privacy audit

At some point, I was going to revisit my Facebook-privacy settings, but this weekend’s news about Cambridge Analytica’s exfiltration of some 50 million Facebook users’ data via a personality-quiz app moved up that timetable a bit.

That also sped up my overdue reacquaintance with my Facebook app settings–something I hadn’t paid much attention to since I last added any apps to my profile. The how-to I wrote in late 2013 about Facebook privacy waved away that angle: “Most of the options under the ‘Apps’ heading only apply if you add applications to your profile.”

Alas, I had added a few apps to my profile, especially in the first few years I had an account. Make that a few dozen apps. They fell into a few categories:

  • Apps or site logins (Facebook lists both on the same page) that I didn’t remember adding but could imagine reasons to have done so.
  • Apps that I had once appreciated but hadn’t touched in years (and which, per the new policy Facebook CEO Mark Zuckerberg announced Wednesday, would now be cut off).
  • Apps that I still appreciated but which had more access to my data than I recalled granting.
  • Apps that I recognized and which didn’t demand information beyond the public-on-Facebook aspects of my profile.

The last category aside, it was an embarrassing exercise. How had I allowed so many apps to see my friends list? Aren’t I supposed to know this stuff?

After that humbling moment, I removed about two-thirds of the apps, with those offering discernable utility cut down to seeing only my basic profile information. I should have done that years ago. But so should most of us.

Bear in mind that I’ve never treated Facebook as a friends-only space. I know that screenshots exist; I hadn’t had a Facebook account for more than a year and change before a now-defunct D.C.-journalism-gossip site posted a screengrab of it. If I post an update, I try to write it so it won’t look too incriminating when quoted elsewhere out of context.

During this overdue investigation, I also looked at the “Apps Others Use” category that Facebook vaguely explains as a way for friends to bring your info to apps they use. I’d unchecked all 13 of those options, but after seeing most activated in a dummy account I keep for fact-checking purposes–and having people ask if this didn’t mean that Facebook apps could still grab data from friends–I had to ask Facebook to clear this up.

The less-than-conclusive answer I got over two e-mails: That cluster of settings dates to “before we made significant changes to how developers build apps on Facebook” that eliminated its functionality, except that it “still addresses some limited situations like photo sharing.”

So it appears that this absurdly wealthy company has trouble updating and documenting its privacy interface. That’s yet another problem Facebook needs to solve.

How I screwed up a Strava story

A story I wrote weeks ago started to go bad last Saturday, before it had even been published and posted.

That’s when an Australian student named Nathan Ruser tweeted out an interesting discovery: The Global Heatmap provided by the activity-tracking social network Strava revealed the locations of both documented and secret foreign military bases, as outlined by the running and walking paths of service members that Strava’s apps had recorded.

The feature I had filed for the U.S. Geospatial Intelligence Foundation’s Trajectory Magazine–posted Wednesday and landing in print subscribers’ mailboxes this week–also covered Strava, but in a different light.

As part of an overview of interesting applications of “geoint,” I wrote about Strava Metro, the database of activities over time available to local governments and cyclist-advocacy organizations (but not commercial buyers). In that part of the story, I quoted Strava executive Brian Devaney explaining the company’s efforts to keep its users anonymous in both Metro and the heatmap.

Looking at Strava from the perspective of “will this show where people live?”, I didn’t even think about how Strava users might unwittingly map temporary workplaces abroad. I had my chance to clue in on Strava’s military user base from looking around D.C.–that’s Joint Base Andrews precisely outlined southeast of the District in the screengrab above–but I failed to draw any conclusions from that.

Apparently, so did everybody else in the months after the Nov. 1 debut of the heatmap, heralded in a post by Strava engineer Drew Robb that touted how “our platform has numerous privacy rules that must be respected.”

You can blame Strava for making it difficult to set a geofence around a sensitive area. But it’s less fair to hound a privately-run service built to share workout data–remember, it calls itself “the social network for athletes”–for not maintaining a database of classified military locations to be blacked out on its heatmap.

After Ruser’s first tweets, however, developer Steve Loughran poked around Strava’s system and found that he could correlate the heatmap with the records of individual people by uploading a fabricated GPS file of a workout to spoof the site into thinking he’d jogged along the same path. That’s a deeper problem, and one that appears to be Strava’s fault.

After I asked Strava to explain these new findings, spokesman Andrew Vontz pointed me to a Jan. 29 post by CEO James Quarles pledging action to make privacy a simpler choice in its system.

I hope that they do so forthwith. Meanwhile, a fourth of a magazine feature with my name on it (at least it’s the last fourth!) looks dumb. It’s true that every other journalist to write about Strava between November and last week also missed these angles–but I may be unique in having a positive piece about Strava land this week. That’s not a great feeling.