How I screwed up a Strava story

A story I wrote weeks ago started to go bad last Saturday, before it had even been published and posted.

That’s when an Australian student named Nathan Ruser tweeted out an interesting discovery: The Global Heatmap provided by the activity-tracking social network Strava revealed the locations of both documented and secret foreign military bases, as outlined by the running and walking paths of service members that Strava’s apps had recorded.

The feature I had filed for the U.S. Geospatial Intelligence Foundation’s Trajectory Magazine–posted Wednesday and landing in print subscribers’ mailboxes this week–also covered Strava, but in a different light.

As part of an overview of interesting applications of “geoint,” I wrote about Strava Metro, the database of activities over time available to local governments and cyclist-advocacy organizations (but not commercial buyers). In that part of the story, I quoted Strava executive Brian Devaney explaining the company’s efforts to keep its users anonymous in both Metro and the heatmap.

Looking at Strava from the perspective of “will this show where people live?”, I didn’t even think about how Strava users might unwittingly map temporary workplaces abroad. I had my chance to clue in on Strava’s military user base from looking around D.C.–that’s Joint Base Andrews precisely outlined southeast of the District in the screengrab above–but I failed to draw any conclusions from that.

Apparently, so did everybody else in the months after the Nov. 1 debut of the heatmap, heralded in a post by Strava engineer Drew Robb that touted how “our platform has numerous privacy rules that must be respected.”

You can blame Strava for making it difficult to set a geofence around a sensitive area. But it’s less fair to hound a privately-run service built to share workout data–remember, it calls itself “the social network for athletes”–for not maintaining a database of classified military locations to be blacked out on its heatmap.

After Ruser’s first tweets, however, developer Steve Loughran poked around Strava’s system and found that he could correlate the heatmap with the records of individual people by uploading a fabricated GPS file of a workout to spoof the site into thinking he’d jogged along the same path. That’s a deeper problem, and one that appears to be Strava’s fault.

After I asked Strava to explain these new findings, spokesman Andrew Vontz pointed me to a Jan. 29 post by CEO James Quarles pledging action to make privacy a simpler choice in its system.

I hope that they do so forthwith. Meanwhile, a fourth of a magazine feature with my name on it (at least it’s the last fourth!) looks dumb. It’s true that every other journalist to write about Strava between November and last week also missed these angles–but I may be unique in having a positive piece about Strava land this week. That’s not a great feeling.


My no-longer-secret Bitcoin shame

Bitcoin has infested tech news lately–the cryptocurrency’s unlikely rise in value, its subsequent and unsurprising fall in value, what complete tools Bitcoin zealots can be in front of a reporter, and so on and on. I’ve watched all of this as an unwitting spectator.

Yes, I’m one of those doofuses who forgot a password to a Bitcoin wallet. At least I have a half-decent excuse: CES.

I didn’t go to the gadget show in 2014 planning on investing in Bitcoin, but one of the first events I attended featured a diverse contingent of BTC startups, one of which had a dollars-to-Bitcoin ATM. How could I not gamble a few bucks to earn an anecdote to throw into a Bitcoin explainer?

I put a $5 bill into this thing and followed an exhibitor’s advice to install the Mycelium wallet app on my phone, scan a QR code off the ATM’s screen, and set a 15-character passcode to protect my stash of .00513 BTC.

Guess what I forgot to do as I headed to my next CES appointment?

I then mostly ignored the app, except for the occasional check to see how my investment had decayed. That habit faded, and when I tried resetting my phone the next fall to fix some touchscreen bugginess, I didn’t even think about the risk of losing access to my tiny Bitcoin hoard.

By which I mean, I didn’t even think to open Mycelium until several months after that unsuccessful phone-troubleshooting exercise. Then I realized that I could no longer remember the 15 characters I’d typed on my phone’s screen two years earlier, without which I could not restore the backup I had made right after my ATM transaction.

That’s where things have remained, even as Bitcoin’s value has soared and then plummeted. It’s annoying, but at least I have two things going for me: The app won’t lock me out as I keep guessing the passcode incorrectly, and at the current exchange rate I’m only out $57 or so. I’ve done much worse gambling in Vegas.

CES 2018 travel-tech report: Ethernet lives!

I survived another CES without having my laptop or phone come close to running out of power during the workday, which is worth a little celebration but may also indicate that I did CES wrong.

One reason for this efficient electrical usage is that I showed up in Vegas with a new laptop for the first time since 2013. The HP Spectre x360 laptop that replaced my MacBook Air couldn’t get through an entire day without a recharge, but plugging it in during lunch and any subsequent writing time freed me from having to think about its battery for the rest of the day.

The Google Pixel phone I bought last summer was thirstier, mainly because I could never really put that down even after dark. But I still never needed to top off the phone with the external charger I bought.

Having both the phone and laptop charge via USB-C delivered an added bonus: Whenever I was sitting near an electrical outlet, I could plug either device into the laptop’s charger.

CES telecom, however, got no such upgrade. The press-room WiFi worked at the Mandalay Bay conference center but often did not in the media center I used at the Las Vegas Convention Center. And having to enter a new password every day–what looked like a misguided episode of IT security theater–did not enhance the experience.

Fortunately, the cheap USB-to-Ethernet adapter that my MacBook had inexplicably stopped recognizing a few years back worked without fuss on the HP so I often reverted to using wired connections. The irony of me offering an “it just works!” testimony to a Windows PC is duly noted.

T-Mobile’s LTE, meanwhile, crumpled inside the Sands and often struggled to serve up bandwidth at the LVCC. More than once, this meant I had to trust my luck in CES traffic when Google Maps couldn’t produce any road-congestion data.

I packed two devices I’ve carried for years to CES but only used one. The Belkin travel power strip I’ve brought since 2012 avoided some unpleasantness in a packed press room Monday but wasn’t necessary after then. The Canon point-and-shoot camera I’ve had since 2014, however, never left my bag. The camera in my Pixel is that good for close-up shots, and I didn’t come across any subjects that would have required the Canon’s superior zoom lens.

I also didn’t come across a worthy, pocket-sized successor to that “real” camera at any CES booths. But with some 2.75 million square feet of exhibits at this year’s show, I could have easily missed that and many other solutions to my travel-tech issues.

A Safari upgrade I like: accountability for resource-hogging pages

Apple is a few days away from shipping its next big update to its desktop operating system, but people running its current and previous macOS releases can already benefit from one of macOS High Sierra’s components.

Yes, I’m writing something nice about Safari for a change.

The browser that I’ve spent much of the past few years cursing at for its weak memory management and general inability to let me run the computer instead of the other way around got a welcome, pre-High Sierra update Tuesday.

The most talked-about feature in Safari 11.0 may have been its ability to automatically silence sites that without invitation play videos with audio on (yes, I know that includes some of my freelance clients), followed by its blocking of cross-site ad tracking. But the option I’m enjoying most at the moment is Safari 11’s ability–stashed in a new “Websites” tab of its preferences window–to open every page at a given site in the minimalist Reader view.

Where ad blockers are often clumsy and random, Reader can be an elegant weapon against sites that demand attention with junky ads and auto-playing media. It might also spare you from a particularly piggy page locking up your Mac with a demand for more memory than the system can allocate.

“Isn’t that the system’s damn job,” you say? Yes, it is. Fortunately, Safari 11 also now seems able to quash a site in the middle of a memory binge, to judge from the banner I saw atop a page advising me that Safari had reloaded it “because it was using significant memory.”

I’m not going to tell the Safari developers to kick back with a nice vacation–since this update, the browser has already forced a reboot when it somehow refused to restart or fully quit–only a week after I’d had to go through the same routine with Google’s Chrome. But at least I don’t feel like this app is conspiring against me.

Goodbye, Nexus; hello, Pixel

I’m no longer rocking a four-year-old phone. Instead, I’ve upgraded to a 2016-vintage model.

This Google Pixel represents–I hope!–the end of the smartphone saga that began when my increasingly glitchy Nexus 5X lapsed into a fatal bootloop. The refurbished 5X Google offered as a free out-of-warranty replacement never shipped, notwithstanding the “confirmed” status of that order, so after a second call with Google’s store support I took their fallback offer of a full refund of my 5X purchase.

(It’s possible I got special treatment–Google should know how to Google me–but comments in Reddit’s 5X-bootloop thread report similar outcomes.)

I opted to use that money (technically, future money, since I won’t get the credit until the dead 5X completes its journey back to Google) on a Pixel for a few reasons. It remains the Wirecutter’s pick as the best Android phone; a pricier Samsung Galaxy S8 would subject me to tacky interface alterations and delayed security fixes; the new OnePlus 5 would be cheaper but comes with an even weaker record of software updates.

(I did consider buying an iPhone 7, but its absence of a headphone jack has not stopped seeming idiotic to me. And my frequent iPad experience of seeing apps revert to the stock keyboard instead of Google’s better Gboard isn’t something I need to repeat on a phone.)

It bugs me a little to upgrade to a device that shipped last fall, barely a year after the 5X’s debut. Although the Pixel’s camera does indeed seem terrific, in other respects this phone doesn’t represent a major advance over the 5X. But smartphone evolution has slowed down in general–a point people forget when they whine about Apple not shipping breakthrough products anymore.

It’s possible that the next Pixel 2 will add cordless charging, expandable memory and water resistance, and in that scenario I may wish my old phone could have staggered on for another few months. Or maybe Google will follow Apple’s foolish lead and get rid of the headphone jack on its next Pixel, in which case I’ll be patting myself on the back for timing my phone failures so well.

WeChat, but I can’t

SHANGHAI–It wasn’t until shortly before I left for CES Asia that I realized showing up here without a WeChat account would mark me as some kind of hick. I’m now about to head home, still bereft of a WeChat account. But I tried!

WeChat, for those as uninitiated as I once was, is the service AOL Instant Messenger became in an alternate universe. Tencent’s messaging app not only connects almost one billion users in real time, it functions as a wallet, a business card, a news feed and a great many other things.

So I downloaded the Android app, plugged in my Google Voice number–as the work number on my business card, it’s what I ordinarily use without a problem on phone-linked messaging systems.

But what worked in WhatsApp and Signal did not in WeChat. After creating an account and entering the security code texted to my number, I got this error message:

“This WeChat account has been confirmed of suspicious registration in batch or using plugins and is blocked. Continue to use this account by tapping OK and applying for an account unblock.”

Whoops. I tapped through to a “Self-service unblock allowed” screen and tapped its “Read and accept” button. That presented me with a CAPTCHA prove-you’re-not-a-robot interface that had me tap the letters in one graphic that matched those in another.

But after going through that, I still couldn’t log in. Instead, the app told me to get another WeChat user to verify my existence on their phone. I’ve now tried that a few times with both U.S.-based and local users, and after each try the app has offered a vague error message about the other person not being eligible to vouch for me.

After some further research, I think the problem is my using a Google Voice number. That possibility goes unmentioned in WeChat’s English-language online help, but a Quora post reports that Tencent quashed that option years ago.

And thinking about it, it does make sense: I can’t imagine that the Chinese government would look fondly on any communications service that allows people to use a number likely to be untethered from a billable address.

When I get back to the States, I will see if I can’t get WeChat to work with some kind of a burner number still attached to a real account–maybe from a loaner phone. Otherwise, I guess I’ll have to set up WeChat with my “real” phone number. I can’t stay illiterate in this service forever, right?

What made this Facebook post bot bait?

I never quite know what I’m doing with my public Facebook page, but I can usually count on this much: Only a small fraction of however many people see something I post there will Like it.

Something different happened with the link I shared on Saturday to my USA Today recap of Mobile World Congress. Of the 516 people it reached, 320 have liked it. Which would be nice, except that so many of them appear to be fake accounts that I should have put scare quotes around “people” in the previous sentence.

My new fans all appear to be young women of excellent health and are almost all dressed for the beach, an evening out, or an evening in. Some of them apparently use the same first and last names to make it easier to remember them: Alyssa Alyssa, Isabel Isabel, Kate Kate.

So while my page does desperately need a better gender balance–Facebook’s analytics report its audience is 71% men, 29% women–I don’t think my page’s new pals reflect a genuine shift. Question is, what made this one post draw out the bots when others don’t? And can I at least get some of them to click on the USAT story itself and maybe linger over an ad or two?