Bandwidth battles in China

SHANGHAI–Crowded gadget trade shows like CES and Mobile World Congress usually entail connectivity complaints. But when you put the gadget show in China, you level up the complexity, thanks to the need to run a Virtual Private Network app to preserve access to U.S. sites blocked by China’s Internet filters.

In theory–and in every PR pitch from a VPN service advertising itself as the surefire way to stop your ISP from tracking your online activity–that should add no difficulty to getting online. You connect, the VPN app automatically sets up an encrypted link to the VPN firm’s servers, and then you browse as usual.

PIA VPN exit-server menu

The reality that I’ve seen at CES Asia this week while using the Private Internet Access Windows and Android apps has been a good deal less elegant.

  • Often, the PIA app will connect automatically to the best available server (don’t be like me by wasting selecting a particular U.S. server when the app usually gets this right) to provide a usable link to the outside world. But it’s never clear how long that link will stay up; you don’t want to start a long VoIP call or Skype conference in this situation.
  • On other occasions, the app has gotten stuck negotiating the VPN connection–and occasionally then falls into a loop in which it waits increasingly longer to retry the setup. Telling it to restart that process works sometimes; in others, I’ve had to quit the app. For whatever reason, this has been more of a problem on my laptop than on my phone.
  • The WiFi itself has been exceedingly spotty whether I’ve used my hotel WiFi, the Skyroam Solis international-roaming hotspot I took (a review loaner that I really, really need to send back), the press-room WiFi or, worst of all, the show-floor WiFi. Each time one of those connections drop, the VPN app has to negotiate a new connection.

If you were going to say “you’re using the wrong VPN app”: Maybe I am! I signed up for PIA last year when the excellent digital-policy-news site Techdirt offered a discounted two-year subscription; since then, my client Wirecutter has endorsed a competing service, IVPN (although I can’t reach that site at the moment). Since I don’t have any other trips to China coming up, I will wait to reassess things when my current subscription runs out next April.

Also, it’s not just me; my friend and former Yahoo Tech colleague Dan Tynan has been running into the same wonkiness.

To compound the weirdness, I’ve also found that some connectivity here seems to route around the Great Firewall without VPN help. That was true of the press-room WiFi Thursday, for instance, and I’ve also had other journalists attending CES Asia report that having a U.S. phone roam here–free on Sprint and T-Mobile, a surcharge on AT&T or Verizon–yielded an unfettered connection.

At the same time, using a VPN connection occasionally left the CES Asia site unreachable. I have no idea why that is so.

What I do know is that I’ll very much appreciate being able to break out my laptop somewhere over the Pacific in a few hours and pay for an unblocked connection–then land in a country where that’s the default condition.

Advertisements

My Facebook-apps privacy audit

At some point, I was going to revisit my Facebook-privacy settings, but this weekend’s news about Cambridge Analytica’s exfiltration of some 50 million Facebook users’ data via a personality-quiz app moved up that timetable a bit.

That also sped up my overdue reacquaintance with my Facebook app settings–something I hadn’t paid much attention to since I last added any apps to my profile. The how-to I wrote in late 2013 about Facebook privacy waved away that angle: “Most of the options under the ‘Apps’ heading only apply if you add applications to your profile.”

Alas, I had added a few apps to my profile, especially in the first few years I had an account. Make that a few dozen apps. They fell into a few categories:

  • Apps or site logins (Facebook lists both on the same page) that I didn’t remember adding but could imagine reasons to have done so.
  • Apps that I had once appreciated but hadn’t touched in years (and which, per the new policy Facebook CEO Mark Zuckerberg announced Wednesday, would now be cut off).
  • Apps that I still appreciated but which had more access to my data than I recalled granting.
  • Apps that I recognized and which didn’t demand information beyond the public-on-Facebook aspects of my profile.

The last category aside, it was an embarrassing exercise. How had I allowed so many apps to see my friends list? Aren’t I supposed to know this stuff?

After that humbling moment, I removed about two-thirds of the apps, with those offering discernable utility cut down to seeing only my basic profile information. I should have done that years ago. But so should most of us.

Bear in mind that I’ve never treated Facebook as a friends-only space. I know that screenshots exist; I hadn’t had a Facebook account for more than a year and change before a now-defunct D.C.-journalism-gossip site posted a sceengrab of it. If I post an update, I try to write it so it won’t look too incriminating when quoted elsewhere out of context.

During this overdue investigation, I also looked at the “Apps Others Use” category that Facebook vaguely explains as a way for friends to bring your info to apps they use. I’d unchecked all 13 of those options, but after seeing most activated in a dummy account I keep for fact-checking purposes–and having people ask if this didn’t mean that Facebook apps could still grab data from friends–I had to ask Facebook to clear this up.

The less-than-conclusive answer I got over two e-mails: That cluster of settings dates to “before we made significant changes to how developers build apps on Facebook” that eliminated its functionality, except that it “still addresses some limited situations like photo sharing.”

So it appears that this absurdly wealthy company has trouble updating and documenting its privacy interface. That’s yet another problem Facebook needs to solve.

How I screwed up a Strava story

A story I wrote weeks ago started to go bad last Saturday, before it had even been published and posted.

That’s when an Australian student named Nathan Ruser tweeted out an interesting discovery: The Global Heatmap provided by the activity-tracking social network Strava revealed the locations of both documented and secret foreign military bases, as outlined by the running and walking paths of service members that Strava’s apps had recorded.

The feature I had filed for the U.S. Geospatial Intelligence Foundation’s Trajectory Magazine–posted Wednesday and landing in print subscribers’ mailboxes this week–also covered Strava, but in a different light.

As part of an overview of interesting applications of “geoint,” I wrote about Strava Metro, the database of activities over time available to local governments and cyclist-advocacy organizations (but not commercial buyers). In that part of the story, I quoted Strava executive Brian Devaney explaining the company’s efforts to keep its users anonymous in both Metro and the heatmap.

Looking at Strava from the perspective of “will this show where people live?”, I didn’t even think about how Strava users might unwittingly map temporary workplaces abroad. I had my chance to clue in on Strava’s military user base from looking around D.C.–that’s Joint Base Andrews precisely outlined southeast of the District in the screengrab above–but I failed to draw any conclusions from that.

Apparently, so did everybody else in the months after the Nov. 1 debut of the heatmap, heralded in a post by Strava engineer Drew Robb that touted how “our platform has numerous privacy rules that must be respected.”

You can blame Strava for making it difficult to set a geofence around a sensitive area. But it’s less fair to hound a privately-run service built to share workout data–remember, it calls itself “the social network for athletes”–for not maintaining a database of classified military locations to be blacked out on its heatmap.

After Ruser’s first tweets, however, developer Steve Loughran poked around Strava’s system and found that he could correlate the heatmap with the records of individual people by uploading a fabricated GPS file of a workout to spoof the site into thinking he’d jogged along the same path. That’s a deeper problem, and one that appears to be Strava’s fault.

After I asked Strava to explain these new findings, spokesman Andrew Vontz pointed me to a Jan. 29 post by CEO James Quarles pledging action to make privacy a simpler choice in its system.

I hope that they do so forthwith. Meanwhile, a fourth of a magazine feature with my name on it (at least it’s the last fourth!) looks dumb. It’s true that every other journalist to write about Strava between November and last week also missed these angles–but I may be unique in having a positive piece about Strava land this week. That’s not a great feeling.

My no-longer-secret Bitcoin shame

Bitcoin has infested tech news lately–the cryptocurrency’s unlikely rise in value, its subsequent and unsurprising fall in value, what complete tools Bitcoin zealots can be in front of a reporter, and so on and on. I’ve watched all of this as an unwitting spectator.

Yes, I’m one of those doofuses who forgot a password to a Bitcoin wallet. At least I have a half-decent excuse: CES.

I didn’t go to the gadget show in 2014 planning on investing in Bitcoin, but one of the first events I attended featured a diverse contingent of BTC startups, one of which had a dollars-to-Bitcoin ATM. How could I not gamble a few bucks to earn an anecdote to throw into a Bitcoin explainer?

I put a $5 bill into this thing and followed an exhibitor’s advice to install the Mycelium wallet app on my phone, scan a QR code off the ATM’s screen, and set a 15-character passcode to protect my stash of .00513 BTC.

Guess what I forgot to do as I headed to my next CES appointment?

I then mostly ignored the app, except for the occasional check to see how my investment had decayed. That habit faded, and when I tried resetting my phone the next fall to fix some touchscreen bugginess, I didn’t even think about the risk of losing access to my tiny Bitcoin hoard.

By which I mean, I didn’t even think to open Mycelium until several months after that unsuccessful phone-troubleshooting exercise. Then I realized that I could no longer remember the 15 characters I’d typed on my phone’s screen two years earlier, without which I could not restore the backup I had made right after my ATM transaction.

That’s where things have remained, even as Bitcoin’s value has soared and then plummeted. It’s annoying, but at least I have two things going for me: The app won’t lock me out as I keep guessing the passcode incorrectly, and at the current exchange rate I’m only out $57 or so. I’ve done much worse gambling in Vegas.

CES 2018 travel-tech report: Ethernet lives!

I survived another CES without having my laptop or phone come close to running out of power during the workday, which is worth a little celebration but may also indicate that I did CES wrong.

One reason for this efficient electrical usage is that I showed up in Vegas for a new laptop for the first time since 2013. The HP Spectre x360 laptop that replaced my MacBook Air couldn’t get through an entire day without a recharge, but plugging it in during lunch and any subsequent writing time freed me from having to think about its battery for the rest of the day.

The Google Pixel phone I bought last summer was thirstier, mainly because I could never really put that down even after dark. But I still never needed to top off the phone with the external charger I bought.

Having both the phone and laptop charge via USB-C delivered an added bonus: Whenever I was sitting near an electrical outlet, I could plug either device into the laptop’s charger.

CES telecom, however, got no such upgrade. The press-room WiFi worked at the Mandalay Bay conference center but often did not in the media center I used at the Las Vegas Convention Center. And having to enter a new password every day–what looked like a misguided episode of IT security theater–did not enhance the experience.

Fortunately, the cheap USB-to-Ethernet adapter that my MacBook had inexplicably stopped recognizing a few years back worked without fuss on the HP so I often reverted to using wired connections. The irony of me offering an “it just works!” testimony to a Windows PC is duly noted.

T-Mobile’s LTE, meanwhile, crumpled inside the Sands and often struggled to serve up bandwidth at the LVCC. More than once, this meant I had to trust my luck in CES traffic when Google Maps coudn’t produce any road-congestion data.

I packed two devices I’ve carried for years to CES but only used one. The Belkin travel power strip I’ve brought since 2012 avoided some unpleasantness in a packed press room Monday but wasn’t necessary after then. The Canon point-and-shoot camera I’ve had since 2014, however, never left my bag. The camera in my Pixel is that good for close-up shots, and I didn’t come across any subjects that would have required the Canon’s superior zoom lens.

I also didn’t come across a worthy, pocket-sized successor to that “real” camera at any CES booths. But with some 2.75 million square feet of exhibits at this year’s show, I could have easily missed that and many other solutions to my travel-tech issues.

A Safari upgrade I like: accountability for resource-hogging pages

Apple is a few days away from shipping its next big update to its desktop operating system, but people running its current and previous macOS releases can already benefit from one of macOS High Sierra’s components.

Yes, I’m writing something nice about Safari for a change.

The browser that I’ve spent much of the past few years cursing at for its weak memory management and general inability to let me run the computer instead of the other way around got a welcome, pre-High Sierra update Tuesday.

The most talked-about feature in Safari 11.0 may have been its ability to automatically silence sites that without invitation play videos with audio on (yes, I know that includes some of my freelance clients), followed by its blocking of cross-site ad tracking. But the option I’m enjoying most at the moment is Safari 11’s ability–stashed in a new “Websites” tab of its preferences window–to open every page at a given site in the minimalist Reader view.

Where ad blockers are often clumsy and random, Reader can be an elegant weapon against sites that demand attention with junky ads and auto-playing media. It might also spare you from a particularly piggy page locking up your Mac with a demand for more memory than the system can allocate.

“Isn’t that the system’s damn job,” you say? Yes, it is. Fortunately, Safari 11 also now seems able to quash a site in the middle of a memory binge, to judge from the banner I saw atop a page advising me that Safari had reloaded it “because it was using significant memory.”

I’m not going to tell the Safari developers to kick back with a nice vacation – since this update, the browser has already forced a reboot when it somehow refused to restart or fully quit–only a week after I’d had to go through the same routine with Google’s Chrome. But at least I don’t feel like this app is conspiring against me.

Goodbye, Nexus; hello, Pixel

I’m no longer rocking a four-year-old phone. Instead, I’ve upgraded to a 2016-vintage model.

This Google Pixel represents–I hope!–the end of the smartphone saga that began when my increasingly glitchy Nexus 5X lapsed into a fatal bootloop. The refurbished 5X Google offered as a free out-of-warranty replacement never shipped, notwithstanding the “confirmed” status of that order, so after a second call with Google’s store support I took their fallback offer of a full refund of my 5X purchase.

(It’s possible I got special treatment–Google should know how to Google me–but comments in Reddit’s 5X-bootloop thread report similar outcomes.)

I opted to use that money (technically, future money, since I won’t get the credit until the dead 5X completes its journey back to Google) on a Pixel for a few reasons. It remains the Wirecutter’s pick as the best Android phone; a pricier Samsung Galaxy S8 would subject me to tacky interface alterations and delayed security fixes; the new OnePlus 5 would be cheaper but comes with an even weaker record of software updates.

(I did consider buying an iPhone 7, but its absence of a headphone jack has not stopped seeming idiotic to me. And my frequent iPad experience of seeing apps revert to the stock keyboard instead of Google’s better Gboard isn’t something I need to repeat on a phone.)

It bugs me a little to upgrade to a device that shipped last fall, barely a year after the 5X’s debut. Although the Pixel’s camera does indeed seem terrific, in other respects this phone doesn’t represent a major advance over the 5X. But smartphone evolution has slowed down in general–a point people forget when they whine about Apple not shipping breakthrough products anymore.

It’s possible that the next Pixel 2 will add cordless charging, expandable memory and water resistance, and in that scenario I may wish my old phone could have staggered on for another few months. Or maybe Google will follow Apple’s foolish lead and get rid of the headphone jack on its next Pixel, in which case I’ll be patting myself on the back for timing my phone failures so well.