Today, I came across a couple of techniques to subtly revolt against mass scraping and data:
I was a bit sceptical as to whether prompt injection from scraped data would work, but it seems so:
Indirect prompt injections
In these attacks, hackers hide their payloads in the data the LLM consumes, such as by planting prompts on web pages the LLM might read.
I haven’t implemented anything like this yet, but I’m considering it. I kind of like the idea of making the scrapers complete a task that’s intensive, but I’m not 100% about the environmental impact.
There’s also a possibility that LLMs have peaked already – or are close to – in which case this may shortly be a moot point.
These techniques remind me of a subversive browser idea I liked the sound of. Instead of blocking ads, generate useless spoof data that makes the tracking tech useless.
I didn’t get around to it for lots of reasons:
Among all the usual reasons things like this fall to the bottom of a list, repeatedly... for over 18 months.
This weekend, I realised I could probably put together an improvement in a couple of hours. Certainly enough to update the typefaces, simplify the design a bit and reset the colours.
This is very much a work-in-progress public redesign, and there are likely some bugs. But, I’ve pushed it in the spirit of “launching when it’s better than what was there before” – which I believe this is – and here we are.
Notes
Courses
This course sat in my “to do one day” list for a pretty long time, but I finally had a direct need for it recently and took the plunge. It builds on lots of topics from Adam’s Form Design Principles book, but covers them in more detail with many more practical examples.
Adam’s approach to forms is articulated and reasoned incredibly well. Most of my clients don’t have the opportunity to test at anywhere near the scale or detail of GOV.UK, so there’s a lot of value in seeing these patterns that are based on lots of user research.
I was able to implement a lot of this learning immediately in a client project, and I can see that I’ll be using the principles time-and-time again. Worth every penny.
This free short course is a great reminder/introduction to good high-level design principles.
It’s free, easy to get through in a single sitting and covers good design principles – what’s not to like?
This course was the biggest major investment I made after Typewolf, several years earlier.
It’s incredibly thorough – I’d say it’s appropriate both for new designers and experienced designers looking to sharpen/refine their skills. Erik has some brilliantly useful thoughts on lots of hard-to-nail topics – colour is the obvious one that comes to mind, but there are lots of great tactics/approaches explained throughout.
One thing I particularly liked is how the course challenges some received design wisdom that I’ve been on the fence about for years (e.g. mobile-first, typography scales, etc). It’s never contrarian for contrarian’s sake – Erik takes an incredibly thoughtful and practical approach to everything.
This is not a cheap course and it requires a lot of time to get through the material, but it’s incredibly thorough. Highly recommended.
I bought this course before I decided to focus on design and move away from frontend development. The target audience is clearly developers, but there are useful things for designers here, too.
As a designer concerned with accessibility, I’ve dipped into this course to look at accessible implementations of things I’m designing before I present them.
Even though this isn’t a design course per se, I’d still highly recommend. It’s useful for designers with and without frontend code skills, and can be a useful thing to point developers to (particularly if you’re working with an in-house team).
Aimed at developers, this is a pretty thorough introduction to design principles. It’s primarily delivered as lots of rules with plenty of practical examples.
It’s on the more affordable side and covers lots of basics well. I’d say it’s a pretty good course for the target audience and new designers looking for something to get them off the ground.
An easy-to-digest action-packed course covering several techniques to take designs to the next level. Easy to get through the material in a couple of sittings, and lots of high-level takeaways.
This was the first higher-value course I bought. I’d read lots of articles and books on typography, so went back-and-forth on whether this would be worth the investment – and it was one of the best purchases I have ever made.
The checklist is packed full of bitesize tips and presented in a beautifully straightforward and easy-to-understand manner. I recommend this wherever I can. Highly recommended.
Obvious disclaimer: these are all things I’ve heard about or directly experienced. Your mileage may vary.
When it comes to mortgage applications and the borrowing limits, self-employed people are penalised for income variability on all fronts.
For instance, if your income:
Self-employed people lose in both situations. You could have many years of stable income, reduce income in one year, then find your mortgage options are significantly limited.
Many people who work for themselves take on some PAYE work, either out of choice or because the employer refuses to work with people on a self-employed basis.
Self-employed people often find themselves on a zero-hours contract with fluctuating PAYE income. For mortgage applications, this can be risky for lots of reasons:
Any PAYE employment won’t be considered by lenders unless there’s a recent payslip, even if you have many years of proven income through P60s. If the work is seasonal and your application isn’t timed around a payslip, the income won’t be considered. This stings because this income would be considered – in spite of its ‘instability’ – if it was sole trader/company income.
Lenders annualise your latest payslips to work out your PAYE salary. Of course, this could be a benefit if you happen to time an application around an increase in PAYE income. But if your PAYE goes down in the months leading up to your mortgage application (perhaps you’ve balanced it with an increase of self-employed work that lenders can’t see), your mortgage offer will be reduced.
You’re at risk of being taxed immediately on single lump sum payments that would push you over the tax threshold when annualised. This is mainly a problem when receiving a one-off payment that isn’t representative of your earnings – some of this you won’t balance out until you submit your next self-assessment.
I’ll have two slots in September and October, with November and December tbc (they’re open to book right now, but may change).
More info and booking on my Unoffice Hours page.
I’ve been free from social media for over a year – in both a personal and work capacity – so I don’t use social media to get work.
It’s been a process. I got rid of:
I gave up on Mastodon quite quickly (I was already tiring of short-form social media) and never really used Instagram.
There’s nothing atypical about any of these methods, but writing them down made me wonder what that looks like in numbers.
I don’t have a high turnover of clients and usually juggle a combination of long/short term projects.
I had 18 clients over the last year. These range from teeny tiny one-off projects, to projects that span many months.
Eight of these were new clients:
The other ten were either previous clients or projects on a longer-term basis.
There are other things I could do to promote myself further:
I don’t particularly want to invest time/energy in any of these channels, but I know they work for some people.
It was pointed out to me that there may be a few other ways that I get work:
I wouldn’t necessarily count on these as things that directly bring in work, but they probably help to a small degree.
I also remembered a tip on sharing work I heard at a talk a few years ago: pass on work that isn’t a good fit for whatever reason (tech/industry/budget etc) to people who might be a better fit and there’s a chance that might come around one day.
I tried using RSS on somewhat of a whim, so these benefits have been somewhat of an unintentional, zero-effort revelation. In terms of reduced distraction, it feels similar in impact to when I deleted social media apps and email from my phone.
Everything below comes with the following preface/caveat:
- There’s no universally perfect charging method: I’m writing this to highlight something that’s been working for me
- These thoughts are somewhat of a work-in-progress
- Your mileage will vary
Until last year, I’d almost exclusively quoted project rates. This had worked ok but I’d found it difficult to get the balance right. A couple of years ago, I read Sanctuary Computer’s pieces on value pricing and quoting technology: these pieces strongly resonated with me.
The popularity of value pricing has led to pricing by time getting a bad rep among freelancers and independents. I’d never felt comfortable with value pricing, and found some issues in charging by project, so switching to time-based quoting has been a revelation.
Here are some of the benefits I’ve experienced in pricing by day:
I’m aware that some of my discomfort around project rate management is not insurmountable (i.e. ‘out-of-scope’ conversations). Changing the way I charge has helped to reduce some of the inherent frictions I found with project-based pricing, and I’ve generally found any new frictions to be easier to handle.
Without getting into the weeds, there are two common objections to time-based pricing:
On balance, I’ve found this new method of charging to be incredibly positive. I’m only a year in, so things may change, but I’ll be sticking with this for now.
One of the tips to arise immediately is to use an alphanumeric passcode rather than a short numbers-only code. But if a thief shoulder surfs your alphanumeric passcode - or records it on a phone to playback later - that doesn’t help.
It turns out the steps below don’t prevent account changes – thieves can still go through a password reset flow even if you follow step 5.
I’m leaving these instructions because these steps may thwart thieves who don’t understand why the account is greyed out.
It turns out you can use the Screen Time feature in iOS to make it seem that account changes aren’t possible. Here’s how:
To change these settings in future, enable Account Changes in Screen Time (same steps as above). Don’t forget to disallow Account Changes again when you’re finished.
Following these steps should stop a thief changing your iCloud password. Even if they have your phone and passcode, they won’t be able to make account changes unless they also have your Screen Time Passcode (which they won’t).
Bob Hoffman (emphasis my own):
The advertising industry was successful for many decades finding appropriate targets for advertisers without spying on the public. But the online ad industry claims that tracking is an essential part of their business model. This is the equivalent of saying that online advertising is such a weak force that the only way the industry can survive is if it is allowed to spy on the public.
As I said at the beginning of this piece, advertising is necessary for the continued operation of the free web as we know it. But tracking is not. The problem is not advertising. The problem is tracking.
The IAB and other trade groups have been complicit in opposing every serious attempt to rein in the excesses of the adtech industry. Instead they have put forward frivolous proposals like the laughable and cynically named “Privacy for America” program that protects the industry’s interests but undermines serious attempts to protect consumer privacy.
Mr. Cohen’s remarks were ignorant and irresponsible. His assertion that people opposed to the dangerous practices of the online ad industry are “extremists” and want to “eliminate” the advertising industry is absurd. Sadly, this is not surprising coming from the IAB. The IAB has the disgraceful CEO it deserves.
This whole piece is worth reading, but particularly these two extracts:
The most compelling advertising objective for any brand that aspires to be highly successful is to become famous. The most compelling advertising objective for any brand that is already famous is to remain famous. There is nothing else in advertising’s bag of tricks that can reliably provide fame’s contribution to business success.
One of the current obsessions of the advertising industry is “precision one-to-one” targeting. If you agree that fame is advertising’s most powerful contribution, then it should be obvious that “precision one-to-one” targeting is antithetical to this.
Advertising was invented for the very reason that trying to convince people one at a time was highly inefficient. But today, we are determined to go backward. If you want to sell one vacuum cleaner, sure, go door-to-door. But if you want to sell a million, you better find some way to make your vacuum cleaner famous.
When Meta and adtech complain that privacy laws and tech pushes hurt small businesses, what they really mean are businesses that rely on paying them for their tracking ads. And when businesses rely on tracking ads they’re not building brand awareness, they may as well be selling door-to-door.
…philosophy teachers owe it to our students to teach them how to construct and defend an argument – and to recognize when a belief has become indefensible.
The problem with “I’m entitled to my opinion” is that, all too often, it’s used to shelter beliefs that should have been abandoned. It becomes shorthand for “I can say or think whatever I like” – and by extension, continuing to argue is somehow disrespectful. And this attitude feeds, I suggest, into the false equivalence between experts and non-experts that is an increasingly pernicious feature of our public discourse.
I’ve been using Affinity software for a couple of years and they offer a genuinely competitive alternative to Adobe. This week, they’ve announced the 2.0 versions of their apps.
Unlike Adobe, Affinity’s software is purchased as a one-time fee, with free updates until the next major release. Affinity 1.0 has been around since at least 2015 as far as I can tell – one reasonably-priced paid upgrade every seven years seems like a pretty good deal to me.
The best endorsement I can give is that I have the Creative Cloud Suite, but default to using the Affinity equivalents (Photo = Photoshop, Design = Illustrator, Publisher = InDesign). They load faster and are generally much more stable.
This launch comes with an offer for 40% off and the introduction of a Universal Licence – £90 for all their apps on all platforms (including the limited time offer). This is a steal but don’t fret if you can’t take advantage of this now – Affinity run semi-regular sales with decent discounts.
In the months leading up to the release of macOS Ventura, Stage Manager has received a largely negative reaction in the coverage I’ve seen. I suspect that’s mostly because of the myriad Stage Manager issues in iPadOS.
But I’ve been using it over the last few days and I’m pretty into it.
Years ago, I tried Spaces. That kind of worked, but I didn’t like zapping between screens. That was particularly annoying if I opened an app forgetting it was in a different Space as I’d find myself whisked away from what I was doing.
(This may have changed since I last used Spaces – apologies for any mischaracterisations here.)
To me, Stage Manager feels like a more manageable and flexible version of Spaces. There’s no desktop-wide transition and, if you happen to open an app forgetting it’s in a different Stage, it’s easy to visually move the app or reorganise your Stages.
Spaces are relatively flexible, but the setup always felt a bit more fixed, not least as apps could be set to specific Spaces. Stage Manager seems more ephemeral: set up a Stage that you need right now and close it when you’re done. Or don’t.
I particularly like that apps with multiple windows (i.e. browsers) can have windows in different Stages. That gives a real flexibility to how Stages are grouped: they can be hyper-focused to a specific task/project or more general (i.e. a productivity Stage).
Now if the Notes app could open multiple windows, that would be very handy...
I also just discovered that making a window full-width in Stage Manager causes the sidebar to move off-screen. It then reveals on-hover, like the Dock can, which makes for an interesting use case on smaller screens.
All-in-all, I’m enjoying Stage Manager so far and would recommend giving it a go, particularly if you’ve tried Spaces previously and didn’t quite get on with it. Stage Manager definitely won’t be for everyone, but it’s good that Apple continue to offer multiple workflows without forcing a specific technique on their users.
Two things of note from this video:
The new hotness in tech seems to be training AI on datasets without the owner/subject’s knowledge or consent and using that to produce features or products to sell. See Clearview’s scraping of faces for facial recognition tech, AI art generators scraping artists’ works and more (not unrelated: Cambridge Analytica and the whole surveillance ads market).
AI advocates say this content is public and therefore fair game – “artists use everything they’ve seen to inform their work”.
However an artist’s limited, personal and somewhat curated experiences eventually produce a unique style after years of honing their craft. Companies training AI on every image that’s ever been digitised – without a single copyright owner’s consent – with the aim of selling access to their dataset (or getting a $bn exit) is another prospect altogether. The difference in scale is key.
Another example of this is GitHub’s Copilot which is essentially an intelligent code autocomplete. The underlying dataset was trained on open source repositories without the owner’s permission.
Now a group of lawyers are investigating to see if there’s potential for a lawsuit. One to watch.
Adding together these contributions gives us 22 billion tons of carbon dioxide per year. That sounds like quite a bit, but we are currently generating the equivalent of roughly 55 billion tons per year of carbon dioxide through fossil fuel burning and other human activities. That means that even if we accepted estimates from the very upper limits of the uncertainty range, the combined effect of reforestation and agriculture and land use practices would at most only slow the buildup of carbon dioxide in the atmosphere by a factor of 44 percent. In other words, atmospheric carbon dioxide levels would continue to rise, just at a rate that is roughly half as fast.
I was using Time Machine on a local HDD and a Popular Backup Service™ – let’s call it, I dunno, Blazing Backups – for remote backups. One of the attractions of Blazing Backups was that it also offered a service to send a physical drive in case of emergency.
As it turned out, neither of these worked particularly well and restoring was an incredibly time-consuming process. It took over a week to get things back to normal.
Firstly, Time Machine completely failed. I’m a little fuzzy on the details now: I seem to remember the drive could be seen by the new device but it either wasn’t possible to restore from it or it hadn’t been backing up useful things. Either way, it was unusable.
And Blazing Backups was not a great experience. The online interface for manually accessing files was clunky and download speeds were incredibly slow. It took a few days of back-and-forth to get the files downloaded, on 200mbps internet, to download a little over 1TB of data.
I considered asking them to zip up the files on a physical drive and send it, but I was told it could take 2–3 days for this to even be dispatched. The packing time, shipping time to the UK and poor-timing of needing the service around holidays meant that delivery alone could have taken two weeks!
Of course, Blazing Backups can’t do anything about these things: it’s reasonable for there to be some time in preparation and shipping times are out of their control. But if you’re unlucky with holiday breaks when you need the back up, the physical disk option may not be as useful or quick as it sounds.
In some senses, my backup strategy worked: my first backup failed, but I was still able to get my files back. There will always be some disruption when your system is wiped, but this whole experience was incredibly suboptimal. I knew there must be a better way.
Everything except project files is stored/managed through Sync (not an ashilliate link – if you would like an extra 1GB use this link instead). It’s end-to-end encrypted and basically as easy to use as Dropbox local.
This entirely replaces my desktop. The beauty of this is that setting up a new computer is incredibly quick:
I also use Super Duper for the local backup. This has the added advantage of also backing up applications not just files, something that Blazing Backups didn’t offer.
Project files are stored in git repositories, so those are synced very quickly.
The only downside of Sync is that, unlike Dropbox, you can’t run multiple accounts on the same computer through the local app...yet. But I’m willing to trade that for the end-to-end encryption.
I also wondered about the environmental impact of going all-in on a cloud setup. But this may actually have reduced my cloud use as I was previously using Dropbox in addition to the Blazing Backups service, so everything has been consolidated to a single place – no duplication.
The advice is always to test your backups. In particular, I’d suggest checking out your remote backup’s interface for restoring files: if it’s clunky and slow, moving to a cloud service might be a better option in case of emergency.
All the usual caveats apply to this: your mileage may vary, question all advice (even this), etc...
Only buy a MacBook with an M1 or M2 chip. Support for Intels will decrease significantly over the next year or two and the M1/M2s wipe the floor with the previous chips from a performance POV – a different ballpark altogether.
If you buy an M1 or M2, don’t buy the 13” base model MacBook Pro – these are the worst machines in the M1 and M2 line-ups (a spec-matched MacBook Air is usually a better choice despite the ‘Pro’ name).
Related to the 13” MacBook Pro advice above, M1/2 MacBook Airs and Mac Minis are excellent computers for most people. With upgraded space and RAM they’ll suffice for most use cases.
If you’re coming from an Intel, an M1/M1 Pro will likely be a huge upgrade from what you’re used to and it may not be worth spending more on a Max or Ultra. If you need that extra power, you’ll probably know.
If you buy an M2 MacBook Air, be sure to upgrade the disk space to at least 512GB – there’s a bit of a performance dip on the base storage model (256GB).
The old advice for Intels was “max out the processor”, but this is much less important than it used to be due to the way the M1/M2 series chips work. In lots of testing, the upgraded chips offer little-to-no real-world improvements.
If you can afford it, do it – if it’s a choice between that and extra storage or something else, the processor is probably less important.
Similarly, your RAM needs on an M-series chip may be lower than previous Macs. I’d still recommend buying the maximum you can afford, probably a minimum of 16GB unless your laptop use is incredibly light and/or not business critical.
The choice mostly comes down to screen size.
With Apple’s transition to M-series chips, there is no real performance difference between a desktop and laptop machine equipped with the same chip (i.e. an M1 Max Mac Studio vs an M1 Max MacBook Pro). So if you’ve previously had a desktop and laptop, you might be able to consolidate the machines.
The main reason to buy an Apple Studio Display over other options is that it’s one of the only displays on the market that offer a 5K resolution at a native size. That means that the pixels aren’t scaled up like they are on 5K displays at bigger display sizes.
The build quality is excellent and, despite the poor reviews, I regularly get comments on the quality of the camera – despite previously using a front-facing iPhone 7 camera.
Last updated: 26th August, 2022
I subscribed to Fastmail’s newsletter and was surprised to see they use Mailchimp to send them. But it turns out they create temporary email aliases for each subscriber every time they send an email.
Each time we send a newsletter, we create new temporary aliases for everyone to ensure we respect any changes in your newsletter preferences and keep your personal addresses private from our external email marketing tool (Mailchimp).
The temporary address will then expire, meaning you’ll disappear without a trace on Mailchimp and never receive any mail sent to that alias again.
At the moment, newsletters are sent 2–10 times per year. Each time a new newsletter is sent, a new list of aliases will be imported, reflecting any new additions or subtractions to users on the list.
It’s impressive – and cool – to see privacy-conscious companies walking the walk.
Cooler still, they don’t even store generated aliases:
It’s actually not too much effort! We generate time-limited aliases by hashing together your real address + expiration time + some randomness. When we get the mail, we reverse that process to look up your account and deliver it.
(We don’t even store the generated aliases!)
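One way a stateless, time-limited alias scheme like the one quoted above could work, added here as an illustration and not Fastmail's code. It assumes a keyed hash (HMAC) over address, expiry and nonce, and that "reversing" means recomputing the tag for each known account; the key, domain and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo values: the key, domain and function names are hypothetical.
SECRET_KEY = b"constructed-demo-key-rotate-in-real-use"
ALIAS_DOMAIN = "aliases.example"
TAG_LEN = 10    # truncated HMAC-SHA256 tag (80 bits)
NONCE_LEN = 6   # per-send randomness, so every newsletter gets a fresh alias


def _tag(address: str, expires: int, nonce: bytes) -> bytes:
    """Keyed hash of real address + expiration time + randomness."""
    msg = address.lower().encode() + b"\x00" + struct.pack(">I", expires) + nonce
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_alias(address: str, expires: int) -> str:
    """Build an alias that carries the expiry but not the address."""
    nonce = secrets.token_bytes(NONCE_LEN)
    # 4 + 6 + 10 = 20 bytes, which base32-encodes to 32 chars with no padding.
    blob = struct.pack(">I", expires) + nonce + _tag(address, expires, nonce)
    return base64.b32encode(blob).decode().lower() + "@" + ALIAS_DOMAIN


def resolve_alias(alias: str, accounts, now: int):
    """Return the owning address, or None if expired, forged or malformed.

    A hash cannot be inverted, so "reversing" here means recomputing the
    tag for each known account and comparing. Nothing is stored per alias.
    """
    local, _, domain = alias.partition("@")
    if domain != ALIAS_DOMAIN:
        return None
    try:
        blob = base64.b32decode(local.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) != 4 + NONCE_LEN + TAG_LEN:
        return None
    (expires,) = struct.unpack(">I", blob[:4])
    nonce, tag = blob[4:4 + NONCE_LEN], blob[4 + NONCE_LEN:]
    if now >= expires:
        return None  # the alias has expired, so mail to it is dropped
    for address in accounts:
        # Constant-time comparison avoids leaking how much of a tag matched.
        if hmac.compare_digest(_tag(address, expires, nonce), tag):
            return address
    return None
```

Lookup costs one HMAC per account; a design that encrypts an account identifier into the alias would resolve in constant time but needs a cipher rather than a hash.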
This all points to a possible future in which social-media giants like Facebook may soon be past their long stretch of dominance. They’ll continue to chase new engagement models, leaving behind the protection of their social graphs, and in doing so eventually succumb to the new competitive pressures this introduces. TikTok, of course, is subject to these same pressures, so in this future it, too, will eventually fade. The app’s energetic embrace of shallowness makes it more likely, in the long term, to become the answer to a trivia question than a sustained cultural force. In the wake churned by these sinkings will arise new entertainments and new models for distraction, but also innovative new apps and methods for expression and interaction.
In this prediction, I find optimism. If TikTok acts as the poison pill that finally cripples the digital dictators that for so long subjugated the web 2.0 revolution, we just might be left with more breathing room for smaller, more authentic, more human online engagements.
Food for thought (and hope).
There’s just one little problem with personalisation: it doesn’t make any sense. We believe the case against personalisation is significantly stronger than the case for it.
Most personalisation efforts are powered by third-party data. Marketers infer who customers are based on their browsing behavior. So how good is that third-party data? It must be extremely good, if you’re claiming to understand buyers on a “personal level”.
Spoiler alert: it’s not. Most third-party data is, to put it politely, garbage.
In an academic study from MIT and Melbourne Business School, researchers decided to test the accuracy of third-party marketing data. So, how accurate is gender targeting? It’s accurate 42.3% of the time. How accurate is age targeting? It’s accurate between 4% and 44% of the time. And those are the numbers for the leading global data brokers.
Many enterprise technology companies spend millions of dollars ‘hyper-targeting’ IT decision makers (ITDMs) using third-party data. But if we get gender wrong more often than 50% of the time, what percentage of ITDMs do you think are actually ITDMs, according to the research?
Do you want to guess? It’s 14.3%. And for ‘senior ITDMs’, that number drops to 7.5%.
I had no intention of joining Dry January, but by the middle of the month I’d decided to give alcohol a little break. Nothing in particular triggered it, but I downloaded a copy of The Unexpected Joy of Being Sober and started listening.
A few interesting takeaways included:
As Gareth K Thomas put it, I’m an abstainer, not a moderator (originally inspired by Gretchen Rubin).
Gray recommends that anyone interested in reducing their alcohol intake takes at least 90 days off. If that seems too difficult, start with 30.
So, in mid-January, I decided to take a break for 30 days and go for 90 if that went well.
Here’s what I’ve learned:
Alcohol-free beers are amazing, and I wouldn’t have got this far without them. Lucky Saint, Beavertown’s Lazer Crush, Free Damm and Brooklyn’s Special Effects are all worth a look. Even Heineken’s alcohol-free beer isn’t bad.
Update: The Guinness 0.0% is incredible. I rarely drank Guinness, but this AF version is pretty close: it tastes great and has something of an ale-y quality. Easily the best AF beer I’ve tried.
A key realisation for me was that drinking alcohol-free beer gave me about 70% of the enjoyment and relaxation compared to an alcoholic beer. Of course, it’s not the same, but it’s close enough. And, for me, the downsides of drinking aren’t worth that extra 30%.
I never thought that day tracking would be for me, but I’ve found it incredibly effective.
At the beginning of my alcohol-free stint, I hit lots of mini milestones. These generally prompted one of two thoughts:
It’s so helpful I’m now day counting a reduced sugar intake. As I write this, I haven’t eaten chocolate in three weeks.
I use Days Since.
About 40 days in, I realised I didn’t miss drinking at all and I was going to give up for the foreseeable future. It’s amazing not to ever wake up with a slightly hazy head, regret having that extra drink or saying something stupid while your inhibitions were suppressed.
There’s something wonderful about waking up each morning with a totally clear head. It’s not impossible that I’d drink again at some point in the future, but for now I’m enjoying life alcohol-free.
Or not that I’ve found. The only time I ever miss alcohol is when food would traditionally be paired with a red wine – but now that feels like a taste thing rather than desiring the alcohol per se.
If you know of a decent alcohol-free red wine, I’d love to hear about it!
Like many people, I felt that alcohol helped me in social situations. But I’ve realised I feel no more relaxed or less awkward with an alcohol-free option.
Over the past six months, my choice of alcohol-free beverage has prompted lots of discussion about giving up alcohol. Almost everyone I’ve spoken to has said they want to cut down, it crept up over the pandemic, etc.
It turns out that ‘The Unexpected Joy of Being Sober’ is a brilliantly accurate title for the book. I didn’t even finish it as I’d decided to give up forever when I was about halfway through.
I’d wholeheartedly recommend it if you’re thinking of taking a break from alcohol for any reason. It’s honest, relatable and full of revelations on how we view alcohol and the pressures around it.
A report by Reveal and The Markup found that “Facebook is collecting ultra-sensitive personal data about abortion seekers and enabling anti-abortion organizations to use that data as a tool to target and influence people online…
No surprises there!
From the Washington Post:
The company (Google) received nearly 150,000 requests for user data from US law enforcement in the first half of 2021…and it handed over information on users in 78% of those cases. An estimated 26 states are expected to ban or heavily restrict abortion, and prosecutors will almost certainly go to tech companies, such as Google and Facebook…to seek the evidence they need to charge people who help provide the procedure.
Hoffman’s summary neatly wraps it up:
For years, those who couldn’t see beyond their own noses couldn’t understand how “I have nothing to hide” was so fucking stupid. In an environment in which marketers know everything about us and governments try to know everything about us, everyone has something to hide. We just don’t know what it is.
The notion of surveillance advertising being perpetrated by ad platforms via social interactions is a myth: there is no omniscient social media entity spying on its users and hoarding their interaction data to power ads targeting.
This piece argues that surveillance advertising is a myth because:
But sending data about a user’s interactions on third-party sites back to social media platforms for ads targeting is precisely the ‘surveillance’ part of ‘surveillance advertising’. Especially when you consider how that data is used for other advertisers – that a user hasn’t interacted with – through lookalike audiences etc.
The piece mentions the W3C definition of tracking:
Tracking is the collection of data regarding a particular user’s activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.
That definition of tracking sounds awfully like the data being sent to social media companies from third-parties. Tracking is another word for surveillance.
Surveillance. Advertising.
The piece also argues that the spheres of misinformation and on-platform engagement are unrelated to data fed back to social media platforms. But, as anyone who’s read Christopher Wylie’s Mindf*ck – a detailed account of Cambridge Analytica’s activities – knows, this data has literally been used to anticipate behaviour at a population level and use that to manipulate elections and referendums.
Great tip from John Gruber, and something all iPhone users should know:
The first is hard-locking. When you hard-lock your iPhone or iPad, it enters a mode that requires the device passcode to unlock. With recent iPhones and iPads, you enter this mode the same way that you turn off the device: by pressing and holding the power button and either of the volume buttons for about two seconds.
[On iPhone 8 and later] you can also do the same thing by quickly pressing the side button alone five times.
In our data-driven world, we tend to overvalue numbers and undervalue anything ephemeral, soft or difficult to quantify. We mistakenly think the factors we can measure are the only factors that exist.
But just because you can measure something, doesn’t mean it’s the most important thing. And just because you can’t measure something, doesn’t mean it’s not important at all.
Tracking is the collection of data regarding a particular user’s activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties.
Good to see this defined by the W3C.
Command + Shift + 5, go to options and select location. Game changer
Sheryl Sandberg announced this month that she’s resigning from Facebook—now called Meta—to focus on her philanthropy. Her work there is done.
During her 14 years at the company, she’s done so much damage to our society that we may never recover. The simple truth is that you cannot simultaneously dedicate yourself to making untold fortunes for a giant corporation and to championing a social good.
This may not be a pivot to data justice warrior, but this get-rich-working-at-horrendous-tech-co before using those funds for conscience-clearing philanthropy has more than a hint of Maria Farrell’s Prodigal Techbro about it.
A website is a file or bundle of files living on a server somewhere. A server is a computer that’s always connected to the internet, so that when someone types your URL in, the server will offer up your website. Usually you have to pay for a server. You also have to pay for a domain name, which is an understandable piece of language that points to an IP. An IP is a string of numbers that is an address to your server.
Links (rendered default blue and underlined—they’re the hypertext “HT” in HTML) are the oxygen of the web. Not all websites have links, but all links connect to other webpages, within the same site or elsewhere.
What a wonderful explanation.
Today more than ever, we need individuals rather than corporations to guide the web’s future. The web is called the web because its vitality depends on just that—an interconnected web of individual nodes breathing life into a vast network. This web needs to actually work for people instead of being powered by a small handful of big corporations—like Facebook/Instagram, Twitter, and Google.
(Emphasis my own)
I couldn’t agree more.
This whole article is a fantastic look at what a website is, what it can be and why it’s important for the web to be diverse.
The notion that if a company has built a business model on top of privacy-invasive surveillance advertising, they have a right to continue doing so, seems to have taken particular root in Germany.
I’ll go back to my analogy: it’s like pawn shops suing to keep the police from cracking down on a wave of burglaries.
Too right, and it’s not just that the surveillance advertising is unethical – the data has often been collected illegally.
Centuries of pre-internet advertising prove that tracking isn’t necessary for advertising to work…
Daring Fireball is a fantastic example of this.
…but no one is arguing that tracking isn’t effective.
Effective at driving huge profits perhaps. There is growing evidence that demonstrates tracking ads aren’t that effective at their core activity.
From Augustine Fou (emphasis my own):
A 2019 study showed that a single targeting parameter, gender, derived from anonymous website visitation patterns was only 42% accurate, worse than random. If you did no targeting at all, and just did “spray and pray” with your digital ads, you’d at least hit one of the genders 50% of the time. When two parameters were taken into account – age and gender – the accuracy dropped as low as 12%. That’s like 9 times out of 10, those targeting parameters were wrong. And advertisers paid extra to make their digital marketing worse, not better.
Then there’s Bob Hoffman’s infamous Programmatic Poop Funnel. That chart showed how only three cents out of every dollar spent on programmatic ads is seen by humans.
And we can’t forget Tim Hwang’s Subprime Attention Crisis:
…the accuracy [of data profiles used for advertising] was often extremely poor. The most accurate sets still featured inaccuracies about 10% of consumers, with the worst having nearly 85% of the data about consumers wrong.
There are many more examples.
But I wonder how many clients would be happy to continue spending on surveillance ads given how inaccurate and expensive they are?
Studies have shown that these inferences are inaccurate, if not completely wrong. For example, a 2019 study showed that a single targeting parameter, gender, derived from anonymous website visitation patterns was only 42% accurate, worse than random. If you did no targeting at all, and just did “spray and pray” with your digital ads, you’d at least hit one of the genders 50% of the time. When two parameters were taken into account – age and gender – the accuracy dropped as low as 12%. That’s like 9 times out of 10, those targeting parameters were wrong. And advertisers paid extra to make their digital marketing worse, not better.
(Emphasis my own.)
That last sentence is the kicker. How long will adtech, or their customers, ignore the increasing numbers of reports like this?
The photo is from a gig several years ago – it’s clearly of me and I wanted it removed for obvious reasons.
According to the Facebook Community Standards in their ‘Transparency Center’(!), they care deeply about Authenticity:
We want to make sure that the content people see on Facebook is authentic. We believe that authenticity creates a better environment for sharing, and that's why we don't want people using Facebook to misrepresent who they are or what they're doing.
This is a case that would seem to be heavily related to authenticity, so let’s put this to the test.
There are a few options available to report:
I tried method one from a now-deleted ghost profile. However, it’s only possible to report the profile – not the photo – and there’s no option to give context. So Facebook only sees a report that the entire account is impersonating. Facebook rejected the complaint immediately with no opportunity to follow up.
I shouldn’t have to give Facebook my government ID for a case like this – notably a heavier burden of proof than creating a Facebook account – so option 2 is a no-go.
I also filed a Copyright Report Form. I provided the URL of the photo along with a copy of the original photo at full resolution to demonstrate ownership (something the impersonating account wouldn’t be able to provide).
Despite this, Facebook said:
Thanks for contacting us. Based on the information you’ve provided, it’s not clear that you are the rights owner or are otherwise authorized to submit this report on the rights owner’s behalf. Please note that we can only process reports from a rights owner or someone authorized to report on their behalf, such as a lawyer or agent.
I asked Facebook how I could prove ownership given that the photo was taken on my device. Their response:
We are writing to get additional details so that we can better understand your recent report. Based on the information you provided, it is unclear where the content you wish to report appears on our site. In almost all instances, the best way to help us locate content is to provide us with active web addresses (URLs) leading directly to that specific content.
In the report you filed, you did not provide any URLs (or one or more of the URL(s) you provided seems to be incomplete or inactive), and you did not otherwise provide a description of the location of the content sufficient for us to be able to find it.
If you are trying to report a post or story in your news feed, you can find its direct URL by clicking the time and date that appears in gray with the content (for example: "8 hours ago" or "August 11 at 10:30am.").
If you cannot provide URLs leading directly to the content you wish to report, please be sure to include information reasonably sufficient to permit us to locate the content, such as a description of the content and where it appears (example: on a particular timeline, in a photo album, etc.), dates/times of when the content was posted (usually indicated below the content), names of responsible users, and/or quotes of the content you wish to report as it appears on Facebook.
Please note that it is possible that the content you wish to report has already been removed from the site. If that is the case, you do not need to respond to this message.
Once you have provided information sufficient for us to locate the content you wish to report, we would be happy to look into this matter further.
Round-and-round the carousel we go: all of the requested information was provided in the initial contact.
This last email was sent on April 15th, 2022. I replied the same day with account information and the original photo again.
Facebook have stopped communicating and ignored a follow-up on May 2nd – over a month ago at the time of writing.
If Facebook can’t or won’t action basic requests like this, what hope do we have that they will take action on more complex issues?
For a couple of years, I’ve been using a fairly terrible playlist system of grouping songs by month. That doesn’t really work because I often don’t listen to enough music in a month to put together a playlist, so I skip months. Organising by season, however? That could really work.
I recently noticed a new ‘Inactive Tabs’ button in Firefox iOS. It’s a new feature where windows that haven’t been opened for two weeks get shifted to a new area. I went from over 100 tabs to about ten.
It turns out it’s an experimental feature, not available to everyone, but it certainly seems like a good one.
The offences occurred between May 2013 and September 2019, according to the court document, with the information ostensibly used for purposes including two-factor authentication. But Twitter would then use this data to allow advertisers to target specific groups of Twitter users, by matching the telephone numbers and email addresses to the advertisers’ own lists of telephone numbers and email addresses.
Aside from being generally horrible, this is terrible for user trust in security measures. It also demonstrates how single pieces of data can be used to de-anonymise users when compared to other datasets.
This is another great piece from Julia Angwin @ The Markup, shining the spotlight on the tactics of big tech.
This newsletter looks at the Facebook “Pixel”. It’s a seemingly innocuous tracking script to site owners (“we’re just improving our conversion rate!”) and simultaneously one of the grossest widespread violations of privacy on the internet.
As Jason Kint has pointed out on many occasions, the UK’s Competition and Markets Authority’s report into big tech showed that Facebook collect more data on users when they’re not on Facebook than they do when users are on the site. That’s because of the Facebook Pixel.
Any site using a Facebook Pixel is sending your data to Facebook whether you like it or not.
Probably without your clear, informed permission. And almost certainly without a simple, easy way to withdraw permission – if you ever gave it to them, that is.
When you think about the scale of data fed back to Facebook, it’s pretty horrendous. I’m glad we live in a time where browsers like Firefox and Safari are working to protect internet users against this mass invasion of privacy.
This is just a brilliantly simple idea: create a folder on your computer that’s excluded from Time Machine/Backblaze/Dropbox/Sync/whatever and use that whenever you need to temporarily store something you would never want to be backed up.
The example in the podcast is plain-text files of all your passwords. It might not seem like this sort of thing would crop up often, but it also seems like exactly the sort of thing that’s worth spending five minutes on now to save yourself a bunch of time, faff and potential unbacking-up later.
Anecdotally, more and more people are having a hard time deciding how to build their site on WordPress.
This was one of the main reasons I started looking for WordPress alternatives. I couldn’t be sure that the way I’d build a site today would be the ‘right’ way to build a site in a year or two: important for maintainability and futureproofing a client site.
I suspect this confusion over building is a shared experience for amateurs and pros alike:
Whatever the reason, it’s interesting to see the market share dip for the first time.
In the first quarter of 2022, Apple’s internal data shows that Search Ads had a 62.1% average conversion rate for iOS 15 users with Personalized Ads turned on versus 62.5% for iOS 15 users with Personalized Ads turned off across all countries and regions where Search Ads are available.
Incredible both that the numbers are so close and that personalised ads actually perform worse.
Arguing about the future of Twitter is a loser’s game; a dead end. The platform’s only conclusion can be abandonment: an overdue MySpace-ification.
Facebook announced various audio efforts last April during a hot market for podcasting and audio in general. But the company’s interest has waned, Bloomberg News reported last month, and it’s now focused on other initiatives, disappointing some providers.
Another example of how relying on platforms – whose desires seemingly sway in the wind – can leave businesses in the lurch.
While there are some problems with ad-supported media, they’re completely separate from the problems of surveillance – and the problems of surveillance are much worse than the problems of ads. That’s why we should ban surveillance ads.
Wait, I hear you saying. Doesn’t Europe ban surveillance ads already, through the GDPR? Well, yes, technically, they do. The process of getting consent for surveillance ads under the GDPR is deliberately so cumbersome that it is effectively impossible to run a surveillance ad industry.
So how is it that Google and Facebook and other ad-tech companies operate in Europe? Simple: they break the law. They – and many other companies – claim that they don’t need your consent to spy on you, because they can use the “legitimate interest” clause of the GDPR that allows them to process your data without asking you. This is a lie, and it’s only a lack of enforcement that allows the tech giants to get away with it (it’s possible that the new Digital Services Act will finally spur enforcement).
One of the challenges of Mastodon adoption is the onboarding process, because it’s not enough to capture a person’s desired username and e-mail and let them create an account, which is what people are used to from major websites; instead, you need to first choose a Mastodon server where you will make the account (comparable to e.g. choosing an e-mail provider). The implications of choosing the server are primarily in who is the entity responsible for the server, what moderation policies they enforce, what language and jurisdiction they operate in, and which domain name will be part of your username.
I’ve always found the server part of signing up to Mastodon a little odd. Why do we have to choose one? Why should we choose one over the other?
The comparison to email makes sense in my mind and the screenshots from this onboarding seem to make this a lot clearer.
Not a bad description of NFTs:
What Wikipedia mentions but I’d like to emphasize is that buying an NFT does not buy you the art in question, nor the right to do what you will with it. It’s like walking into a bookstore, choosing a book that looks interesting, paying for a copy, and then leaving with only the receipt, proud of your brand new Book NFT, while the book itself remains in the store and anyone who wants to can come in and perfectly replicate and take a copy of the real thing for free. Yes, you do own….something. But the thing you own isn’t the art.
On web3 more generally:
Web 3, including Blockchain and NFTs, makes the argument that everything can and should be monetized. Each interaction has a value that can be measured in financial terms, each retweet or compliment or Kickstarter backing or Amazon review should help monetary value accrue to the tweeter or complimenter or backer or reviewer. The entire world could be Wall Street, and the fabric of our choices and online lives should rise or fall in financial value.
That is the terrifying promise, or ominous threat, of the new internet that Web3 folks are trying to usher in. It’s so deeply transactional, so exactly the opposite of the concept of mutual aid, community, and human caring.
I want to live in a world where joy exists, where things like inspiration, creation, education, and friendship are not monetized, because their value is greater and more than money can or should contain.
To me, this is one of the most understated downsides of web3.
I heard Jacob Silverman talk about this on a podcast: web3 would have everyone thinking constantly about money. Paid in Bitcoin? You’ll be forever wondering what that’s worth, if that will cover your rent, etc – a total nightmare.
On top of that, unlike traditional markets, these currencies fluctuate in value 24/7. They can be high when you go to bed and crash by the time you wake up. That’s a fundamental difference to other forms of investment and trading, especially if a significant portion of our [online] lives were to shift to transaction-based interactions.
I’m not sure it’s possible to mitigate the impact of introducing perpetual uncertainty and worry on top of already-stressful lives.
Some genuinely useful macOS system tips in here. Worth watching in full, but here are the ones I want to remember:
- [Option] when selecting Sound from the menu bar
- [Command] + [r] to open the folder of a file rather than the file itself
- [minimize] [Option].
- [Command].
- [Option] + left or right key lets you skip words.
- [Option] to resize capture area, hold [Space] to move the box and press [Esc] to cancel the screenshot.
I only started using Spotlight to open apps last year and that’s been a gamechanger: it reduces the use of my mouse, makes opening/finding apps much quicker and declutters my dock. Many of these tips seem like they could be daily time savers, too. Perhaps I should keep up with this stuff…
Dan Olson, who recently brought us the spectacular two-hour deepdive into web3, recently appeared on The Ezra Klein Show. The whole thing is worth a listen, but this dissection of the ‘diamond hands’ phenomenon – not limited to the crypto world – is absolutely spot on:
So diamond hands — the logic under there and the way that that gets weaponized is that there’s not enough liquidity in these ecosystems. There’s not enough liquidity in crypto, as a whole, for the whales to do what they need to do. But then that disparity between how much cash is actually floating around and these absolutely absurd valuations that get tossed around is vast. And as a result, it’s very, very bad if people try to cash out in waves.
So as a protective measure, as like an immune-system response, the culture has developed diamond hands as a virtue, that someone who is willing to bear incoherence, that someone who is willing to bear instability, who is willing to just look past the volatility and the warning signs and just keep holding — you are a spiritually better person if you are a diamond hands who is willing to just get a grip on your Bored Ape and never sell it. So you have this Bored Ape, and it has this fictional price, whatever it’s at right now — $60,000, $120,000, $250,000, $2 million. Whatever the theoretical price of this thing is can only be realized if you sell. But selling is quitting. And quitting is spiritually bad. It means that you have given up. It means you don’t believe in the theoretical future value of that Ape.
So it’s trying to play both sides at the same time. It’s trying to make you think that it’s like, you have this asset. You are rich now, because you have this Bored Ape, and it has this value. But you’re actually cash poor, because you don’t have the money from that Ape. You can only get that money if you sell it. But selling it would be a bad thing to do. It would make you a bad person. It would make you a coward. You would be balking in the face of the future.
This insightful talk covers the evolution of John Gruber’s Daring Fireball and how this side project became a full-time gig. The retrospective is interesting, starting with the intentionality of making it work, but also the various turning points in the road to make it a success.
It’s always fascinating to hear how creators make their work pay and sustain itself long-term. What’s particularly interesting in this case is a model – for a solo creator – that is advertising based without resorting to the tracking and privacy abuses that underpin much of the ad-tech industry.
Worth a watch if only for the quip about hair pieces and freelance graphic design work.
As for what’s happened to all those precious NFTs, well, for all intents and purposes they no longer exist. It’s worth noting the developers are attempting to compensate owners of those now-worthless NFTs with replacement tokens for one of the company’s other blockchain-based racing games. Affected players can be compensated in various ways, including Replacement Cars, or a “Race Pass”, or “Proxy Assets”, which “will be used in the future to obtain NFTs to products across the REVV Motorsport ecosystem.” In other words, you get a token for your token. A perfectly secure investment!
Indeed, while Animoca’s gesture might seem like a company doing right by its customers, the whole point of an NFT is that it is supposed to convey security and permanence to a digital object. It’s supposed to say “this thing exists with a uniquely attributable value”. Hence, for Animoca to turn around and say to their customers “Oh no, these NFTs are entirely replaceable” makes a mockery of the whole endeavour.
This beautifully answers some Questions I Had about privacy, the blockchain and rights for data to be erased.
Well worth watching.
The belief that the world will be fairer if the rules are enshrined in code enforced by computers, and made extremely difficult to change or circumvent is laughable. It’s not merely naive but ahistoric.
Once again, I’m reminded of Nicole Perlroth’s book: there’s a story about cyber security experts being wildly overoptimistic about how many lines of code they could guarantee would be hack-free.
Feels like there are parallels here.
My password manager revealed 186 accounts that needed updating. For each, I’d either update the email address or delete the account if no longer needed.
The flows and user experience varied greatly, but I hadn’t anticipated the number of issues that would come up.
Some of these were down to poor design. In one case, the email verification link failed if I wasn’t logged in, with no indication that I had to be logged in for it to work.
More concerning were the security and data protection issues that were revealed.
As you might expect, many of the password requirements were horrendously weak: numbers/letters only, must be no longer than 10 characters. In one example the password had to ‘start with a letter’!
For reasons entirely unknown, a surprisingly large number of services forced me to contact support to change my email or delete my account. In many cases, I wasn’t able to change the email address at all.
This could be because the company/organisation wouldn’t permit it, or the reset flow was entirely broken (e.g. email not sent, the verification link didn’t work, etc). Tough luck if you lose access to your email account!
In one case, the company wouldn’t let me change email address without providing a screenshot of the inbox – impossible with a forwarding address! They only relented when I asked them to show me the requirement in their T&Cs for the account email address to have an associated inbox...
Many websites still don’t verify email addresses, too. This perpetuates entirely preventable unintended privacy and data breaches for people mistyping their email address.
It was concerning to discover that several sites I hadn’t interacted with in over a decade retained lots of personal data: name, phone number, history of delivery addresses, payment details, etc. This was true even in situations where a membership/subscription had lapsed many years ago or where I hadn’t purchased anything at all (e.g. abandoned checkout).
Are these places really “not keeping data longer than they need to” as their privacy policies so often claim? At what point would they delete this?
Many accounts also force individuals to keep unnecessary information on file. Why do we have to keep an address in our accounts? Or a phone number? Or our names?
In some cases, I wasn’t allowed to update a single piece of information – such as my email address – without also supplying additional information the company didn’t have: address, phone number, etc.
To combat this, I took a leaf out of Terence Eden’s book, entering ‘alternative information’ for required fields.
Lots of contact forms don’t practice data protection by design, requiring entirely superfluous fields: surname, address, phone number, date of birth. Some companies required me to enter credit card and transaction information just to change my email address.
I deleted a lot of accounts. In most cases this was because I was unlikely to need the account in future. But sometimes this was necessary as the company made it difficult/impossible to update information.
Very few sites make account deletion easy. Even fewer made it crystal clear that they delete your account and data. Account deletion is often framed as ‘deactivation’, which sounds suspiciously like they hold onto your data after deleting the account.
In most cases, deleting an account required searching through help pages, an internet search or contacting support. This led to a new personal policy: if a company doesn’t make account deletion easy or clear, I do a quick search of their privacy policy for their data protection officer’s email address and ask them to delete my data. This usually resulted in quick action.
NB: I wouldn’t do, or recommend doing, this to a microbusiness.
This might seem over-the-top, but account deletion should be clear and quick. Users shouldn’t be forced to spend 10–15 minutes, longer if it involves contacting support, trying to work out how to delete their account.
All I want is a big red button that says “delete my account and all associated data immediately”. Is that too much to ask?
I’m glad I did this but it was work. It also revealed just how much of our personal data is peppered through the databases of companies we no longer have a relationship with.
Yes, this information is necessary to perform transactions. But it was surprising and concerning to see how many sites retain this data for many years after my last transaction or interaction. In more than a couple of cases, over a decade had passed since I’d last logged in.
There are clear and obvious benefits both to users and companies for data to be held for a period of time. But going back through so many accounts, it was startling to see so many pieces of still-accurate data (e.g. phone number) retained in accounts I hadn’t touched in many years. This digital trail also revealed many old addresses and the contact details/addresses of people I might have sent things to.
Where does the responsibility lie? Is it down to individuals to keep tabs on every single account they create or purchase they make? Should we all be making diary notes to check in and delete our details? Or should there be a standard point at which users are deemed ‘inactive’, after which their data is purged?
It seems the default position is to hold user data indefinitely, despite privacy policies frequently saying “we don’t hold data any longer than we need to”. Generally speaking, this statement seems worthless.
This causes problems for users, who seem solely responsible for cleansing their data from every single company they interact with, even if it’s not clear or obvious their data is being held (i.e. when retained after an abandoned checkout).
And it could cause problems for companies, too: it increases the risk of unnecessary data being exposed in data breaches, which could lead to uncomfortable questions about their data retention practices.
If data was regularly purged when users become ‘inactive’, it would help users and companies alike. Individuals’ personal data would be held in fewer places, their digital footprint would be minimised and companies would reduce their exposure in the event of a breach.
Ultimately, buying from or creating an account with a website doesn’t mean we give the company permission to hold our data forever. But in many cases, it seems that is exactly what’s happening.
This talk is full of gems. It’s nearly ten years old, but it all still rings true today:
If you align your strategies to what everyone else is doing, be sure a single business bullet will take you all down.
I get a lot of people coming to me for mid-life crises, career crises, business ventures, startups, and I always ask them to do the same two things. And, interestingly, these two things are the same whether you’re a person who’s lost their way or a business who’s lost their way:
- Identify what it is that you absolutely love doing, that you’re passionate about
- Identify the conditions under which you most love doing it
I believe the future of business is about doing good and making money simultaneously. And not in the old world order way that most companies currently do it which goes: we make money ‘here’ and then we do good by writing cheques to causes to clear our conscience over ‘here’. But the new world order way that we make money because we do good.
The vast majority of purchasers in every product sector are women. The vast majority of influencers of purchasers in every product sector are women. Women form the majority of users of social media. These days, women are the majority of gamers. Women are the majority of people who express themselves as digital personas online.
The majority of people creating the advertising communication that targets those women are men. In the US, only 3% of all advertising agency creative directors are female – 97% are male. The majority of people deciding whether that communications and advertising are the gold standard of creativity and effectiveness in our industry are men.
Women challenge the status quo because we are never it.
A rudimentary phishing attack arguably changed the course of the American Presidential election. We’ve seen patients turned away from hospital because of a North Korean cyber attack. We’ve caught Iranian hackers rifling through our dams. Our hospitals, towns, cities and, more recently, our gas pipelines have been held hostage with ransomware.
We’ve caught foreign allies repeatedly using cyber means to spy on and harass innocent civilians, including Americans. And over the course of the coronavirus pandemic, the usual suspects, like China and Iran and newer players, like Vietnam and South Korea, are targeting the institutions leading our response.
If the next 9/11 struck tomorrow, the first question we would ask ourselves is the same question we would ask some two decades ago: how did we miss this? But in the two decades since 9/11, the threat landscape has been dramatically overhauled.
It is now arguably easier for a rogue actor or nation state to sabotage the software embedded in the Boeing 737 Max than it is for terrorists to hijack planes and send them careening into buildings.
Some choice quotes:
People don’t want to run their own servers, and never will.
I made a dApp called Autonomous Art that lets anyone mint a token for an NFT by making a visual contribution to it. The cost of making a visual contribution increases over time, and the funds a contributor pays to mint are distributed to all previous artists (visualizing this financial structure would resemble something similar to a pyramid shape).
I also made a dApp called First Derivative that allows you to create, discover, and exchange NFT derivatives which track an underlying NFT, similar to financial derivatives which track an underlying asset 😉.
So much work, energy, and time has gone into creating a trustless distributed consensus mechanism, but virtually all clients that wish to access it do so by simply trusting the outputs from these two companies without any further verification. It also doesn’t seem like the best privacy situation. Imagine if every time you interacted with a website in Chrome, your request first went to Google before being routed to the destination and back. That’s the situation with ethereum today. All write traffic is obviously already public on the blockchain, but these companies also have visibility into almost all read requests from almost all users in almost all dApps.
Partisans of the blockchain might say that it’s okay if these types of centralized platforms emerge, because the state itself is available on the blockchain, so if these platforms misbehave clients can simply move elsewhere. However, I would suggest that this is a very simplistic view of the dynamics that make platforms what they are.
Instead of storing the data on-chain, NFTs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NFTs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NFT to whatever they’d like at any time (regardless of whether or not they “own” the token). There’s nothing in the NFT spec that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.
Given those dynamics, I don’t think it should be a surprise that we’re already at a place where your crypto wallet’s view of your NFTs is OpenSea’s view of your NFTs. I don’t think we should be surprised that OpenSea isn’t a pure “view” that can be replaced, since it has been busy iterating the platform beyond what is possible strictly with the impossible/difficult to change standards.
I think this is very similar to the situation with email. I can run my own mail server, but it doesn’t functionally matter for privacy, censorship resistance, or control – because GMail is going to be on the other end of every email that I send or receive anyway. Once a distributed ecosystem centralizes around a platform for convenience, it becomes the worst of both worlds: centralized control, but still distributed enough to become mired in time.
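The missing hash commitment described in the quotes above, sketched as an added example (not code from the quoted post or from any NFT standard): a token record commits to its off-chain metadata, which in turn commits to the image, so a client can tell when the content behind the URL has been changed. The field names `metadata_sha256` and `image_sha256`, the URLs and the in-memory host are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json


def digest(data: bytes) -> str:
    """SHA-256 of the exact bytes served, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same metadata always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def mint(token_id, uri, metadata, image_bytes):
    """Return (on-chain record, metadata bytes to host).

    Hypothetical scheme: the record commits to the metadata, and the
    metadata commits to the image it points at."""
    meta = dict(metadata, image_sha256=digest(image_bytes))
    meta_bytes = canonical(meta)
    record = {"token_id": token_id, "uri": uri,
              "metadata_sha256": digest(meta_bytes)}
    return record, meta_bytes


def verify(record, fetch):
    """Check what the host serves today against the commitments made at mint.

    fetch(url) returns bytes, or raises KeyError when nothing is served.
    Returns (ok, reason)."""
    try:
        meta_bytes = fetch(record["uri"])
    except KeyError:
        return False, "metadata unavailable"
    if not hmac.compare_digest(digest(meta_bytes), record["metadata_sha256"]):
        return False, "metadata does not match commitment"
    meta = json.loads(meta_bytes)
    try:
        image = fetch(meta["image"])
    except KeyError:
        return False, "image unavailable"
    if not hmac.compare_digest(digest(image), meta["image_sha256"]):
        return False, "image does not match commitment"
    return True, "content matches commitment"


# Constructed sample data: a dict stands in for the web host behind the URL.
META_URL = "https://host.example/nft/1.json"
IMAGE_URL = "https://host.example/nft/1.png"
ORIGINAL_IMAGE = b"constructed original image bytes"
REPLACEMENT_IMAGE = b"constructed replacement image bytes"

RECORD, META_BYTES = mint(
    1, META_URL,
    {"name": "Sample", "description": "Constructed token", "image": IMAGE_URL},
    ORIGINAL_IMAGE,
)


def run_scenarios():
    """Verify the same token against four states of the simulated host."""
    honest = {META_URL: META_BYTES, IMAGE_URL: ORIGINAL_IMAGE}
    # Whoever controls the machine replaces the image in place.
    swapped = {**honest, IMAGE_URL: REPLACEMENT_IMAGE}
    # They also rewrite the metadata so its image hash matches the new file.
    forged = json.loads(META_BYTES)
    forged["image_sha256"] = digest(REPLACEMENT_IMAGE)
    rewritten = {**swapped, META_URL: canonical(forged)}
    # The domain lapses and nothing is served at all.
    gone = {}
    states = {"honest": honest, "image swapped": swapped,
              "metadata rewritten": rewritten, "host gone": gone}
    return {name: verify(RECORD, host.__getitem__)
            for name, host in states.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:20} ok={ok} {reason}")
```

Without the two digest fields, which is the situation the quote describes, `verify` would have nothing to compare against and every one of the altered states would be accepted as the token's content.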
If a GDPR case affects people in more than one EU nation, the regulator overseeing it must submit a draft decision to their counterparts in other countries. If other regulators raise objections to the penalty, they can trigger a dispute-resolution process, giving them more time to deliberate.
The Irish data-protection commissioner oversees Alphabet, Meta and other tech giants because those companies’ European headquarters are in Ireland. The Irish watchdog has faced criticism from activists and other European privacy regulators for the length of its investigations.
By choosing to fine Google and Facebook under the ePrivacy law, the French regulator avoided the frustrations of the GDPR’s power-sharing system.
Just imagine if these fines were issued under GDPR for the maximum 4% of turnover: we might see a bit more compliance on the cookie front.
Perhaps France should be responsible for overseeing Meta, Google and other giants under GDPR as well…or perhaps it shouldn’t be the sole responsibility of a commissioner in a single country.
Emphasis mine:
Violent protests erupted over the soaring cost of fuel and [Kazakhstan’s] autocratic rule. President Kassym-Jomart Tokayev sacked his government and declared a state of emergency. Apparently on his orders, the largest telecom provider shuttered the internet to interrupt communications among the opposition’s ranks. When the web goes down, miners can’t communicate with the Bitcoin network. The “hash rate,” the random codes that win fresh awards of Bitcoin, collapses. A few hours into the outage, Larry Cermak of the crypto news and research site The Block tweeted that a full 12% of Bitcoin’s worldwide computational power had vanished. His data showed sharp declines for a number of producers with operations in Kazakhstan. The hash rates for AntPool, Poolin and Binance Pool all fell between 12% and 16%.
Blimey.
Facebook likely maintains shadow profiles of people with deleted accounts anyway, so I’d rather be able to affirmatively control what they’re doing with the data they have on me.
Does Facebook continue to collect/store data about us (from advertisers, Facebook Pixel etc) even if we don’t have a Facebook account?
We already know that Facebook continues to store data about deactivated accounts and unless anything has changed since this exchange, it seems likely they do.
What’s the legal basis for storing or collecting that data about someone through a shadow profile? This is the same thing that caused the furore around Clubhouse’s request to upload all your contacts.
I’ve submitted a subject access request to find out what they have on me, but I suspect that will be rejected.
What right do companies have to collect/store/process data about individuals – associated through an email address, phone number or other identifier – when the individual hasn’t interacted with that company or has deleted an existing account?
As part of a longer thread, Cory Doctorow tweeted:
After all, privacy is a team sport. I don’t use Gmail (my mail is on a standalone server that @orenwolf keeps at a data-center in Toronto, and I POP it every 60 seconds and move the mail offline to my encrypted laptop).
In some sense, none of my mail is in the cloud. In another sense, ALL of my mail is in the cloud, because EVERYONE I SEND MAIL TO is using Gmail or a handful of its competitors, all of whom mine that email for commercial surveillance purposes.
It’s pretty wild to think of it this way. We might take steps to protect privacy on email we receive, but email we send may be scanned/mined by the recipient’s email provider.
If that happens, what are the grounds to do this? Senders have no relationship with the recipient’s email provider and no way to know this is happening, let alone signal consent.
Scanning emails for security and spam prevention purposes is one thing. Using that data to feed surveillance capitalism is something else.
This isn’t definitely occurring, but if providers are mining users’ emails for advertising, it’s possible – likely, even – that this is not limited to emails that the user sends.
If this is happening, we arrive at a separate question: are email providers building profiles on people who don’t use the service? In theory, this could be tied to other data sources to match data to a user through their email address.
Bearing all of this in mind, Doctorow’s positioning of privacy as a ‘team sport’ makes a lot of sense. Perhaps we have a responsibility not to use services like Gmail to protect the people we communicate with as well as ourselves.
We were in a strong position to deal with this: there was no conceivable way we were liable and the due amount was small. But extracting information from Ovo about the trace and search process was tricky, and internet searches didn’t reveal much.
This account is to help others who might find themselves in a similar position and provide some transparency on what I’ve been able to discover about trace and search.
The episode also unveiled some data protection concerns: it shows how data is shared between third parties and the actions they might take. All without a subject’s knowledge or consent.
The invoice we received showed a billing period that started roughly nine months after we’d moved out: we weren’t Ovo customers when we left.
Our initial suspicion was identity theft. We knew that some mail hadn’t been redirected to our new address and wondered if someone had tried to get away with dodging some bills.
We did a credit check to see if anything had changed on my wife’s account and called Ovo to ask about the bill. I was told my wife would be removed from the account and I should hear from someone within a few days...
Two weeks later, the only communication we’d received was a debt collection email sent to the address I’d provided in the initial phone call. Following up with Ovo, I was eventually told this wasn’t identity theft but a process called trace and search.
Ovo said trace and search had identified my wife as financially responsible for this address. Their debt collection department said this involved a credit check and someone visiting the address to verify this.
I was told my wife would have to prove she no longer lived at the address by providing a tenancy agreement for the previous address or a council tax bill at the new address.
This seemed odd, not least as a tenancy agreement would do nothing to prove we no longer lived at the property. Our agreement only stated the months of our initial year, after which we moved to a rolling tenancy.
The most concerning aspect of this was it revealed Ovo had fraudulently created an account in my wife’s name and put the onus on her to prove she shouldn’t be associated with it.
On top of this, Ovo had acquired details about my wife and wanted further details to cancel this account. Without the slightest hint of irony, Ovo used these details – name, date of birth, supply address – for ‘data protection’ each time I called.
When I pressed for details about the trace and search process – particularly who they had spoken to at the address – none were forthcoming. Customer services stuck to a script and reiterated that it was my wife’s responsibility to demonstrate she was not financially responsible.
It took several weeks before we were contacted by an Advanced Resolution Specialist. In the meantime, we’d checked my wife’s credit report again.
The report showed she had a couple of accounts associated with our old address. One was a bank account she didn’t use and another was a credit agreement for a phone – the bank was easily changed, the other not so much.
It can’t be unusual for people to forget to update an address or two – the house we’ve moved to still receives plenty of mail for the previous occupant. Yet it seems any active credit linked to an address is enough for a trace and search to:
The Advanced Resolution Specialist spoke openly about how this situation had occurred. But there was no satisfactory explanation of why the account had been assigned to my wife. Our previous address comprised several flats: any of the other occupants could have been deemed responsible for the bill.
They also explained that this was an entirely automated process – no-one had been to the address – and the active credit was the sole link between my wife and address. This confirmed my assumptions about trace and search.
In the six weeks between initially contacting Ovo and speaking to the Advanced Resolution Specialist, we received debt collection emails from Ovo’s attack dogs. These emails were punctuated with the following threat:
Please know, we share data with credit reference agencies, which might affect your credit rating. So the sooner we sort this, the better.
Nice.
Ultimately, Ovo sent us £50 as a resolution and the following apology:
On behalf of OVO Energy I would like to apologise for the recent trace and search that identified [your wife] as still updating credit at the address. This led to OVO Energy assigning charges in her name.
And that was the end of it, or it should have been...
As part of the resolution, I submitted an erasure request to remove my wife’s details from Ovo’s systems. A few weeks earlier, we’d also submitted a subject access request to find out what data Ovo held about her.
A couple of days later, I received an email from another Advanced Resolution Specialist to say the erasure request had been “rejected as it technically needs to be requested by the person whose details need to be erased”.
Throughout this entire debacle, I’d wondered what the legal basis for collecting, storing and processing my wife’s data was. Ovo had created the account without her knowledge or consent and made no effort to contact her apart from the initial bill.
Ovo’s pushback on the erasure request raised further questions:
Ovo don’t have our address or my wife’s email address. As far as I can tell, they only have her name, date of birth and supply address: all information I was able to provide to get her case this far.
Would Ovo seriously be looking for her to provide more information: data they can’t verify?
One month on and Ovo haven’t responded to these questions. The 30-day deadline for the subject access request has passed, too.
I’ll update this article when I have answers regarding their basis for processing my wife’s data.
The last time I spoke to Ovo, I was told the Advanced Resolution Specialist I originally spoke to has left the company and the second has taken a different role. Apparently, our complaint is in a queue waiting to be reassigned: you couldn’t make it up.
Trace and search is an aggressive and opaque practice for companies to recover funds. With next-to-zero effort or evidence, companies are able to:
We only received Ovo’s invoice because of our mail redirection. If that hadn’t been in place, Ovo’s actions could easily have affected my wife’s credit rating and we would have no knowledge about the incident.
The worst part about this was how long Ovo took to remove my wife from the account. Matters like this should not take months to resolve: the company has unilaterally created her account.
Ovo made no effort to contact my wife before sending the invoice, nor did they verify the data they received. But as Ovo deem the onus is on her, there’s no incentive for them to move quickly.
Ovo told me that someone has subsequently taken over the energy supply for the address. One would think that might be a good place to start making enquiries, but why bother when you can outsource the work to an automated credit check with no accountability?
Adalytics asked the advertiser how they felt about this situation, when they noted that their ad tech vendors had reported “gdpr=0” whilst many of the receiving users were clearly in the EU. The advertiser responded (in writing):
“I would be worried about my compliance risk as an advertiser. After all, my ads were shown and regulators will think I was in breach of privacy regulations. I had trusted the network to take care of all of this, like other basic things (e.g., verifying ads.txt entries). Their lack of basic diligence puts me in jeopardy. If the exchange is not doing basic checks for something so simple, you’d wonder what else they are not doing well, or at all, to protect advertisers from fraud and other issues.”
…
An EU citizen with a German IP address installs Google Chrome on their desktop for the first time. This new instance of Chrome is not logged into any accounts or emails, and has no cookies or local storage.
The user visits a wsj.com article, and is shown a consent banner.
Before this user has an opportunity to click on any specific consent icons or buttons, the user’s browser makes dozens of HTTP requests to third party domains, belonging to companies such as Google, Adobe, New Relic, Cxense, and The Trade Desk.
Many of these HTTP requests contain response headers that set tracking cookies in the user’s browser. For example, an HTTP request made to match.adsrvr.org sets a cookie in the user’s browser called “TDID”; this cookie is set to expire in 365 days.
…
This example with wsj.com and a German IP address user shows that several ad tech vendors are sending and receiving data, and storing cookies, without consent or legitimate interest. These patterns are observed even after the user has navigated through several pages on the wsj.com website post-consent selection.
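The pre-consent pattern described in the excerpt above, as an added audit sketch (not Adalytics’ tooling): it walks a captured response log and reports third-party cookies set before the consent choice, plus third-party requests carrying `gdpr=0` for a user known to be in the EU. The log records, timestamps, paths and cookie values are constructed; only `wsj.com`, `match.adsrvr.org`, `TDID` and the 365-day lifetime come from the excerpt, and the last-two-labels test for “third party” is a simplifying assumption.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


@dataclass
class Response:
    t: float                                        # seconds since navigation
    url: str
    set_cookie: list = field(default_factory=list)  # raw Set-Cookie values


def site_of(host: str) -> str:
    """Approximate the registrable domain with the last two labels.
    Assumption for brevity: a real audit would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cookie_lifetimes(raw_header: str):
    """Yield (name, lifetime in days, or None when no Max-Age is given)."""
    jar = SimpleCookie()
    jar.load(raw_header)
    for name, morsel in jar.items():
        max_age = morsel["max-age"]
        yield name, (int(max_age) // 86400 if max_age.isdigit() else None)


def audit(page_url, log, consent_t, user_in_eu):
    """Return findings as (kind, host, cookie_name, lifetime_days).

    consent_t is the time of the user's banner choice, or None if they never
    made one, in which case every response counts as pre-consent."""
    first_party = site_of(urlsplit(page_url).hostname)
    findings = []
    for resp in sorted(log, key=lambda r: r.t):
        parts = urlsplit(resp.url)
        host = parts.hostname
        if site_of(host) == first_party:
            continue  # only third parties are of interest here
        # A request that declares "GDPR does not apply" for an EU user.
        if user_in_eu and parse_qs(parts.query).get("gdpr") == ["0"]:
            findings.append(("gdpr_flag_mismatch", host, None, None))
        if consent_t is not None and resp.t >= consent_t:
            continue  # set after the user made a choice
        for raw in resp.set_cookie:
            for name, days in cookie_lifetimes(raw):
                findings.append(("pre_consent_cookie", host, name, days))
    return findings


# Constructed capture: banner shown at load, user clicks a choice at t=8.0.
PAGE = "https://www.wsj.com/articles/constructed-article"
LOG = [
    Response(0.1, PAGE, ["session=constructed; Path=/"]),
    Response(0.6, "https://cdn.thirdparty.example/lib.js",
             ["sid=constructed; Path=/"]),
    Response(0.9, "https://match.adsrvr.org/constructed/sync?gdpr=0",
             ["TDID=constructed-0001; Max-Age=31536000; "
              "Domain=.adsrvr.org; Path=/"]),
    Response(12.0, "https://match.adsrvr.org/constructed/sync?gdpr=1",
             ["TDID=constructed-0001; Max-Age=31536000; Path=/"]),
]


def run_sample():
    return audit(PAGE, LOG, consent_t=8.0, user_in_eu=True)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```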
This is quite something (emphasis my own):
I agree with my friends (and lawyers) at the ACLU: the US government’s indictment of Assange amounts to the criminalization of investigative journalism. And I agree with myriad friends (and lawyers) throughout the world that at the core of this criminalization is a cruel and unusual paradox: namely, the fact that many of the activities that the US government would rather hush up are perpetrated in foreign countries, whose journalism will now be answerable to the US court system. And the precedent established here will be exploited by all manner of authoritarian leaders across the globe.
You can also feel safe knowing we’ve built these subscriptions so that they only renew if you use Signal over the course of the month. Should you stop using Signal, or uninstall the app, they will be automatically cancelled after the next cycle, which helps eliminate the “dark pattern” of subscriptions you’ve forgotten about.
Perhaps the way all software subscriptions should run.
On the metaverse:
Take this quote from the WIRED article:
“If VR and AR headsets become comfortable and cheap enough for people to wear on a daily basis—a substantial ‘if’—then perhaps the idea of a virtual poker game where your friends are robots and holograms and floating in space could be somewhat close to reality.”
What an utterly clownish sentence. The substantiality of that ‘if’ is not ‘hey, maybe we’ll work this out,’ but ‘we are not even remotely close to doing this on a very basic level.’ If you’ve used an Oculus HTC, or Sony VR headset, or any other of the various bespoke VR experiences, you will know that they are janky, even if you can get the hardware to fit well.
…
The only reason people are giving this term the time of day is because Facebook (successfully) used it to distract from the larger conversation about how much they suck.
On Web3:
Every major influencer-investor - the ones that seemingly do not do anything other than post on Twitter and release 4-hour-long podcasts - has done some sort of 30-tweet thread about how web3 is the future of the economy, but also communities, and that is where the metaverse fits in. Confused? Well, they think you’re an idiot and they’re going to block you if you question it.
…
The idea, of course, is that “everybody wins” because the value of a token goes up, and “it’s decentralized and thus no big party wins,” as long as you don’t think about who has the most tokens, who invested early, and who is or isn’t manipulating the price. The public lie is that you’re playing or participating because it’s a fun game, and because you want to “own your data,” but the reality is you’re trying to “invest” in a system that was built to monetize you.
According to the ANA and PwC, 70% of advertising dollars spent on online programmatic advertising never touch a human being. Of $200 billion in annual programmatic ad spend, $140 billion disappears in “ad fees, fraud, non-viewable impressions, non-brand-safe placements, and unknown allocations” (by “unknown allocations” you can read “shit that no one can figure out.”)
All of that tracking and surveillance for nothing.
Also features a funny story about Scotland:
At the time, when you arrived at an airport in Scotland, you were greeted by signs and posters announcing that you were visiting “The Best Small Country In The World.”
…
After spending $250,000 and six months, the new administration rolled out its exciting new slogan: “Welcome to Scotland”
On George Lucas’ writing tower:
I think this case study underscores the more general point that, for professional creatives, spending money to upgrade the aesthetics of your workspace is not just an exercise in expression, but is perhaps instead one of the best business investments you’ll ever make.
But it’s that time of year where we start seeing a ton of autoresponders and it’s got me thinking about it again. Personally, I don’t care to see them ever. I literally don’t care in any context. Hit me back when you hit me back, I’m not going to read what your autoresponder says anyway.
Yes!
There are some cases where an autoresponder can be useful. If you’re working with someone, it can be helpful to know that they won’t get to this for a few days (so you shouldn’t wait for a reply), or if they’ll be gone for a long time and you should speak to someone else.
I’ve also enjoyed some regularly updated autoresponders, too.
Maybe there’s a middle-ground. Perhaps your inbox checks the autoresponder to see if you’ve had that exact message before, then hides it?
Justin highlights two important thoughts on advice.
The first is from James Clear:
Everything is an oversimplification. Reality is messy and complex. The question is whether it is a useful simplification. Know the limitations of an idea and you can apply it to great effect—despite the messiness of reality.
The second is from Elizabeth Earnshaw:
I also like this idea from Elizabeth Earnshaw that a lot of popular wisdom has a “missing half.”
A few of her examples:
- “You can’t change other people… and you might influence them to change.”
- “Self-care isn’t selfish… and sometimes we call things ‘self care’ that actually are kind of selfish.”
These two ideas beautifully articulate something I increasingly struggled with when writing the Work Notes freelance guide. Everyone’s situation is different, their paths there are varied, we have different privileges and these things introduce nuance that can’t be accounted for, even if the advice is broadly accurate.
As Stewart Lee says, “context is not a myth”.
I’m reminded of Hilary Weiss’s takedown of the Charge What You’re Worth Mantra: another oversimplification with a missing side.
From the platform’s perspective, it makes sense. They’re dealing with millions/billions of users: it’s impractical to have anything other than self-service and automated support systems.
For users, this doesn’t matter when everything’s going smoothly, but what happens when something goes wrong? What happens if this account is critical for your business?
This happened to a friend-of-a-friend recently. A mutual friend put us in touch after their Twitter account had been hacked.
In short, they had received an email to say their account had been accessed from a different country. By the time they tried to access the account, the email address, password and phone number had been changed.
I don’t know anyone at Twitter, nor do I have any experience of recovering lost accounts, but I wanted to help. They had already tried multiple methods of reaching Twitter support with no luck.
This struck me as odd because Twitter would be able to see:
Nothing from Twitter’s support pages on hacked accounts seemed to help. At one point, Twitter’s systems even asked the hackee to login to their account and verify their ownership...
In this case, the account was clearly attached to an individual: the photo was a headshot and the account username and name were that of the account holder. With this in mind, we decided that one approach would be to claim the account was an impersonation.
After some unsuccessful attempts, the account holder successfully regained access. The key was to pitch their support request around the fact that this account was representing their business (as a sole trader, but this should work for companies, too).
The account holder tried this after scouring the internet and finding a template letter similar to this (source currently unknown):
Dear Twitter Team,
Thank you for the quick response to my query regarding the official Twitter account of [NAME].
In answers to your questions:
- Your username - [@USERNAME]
- Any email addresses that may be associated with your account - [ACCOUNT EMAIL ADDRESS]
- The last date you had access to your account - [DATE]
- The phone number associated with the account (if you verified your phone number) - [PHONE NUMBER]
I am the sole representative of the business, [BUSINESS NAME], registered in the UK with HMRC.
The Twitter account [@USERNAME] was created [X] years ago and has been operated by me since then as the social media account for my business. Recently, someone maliciously acquired access to the account, changed the email address associated with it and also the password - on or around [DATE], which I think you will be able to see from your records.
Could I please request that you change the email address for the Twitter account back to [ACCOUNT EMAIL ADDRESS] so that I can recover the account and start using it as the business official Twitter account once more?
I hereby confirm that all the information provided above is true and accurate to the best of my knowledge.
If you have any questions, kindly contact me on this email or on [PHONE NUMBER].
With best wishes,
[NAME]
If you lose access to your Twitter account and it’s associated with your business, this could be a route to regain access.
Today, Gmail is the most popular email service in the world, which has created a seemingly limitless number of what I collectively refer to as the Other Sara Morrisons: people who share my name and who, for whatever reason, enter my Gmail address when they mean to use their own. Their frequent invasions of my inbox have made me realize how much trust many of us put in a system that wasn’t designed to do some of the things we’ve come to use it for.
Email isn’t just a communication tool; it’s also an identifier and a security measure. Companies use it to create profiles of you when you start accounts with them and it often doubles as your username. Your email can also serve as your account recovery tool when you forget your username or password. All of this from something that doesn’t require you to verify your ID and that most people get to use for free, provided by a giant corporation that wants to harvest our data. In premium email provider Hey’s words, email is the “skeleton key to your digital life.” Well, I have a skeleton key to a lot of other people’s digital lives, too.
Emails sent to me that were meant for Other Sara Morrisons have given me a good deal of insight into — and a disturbing amount of access to — the lives of the many people who share my name. I know when and where their medical appointments are. I know when they give birth and am kept apprised about what their child ate and how often she pooped at daycare. I know when and where they’re going on vacation, what car they’re renting, and I get tickets to the theme parks they’ll visit when they get there.
I’ve been part of a monthslong job hunting process for one Other Sara Morrison and received the renewed occupational license for another … twice. I know their property tax payment issues. I know their addresses.
As someone who had an extremely guessable Gmail address, this is something I can relate to.
It’s amazing how many services still don’t require users to confirm their email addresses before creating accounts and purchasing goods or services. I’ve received order confirmations for everything from pizzas to car rentals all around the world, and endless accounts for other people using my email address.
And, despite my desire to completely rid myself of my personal Gmail account, I’ve come to realise I can never fully delete it as that could open up the possibility of identity theft.
In future, this could be an issue that masked email addresses solve, but widespread adoption of that will take a while.
Lots of quotes to pull from this piece:
The sale of a piece of crypto art consumed as much energy as the studio uses in two years.
The system is similar to the one that verifies Bitcoin, involving a network of computers that use advanced cryptography to decide whether transactions are valid—and in doing so uses energy on the scale of a small country.
How exactly that energy use translates to carbon emissions is a hotly contested subject. Some estimates suggest as much as 70 percent of mining operations may be powered by clean sources. But that number fluctuates seasonally, and in a global energy grid that mostly runs on fossil fuels, critics say energy use is energy use.
Ethereum’s developers have planned a shift to a less carbon-intensive form of security, called proof-of-stake, via a blueprint called Ethereum 2.0. But this has been in the works for years, and there is no clear deadline for the switch.
“If you look at how much energy we are going to spend in the meantime, it’s ridiculous,” says Fanny Lakoubay, a crypto art collector and adviser.
“People say that hopefully it will be fixed in a year or two so it’s OK to be exploitative right now,” says Akten.
A few weeks ago, my credit card provider wrote to me to tell me that they were switching me back from paperless to postal billing because I’d “not been receiving their emails”.
Even if you can somehow justify using tracking technologies (which don’t work reliably) to make general, statistical decisions (“fewer people open our emails when the subject contains the word ‘overdraft’!”), you can’t make individual decisions based on them. That’s just wrong.
Absolutely. Not only is this a poor UX, but another example of companies/organisations who don’t realise they shouldn’t be sending spy pixels in the first place.
If the outputs generated by tracking turn out to be inaccurate, then shouldn’t they lose their status?
But that line of reasoning shouldn’t even be necessary. We shouldn’t stop tracking users because it’s inaccurate. We should stop tracking users because it’s wrong.
Too right.
What’s interesting to me about the changes to Apple Mail is that they might be the factor that finally forces companies and marketers to stop building logs of user location + other things.
Chris Coyier wrote a follow-up on CSS Tricks:
I’m interested not just in the ethical concerns and my long-time complacency with industry norms, but also as someone who very literally sells advertising. I can tell you these things are true:
- I have meetings about pricing where the decisions are based on the historical performance of what is being sold, meaning impressions and clicks.
- The vast majority of first conversations between bag-of-money-holding advertisers and publishers like me, the very first questions I’m asked are about performance metrics.
That feels largely OK to me. When I go to the store to buy walnuts, I want to know how many walnuts I’m going to get for my dollar. I expect the store to price the walnuts based on normal economic factors, like how much they cost and the supply/demand for walnuts. The advertising buyers are the walnut buyers — they want to know what kind of performance an ad is likely to get for their dollar.
What if I said: I don’t know? I don’t know how many people see these ads. I don’t know how many people click these ads. I don’t know where they are from. I don’t know anything at all. And more, you aren’t allowed to know either. You can give me a URL to send them to, but it cannot have tracking params on it and we won’t be tracking the clicks on it.
Would I lose money? I gotta tell you readers: yes. In the short-term, anyway. It’s hard enough to land advertisers as it is. Coming off as standoffish and unwilling to tell them how many walnuts they are going to get for their dollar is going to make them roll their eyes and move on. Long-term, I bet it could be done. Tell advertisers (and the world) up front, very clearly, your stance on user tracking and how it means that you don’t have and won’t provide numbers via tracking. Lean on supply and demand entirely. Price spots at $X to start. If other people have interest in the spot, raise the price until it stops selling, lower the price if it does.
This highlights the dilemma for publishers. If we agree that advertisers are valuing the wrong metrics, how do you change the narrative?
It’ll get there but there are first-mover costs. And by the way, UTMs are probably the best privacy-respecting metric right now.
Jason Kint puts it roughly like this: targeting and measuring ads is possible in a way that’s privacy-focused and within consumers’ expectations (reasonable people can disagree on whether email spy pixels fall under this, but the ICO is quite clear that users need to consent).
“Tracking” across vendors/services, that users wouldn’t know about or expect, falls outside of this. (Apologies to Jason if this mischaracterises his position in any way).
And there’s more to this. Many people don’t realise what’s going on under the hood. Email spy pixels are a good example: marketers know they can collect the data, but might not realise what data is collected, how or the implications of it.
From Chris’s piece:
As I write this, I’m poking around in the reporting section to see what else I can see. Ughghk, guess what? I can literally see exactly who opened the email (by the person’s email address) and which links they clicked. I didn’t even realize that until now, but wow, that’s very super personally identifiable analytics information. I’m going to look into how I can turn that off because it does cross an ethical line for me.
Now, Chris is a smart cookie. He knows code, he knows marketing, he understands how the web works in a way that many people don’t. And he didn’t know this stuff is going on.
This isn’t to say that naïvety makes this fine, but there will be lots of people innocently collecting this data without realising it.
As Jeremy highlights in his piece, “analytics” can often be substituted for “tracking”. And, as Bob Hoffman notes, “[tracking] is just a prettier word for surveillance.”
No prizes for guessing which of these words features in most SaaS advertising…
This is part of the drive behind Below Radar: help business owners, marketers, freelancers make better choices, understand the options. Yes, it’s grassroots stuff, but we have to start somewhere.
Cory Doctorow on GDPR:
Enter the GDPR. Under Europe’s landmark privacy regulation, companies have to ask you a plain-language question confirming your consent to every piece of data they collect and every use they plan on making of that data. They can’t punish you for refusing consent – by locking you out of a service or degrading its quality – and you can withdraw your consent at any time.
This is deliberately burdensome. It takes the position that consent is a weighty and serious thing, that personal data is genuinely valuable, and that the transactions in which data is gathered and processed should be solemnized by a thoughtful, substantial ceremony. It calls ad-tech’s bluff: “If you think people are really OK with all that spying you’ve done, let’s ask them, in depth, before you do it.”
Cory also references this study
Behavioral ads are only more profitable than context ads if all the costs of surveillance – the emotional burden of being watched; the risk of breach, identity-theft and fraud; the potential for government seizure of surveillance data – is pushed onto internet users. If companies have to bear those costs, behavioral ads are a total failure, because no one in the history of the human race would actually grant consent to all the things that gets done with our data.
Absolutely on point.
From Lush’s CEO:
“I just thought ‘That’s their own research and they’re ignoring it and we are attracting people to their platform.’ We had no choice whatsoever. Lush attracts an awful lot of girls of that age.”
The article also includes this line:
He offers up the excuse that social media is as addictive to companies as individuals.
Certainly true and something to think about.
I’ve also been doing more reading over the past couple of years. There are always quotes I want to remember or refer back to: what to do with those?
After reading Permanent Record, I wrote a little post with a couple of quotes, but the Writing section of this site isn’t there to be filled with book quotes.
I’ve previously stored quotes in Notion, but it’s slow and private: all the reasons I wanted the Bookmarks area in the first place.
This is a long way to say I’ve been looking for a place to store links and quotes, possibly with a way to comment on them, too.
Despite the minimalist feel, Daring Fireball handles a stream of various content types pretty well. The archive supports long posts and short posts with refreshing flexibility.
How can I get a bit of that on here?
In an Unoffice Hours, Joshua Galinato brought up the idea of a commonplace book. He’s been working on an app to store quotes and this sounds like perfect personal site material.
Looking up the origins, commonplace books (or ‘commonplaces’):
Such books are similar to scrapbooks filled with items of many kinds: sententiae, notes, proverbs, adages, aphorisms, maxims, quotes, letters, poems, tables of weights and measures, prayers, legal formulas, and recipes.
This sounds like exactly what I’ve been looking for: a place not just to store quotes, but to comment on them and write notes, too.
For now, this site’s commonplace is split into two sections: Commonplace and Books:
At some point, it might make sense to pull Bookmarks and Writing into the Commonplace, so it becomes the ultimate archive for everything on this site.
Maybe.
Digressive victimhood:
- Charged with discrimination, dominant groups often claim victimhood.
- These claims can be digressive, shifting the topic of conversation.
Illogically, we reasoned that by changing the word we could bend reality. Somehow we would now be able to have multiple first things. People and companies routinely try to do just that.
The NFT explainer I’ve been looking for from Cory Doctorow:
On Oct 26, an NFT bro calling himself Midwit Milhouse coined the term “right-clicker mentality” to refer to these spoilsports who insist on pointing out the inconvenient truth of his white-hot ponzi scheme.
Milhouse used the term to disparage an amateur chef who made his own version of a $2,000 “Salt Bae” steak for $90. Salt Bae is a trendy London chef who charges tens of thousands for gold-leaf-covered steaks that he showers with salt in a kind of tableside piece of performance art.
Milhouse called this person “a great example of right-clicker mentality,” whose homemade steak didn’t deliver “the satisfaction, flex, clout that comes from having eaten at Salt Bae’s restaurant.”
https://twitter.com/kenlowery/status/1455662848345055232
Milhouse went on: “The value is not in the cost of the steak. Go ahead, make yourself a gold-coated steak at home. Post a picture of it on Instagram. See how much clout it gets you.”
And then, displaying galactic-scale lack-of-self-awareness, “Salt Bae’s dish costs around 1500GBP because people want to pay 1500 GBP to show off that they can afford to pay that much. It’s all about the flex.”
You really couldn’t ask for a better encapsulation of the NFT bezzle: buy an NFT to “flex” and “show off you can afford to pay that much.” Ignore the intrinsic value or satisfaction of the underlying work. You’re doing this for “clout.”
Right-clicker-mentality is a value we should all aspire to. As Matthew Gault wrote on Motherboard: “Sometimes a word or phrase comes along that’s so perfect it almost makes you angry.”
“To right-click is one thing, but to have a right-clicker mentality implies an ontological break between crypto-fans and critics. Indeed, it implies the person saving the JPEG to their hard drive isn’t just wrong, they’re broken in some way.”
This is an incredibly useful service with a couple of benefits:
If we generate a random email address for each account, it reduces the chances of a hacker guessing the email address part of the login. This makes it harder to hack an account through brute force (though not as difficult as using two-factor authentication).
This is particularly useful in the case that your email address is quite guessable (e.g. firstname.surname@icloud.com).
A side benefit of generating random email addresses for each account is that we can trace the source of spam and other unwanted email. If we’ve only used an email once, we know where an email was leaked or sold from.
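Both benefits can be sketched in a few lines. This is an added example, not code from any of the services mentioned here: it issues one random alias per service and uses the alias a message arrived at to work out where the address got out. The `alias.example` domain, the service domains and the sample messages are constructed.

```python
import secrets
from email import message_from_string
from email.utils import getaddresses, parseaddr

ALIAS_DOMAIN = "alias.example"  # assumption: a domain that forwards to the real inbox


def new_alias(nbytes=8):
    """Random local part: 8 bytes from the OS CSPRNG means 64 bits to guess."""
    return f"{secrets.token_hex(nbytes)}@{ALIAS_DOMAIN}"


class AliasBook:
    """One alias per service, so each address has exactly one legitimate sender."""

    def __init__(self):
        self._service_by_alias = {}
        self._alias_by_service = {}

    def alias_for(self, service_domain):
        """Return the alias for a service, creating it on first use."""
        key = service_domain.lower()
        if key not in self._alias_by_service:
            alias = new_alias()
            self._alias_by_service[key] = alias
            self._service_by_alias[alias] = key
        return self._alias_by_service[key]

    def trace(self, raw_message):
        """Find which service the receiving alias was issued to and whether
        the sender is that service or somebody else."""
        msg = message_from_string(raw_message)
        headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
        recipients = [addr.lower() for _, addr in getaddresses(headers)]
        issued_to = next(
            (self._service_by_alias[r] for r in recipients
             if r in self._service_by_alias),
            None,
        )
        sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        if issued_to is None:
            verdict = "unknown-recipient"
        elif sender_domain == issued_to or sender_domain.endswith("." + issued_to):
            # From can be forged, so treat this as a hint rather than proof.
            verdict = "expected"
        else:
            # Mail for this alias from anyone else means the address got out.
            verdict = "leaked-or-sold"
        return {"issued_to": issued_to, "sender_domain": sender_domain,
                "verdict": verdict}


def constructed_message(sender, recipient):
    """Build a minimal sample message (constructed for this example)."""
    return f"From: {sender}\nTo: {recipient}\nSubject: Special offer\n\nHello\n"


if __name__ == "__main__":
    book = AliasBook()
    alias = book.alias_for("shop.example")
    print(alias)
    print(book.trace(constructed_message("news@mail.shop.example", alias)))
    print(book.trace(constructed_message("Deals <deals@spam.example>", alias)))
```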
Email isn’t just a personal identifier, it’s a direct line to contact you. In fact, it’s the most direct way to contact people aside from a phone number or address.
Masking an email address is a way to buy back some privacy. This is useful in all sorts of situations: perhaps we don’t trust a service or there’s a reason that using our actual email address could expose us to a risk.
Disguising our email address also solves one of the biggest privacy issues with newsletters: many mailing list providers make it incredibly easy for list owners to spy on individual users.
List owners can often see:
Many users are completely unaware this data is collected. Aside from this being a gross invasion of privacy and trust, the fact it’s tied to an email address (a way to identify and contact that individual) makes it all the weirder.
Disguising our email addresses gives us more control of our privacy.
For Fastmail and 1Password users, there’s an integration that makes this even easier. Their Masked Email service automatically generates a forwarding email address and a password, and saves them for you.
If you’re not a Fastmail user already and want to use an affiliate link, here you go.
Update: 27th November, 2021: I recently discovered Simple Login which offers this service independently. Worth checking out if you’re not an iCloud or Fastmail user.
These services are making it easier than ever to create disguised email addresses, which is a great thing for privacy and security. I’ve already seen masked emails in use in mailing lists I run, and I’d love to see this more widely used.
It always takes a while for features like this to be adopted, especially given the extra friction it creates in signing up. But it would be wonderful if this became the de facto method for creating new accounts.
We live in hope.
‘But some parents said they were unsure whether their children had been given enough information to make their decision, and suggested that peer pressure had also played a role.’
Surely, this is a decision that parents should be making? It seems incredible that this incredibly invasive tech would be entering the school for such a trivial ‘gain’.
It will be interesting to see the fallout from the first data breach.
‘A lot of companies could be still pretty profitable if they chose to go this route,’ Weinberg says. ‘They may be a little less profitable. But you know, it’s like—is that extra profit worth all this societal impact and problems? We don’t think so.’
Even some ad buyers are questioning whether endless tracking works; a survey by Digiday found that 45 percent of ad execs saw “no significant benefit” from behavioral tracking, and 23 percent found it made revenues decline.
Societal benefits vs pure profit.
A trade-off many companies don’t seem to be willing to make.
This interesting study suggests UK consumers would collectively pay over £1bn a year for control of their data. That’s a little over £1 per person per month.
Because they use emails to recognize people who have asked not to have their data shared, some ad technologies require an email address to actually enable people’s privacy preferences.
Just in case there was any doubt about how broken privacy is on the web, huh…
I’ve been tweaking it along the way. One of the greatest additions has been the Unoffice Hours, inspired by Matt Webb’s project. There have also been smaller tweaks like the addition of Reply via email buttons on individual articles.
There are other things I’d like to add, such as an About page that lists podcast appearances and a Resources section. The latter is inspired by two things:
I haven’t decided on the exact format, but a place to log things I’ve found would be very useful. For a long time I did this in Notion, but the app is just so slow I’ve neglected to maintain it.
I suspect it would be easier to add new items to the site than there. And possibly useful to others, too.
With that in mind, I think it’s time to realign this site. The home page could do with some adjustment, bringing Unoffice Hours to the fore and there are other things I’d like to explore:
I’d initially liked the idea of a mono type for this site, but that’s not fantastic for readability. That’s why the site features a font switcher so users can switch to a sans-serif.
A while ago I discovered Relative Faux by Colophon. It’s a fauxnospaced font – monospaced characteristics with proportional spacing – and it might be the perfect fit.
The Writing section is a little rough-and-ready. It would be nice to tighten this up, call out Popular articles and possibly provide a search, too.
This could be a good opportunity to tweak the existing colours for more subtlety or move to something completely different.
For sites like this, I’m increasingly a fan of making the URLs as simple as possible. Instead of davesmyth.com/writing/realignment, it would be nice to use davesmyth.com/realignment.
This isn’t always appropriate, but I might make some changes on that front, too.
Let’s see what happens.
To quickly recap, open rates are inaccurate because lots of email clients block the tracking pixels that allow the open to be tracked. These are blocked in two ways:
In either scenario, the sender has no way of knowing whether the email has been read by the recipient or not.
This is a common feature in lots of email clients and it’s set to become more so as iOS 15 will let Apple Mail users block this tracking.
Open rates are often used to assess how ‘active’ a mailing list recipient is. In other words, do they read the emails?
There is a perfectly legitimate business principle of valuing a small mailing list with high engagement over a large list with very low engagement. Not least because mailing list providers often charge based on the number of users in a list.
The seemingly logical conclusion of these two factors is the practice of removing users who don’t open emails.
In fact, this is something that lots of mailing list providers recommend. Not just for the reasons above, but – according to many providers – sending to many inactive subscribers hurts email deliverability.
Here are some articles on the topic from various providers:
Each of these articles defines different types of inactive subscribers and talks about the impact of keeping inactive subscribers on a list. But there’s absolutely no explanation of how inactive subscribers practically impact deliverability.
The theory seems to go like this:
Gmail, Outlook or another provider see that an email from a sender isn’t being opened by lots of people. At some point, the sender’s emails start to be automatically categorised as spam or sent to Gmail’s Promotions tab.
But how does that work in practice? Gmail or Outlook won’t have access to the open rate data from the mailing list provider (Mailchimp etc).
The only way I can think that this works is that email providers collect their own internal data on email opens. That data is fed back to a scoring mechanism for a sender, or perhaps a universal tool like SpamCop that helps email providers root out spam.
There is a clear case to do this: anyone who had an email account before Gmail will remember how much of a problem spam used to be. Gmail’s filters quickly reduced that headache and spam is no longer a huge issue for lots of email users.
But here’s the interesting thing: email providers such as Gmail and Outlook are likely generating entirely different open rates to mailing list platforms such as Mailchimp and ConvertKit etc:
What’s more, only the email providers decide/impact on what gets delivered to a user’s inbox. They are the ones with accurate data.
This isn’t to suggest that unread emails don’t impact on deliverability. But – given it’s likely there’s a discrepancy between emails that are reportedly and actually unread – how can a list be accurately pruned?
Some active subscribers will show up as inactive and some inactive subscribers will show up active.
Mailing list platforms cannot tell for certain who is active or not based on open rates alone. It would seem that newsletter owners pruning their lists based on open rates run a significant risk of removing active subscribers.
It might be better to rely on click rates to determine which subscribers are active. Or, even better, remove the spy pixels altogether.
The above makes several assumptions about how deliverability is assessed – if it’s inaccurate, I’d love to hear from you to set the record straight:
This quote stuck out:
Ultimately, saying you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say.
As did this longer excerpt from the book’s conclusion:
Still, if we don’t act to reclaim our data now, our children might not be able to do so. Then they, and their children, will be trapped too—each successive generation forced to live under the data specter of the previous one, subject to a mass aggregation of information whose potential for societal control and human manipulation exceeds not just the restraints of the law but the limits of the imagination.
Once you go digging into the actual technical mechanisms by which predictability is calculated, you come to understand that its science is, in fact, anti-scientific, and fatally misnamed: predictability is actually manipulation. A website that tells you that because you liked this book you might also like books by James Clapper or Michael Hayden isn’t offering an educated guess as much as a mechanism of subtle coercion.
We can’t allow ourselves to be used in this way, to be used against the future. We can’t permit our data to be used to sell us the very things that must not be sold, such as journalism. If we do, the journalism we get will be merely the journalism we want, or the journalism that the powerful want us to have, not the honest collective conversation that’s necessary.
That’s quite something.
Leaving aside privacy issues, open rates are a fragile metric, so we discussed monitoring link clicks instead.
Some newsletter providers allow list owners to track clicks in a privacy-focused way, but it’s not common. In many cases, the link strings are extended with unique identifiers that tie clicks to specific users.
This is an invasive and unnecessary practice. Unless those users are going to be retargeted for ads, of course.
If you have a website running analytics, you can use redirects to track links without coupling that data to a user’s email address:
If you’re repeating a link across multiple emails and want to tie the analytics to a specific newsletter, you may need to create new links for each email. But in many cases, this won’t be necessary – especially as you can usually filter analytics by date.
This is an incredibly simple, privacy-focused method of tracking links sitting right under our noses.
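One way to build such a redirect, shown as an added example rather than the setup used on this site: a fixed table of short links that counts clicks in aggregate and ignores anything that could identify a recipient. The `/go/` prefix, the slugs, the destinations and the `issue` parameter are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Hypothetical short links for a newsletter (constructed for this example).
LINKS = {
    "pricing": "https://example.org/pricing",
    "course": "https://example.org/courses/forms",
}

ISSUE_RE = re.compile(r"^[a-z0-9-]{1,32}$")

# Aggregate counts only: (slug, issue) -> clicks. Nothing per person is kept.
clicks = Counter()


def resolve(request_target):
    """Turn a request such as '/go/pricing?issue=2021-06' into a redirect.

    Returns (status, headers). Only the slug and an optional issue label are
    read. Every other query parameter, including any per-recipient ID that a
    mailing platform appended to the link, is ignored and never stored.
    """
    parts = urlsplit(request_target)
    prefix, _, slug = parts.path.rpartition("/")
    if prefix != "/go" or slug not in LINKS:
        # Destinations come from the table, never from the request, so the
        # endpoint cannot be used to bounce visitors to an arbitrary site.
        return 404, {}
    issue = parse_qs(parts.query).get("issue", [""])[0]
    if not ISSUE_RE.match(issue):
        issue = "unlabelled"
    clicks[(slug, issue)] += 1
    # 302 plus no-store: a cached 301 would skip the server on repeat clicks
    # and those clicks would go uncounted.
    return 302, {"Location": LINKS[slug], "Cache-Control": "no-store"}


def click_report():
    """Return the aggregate counts as a plain dict."""
    return dict(clicks)


if __name__ == "__main__":
    # Constructed requests. The first carries the kind of per-recipient
    # parameter a mailing platform might append; it is dropped.
    for target in ("/go/pricing?issue=2021-06&uid=8f3a", "/go/pricing", "/go/nope"):
        print(target, "->", resolve(target))
    print(click_report())
```

Links in the email then point at `/go/pricing?issue=2021-06`, and the site's existing analytics will also record the hit on that path.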
Google’s explainer over on web.dev states that “websites will have the ability to opt in or out of FLoC”, but this is misleading.
All websites are opted into the trial by default.
Leaving aside the wider privacy concerns around FLoC, the trials present issues of consent. Chrome users may not realise they are part of the trial and website owners may not want their audience to be profiled.
The next steps depend on whether you’re a Chrome user or a website owner.
Site owners can opt out of the trial by adding an HTTP response header:
Permissions-Policy: interest-cohort=()
But how do you set this?
WordPress users
Plugins like Headlock will let you set this header. This plugin is from Tim Nash who also mentioned on Twitter that services like Cloudflare let site owners set headers, too.
Statamic users
Erin Dalzell has released an addon to send this header. No configuration required.
It’s also possible to do this natively: something that might make it to the Statamic core.
Once the header is set, tools like httpstatus can help you check that the header is being sent correctly. Look for the Permissions-Policy section as shown at the bottom of this screenshot:
The technical nature of setting HTTP headers means that not all website owners will be able to opt out of Google’s FLoC trial. That makes the decision to opt in all sites by default frustrating and concerning.
If there are methods for users of Squarespace, Wix or other CMSs to opt-out, let me know and I’ll add them to this list.
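The header can also be checked with a short script. This is an added example, not part of any of the tools above: it reads the Permissions-Policy values a site sends and reports whether `interest-cohort` has the empty allowlist `()`. The parser is a simplified reading of the header syntax, and the function names and sample values are constructed.

```python
import urllib.request


def _split_members(value):
    """Split a header value on commas that sit outside (...) and quotes."""
    depth, quoted, start = 0, False, 0
    for i, ch in enumerate(value):
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        elif not quoted and depth == 0 and ch == ",":
            yield value[start:i]
            start = i + 1
    yield value[start:]


def parse_permissions_policy(header_values):
    """Parse one or more Permissions-Policy values into {feature: allowlist}.

    Several header lines are treated as one comma-joined list, and a feature
    that appears twice keeps its last value. Members without '=' are skipped.
    """
    policy = {}
    for value in header_values:
        for member in _split_members(value):
            name, sep, raw = member.partition("=")
            name, raw = name.strip(), raw.strip()
            if not sep or not name:
                continue
            if raw.startswith("("):
                close = raw.find(")")
                if close == -1:
                    continue  # malformed list, ignore this member
                items = raw[1:close].split()
            else:
                items = [raw.split(";")[0]]
            policy[name] = [item.strip('"') for item in items]
    return policy


def floc_opt_out_status(header_values):
    """Return 'opted-out', 'not-opted-out' or 'missing'."""
    policy = parse_permissions_policy(header_values)
    if "interest-cohort" not in policy:
        return "missing"
    # Only the empty allowlist turns the feature off for every origin.
    return "opted-out" if policy["interest-cohort"] == [] else "not-opted-out"


def check_url(url, timeout=10):
    """Send a HEAD request to url and report its opt-out status."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        values = response.headers.get_all("Permissions-Policy") or []
    return floc_opt_out_status(values)


if __name__ == "__main__":
    # Constructed header values, as a site with other policies might send them.
    samples = (
        ["interest-cohort=()"],
        ['geolocation=(self "https://maps.example"), interest-cohort=()'],
        ["camera=()"],
        ["interest-cohort=(self)"],
    )
    for sample in samples:
        print(sample, "->", floc_opt_out_status(sample))
```

Call `check_url` with your own site's address to test the live response. If a plugin and a CDN both set the header, the last value is the one that counts.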
Earlier this month, I received a renewal notice about the additional Google space I was paying for. It seemed as good a time as any to get to work.
I set about deleting all 290,589 emails from my Gmail account.
Before deleting the emails, I wanted to take a backup of emails. If I don’t open this backup in the next year or so, I’ll probably wipe it completely.
Google’s Takeout service lets you export emails to an mbox file. There are clear instructions on the HEY website.
That produced a 20GB export. It seems Google ignores requests to chunk the export into smaller files.
As we all know: a backup is only useful if it works. The file should have been readable by Apple Mail but each attempt to import crashed due to the size of the export.
I ended up importing to Thunderbird with the ImportExportTools add-on. It took a while, but it worked.
As it turns out, Gmail isn’t great at deleting nearly 300,000 emails in one shot.
In theory, it’s possible to highlight all emails in an inbox and move them to trash. In practice, Gmail deletes 5–10k emails at a time, occasionally removing as many as 20–30k in one shot.
There’s a clever date-based filter trick that might help with deletion: it’s detailed as Solution 2 in this support thread. This technique didn’t work for me, but it might work for small inboxes.
Ultimately, I ended up deleting emails from each folder/label in batches. This made it easier to see the progress and left a much-reduced Inbox by the time I reached it.
The whole process took an hour. Worth every second.
The next step is deleting my Gmail account. I plan to leave it dormant for a while to make sure I’ve caught all the email changes I need to make before completely deleting the account.
After my post about de-Googling, a few people asked about my custom domain email set-up with HEY.
Custom domains have been a hot topic since HEY’s launch as they weren’t supported until HEY for Work was released. HEY for Work is a separate plan to their personal email offering and costs $12 per user per month.
If you have a few email addresses running on custom domains the cost quickly adds up. The outlay might not be worth it if the addresses aren’t used much.
HEY for Work’s strength is in collaboration. I’m using it for an upcoming project and those features are brilliant.
So, if you
What can you do?
The solution is in two parts.
Firstly, most email providers (except hyper-secure options like Proton Mail) let you forward incoming email to another address. In this case, that’s your personal HEY account.
The second part is relatively new: HEY now supports SMTP. That means your personal HEY account can ‘send as’ an external email address.
I’m running three custom domains on Fastmail and these are all forwarded to my personal HEY account. Now that HEY supports SMTP, I can send emails through HEY from my external email addresses.
It’s a pretty useful feature for anyone who wants to use custom domains but doesn’t need the other features of HEY for Work. More details over on the HEY website.
I closed both of my Google Workspace accounts a few days ago.
It’s difficult to go 100% Google-free as their services are so deeply embedded in the web, but I’m trying to use alternatives wherever reasonably possible.
Having used G Suite/Google Workspace for work email, I was slightly hesitant about the impact of losing access to Google Docs and Drive. I’d never used these much, but some clients are all-in on these services.
As it happens, clients can invite external email addresses to any services they need to collaborate on. I think this was previously limited to Gmail or G Workspace accounts, so it’s never been easier to move work services away from Google.
Here’s how I’m tackling switching from various Google services:
I use DuckDuckGo. For a long time, I used Startpage as it uses Google results while respecting user privacy, but DuckDuckGo’s results have improved a great deal. Highly recommended.
In December, I switched to Fastmail for work email (10% off affiliate link). It’s a good balance of privacy and user experience.
I’d previously tried ProtonMail, but couldn’t wrangle the Bridge service to import/export emails to third-party apps.
On Fastmail’s $5/month plan, you can add any custom domains you need. Now that personal HEY email offers SMTP support, I can manage all work and personal email from the same place.
Fastmail also features a Calendar, knocking out another reliance on Google. I switched to Fantastical, which has been fantastic.
I’ve had my Gmail account for 17 years, but I’ve been enjoying HEY as a personal email alternative.
It’s daunting to turn this off given how many services are linked to it, but I’m taking this approach:
I expect this process will take some time, but I kicked the process off by deleting the 290,589 emails in my Gmail account.
I switched to Fathom ($10 off affiliate link) around 18 months ago.
I strongly recommend privacy-focused analytics to my clients. In some cases, it completely removes the need for a cookie banner.
I can maintain an account here without either a Gmail or Workspace account.
I have a few domains registered with Google Domains: moving them is non-trivial. I’ll keep them there for now and look to move each one at an appropriate time.
I register new domains with services like Gandi or Hover.
I’ve never really used Google Drive or Google Docs. Before switching off Workspace I checked I had copies of files stored locally or on Dropbox.
In 2022, I switched to Sync (here’s a referral link to give you and me an extra 1GB). It was a super easy switch, and one I wish I’d completed earlier.
There’s no alternative to this, but you can maintain an account without a Gmail or Workspace account.
I switched from Google Authenticator a year ago after hearing about a friend losing their phone and their 2FA codes with it.
I use Authy which supports device synchronisation and offers a desktop app. That means you don’t always need your phone on you and you’re not locked out if you lose it.
I’ve not used Google Chrome as my browser for years, preferring Firefox or Safari.
These are the services I use, but there are lots of others.
For alternatives check out switching.software and Mark Hurst’s Good Reports.
Since I deactivated my Workspace account, I’ve noticed that Google regularly tries to push me to reactivate the account.
I’m often unintentionally logged in to Google, and my old Workspace account is still linked. That’s because clients sometimes share Google things to the email address associated with the old Workspace account.
This is what I see:
There are a few things that make this a particularly dark pattern:
admin.google.com interface, which is only available to Google Workspace accounts. This makes it difficult to switch to a non-Workspace account.
Google suggested two solutions:
It would be better if Google stopped trying to force their product on me. My user experience would be better if I’d never had a Google Workspace account: that doesn’t seem right.
This anecdote serves as a frequent reminder not to use Google at all.
Last updated: 14th April, 2022
From The Verge:
The GPC standard sprang from a powerful but little-noticed provision in the California Consumer Privacy Act (CCPA), which ... gives Californians the right to opt out of having their personal information sold by the sites they visit.
Interestingly, the definition of ‘sold’ seems to be deliberately vague – in a good way:
Crucially, the law interprets “sell” as including any exchange of value, which could include being read broadly enough to go beyond outright data broker sales and into the endemic tracking pixels that power much of the advertising you see online.
Part of the appeal of the Global Privacy Control is that users can set this signal from their browser. There are several ways to broadcast the signal, but most users will only need to install a browser extension.
There’s support for Firefox, Chrome, Brave and Microsoft Edge browsers at the moment – Safari is a notable omission.
Here are the direct links to the extensions:
To enable this on mobile, users will need to use the DuckDuckGo Privacy Browser on Android or iOS.
Once installed, users can visit globalprivacycontrol.org and test that their browser signal is working. If it is, a message will appear in a bar at the top of the page.
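What the signal looks like from the receiving site’s side, as an added example that is not from The Verge article or the GPC project: the browser sends a Sec-GPC: 1 request header and exposes navigator.globalPrivacyControl to page scripts. The tag inventory, sample requests and function names are assumptions made for the illustration.

```javascript
// Hypothetical inventory of scripts a site might serve, each marked by
// whether it passes visitor data to a third party.
const TAGS = [
  { name: 'first-party-error-log', sharesWithThirdParty: false },
  { name: 'ad-network-pixel', sharesWithThirdParty: true },
  { name: 'social-share-widget', sharesWithThirdParty: true },
];

// Constructed request headers for the two cases.
const REQUEST_WITH_GPC = { 'User-Agent': 'ExampleBrowser/1.0', 'sec-gpc': '1' };
const REQUEST_WITHOUT_GPC = { 'User-Agent': 'ExampleBrowser/1.0' };

// HTTP header names are case-insensitive, and some servers expose repeated
// headers as arrays, so normalise both before comparing.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  const found = [];
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() !== wanted) continue;
    for (const v of Array.isArray(value) ? value : [value]) {
      found.push(String(v).trim());
    }
  }
  return found;
}

// The GPC proposal defines a single valid value, "1". Anything else
// ("0", "true", an empty string) is treated as no signal at all.
function hasGpcSignal(headers) {
  return headerValues(headers, 'Sec-GPC').includes('1');
}

// Page scripts see the same preference as a boolean on navigator.
// Pass in window.navigator; a plain object works for testing.
function clientHasGpc(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Assumed policy for this example: a GPC signal removes every tag that
// shares data with a third party and leaves first-party tags alone.
function tagsToServe(headers, tags = TAGS) {
  const optedOut = hasGpcSignal(headers);
  return tags
    .filter((tag) => !(optedOut && tag.sharesWithThirdParty))
    .map((tag) => tag.name);
}

// Body for /.well-known/gpc.json, where a site declares that it honours
// the signal. lastUpdate is the date the declaration was last changed.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}
```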
When I installed the Firefox extension, DuckDuckGo silently set itself as the default search engine. I understand this is a good move for users stuck on Google by default, but I wasn’t brilliantly impressed that this happened without asking.
According to The Verge article, “project organizers estimate that 40 million users worldwide will be sending out the GPC signal through one product or another”.
Right now, the project and download information is spread across a few sites and articles. I’ve written this brief rundown to pull together the key points and make it easier to download the extensions.
The power of a standard like this is in its take up. You can help the project by spreading the word.
Turning off read receipts seems like a small thing: “who cares if they know when I read this?”
I started turning messaging read receipts off a couple of years ago: it’s had a positive impact on my experience of messaging apps.
On the occasions I’ve realised read receipts were on, perhaps in a new app, the relief I’ve felt in turning them off has been palpable.
Aside from this, there are the privacy considerations.
Most popular messaging apps turn read receipts on by default.
I can't stand breakfast. It's just constant eggs. I mean, why? Who decided?
This quote from Killing Eve sums up my feeling on this.
Apps where read receipts are on by default include:
It seems there’s no way to turn read receipts off for Facebook Messenger, Instagram direct messages or Telegram.
One of the most insidious quirks of read receipts in messaging apps is the receipt quid pro quo. To receive read receipts, users normally have to enable read receipts on their own device.
I used to accept this on the basis that it seemed fair. Now I’ve had some distance from read receipts, it seems like a particularly weird ‘trade’.
Surely, the only thing that matters is whether a recipient is happy for the sender to know they’ve read the message? Why does a sender have to opt-in to also share when they’ve read messages?
I’m not interested in when someone reads a message of mine, so this isn’t a strange feature request.
Most messaging apps let users turn read receipts off. The same courtesy isn’t extended to email users.
Of course, privacy-focused email services will block read receipts, but there’s no standard method for users to opt-out.
This is an important topic as email read receipts are particularly invasive. Whereas messaging apps will report the read status and possibly time of reading, email tracking might also report the user’s location.
That’s just personal email. Most mailing list software enables all of this by default and often tracks every instance of an email being read and internal links being clicked.
Mike Davidson’s writing on Superhuman demonstrated this in action. Superhuman rolled back some of the worst excesses of their email tracking, and they’re not a newsletter service, but this practice is still common in mailing lists and marketing emails.
In most cases, tracking continues even after a user unsubscribes.
I remember when I used to think it was convenient to know when a message was read.
Looking back, it was convenient. It was convenient for me as the sender, but not for the recipient.
It’s nosy and with little justification.
The world of work finds plenty of reasons to justify tracking users without their consent.
Common examples include enabling cookies for analytics or tracking users all over the web under the guise of improving the effectiveness of ads.
Ecommerce businesses in particular make extensive use of tracking in mailing lists, from open rates, times and locations to link clicking.
They’re far from the only ones and the use cases can be subtle. For instance, consider accounting software that tells users when a client has seen an invoice.
For years, websites and services have collected all possible data, just because they can.
When I start using a new messaging app, read receipts are one of the first things I look to disable. If you find yourself feeling pressure to reply, or you avoid opening messages so you don’t trigger a read receipt, I’d suggest doing the same.
I’d also recommend looking at email services that either block incoming read receipts or disrupt them. One of the ways we can individually effect change is by making the data useless.
I wouldn’t have picked up the book if it wasn’t for Adam Pearson. He told me that in another of Newport’s books, Deep Work, he recommended:
That was enough to make me want to explore it.
I’m writing this for a few reasons. It’s partly a reminder to myself of the benefits of what I’ve been trying. I also hope it’s useful for other people who feel tech takes up too much of their world.
Digital minimalism isn’t about cutting out all tech. It’s about making tech work for you: getting the value you need without it ruling your life.
I’ve seen plenty of people share their experiences of this only to be met with replies like “just don’t use the internet or social media” or “why post it on social media”. These are spectacularly lazy hot takes that completely miss the point: no surprises there, then.
Here are some of the steps I’ve taken. I don’t imagine anyone would tread an identical path, but I hope sharing my experience and the benefits I’ve seen will be of use to someone.
I’d been tempted to remove Facebook for a while, but groups and nostalgia kept me around. Taking a social media break gave me the perfect excuse to deactivate my account and see how I’d fare.
When you deactivate your account, Facebook gives you the option to keep Messenger. Initially, I kept Messenger to keep in touch with friends who I mostly spoke to through that.
I found that keeping Messenger was a problem. Even though I’d deleted the Facebook app and stayed logged out, I was tempted to reactivate my account whenever I logged into Messenger.
I’d be surprised if this wasn’t by design.
After a couple of weeks, I set my account to be permanently removed, including Messenger. It’s strange how much I think about Facebook as a company from a privacy angle, but I haven’t thought about using it as an individual in months.
I don’t miss it.
Obviously Facebook went, along with the Messenger app, but I also removed the Twitter and Instagram apps from my phone.
Instagram has remained deleted. I may return to that one day, particularly if Facebook is broken up.
Incidentally, I came across a great tip for getting the full Instagram experience on desktop: “use the developer feature on Safari, switching User Agent to iPhone”.
A common recommendation for Digital Minimalists is to turn notifications off. I’d done this long before reading the book: if you haven’t already, it’s well worth it.
I took a 30-day social media break from everything but my personal Twitter account. After that, Newport recommends reintroducing tech intentionally.
I didn’t miss much social media, but Twitter was always going to be the difficult one for me. It’s the platform I use and enjoy most, but there’s lots of negative stuff on there. It’s easy to get drawn down increasingly depressing rabbit holes.
Removing the app from my phone completely stopped all Twitter notifications and prevented me accidentally firing up the app. The only way to access it was through a browser.
This did the trick for a bit, but I still saw loads of negativity on desktop and mobile.
To try and tackle this, I’ve gone list-based. The idea is to replace the timeline with lists for a more curated experience.
Twitter doesn’t let users set a list as their default view. This is ok if you’re using an app like Tweetdeck (which is perfect for this), but there’s no equivalent on mobile.
Ultimately, I’ve gone all-in on using lists. As it’s not possible to set lists as a default mobile view, I copied accounts I was following to a list and unfollowed everyone.
This seems drastic, but it’s done a load of good. I’m still following most of the accounts I followed before, but the experience is much more positive so far.
Let’s see how long that lasts.
It’s easy to conflate digital minimalism with reducing social media use. But it’s much broader than that: it’s about redefining your relationship with tech and making tech work for you.
I’ve been listening to a lot more podcasts over the past few years. And having used Apple Podcasts mainly, I took the opportunity to investigate some other options.
I hadn’t looked into this before: “how different could a podcast player be, really?!” Well, I wish I had. There are lots of subtle differences that add up to a much easier podcast interface.
For example, I’ve been listening to David Dylan Thomas’ excellent Cognitive Bias podcast. These episodes are often short. You want to listen to them in order as the content often references previous episodes.
Changing the play order in Apple Podcasts is possible, but hidden in some not-particularly-obvious settings. In the new player, Overcast, it’s much clearer: very useful when you discover a new podcast.
This is a small example, but it reinforced to me how subtle app differences can have a big impact on how we interact with tech.
I’ve recommended Digital Minimalism to lots of people this year. Taking some steps towards digital minimalism has been a massively positive experience for me.
I’d highly recommend the book to anyone who feels they could benefit from resetting their relationship to tech.
I also run a few things: my business, a course on CSS, Work Notes and this personal site.
Subscribers to the Websmyth newsletter previously received very occasional emails and my intention was to run one through this site, but there’s lots of crossover. With all of this in mind, I’m consolidating these two newsletters.
The newsletter looks at web things and tech with a privacy-focus. Freelancing will feature less often as that’s covered at Work Notes. I’ll use the newsletter to share links to things I’ve been reading, along with writing from both Websmyth and this site, with a sprinkling of work and other updates.
Original Websmyth subscribers will also notice that emails look different. That’s because I’ve switched to privacy-focused Buttondown, where I can properly turn off click and open tracking.
If you’re not already subscribed, you can sign-up below.
To recap:
Keith’s article references the New York Times who, in 2018, turned off behavioural advertising for European readers. Digital advertising through their site increased through to early 2019.
They aren’t the only ones.
In August 2020, WIRED reported on the Nederlandse Publieke Omroep’s (NPO) strict approach to European cookie laws. Instead of assuming users are ok with targeted advertising if they skipped the cookie consent screen, they opted users out (incidentally, this is the correct approach).
The company found that ads served to users who opted out of cookies were bringing in as much or more money as ads served to users who opted in. The results were so strong that as of January 2020, NPO simply got rid of advertising cookies altogether. And rather than decline, its digital revenue is dramatically up, even after the economic shock of the coronavirus pandemic.
If behavioural ads aren’t more effective than contextual ads, what is all of that data collected for?
If websites opted for a contextual ads and privacy-focused analytics approach, cookie banners could become obsolete...
The attraction of heavily targeted advertising is strong for small businesses. For a start, it’s frequently the only recommended advertising method, but the pull of tweaking adverts to maximise small budgets must be strong.
In the spirit of investigating alternatives to invasive marketing techniques, I want to find out more. I’m interested in collecting more examples of businesses – large or small – that have bucked the trend and opted for contextual ads over behavioural ones.
Large and small businesses may advertise in different ways, but there will be lessons to learn from any business that’s gone against the grain here.
Send examples to keen.lion9019@davesmyth.com: the lists below are updated with examples as I find them.
Last updated: 27th March, 2021
These are some of the questions I’ve been thinking about recently.
The introduction of GDPR in 2018 created mass panic as businesses raced to meet the deadline. To many, compliance was – and in some cases still is – seen as needless hassle.
I’d guess that’s in no small part due to the nature of the topic and its role as regulation. But it’s also a complex area with plenty of nuance, something borne out by the number of larger companies that either don’t understand or choose to ignore the legislation.
Privacy is a much bigger topic than GDPR.
We’re emerging from somewhat of a wild west of data collection.
For years, websites and internet services have been collecting anything and everything they can about users. Often without user consent or awareness.
This is frequently justified as ‘essential analytics’ or ‘optimising advertising’. But the real reason businesses do it is that collecting this data is easy and cheap/free. And because they can.
It’s easier to pitch the benefits of marketing (money) against user privacy (expense, hassle, legal). And business owners have been told they need to collect All The Data to optimise their sales and increase margins.
A classic example would be email marketing. Most mailing list platforms allow marketers to track:
This is often possible even after a user unsubscribes. Some mailing list providers will even opt-out users who they don’t think have read emails in a while (i.e. recipients who block these trackers).
Many recipients will have no idea they’re being tracked in these ways. They’re certainly not made aware of this when they sign up.
Here’s the rub: many of us don’t like the idea of our data being harvested, yet we’re happy to track users because money.
It would seem that if we want to effectively market to users and respect their privacy, that creates a tension. Is that the case or does it just require a change in thinking?
Let’s say we turn off email tracking and don’t send data to Google or Facebook. Perhaps – instead of a ‘loss of insight’ – we can view it as an opportunity to build better relationships with audiences and customer bases, rather than relying on spying on their habits.
I’m no expert in this field and – at a micro scale – I’ve used some of these privacy-invasive tools in the past. Things like:
These things are daily practice in the marketing world, but in hindsight they feel pretty icky, even at the tiny scale I used them.
Of course, tools that offer analytics encourage users to use them. As a small business, it’s easy to think using them has little bearing on privacy matters: it’s the big advertisers that are doing the really nasty stuff, right?
I’d guess that the combination of all small businesses who use these services inadvertently contributes significant amounts of data to these big tech firms.
I’m also conscious that there’s a sliding scale. It would be difficult – reckless even – for a business to stop advertising on Facebook or Instagram if that produces a significant portion of its revenue.
That might present an opportunity to build alternative and privacy-focused marketing streams, with a view to reducing the need to advertise on those platforms. But that’s not going to happen overnight.
Moving away from these tools takes time, effort and money. It’s work.
That’s assuming we’re aware of what the problems are and how we can resolve them: whether that’s changing settings or using alternative services.
There might be clear alternatives to services like Gmail or Google Analytics. But what are the options for businesses who rely on retargeting or other data-reliant techniques?
I’ve started to pull together lists of resources and articles that have helped change my thinking on these topics. For now, it’s mainly a series of connected and unconnected thoughts.
I’ll share these in my mailing list – there’s a signup below – but I’d also be interested to hear from freelancers and small business owners who are thinking similar things.
Cookies fall into two categories: essential and non-essential. The Information Commissioner’s Office (ICO) describes essential cookies as:
...strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.
Good examples of this would be cookies that determine whether a user is logged in or not, remembering the items in a user’s shopping basket, etc.
Everything else is a non-essential cookie.
That might include cookies that:
The same cookie might be classified differently on two sites depending on the functionality that a site requires.
One of the key points around cookies in the PECR is that websites must seek consent before setting non-essential cookies:
Just because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, is not a valid reason to pre-enable it.
Crucially, analytics cookies are not classed as essential, therefore permission should be sought before these are set.
The ICO article goes on to further explain – in clear terms – what is considered valid consent. Valid consent does not include cookie banners that:
I don’t have data on this, but almost every website I’ve checked that uses a service like Google Analytics sets the cookie before the user accepts/rejects permissions. Many of these don’t give users the choice to turn non-essential cookies off.
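A check for the pattern described above, written as an added example rather than code from this site or the ICO: it parses the Set-Cookie values of a response and lists every cookie that is neither essential nor covered by the visitor’s consent. The purpose table, cookie values and function names are assumptions made for the illustration.

```javascript
// Purpose map for one hypothetical site. The same cookie can be classified
// differently on another site, so a table like this is always per-site.
// _ga and _gid are Google Analytics cookie names; the rest are made up.
const COOKIE_PURPOSES = [
  { pattern: /^session_id$/, purpose: 'essential' },
  { pattern: /^basket$/, purpose: 'essential' },
  { pattern: /^_ga(_.*)?$/, purpose: 'analytics' },
  { pattern: /^_gid$/, purpose: 'analytics' },
  { pattern: /^ad_/, purpose: 'marketing' },
];

// Constructed Set-Cookie values from a first page load, before the visitor
// has clicked anything on the cookie banner.
const SAMPLE_FIRST_RESPONSE = [
  'session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.2.1111111111.1600000000; Path=/; Max-Age=63072000',
  '_gid=GA1.2.2222222222.1600000000; Path=/; Max-Age=86400',
  'theme=dark; Path=/',
  'not-a-cookie',
];

// Split one Set-Cookie value into its name, value and attribute map.
// Returns null when there is no name=value pair to audit.
function parseSetCookie(line) {
  const parts = String(line).split(';').map((part) => part.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null;
  const attributes = Object.create(null);
  for (const attr of parts.slice(1)) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    attributes,
  };
}

// Anything not explicitly listed counts as non-essential until reviewed.
function purposeOf(name, table = COOKIE_PURPOSES) {
  const match = table.find((entry) => entry.pattern.test(name));
  return match ? match.purpose : 'unclassified';
}

// Report every cookie set without consent: not essential, and its purpose
// is not in the list the visitor has agreed to (empty before any choice).
function auditCookies(setCookieLines, consentedPurposes = []) {
  const consented = new Set(consentedPurposes);
  const report = { allowed: [], violations: [], malformed: [] };
  for (const line of setCookieLines) {
    const cookie = parseSetCookie(line);
    if (!cookie) {
      report.malformed.push(line);
      continue;
    }
    const purpose = purposeOf(cookie.name);
    const entry = {
      name: cookie.name,
      purpose,
      // Max-Age or Expires means the cookie outlives the browser session.
      persistent: 'max-age' in cookie.attributes || 'expires' in cookie.attributes,
    };
    const permitted =
      purpose === 'essential' ||
      (purpose !== 'unclassified' && consented.has(purpose));
    (permitted ? report.allowed : report.violations).push(entry);
  }
  return report;
}
```

Calling auditCookies with the headers captured before and after a banner choice shows whether the banner actually controls what gets set.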
These breaches aren’t limited to small companies that may not have the resources or time to fully explore/understand these laws.
Here’s a screenshot of the cookie permissions page from Channel 4’s All 4 app:
It’s impossible for users to turn off analytics cookies. Channel 4 explains their rationale for requiring this as follows:
In short, they justify requiring these cookies on the grounds that:
Apparently, that’s all ok because they ‘never access personal information from your device such as your name or email address’.
That seems reasonable, right? Yes, except for two points:
This is an organisation that clearly have the resources to be clued up on this stuff. And they’re not the only ones to ignore these regulations: I’ve seen many companies take a similar approach.
The underlying issue is that if sites fully complied with these laws, their current methods of collecting analytics data would mean their data is seriously inaccurate. Every user who didn’t specifically allow statistics cookies would not be counted and their movements around a site wouldn’t be tracked.
There are privacy-focused alternatives, like Fathom (that’s an affiliate link) or Simple Analytics, but the technical limitations of not setting a cookie limit the available data. To truly comply with the regulations would require companies to take a different approach to collecting and interpreting the available statistics.
That may also mean a change to online advertising models, too.
These are not bad things.
But while companies feel free to flout the regulations, analytics data is cheap and easy to come by: “cheap” if you’re not the user, that is.
Banners and notification overload are one of the difficult things about this whole malarkey. Even if a website uses a cookie wall, many users will accept all cookies because:
Or they may even be happy to have their data collected.
We already know that users don’t like waiting a long time for a website to load. The last thing they want is to wade through a load of complicated – and technical – options to decide on cookie use.
One solution would be for this to be tackled at the browser level. Browsers could define a way for websites to declare essential and non-essential cookies: the latter could be further divided into common subcategories (“Marketing”, “Analytics”, etc).
Website owners could then hook their cookies into these and users could set their default preferences for all sites, with exceptions as they want.
A widespread approach like this would encourage companies to finally take note of the cookie requirements, but it’s difficult to see this happening.
Google develop Chromium which powers Google Chrome, Microsoft Edge, Brave and others – possibly as much as ~60% of internet browsers. They almost certainly benefit from the data collected through Google Analytics and Google Ads – both services that need cookies to work best.
For general internet users concerned about online privacy and whether companies should be rewarded for ignoring regulation, now would be a great time to consider using Firefox as their main browser. It’s an excellent browser with a privacy-focus, demonstrated by their recent rollout of Facebook containers that stop Facebook tracking users around the web.
Browser diversity is important for all users if the web isn’t going to become a monopoly. If there is only one browser – and that browser happens to be controlled by a company who benefit greatly from the collection of ‘free’ data - the future for user privacy looks bleak.
After some recommendations and exploring the features, I switched both sites over to Payhip. About a month later, I switched CSS For Designers back.
The two platforms offer similar functionality. Integrating the services is similar but not the same and even the design of the dashboards is similar.
So, why the change and why the change back?
One of the most obvious differences between the services is pricing. Gumroad offers:
Payhip’s free tier is a little more generous. There are no feature upgrades, just lower fees:
Despite this, cost wasn’t really a consideration for me. Both services have free tiers with an option to upgrade when sales volumes justify it.
There were a few key features that attracted me to switch both of my sites to Payhip.
Payhip can charge customers in GBP. Gumroad can display prices in GBP, but customers are always charged in USD.
This caused some friction in the payment process as customers:
These concerns are understandable and cause needless friction.
One of the main benefits of both of these services is that they totally relieve sellers of dealing with EU Digital VAT.
Payhip even allows sellers to choose whether EU Digital VAT is added on top of the list price, or absorbed into the price. That’s a really nice feature.
The integration for Gumroad and Payhip is remarkably similar. Payhip’s is a little more cumbersome, but there’s barely any difference.
Even Payhip’s Webhooks are remarkably similar to Gumroad’s Ping. This made the switch fairly straightforward.
One other difference is how payouts are handled. Gumroad holds all payments for a week before issuing payouts through Stripe on Fridays. On Payhip, payouts are made one week after each purchase.
This is a plus and a minus. On one hand, Payhip pays out quicker, but that can mean a significant increase in bookkeeping.
It also seems that Payhip’s refunds need to be handled through Stripe, rather than the Payhip dashboard. On Gumroad, this is handled through the account.
Switching to Payhip was remarkably easy, but after some time, I found some subtle differences and feature limitations. Ultimately, these caused me to switch CSS For Designers back to Gumroad.
Gumroad have developed lots of new features for variable products and subscriptions. A particularly useful subscription feature is the ability to automatically suspend a subscription after a specified period.
This isn’t possible on Payhip yet. Depending on your use case, that could be a dealbreaker.
Another longstanding feature on Gumroad is the ability to set suggested prices on pay-what-you-want (PWYW) products. Payhip offers PWYW pricing, but there isn’t an option to set a suggested fee.
That might not seem like a big deal, but if customers can pay anything, it’s useful to give a suggested value (e.g. $5).
Lastly – and this is a big ’un – Payhip requires users to opt-in to mailing list integrations. When I contacted their support, I was told this is for GDPR reasons, but there are lots of legitimate GDPR-compliant reasons that a seller might want to add users to a list (e.g. transactional emails).
Gumroad lets sellers automatically add users to mailing lists, which is useful for follow-ups and other things. If transactional emails are important, this is a big consideration.
It’s also worth mentioning Gumroad’s workflows. These allow sellers to send automated follow-ups through the Gumroad interface, which is a nice feature not available through Payhip.
As ever, the Devil’s in the details. Many of these differences aren’t clear from the feature descriptions on either Gumroad or Payhip.
Both platforms have some great features, though neither is perfect. Ultimately, it made sense to move CSS For Designers back to Gumroad, but I’ve kept Work Notes with Payhip.
This was back in 1999, when we’d write things like <font size="4" color="#000000"> and DHTML was a thing.
When CSS came along my approach to learning didn’t differ. But I really wish I’d taken the time to learn CSS properly: there was so much fundamental stuff I missed.
Here are some things I didn’t know that I wish I’d learned earlier.
Even though I knew about these properties, I didn’t fully understand them for a long time.
Here’s a breakdown:
block elements expand horizontally to take up a whole line (like a heading). We can apply vertical margin to these.
inline elements expand horizontally just enough to contain their content (like strong or em elements). We cannot apply vertical margins to these and they should usually be placed inside a block element.
inline-block elements are like inline elements, but you can apply vertical margins to these (making them useful for things like buttons).
In the example below, block elements have a blue border, inline elements have an orange background, and our inline-block element has a red border.
See the Pen (@websmyth) on CodePen.
Images being inline by default isn’t a problem, but it can cause confusion when trying to position them or add vertical margins.
If your CSS reset doesn’t include this already, I’d suggest adding the following rule:
img {
  display: block;
}
That will make their behaviour much more predictable. You might also want to add max-width: 100%; to stop them breaking out of their container, too.
By default, the width/height of a box is calculated by adding together the dimensions of the:
This isn’t usually a problem for an element’s height: we’re usually not too bothered about how content reflows vertically. The problems usually occur when trying to calculate an element’s width, especially if there’s more than one element in a row.
If we had the following CSS:
.some-class {
  width: 50%;
  padding: 2em;
  /* a border only takes up space once it has a style */
  border: 0.1rem solid;
}
The total calculated width for .some-class would be:
50% + 4em + 0.2rem
That’s because of a property called box-sizing, which has a default value of content-box. This value means the width property applies to the content area: everything else is added on top of this.
We can change this for all elements with the following rule:
* {
  box-sizing: border-box;
}
Returning to our example, the element’s width would now apply to the border box, so our element’s total width would be 50%.
What happens to the border and padding? Those properties/values still apply, but they don’t affect the total width of the element: they sit within the defined area.
Check out this Codepen to see this in action:
See the Pen (@websmyth) on CodePen.
We haven’t discussed margin here because margin is the space between elements. For that reason, it is never part of this calculation.
If an element has no background or border, it can appear that padding and margin are the same. They are not!
margin is the space between elements
padding is space inside an element
That makes padding useful for elements that have a background. We often don’t want the content to be close to the edge of the element’s box and padding helps us achieve that.
This has been the source of frustration for CSS newcomers for a long time. Rachel Andrew describes the behaviour as:
When margins collapse, they will combine so that the space between the two elements becomes the larger of the two margins. The smaller margin essentially ending up inside the larger one.
If we have two block elements with margin-bottom: 1em on one element and margin-top: 1.5em on the element directly below it, the total space between the two elements would be 1.5em.
We can see that here:
See the Pen (@websmyth) on CodePen.
When two margins meet, the larger margin absorbs the smaller margin. If the margins are the same value, they absorb each other.
As soon as we know this, margin calculations become easier. It might also change our approach to managing them, and that’s where something like the Lobotomised Owl selector can be useful.
Note: Margins don’t collapse when the parent element is set to display: grid or display: flex.
CSS stands for Cascading Style Sheets. It’s no surprise therefore that the cascade is one of the fundamental concepts of CSS.
Though we might be aware of how our own stylesheets interact with each other, we have to remember that there’s always a default browser stylesheet. This is loaded before any custom stylesheets, making it easy to redeclare existing values.
The declared styles vary by browser, but they’re the reason that, by default:
display property (such as block or inline)
And many other things.
Even if a website only has a single stylesheet, that stylesheet will always be merged with the browser’s default styles.
Using pixels (px) is tempting because they’re simple to understand: declare font-size: 24px and the text will be 24px. But that won’t provide a great user experience, particularly for users who resize content at the browser level or zoom into content.
I started using em (and later rem) for font sizing early. It took much longer to feel comfortable using em and rem for other things such as padding, margin, letter-spacing and border.
Understanding the difference between em and rem is critical to making relative units manageable. For instance, we might use em for @media queries and vertical margins, but rem for consistent border-width.
The benefits of going all-in on relative sizing are well worth the small adjustment in thinking that requires.
When using either the ::before or ::after pseudo-elements, they require the content property, even if it’s left blank:
.some-class::before {
  content: '';
}
If this isn’t included, the pseudo-element won’t display.
The ch (character) unit is useful, particularly to set an element’s width based roughly on the number of characters in a line of text.
Only roughly? Technically, the ch unit doesn’t count the number of characters in a line.
ch is based on the width of the 0 character. Eric Meyer wrote that:
1ch is usually wider than the average character width, usually by around 20-30%.
If you’re using this to control the measure of paragraphs or similar, this is a useful distinction to be aware of.
This was a term I’d heard a lot but didn’t fully understand for a long time. The “normal flow” means that elements appear on the page as they appear in source code.
For instance, if we wrote:
<h2>Heading</h2>
<p>Paragraph text.</p>
We would expect <h2>Heading</h2> to appear before/above <p>Paragraph text.</p>. That is the normal flow.
If an element is taken out of the normal flow, that means it won’t appear in this place. Floated and absolutely positioned elements are good examples of this.
I first learned about :hover, :focus and :active pseudo-selectors in the context of styling links. At the time, all of the examples I’d seen looked something like this:
a {
color: black;
}
a:hover,
a:focus,
a:active {
color: red;
}
However, it’s better if we style our :focus states differently.
:focus is the state when a user tabs to or through focusable elements on a page (like links). When a user presses [tab], they don’t know where the focus will land.
Additionally, if a user focuses on an already-hovered item, they won’t know where the focus is.
For all of these reasons, it’s best to style :focus in a different way to :hover and :active. For instance:
a:hover,
a:active {
/* styles */
}
a:focus {
/* styles */
}
Check out this Codepen:
See the Pen (@websmyth) on CodePen.
Notice how it’s the odd-numbered rows with a background? Given our selector (p:nth-child(even)), we might expect the even-numbered rows to be highlighted instead.
However, the :nth-child() selector counts all sibling elements. Specifying an element in the selector (e.g. p:nth-child()) does not cause the selector to start counting from the first of that element type.
Instead, specifying an element in the selector means that the rule will only be applied to that type of element. If we switch our example to be p:nth-child(odd), we will see that:
h1 is not highlighted, even though it’s an odd sibling element
p elements that match the criteria (paragraph two, four, six) are highlighted
See the Pen (@websmyth) on CodePen.
Returning to our first example, let’s assume we want the even-numbered p elements to have a background. In that case, we’re better off using a different pseudo-selector altogether: p:nth-of-type(even)
See the Pen (@websmyth) on CodePen.
This demonstrates a key difference between :nth-child() and :nth-of-type(). It’s subtle, but knowing this might help to avoid some confusion.
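The counting difference described above can be seen side by side in a single page. This is an added example, not the original CodePen; the markup, class names (by-child, by-type) and colours are constructed for illustration.

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>:nth-child() vs :nth-of-type()</title>
<style>
  /* Counts every sibling, then applies only where that sibling is a p.
     The h1 is sibling 1, so "even" lands on paragraphs one, three and five. */
  .by-child p:nth-child(even) { background: #fde68a; }

  /* Counts p siblings only, so "even" lands on paragraphs two, four and six. */
  .by-type p:nth-of-type(even) { background: #bbf7d0; }
</style>
</head>
<body>
  <!-- Constructed markup: one h1 followed by six p siblings, twice. -->
  <article class="by-child">
    <h1>p:nth-child(even)</h1>
    <p>Paragraph one</p>
    <p>Paragraph two</p>
    <p>Paragraph three</p>
    <p>Paragraph four</p>
    <p>Paragraph five</p>
    <p>Paragraph six</p>
  </article>

  <article class="by-type">
    <h1>p:nth-of-type(even)</h1>
    <p>Paragraph one</p>
    <p>Paragraph two</p>
    <p>Paragraph three</p>
    <p>Paragraph four</p>
    <p>Paragraph five</p>
    <p>Paragraph six</p>
  </article>

  <pre id="report"></pre>

  <script>
    // List the paragraphs each selector really matches, using the same
    // selector engine the stylesheet uses.
    function matched(selector) {
      return Array.from(document.querySelectorAll(selector), el => el.textContent);
    }

    document.getElementById('report').textContent = [
      'p:nth-child(even):   ' + matched('.by-child p:nth-child(even)').join(', '),
      'p:nth-child(odd):    ' + matched('.by-child p:nth-child(odd)').join(', '),
      'p:nth-of-type(even): ' + matched('.by-type p:nth-of-type(even)').join(', ')
    ].join('\n');
  </script>
</body>
</html>
```

Removing the h1 from the first article makes both selectors highlight the same rows, which is why the difference is easy to miss in simple test markup.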
It’s easy to get to grips with the basics of CSS, but understanding how and why things work is critical to writing better CSS.
Taking the time to learn these things not only helped me to write CSS more quickly, but it has also helped to make my code more efficient and resilient.
The launch of HEY has been pretty divisive. That might be expected given the founders have created such an opinionated product for a fundamental internet function.
I’m coming to the end of my trial and it’s been a positive experience. It’s not a perfect product, but it’s already improving my email workflow and I’m interested to see what happens next.
Like many people, I use email as a to-do list, and not a particularly functional one. Unread messages needed to be actioned, and I’d be hoping not to accidentally leave a message ‘read’ or archive it.
For years, I used the native Gmail app. This worked ok, but switching between email services was a bit of a hassle, especially as I had six email accounts to check:
Things improved when I started using Spark. I particularly liked the calendar integration and how pinned emails displayed, but some ongoing sync issues forced me to rely on backup email apps.
A few things stood out to me as attractive HEY features:
A couple of years ago, I looked into the possibility of blocking all incoming emails except for specific senders. This is possible with Boomerang, but only on their $15/month plan.
Though HEY doesn’t offer this exact functionality, I thought the combination of services might help to achieve the same effect: reducing day-to-day email clutter and everything that brings.
Here are the benefits I’ve found:
The combined effect has been a much calmer email experience. Even though I usually have emails to respond to, the Imbox is regularly empty: something that almost never happened before.
A few things I’d like to see:
Custom domains will roll out soon. That will be another good thing as “business” accounts/custom domains will bolt-on to personal accounts: no account switching.
It’s been encouraging to see how the founders have responded to feedback, so it will be interesting to see where they take the product next.
One of the main attractions about this product is that it’s privacy-focused. For me, that alone justifies the price (as it does with services like ProtonMail).
There’s no doubt competitors will copy features that prove useful. But the privacy aspect is something HEY will always have over much of the free competition.
It’s true that HEY might not be completely revolutionary: I could have replicated some of the features and sorted out a much better email system with filters and blocklists. But even after all these years, I hadn’t done this.
For me, that’s where such an opinionated service is handy. I don’t want to have to make decisions about how to sort out my email: for now, I’m quite happy to use HEY’s system.
That won’t be the case for everyone. If you’ve got a good system in place and like how your email works, HEY might not be an improvement for you.
For me, the UI and email workflow has forced me to change the way I manage email. So far, that’s been a good thing.
clip-path is a great way to create these.
Before this was widely supported, the only option was to save images as a PNG with a transparent background, or add the website’s background colour to create a smaller JPG.
Urgh.
I’ve been experimenting with this on a couple of projects. Though there are several ways to clip an image with SVG, I’ve specifically needed to clip images using SVG-defined paths.
This is a little more complicated than using methods like circle, polygon or others. Clippy is a great tool if you need to clip a more basic shape.
We can either clip a background-image or an img element. Though I’ve used the background-image on the CSS For Designers home page, the img element technique is often more appropriate for client work because it:
alt text
Plus you retain all the other benefits of using an SVG clip-path rather than saving a pre-cut PNG/JPG image (smooth edges, file size, etc).
Let’s get into it.
First of all, we need an SVG. Here’s what we’ll use:
See the Pen (@websmyth) on CodePen.
This is taken straight from Sketch (via the useful SVGO plugin), and I’ve added a fill so you can see the shape.
We also need an image to clip. Here’s one from Unsplash:
In the Codepen below, we have the basic HTML and CSS we’ll use:
See the Pen (@websmyth) on CodePen.
There’s a fair bit of code here, so let’s break it down.
In our HTML, the img element contains the image we want to clip, with an alt description. Our SVG code is embedded directly underneath.
We’re using the SVG-defined clip-path method outlined here. In short, we’ve:
svg
clipPath with an id
path (copied from our original SVG)
In our CSS, we’ve used the clip-path property. We’re referencing the SVG clipPath we created in our HTML via its ID (#svgClip).
The result is a clipped image, but the position and size of the clip doesn’t correlate to the image itself. To make matters worse, if the image isn’t as wide as the SVG, it will appear to be cut-off:
See the Pen (@websmyth) on CodePen.
SVG-defined clip-paths issue
In the article, Chris Coyier explains an issue with SVG-defined clip-paths, where they remain fixed in the upper-left of a document.
In my (brief) testing on Firefox, Safari and Brave (Chromium), I couldn’t replicate this so this may not be an issue on more recent browsers (the article was last updated in 2016). That said, there was a difference in how Safari rendered the SVG.
Ideally, we want the SVG clip-path to scale with the image. To do this, we add clipPathUnits="objectBoundingBox" to the clipPath in our HTML:
<clipPath id="svgClip" clipPathUnits="objectBoundingBox">
However, if we want to use objectBoundingBox, our SVG path values must be between 0 and 1.
The simplest way to do this is to go back to our image editing software and resize our SVG to have a maximum width/height of 1px.
Here’s the same SVG we saw earlier, resized. The 1px dot may be difficult to see but, most importantly, the values are all between 0 and 1.
The SVG now successfully scales with the image:
See the Pen (@websmyth) on CodePen.
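The two behaviours described above, a clip that ignores the image size and one that scales with it, are shown together here. This is an added example, not the original CodePen: the blob path, the inline placeholder image, the class names and the #svgClipFixed id are constructed, and only #svgClip and clipPathUnits="objectBoundingBox" come from the text.

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>SVG-defined clip-path: fixed vs objectBoundingBox</title>
<style>
  img {
    display: block;
    width: 40%;        /* resize the window: only the second clip follows */
    height: auto;
    margin-bottom: 2rem;
  }

  /* Path coordinates are read as pixels, so the clip keeps its 300px size
     however wide the image is rendered. */
  .clip-fixed { clip-path: url(#svgClipFixed); }

  /* Path coordinates are fractions of the image's own box, so the clip
     scales with the image. */
  .clip-scaled { clip-path: url(#svgClip); }

  /* The SVG only carries definitions; keep it out of the layout. */
  .clip-defs { position: absolute; width: 0; height: 0; }
</style>
</head>
<body>
  <!-- Constructed placeholder image (a flat 600x400 rectangle) so the page
       works offline; swap in a real photo and alt text. -->
  <img class="clip-fixed" alt="Placeholder image clipped at a fixed size"
       src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='600' height='400'%3E%3Crect width='600' height='400' fill='%232563eb'/%3E%3C/svg%3E">

  <img class="clip-scaled" alt="Placeholder image with a clip that scales"
       src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='600' height='400'%3E%3Crect width='600' height='400' fill='%232563eb'/%3E%3C/svg%3E">

  <svg class="clip-defs" aria-hidden="true" focusable="false">
    <defs>
      <!-- Default units (userSpaceOnUse): values are pixels, 0 to 300. -->
      <clipPath id="svgClipFixed">
        <path d="M150,0 C240,0 300,60 300,150 C300,240 240,300 150,300
                 C60,300 0,240 0,150 C0,60 60,0 150,0 Z"/>
      </clipPath>

      <!-- Same shape with every value divided by 300, so all coordinates
           sit between 0 and 1 as objectBoundingBox requires. -->
      <clipPath id="svgClip" clipPathUnits="objectBoundingBox">
        <path d="M0.5,0 C0.8,0 1,0.2 1,0.5 C1,0.8 0.8,1 0.5,1
                 C0.2,1 0,0.8 0,0.5 C0,0.2 0.2,0 0.5,0 Z"/>
      </clipPath>
    </defs>
  </svg>
</body>
</html>
```

Dividing each coordinate by the shape's width and height is the by-hand equivalent of resizing the SVG to 1px in an image editor.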
With a few more presentational styles, we can square this off and position the img wherever we need:
See the Pen (@websmyth) on CodePen.
This is a hastily written and brief run-down of this technique. The thing that stumped me for a while was the requirement for objectBoundingBox paths to be between 0 and 1, and how to scale the SVG.
Corrections and suggestions welcome!
I’ve barely used Facebook in a personal capacity for a few years. More recently, it’s been useful to keep in touch with friends and family, but there’s always email or phone.
I’ve also benefitted incredibly from the freelance groups I’ve been a part of:
For any freelancers on Facebook, I’d heartily recommend checking these groups out.
Now feels like the right time to cut ties with Facebook. I recognise that being tech-agnostic is somewhat of a privilege, but I don’t think sticking around for my own convenience is justifiable any longer.
I’ve been uncomfortable with Facebook for a long time. Since the Cambridge Analytica scandal, Facebook haven’t done anything to improve the quality of – or ban – political adverts.
Twitter is hardly perfect, but at least it banned political ads.
I’ve been listening to “Oversubscribed” by Daniel Priestley recently. In one chapter, he describes how companies that don’t heavily target their ads are at a serious competitive disadvantage.
He goes as far as to say they’ll be run out of business.
An overdramatisation perhaps, but it’s pretty stomach-churning to think about the data profile we let these companies collect. For free.
In my fourteen years as a Facebook user, they’ve collected over 700MB of data about me. Images and videos make up 200MB of that, leaving over 500MB of messages and profile-building data.
To put that into context, the text in this post adds up to 4kb. Facebook’s collected 125,000 times that data in 14 years.
That’s roughly 35MB of text/profile data per year. Or 3MB per month.
All the time this data profits Facebook’s advertising model. Whether that’s companies targeting users for products or political parties during a campaign.
Targeted advertising and unethical user tracking have to end.
Twitter stirred up news when it started moderating Donald Trump’s tweets. This is no love letter to Twitter: the Will they suspend me? account demonstrates beautifully that not all tweets are treated equally.
But Facebook refuses to do anything. At some point, we have to decide whether we want to be associated with – and fund – a platform that chooses silence over action.
These Facebook-owned platforms are trickier to leave. WhatsApp might be easier as there’s a direct competitor in Telegram – I’ll need to convince family to move to that.
I mainly use Instagram to support freelancers and small business owners through Work Notes. For now, it feels more important to continue that work than to leave – at some point that might change.
Totally correctly, it was pointed out to me that this article initially gave a shout out to Telegram. I strongly recommend Signal instead: in fact, I got my family to move to that from WhatsApp!
Also: I deactivated my Instagram accounts many months ago. No great loss.
Lastly: Inspired by Matt Baer’s Delete Your Facebook, I’m logging relevant articles in Bookmarks.
Everyone knows you shouldn’t just send a mockup and ask what do you think? But in an age of online meetings, Sketch, Figma, Invision and whatever else, how do you get away from that?
On the Boagworld podcast, Leigh Howells talks about presenting designs through video. He says this tackles a few common issues:
I’ve been experimenting with this idea on-and-off for a while.
Initially, I was recording my screen and uploading to Vimeo.
Don’t do this unless you like dealing with:
Urgh.
I now use Loom and it’s brilliant:
Taking the lead from Howells’ method, I’ve started using video to present all initial design ideas.
Starting with wireframes, I’ll send a video that talks through the decisions I’ve made and the considerations behind them. I might also discuss ideas that didn’t make the cut and why. Demonstrating this through video is really straightforward.
Introducing video so early in the process gets the client used to receiving design ideas in that format. When we move to higher fidelity mockups, video really comes into its own.
At this stage, I’ll start by covering everything we’ve done so far:
Going over this helps clients to understand how the mockups have come about. The designs shouldn’t be a huge surprise.
The video format lets me discuss colour, type, layout and other design ideas in context. That can be difficult in other formats.
It also allows me to address potential objections before they’re raised. Demonstrating why the logo isn’t bigger, possibly by resizing it on-screen in the video, can be incredibly powerful.
It can be difficult to describe usability or accessibility issues in an easily understood manner. I find that using video helps clients understand much more easily, and it reduces any feeling that it’s just an excuse.
If you’ve ever had clients ask you to centre/justify paragraphs of text, or use illegibly light grey text, you’ll know that these can be difficult arguments to win. Even if video doesn’t change the result, it can help clients understand in a way they couldn’t before.
Once a client has seen a demonstration, I’ll send them a link to the Balsamiq/Invision project. These apps are great for feedback, but there is still a (small) learning curve.
The video format lets me quickly explain how these interfaces work, helping clients feel confident to add feedback in the app.
Another side effect of video is that the service feels much more personal. Every client I’ve done this with has loved receiving the videos, being talked through the process and the decision making.
In turn, that helps to get clients on board and become advocates for the work you’re doing. In my experience, at least.
None of these things are exclusive to presenting through video, but I’ve found it to be an incredibly effective way to communicate with clients.
Each of these has a blog. I write about CSS on CSS For Designers, freelancing at Work Notes and design/website things at Websmyth, so why another one?
There are still things I want to write about and document, that don’t fit neatly into those categories:
That’s the plan. Let’s see what happens.
px, em and rem are the most popular options, but what’s the difference between them?
Pixels are an absolute unit of measurement in CSS. That means that if a user writes font-size: 16px the output will be text at 16px.
Pixels are an easy option, but they create accessibility issues. Users who need to increase the browser’s default font size won’t be able to when the font size is set as pixels.
em is a relative unit of measurement. That means its size is relative to something else, but what?
em units are relative to their parent element. 1em is the same as the current parent’s font size.
If the parent element’s font size is 16px, 1em would be 16px. That seems simple, but how does it work in practice?
If you had the following CSS:
body {
font-size: 16px;
}
p {
font-size: 1.5em;
}
And this HTML:
<body>
<p>What size will this text be?</p>
</body>
The p text would be calculated as 1.5em x 16px = 24px. The parent of p is body so the value of em (1.5) is multiplied by 16px.
You can see that in this Codepen – experiment with some different values, too.
See the Pen (@websmyth) on CodePen.
To make these examples easier to understand, they all use a pixel value for the body font size:
body {
font-size: 16px;
}
It’s often better not to set a root font size. If we have to, set it at the html level as a relative unit:
html {
font-size: 100%;
}
This works well as the text will scale up and down if a user changes the default font size, but it can be confusing. What happens if there are several nested elements?
If our HTML looked like this:
<body>
<article>
<p>What size will this text be?</p>
</article>
</body>
And had the following CSS:
body {
font-size: 16px;
}
article {
font-size: 1.5em;
}
p {
font-size: 2em;
}
How is the p font size calculated? Here’s what happens:
The article font size is calculated as 1.5em x 16px (the font size of its parent, body). That gives article a font size of 24px.
The p font size is calculated based on its parent font size. Its parent is article, so 2em x 24px = 48px.
You can see that in action here:
See the Pen (@websmyth) on CodePen.
This is where the rem unit comes in handy. rem units work in exactly the same way as em units, except for one key difference:
The calculation is based on the root element, not the parent. That’s what the r stands for.
Returning to our example from above, the final font size of p would now be 32px because the calculation is now 2rem x 16px (the value set at the root, which is html).
See the Pen (@websmyth) on CodePen.
The rem unit allows font sizing to scale but it’s also predictable. You no longer have to worry about the impact of parent element sizes, so they’re the best of both worlds.
One of the main sources of layout frustration is that vertical margins collapse. There are some exceptions to this, but that’s the general rule.
Rachel Andrew published a fantastic breakdown of how CSS margins work, where she states:
When margins collapse, they will combine so that the space between the two elements becomes the larger of the two margins. The smaller margin essentially ending up inside the larger one.
Collapsing margins are seen frequently when we have two block elements stacked on top of each other.
In the example below, we have two p elements with margin-top: 0.5em and margin-bottom: 0.5em:
See the Pen (@websmyth) on CodePen.
At a glance, it would seem the total amount of space between these elements is 1em (0.5em + 0.5em). But that isn’t the case because the margins collapse.
In our example, the margin-bottom of the first p combines with the margin-top of the second p. That creates a total margin of: 0.5em.
Let’s say we wanted the gap between these elements to be 1em, how could we do that?
One solution might be to set one, or both of the vertical margins to 1em:
See the Pen (@websmyth) on CodePen.
That works and it gives us the desired spacing, but it’s hardly efficient: each pair of elements only uses three out of the four declared margin values.
Further problems arise when we start adding elements with different margin values into the mix. When applied across an entire site, it soon becomes difficult to know which margin values can be changed without breaking something.
A better margin strategy is to set all vertical margins in one direction only: either margin-top or margin-bottom.
Declaring margin values in this way makes our code much more predictable. You no longer have to worry about the knock-on effect of a collapsed margin.
It also makes code maintenance easier: you can safely adjust a margin knowing that it will have the desired effect.
Returning to our example, that could be rewritten like this:
See the Pen (@websmyth) on CodePen.
There will of course be exceptions to this, but they should be exactly that: exceptions.
Since adopting this technique, I’ve significantly cut down the use of top and bottom margins on a single element.
Setting margins in a single direction is particularly effective when combined with Heydon Pickering’s Lobotomised Owl technique. The original article is well worth reading.
Pickering’s technique lets us set margin only between elements. That means we no longer have spare margin at the top or bottom of a stack of elements.
In our example above, we’ve used margin-top: 1em to provide the space between all p elements. This works, but the first p is not flush with the top of the parent container.
Below, I’ve added an article container with a blue border to demonstrate this:
See the Pen (@websmyth) on CodePen.
To make the first p flush with the top of the parent box, we would need to add:
p:first-child {
margin-top: 0;
}
See the Pen (@websmyth) on CodePen.
Removing margin-top over an entire project can be verbose and difficult to maintain.
Pickering’s solution is to use the universal selector (*) combined with the adjacent selector (+), so that the margin is only applied between adjacent elements:
* + * {
margin-top: 1em;
}
We could write p + p in our example, but the elegance of the universal selector is that it applies to all elements. That means we don’t need to guess which elements our content will need: we can write exceptions where necessary.
To further control where these margins are applied, we can limit this to direct child elements within parent containers.
In our example, that would look like this:
article > * + * {
margin-top: 1em;
}
See the Pen (@websmyth) on CodePen.
The Lobotomized Owl technique is an extremely helpful and practical method of controlling vertical space.
I’d recommend reading Pickering’s original article on Lobotomized Owls.
Applying margins to the top and bottom of elements can create layout headaches and maintenance issues. When vertical margins are set in a single direction and combined with the Lobotomized Owl technique, many of these issues are resolved.
Seems obvious, but absolutely worth double checking.
You’ll want to clear two, possibly three, caches: your site’s cache, your browser and your server cache (if you have one). You may not be aware of a server cache but some hosts, such as SiteGround and WPEngine, use server-level caching to speed up websites.
Clearing your cache is the browser equivalent of turning it off and on again.
Is the selector spelt correctly? Is the punctuation and spacing correct in descendant selectors (i.e. is it nav.class instead of nav .class)?
Another classic would be to forget to close the declaration, so your CSS looks like this:
p {
color: #fff
font-size: 1rem;
}
Notice how the color is missing the semicolon? That means the CSS file will read that code like this:
color: #ffffont-size: 1rem;
Urgh!
Does it have a line through it? If so, your selector needs to be more specific.
In Chrome’s DevTools, the Computed tab can show you what’s being rendered by the browser and the rules being applied to a specific element: really handy for tracking down inheritance and specificity issues.
!important in it?
Or is the style declared in the HTML element (e.g. <div style="color: #fff;">)? If so, you can only override that with another !important.
This could be anything, so check the inheritance in the inspector.
It might need box-sizing: border-box; applied to it so that the width and height are calculated based on the size of the border-box rather than the content box (the default).
This is much less of an issue than it used to be, but worth checking if the issue is replicated in another browser. The website caniuse.com is a great tool to help with this as well.
If you’ve got this far and nothing has worked, it might be worth popping it into the CSS Validator to check it’s valid CSS. CSS Lint is another resource to check out that will give some additional feedback on what you’ve written.
If it works there, but not in your site, you’re likely dealing with an issue of inheritance or specificity. This is especially likely if you’re using a framework or template.
If the rule is shown in the inspector but it’s not taking effect, there’s probably something not quite right.
Often things need to be applied to the parent element, especially things related to the display or position properties.
display?
It’s always worth checking the display property, especially if it’s inline, inline-block or block. This might fix the issue, especially if you’re trying to apply a property that’s incompatible (or has no effect) when applied to the wrong one.
Not all properties can be applied to all elements. :visited is a good example of this, but there are lots of others.