Category: Writing

Categories
Links Writing

The Role of Link Posts

One of the things that I’ve thought a lot about over the past few years are link posts. I’ve tried numerous different platforms and ways of sharing and commenting on links. And something that I’ve always appreciated are blogs that combine different forms of content (including link posts) along with something else to give them some unique perspective on the content of interest to their authors.

Gabe Weatherhead has recently written that:

It’s far too easy to grab a story headline streaming by and create a link post.

The reason I’ve walled off Macdrifter link articles behind Hobo Signs was because I wanted to clearly show that they weren’t my work. They are source materials. There is no guarantee I’ve reviewed them or even thought much about them. Sometimes I provide commentary but often they are just links.

I like link articles as much as the next person. But I felt disingenuous mixing those on a site that also provided commentary and opinion. It blurred lines I didn’t want to blur at a time when regurgitation looks like the successor to original content on the web. I don’t wonder why indie blogs are dying any more. Link posts are killing them.

I don’t think that link posts are necessarily killing indie blogs. I think that the problem is that indie blogs are often so replete with them that there isn’t a clear voice, narrative, or expertise associated with the comments on the links.

But link posts also raise the question about who blogging is for, and what we mean to do when blogging. Twitter and Facebook are fluid publication spaces: it can be impossible to see what you wrote on those platforms, about different topics, whereas its comparatively easy to retroactively see what you’ve written about on (most) structured blogging platforms. You can build a body of work that includes a shifting, or development, of thoughts and ideas over time. At the very least, you can turn Google search onto a blog and dredge up the various posts related to your search query to try to divine how your thoughts have changed over time. That’s next to impossible on more transient social media.

While commercial (or commercially-motivated) indie blogs might suffer from link posts I’m not convinced that such posts are kryptonite to personal blogs. And even for those which are commercially-oriented it’s not self-evident that link posts are bad: for the big indie blogs, the authors operate as tastemakers and news curators. They can quickly indicate their pleasure or displeasure where a fully review is unnecessary, or surface news of interest to them and their readers without requiring a detailed analysis of the issue at hand. Admittedly breaking news or entirely novel products may be ill served by such hot takes, but fast and short posts are routinely useful to their readership. The trick is to have a sufficiently interesting and authoritative voice that someone wants to read the author’s work in the first place. And that’s a space where most authors routinely struggle, indie writers or not.

Categories
Writing

WhatsApp Profits

Facebook’s purchase of WhatsApp made sense in terms to buying a potential competitor before it got too large to threaten Facebook’s understanding of social relationships. The decision to secure communications between WhatsApp users only solidified Facebook’s position that it was less interested in mining the content of communications than on understanding the relationships between each user.

However, as businesses turn to WhatsApp to communicate with their customers a new revenue opportunity has opened for Facebook: compelling businesses to pay some kind of a fee to continue using the service for commercial communications.

WhatsApp will eventually charge companies to use some future features in the two free business tools it started testing this summer, WhatsApp’s chief operating officer, Matt Idema, said in an interview.

The new tools, which help businesses from local bakeries to global airlines talk to customers over the app, reflect a different approach to monetization than other Facebook products, which rely on advertising.

This is Facebook flipping who ‘pays’ for using WhatsApp. Whereas in the past customers paid a small yearly fee, now customers will get it free and businesses will be charged to use it. It remains to be seen, however, whether WhatsApp is ‘sticky’ enough for consumers to genuinely expect businesses to use it for customer communications. Further, Facebook’s payment model will also stand as a contrast between WhatsApp and its Asian competitors, such as LINE and WeChat, which have transformed their messaging platforms into whole social networks that can also be used for robust commercial transactions. Is this the beginning of an equivalent pivot on Facebook’s part or are they, instead, trying out an entirely separate business model in the hopes of not canibalizing Facebook itself?

Categories
Writing

Thoughts on 1Password ‘Home’ Edition

People are worried that someone’s going to steal their data or secretly access their personal devices. Border agents are accessing devices with worrying regularity. Travellers are being separated from their devices and electronic when they fly. Devices are stolen with depressing regularity. And then there’s the ongoing concern that jealous spouses, partners, or family members will try to see with whom their partner’s been emailing, Snapchatting, or Whatsapping.

Few people are well positioned to defend against all of these kinds of intrusions. Some might put a password on their device. Others might be provided by updates for their devices (and even install the updates!). But few consumers are well situated to determine which software is better or worse in terms of providing security and user privacy, or make informed decisions about how much a security product is actually worth.

Consider a longstanding question that plagues regular consumers: which version of Windows is ‘the most secure’? Security experts often advise consumers to encrypt their devices to prevent many of the issues linked to theft. Unfortunately, only the professional or enterprise versions of Windows offer BitLocker, which provides strong full disk encryption.1 These professional versions are rarely provided by-default to consumers when they buy their laptops or desktops — they get the ‘Home’ editions instead — because why would everyday folks want to encrypt their data at rest using the best security available? (See above list for reasons.)

Consumers ask the same security-related questions about different applications they use. Consider:

  • Which messaging software gives you good functionality and protects your chats from snoops?
  • Which cloud services is it safe to store my data in?
  • Which VoIP system encrypts my data securely, so no one else can listen in?
  • And so on…

Enter the Password Managers

Password managers all generally offer the same kind of security promises: use the manager, generate unique passwords, and thus reduce the likelihood that one website’s security failure will result in all of a person’s accounts being victimized. ‘Security people’ have been pushing regular consumers to adopt these managers for a long time. It’s generally an uphill fight because trusting a service with all your passwords is scary. It’s also a hill that got a little steeper following an announcement by AgileBits this week.

AgileBits sells a password manager called ‘1Password’. The company has recognized that people are worried about their devices being seized at borders or about border agents compelling people to log into their various services and devices. Such services could include the 1Password, which is pitched as a safe place to hold your logins, credit card information, identity information, and very private notes. Recognizing the the company has encouraged people to store super sensitive information in one place, and thus create a goldmine for border agents, AgileBits has released a cool travel mode for 1Password to reduce the likelihood that a border agent will get access to that stash of private and secret data.

1Password Home Edition

But that cool travel mode that’s now integrated into 1Password? It’s only available to people who pay a monthly subscription for the software. So all those people who were already skeptical of password managers and who it was very hard to convince them to use a manger in the first place but who we finally got to use 1Password or similar service? Or those people who resist monthly payments for things and would rather just buy their software once and be done with it? Yeah, they’re unlikely to subscribe to AgileBit’s monthly service. And so those users who’ve been taught to store all their stuff in 1Password are effectively building up a prime private information goldmine for border agents and AgileBits is willing to sell them out to the feds because they’re not paying up.

People who already sunk money into 1Password to buy the software are, now, users the 1Password Home version. Or to be blunt: they get the segregated kinds of security that Microsoft is well known for. It’s disappointing that in AgileBits’ efforts to ‘convert’ people to ongoing payments that the company has decided to penalize some of its existing user base. But I guess it’s great for border agents!

I’m sure AgileBits and 1Password will survive, just as Microsoft does, but it’s certainly is a sad day when some users get more security than others. And it’s especially sad when a company that is predicated on aggregating sensitive data in one location decides it would rather exploit that vulnerability for its own profit instead of trying to protect all of its users equally.

NOTE: This was first published on Medium on May 24, 2017.

  1. 1 Windows 8 and 10 do offer ‘Device Encryption’ but not all devices support this kind of encryption. Moreover, it relies on signing into Windows with a Microsoft Account and uploads the recovery key to Microsoft’s servers, meaning the user isn’t in full control of their own security. Unauthorized parties can, potentially, access the recovery key and subsequently decrypt computers secured with Device Encryption. ↩︎
Categories
Writing

When ‘Contact Us’ Forms Becomes Life Threatening

Journalists targeted by security services can write about relatively banal subjects. They might report on the amount and quality of food available in markets. They might write about the slow construction of roads. They might write about dismal housing conditions. They might even just include comments about a politician that are seen as unfavourable, such as the politician wiped sweat from their brow before answering a question. Risky reporting from extremely hostile environments needn’t involve writing about government surveillance, policing, or corruption: far, far less ‘sensitive’ reporting can be enough for a government to cast a reporter as an enemy of the state.

The rationale for such hyper-vigilance on the part of dictatorships and authoritarian countries is that such governments regularly depend on international relief funds or the international community’s decision to not harshly impede the country’s access to global markets. Negative press coverage could cut off relief funds or monies from international organizations following a realization that the country lacks the ‘freedoms’ and ‘progress’ the government and most media publicly report on. If the international community realizes that the country in question is grossly violating human rights it might also limit the country’s access to capital markets. In either situation, limiting funds available to the government can endanger the reigning government or hinder leaders from stockpiling stolen wealth.

Calling for Help

Reaching out to international journalism protection organizations, or to foreign governments that might offer asylum, can raise serious negative publicity concerns for dictatorial or authoritarian governments. If a country’s journalists are fleeing because they believe they are in danger, and that fact rises to public attention, it could negatively affect a leader’s public image and the government’s access to funds. On this basis governments may place particular journalists under surveillance and punish them should they do anything to threaten the public image of the leader or country. Such surveillance is also utilized when reporters who are in a country are covering, and writing about, facts that stand in contravention to government propaganda.

The potential for electronic surveillance is particularly high, and serious, when the major telecommunications providers in a country tend to fully comply with, or willingly provide assistance to, state security and intelligence services. This degree of surveillance makes contacting international organizations that assist journalists risky; when a foreign organization does not encrypt communications sent to it, the organization’ security practices may further endanger a journalist calling for help. One of the many journalists covered in Bad News: Last Journalists in a Dictatorship who feared his life was in danger by the Rwandan government stated,

[h]e had written to the Committee to Protect Journalists, in New York, but someone in the president’s office had then shown him the application that he had filled out online. He didn’t trust people living abroad any longer.” (Bad News: Last Journalists in a Dictatorship, 83-4)

Such surveillance could have taken place in a few different ways: the local network or computer the journalist used to prepare and send the application might have been compromised. Alternately, the national network might have been subject to surveillance for ‘sensitive’ materials. Though the former case is a prevalent problem (e.g., Internet cafes being compromised by state actors) it’s not one that international journalist organizations are well suited to fix. The latter situation, however, where the national network itself is hostile, is something that media organizations can address.

Network inspection technologies can be configured to look for particular pieces of metadata and content that are of interest to government monitors. By sorting for certain kinds of metadata, such as websites visited, content selection can be applied relatively efficiently and automated analysis of that content subsequently be employed. That content analysis, however, depends on the government in question having access to plaintext communications.

Many journalism organizations historically have had ‘contact us’ pages on their websites, and many continue to have and use these pages. Some organizations secure their contact forms by using SSL encryption. But many organizations do not, including organizations that actively assert they will provide assistance to international journalists in need. These latter organizations make it trivial for states that are hostile to journalists to monitor in-country journalists who are making requests or issuing claims using these insecure contact forms.

Mitigating Threats

One way that journalism protection organizations can somewhat mitigate the risk of government surveillance is to implement SSL on their websites, which encrypts communications sent to the organization’s web server. It is still apparent to network monitors what website was visited but not which pages. And if the journalist sends a message using a ‘contact us’ form the data communicated will be encrypted, thus preventing network snoops from figuring out what is being said.

SSL isn’t a bulletproof solution to stopping governments from monitoring messages sent using contact forms. But it raises the difficulty of intercepting, decrypting, and analyzing the calls for help sent by at-risk journalists. And adding such security is relatively trivial to implement with the advent of free SSL encryption projects like ‘Let’s Encrypt’.

Ideally journalism organizations would either add SSL to their websites — to inhibit adversarial states from reading messages sent to these organizations — or only provide alternate means of communicating with them. That might mandate email, and list hosts that provide service-to-service encryption (i.e. those that have implemented STARTSSL), messaging applications that provide sufficient security to evade most state actors (everything from WhatsApp or Signal, to even Hangouts if the US Government and NSA aren’t the actors you’re hiding from), or any other kind of secure communications channel that should be secure from non-Five Eyes surveillance countries.

No organization wants to be responsible for putting people at risk, especially when those people are just trying to find help in dangerous situations. Organizations that exist to, in part, protect journalists thus need to do the bare minimum and ensure their baseline contact forms are secured. Doing anything else is just enabling state surveillance of at-risk journalists, and stands as antithetical to the organizations’ missions.

NOTE: This post was previously published on Medium.

Categories
Aside Writing

Limits of Data Access Requests

Last week I wrote about the limits of data access requests, as they related to car sharing applications like Uber. A data access request involves you contacting a private company and requesting a copy of your personal information, as well as the ways in which that data is processed, disclosed, and the periods of time for which data is retained.

Research has repeatedly shown that companies are very poor at comprehensively responding to data access requests. Sometimes this is because of divides between technical teams that collect and use the data, policy teams that determine what is and isn’t appropriate to do with data, and legal teams that ascertain whether collections and uses of data comport with the law. In other situations companies simply refuse to respond because they adopt a confused-nationalist understanding of law: if the company doesn’t have an office somewhere then that jurisdiction’s laws aren’t seen as applying to the company, even if the company does business in the jurisdiction.

Automated Data Export As Solution?

Some companies, such as Facebook and Google, have developed automated data download services. Ostensibly these services are designed so that you can download the data you’ve input into the companies, thus revealing precisely what is collected about you. In reality, these services don’t let you export all of the information that these respective companies collect. As a result when people tend to use these download services they end up with a false impression of just what information the companies collect and how its used.

A shining example of the kinds of information that are not revealed to users of these services has come to light. A recently leaked document from Facebook Australia revealed that:

Facebook’s algorithms can determine, and allow advertisers to pinpoint, "moments when young people need a confidence boost." If that phrase isn’t clear enough, Facebook’s document offers a litany of teen emotional states that the company claims it can estimate based on how teens use the service, including "worthless," "insecure," "defeated," "anxious," "silly," "useless," "stupid," "overwhelmed," "stressed," and "a failure."

This targeting of emotions isn’t necessarily surprising: in a past exposé we learned that Facebook conducted experiments during an American presidential election to see if they could sway voters. Indeed, the company’s raison d’être is figure out how to pitch ads to customers, and figuring out when Facebook users are more or less likely to be affected by advertisements is just good business. If you use the self-download service provided by Facebook, or any other data broker, you will not receive data on how and why your data is exploited: without understanding how their algorithms act on the data they collect from you, you can never really understand how your personal information is processed.

But that raison d’être of pitching ads to people — which is why Facebook could internally justify the deliberate targeting of vulnerable youth — ignores baseline ethics of whether it is appropriate to exploit our psychology to sell us products. To be clear, this isn’t a company stalking you around the Internet with ads for a car or couch or jewelry that you were browsing about. This is a deliberate effort to mine your communications to sell products at times of psychological vulnerability. The difference is between somewhat stupid tracking versus deliberate exploitation of our emotional state.1

Solving for Bad Actors

There are laws around what you can do with the information provided by children. Whether Facebook’s actions run afoul of such law may never actually be tested in a court or privacy commissioner’s decision. In part, this is because actually mounting legal challenges is extremely challenging, expensive, and time consuming. These hurdles automatically tilt the balance towards activities such as this continuing, even if Facebook stops this particular activity. But, also, part of the problem is Australia’s historically weak privacy commissioner as well as the limitations of such offices around the world: Privacy Commissioners Offices are often understaffed, under resourced, and unable to chase every legally and ethically questionable practice undertaken by private companies. Companies know about these limitations and, as such, know they can get away with unethical and frankly illegal activities unless someone talks to the press about the activities in question.

So what’s the solution? The rote advice is to stop using Facebook. While that might be good advice for some, for a lot of other people leaving Facebook is very, very challenging. You might use it to sign into a lot of other services and so don’t think you can easily abandon Facebook. You might have stored years of photos or conversations and Facebook doesn’t give you a nice way to pull them out. It might be a place where all of your friends and family congregate to share information and so leaving would amount to being excised from your core communities. And depending on where you live you might rely on Facebook for finding jobs, community events, or other activities that are essential to your life.

In essence, solving for Facebook, Google, Uber, and all the other large data broker problems is a collective action problem. It’s not a problem that is best solved on an individualistic basis.

A more realistic kind of advice would be this: file complaints to your local politicians. File complaints to your domestic privacy commissioners. File complaints to every conference, academic association, and industry event that takes Facebook money.2 Make it very public and very clear that you and groups you are associated with are offended by the company in question that is profiting off the psychological exploitation of children and adults alike.3 Now, will your efforts to raise attention to the issue and draw negative attention to companies and groups profiting from Facebook and other data brokers stop unethical data exploitation tomorrow? No. But by consistently raising our concerns about how large data brokers collect and use personal information, and attributing some degree of negative publicity to all those who benefit from such practices, we can decrease the public stock of a company.

History is dotted with individuals who are seen as standing up to end bad practices by governments and private companies alike. But behind them tend to be a mass of citizens who are supportive of those individuals: while standing up en masse may mean that we don’t each get individual praise for stopping some tasteless and unethical practices, our collective standing up will make it more likely that such practices will be stopped. By each working a little we can do something that, individually, we’d be hard pressed to change as individuals.

NOTE: This blog was first published on Medium on May 1, 2017.

  1. 1 Other advertising companies adopt the same practices as Facebook. So I’m not suggesting that Facebook is worst-of-class and letting the others off the hook. ↩︎
  2. 2 Replace ‘Facebook’ with whatever company you think is behaving inappropriately, unethically, or perhaps illegally. ↩︎
  3. 3 Surely you don’t think that Facebook is only targeting kids, right? ↩︎
Categories
Writing

Uber and the Limits of Privacy Law

When was the last time that you thought long and hard about the information companies are collecting, sharing, and selling about you? Maybe you thought about it after reading some company had suffered a data breach or questionably used your data, and then set the worries out of your mind.

What you may not know is that most contemporary Western nation-states have established data protection and privacy legislation over the past several decades. A core element of these laws include data access rights: the right for individuals to compel companies to disclose what information the companies have collected, stored, and shared about them.

In Canada, federal commercial privacy legislation lets Canadian citizens and residents request their personal information. They can use an online application to make those requests to telecommunications companies, online dating companies, or fitness wearable companies. Or they can make requests themselves to specific companies on their own.

So, what happens when you make a request to a ride sharing company? A company like Uber? It might surprise you but they tend to provide you with a lot of information about you, pretty quickly, and in surprisingly digestible formats. You can see when you used a ride sharing application to book a ride, the coordinates of the pickup, where you were dropped off, and so forth.

But you don’t necessarily get all of the information that ride sharing companies collect about you. In the case of Uber, the company was recently found to be fingerprinting the phones its application was installed on. There’s some reason to believe that this was for anti-fraud purposes but, regardless, the collection of that information arguably constitutes the collection of personal information. Per Canadian privacy legislation, such information is defined as “information about an identifiable individual” and decisions by the Commissioner have found that if there is even an instant where machine identifiers are linked with identifiable subscriber data, that the machine identifiers also constitute personal information. Given that Uber was collecting the fingerprints while the application was installed, it likely was linking those fingerprints with subscriber data, even if only momentarily before subsequently separating the identifiers and other data.

So if Uber had a legal duty to inform individuals about the personal information that it collected, and failed to do so, what is the recourse? Either the Federal Office of the Privacy Commissioner of Canada could launch an investigation or someone who requested their personal information from Uber could file a formal complaint with the Office. That complaint would, pretty simply, argue that Uber had failed to meet its legal obligations by not disclosing the tracking information.

But even if Uber was found to have violated Canadian law there isn’t a huge amount of recourse for affected individuals. There aren’t any fines that can be levied by the Canadian federal commissioner. And Uber might decide that it doesn’t want to implement any recommendations that Privacy Commissioner provided: in Canada, to enforce an order, a company has to be taken to court. Even when companies like Facebook have received recommendations they have selectively implemented them and ignored those that would impact their business model. So ‘enforcement’ tends to be limited to moral suasion when applied by the federal privacy commissioner.1

But the limits of enforcement only strike to a part of the problem. What is worse is we only know about Uber’s deceptive practices because of journalism. It isn’t because the company was forthcoming and proactively disclosed this information well-in-advance of fingerprinting devices. Other companies can read that signal and know that they can probably engage in questionable and unlawful practices and have a pretty low expectation of being caught or punished.

In a recent article published by a summer fellow for the Citizen Lab, Adrian Fong argued that enforcing data protection and privacy laws on individual private companies is likely an untenable practice. Too few companies will be able to figure out how to deal with data access requests, fewer will be inclined to respond to them, and even fewer will understand whether they are obligated to respond to such requests or not in the first place. Instead, Fong argues that application stores — such as Google’s and Apple’s respective App stores — could include comprehensive data access rights as part of the contracts that app developers agree to with the app store owners. Failure to comply with the data access rights aspect of a contract could lead to an app being removed from the app store. Were Google and Apple to seriously implement such a practice then their ability to remove bad actors, such as Uber, from app stores could lead to a modification of business practices.

Ultimately, however, I’m not certain that the ‘solution’ to Uber is better privacy law. It’s probably not even just better regulation. Rather, ‘solving’ for companies like Uber demands changing how engineers and business persons are educated and trained, and modifying the grounds under which they’re rewarded and punished for their actions. Greater emphases on ethical practices and the politics of code need to be ingrained in their respective educational curriculum, just as arts and humanities students should be exposed in more depth to the hard sciences. And engineers, generally, need to learn that they’re not just solving hard problems such as preventing fraudulent rides: they’re also embedding power structures in the code they develop, and those structures can’t just run roughshod over the law that democratic publics have established to govern private behaviours. Or, at least, if they run afoul of the law — be it national data protection law or contract law — there will at least be serious consequences. Doing otherwise will simply incentivize companies to act unethically on the basis that there are few, or no, consequences for behaving like a bad actor.

NOTE: this was originally posted to Medium.

  1. 1 Some of Canada’s provincial commissioners do have order making powers. ↩︎
Categories
Writing

Feature Parity in Apple Notes

I have a love and occasional hate relationship with Apple Notes. And a mostly hate and kind fond memory relationship with my longstanding notes application, Evernote. So for the past few months I’ve slowly and tediously shifting a few thousand notes from one service to another.

This is the story of why, the joys and miseries of the decision, and what I hope Apple changes in future versions of its note taking application.

Evernote’s Trust and Pricing Deficit

Evernote has some serous problems to my eye. I like some of its features, such as the ability to search .PDFs and adding tags to different notes. But these features aren’t enough to overcome the baseline problem that I no longer trust Evernote with my content. There are two core reasons underscoring this lack of trust: the company’s questionable stance on users’ privacy and the company’s willingness to increase prices without providing a corresponding improvement in their services.

In case you missed it, Evernote announced a plan to have specific employees read the content their users added to their notes. The employee would be reading users’ notes to improve on the machine learning algorithms that Evernote was rolling out. Those algorithms, themselves, meant to improve the services provided to users.

So the company was only going to infringe on its users’ privacy for the best of reasons.

The company backed off from its decision pretty quickly in the wake of a media backlash. Nevertheless, the initial decision left a bad taste in my mouth. How could I trust a company that had so cavalierly indicated a willingness to intrude upon their users’ private content? Some people use Evernote for personal journaling, others to manage their businesses, some to store medical information, and yet others for their research and professional writing. On what possible grounds could anyone at a company based on storing people’s thoughts and dreams think it would be appropriate to have employees read potentially sensitive notes? I was already somewhat uneasy with the company but seriously started exploring ways out of their service following this particular privacy SANFU.

The second problem I had with the company was its decision to raise prices for professional users without providing a real benefit to end users. I get that companies sometimes have to adjust their pricing but as a long-standing user it seemed like I was being penalized after trusting the company in its infancy. It just seemed wrong to penalize very early adopters such as myself who’d championed the application from an early point in the company’s existence. There should have been a grace period, at the very least, if not an actual grandfathering of long term users’ prices.

So in the advent of these issues, combined with a decreasing enjoyment of the user interface and user experience more generally, I decided that I wanted out.

Enter Apple Notes

I’ve used Apple Notes off and on for a lot of years. And until the updates that came in iOS 9 I’ve generally stayed away. The service has just been deeply underwhelming in terms of its organization of different notes, to say nothing of the annoyances I had with sharing notes with other people.

The worst of those annoyances have been dealt with in a few ways:

  1. I can organize folders and use macOS to nest different folders in one another, which is essential for me to keep my notes in some semblance of order.
  2. I can search through notes with relative ease on all my Apple devices, though I admit this is an area where improvements would be delightful.
  3. I have more faith in Apple to push back against efforts to access my notes through a legal process, and to protect the privacy of my notes’ contents using best security practices.

Furthermore, I’m already paying for iCloud storage. As a result, shifting my Evernote documents to Apple Notes will likely leave me with a little more money in my bank account each year.

The actual writing experience in Apple Notes is a bit threadbare. That’s ok on the whole – the ability to add headings and titles, along with some baseline formatting is almost enough – and share sheets have made it a lot more pleasant to send a note to a colleague or collaborator.

Aside: The Miseries of Note Migration

There are some automated ways to pull data out of Evernote and into other note taking applications, including Apple Notes. But I’m not using them for two separate reasons.

First, I want to be able to re-curate all the stuff that’s collected in Evernote over then past years. So that means that I want to put my own eyes on old notes to determine what should and shouldn’t make the cut. I’ve shed about a thousand notes thus far and I’m pretty sure that even are going to vanish into the digital ether.

Second, the way I organized notes in Evernote changed over the years that I was using it. I did a lot of learning while using the application which mean that I changed my tagging and notebook structures a few times. That meant there was a pretty bad mess I’d built up and I wanted that cleaned up.

I should acknowledge that Evernote also put a lot of really badly formatted notes in my various notebooks and I’m spending more time than is really appropriate to fix up those notes. Specifically, I used the company’s web clipping tool on a regular basis and the way it clipped pages was often sub-par (to be generous). In some cases it meant that HTML was laced through notes. In others, the clipped pages were filled with ads and other badly formatted junk; this was the result of website publishers having to incorporate ads and ruin the user experience.

I should be blunt: I was working around the deficiencies of Evernote’s clipping service. Apple Notes has its own problems and deficiencies and, between the two, Evernote is actually better at clipping than Apple.

Limitations of Apple Notes

There’s still room for improvements with Apple Notes.

iOS is definitely an area that is still developing, and I periodically come across things that haven’t been implemented for some reason. One of the teething struggles associated with iOS’s Notes s linked with share sheets: why can I share a note with someone, but not a folder containing multiple notes? My use case is this: I often collect resources for ongoing projects in folders and it’d be great to be able to share all of those items, at once, as opposed to on an individual basis.

In a related vein, I’d be delightful to be able to:

  • Add hyperlinks to text in the Notes applications for iOS;
  • Create sub-folders in the iOS application (I can do it in macOS so why not in iOS?);
  • In macOS, automatically create a note when I drag a file — such as a .pdf, .doc, or other file — into the application.

I also really, really wish that Notes on iOS and macOS supported smart folders and tags. macOS already supports that kinds of functionality in Finder and (to an extent) iTunes and Photos! Adding these kinds of functions into the Notes application would mean I could more easily use the same note in multiple folders. The use case? I often keep reviews of articles and documents in Apple Notes and subsequently want to organize them into additional folders for specific papers that I’m writing or blog posts I’m drafting. As it stands now I need to make total copies of notes and re-create them in folders for the given paper or blog. That’s nuts: I shouldn’t be doubling or tripling notes.

But maybe it’s just too hard to do all that. So if I had to ask for a smaller thing it’d be this: please, please, please just let me pin important notes to the top of different folders in notes.

Finally, it’d be amazing if there was some integration of Markdown functionality. I don’t imagine that’s going to happen anytime soon, but it’d be nice.1 A better web clipping service would also be helpful: Evernote did a not good but generally serviceable if not good job of that and Notes just sucks in comparison.

NOTE: This was originally posted on Medium.

  1. 1: Yes, services like Bear might actually provide a better experience. And its support for Markdown makes it super tempting. But I’d rather pay for fewer services as part of some 2017 ‘financial cleaning’. ↩︎
Categories
Links Writing

Why We Need to Reevaluate How We Share Intelligence Data With Allies

Last week, Canadians learned that their foreign signals intelligence agency, the Communications Security Establishment (CSE), had improperly shared information with their American, Australian, British, and New Zealand counterparts (collectively referred to as the “Five Eyes”). The exposure was unintentional: Techniques that CSE had developed to de-identify metadata with Canadians’ personal information failed to keep Canadians anonymous when juxtaposed with allies’ re-identification capabilities. Canadians recognize the hazards of such exposures given that lax information-sharing protocols with US agencies which previously contributed to the mistaken rendition and subsequent torture of a Canadian citizen in 2002. 

Tamir Israel (of CIPPIC) and I wrote and article for Just Security following these revelations. We focused on the organization’s efforts, and failure, to suppress Canadians’ identity information that is collected as part of CSE’s ongoing intelligence activities and the broader implications of erroneous information sharing. Specifically, we focus on how such sharing can have dire life consequences for those who are inappropriately targeted as a result by Western allies and how such sharing has led to the torture of a Canadian citizen. We conclude by arguing that the collection and sharing of such information raises questions regarding the ongoing viability of the agency’s old-fashioned mandates that bifurcate Canadian and non-Canadian persons’ data in light of the integrated nature of contemporary communications systems and data exchanges with foreign partners.

Read the Article

Categories
Writing

So Now I’m Here

For the past decade and a half I’ve been publishing on a variety of platforms. Livejournal. Tumblr (a bunch of different times). A long lasting WordPress instantiation (and a few that weren’t so long lasting), plus some offline places where I reflect on more personal things and some online places that died relatively fast or of ignominious ends (remember Posterous?).1

The Experience of Online Publishing

Each of the online platforms I’ve previously used have seen me experiment with different aspects of self-publishing. From spreading my content all over the Internet I’ve learned about a few things about what matters to me:

  1. Publishing platforms need to emphasize the importance of user interfaces and user experiences.
  2. Platforms need to appreciate that if they aren’t seen trustworthy then fewer people will publish using them.
  3. In some cases, companies that are offering online platforms need to help users make at least some tweaks to the publishing environment so that they can personalize the space to their content.
  4. Publishing platforms need to consider how to help users develop and foster a positive community that is inviting to new users and readers.

I’ve ultimately grown disenchanted with each of the major and minor writing platforms I’ve used over the years for one reason or another:

  • Livejournal (that social network of yore) was a product of its time in every sense. The user interface was crude, if serviceable. The community finding aspects were pretty decent for its time. But innovation slowed and being sold to a Russian company raised pretty serous questions about censorship arose. (I went from Livejournal to WordPress, where a lot of my content has lived ever since.)
  • Tumblr remains, at least as I’ve experienced it, a burning garbage fire of user interface issues. I’ve gone back several times over the past six or seven years and it never seems to have really improved from its basic state. The sale to Yahoo! – a company that can’t secure itself from toddlers, it seems – makes that a space less than inviting to add content to: will it be there tomorrow? And if so, who will be in charge of losing users’ logins, passwords, security questions, and content next?
  • While I use WordPress on a regular basis, and one installation has held my professional work for a decade, I don’t want yet another platform I have to secure from third-parties. The functionality is great but maintenance is something I want to do less of, not more.

But, if I’m being entirely honest, only part of the problem of finding outlets for my creative instincts has to do with the different platforms. A bigger problem is directly tied to me.

Professional Appropriation of Creativity

My professional job involves a lot of writing. The majority of the writing that I’ve done for ‘myself’ over the past decade has generally linked my public and professional personas. To my chagrin, most of the public places I’ve written have ultimately been appropriated by, and arguably undermined by, that public-professional persona.2

The result is that I really haven’t had (or maintained) a good place to place my creative outputs that extend beyond my professional work. Things that are about different pieces of technology I’m using and why, what I think about different photos that I’ve taken over the years, or comments on politics, reflections on poignant books or articles I’ve come across, as well as other things that catch my fancy. Sure there are microblogging sites but I want something more substantive and meaty and long-lasting than 140 characters.

If I thought I could write more personal, non-professional, pieces on the website that bears my own name I probably would. But that doesn’t feel like a real option for me: doing so would overlap my professional and personal lives more than I’m comfortable with, while also running the risk of weakening the professional ‘value’ I’ve build up in that long-lasting website.

So, Now I’m Here.

Medium has terrific typography and the people who routinely write here that I follow tend to be doing interesting and involving work. The topics are diverse. The publishing process seems pretty solid and made with the user in mind. And I already know a lot of people who are writing here, which definitely helps to make this a more inviting writing space.

So while my professional work is going to remain stovepiped in my long lasting WordPress blog, I think I’m going to see what it’s like to use Medium as a place for my own work. Things that are less serious. Things that just don’t really belong in my other writing environments. Things that are personal but not so personal that they have to be kept from public eye entirely.

NOTE: This was initially published on Medium in early 2017.

  1. 1 I’m excluding the other ‘microblogging’ sites that we all use, like Twitter, Facebook, or Instagram. ↩︎
  2. 2 To say that I’ve had bad work-life balance in the past is an understatement. I was 90% work, 10% life. I attribute that lack of balance, in part, to my professional appropriation of my creative spaces. ↩︎
Categories
Links Writing

WhatsApp’s new vulnerability is a concession, not a backdoor

The underlying weakness has to do with alerts rather than cryptography. Although they share the same underlying encryption, the Signal app isn’t vulnerable to the same attack. If the Signal client detects a new key, it will block the message rather than risk sending it insecurely. WhatsApp will send that message anyway. Since the key alert isn’t on by default, most users would have no idea.

It’s a controversial choice, but WhatsApp has good reasons for wanting a looser policy. Hard security is hard, as anyone who’s forgotten their PGP password can attest. Key irregularities happen, and each app has different policies on how to respond. Reached by The Guardian, WhatsApp pointed to users who change devices or SIM cards, the most common source of key irregularities. If WhatsApp followed the same rules as Signal, any message sent with an unverified key would simply be dropped. Signal users are happy to accept that as the price of stronger security, but with over a billion users across the world, WhatsApp is playing to a much larger crowd. Most of those users aren’t aware of WhatsApp’s encryption at all. Smoothing over those irregularties made the app itself simpler and more reliable, at the cost of one specific security measure. It’s easy to criticize that decision, and many have — but you don’t need to invoke a government conspiracy to explain it.

A multitude of secure messaging applications are vulnerable to keys being changed at the server level without the end-user being notified. This theoretically opens a way for state security agencies to ‘break into’ secured communications channels but, to date, we don’t have any evidence of a company in the Western or Western-affiliated world engaging in such behaviours.

There are laws that require some types of communications to be interceptable. Mobile communications carried by telecommunications carriers in Canada must be interceptable, and VoIP along with most other kinds of voice communications that are transmitted by equivalent carriers are subject to interception in the United States. There are not, however, similar demands currently placed on companies that provide chat or other next-generation communications system.

While there are not currently laws mandating either interception or decryption of chat or next-generation communications it remains plausible that laws will be introduced to compel this kind of functionality. It’s that possibility that makes how encryption keys are managed so important: as politicians smell that there is even the possibility of demanding decrypted communications the potential for such interception laws increases dramatically. Such laws would formalize and calcify vulnerabilities into the communications that we use everyday, to the effect of not just ensuring that domestic authorities could always potentially be listening, but foreign and unauthorized parties as well.