Weekly output: Google hearings (x2), Microsoft wants facial-recognition rules, Google Maps and Lime scooters, U2F security keys, U.S. newspapers vs. the GDPR

My calendar for the coming week looks strange: There isn’t a single work appointment on it. I plan to celebrate that by not shaving tomorrow.

12/10/2018: Congress will grill Google’s CEO this week — here’s what to expect, Yahoo Finance

The House Judiciary Committee–in particular, certain of its Republican members–obliged me by living up so completely to this preview of Google chief executive Sundar Pichai’s Tuesday appearance there.

12/10/2018: Microsoft is asking the government to regulate the company’s facial recognition tech, Yahoo Finance

Microsoft president Brad Smith came to the Brookings Institution last week to make an unusual plea: Please regulate us before we get dragged into a race to the bottom with ethically-unbounded vendors of facial-recognition technology.

12/13/2018: Google Maps will now help you find Lime scooters, Yahoo Finance

I got an advance on this news from one of Lime’s publicists; by itself, this new feature isn’t a huge development, but covering it allowed me to discuss broader failings in both Google and Apple’s navigation software.

12/13/2018: On privacy, Google CEO’s congressional hearing comes up short, The Parallax

I wrote about several security and privacy questions that should have been asked during Pichai’s grilling but never came up. The single worst omission: Not a single representative even mentioned the name of a non-Google search engine.

12/14/2018: Primer: How to lock your online accounts with a security key, The Parallax

I’ve had the idea of an explainer about “U2F” security keys on my to-do list for a while. In the time it took for me to sell the piece, Microsoft and Apple finally began moving to support this particularly secure two-step verification option.

12/16/2018: Post-Dispatch, Tribune haven’t caught up with EU rules, Gateway Journalism Review

My former Washington Post colleague Jackie Spinner wrote about how the sites of some U.S. newspapers continue to block European readers instead of complying with the European Union’s General Data Protection Regulation. She gave me a chance to critique this self-defeating practice–I’d earlier griped about it in a Facebook comments thread with her–and I was happy to give her few quotes.

Advertisements

LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.

Weekly output: credit checks for wireless service, Carpenter v. U.S., Safari security, Facebook listening patent

The second quarter of the year is in the books. Or to put this in less financial terms: Happy almost Fourth of July! Please take a moment during this holiday to remember that democracy is not a spectator sport.

6/25/2018: Sprint’s $15 unlimited data plan required a ‘hard pull’ credit report, and it’s not the only one, USA Today

The Collision conference gets an assist here for introducing me to CreditKarma co-founder Nichole Mustard, who on short notice provided a concise explanation of different levels of credit inquiries.

6/25/2018: Four things to note about the Supreme Court’s location privacy ruling, The Parallax

I applaud the Supreme Court ruling that the government has to get a search warrant to see my location history as tracked by my wireless carrier. But it also left many things unclear, like the validity of the “third-party doctrine” that originally allowed warrantless access to that location data.

6/29/2018: Apple’s Safari has dropped the ball on security, Yahoo Finance

News that Twitter would finally support two-step verification based on cryptographically-signed “U2F” USB keys gave me a timely peg for a piece recounting how Apple’s browser has been late to implement many security advances–even as Safari has led the industry in adding privacy protection.

6/30/2018: Facebook’s listening patent, Al Jazeera

I got a call from a producer as I was walking to Metro to meet friends for brunch, asking if I could talk about recent reports of Facebook obtaining a patent that appears to describe turning on a phone’s microphone when an ad broadcasts a special, inaudible-to-humans tone. I said this patent only showed that Facebook has aggressive patent lawyers. Why? See Nilay Patel’s debunking of this allegation in the Verge, based on a close reading of the claims in the actual patent.

Weekly output: Amy Webb, unlimited data, connected-car privacy, commercial geoint, U2F adoption, ECPA reform

The next few days will be a little crazy–starting with a 6 a.m. flight tomorrow to Orlando. I’m returning to Central Florida for the first time since 2011 to cover SpaceX’s attempt Tuesday to launch the Falcon Heavy rocket, the most powerful launch vehicle the U.S. has seen since the Saturn V. Assuming no scrubs, then I’m flying up to New York Tuesday night so I can cover Yahoo Finance’s cryptocurrency-focused All Markets Summit Wednesday, after which I will be delighted to sleep in my own bed once again.

1/29/2018: Fireside Chat with Futurist Amy Webb, State of the Net

I interviewed Amy at this tech-policy conference. She started with some harsh words about Washington’s ability to forecast future tech trends (her stock in trade), which probably didn’t go over very well in the room even if many policymakers around here need to realize the limits of their vision.

1/31/2018: Unlimited wireless data is here to stay; so is the need to check your options, USA Today

A new study by OpenSignal finding that download speeds at AT&T and Verizon have rebounded after a slump the research firm blamed on their shift to selling unlimited-data plans provided a news peg for this column reminding readers that they may be able to save money by opting for a limited-data plan–as unfashionable as that may be.

1/31/2018: Why a car can’t protect your privacy as well as a smartphone, Yahoo Finance

Watching a few panels at the Washington Auto Show’s public-policy day last week got me thinking about how Google Maps and connected cars each treat your location history–only one lets you inspect, edit, export and delete that information, and it’s not the one that requires an oil change.

1/31/2018: The Vanguard of Commercial GEOINT, Trajectory Magazine

This is the cover story for the U.S. Geospatial Intelligence Foundation’s quarterly magazine that holds up reasonably well for the first three-fourths or so–after which comes a bit on Strava that now looks problematic.

2/1/2018:  The authentication solution government has been slow to adopt, Fifth Domain

I’ve been meaning to write something about what’s held up the usage of “U2F” security keys–the cryptographically-signed USB fobs that can protect your Gmail or Facebook account from both phishing and the loss of either your phone number or your phone. This new government-cybersecurity site gave me that opportunity.

2/2/2018: The email privacy hole Congress won’t fix, Yahoo Finance

A couple of years ago, I started thinking that whenever Congress finally passed reform of the Electronic Communications Privacy Act, it would be fun to write a post recapping how long that took. Well, that hasn’t happened, so I decided to use Groundhog Day to instead write a post recapping how long Congress has failed to fix this obsolete law.