https://davesmyth.com/commonplace-feed Dave Smyth – Commonplace 2022-06-23T00:00:00+00:00 https://davesmyth.com/q/habits-compound <![CDATA[Habits Compound]]> Dave Smyth 2022-06-23T00:00:00+00:00 Small habits don’t add up, they compound.

https://davesmyth.com/q/measurement <![CDATA[Measurement]]> Dave Smyth 2022-06-23T00:00:00+00:00 Measurement is only useful when it guides you and adds context to a larger picture, not when it consumes you. Each number is simply one piece of feedback in the overall system.

In our data-driven world, we tend to overvalue numbers and undervalue anything ephemeral, soft or difficult to quantify. We mistakenly think the factors we can measure are the only factors that exist.

But just because you can measure something, doesn’t mean it’s the most important thing. And just because you can’t measure something, doesn’t mean it’s not important at all.

https://davesmyth.com/q/goodharts-law <![CDATA[Goodhart’s law]]> Dave Smyth 2022-06-23T00:00:00+00:00 “When a measure becomes a target, it ceases to be a good measure.”
– Goodhart’s Law

https://davesmyth.com/commonplace/w3c-definition-of-tracking <![CDATA[W3C definition of tracking]]> Dave Smyth 2022-06-22T00:00:00+00:00 W3C definition of tracking

Tracking is the collection of data regarding a particular user’s activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties.

Good to see this defined by the W3C.

https://davesmyth.com/commonplace/choose-where-to-save-screenshots-on-a-mac <![CDATA[Choose where to save screenshots on a Mac]]> Dave Smyth 2022-06-22T00:00:00+00:00 Choose where to save screenshots on a Mac

Command + Shift + 5, go to options and select location. Game changer.

https://davesmyth.com/commonplace/sandberg-s-pivot-to-philanthropy <![CDATA[Sandberg’s pivot to philanthropy]]> Dave Smyth 2022-06-19T00:00:00+00:00 Sandberg’s pivot to philanthropy

Sheryl Sandberg announced this month that she’s resigning from Facebook—now called Meta—to focus on her philanthropy. Her work there is done.

During her 14 years at the company, she’s done so much damage to our society that we may never recover. The simple truth is that you cannot simultaneously dedicate yourself to making untold fortunes for a giant corporation and to championing a social good.

This may not be a pivot to data justice warrior, but this get-rich-working-at-horrendous-tech-co before using those funds for conscience-clearing philanthropy has more than a hint of Maria Farrell’s Prodigal Techbro about it.

https://davesmyth.com/commonplace/what-is-the-web-why-have-a-website <![CDATA[What is the web? Why have a website?]]> Dave Smyth 2022-06-17T00:00:00+00:00 What is the web? Why have a website?

A website is a file or bundle of files living on a server somewhere. A server is a computer that’s always connected to the internet, so that when someone types your URL in, the server will offer up your website. Usually you have to pay for a server. You also have to pay for a domain name, which is an understandable piece of language that points to an IP. An IP is a string of numbers that is an address to your server.

Links (rendered default blue and underlined—they’re the hypertext “HT” in HTML) are the oxygen of the web. Not all websites have links, but all links connect to other webpages, within the same site or elsewhere.

What a wonderful explanation.

Today more than ever, we need individuals rather than corporations to guide the web’s future. The web is called the web because its vitality depends on just that—an interconnected web of individual nodes breathing life into a vast network. This web needs to actually work for people instead of being powered by a small handful of big corporations—like Facebook/Instagram, Twitter, and Google.

(Emphasis my own)

I couldn’t agree more.

This whole article is a fantastic look at what a website is, what it can be and why it’s important for the web to be diverse.

https://davesmyth.com/commonplace/gruber-on-apple-s-app-tracking-transparency <![CDATA[Gruber on Apple’s App Tracking Transparency]]> Dave Smyth 2022-06-15T00:00:00+00:00 Gruber on Apple’s App Tracking Transparency

The notion that if a company has built a business model on top of privacy-invasive surveillance advertising, they have a right to continue doing so, seems to have taken particular root in Germany.

I’ll go back to my analogy: it’s like pawn shops suing to keep the police from cracking down on a wave of burglaries.

Too right, and it’s not just that the surveillance advertising is unethical – the data has often been collected illegally.

Centuries of pre-internet advertising prove that tracking isn’t necessary for advertising to work…

Daring Fireball is a fantastic example of this.

…but no one is arguing that tracking isn’t effective.

Effective at driving huge profits perhaps. There is growing evidence that demonstrates tracking ads aren’t that effective at their core activity.

From Augustine Fou (emphasis my own):

A 2019 study showed that a single targeting parameter, gender, derived from anonymous website visitation patterns was only 42% accurate, worse than random. If you did no targeting at all, and just did “spray and pray” with your digital ads, you’d at least hit one of the genders 50% of the time. When two parameters were taken into account – age and gender – the accuracy dropped as low as 12%. That’s like 9 times out of 10, those targeting parameters were wrong. And advertisers paid extra to make their digital marketing worse, not better.

Then there’s Bob Hoffman’s infamous Programmatic Poop Funnel. That chart showed how only three cents out of every dollar spent on programmatic ads is seen by humans.

And we can’t forget Tim Hwang’s Subprime Attention Crisis:

…the accuracy [of data profiles used for advertising] was often extremely poor. The most accurate sets still featured inaccuracies about 10% of consumers, with the worst having nearly 85% of the data about consumers wrong.

There are many more examples.

But I wonder how many clients would be happy to continue spending on surveillance ads given how inaccurate and expensive they are?

https://davesmyth.com/q/sustainability-and-personal-data-ethics <![CDATA[Sustainability and personal data ethics]]> Dave Smyth 2022-06-08T00:00:00+00:00 It’s not enough that a company produces sustainably. If you have sustainable production and at the same time expose customers to the misuse of their personal data digitally, then you have no credibility.

https://davesmyth.com/commonplace/advertisers-paid-extra-to-make-their-digital-marketing-worse-not-better <![CDATA[Advertisers paid extra to make their digital marketing worse, not better]]> Dave Smyth 2022-06-07T00:00:00+00:00 Advertisers paid extra to make their digital marketing worse, not better

Studies have shown that these inferences are inaccurate, if not completely wrong. For example, a 2019 study showed that a single targeting parameter, gender, derived from anonymous website visitation patterns was only 42% accurate, worse than random. If you did no targeting at all, and just did “spray and pray” with your digital ads, you’d at least hit one of the genders 50% of the time. When two parameters were taken into account – age and gender – the accuracy dropped as low as 12%. That’s like 9 times out of 10, those targeting parameters were wrong. And advertisers paid extra to make their digital marketing worse, not better.

(Emphasis my own.)

That last sentence is the kicker. How long will adtech, or their customers, ignore the increasing numbers of reports like this?

https://davesmyth.com/facebook-impersonation <![CDATA[Facebook impersonation]]> Dave Smyth 2022-06-03T00:00:00+00:00 A little while ago, I came across a Facebook profile that used a photo of me as the avatar. It’s a seemingly old, inactive profile with a fake name (“Hi Hi”) and spam links.

The photo is from a gig several years ago – it’s clearly of me and I wanted it removed for obvious reasons.

According to the Facebook Community Standards in their ‘Transparency Center’(!), they care deeply about Authenticity:

We want to make sure that the content people see on Facebook is authentic. We believe that authenticity creates a better environment for sharing, and that's why we don't want people using Facebook to misrepresent who they are or what they're doing.

This is a case that would seem to be heavily related to authenticity, so let’s put this to the test.

Reporting options

There are a few options available to report:

  1. If you have a Facebook account, you can report the profile as impersonation
  2. If you don’t have a Facebook account, you have to fill in a form and provide government ID
  3. Report a copyright/intellectual property claim if you are the copyright holder

I tried method one from a now-deleted ghost profile. However, it’s only possible to report the profile – not the photo – and there’s no option to give context. So Facebook only sees a report that the entire account is impersonating. Facebook rejected the complaint immediately with no opportunity to follow up.

I shouldn’t have to give Facebook my government ID for a case like this – notably a heavier burden of proof than creating a Facebook account – so option 2 is a no-go.

I also filed a Copyright Report Form. I provided the URL of the photo along with a copy of the original photo at full resolution to demonstrate ownership (something the impersonating account wouldn’t be able to provide).

Despite this, Facebook said:

Thanks for contacting us. Based on the information you’ve provided, it’s not clear that you are the rights owner or are otherwise authorized to submit this report on the rights owner’s behalf. Please note that we can only process reports from a rights owner or someone authorized to report on their behalf, such as a lawyer or agent.

I asked Facebook how I could prove ownership given that the photo was taken on my device. Their response:

We are writing to get additional details so that we can better understand your recent report. Based on the information you provided, it is unclear where the content you wish to report appears on our site. In almost all instances, the best way to help us locate content is to provide us with active web addresses (URLs) leading directly to that specific content.

In the report you filed, you did not provide any URLs (or one or more of the URL(s) you provided seems to be incomplete or inactive), and you did not otherwise provide a description of the location of the content sufficient for us to be able to find it.

If you are trying to report a post or story in your news feed, you can find its direct URL by clicking the time and date that appears in gray with the content (for example: "8 hours ago" or "August 11 at 10:30am.").

If you cannot provide URLs leading directly to the content you wish to report, please be sure to include information reasonably sufficient to permit us to locate the content, such as a description of the content and where it appears (example: on a particular timeline, in a photo album, etc.), dates/times of when the content was posted (usually indicated below the content), names of responsible users, and/or quotes of the content you wish to report as it appears on Facebook.

Please note that it is possible that the content you wish to report has already been removed from the site. If that is the case, you do not need to respond to this message.

Once you have provided information sufficient for us to locate the content you wish to report, we would be happy to look into this matter further.

Round-and-round the carousel we go: all of the requested information was provided in the initial contact.

This last email was sent on April 15th, 2022. I replied the same day with account information and the original photo again.

Facebook have stopped communicating and ignored a follow-up on May 2nd – over a month ago at the time of writing.

If Facebook can’t or won’t action basic requests like this, what hope do we have that they will take action on more complex issues?

https://davesmyth.com/commonplace/categorising-music-by-seasons <![CDATA[Categorising music by seasons]]> Dave Smyth 2022-05-31T00:00:00+00:00 Categorising music by seasons

For a couple of years, I’ve been using a fairly terrible playlist system of grouping songs by month. That doesn’t really work because I often don’t listen to enough music in a month to put together a playlist, so I skip months. Organising by season, however? That could really work.

https://davesmyth.com/commonplace/firefox-ios-inactive-tabs <![CDATA[Firefox iOS Inactive Tabs]]> Dave Smyth 2022-05-31T00:00:00+00:00 Firefox iOS Inactive Tabs

I recently noticed a new ‘Inactive Tabs’ button in Firefox iOS. It’s a new feature where windows that haven’t been opened for two weeks get shifted to a new area. I went from over 100 tabs to about ten.

It turns out it’s an experimental feature, not available to everyone, but it certainly seems like a good one.

https://davesmyth.com/commonplace/twitter-fined-usd150m-for-selling-user-data-collected-under-the-auspices-of-2fa <![CDATA[Twitter fined $150m for selling user data collected under the auspices of 2FA]]> Dave Smyth 2022-05-31T00:00:00+00:00 Twitter fined $150m for selling user data collected under the auspices of 2FA

The offences occurred between May 2013 and September 2019, according to the court document, with the information ostensibly used for purposes including two-factor authentication. But Twitter would then use this data to allow advertisers to target specific groups of Twitter users, by matching the telephone numbers and email addresses to the advertisers’ own lists of telephone numbers and email addresses.

Aside from being generally horrible, this is terrible for user trust in security measures. It also demonstrates how single pieces of data can be used to de-anonymise users when compared to other datasets.

https://davesmyth.com/commonplace/facebook-s-secret-data-collecting-weapon-the-pixel <![CDATA[Facebook’s secret data-collecting weapon: the pixel]]> Dave Smyth 2022-05-14T00:00:00+00:00 Facebook’s secret data-collecting weapon: the pixel

This is another great piece from Julia Angwin @ The Markup, shining the spotlight on the tactics of big tech.

This newsletter looks at the Facebook “Pixel”. It’s a seemingly innocuous tracking script to site owners (“we’re just improving our conversion rate!”) and simultaneously one of the grossest widespread violations of privacy on the internet.

As Jason Kint has pointed out on many occasions, the UK’s Competition and Markets Authority’s report into big tech showed that Facebook collect more data on users when they’re not on Facebook than they do when users are on the site. That’s because of the Facebook Pixel.

Any site using a Facebook Pixel is sending your data to Facebook whether you like it or not.

Probably without your clear, informed permission. And almost certainly without a simple, easy way to withdraw permission – if you ever gave it to them, that is.

When you think about the scale of data fed back to Facebook, it’s pretty horrendous. I’m glad we live in a time where browsers like Firefox and Safari are working to protect internet users against this mass invasion of privacy.

https://davesmyth.com/commonplace/create-a-do-not-backup-folder <![CDATA[Create a “Do not backup” folder]]> Dave Smyth 2022-05-13T00:00:00+00:00 Create a “Do not backup” folder

This is just a brilliantly simple idea: create a folder on your computer that’s excluded from Time Machine/Backblaze/Dropbox/Sync/whatever and use that whenever you need to temporarily store something you would never want to be backed up.

The example in the podcast is plain-text files of all your passwords. It might not seem like this sort of thing would crop up often, but it also seems like exactly the sort of thing that’s worth spending five minutes on now to save yourself a bunch of time, faff and potential unbacking-up later.

https://davesmyth.com/commonplace/wordpress-market-share-is-shrinking <![CDATA[WordPress’ market share is shrinking]]> Dave Smyth 2022-05-12T00:00:00+00:00 WordPress’ market share is shrinking

Anecdotally, more and more people are having a hard time deciding how to build their site on WordPress.

This was one of the main reasons I started looking for WordPress alternatives. I couldn’t be sure that the way I’d build a site today would be the ‘right’ way to build a site in a year or two: important for maintainability and futureproofing a client site.

I suspect this confusion over building is a shared experience for amateurs and pros alike:

  • Clients constantly report that Full Site Editing is a suboptimal experience, something borne out by installs of the Classic Editor and Classic Widgets plugins
  • Pros still rely heavily on third-party tools like Advanced Custom Fields, which arguably should have been bought into WordPress core.

Whatever the reason, it’s interesting to see the market share dip for the first time.

https://davesmyth.com/commonplace/ios-app-store-ads-convert-better-when-personalised-ads-are-turned-off <![CDATA[iOS App Store ads convert better when personalised ads are turned off]]> Dave Smyth 2022-05-11T00:00:00+00:00 iOS App Store ads convert better when personalised ads are turned off

In the first quarter of 2022, Apple’s internal data shows that Search Ads had a 62.1% average conversion rate for iOS 15 users with Personalized Ads turned on versus 62.5% for iOS 15 users with Personalized Ads turned off across all countries and regions where Search Ads are available.

Incredible both that the numbers are so close and that personalised ads actually perform worse.

https://davesmyth.com/commonplace/robin-sloan-on-twitter-s-future <![CDATA[Robin Sloan on Twitter’s future]]> Dave Smyth 2022-05-03T00:00:00+00:00 Robin Sloan on Twitter’s future

Arguing about the future of Twitter is a loser’s game; a dead end. The platform’s only conclusion can be abandonment: an overdue MySpace-ification.

https://davesmyth.com/commonplace/facebook-kills-podcasts-after-only-a-year <![CDATA[Facebook kills podcasts after only a year]]> Dave Smyth 2022-05-02T00:00:00+00:00 Facebook kills podcasts after only a year

Facebook announced various audio efforts last April during a hot market for podcasting and audio in general. But the company’s interest has waned, Bloomberg News reported last month, and it’s now focused on other initiatives, disappointing some providers.

Another example of how relying on platforms – whose desires seemingly sway in the wind – can leave businesses in the lurch.

https://davesmyth.com/commonplace/the-surveillance-ad-industry-shouldn-t-exist-in-europe <![CDATA[The surveillance ad industry shouldn’t exist in Europe]]> Dave Smyth 2022-04-29T00:00:00+00:00 The surveillance ad industry shouldn’t exist in Europe

While there are some problems with ad-supported media, they’re completely separate from the problems of surveillance – and the problems of surveillance are much worse than the problems of ads. That’s why we should ban surveillance ads.

Wait, I hear you saying. Doesn’t Europe ban surveillance ads already, through the GDPR? Well, yes, technically, they do. The process of getting consent for surveillance ads under the GDPR is deliberately so cumbersome that it is effectively impossible to run a surveillance ad industry.

So how is it that Google and Facebook and other ad-tech companies operate in Europe? Simple: they break the law. They – and many other companies – claim that they don’t need your consent to spy on you, because they can use the “legitimate interest” clause of the GDPR that allows them to process your data without asking you. This is a lie, and it’s only a lack of enforcement that allows the tech giants to get away with it (it’s possible that the new Digital Services Act will finally spur enforcement).

https://davesmyth.com/q/actions-are-votes <![CDATA[Actions are votes]]> Dave Smyth 2022-04-28T00:00:00+00:00 Every action you take is a vote for the type of person you wish to become. No single instance will transform your beliefs, but as the votes build up, so does the evidence of your new identity. This is one reason why meaningful change does not require radical change. Small habits can make a meaningful difference by providing evidence of a new identity. And if a change is meaningful, it is actually big. That's the paradox of making small improvements.

https://davesmyth.com/commonplace/mastodon-available-on-ios-and-android <![CDATA[Mastodon available on iOS and Android]]> Dave Smyth 2022-04-22T00:00:00+00:00 Mastodon available on iOS and Android

One of the challenges of Mastodon adoption is the onboarding process, because it’s not enough to capture a person’s desired username and e-mail and let them create an account, which is what people are used to from major websites; instead, you need to first choose a Mastodon server where you will make the account (comparable to e.g. choosing an e-mail provider). The implications of choosing the server are primarily in who is the entity responsible for the server, what moderation policies they enforce, what language and jurisdiction they operate in, and which domain name will be part of your username.

I’ve always found the server part of signing up to Mastodon a little odd. Why do we have to choose one? Why should we choose one over the other?

The comparison to email makes sense in my mind and the screenshots from this onboarding seem to make this a lot clearer.

https://davesmyth.com/commonplace/scarcity-ownership-and-the-inexorable-rise-of-nfts <![CDATA[Scarcity, ownership, and the inexorable rise of NFTs]]> Dave Smyth 2022-04-21T00:00:00+00:00 Scarcity, ownership, and the inexorable rise of NFTs

Not a bad description of NFTs:

What Wikipedia mentions but I’d like to emphasize is that buying an NFT does not buy you the art in question, nor the right to do what you will with it. It’s like walking into a bookstore, choosing a book that looks interesting, paying for a copy, and then leaving with only the receipt, proud of your brand new Book NFT, while the book itself remains in the store and anyone who wants to can come in and perfectly replicate and take a copy of the real thing for free. Yes, you do own….something. But the thing you own isn’t the art.

On web3 more generally:

Web 3, including Blockchain and NFTs, makes the argument that everything can and should be monetized. Each interaction has a value that can be measured in financial terms, each retweet or compliment or Kickstarter backing or Amazon review should help monetary value accrue to the tweeter or complimenter or backer or reviewer. The entire world could be Wall Street, and the fabric of our choices and online lives should rise or fall in financial value.

That is the terrifying promise, or ominous threat, of the new internet that Web3 folks are trying to usher in. It’s so deeply transactional, so exactly the opposite of the concept of mutual aid, community, and human caring.

I want to live in a world where joy exists, where things like inspiration, creation, education, and friendship are not monetized, because their value is greater and more than money can or should contain.

To me, this is one of the most understated downsides of web3.

I heard Jacob Silverman talk about this on a podcast: web3 would have everyone thinking constantly about money. Paid in Bitcoin? You’ll be forever wondering what that’s worth, if that will cover your rent, etc – a total nightmare.

On top of that, unlike traditional markets, these currencies fluctuate in value 24/7. They can be high when you go to bed and crash by the time you wake up. That’s a fundamental difference to other forms of investment and trading, especially if a significant portion of our [online] lives were to shift to transaction-based interactions.

I’m not sure it’s possible to mitigate the impact of introducing perpetual uncertainty and worry on top of already-stressful lives.

https://davesmyth.com/commonplace/macos-15-tips <![CDATA[macOS 15 Tips]]> Dave Smyth 2022-04-16T00:00:00+00:00 macOS 15 Tips

Some genuinely useful macOS system tips in here. Worth watching in full, but here are the ones I want to remember:

  1. Prevent Safari auto-opening downloaded files: Safari > Preferences > General > Uncheck “Open ‘safe’ files after downloading”
  2. After selecting multiple files, they can be merged into a PDF from the right-click context menu
  3. Switch audio inputs by holding [Option] when selecting Sound from the menu bar
  4. In Spotlight, press [Command] + [r] to open the folder of a file rather than the file itself
  5. Double clicking on a window causes inconsistent resizing by default, change this to always minimize: System Preferences > Dock & Menu Bar > Minimize windows using [minimize]
  6. Delete an entire word at a time by holding [Option].
  7. Delete an entire line by holding [Command].
  8. [Option] + left or right key lets you skip words.
  9. When taking a screenshot, hold [Option] to resize capture area, hold [Space] to move the box and press [Esc] to cancel the screenshot.

I only started using Spotlight to open apps last year and that’s been a gamechanger: it reduces the use of my mouse, makes opening/finding apps much quicker and declutters my dock. Many of these tips seem like they could be daily time savers, too. Perhaps I should keep up with this stuff…

https://davesmyth.com/commonplace/ezra-klein-dan-olson-and-diamond-hands <![CDATA[Ezra Klein, Dan Olson and diamond hands]]> Dave Smyth 2022-04-10T00:00:00+00:00 Ezra Klein, Dan Olson and diamond hands

Dan Olson, who recently brought us the spectacular two-hour deepdive into web3, recently appeared on The Ezra Klein Show. The whole thing is worth a listen, but this dissection of the ‘diamond hands’ phenomenon – not limited to the crypto world – is absolutely spot on:

So diamond hands — the logic under there and the way that that gets weaponized is that there’s not enough liquidity in these ecosystems. There’s not enough liquidity in crypto, as a whole, for the whales to do what they need to do. But then that disparity between how much cash is actually floating around and these absolutely absurd valuations that get tossed around is vast. And as a result, it’s very, very bad if people try to cash out in waves.

So as a protective measure, as like an immune-system response, the culture has developed diamond hands as a virtue, that someone who is willing to bear incoherence, that someone who is willing to bear instability, who is willing to just look past the volatility and the warning signs and just keep holding — you are a spiritually better person if you are a diamond hands who is willing to just get a grip on your Bored Ape and never sell it. So you have this Bored Ape, and it has this fictional price, whatever it’s at right now — $60,000, $120,000, $250,000, $2 million. Whatever the theoretical price of this thing is can only be realized if you sell. But selling is quitting. And quitting is spiritually bad. It means that you have given up. It means you don’t believe in the theoretical future value of that Ape.

So it’s trying to play both sides at the same time. It’s trying to make you think that it’s like, you have this asset. You are rich now, because you have this Bored Ape, and it has this value. But you’re actually cash poor, because you don’t have the money from that Ape. You can only get that money if you sell it. But selling it would be a bad thing to do. It would make you a bad person. It would make you a coward. You would be balking in the face of the future.

https://davesmyth.com/commonplace/john-gruber-on-the-evolution-of-daring-fireball <![CDATA[John Gruber on the evolution of Daring Fireball]]> Dave Smyth 2022-04-10T00:00:00+00:00 John Gruber on the evolution of Daring Fireball

This insightful talk covers the evolution of John Gruber’s Daring Fireball and how this side project became a full-time gig. The retrospective is interesting, starting with the intentionality of making it work, but also the various turning points in the road to make it a success.

It’s always fascinating to hear how creators make their work pay and sustain itself long-term. What’s particularly interesting in this case is a model – for a solo creator – that is advertising based without resorting to the tracking and privacy abuses that underpin much of the ad-tech industry.

Worth a watch if only for the quip about hair pieces and freelance graphic design work.

https://davesmyth.com/commonplace/f1-associated-nft-game-shuts-down-taking-the-nfts-with-it <![CDATA[F1 associated NFT game shuts down, taking the NFTs with it]]> Dave Smyth 2022-04-06T00:00:00+00:00 F1 associated NFT game shuts down, taking the NFTs with it

As for what’s happened to all those precious NFTs, well, for all intents and purposes they no longer exist. It’s worth noting the developers are attempting to compensate owners of those now-worthless NFTs with replacement tokens for one of the company’s other blockchain-based racing games. Affected players can be compensated in various ways, including Replacement Cars, or a “Race Pass”, or “Proxy Assets”, which “will be used in the future to obtain NFTs to products across the REVV Motorsport ecosystem.” In other words, you get a token for your token. A perfectly secure investment!

Indeed, while Animoca’s gesture might seem like a company doing right by its customers, the whole point of an NFT is that it is supposed to convey security and permanence to a digital object. It’s supposed to say “this thing exists with a uniquely attributable value”. Hence, for Animoca to turn around and say to their customers “Oh no, these NFTs are entirely replaceable” makes a mockery of the whole endeavour.

https://davesmyth.com/commonplace/web3-is-a-privacy-nightmare <![CDATA[Web3 is a privacy nightmare]]> Dave Smyth 2022-01-25T00:00:00+00:00 Web3 is a privacy nightmare

This beautifully answers some Questions I Had about privacy, the blockchain and rights for data to be erased.

Well worth watching.

The belief that the world will be fairer if the rules are enshrined in code enforced by computers, and made extremely difficult to change or circumvent is laughable. It’s not merely naive but ahistoric.

Once again, I’m reminded of Nicole Perlroth’s book: there’s a story about cyber security experts being wildly overoptimistic about how many lines of code they could guarantee would be hack-free.

Feels like there are parallels here.

https://davesmyth.com/changing-email <![CDATA[Changing 186 email addresses]]> Dave Smyth 2022-01-15T00:00:00+00:00 As part of my ongoing de-Googling, I recently finished removing my old personal Gmail account from as many accounts as I can. Along with switching email provider, I’ve switched to using masked emails instead of an actual inbox.

My password manager revealed 186 accounts that needed updating. For each, I’d either update the email address or delete the account if no longer needed.

The flows and user experience varied greatly, but I hadn’t anticipated the number of issues that would come up.

Some of these were down to poor design. In one case, the email verification link failed if I wasn’t logged in, with no indication that I had to be logged in for it to work.

More concerning were the security and data protection issues that were revealed.

Security theatre

As you might expect, many of the password requirements limitations were horrendously weak: numbers/letters only, must be no longer than 10 characters. In one example the password had to ‘start with a letter’!

For reasons entirely unknown, a surprisingly large number of services forced me to contact support to change my email or delete my account. In many cases, I wasn’t able to change the email address at all.

This could be because the company/organisation wouldn’t permit it, or the reset flow was entirely broken (e.g. email not sent, the verification link didn’t work, etc). Tough luck if you lose access to your email account!

In one case, the company wouldn’t let me change email address without providing a screenshot of the inbox – impossible with a forwarding address! They only relented when I asked them to show me the requirement in their T&Cs for the account email address to have an associated inbox...

Many websites still don’t verify email addresses, too. This perpetuates entirely preventable unintended privacy and data breaches for people mistyping their email address.

Extraordinary data retention

It was concerning to discover that several sites I hadn’t interacted with in over a decade retained lots of personal data: name, phone number, history of delivery addresses, payment details, etc. This was true even in situations where a membership/subscription had lapsed many years ago or where I hadn’t purchased anything at all (e.g. abandoned checkout).

Are these places really “not keeping data longer than they need to” as their privacy policies so often claim? At what point would they delete this?

Many accounts also force individuals to keep unnecessary information on file. Why do we have to keep an address in our accounts? Or a phone number? Or our names?

In some cases, I wasn’t allowed to update a single piece of information – such as my email address – without also supplying additional information the company didn’t have: address, phone number, etc.

To combat this, I took a leaf out of Terence Eden’s book, entering ‘alternative information’ for required fields.

Lots of contact forms don’t practice data protection by design, requiring entirely superfluous fields: surname, address, phone number, date of birth. Some companies required me to enter credit card and transaction information just to change my email address.

Account deletion

I deleted a lot of accounts. In most cases this was because I was unlikely to need the account in future. But sometimes this was necessary as the company made it difficult/impossible to update information.

Very few sites make account deletion easy. Even fewer made it crystal clear that they delete your account and data. Account deletion is often framed as ‘deactivation’, which sounds suspiciously like they hold onto your data after deleting the account.

In most cases, deleting an account required searching through help pages, an internet search or contacting support. This led to a new personal policy: if a company doesn’t make account deletion easy or clear, I do a quick search of their privacy policy for their data protection officer’s email address and ask them to delete my data. This usually resulted in quick action.

NB: I wouldn’t do, or recommend doing, this to a microbusiness.

This might seem over-the-top, but account deletion should be clear and quick. Users shouldn’t be forced to spend 10–15 minutes, longer if it involves contacting support, trying to work out how to delete their account.

All I want is a big red button that says “delete my account and all associated data immediately”. Is that too much to ask?

A permanent record for convenience

I’m glad I did this but it was work. It also revealed just how much of our personal data is peppered through the databases of companies we no longer have a relationship with.

Yes, this information is necessary to perform transactions. But it was surprising and concerning to see how many sites retain this data for many years after my last transaction or interaction. In more than a couple of cases, over a decade had passed since I’d last logged in.

There are clear and obvious benefits both to users and companies for data to be held for a period of time. But going back through so many accounts, it was startling to see so many pieces of still-accurate data (e.g. phone number) retained in accounts I hadn’t touched in many years. This digital trail also revealed many old addresses and the contact details/addresses of people I might have sent things to.

Where does the responsibility lie? Is it down to individuals to keep tabs on every single account they create or purchase they make? Should we all be making diary notes to check in and delete our details? Or should there be a standard point at which users are deemed ‘inactive’, after which their data is purged?

It seems the default position is to hold user data indefinitely, despite privacy policies frequently saying “we don’t hold data any longer than we need to”. Generally speaking, this statement seems worthless.

This causes problems for users, who seem solely responsible for cleansing their data from every single company they interact with, even if it’s not clear or obvious their data is being held (i.e. when retained after an abandoned checkout).

And it could cause problems for companies, too: it increases the risk of unnecessary data being exposed in data breaches, which could lead to uncomfortable questions about their data retention practices.

If data was regularly purged when users become ‘inactive’, it would help users and companies alike. Individuals’ personal data would be held in fewer places, their digital footprint would be minimised and companies would reduce their exposure in the event of a breach.

Ultimately, buying from or creating an account with a website doesn’t mean we give the company permission to hold our data forever. But in many cases, it seems that is exactly what’s happening.

]]>
https://davesmyth.com/commonplace/redesigning-the-business-of-advertising-cindy-gallop <![CDATA[Redesigning the business of advertising – Cindy Gallop]]> Dave Smyth 2022-01-10T00:00:00+00:00 Redesigning the business of advertising – Cindy Gallop

This talk is full of gems. It’s nearly ten years old, but it all still rings true today:

If you align your strategies to what everyone else is doing, be sure a single business bullet will take you all down.

I get a lot of people coming to me for mid-life crises, career crises, business ventures, startups, and I always ask them to do the same two things. And, interestingly, these two things are the same whether you’re a person who’s lost their way or a business who’s lost their way:

  1. Identify what it is that you absolutely love doing, that you’re passionate about
  2. Identify the conditions under which you most love doing it

I believe the future of business is about doing good and making money simultaneously. And not in the old world order way that most companies currently do it which goes: we make money ‘here’ and then we do good by writing cheques to causes to clear our conscience over ‘here’. But the new world order way that we make money because we do good.

The vast majority of purchasers in every product sector are women. The vast majority of influencers of purchasers in every product sector are women. Women form the majority of users of social media. These days, women are the majority of gamers. Women are the majority of people who express themselves as digital personas online.

The majority of people creating the advertising communication that targets those women are men. In the US, only 3% of all advertising agency creative directors are female – 97% are male. The majority of people deciding whether that communications and advertising are the gold standard of creativity and effectiveness in our industry are men.

Women challenge the status quo because we are never it.

]]>
https://davesmyth.com/q/tihttmtwe-epilogue-ii <![CDATA[Epilogue II]]> Dave Smyth 2022-01-09T00:00:00+00:00 Threats that were only hypotheticals a decade ago are now very real. Russia proved it can turn off power in the dead of winter. The same Russian hackers who switched off the safety locks at the Saudi petrochemical plant are now doing digital drive-bys of American targets.

A rudimentary phishing attack arguably changed the course of the American Presidential election. We’ve seen patients turned away from hospital because of a North Korean cyber attack. We’ve caught Iranian hackers rifling through our dams. Our hospitals, towns, cities and, more recently, our gas pipelines have been held hostage with ransomware.

We’ve caught foreign allies repeatedly using cyber means to spy on and harass innocent civilians, including Americans. And over the course of the coronavirus pandemic, the usual suspects, like China and Iran and newer players, like Vietnam and South Korea, are targeting the institutions leading our response.

]]>
https://davesmyth.com/q/tihttmtwe-epiloque-i <![CDATA[Epilogue]]> Dave Smyth 2022-01-09T00:00:00+00:00 One decade ago, the primary threats to our national security were still, for the most part, in the physical domain: hijackers flying planes into buildings, rogue nations getting a hold of nukes, drug mules tunneling in through the southern border, the improvised explosive devices tormenting our troops in the Middle East, and the homegrown terrorists detonating them in the middle of America. Developing the means to track those threats and stave off the next attack has always been in the NSA’s job description.

If the next 9/11 struck tomorrow, the first question we would ask ourselves is the same question we would ask some two decades ago: how did we miss this? But in the two decades since 9/11, the threat landscape has been dramatically overhauled.

It is now arguably easier for a rogue actor or nation state to sabotage the software embedded in the Boeing 737 Max than it is for terrorists to hijack planes and send them careening into buildings.

]]>
https://davesmyth.com/q/tihttmtwe-everything-has-been-intercepted <![CDATA[Everything has been intercepted]]> Dave Smyth 2022-01-09T00:00:00+00:00 The barrier between the physical and digital worlds is wearing thin. “Everything can be intercepted” is right, and most everything important already has: our personal data, our intellectual property, our chemical factories, our nuclear plants, even our own cyber weapons. Our infrastructure is now virtualised, and only becoming more so as the pandemic thrusts us online with a scope and speed we could never have imagined only weeks ago. As a result, our attack surface – and potential for sabotage – has never been greater.

]]>
https://davesmyth.com/q/tihttmtwe-vuln-consealment <![CDATA[Vulnerability concealment]]> Dave Smyth 2022-01-09T00:00:00+00:00 For years, intelligence agencies rationalised the concealment of digital vulnerabilities as critical to monitoring America’s adversaries, to war-planning, to our national security. But those rationalisations are buckling. They ignore the fact that the internet, like so much we are now witnessing in a global pandemic, has left us inextricably connected. Digital vulnerabilities that affect one, affect us all.

]]>
https://davesmyth.com/commonplace/my-first-impressions-of-web3 <![CDATA[My first impressions of web3]]> Dave Smyth 2022-01-08T00:00:00+00:00 My first impressions of web3

Some choice quotes:

People don’t want to run their own servers, and never will.

Experiments

I made a dApp called Autonomous Art that lets anyone mint a token for an NFT by making a visual contribution to it. The cost of making a visual contribution increases over time, and the funds a contributor pays to mint are distributed to all previous artists (visualizing this financial structure would resemble something similar to a pyramid shape).

I also made a dApp called First Derivative that allows you to create, discover, and exchange NFT derivatives which track an underlying NFT, similar to financial derivatives which track an underlying asset 😉.

Trust

So much work, energy, and time has gone into creating a trustless distributed consensus mechanism, but virtually all clients that wish to access it do so by simply trusting the outputs from these two companies without any further verification. It also doesn’t seem like the best privacy situation. Imagine if every time you interacted with a website in Chrome, your request first went to Google before being routed to the destination and back. That’s the situation with ethereum today. All write traffic is obviously already public on the blockchain, but these companies also have visibility into almost all read requests from almost all users in almost all dApps.

Partisans of the blockchain might say that it’s okay if these types of centralized platforms emerge, because the state itself is available on the blockchain, so if these platforms misbehave clients can simply move elsewhere. However, I would suggest that this is a very simplistic view of the dynamics that make platforms what they are.

Tokens

Instead of storing the data on-chain, NFTs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NFTs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NFT to whatever they’d like at any time (regardless of whether or not they “own” the token). There’s nothing in the NFT spec that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.

Comparisons to email

Given those dynamics, I don’t think it should be a surprise that we’re already at a place where your crypto wallet’s view of your NFTs is OpenSea’s view of your NFTs. I don’t think we should be surprised that OpenSea isn’t a pure “view” that can be replaced, since it has been busy iterating the platform beyond what is possible strictly with the impossible/difficult to change standards.

I think this is very similar to the situation with email. I can run my own mail server, but it doesn’t functionally matter for privacy, censorship resistance, or control – because GMail is going to be on the other end of every email that I send or receive anyway. Once a distributed ecosystem centralizes around a platform for convenience, it becomes the worst of both worlds: centralized control, but still distributed enough to become mired in time.

]]>
https://davesmyth.com/commonplace/france-fines-google-usd169m-and-facebook-usd67m-for-making-it-too-hard-to-reject-cookies <![CDATA[France fines Google ($169m) and Facebook ($67m) for making it too hard to reject cookies]]> Dave Smyth 2022-01-07T00:00:00+00:00 France fines Google ($169m) and Facebook ($67m) for making it too hard to reject cookies

If a GDPR case affects people in more than one EU nation, the regulator overseeing it must submit a draft decision to their counterparts in other countries. If other regulators raise objections to the penalty, they can trigger a dispute-resolution process, giving them more time to deliberate.

The Irish data-protection commissioner oversees Alphabet, Meta and other tech giants because those companies’ European headquarters are in Ireland. The Irish watchdog has faced criticism from activists and other European privacy regulators for the length of its investigations.

By choosing to fine Google and Facebook under the ePrivacy law, the French regulator avoided the frustrations of the GDPR’s power-sharing system

Just imagine if these fines were issued under GDPR for the maximum 4% of turnover: we might see a bit more compliance on the cookie front.

Perhaps France should be responsible for overseeing Meta, Google and other giants under GDPR as well…or perhaps it shouldn’t be the sole responsibility of a commissioner in a single country.

]]>
https://davesmyth.com/commonplace/kazakhstan-internet-shutdown-sheds-light-on-a-big-bitcoin-mining-mystery <![CDATA[Kazakhstan internet shutdown sheds light on a big Bitcoin mining mystery]]> Dave Smyth 2022-01-06T00:00:00+00:00 Kazakhstan internet shutdown sheds light on a big Bitcoin mining mystery

Emphasis mine:

Violent protests erupted over the soaring cost of fuel and [Kazakhstan’s] autocratic rule. President Kassym-Jomart Tokayev sacked his government and declared a state of emergency. Apparently on his orders, the largest telecom provider shuttered the internet to interrupt communications among the opposition’s ranks. When the web goes down, miners can’t communicate with the Bitcoin network. The “hash rate,” the random codes that win fresh awards of Bitcoin, collapses. A few hours into the outage, Larry Cermak of the crypto news and research site The Block tweeted that a full 12% of Bitcoin’s worldwide computational power had vanished. His data showed sharp declines for a number of producers with operations in Kazakhstan. The hash rates for AntPool, Poolin and Binance Pool all fell between 12% and 16%.

Blimey.

]]>
https://davesmyth.com/commonplace/shadow-accounts-on-social-media-platforms <![CDATA[Shadow accounts on social media platforms]]> Dave Smyth 2022-01-02T00:00:00+00:00 Shadow accounts on social media platforms

Facebook likely maintains shadow profiles of people with deleted accounts anyway, so I’d rather be able to affirmatively control what they’re doing with the data they have on me.

Does Facebook continue to collect/store data about us (from advertisers, Facebook Pixel etc) even if we don’t have a Facebook account?

We already know that Facebook continues to store data about deactivated accounts and unless anything has changed since this exchange, it seems likely they do.

What’s the legal basis for storing or collecting that data about someone through a shadow profile? This is the same thing that caused the furore around Clubhouse’s request to upload all your contacts.

I’ve submitted a subject access request to find out what they have on me, but I suspect that will be rejected.

What right do companies have to collect/store/process data about individuals – associated through an email address, phone number or other identifier – when the individual hasn’t interacted with that company or has deleted an existing account?

]]>
https://davesmyth.com/commonplace/https-twitter-com-doctorow-status-1476076093538979842-s-20 <![CDATA[Privacy is a team sport]]> Dave Smyth 2021-12-29T00:00:00+00:00 Privacy is a team sport

As part of a longer thread, Cory Doctorow tweeted:

After all, privacy is a team sport. I don’t use Gmail (my mail is on a standalone server that @orenwolf keeps at a data-center in Toronto, and I POP it every 60 seconds and move the mail offline to my encrypted laptop).

In some sense, none of my mail is in the cloud. In another sense, ALL of my mail is in the cloud, because EVERYONE I SEND MAIL TO is using Gmail or a handful of its competitors, all of whom mine that email for commercial surveillance purposes.

It’s pretty wild to think of it this way. We might take steps to protect privacy on email we receive, but email we send may be scanned/mined by the recipient’s email provider.

If that happens, what are the grounds to do this? Senders have no relationship with the recipient’s email provider and no way to know this is happening, let alone signal consent.

Scanning emails for security and spam prevention purposes is one thing. Using that data to feed surveillance capitalism is something else.

This isn’t definitely occurring, but if providers are mining users’ emails for advertising, it’s possible – likely, even – that this is not limited to emails that the user sends.

If this is happening, we arrive at a separate question: are email providers building profiles on people who don’t use the service? In theory, this could be tied to other data sources to match data to a user through their email address.

Bearing all of this in mind, Doctorow’s positioning of privacy as a ‘team sport’ makes a lot of sense. Perhaps we have a responsibility not to use services like Gmail to protect the people we communicate with as well as ourselves.

]]>
https://davesmyth.com/ovo <![CDATA[Trace + Search]]> Dave Smyth 2021-12-29T00:00:00+00:00 My wife and I have been dealing with the fallout of a service companies use to try and identify people liable for unpaid bills. A few months ago, we were forwarded a bill from Ovo Energy, sent to our old address.

We were in a strong position to deal with this: there was no conceivable way we were liable and the due amount was small. But extracting information from Ovo about the trace and search process was tricky, and internet searches didn’t reveal much.

This account is to help others who might find themselves in a similar position and provide some transparency on what I’ve been able to discover about trace and search.

The episode also unveiled some data protection concerns: it shows how data is shared between third parties and the actions they might take. All without a subject’s knowledge or consent.


The invoice we received showed a billing period that started roughly nine months after we’d moved out: we weren’t Ovo customers when we left.

Our initial suspicion was identity theft. We knew that some mail hadn’t been redirected to our new address and wondered if someone had tried to get away with dodging some bills.

We did a credit check to see if anything had changed on my wife’s account and called Ovo to ask about the bill. I was told my wife would be removed from the account and I should hear from someone within a few days...

Trace and search

Two weeks later, the only communication we’d received was a debt collection email sent to the address I’d provided in the initial phone call. Following up with Ovo, I was eventually told this wasn’t identity theft but a process called trace and search.

Ovo said trace and search had identified my wife as financially responsible for this address. Their debt collection department said this involved a credit check and someone visiting the address to verify this.

I was told my wife would have to prove she no longer lived at the address by providing a tenancy agreement for the previous address or a council tax bill at the new address.

This seemed odd, not least as a tenancy agreement would do nothing to prove we no longer lived at the property. Our agreement only stated the months of our initial year, after which we moved to a rolling tenancy.

The most concerning aspect of this was it revealed Ovo had fraudulently created an account in my wife’s name and put the onus on her to prove she shouldn’t be associated with it.

On top of this, Ovo had acquired details about my wife and wanted further details to cancel this account. Without the slightest hint of irony, Ovo used these details – name, date of birth, supply address – for ‘data protection’ each time I called.

When I pressed for details about the trace and search process – particularly who they had spoken to at the address – none were forthcoming. Customer services stuck to a script and reiterated that it was my wife’s responsibility to demonstrate she was not financially responsible.

Resolution

It took several weeks before we were contacted by an Advanced Resolution Specialist. In the meantime, we’d checked my wife’s credit report again.

The report showed she had a couple of accounts associated with our old address. One was a bank account she didn’t use and another was a credit agreement for a phone – the bank was easily changed, the other not so much.

It can’t be unusual for people to forget to update an address or two – the house we’ve moved to still receives plenty of mail for the previous occupant. Yet it seems any active credit linked to an address is enough for a trace and search to:

  1. Determine a person currently lives at an address
  2. Arbitrarily assign the financial responsibility to that person
  3. Create an account in their name
  4. Require that person to prove they don’t live there

The Advanced Resolution Specialist spoke openly about how this situation had occurred. But there was no satisfactory explanation of why the account had been assigned to my wife. Our previous address comprised of several flats: any of the other occupants could have been deemed responsible for the bill.

They also explained that this was an entirely automated process – no-one had been to the address – and the active credit was the sole link between my wife and address. This confirmed my assumptions about trace and search.

In the six weeks between initially contacting Ovo and speaking to the Advanced Resolution Specialist, we received debt collection emails from Ovo’s attack dogs. These emails were punctuated with the following threat:

Please know, we share data with credit reference agencies, which might affect your credit rating. So the sooner we sort this, the better.

Nice.

Ultimately, Ovo sent us £50 as a resolution and the following apology:

On behalf of OVO Energy I would like to apologise for the recent trace and search that identified [your wife] as still updating credit at the address. This led to OVO Energy assigning charges in her name.

And that was the end of it, or it should have been...

Data concerns

As part of the resolution, I submitted an erasure request to remove my wife’s details from Ovo’s systems. A few weeks earlier, we’d also submitted a subject access request to find out what data Ovo held about her.

A couple of days later, I received an email from another Advanced Resolution Specialist to say the erasure request had been “rejected as it technically needs to be requested by the person whose details need to be erased”.

Throughout this entire debacle, I’d wondered what the legal basis for collecting, storing and processing my wife’s data was. Ovo had created the account without her knowledge or consent and made no effort to contact her apart from the initial bill.

Ovo’s pushback on the erasure request raised further questions:

  1. What was the legal basis for continuing to store and process her data now Ovo acknowledge the account was incorrectly associated with her?
  2. In the case of an incorrectly created account, is an erasure request necessary?
  3. If my wife decided to submit an erasure request herself, how would Ovo expect her to prove her identity?

Ovo don’t have our address or my wife’s email address. As far as I can tell, they only have her name, date of birth and supply address: all information I was able to provide to get her case this far.

Would Ovo seriously be looking for her to provide more information: data they can’t verify?

One month on and Ovo haven’t responded to these questions. The 30-day deadline for the subject access request has passed, too.

I’ll update this article when I have answers regarding their basis for processing my wife’s data.


Summary

The last time I spoke to Ovo, I was told the Advanced Resolution Specialist I originally spoke to has left the company and the second has taken a different role. Apparently, our complaint is in a queue waiting to be reassigned: you couldn’t make it up.

Trace and search is an aggressive and opaque practice for companies to recover funds. With next-to-zero effort or evidence, companies are able to:

  1. Create accounts for people
  2. Issue bills for whatever they feel they are owed
  3. Threaten their credit rating

We only received Ovo’s invoice because of our mail redirection. If that hadn’t been in place, Ovo’s actions could easily have affected my wife’s credit rating and we would have no knowledge about the incident.

The worst part about this was how long Ovo took to remove my wife from the account. Matters like this should not take months to resolve: the company has unilaterally created her account.

Ovo made no effort to contact my wife before sending the invoice, nor did they verify the data they received. But as Ovo deem the onus is on her, there’s no incentive for them to move quickly.

Ovo told me that someone has subsequently taken over the energy supply for the address. One would think that might be a good place to start making enquiries, but why bother when you can outsource the work to an automated credit check with no accountability?

]]>
https://davesmyth.com/commonplace/https-adalytics-io-blog-adtech-not-checking-user-tcf-consent-german-user-wsj <![CDATA[Adtech not checking user consent]]> Dave Smyth 2021-12-27T00:00:00+00:00 Adtech not checking user consent

Adalytics asked the advertiser how they felt about this situation, when they noted that their ad tech vendors had reported “gdpr=0” whilst many of the receiving users were clearly in the EU. The advertiser responded (in writing):

“I would be worried about my compliance risk as an advertiser. After all, my ads were shown and regulators will think I was in breach of privacy regulations. I had trusted the network to take care of all of this, like other basic things (e.g., verifying ads.txt entries). Their lack of basic diligence puts me in jeopardy. If the exchange is not doing basic checks for something so simple, you’d wonder what else they are not doing well, or at all, to protect advertisers from fraud and other issues.”

An EU citizen with a German IP address installs Google Chrome on their desktop for the first time. This new instance of Chrome is not logged into any accounts or emails, and has no cookies or local storage.

The user visits a wsj.com article, and is shown a consent banner.

Before this user has an opportunity to click on any specific consent icons or buttons, the user’s browser makes dozens of HTTP requests to third party domains, belonging to companies such as Google, Adobe, New Relic, Cxense, and The Trade Desk.

Many of these HTTP requests contain response headers that set tracking cookies in the user’s browser. For example, an HTTP request made to match.adsrvr.org sets a cookie in the user’s browser called “TDID”; this cookie is set to expire in 365 days.

This example with wsj.com and a German IP address user shows that several ad tech vendors are sending and receiving data, and storing cookies, without consent or legitimate interest. These patterns are observed even after the user has navigated through several pages on the wsj.com website post-consent selection.

]]>
https://davesmyth.com/commonplace/https-edwardsnowden-substack-com-p-assange01 <![CDATA[Snowden on Assange]]> Dave Smyth 2021-12-24T00:00:00+00:00 Snowden on Assange

This is quite something (emphasis my own):

I agree with my friends (and lawyers) at the ACLU: the US government’s indictment of Assange amounts to the criminalization of investigative journalism. And I agree with myriad friends (and lawyers) throughout the world that at the core of this criminalization is a cruel and unusual paradox: namely, the fact that many of the activities that the US government would rather hush up are perpetrated in foreign countries, whose journalism will now be answerable to the US court system. And the precedent established here will be exploited by all manner of authoritarian leaders across the globe.

]]>
https://davesmyth.com/commonplace/https-signal-org-blog-become-a-signal-sustainer <![CDATA[Signal’s subscription model]]> Dave Smyth 2021-12-24T00:00:00+00:00 Signal’s subscription model

You can also feel safe knowing we’ve built these subscriptions so that they only renew if you use Signal over the course of the month. Should you stop using Signal, or uninstall the app, they will be automatically cancelled after the next cycle, which helps eliminate the “dark pattern” of subscriptions you’ve forgotten about.

Perhaps the way all software subscriptions should run.

]]>
https://davesmyth.com/commonplace/https-ez-substack-com-p-the-malevolence-of-the-metaverse <![CDATA[Malevolence of the metaverse]]> Dave Smyth 2021-12-22T00:00:00+00:00 Malevolence of the metaverse

On the metaverse:

Take this quote from the WIRED article:

“If VR and AR headsets become comfortable and cheap enough for people to wear on a daily basis—a substantial ‘if’—then perhaps the idea of a virtual poker game where your friends are robots and holograms and floating in space could be somewhat close to reality.”

What an utterly clownish sentence. The substantiality of that ‘if’ is not ‘hey, maybe we’ll work this out,’ but ‘we are not even remotely close to doing this on a very basic level.’ If you’ve used an Oculus, HTC, or Sony VR headset, or any other of the various bespoke VR experiences, you will know that they are janky, even if you can get the hardware to fit well.

The only reason people are giving this term the time of day is because Facebook (successfully) used it to distract from the larger conversation about how much they suck.

On Web3:

Every major influencer-investor - the ones that seemingly do not do anything other than post on Twitter and release 4-hour-long podcasts - has done some sort of 30-tweet thread about how web3 is the future of the economy, but also communities, and that is where the metaverse fits in. Confused? Well, they think you’re an idiot and they’re going to block you if you question it.

The idea, of course, is that “everybody wins” because the value of a token goes up, and “it’s decentralized and thus no big party wins,” as long as you don’t think about who has the most tokens, who invested early, and who is or isn’t manipulating the price. The public lie is that you’re playing or participating because it’s a fun game, and because you want to “own your data,” but the reality is you’re trying to “invest” in a system that was built to monetize you.

]]>
https://davesmyth.com/commonplace/https-typeagroup-createsend-com-campaigns-reports-viewcampaign-aspx-d-d-and-c-fc142680cdb9311a-and-id-3e07dd46c1b32a112540ef23f30feded-and-temp-false-and-tx-0-and-source-report <![CDATA[Bob Hoffman on wasted ad dollars]]> Dave Smyth 2021-12-22T00:00:00+00:00 Bob Hoffman on wasted ad dollars

According to the ANA and PwC, 70% of advertising dollars spent on online programmatic advertising never touch a human being. Of $200 billion in annual programmatic ad spend, $140 billion disappears in “ad fees, fraud, non-viewable impressions, non-brand-safe placements, and unknown allocations” (by “unknown allocations” you can read “shit that no one can figure out.”)

All of that tracking and surveillance for nothing.

Also features a funny story about Scotland:

At the time, when you arrived at an airport in Scotland, you were greeted by signs and posters announcing that you were visiting “The Best Small Country In The World.”

After spending $250,000 and six months, the new administration rolled out its exciting new slogan: “Welcome to Scotland”

]]>
https://davesmyth.com/commonplace/https-www-calnewport-com-blog-2021-11-23-the-forgotten-tale-of-george-lucass-writing-tower <![CDATA[George Lucas’ writing tower]]> Dave Smyth 2021-12-22T00:00:00+00:00 George Lucas’ writing tower

On George Lucas’ writing tower:

I think this case study underscores the more general point that, for professional creatives, spending money to upgrade the aesthetics of your workspace is not just an exercise in expression, but is perhaps instead one of the best business investments you’ll ever make.

]]>
https://davesmyth.com/commonplace/https-email-is-good-com-2021-12-13-email-clients-should-offer-to-hide-autoresponders <![CDATA[Hide autoresponders]]> Dave Smyth 2021-12-13T00:00:00+00:00 Hide autoresponders

But it’s that time of year where we start seeing a ton of autoresponders and it’s got me thinking about it again. Personally, I don’t care to see them ever. I literally don’t care in any context. Hit me back when you hit me back, I’m not going to read what your autoresponder says anyway.

Yes!

There are some cases where an autoresponder can be useful. If you’re working with someone, it can be helpful to know that they won’t get to this for a few days (so you shouldn’t wait for a reply), or if they’ll be gone for a long time and you should speak to someone else.

I’ve also enjoyed some regularly updated autoresponders, too.

Maybe there’s a middle-ground. Perhaps your inbox checks the autoresponder to see if you’ve had that exact message before, then hides it?

]]>
https://davesmyth.com/q/gifting-books <![CDATA[Gifting Books]]> Dave Smyth 2021-12-11T00:00:00+00:00 Entertain the idea of never lending out a book again. Instead – give them away, then buy yourself a replacement. A lent book often lingers in the background of a friendship as a little irritation obligation. (When will they return it? Will they have folded the corners down?) Whereas a gift is a gift is a gift.

]]>
https://davesmyth.com/q/james-clear-on-reading <![CDATA[James Clear On Reading]]> Dave Smyth 2021-12-11T00:00:00+00:00 James Clear, who’s quite an expert on how to form new habits successfully, sums all this up more constructively: ‘Start more books, quit most of them, read the great ones twice.’

]]>
https://davesmyth.com/q/thumb <![CDATA[Thumb]]> Dave Smyth 2021-12-11T00:00:00+00:00 Put your e-reader app where your Twitter / Facebook / Instagram app currently lives on your phone.

]]>
https://davesmyth.com/commonplace/https-justinjackson-ca-conventional <![CDATA[Justin Jackson on popular wisdoms]]> Dave Smyth 2021-12-11T00:00:00+00:00 Justin Jackson on popular wisdoms

Justin highlights two important thoughts on advice.

The first is from James Clear:

Everything is an oversimplification. Reality is messy and complex. The question is whether it is a useful simplification. Know the limitations of an idea and you can apply it to great effect—despite the messiness of reality.

The second is from Elizabeth Earnshaw:

I also like this idea from Elizabeth Earnshaw that a lot of popular wisdom has a “missing half.”

A few of her examples:

  • “You can’t change other people… and you might influence them to change.”
  • “Self-care isn’t selfish… and sometimes we call things ‘self care’ that actually are kind of selfish.”

These two ideas beautifully articulate something I increasingly struggled with when writing the Work Notes freelance guide. Everyone’s situation is different, their paths there are varied, we have different privileges and these things introduce nuance that can’t be accounted for, even if the advice is broadly accurate.

As Stewart Lee says, “context is not a myth”.

I’m reminded of Hilary Weiss’s takedown of the Charge What You’re Worth Mantra: another oversimplification with a missing side.

]]>
https://davesmyth.com/twitter-hacks <![CDATA[Twitter Hacks]]> Dave Smyth 2021-12-07T00:00:00+00:00 It’s incredibly difficult to speak to a human in support on social media platforms.

From the platform’s perspective, it makes sense. They’re dealing with millions/billions of users: it’s impractical to have anything other than self-service and automated support systems.

For users, this doesn’t matter when everything’s going smoothly, but what happens when something goes wrong? What happens if this account is critical for your business?

Recovering an account

This happened to a friend-of-a-friend recently. A mutual friend put us in touch after their Twitter account had been hacked.

In short, they had received an email to say their account had been accessed from a different country. By the time they tried to access the account, the email address, password and phone number had been changed.

I don’t know anyone at Twitter, nor do I have any experience of recovering lost accounts, but I wanted to help. They had already tried multiple methods of reaching Twitter support with no luck.

This struck me as odd because Twitter would be able to see:

  • Login patterns/locations
  • That this person was emailing from the previously-associated email address
  • That the account email, password and phone number were all changed shortly after a login from a previously unused location

Nothing from Twitter’s support pages on hacked accounts seemed to help. At one point, Twitter’s systems even asked the hackee to log in to their account and verify their ownership...

Template letter

In this case, the account was clearly attached to an individual: the photo was a headshot and the account username and name were that of the account holder. With this in mind, we decided that one approach would be to claim the account was an impersonation.

After some unsuccessful attempts, the account holder successfully regained access. The key was to pitch their support request around the fact that this account was representing their business (as a sole trader, but this should work for companies, too).

The account holder tried this after scouring the internet and finding a template letter similar to this (source currently unknown):

Dear Twitter Team,

Thank you for the quick response to my query regarding the official Twitter account of [NAME].

In answer to your questions:

  • Your username - [@USERNAME]
  • Any email addresses that may be associated with your account - [ACCOUNT EMAIL ADDRESS]
  • The last date you had access to your account - [DATE]
  • The phone number associated with the account (if you verified your phone number) - [PHONE NUMBER]

I am the sole representative of the business, [BUSINESS NAME], registered in the UK with HMRC.

The Twitter account [@USERNAME] was created [X] years ago and has been operated by me since then as the social media account for my business. Recently, someone maliciously acquired access to the account, changed the email address associated with it and also the password - on or around [DATE], which I think you will be able to see from your records.

Could I please request that you change the email address for the Twitter account back to [ACCOUNT EMAIL ADDRESS] so that I can recover the account and start using it as the business’s official Twitter account once more?

I hereby confirm that all the information provided above is true and accurate to the best of my knowledge.

If you have any questions, kindly contact me on this email or on [PHONE NUMBER].

With best wishes,

[NAME]

If you lose access to your Twitter account and it’s associated with your business, this could be a route to regain access.

]]>
https://davesmyth.com/commonplace/https-www-vox-com-recode-22620276-what-to-do-when-you-get-someone-elses-email-security-vulnerabilities-gmail-inbox-invasion <![CDATA[Receiving other people’s email]]> Dave Smyth 2021-12-05T00:00:00+00:00 Receiving other people’s email

Today, Gmail is the most popular email service in the world, which has created a seemingly limitless number of what I collectively refer to as the Other Sara Morrisons: people who share my name and who, for whatever reason, enter my Gmail address when they mean to use their own. Their frequent invasions of my inbox have made me realize how much trust many of us put in a system that wasn’t designed to do some of the things we’ve come to use it for.

Email isn’t just a communication tool; it’s also an identifier and a security measure. Companies use it to create profiles of you when you start accounts with them and it often doubles as your username. Your email can also serve as your account recovery tool when you forget your username or password. All of this from something that doesn’t require you to verify your ID and that most people get to use for free, provided by a giant corporation that wants to harvest our data. In premium email provider Hey’s words, email is the “skeleton key to your digital life.” Well, I have a skeleton key to a lot of other people’s digital lives, too.

Emails sent to me that were meant for Other Sara Morrisons have given me a good deal of insight into — and a disturbing amount of access to — the lives of the many people who share my name. I know when and where their medical appointments are. I know when they give birth and am kept apprised about what their child ate and how often she pooped at daycare. I know when and where they’re going on vacation, what car they’re renting, and I get tickets to the theme parks they’ll visit when they get there.

I’ve been part of a monthslong job hunting process for one Other Sara Morrison and received the renewed occupational license for another … twice. I know their property tax payment issues. I know their addresses.

As someone who had an extremely guessable Gmail address, this is something I can relate to.

It’s amazing how many services still don’t require users to confirm their email addresses before creating accounts and purchasing goods or services. I’ve received order confirmations for everything from pizzas to car rentals all around the world, and endless accounts for other people using my email address.

And, despite my desire to completely rid myself of my personal Gmail account, I’ve come to realise I can never fully delete it as that could open up the possibility of identity theft.

In future, this could be an issue that masked email addresses solve, but widespread adoption of that will take a while.

]]>
https://davesmyth.com/commonplace/https-www-wired-com-story-nfts-hot-effect-earth-climate <![CDATA[NFTs + the environment]]> Dave Smyth 2021-12-05T00:00:00+00:00 NFTs + the environment

Lots of quotes to pull from this piece:

The sale of a piece of crypto art consumed as much energy as the studio uses in two years.

The system is similar to the one that verifies Bitcoin, involving a network of computers that use advanced cryptography to decide whether transactions are valid—and in doing so uses energy on the scale of a small country.

How exactly that energy use translates to carbon emissions is a hotly contested subject. Some estimates suggest as much as 70 percent of mining operations may be powered by clean sources. But that number fluctuates seasonally, and in a global energy grid that mostly runs on fossil fuels, critics say energy use is energy use.

Ethereum’s developers have planned a shift to a less carbon-intensive form of security, called proof-of-stake, via a blueprint called Ethereum 2.0. But this has been in the works for years, and there is no clear deadline for the switch.

“If you look at how much energy we are going to spend in the meantime, it’s ridiculous,” says Fanny Lakoubay, a crypto art collector and adviser.

“People say that hopefully it will be fixed in a year or two so it’s OK to be exploitative right now,” says Akten.

]]>
https://davesmyth.com/q/no-is-a-complete-sentence <![CDATA[‘No’ is a complete sentence]]> Dave Smyth 2021-12-04T00:00:00+00:00 ‘No’ is a complete sentence. (Anne Lamott)

]]>
https://davesmyth.com/commonplace/https-danq-me-2021-11-16-email-tracking-and-paperless-banking <![CDATA[Email tracking and paperless banking]]> Dave Smyth 2021-12-02T00:00:00+00:00 Email tracking and paperless banking

A few weeks ago, my credit card provider wrote to me to tell me that they were switching me back from paperless to postal billing because I’d “not been receiving their emails”.

Even if you can somehow justify using tracking technologies (which don’t work reliably) to make general, statistical decisions (“fewer people open our emails when the subject contains the word ‘overdraft’!”), you can’t make individual decisions based on them. That’s just wrong.

Absolutely. Not only is this poor UX, but it’s another example of companies/organisations who don’t realise they shouldn’t be sending spy pixels in the first place.

]]>
https://davesmyth.com/commonplace/https-adactio-com-journal-18625 <![CDATA[Jeremy Keith on tracking]]> Dave Smyth 2021-11-26T00:00:00+00:00 Jeremy Keith on tracking

If the outputs generated by tracking turn out to be inaccurate, then shouldn’t they lose their status?

But that line of reasoning shouldn’t even be necessary. We shouldn’t stop tracking users because it’s inaccurate. We should stop tracking users because it’s wrong.

Too right.

What’s interesting to me about the changes to Apple Mail is that they might be the factor that finally forces companies and marketers to stop building logs of user location + other things.

Chris Coyier wrote a follow-up on CSS Tricks:

I’m interested not just in the ethical concerns and my long-time complacency with industry norms, but also as someone who very literally sells advertising. I can tell you these things are true:

  • I have meetings about pricing where the decisions are based on the historical performance of what is being sold, meaning impressions and clicks.
  • The vast majority of first conversations between bag-of-money-holding advertisers and publishers like me, the very first questions I’m asked are about performance metrics.

That feels largely OK to me. When I go to the store to buy walnuts, I want to know how many walnuts I’m going to get for my dollar. I expect the store to price the walnuts based on normal economic factors, like how much they cost and the supply/demand for walnuts. The advertising buyers are the walnut buyers — they want to know what kind of performance an ad is likely to get for their dollar.

What if I said: I don’t know? I don’t know how many people see these ads. I don’t know how many people click these ads. I don’t know where they are from. I don’t know anything at all. And more, you aren’t allowed to know either. You can give me a URL to send them to, but it cannot have tracking params on it and we won’t be tracking the clicks on it.

Would I lose money? I gotta tell you readers: yes. In the short-term, anyway. It’s hard enough to land advertisers as it is. Coming off as standoffish and unwilling to tell them how many walnuts they are going to get for their dollar is going to make them roll their eyes and move on. Long-term, I bet it could be done. Tell advertisers (and the world) up front, very clearly, your stance on user tracking and how it means that you don’t have and won’t provide numbers via tracking. Lean on supply and demand entirely. Price spots at $X to start. If other people have interest in the spot, raise the price until it stops selling, lower the price if it does.

This highlights the dilemma for publishers. If we agree that advertisers are valuing the wrong metrics, how do you change the narrative?

It’ll get there but there are first-mover costs. And by the way, UTMs are probably the best privacy-respecting metric right now.

Jason Kint puts it roughly like this: targeting and measuring ads is possible in a way that’s privacy-focused and within consumers’ expectations (reasonable people can disagree on whether email spy pixels fall under this, but the ICO is quite clear that users need to consent).

“Tracking” across vendors/services, that users wouldn’t know about or expect, falls outside of this. (Apologies to Jason if this mischaracterises his position in any way).

And there’s more to this. Many people don’t realise what’s going on under the hood. Email spy pixels are a good example: marketers know they can collect the data, but might not realise what data is collected, how or the implications of it.

From Chris’s piece:

As I write this, I’m poking around in the reporting section to see what else I can see. Ughghk, guess what? I can literally see exactly who opened the email (by the person’s email address) and which links they clicked. I didn’t even realize that until now, but wow, that’s very super personally identifiable analytics information. I’m going to look into how I can turn that off because it does cross an ethical line for me.

Now, Chris is a smart cookie. He knows code, he knows marketing, he understands how the web works in a way that many people don’t. And he didn’t know this stuff is going on.

This isn’t to say that naïvety makes this fine, but there will be lots of people innocently collecting this data without realising it.

As Jeremy highlights in his piece, “analytics” can often be substituted for “tracking”. And, as Bob Hoffman notes, “[tracking] is just a prettier word for surveillance.”

No prizes for guessing which of these words features in most SaaS advertising…

This is part of the drive behind Below Radar: help business owners, marketers, freelancers make better choices, understand the options. Yes, it’s grassroots stuff, but we have to start somewhere.

]]>
https://davesmyth.com/commonplace/https-pluralistic-net-2021-11-26-ico-ico-market-structuring <![CDATA[Cory Doctorow on surveillance and consent]]> Dave Smyth 2021-11-26T00:00:00+00:00 Cory Doctorow on surveillance and consent

Cory Doctorow on GDPR:

Enter the GDPR. Under Europe’s landmark privacy regulation, companies have to ask you a plain-language question confirming your consent to every piece of data they collect and every use they plan on making of that data. They can’t punish you for refusing consent – by locking you out of a service or degrading its quality – and you can withdraw your consent at any time.

This is deliberately burdensome. It takes the position that consent is a weighty and serious thing, that personal data is genuinely valuable, and that the transactions in which data is gathered and processed should be solemnized by a thoughtful, substantial ceremony. It calls ad-tech’s bluff: “If you think people are really OK with all that spying you’ve done, let’s ask them, in depth, before you do it.”

Cory also references this study:

Behavioral ads are only more profitable than context ads if all the costs of surveillance – the emotional burden of being watched; the risk of breach, identity-theft and fraud; the potential for government seizure of surveillance data – is pushed onto internet users. If companies have to bear those costs, behavioral ads are a total failure, because no one in the history of the human race would actually grant consent to all the things that gets done with our data.

Absolutely on point.

]]>
https://davesmyth.com/commonplace/https-www-theguardian-com-business-2021-nov-26-im-happy-to-lose-10m-by-quitting-facebook-says-lush-boss <![CDATA[Lush quit Facebook]]> Dave Smyth 2021-11-26T00:00:00+00:00 Lush quit Facebook

From Lush’s CEO:

“I just thought ‘That’s their own research and they’re ignoring it and we are attracting people to their platform.’ We had no choice whatsoever. Lush attracts an awful lot of girls of that age.”

The article also includes this line:

He offers up the excuse that social media is as addictive to companies as individuals.

Certainly true and something to think about.

]]>
https://davesmyth.com/commonplace-books <![CDATA[Commonplace Books]]> Dave Smyth 2021-11-26T00:00:00+00:00 When I recently realigned this site, one of the goals was to let me use this place to store thoughts more easily. The Bookmarks section handles this to a degree but, catering only for a link and category, it’s limited to fulfilling the role of a log. There’s no room for comment or other thoughts.

I’ve also been doing more reading over the past couple of years. There are always quotes I want to remember or refer back to: what to do with those?

After reading Permanent Record, I wrote a little post with a couple of quotes, but the Writing section of this site isn’t there to be filled with book quotes.

I’ve previously stored quotes in Notion, but it’s slow and private: all the reasons I wanted the Bookmarks area in the first place.

This is a long way to say I’ve been looking for a place to store links and quotes, possibly with a way to comment on them, too.

Inspiration

Despite the minimalist feel, Daring Fireball handles a stream of various content types pretty well. The archive supports long posts and short posts with refreshing flexibility.

How can I get a bit of that on here?

In an Unoffice Hours, Joshua Galinato brought up the idea of a commonplace book. He’s been working on an app to store quotes and this sounds like perfect personal site material.

Looking up the origins, commonplace books (or ‘commonplaces’):

Such books are similar to scrapbooks filled with items of many kinds: sententiae, notes, proverbs, adages, aphorisms, maxims, quotes, letters, poems, tables of weights and measures, prayers, legal formulas, and recipes.

This sounds like exactly what I’ve been looking for: a place not just to store quotes, but to comment on them and write notes, too.

Format

For now, this site’s commonplace is split into two sections: Commonplace and Books:

  • Books is a space to store quotes from things as I’m reading them: a place to quickly refer back to when I can’t remember the exact quote from an author.
  • Commonplace is an archive of these quotes, along with commented links/quotes from online articles.

At some point, it might make sense to pull Bookmarks and Writing into the Commonplace, so it becomes the ultimate archive for everything on this site.

Maybe.

]]>
https://davesmyth.com/commonplace/https-www-sciencedirect-com-science-article-pii-s0022103121001360 <![CDATA[Digressive victimhood]]> Dave Smyth 2021-11-19T00:00:00+00:00 Digressive victimhood

Digressive victimhood:

  • Charged with discrimination, dominant groups often claim victimhood.
  • These claims can be digressive, shifting the topic of conversation.

h/t Rasmus Kleis Nielsen

]]>
https://davesmyth.com/q/priority <![CDATA[Priority]]> Dave Smyth 2021-11-16T00:00:00+00:00 The word priority came into the English Language in the 1400s. It was singular. It meant the very first or prior thing. It stayed singular for the next 500 years. Only in the 1900s did we pluralise the term and start talking about priorities.

Illogically, we reasoned that by changing the word we could bend reality. Somehow we would now be able to have multiple first things. People and companies routinely try to do just that.

]]>
https://davesmyth.com/commonplace/https-pluralistic-net-2021-11-08-tina-v-tapas-spoilsports-r-us <![CDATA[Doctorow: NFTs are a flex]]> Dave Smyth 2021-11-09T00:00:00+00:00 Doctorow: NFTs are a flex

The NFT explainer I’ve been looking for from Cory Doctorow:

On Oct 26, an NFT bro calling himself Midwit Milhouse coined the term “right-clicker mentality” to refer to these spoilsports who insist on pointing out the inconvenient truth of his white-hot ponzi scheme.

Milhouse used the term to disparage an amateur chef who made his own version of a $2,000 “Salt Bae” steak for $90. Salt Bae is a trendy London chef who charges tens of thousands for gold-leaf-covered steaks that he showers with salt in a kind of tableside piece of performance art.

Milhouse called this person “a great example of right-clicker mentality,” whose homemade steak didn’t deliver “the satisfaction, flex, clout that comes from having eaten at Salt Bae’s restaurant.”

https://twitter.com/kenlowery/status/1455662848345055232

Milhouse went on: “The value is not in the cost of the steak. Go ahead, make yourself a gold-coated steak at home. Post a picture of it on Instagram. See how much clout it gets you.”

And then, displaying galactic-scale lack-of-self-awareness, “Salt Bae’s dish costs around 1500GBP because people want to pay 1500 GBP to show off that they can afford to pay that much. It’s all about the flex.”

You really couldn’t ask for a better encapsulation of the NFT bezzle: buy an NFT to “flex” and “show off you can afford to pay that much.” Ignore the intrinsic value or satisfaction of the underlying work. You’re doing this for “clout.”

Right-clicker-mentality is a value we should all aspire to. As Matthew Gault wrote on Motherboard: “Sometimes a word or phrase comes along that’s so perfect it almost makes you angry.”

“To right-click is one thing, but to have a right-clicker mentality implies an ontological break between crypto-fans and critics. Indeed, it implies the person saving the JPEG to their hard drive isn’t just wrong, they’re broken in some way.”

]]>
https://davesmyth.com/disguised-emails <![CDATA[Disguised Emails]]> Dave Smyth 2021-10-28T00:00:00+00:00 In iOS 15, Apple introduced Hide My Email for users with an iCloud+ Subscription. This lets users generate a random email address that forwards to their inbox.

This is an incredibly useful service with a couple of benefits:

Security

If we generate a random email address for each account, it reduces the chances of a hacker guessing the email address part of the login. This makes it harder to hack an account through brute force (though not as difficult as using two-factor authentication).

This is particularly useful in the case that your email address is quite guessable (e.g. firstname.surname@icloud.com).

A side benefit of generating random email addresses for each account is that we can trace the source of spam and other unwanted email. If we’ve only used an email address once, we know where it was leaked or sold from.

Privacy

Email isn’t just a personal identifier, it’s a direct line to contact you. In fact, it’s the most direct way to contact people aside from a phone number or address.

Masking an email address is a way to buy back some privacy. This is useful in all sorts of situations: perhaps we don’t trust a service or there’s a reason that using our actual email address could expose us to a risk.

Disguising our email address also solves one of the biggest privacy issues with newsletters: many mailing list providers make it incredibly easy for list owners to spy on individual users.

List owners can often see:

  • How many times an individual opens an email
  • What days and times they opened it
  • In some cases, where they were when they opened it

Many users are completely unaware this data is collected. Aside from this being a gross invasion of privacy and trust, the fact it’s tied to an email address (a way to identify and contact that individual) makes it all the weirder.

Disguising our email addresses gives us more control of our privacy.

Fastmail + 1Password

For Fastmail and 1Password users, there’s an integration that makes this even easier. Their Masked Email service automatically generates a forwarding email address and a password, and saves them for you.

If you’re not a Fastmail user already and want to use an affiliate link, here you go.

Update: 27th November, 2021: I recently discovered Simple Login which offers this service independently. Worth checking out if you’re not an iCloud or Fastmail user.

The future of email?

These services are making it easier than ever to create disguised email addresses, which is a great thing for privacy and security. I’ve already seen masked emails in use in mailing lists I run, and I’d love to see this more widely used.

It always takes a while for features like this to be adopted, especially given the extra friction it creates in signing up. But it would be wonderful if this became the de facto method for creating new accounts.

We live in hope.

]]>
https://davesmyth.com/commonplace/https-www-ft-com-content-af08fe55-39f3-4894-9b2f-4115732395b9 <![CDATA[Surveillance tech in schools]]> Dave Smyth 2021-10-18T00:00:00+00:00 Surveillance tech in schools

‘But some parents said they were unsure whether their children had been given enough information to make their decision, and suggested that peer pressure had also played a role.’

Surely, this is a decision that parents should be making? It seems incredible that this incredibly invasive tech would be entering the school for such a trivial ‘gain’.

It will be interesting to see the fallout from the first data breach.

]]>
https://davesmyth.com/commonplace/https-www-wired-com-story-tech-companies-dont-need-to-be-creepy-to-make-money <![CDATA[Is extra profit worth the problems surveillance causes?]]> Dave Smyth 2021-10-16T00:00:00+00:00 Is extra profit worth the problems surveillance causes?

‘A lot of companies could be still pretty profitable if they chose to go this route,’ Weinberg says. ‘They may be a little less profitable. But you know, it’s like—is that extra profit worth all this societal impact and problems? We don’t think so.’

Even some ad buyers are questioning whether endless tracking works; a survey by Digiday found that 45 percent of ad execs saw “no significant benefit” from behavioral tracking, and 23 percent found it made revenues decline.

Societal benefits vs pure profit.

A trade-off many companies don’t seem to be willing to make.

]]>
https://davesmyth.com/q/in-2014-google-released-a-report-suggesting-that-56-1-percent-of-all-ads-displayed-on-the-internet-are-never-seen-by-a-human <![CDATA[In 2014, Google released a report suggesting that 56.1 percent of all ads displayed on the internet are never seen by a human.]]> Dave Smyth 2021-10-14T00:00:00+00:00 In 2014, Google released a report suggesting that 56.1 percent of all ads displayed on the internet are never seen by a human.

]]>
https://davesmyth.com/q/inaccuracy-of-data-profiles <![CDATA[Inaccuracy of data profiles]]> Dave Smyth 2021-10-14T00:00:00+00:00 ...the accuracy [of data profiles used for advertising] was often extremely poor. The most accurate sets still featured inaccuracies about 10% of consumers, with the worst having nearly 85% of the data about consumers wrong.

]]>
https://davesmyth.com/commonplace/https-www-which-co-uk-policy-digital-8107-value-of-the-choice-requirement-remedy <![CDATA[UK consumers would pay £1bn for control of data]]> Dave Smyth 2021-10-11T00:00:00+00:00 UK consumers would pay £1bn for control of data

This interesting study suggests UK consumers would collectively pay over £1bn a year for control of their data. That’s a little over £1 per person per month.

]]>
https://davesmyth.com/commonplace/https-digiday-com-media-californias-new-privacy-chief-could-push-for-rules-on-email-based-ad-identifers <![CDATA[Emails required to identify users who don’t want to be tracked]]> Dave Smyth 2021-10-09T00:00:00+00:00 Emails required to identify users who don’t want to be tracked

Because they use emails to recognize people who have asked not to have their data shared, some ad technologies require an email address to actually enable people’s privacy preferences.

Just in case there was any doubt about how broken privacy is on the web, huh…

]]>
https://davesmyth.com/realignment <![CDATA[Realignment]]> Dave Smyth 2021-09-22T00:00:00+00:00 Since publishing this site back in May last year, this site has expanded in several ways. It was fairly hastily put together with the Writing, Uses, Now and Reading sections.

I’ve been tweaking it along the way. One of the greatest additions has been the Unoffice Hours, inspired by Matt Webb’s project. There have also been smaller tweaks like the addition of Reply via email buttons on individual articles.

There are other things I’d like to add, such as an About page that lists podcast appearances and a Resources section. The latter is inspired by two things:

  1. Matt Baer’s Delete Your Facebook, which is a beautifully simple way to highlight issues with the most problematic social media platform
  2. Luke Mitchell’s Bookmarks, which lists discovered links and resources

I haven’t decided on the exact format, but a place to log things I’ve found would be very useful. For a long time I did this in Notion, but the app is just so slow I’ve neglected to maintain it.

I suspect it would be easier to add new items to the site than there. And possibly useful to others, too.

Time to realign

With that in mind, I think it’s time to realign this site. The home page could do with some adjustment, bringing Unoffice Hours to the fore and there are other things I’d like to explore:

New typefaces

I’d initially liked the idea of a mono type for this site, but that’s not fantastic for readability. That’s why the site features a font switcher so users can switch to a sans-serif.

A while ago I discovered Relative Faux by Colophon. It’s a fauxnospaced font – monospaced characteristics with proportional spacing – and it might be the perfect fit.

Layouts

The Writing section is a little rough-and-ready. It would be nice to tighten this up, call out Popular articles and possibly provide a search, too.

Colours

This could be a good opportunity to tweak the existing colours for more subtlety or move to something completely different.

URL restructuring

For sites like this, I’m increasingly a fan of making the URLs as simple as possible. Instead of davesmyth.com/writing/realignment, it would be nice to use davesmyth.com/realignment.

This isn’t always appropriate, but I might make some changes on that front, too.

Let’s see what happens.

]]>
https://davesmyth.com/deliverability <![CDATA[Open Rates + Deliverability]]> Dave Smyth 2021-09-07T00:00:00+00:00 Even though we know that email open rates are tricky to gauge, they’re still an incredibly popular metric.

To quickly recap, open rates are inaccurate because lots of email clients block the tracking pixels that allow the open to be tracked. These are blocked in two ways:

  1. Blocking the load of all images, which would present as an unread email
  2. Instantly loading the email on the user’s behalf to strip the pixel, presenting as a read email

In either scenario, the sender has no way of knowing whether the email has been read by the recipient or not.

This is a common feature in lots of email clients and it’s set to become more so as iOS 15 will let Apple Mail users block this tracking.

Business decisions

Open rates are often used to assess how ‘active’ a mailing list recipient is. In other words, do they read the emails?

There is a perfectly legitimate business principle of valuing a small mailing list with high engagement over a large list with very low engagement. Not least because mailing list providers often charge based on the number of users in a list.

The seemingly logical conclusion of these two factors is the practice of removing users who don’t open emails.

In fact, this is something that lots of mailing list providers recommend. Not just for the reasons above, but – according to many providers – sending to many inactive subscribers hurts email deliverability.

Here are some articles on the topic from various providers:

Each of these articles defines different types of inactive subscribers and talks about the impact of keeping inactive subscribers on a list. But there’s absolutely no explanation of how inactive subscribers practically impact deliverability.

How does it work?

The theory seems to go like this:

Gmail, Outlook or another provider see that an email from a sender isn’t being opened by lots of people. At some point, the sender’s emails start to be automatically categorised as spam or sent to Gmail’s Promotions tab.

But how does that work in practice? Gmail or Outlook won’t have access to the open rate data from the mailing list provider (Mailchimp etc).

The only way I can think that this works is that email providers collect their own internal data on email opens. That data is fed back to a scoring mechanism for a sender, or perhaps a universal tool like SpamCop that helps email providers root out spam.

There is a clear case to do this: anyone who had an email account before Gmail will remember how much of a problem spam used to be. Gmail’s filters quickly reduced that headache and spam is no longer a huge issue for lots of email users.

Whose data to trust?

But here’s the interesting thing: email providers such as Gmail and Outlook are likely generating entirely different open rates to mailing list platforms such as Mailchimp and ConvertKit etc:

  • Email providers are likely to have the actual data on open rates
  • Mailing list providers are reporting open rates based on the (incomplete) data they receive

What’s more, only the email providers decide/impact on what gets delivered to a user’s inbox. They are the ones with accurate data.

This isn’t to suggest that unread emails don’t impact on deliverability. But – given it’s likely there’s a discrepancy between emails that are reportedly and actually unread – how can a list be accurately pruned?

Some active subscribers will show up as inactive and some inactive subscribers will show up active.

Mailing list platforms cannot tell for certain who is active or not based on open rates alone. It would seem that newsletter owners pruning their lists based on open rates run a significant risk of removing active subscribers.

It might be better to rely on click rates to determine which subscribers are active. Or, even better, remove the spy pixels altogether.


The above makes several assumptions about how deliverability is assessed – if it’s inaccurate, I’d love to hear from you to set the record straight:

]]>
https://davesmyth.com/q/don-t-care-about-privacy <![CDATA[Don’t care about privacy]]> Dave Smyth 2021-08-24T00:00:00+00:00 Ultimately, saying you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say.

]]>
https://davesmyth.com/q/privacy-future <![CDATA[Privacy future]]> Dave Smyth 2021-08-24T00:00:00+00:00 Still, if we don’t act to reclaim our data now, our children might not be able to do so. Then they, and their children, will be trapped too—each successive generation forced to live under the data specter of the previous one, subject to a mass aggregation of information whose potential for societal control and human manipulation exceeds not just the restraints of the law but the limits of the imagination.

Once you go digging into the actual technical mechanisms by which predictability is calculated, you come to understand that its science is, in fact, anti-scientific, and fatally misnamed: predictability is actually manipulation. A website that tells you that because you liked this book you might also like books by James Clapper or Michael Hayden isn’t offering an educated guess as much as a mechanism of subtle coercion.

We can’t allow ourselves to be used in this way, to be used against the future. We can’t permit our data to be used to sell us the very things that must not be sold, such as journalism. If we do, the journalism we get will be merely the journalism we want, or the journalism that the powerful want us to have, not the honest collective conversation that’s necessary.

]]>
https://davesmyth.com/permanent-record <![CDATA[Permanent Record]]> Dave Smyth 2021-08-24T00:00:00+00:00 I just finished reading Edward Snowden’s book, “Permanent Record”. Having watched Citizenfour some years ago, it’s fascinating to read the background to the events leading up to it.

This quote stuck out:

Ultimately, saying you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say.

As did this longer excerpt from the book’s conclusion:

Still, if we don’t act to reclaim our data now, our children might not be able to do so. Then they, and their children, will be trapped too—each successive generation forced to live under the data specter of the previous one, subject to a mass aggregation of information whose potential for societal control and human manipulation exceeds not just the restraints of the law but the limits of the imagination.

Once you go digging into the actual technical mechanisms by which predictability is calculated, you come to understand that its science is, in fact, anti-scientific, and fatally misnamed: predictability is actually manipulation. A website that tells you that because you liked this book you might also like books by James Clapper or Michael Hayden isn’t offering an educated guess as much as a mechanism of subtle coercion.

We can’t allow ourselves to be used in this way, to be used against the future. We can’t permit our data to be used to sell us the very things that must not be sold, such as journalism. If we do, the journalism we get will be merely the journalism we want, or the journalism that the powerful want us to have, not the honest collective conversation that’s necessary.

That’s quite something.

]]>
https://davesmyth.com/email-links <![CDATA[Email links]]> Dave Smyth 2021-07-19T00:00:00+00:00 I was recently talking to a friend about their email list. They’d turned off analytics (read: spy pixels) but wanted some metrics to relay to sponsors and advertisers.

Leaving aside privacy issues, open rates are a fragile metric, so we discussed monitoring link clicks instead.

Some newsletter providers allow list owners to track clicks in a privacy-focused way, but it’s not common. In many cases, the link strings are extended with unique identifiers that tie clicks to specific users.

This is an invasive and unnecessary practice. Unless those users are going to be retargeted for ads, of course.

Privacy-focused link tracking

If you have a website running analytics, you can use redirects to track links without coupling that data to a user’s email address:

  1. Set a redirect at yoursite.com/redirect for each link you want to track in an email
  2. Use these yoursite.com redirects in your email
  3. Check the stats for these links after you’ve sent the email

If you’re repeating a link across multiple emails and want to tie the analytics to a specific newsletter, you may need to create new links for each email. But in many cases, this won’t be necessary – especially as you can usually filter analytics by date.

This is an incredibly simple, privacy-focused method of tracking links sitting right under our noses.
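The redirect approach in the three steps above, sketched as an added example (not code from the original post). The slugs, targets and function names are hypothetical, and an in-memory counter stands in for whatever analytics the site already runs; `per_recipient_links` is a check for the per-user identifiers described earlier.

```python
from collections import Counter
from datetime import date
from urllib.parse import urlsplit

# Hypothetical redirect table (slugs and targets are made up for this example).
# One slug per link per issue, shared by every subscriber.
REDIRECTS = {
    "/go/issue-12-sponsor": "https://sponsor.example/offer",
    "/go/issue-12-article": "https://yoursite.com/realignment",
}

# Aggregate counter keyed by (slug, day). No IP address, user agent,
# cookie or email address is stored.
CLICKS = Counter()


def handle_click(raw_path, today=None):
    """Resolve a redirect and count it. Returns (status, location)."""
    # Keep only the path: a query string or fragment (where per-user
    # tokens usually ride) is discarded before lookup and never recorded.
    path = urlsplit(raw_path).path
    target = REDIRECTS.get(path)
    if target is None:
        return 404, None
    day = (today or date.today()).isoformat()
    CLICKS[(path, day)] += 1
    return 302, target


def clicks_for(slug):
    """Total clicks for one slug across all days."""
    return sum(n for (s, _), n in CLICKS.items() if s == slug)


def app(environ, start_response):
    """Minimal WSGI wrapper around handle_click."""
    status, location = handle_click(environ.get("PATH_INFO", "/"))
    if status == 302:
        start_response("302 Found", [("Location", location)])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"unknown link\n"]


def per_recipient_links(rendered):
    """Given {recipient: [urls in their copy of the email]}, return the
    positions whose URL differs between recipients, i.e. links that
    carry a per-user identifier."""
    copies = list(rendered.values())
    return [i for i, urls in enumerate(zip(*copies)) if len(set(urls)) > 1]


if __name__ == "__main__":
    # Constructed sample: two subscribers' copies of the same email.
    sample = {
        "a@example.com": ["https://yoursite.com/go/issue-12-sponsor",
                          "https://list.example/c/9f3a?u=111"],
        "b@example.com": ["https://yoursite.com/go/issue-12-sponsor",
                          "https://list.example/c/9f3a?u=222"],
    }
    print("links that identify the recipient:", per_recipient_links(sample))
    handle_click("/go/issue-12-sponsor?uid=abc123")
    print("sponsor clicks:", clicks_for("/go/issue-12-sponsor"))
```
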

]]>
https://davesmyth.com/opting-out-of-floc <![CDATA[Opting out of FLoC]]> Dave Smyth 2021-04-14T00:00:00+00:00 Google trials of the new FLoC system for targeted ads have begun.

Google’s explainer over on web.dev states that “websites will have the ability to opt in or out of FLoC”, but this is misleading.

All websites are opted into the trial by default.

Screenshot from web.dev about the FLoC trial, “websites will have the ability to opt in or out of FLoC”.

Leaving aside the wider privacy concerns around FLoC, the trials present issues of consent. Chrome users may not realise they are part of the trial and website owners may not want their audience to be profiled.

Actions to take

The next steps depend on whether you’re a Chrome user or a website owner.

Chrome users

  1. Install the DuckDuckGo extension that blocks FLoC
  2. Consider switching to a privacy-focused browser like Firefox, Safari or Brave

Website owners

Site owners can opt out of the trial by adding an HTTP response header:

Permissions-Policy: interest-cohort=()

But how do you set this?

WordPress users

Plugins like Headlock will let you set this header. This plugin is from Tim Nash who also mentioned on Twitter that services like Cloudflare let site owners set headers, too.

Statamic users

Erin Dalzell has released an addon to send this header. No configuration required.

It’s also possible to do this natively: something that might make it to the Statamic core.

Once the header is set, tools like httpstatus can help you check that the header is being sent correctly. Look for the Permissions-Policy section as shown at the bottom of this screenshot:

Screenshot showing the permissions policy has been set.
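For sites that run their own Python application, one way to send and verify the header, as an added example (not from the original post or from any plugin named above). The function names are hypothetical. The checker only accepts an empty allowlist, so `interest-cohort=(self)` or the older Feature-Policy syntax does not count as opted out.

```python
import re


def _split_top_level(value):
    """Split a header value on commas that sit outside (...) and "..."."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        if ch == "," and depth == 0 and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_permissions_policy(value):
    """Return {feature: raw allowlist}, e.g. {"interest-cohort": "()"}."""
    policy = {}
    for part in _split_top_level(value):
        name, _, raw = part.strip().partition("=")
        policy[name.strip().lower()] = raw.strip()
    return policy


def _policy_value(headers):
    """Join every Permissions-Policy header in a [(name, value)] list."""
    return ", ".join(v for n, v in headers if n.lower() == "permissions-policy")


def floc_opted_out(headers):
    """True only if interest-cohort is present with an empty allowlist."""
    raw = parse_permissions_policy(_policy_value(headers)).get("interest-cohort")
    return raw is not None and re.sub(r"\s+", "", raw) == "()"


def with_floc_opt_out(headers):
    """Return a header list that keeps other directives untouched and
    forces interest-cohort=(), merging into one Permissions-Policy header."""
    policy = parse_permissions_policy(_policy_value(headers))
    policy["interest-cohort"] = "()"
    value = ", ".join(f"{n}={v}" if v else n for n, v in policy.items())
    others = [(n, v) for n, v in headers if n.lower() != "permissions-policy"]
    return others + [("Permissions-Policy", value)]


def floc_opt_out(app):
    """WSGI middleware: add the opt-out to every response of `app`."""
    def wrapped(environ, start_response):
        def patched(status, headers, exc_info=None):
            return start_response(status, with_floc_opt_out(headers), exc_info)
        return app(environ, patched)
    return wrapped


if __name__ == "__main__":
    # Constructed sample responses to run the checker against.
    samples = [
        [("Permissions-Policy", "interest-cohort=()")],
        [("Permissions-Policy", "geolocation=(self), interest-cohort=(self)")],
        [("Feature-Policy", "interest-cohort 'none'")],
    ]
    for headers in samples:
        print(floc_opted_out(headers), headers)
```
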

Other platforms

The technical nature of setting HTTP headers means that not all website owners will be able to opt-out of Google’s FLoC trial. That makes the decision to opt-in all sites by default frustrating and concerning.

If there are methods for users of Squarespace, Wix or other CMSs to opt-out, let me know and I’ll add them to this list.

]]>
https://davesmyth.com/q/if-you-have-the-luxury-to-organise-your-schedule-realise-you-don-t-have-to-suffer-overload <![CDATA[If you have the luxury to organise your schedule, realise you don't have to suffer overload.]]> Dave Smyth 2021-03-23T00:00:00+00:00 If you have the luxury to organise your schedule, realise you don't have to suffer overload.

]]>
https://davesmyth.com/deleting-emails <![CDATA[Deleting 290,589 emails]]> Dave Smyth 2021-03-18T00:00:00+00:00 As part of my drive to reduce my use of Google services, I’m planning to get rid of my personal Gmail account.

Earlier this month, I received a renewal notice about the additional Google space I was paying for. It seemed as good a time as any to get to work.

I set about deleting all 290,589 emails from my Gmail account.

Backing up

Before deleting the emails, I wanted to take a backup of emails. If I don’t open this backup in the next year or so, I’ll probably wipe it completely.

Google’s Takeout service lets you export emails to an mbox file. There are clear instructions on the HEY website.

That produced a 20GB export. It seems Google ignores requests to chunk the export into smaller files.

As we all know: a backup is only useful if it works. The file should have been readable by Apple Mail but each attempt to import crashed due to the size of the export.

I ended up importing to Thunderbird with the ImportExportTools add-on. It took a while, but it worked.

Deleting

As it turns out, Gmail isn’t great at deleting nearly 300,000 emails in one shot.

In theory, it’s possible to highlight all emails in an inbox and move them to trash. In practice, Gmail deletes 5–10k emails at a time, occasionally removing as many as 20–30k in one shot.

There’s a clever date-based filter trick that might help with deletion: it’s detailed as Solution 2 in this support thread. This technique didn’t work for me, but it might work for small inboxes.

Ultimately, I ended up deleting emails from each folder/label in batches. This made it easier to see the progress and left a much-reduced Inbox by the time I reached it.

The whole process took an hour. Worth every second.

The next step is deleting my Gmail account. I plan to leave it dormant for a while to make sure I’ve caught all the email changes I need to make before completely deleting the account.

]]>
https://davesmyth.com/custom-domains-on-hey <![CDATA[Custom domains on HEY]]> Dave Smyth 2021-02-17T00:00:00+00:00 After my post about de-Googling, a few people asked about my custom domain email set-up with HEY.

Custom domains have been a hot topic since HEY’s launch as they weren’t supported until HEY for Work was released. HEY for Work is a separate plan to their personal email offering and costs $12 per user per month.

If you have a few email addresses running on custom domains the cost quickly adds up. The outlay might not be worth it if the addresses aren’t used much.

HEY for Work’s strength is in collaboration. I’m using it for an upcoming project and those features are brilliant.

So, if you

  1. Like the HEY interface
  2. Have a personal account
  3. Have other custom domains you want to use through HEY

What can you do?

Forwarding + SMTP

The solution is in two parts.

Firstly, most email providers (except hyper-secure options like Proton Mail) let you forward incoming email to another address. In this case, that’s your personal HEY account.

The second part is relatively new: HEY now supports SMTP. That means your personal HEY account can ‘send as’ an external email address.

I’m running three custom domains on Fastmail and these are all forwarded to my personal HEY account. Now that HEY supports SMTP, I can now send emails through HEY from my external email addresses.

It’s a pretty useful feature for anyone who wants to use custom domains but doesn’t need the other features of HEY for Work. More details over on the HEY website.

]]>
https://davesmyth.com/de-googling <![CDATA[De-Googling]]> Dave Smyth 2021-02-15T00:00:00+00:00 One upside of being independent is that I can choose the tools I use. I’m trying to make better choices and using alternatives to Google is one of these.

I closed both of my Google Workspace accounts a few days ago.

It’s difficult to go 100% Google-free as their services are so deeply embedded in the web, but I’m trying to use alternatives wherever reasonably possible.

Having used G Suite/Google Workspace for work email, I was slightly hesitant about the impact of losing access to Google Docs and Drive. I’d never used these much, but some clients are all-in on these services.

As it happens, clients can invite external email addresses to any services they need to collaborate on. I think this was previously limited to Gmail or G Workspace accounts, so it’s never been easier to move work services away from Google.

Google alternatives

Here’s how I’m tackling switching from various Google services:

I use DuckDuckGo. For a long time, I used Startpage as it uses Google results while respecting user privacy, but DuckDuckGo’s results have improved a great deal. Highly recommended.

Work email

In December, I switched to Fastmail for work email (10% off affiliate link). It’s a good balance of privacy and user experience.

I’d previously tried ProtonMail, but couldn’t wrangle the Bridge service to import/export emails to third-party apps.

On Fastmail’s $5/month plan, you can use any custom domains you need. Now that personal HEY email offers SMTP support, I can manage all work and personal email from the same place.

Fastmail also features a Calendar, knocking out another reliance on Google. I switched to Fantastical, which has been fantastic.

Personal email

I’ve had my Gmail account for 17 years, but I’ve been enjoying HEY as a personal email alternative.

It’s daunting to turn this off given how many services are linked to it, but I’m taking this approach:

  1. Set-up an auto-responder (contacts only) to tell them to update their email address for me
  2. Change email addresses for each service I regularly use
  3. Use a password manager to identify other services I use less frequently
  4. Any services I don’t/won’t use and/or where there’s no significant negative to losing access, I won’t change the email address. I can always create a new account in future.

I expect this process will take some time, but I kicked the process off by deleting the 290,589 emails in my Gmail account.

Analytics

I switched to Fathom ($10 off affiliate link) around 18 months ago.

I strongly recommend privacy-focused analytics to my clients. In some cases, it completely removes the need for a cookie banner.

Search Console

I can maintain an account here without either a Gmail or Workspace account.

Domains

I have a few domains registered with Google Domains: moving them is non-trivial. I’ll keep them there for now and look to move each one at an appropriate time.

I register new domains with services like Gandi or Hover.

Drive & Docs

I’ve never really used Google Drive or Google Docs. Before switching off Workspace I checked I had copies of files stored locally or on Dropbox.

In 2022, I switched to Sync (here’s a referral link to give you and me an extra 1GB). It was a super easy switch, and one I wish I’d completed earlier.

Google My Business

There’s no alternative to this, but you can maintain an account without a Gmail or Workspace account.

Authenticator

I switched from Google Authenticator a year ago after hearing about a friend losing their phone and their 2FA codes with it.

I use Authy which supports device synchronisation and offers a desktop app. That means you don’t always need your phone on you and you’re not locked out if you lose it.

Chrome

I’ve not used Google Chrome as my browser for years, preferring Firefox or Safari.

Alternative alternatives

These are the services I use, but there are lots of others.

For alternatives check out switching.software and Mark Hurst’s Good Reports.

Punishment for cancelled subscriptions

Since I deactivated my Workspace account, I’ve noticed that Google regularly tries to push me to reactivate the account.

I’m often unintentionally logged in to Google, and my old Workspace account is still linked. That’s because clients sometimes share Google things to the email address associated with the old Workspace account.

This is what I see:

Screenshot of Google page asking me to resubscribe to Google Workspace.

There are a few things that make this a particularly dark pattern:

  1. This happens even when I’m trying to access services that are openly available to users without a Google account, like Google Translate.
  2. I’m simultaneously signed into several Google accounts, but Google always defaults to the ex-Workspace account.
  3. When I try to switch account from this page, I’m redirected to the admin.google.com interface, which is only available to Google Workspace accounts. This makes it difficult to switch to a non-Workspace account.

Google suggested two solutions:

  1. Remove the account from Google Chrome. Chrome might have market dominance, but it’s quite the assumption that I am using their browser.
  2. Delete the Workspace account. This might be the ‘right’ option, but I’d likely need to sign up for another Google account with the old email address for client purposes.

It would be better if Google stopped trying to force their product on me. My user experience would be better if I’d never had a Google Workspace account: that doesn’t seem right.

This anecdote serves as a frequent reminder not to use Google at all.

Last updated: 14th April, 2022

]]>
https://davesmyth.com/global-privacy-control <![CDATA[Global Privacy Control]]> Dave Smyth 2021-01-29T00:00:00+00:00 Yesterday saw the announcement of a new standard that makes it easier for users to opt out of data collection and sharing. It’s called the Global Privacy Control and lets users signal they want to opt out of tracking through their browser.

From The Verge:

The GPC standard sprang from a powerful but little-noticed provision in the California Consumer Privacy Act (CCPA), which ... gives Californians the right to opt out of having their personal information sold by the sites they visit.

Interestingly, the definition of ‘sold’ seems to be deliberately vague – in a good way:

Crucially, the law interprets “sell” as including any exchange of value, which could include being read broadly enough to go beyond outright data broker sales and into the endemic tracking pixels that power much of the advertising you see online.

Installing the signal

Part of the appeal of the Global Privacy Control is that users can set this signal from their browser. There are several ways to broadcast the signal, but most users will only need to install a browser extension.

There’s support for Firefox, Chrome, Brave and Microsoft Edge browsers at the moment – Safari is a notable omission.

Extension links

Here are the direct links to the extensions:

To enable this on mobile, users will need to use the DuckDuckGo Privacy Browser on Android or iOS.

Once installed, users can visit globalprivacycontrol.org and test their browser signal is working. If it is, a message will appear in a bar at the top of the page.

Search engine switch

When I installed the Firefox extension, DuckDuckGo silently set itself as the default search engine. I understand this is a good move for users stuck on Google by default, but I wasn’t brilliantly impressed that this happened without asking.

Spread the word

According to The Verge article, “project organizers estimate that 40 million users worldwide will be sending out the GPC signal through one product or another”.

Right now, the project and download information is spread across a few sites and articles. I’ve written this brief rundown to pull together the key points and make it easier to download the extensions. 

The power of a standard like this is in its take up. You can help the project by spreading the word.

]]>
https://davesmyth.com/read-receipts <![CDATA[Read receipts]]> Dave Smyth 2021-01-24T00:00:00+00:00 When I wrote about exploring Digital Minimalism, I overlooked the practice of turning off read receipts. This is something I was doing before I read Cal Newport’s book.

Turning off read receipts seems like a small thing: “who cares if they know when I read this?”

I started turning messaging read receipts off a couple of years ago: it’s had a positive impact on my experience of messaging apps.

On the occasions I’ve realised read receipts were on, perhaps in a new app, the relief I’ve felt in turning them off has been palpable.

Aside from this, there are the privacy considerations.

On by default

Most popular messaging apps turn read receipts on by default.

I can't stand breakfast. It's just constant eggs. I mean, why? Who decided?

This quote from Killing Eve sums up my feeling on this.

Apps where read receipts are on by default include:

It seems there’s no way to turn read receipts off for Facebook Messenger, Instagram direct messages or Telegram.

I’ll send read receipts if you send yours

One of the most insidious quirks of read receipts in messaging apps is the receipt quid pro quo. To receive read receipts, users normally have to enable read receipts on their own device.

I used to accept this on the basis that it seemed fair. Now I’ve had some distance from read receipts, it seems like a particularly weird ‘trade’.

Surely, the only thing that matters is whether a recipient is happy for the sender to know they’ve read the message? Why does a sender have to opt-in to also share when they’ve read messages?

I’m not interested in when someone reads a message of mine, so this isn’t a strange feature request.

Email can stalk you

Most messaging apps let users turn read receipts off. The same courtesy isn’t extended to email users.

Of course, privacy-focused email services will block read receipts, but there’s no standard method for users to opt-out.

This is an important topic as email read receipts are particularly invasive. Whereas messaging apps will report the read status and possibly time of reading, email tracking might also report the user’s location.

That’s just personal email. Most mailing list software enables all of this by default and often tracks every instance of an email being read and internal links being clicked.

Mike Davidson’s writing on Superhuman demonstrated this in action. Superhuman rolled back some of the worst excesses of their email tracking, and they’re not a newsletter service, but this practice is still common in mailing lists and marketing emails.

In most cases, tracking continues even after a user unsubscribes.

Spying is convenient

I remember when I used to think it was convenient to know when a message was read.

Looking back, it was convenient. It was convenient for me as the sender, but not for the recipient.

It’s nosy and with little justification.

The business case

The world of work finds plenty of reasons to justify tracking users without their consent.

Common examples include enabling cookies for analytics or tracking users all over the web under the guise of improving the effectiveness of ads.

Ecommerce businesses in particular make extensive use of tracking in mailing lists. From open rates times and locations to link clicking.

They’re far from the only ones and the use cases can be subtle. For instance, consider accounting software that tells users when a client has seen an invoice.

For years, websites and services have collected all possible data, just because they can.

Opting out

When I start using a new messaging app, read receipts are one of the first things I look to disable. If you find yourself feeling pressure to reply, or you avoid opening messages so you don’t trigger a read receipt, I’d suggest doing the same.

I’d also recommend looking at email services that either block incoming read receipts or disrupt them. One of the ways we can individually effect change is by making the data useless.

]]>
https://davesmyth.com/digital-minimalism <![CDATA[Digital minimalism]]> Dave Smyth 2021-01-01T00:00:00+00:00 In early 2020 I read Cal Newport’s Digital Minimalism. It completely changed my outlook on tech.

I wouldn’t have picked up the book if it wasn’t for Adam Pearson. He told me that in another of Newport’s books, Deep Work, he recommended:

  1. Quitting social media for 30 days
  2. Not telling anyone
  3. Seeing if anyone noticed

That was enough to make me want to explore it.

I’m writing this for a few reasons. It’s partly a reminder to myself of the benefits of what I’ve been trying. I also hope it’s useful for other people who feel tech takes up too much of their world.

Digital minimalism isn’t about cutting out all tech. It’s about making tech work for you: getting the value you need without it ruling your life.

I’ve seen plenty of people share their experiences of this only to be met with replies like “just don’t use the internet or social media” or “why post it on social media”. These are spectacularly lazy hot takes that completely miss the point: no surprises there, then.

Getting started

Here are some of the steps I’ve taken. I don’t imagine anyone would tread an identical path, but I hope sharing my experience and the benefits I’ve seen will be of use to someone.

Deleted my Facebook account

I’d been tempted to remove Facebook for a while, but groups and nostalgia kept me around. Taking a social media break gave me the perfect excuse to deactivate my account and see how I’d fare.

When you deactivate your account, Facebook gives you the option to keep Messenger. Initially, I kept Messenger to keep in touch with friends who I mostly spoke to through that.

I found that keeping Messenger was a problem. Even though I’d deleted the Facebook app and stayed logged out, I was tempted to reactivate my account whenever I logged into Messenger.

I’d be surprised if this wasn’t by design.

After a couple of weeks, I set my account to be permanently removed, including Messenger. It’s strange how much I think about Facebook as a company from a privacy angle, but I haven’t thought about using it as an individual in months.

I don’t miss it.

Removed social media apps from my phone

Obviously Facebook went, along with the Messenger app, but I also removed the Twitter and Instagram apps from my phone.

Instagram has remained deleted. I may return to that one day, particularly if Facebook is broken up.

Incidentally, I came across a great tip for getting the full Instagram experience on desktop: “use the developer feature on Safari, switching User Agent to iPhone”.

Notifications

A common recommendation for Digital Minimalists is to turn notifications off. I’d done this well before reading the book: if you haven’t already, it’s well worth it.

Managing Twitter

I took a 30-day social media break from everything but my personal Twitter account. After that, Newport recommends reintroducing tech intentionally.

I didn’t miss much social media, but Twitter was always going to be the difficult one for me. It’s the platform I use and enjoy most, but there’s lots of negative stuff on there. It’s easy to get drawn down increasingly depressing rabbit holes.

Removing the app from my phone completely stopped all Twitter notifications and prevented me accidentally firing up the app. The only way to access it was through a browser.

This did the trick for a bit, but I still saw loads of negativity on desktop and mobile.

To try and tackle this, I’ve gone list-based. The idea is to replace the timeline with lists for a more curated experience.

Twitter doesn’t let users set a list as their default view. This is ok if you’re using an app like Tweetdeck (which is perfect for this), but there’s no equivalent on mobile.

Ultimately, I’ve gone all-in on using lists. As it’s not possible to set lists as a default mobile view, I copied accounts I was following to a list and unfollowed everyone.

This seems drastic, but it’s done a load of good. I’m still following most of the accounts I followed before, but the experience is much more positive so far.

Let’s see how long that lasts.

Podcasts

It’s easy to conflate digital minimalism with reducing social media use. But it’s much broader than that: it’s about redefining your relationship with tech and making tech work for you.

I’ve been listening to a lot more podcasts over the past few years. And having used Apple Podcasts mainly, I took the opportunity to investigate some other options.

I hadn’t looked into this before: “how different could a podcast player be, really?!” Well, I wish I had. There are lots of subtle differences that add up to a much easier podcast interface.

For example, I’ve been listening to David Dylan Thomas’ excellent Cognitive Bias podcast. These episodes are often short. You want to listen to them in order as the content often references previous episodes.

Changing the play order in Apple Podcasts is possible, but hidden in some not-particularly-obvious settings. In the new player, Overcast, it’s much clearer: very useful when you discover a new podcast.

This is a small example, but it reinforced to me how subtle app differences can have a big impact on how we interact with tech.

Wrapping up

I’ve recommended Digital Minimalism to lots of people this year. Taking some steps towards digital minimalism has been a massively positive experience for me.

I’d highly recommend the book to anyone who feels they could benefit from resetting their relationship to tech.

]]>
https://davesmyth.com/consolidating-newsletters <![CDATA[Consolidating newsletters]]> Dave Smyth 2020-12-29T00:00:00+00:00 Over the past year, I’ve become a big fan of Digital Minimalism, thanks in no small part to Cal Newport’s book of the same name.

I also run a few things: my business, a course on CSS, Work Notes and this personal site.

Subscribers to the Websmyth newsletter previously received very occasional emails and my intention was to run one through this site, but there’s lots of crossover. With all of this in mind, I’m consolidating these two newsletters.

The newsletter looks at web things and tech with a privacy focus. Freelancing will feature less often as that’s covered at Work Notes. I’ll use the newsletter to share links to things I’ve been reading, along with writing from both Websmyth and this site, with a sprinkling of work and other updates.

Original Websmyth subscribers will also notice that emails look different. That’s because I’ve switched to privacy-focused Buttondown, where I can properly turn off click and open tracking.

If you’re not already subscribed, you can sign up below.

]]>
https://davesmyth.com/contextual-ads <![CDATA[Contextual ads]]> Dave Smyth 2020-12-15T00:00:00+00:00 Jeremy Keith’s piece on Clean Advertising is an excellent read. One of the key takeaways is that behavioural advertising may not be as effective as its contextual counterpart.

To recap:

  • Behavioural advertising centres around tracking users around the web to build profiles about their behaviour. Users are shown ads specific to them, irrespective of the context: e.g. a user visits a shoe shop, then sees an ad for those shoes on Facebook.
  • Contextual advertising doesn’t track users or build profiles of them. Users are shown ads based on the context: e.g. a user searches for a tennis racket and is shown an advert for one.

Keith’s article references the New York Times who, in 2018, turned off behavioural advertising for European readers. Digital advertising through their site increased through to early 2019.

They aren’t the only ones.

In August 2020, WIRED reported on the Nederlandse Publieke Omroep’s (NPO) strict approach to European cookie laws. Instead of assuming users are ok with targeted advertising if they skipped the cookie consent screen, they opted users out (incidentally, this is the correct approach).

The company found that ads served to users who opted out of cookies were bringing in as much or more money as ads served to users who opted in. The results were so strong that as of January 2020, NPO simply got rid of advertising cookies altogether. And rather than decline, its digital revenue is dramatically up, even after the economic shock of the coronavirus pandemic.

If behavioural ads aren’t more effective than contextual ads, what is all of that data collected for?

If websites opted for contextual ads and privacy-focused analytics, cookie banners could become obsolete...

What about small businesses?

The attraction of heavily targeted advertising is strong for small businesses. For a start, it’s frequently the only recommended advertising method, but the pull of tweaking adverts to maximise small budgets must be strong.

In the spirit of investigating alternatives to invasive marketing techniques, I want to find out more. I’m interested in collecting more examples of businesses – large or small – that have bucked the trend and opted for contextual ads over behavioural ones.

Large and small businesses may advertise in different ways, but there will be lessons to learn from any business that’s gone against the grain here.

Send examples to dave@davesmyth.com: the lists below are updated with examples as I find them.

Last updated: 27th March, 2021

Examples

]]>
https://davesmyth.com/twitter-lists <![CDATA[Twitter lists]]> Dave Smyth 2020-12-11T00:00:00+00:00 Twitter is pretty much the only social media platform I use. It’s a useful platform, but not without problems.

I try to balance the time I spend on there. I don’t have the app on my phone and recently switched to TweetDeck on desktop.

TweetDeck took a little getting used to, but the best feature I’ve found is the ability to browse using Twitter lists by default.

Still, it’s easy to get sucked into reading replies about fairly depressing stuff. Especially on mobile, where the default is the timeline, rather than a list.

So, taking inspiration from Anil Dash’s article, I unfollowed everyone on Twitter and copied everyone I’m following onto a list.

Going list-based

Whenever I’ve seen an account following no-one, I’ve thought it was odd. Possibly even a little arrogant.

How do they keep in touch with people or see content? Are they just broadcasting, rather than interacting?

The answer is: use lists as an alternative timeline. But because you’re not following anyone, you’re in more control of what you see.

If you’ve unfollowed everyone, why should I follow you?

I’m not sure that you should, in the traditional sense at least. Everyone has to make platforms work for them: for some that will mean using the follow function, for others it’s lists.

Lists let me ‘follow’ and keep in touch with the people I want, but in a more healthy way. The existence of lists – and their comparable functionality to the timeline – shows just how much of a vanity metric a follower count is.

Oh, and lists are ad-free, too.

For now, this is an experiment. I’m interested to see if it improves Twitter and makes it easier to cut out toxic stuff.

If you want to do the same thing without the command line, I found this script that worked pretty nicely.

Update: January 2022

Since I wrote this, several people have been in touch to tell me they’re going list-based or talk about the idea.

The benefits to going list-based aren’t always immediately clear, but Anil Dash succinctly noted one of the main upsides of taking this approach:

One of the most immediate benefits is that, when something terrible happens in the news, I don't see an endless, repetitive stream of dozens of people reacting to it in succession. It turns out, I don't mind knowing about current events, but it hurts to see lots of people I care about going through anguish or pain when bad news happens. I want to optimize for being aware, but not emotionally overwhelmed.

That last sentence is a great summary.

From Anil’s Personal Digital Reset post:

Some of the reason for resetting my follows is to reflect my own changing interests in what I want to read or learn about, but also to ensure that I’m not (for example) just following some news account that only ever causes me stress when it updates.

The main downside of unfollowing everyone is that you lose connection to people with locked accounts. One option would be just to follow these people, but as Morten Rand Hendriksen noted:

Among the people I used to follow were several women, BIPoC, and LGBTQ2+ who made their accounts private due to ongoing harassment and other unwanted interactions. ... In hindsight this was an obvious consequence, and there's currently no meaningful workaround for it: If I were to only follow people with private accounts, that would be very obvious to anyone paying attention, and would highlight the private status of these accounts. And because the accounts are private, adding them to a list makes no sense because the posts from these accounts are private and thus not visible to me.

Perhaps Twitter will let private account users accept/deny list requests at some point...

Articles + resources on going list-based

]]>
https://davesmyth.com/privacy-marketing <![CDATA[Balancing privacy & marketing]]> Dave Smyth 2020-10-17T00:00:00+00:00 What does it mean to run a privacy-focused business? What does that look like and involve? Is it just GDPR – cue eye-rolls – or is there more to it than that?

These are some of the questions I’ve been thinking about recently.

The introduction of GDPR in 2018 created mass panic as businesses raced to meet the deadline. To many, compliance was – and in some cases still is – seen as needless hassle.

I’d guess that’s in no small part due to the nature of the topic and its role as regulation. But it’s also a complex area with plenty of nuance, something borne out by the number of larger companies that either don’t understand or choose to ignore the legislation.

Privacy is a much bigger topic than GDPR.

The Wild West of the Web

We’re emerging from somewhat of a wild west of data collection.

For years, websites and internet services have been collecting anything and everything they can about users. Often without user consent or awareness.

This is frequently justified as ‘essential analytics’ or ‘optimising advertising’. But the real reason businesses do it is that collecting this data is easy and cheap/free. And because they can.

Marketing > privacy

It’s easier to pitch the benefits of marketing (money) against user privacy (expense, hassle, legal). And business owners have been told they need to collect All The Data to optimise their sales and increase margins.

A classic example would be email marketing. Most mailing list platforms allow marketers to track:

  • When a recipient opens an email
  • How often they’ve read an email
  • Where they are when they read it

This is often possible even after a user unsubscribes. Some mailing list providers will even opt out users who they don’t think have read emails in a while (i.e. recipients who block these trackers).

Many recipients will have no idea they’re being tracked in these ways. They’re certainly not made aware of this when they sign up.

Running a privacy-focused business

Here’s the rub: many of us don’t like the idea of our data being harvested, yet we’re happy to track users because money.

It would seem that if we want to effectively market to users and respect their privacy, that creates a tension. Is that the case or does it just require a change in thinking?

Let’s say we turn off email tracking and don’t send data to Google or Facebook. Perhaps – instead of a ‘loss of insight’ – we can view it as an opportunity to build better relationships with audiences and customer bases, rather than relying on spying on their habits.

The privacy scale

I’m no expert in this field and – at a micro scale – I’ve used some of these privacy-invasive tools in the past. Things like:

  • Aggregated data on open rates, clicks and audience locations in mailing lists
  • Subscriber tagging for email sequences
  • Demographically targeted Facebook and Google ads
  • Session recording (with tools like FullStory)

These things are daily practice in the marketing world, but in hindsight they feel pretty icky, even at the tiny scale I used them.

Of course, tools that offer analytics encourage users to use them. As a small business, it’s easy to think using them has little bearing on privacy matters: it’s the big advertisers that are doing the really nasty stuff, right?

I’d guess that, combined, all the small businesses that use these services inadvertently contribute significant amounts of data to these big tech firms.

I’m also conscious that there’s a sliding scale. It would be difficult – reckless even – for a business to stop advertising on Facebook or Instagram if that produces a significant portion of its revenue.

That might present an opportunity to build alternative and privacy-focused marketing streams, with a view to reducing the need to advertise on those platforms. But that’s not going to happen overnight.

Stepping away from the data

Moving away from these tools takes time, effort and money. It’s work.

That’s assuming we’re aware of what the problems are and how we can resolve them: whether that’s changing settings or using alternative services.

There might be clear alternatives to services like Gmail or Google Analytics. But what are the options for businesses who rely on retargeting or other data-reliant techniques?

I’ve started to pull together lists of resources and articles that have helped change my thinking on these topics. For now, it’s mainly a series of connected and unconnected thoughts.

I’ll share these in my mailing list – there’s a signup below – but I’d also be interested to hear from freelancers and small business owners who are thinking similar things.

]]>
https://davesmyth.com/cookies <![CDATA[Cookies]]> Dave Smyth 2020-07-19T00:00:00+00:00 Cookies present issues for website owners and users alike, and they’re nothing new. While the GDPR and PECR legislation have encouraged companies to proactively consider user privacy, the basic cookie requirements are neglected on a large number of sites.

Cookies fall into two categories: essential and non-essential. The Information Commissioner’s Office (ICO) describes essential cookies as:

...strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

Good examples of this would be cookies that determine whether a user is logged in or not, remembering the items in a user’s shopping basket, etc.

Everything else is a non-essential cookie.

That might include cookies that:

  • Improve a user’s experience
  • Provide marketing data (e.g. Facebook Pixels)
  • Track users around the internet

The same cookie might be classified differently on two sites depending on the functionality that a site requires.

One of the key points around cookies in the PECR is that websites must seek consent before setting non-essential cookies:

Just because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, is not a valid reason to pre-enable it.

Crucially, analytics cookies are not classed as essential, therefore permission should be sought before these are set.

The ICO article goes on to further explain – in clear terms – what is considered valid consent. Valid consent does not include cookie banners that:

  • State “by continuing to use this site you accept our use of cookies”
  • Over-emphasise “Agree” or “Accept all” buttons
  • Don’t allow users to make a choice

I don’t have data on this, but almost every website I’ve checked that uses a service like Google Analytics sets the cookie before the user accepts/rejects permissions. Many of these don’t give users the choice to turn non-essential cookies off.

These breaches aren’t limited to small companies that may not have the resources or time to fully explore/understand these laws.

Here’s a screenshot of the cookie permissions page from Channel 4’s All 4 app:

The All 4 app’s settings don’t let users turn off analytics cookies.

It’s impossible for users to turn off analytics cookies. Channel 4 explains their rationale for requiring this as follows:

The policy states, “We can’t fix or improve what we can’t measure. We receive information about the programmes you watch, the parts of our service that aren’t working well, and which version of a page works best. We access descriptive information about your device, such as model and manufacturer, and use a first part cookie to recognise it. We use viewing information to serve more relevant advertising. We never access personal information from your device such as your name or email address”.

In short, they justify requiring these cookies on the grounds that:

  1. They want to ‘improve’ the service
  2. They need to know what device you’re using
  3. They want to serve more ‘relevant’ ads to you

Apparently, that’s all ok because they ‘never access personal information from your device such as your name or email address’.

That seems reasonable, right? Yes, except for two points:

  1. Using the app requires a user to be logged in. That means the information is already associated with the user (irrespective of accessing a name and email address).
  2. Setting these cookies is explicitly prohibited.

This is an organisation that clearly have the resources to be clued up on this stuff. And they’re not the only ones to ignore these regulations: I’ve seen many companies take a similar approach.

Why don’t they comply?

The underlying issue is that if sites fully complied with these laws, their current methods of collecting analytics data would mean their data is seriously inaccurate. Every user who didn’t specifically allow statistics cookies would not be counted and their movements around a site wouldn’t be tracked.

There are privacy-focused alternatives, like Fathom (that’s an affiliate link) or Simple Analytics, but the technical limitations of not setting a cookie limit the available data. To truly comply with the regulations would require companies to take a different approach to collecting and interpreting the available statistics.

That may also mean a change to online advertising models, too.

These are not bad things.

But while companies feel free to flout the regulations, analytics data is cheap and easy to come by: “cheap” if you’re not the user, that is.

Future solutions

Banners and notification overload are one of the difficult things about this whole malarkey. Even if a website uses a cookie wall, many users will accept all cookies because:

  • They just want to get rid of the banner
  • It might be the highlighted option
  • The microcopy might be confusing (e.g. “Accept all”, “Accept”, “Save” or “Save all”)

Or they may even be happy to have their data collected.

We already know that users don’t like waiting a long time for a website to load. The last thing they want is to wade through a load of complicated – and technical – options to decide on cookie use.

One solution would be for this to be tackled at the browser level. Browsers could define a way for websites to declare essential and non-essential cookies: the latter could be further divided into common subcategories (“Marketing”, “Analytics”, etc).

Website owners could then hook their cookies into these and users could set their default preferences for all sites, with exceptions as they want.

A widespread approach like this would encourage companies to finally take note of the cookie requirements, but it’s difficult to see this happening.

Google develop Chromium which powers Google Chrome, Microsoft Edge, Brave and others – possibly as much as ~60% of internet browsers. They almost certainly benefit from the data collected through Google Analytics and Google Ads – both services that need cookies to work best.

For general internet users concerned about online privacy and whether companies should be rewarded for ignoring regulation, now would be a great time to consider using Firefox as their main browser. It’s an excellent browser with a privacy focus, demonstrated by their recent rollout of Facebook containers that stop Facebook tracking users around the web.

Browser diversity is important for all users if the web isn’t going to become a monopoly. If there is only one browser – and that browser happens to be controlled by a company who benefit greatly from the collection of ‘free’ data – the future for user privacy looks bleak.

]]>
https://davesmyth.com/gumroad-vs-payhip <![CDATA[Gumroad vs Payhip]]> Dave Smyth 2020-07-06T00:00:00+00:00 Gumroad is one of the most well-known platforms for selling digital products. I’ve used it to sell on both Work Notes and CSS For Designers.

After some recommendations and exploring the features, I switched both sites over to Payhip. About a month later, I switched CSS For Designers back.

The two platforms offer similar functionality. Integrating the services is similar but not the same and even the design of the dashboards is similar.

So, why the change and why the change back?

Pricing

One of the most obvious differences between the services is pricing. Gumroad offers:

  • A free tier where the transaction fee is 8.5% + 30¢
  • $10/month tier (for fewer than 1,000 customers) with a reduced fee (3.5% + 30¢) and some other benefits

Payhip’s free tier is a little more generous. There are no feature upgrades, just lower fees:

  • Free tier: 5%
  • $29/month: 2%
  • $99/month: no transaction fee

Despite this, cost wasn’t really a consideration for me. Both services have free tiers with an option to upgrade when sales volumes justify it.

Switching

There were a few key features that attracted me to switch both of my sites to Payhip.

Currency

Payhip can charge customers in GBP. Gumroad can display prices in GBP, but customers are always charged in USD.

This caused some friction in the payment process as customers:

  1. Weren’t sure they were charged in USD
  2. Might be charged conversion fees by their bank
  3. Were confused why a UK-based site would charge in dollars

These concerns are understandable and cause needless friction.

EU Digital VAT

One of the main benefits of both of these services is that they totally relieve sellers of dealing with EU Digital VAT.

Payhip even allows sellers to choose whether EU Digital VAT is added on top of the list price or absorbed into the price. That’s a really nice feature.

Integration similarities

The integration for Gumroad and Payhip is remarkably similar. Payhip’s is a little more cumbersome, but there’s barely any difference.

Even Payhip’s Webhooks are remarkably similar to Gumroad’s Ping. This made the switch fairly straightforward.

Payouts

One other difference is how payouts are handled. Gumroad holds all payments for a week before issuing payouts through Stripe on Fridays. On Payhip, payouts are made one week after each purchase.

This is a plus and a minus. On one hand, Payhip pays out quicker, but that can mean a significant increase in bookkeeping.

It also seems that Payhip’s refunds need to be handled through Stripe, rather than the Payhip dashboard. On Gumroad, this is handled through the account.

Payhip’s missing features

Switching to Payhip was remarkably easy, but after some time, I found some subtle differences and feature limitations. Ultimately, these caused me to switch CSS For Designers back to Gumroad.

Gumroad have developed lots of new features for variable products and subscriptions. A particularly useful subscription feature is the ability to automatically suspend a subscription after a specified period.

This isn’t possible on Payhip yet. Depending on your use case, that could be a dealbreaker.

Another longstanding feature on Gumroad is the ability to set suggested prices on pay-what-you-want (PWYW) products. Payhip offers PWYW pricing, but there isn’t an option to set a suggested fee.

That might not seem like a big deal, but if customers can pay anything, it’s useful to give a suggested value (e.g. $5).

Lastly – and this is a big ’un – Payhip requires users to opt-in to mailing list integrations. When I contacted their support, I was told this is for GDPR reasons, but there are lots of legitimate GDPR-compliant reasons that a seller might want to add users to a list (e.g. transactional emails).

Gumroad lets sellers automatically add users to mailing lists, which is useful for follow-ups and other things. If transactional emails are important, this is a big consideration.

It’s also worth mentioning Gumroad’s workflows. These allow sellers to send automated follow-ups through the Gumroad interface, which is a nice feature not available through Payhip.

Wrapping up

As ever, the Devil’s in the details. Many of these differences aren’t clear from the feature descriptions on either Gumroad or Payhip.

Both platforms have some great features, though neither is perfect. Ultimately, it made sense to move CSS For Designers back to Gumroad, but I’ve kept Work Notes with Payhip.

]]>
https://davesmyth.com/thoughts-on-hey <![CDATA[Thoughts on HEY]]> Dave Smyth 2020-06-27T00:00:00+00:00 The launch of HEY has been pretty divisive. That might be expected given the founders have created such an opinionated product for a fundamental internet function.

I’m coming to the end of my trial and it’s been a positive experience. It’s not a perfect product, but it’s already improving my email workflow and I’m interested to see what happens next.

Background

Like many people, I use email as a to-do list, and not a particularly functional one. Unread messages needed to be actioned, and I’d be hoping not to accidentally leave a message ‘read’ or archive it.

For years, I used the native Gmail app. This worked ok, but switching between email services was a bit of a hassle, especially as I had six email accounts to check:

Things improved when I started using Spark. I particularly liked the calendar integration and how pinned emails displayed, but some ongoing sync issues forced me to rely on backup email apps.

Using HEY

A few things stood out to me as attractive HEY features:

  • Screening emails
  • Bunching emails from a single sender
  • Focus & Reply
  • Separation of Reply Later and Set Aside
  • Renaming email subjects
  • Privacy-focus

A couple of years ago, I looked into the possibility of blocking all incoming emails except for specific senders. This is possible with Boomerang, but only on their $15/month plan.

Though HEY doesn’t offer this exact functionality, I thought the combination of services might help to achieve the same effect: reducing day-to-day email clutter and everything that brings.

Email workflow improvements

Here are the benefits I’ve found:

  1. Screening emails forces me to make a decision about a sender. That might mean accepting but unsubscribing, sending all emails to The Feed or something else.
  2. Bunching emails from a single sender is incredibly useful for some clients who might send several emails a day.
  3. Reply Later, and specifically the Focus & Reply mode, is a great productivity hack. Previously, I’d have replied to things immediately, but I now bunch up emails that might take a few minutes and crank through them in a much more efficient manner.
  4. The Feed is a neat way to browse newsletters and other promotional stuff. As the emails are already open, I actually look at the content: something I never did in Gmail’s Promotions/Updates/Forums folders.
  5. As someone who uses email as a to-do list, Set Aside (pinning) is a useful separation from Reply Later.

The combined effect has been a much calmer email experience. Even though I usually have emails to respond to, the Imbox is regularly empty: something that almost never happened before.

Improvements

A few things I’d like to see:

  • The ability to automatically filter emails by subject/body content as well as the sender. This is already possible on a per-email basis, but it would be nice to automate this.
  • Calendar integration.
  • Schedule send – I can reply later, but I don’t necessarily want the emails to go out then.
  • Easier mark read/unread in the Imbox and Feed.

Custom domains will roll out soon. That will be another good thing as “business” accounts/custom domains will bolt on to personal accounts: no account switching.

It’s been encouraging to see how the founders have responded to feedback, so it will be interesting to see where they take the product next.

Summing up

One of the main attractions about this product is that it’s privacy-focused. For me, that alone justifies the price (as it does with services like ProtonMail).

There’s no doubt competitors will copy features that prove useful. But the privacy aspect is something HEY will always have over much of the free competition.

It’s true that HEY might not be completely revolutionary: I could have replicated some of the features and sorted out a much better email system with filters and blocklists. But even after all these years, I hadn’t done this.

For me, that’s where such an opinionated service is handy. I don’t want to have to make decisions about how to sort out my email: for now, I’m quite happy to use HEY’s system.

That won’t be the case for everyone. If you’ve got a good system in place and like how your email works, HEY might not be an improvement for you.

For me, the UI and email workflow have forced me to change the way I manage email. So far, that’s been a good thing.

]]>
https://davesmyth.com/leaving-facebook <![CDATA[Leaving Facebook]]> Dave Smyth 2020-06-05T00:00:00+00:00 After fourteen years of Facebook activity, I’m finally deleting my account.

I’ve barely used Facebook in a personal capacity for a few years. More recently, it’s been useful to keep in touch with friends and family, but there’s always email or phone.

I’ve also benefitted incredibly from the freelance groups I’ve been a part of:

For any freelancers on Facebook, I’d heartily recommend checking these groups out.

Now feels like the right time to cut ties with Facebook. I recognise that being tech-agnostic is somewhat of a privilege, but I don’t think sticking around for my own convenience is justifiable any longer.

Why now?

I’ve been uncomfortable with Facebook for a long time. Since the Cambridge Analytica scandal, Facebook haven’t done anything to improve the quality of – or ban – political adverts.

Twitter is hardly perfect, but at least it banned political ads.

Facebook isn’t free

I’ve been listening to “Oversubscribed” by Daniel Priestley recently. In one chapter, he describes how companies that don’t heavily target their ads are at a serious competitive disadvantage.

He goes as far as to say they’ll be run out of business.

An overdramatisation perhaps, but it’s pretty stomach-churning to think about the data profile we let these companies collect. For free.

In my fourteen years as a Facebook user, they’ve collected over 700MB of data about me. Images and videos make up 200MB of that, leaving over 500MB of messages and profile-building data.

To put that into context, the text in this post adds up to 4kb. Facebook’s collected 125,000 times that data in 14 years.

That’s roughly 35MB of text/profile data per year. Or 3MB per month.

All the time this data profits Facebook’s advertising model. Whether that’s companies targeting users for products or political parties during a campaign.

Targeted advertising and unethical user tracking have to end.

Facebook is not neutral

Twitter stirred up news when it started moderating Donald Trump’s tweets. This is no love letter to Twitter: the Will they suspend me? account demonstrates beautifully that not all tweets are treated equally.

But Facebook refuses to do anything. At some point, we have to decide whether we want to be associated with – and fund – a platform that chooses silence over action.

Instagram & WhatsApp

These Facebook-owned platforms are trickier to leave. WhatsApp might be easier as there’s a direct competitor in Telegram – I’ll need to convince family to move to that.

I mainly use Instagram to support freelancers and small business owners through Work Notes. For now, it feels more important to continue that work than to leave – at some point that might change.

September 2021 Update

Totally correctly, it was pointed out to me that this article initially gave a shout out to Telegram. I strongly recommend Signal instead: in fact, I got my family to move to that from WhatsApp!

Also: I deactivated my Instagram accounts many months ago. No great loss.

Lastly: Inspired by Matt Baer’s Delete Your Facebook, I’m logging relevant articles in Bookmarks.

]]>
https://davesmyth.com/video-feedback <![CDATA[Using video for design feedback]]> Dave Smyth 2020-05-22T00:00:00+00:00 Getting design feedback can be tricky.

Everyone knows you shouldn’t just send a mockup and ask what do you think? But in an age of online meetings, Sketch, Figma, Invision and whatever else, how do you get away from that?

Introducing video

On the Boagworld podcast, Leigh Howells talks about presenting designs through video. He says this tackles a few common issues:

  1. Anyone watching the video can’t see the design without hearing the commentary. Though this is technically possible, they’re more likely to listen to commentary than read a long email.
  2. This extends to comps passed on to people outside the project team. Even if you take the time to explain a comp to someone, there’s nothing to stop a client forwarding that on to someone with a no-context “whaddya think?”
  3. If there’s anything demonstrated in a browser, it lets you present quick code mockups in a browser that you know works. This reduces the chance of a key decision maker loading your demo in IE5 and asking why it doesn’t work.

First attempts

I’ve been experimenting with this idea on-and-off for a while.

Initially, I was recording my screen and uploading to Vimeo.

Don’t do this unless you like dealing with:

  • Huge file sizes, likely requiring reformatting
  • Bad aspect ratios
  • Long upload times

Urgh.

I now use Loom and it’s brilliant:

  • You can choose whether to record the whole screen or a single window
  • The app can include a video of you in the corner, which makes the recordings more personal
  • There’s no upload time and links are instantly shareable
  • Loom can tell you when a client has viewed the video...if you need that...

Presenting initial ideas

Taking the lead from Howells’ method, I’ve started using video to present all initial design ideas.

Starting with wireframes, I’ll send a video that talks through the decisions I’ve made and the considerations behind them. I might also discuss ideas that didn’t make the cut and why. Demonstrating this through video is really straightforward.

Introducing video so early in the process gets the client used to receiving design ideas in that format. When we move to higher fidelity mockups, video really comes into its own.

Mockups

At this stage, I’ll start by covering everything we’ve done so far:

  • Research
  • Project goals
  • Moodboards/references
  • Wireframes

Going over this helps clients to understand how the mockups have come about. The designs shouldn’t be a huge surprise.

The video format lets me discuss colour, type, layout and other design ideas in context. That can be difficult in other formats.

It also allows me to address potential objections before they’re raised. Demonstrating why the logo isn’t bigger, possibly by resizing it on-screen in the video, can be incredibly powerful.

Addressing feedback

It can be difficult to describe usability or accessibility issues in an easily understood manner. I find that using video helps clients understand much more easily, and it reduces any feeling that it’s just an excuse.

If you’ve ever had clients ask you to centre/justify paragraphs of text, or use illegibly light grey text, you’ll know that these can be difficult arguments to win. Even if video doesn’t change the result, it can help clients understand in a way they couldn’t before.

Other benefits

Once a client has seen a demonstration, I’ll send them a link to the Balsamiq/Invision project. These apps are great for feedback, but there is still a (small) learning curve.

The video format lets me quickly explain how these interfaces work, helping clients feel confident to add feedback in the app.

Another side effect of video is that the service feels much more personal. Every client I’ve done this with has loved receiving the videos, being talked through the process and the decision making.

In turn, that helps to get clients on board and become advocates for the work you’re doing. In my experience, at least.

None of these things are exclusive to presenting through video, but I’ve found it to be an incredibly effective way to communicate with clients.

]]>
https://davesmyth.com/personal-site <![CDATA[Launching a personal site]]> Dave Smyth 2020-05-21T00:00:00+00:00 As I launch this site, I maintain several projects:

Each of these has a blog. I write about CSS on CSS For Designers, freelancing at Work Notes and design/website things at Websmyth, so why another one?

There are still things I want to write about and document, that don’t fit neatly into those categories:

  • Thoughts about design process
  • Short posts/articles
  • Things I’ve learned
  • Unfinished thoughts/ideas

That’s the plan. Let’s see what happens.

]]>
https://davesmyth.com/q/font-sizing <![CDATA[Font sizing]]> Dave Smyth 2019-12-16T00:00:00+00:00 Desktop browsers tend to render fonts at 16px by default. There is a rationale for reasonably large defaults: anything else risks alienating a huge swath of users, many from older populations whose eyesight has deteriorated. “But my audience is young and hip!” I hear you say. Sure, but generous font sizes don’t offend young, keen-eyed folks. The key to inclusive design isn’t to target specific groups, it’s to not exclude groups arbitrarily — there’s nothing to gain.

]]>
https://davesmyth.com/q/inclusive-design <![CDATA[Inclusive Design]]> Dave Smyth 2019-12-16T00:00:00+00:00 The key to inclusive design isn’t to target specific groups, it’s to not exclude groups arbitrarily — there’s nothing to gain.

]]>
https://davesmyth.com/q/creativity-time <![CDATA[Creativity + Time]]> Dave Smyth 2014-05-25T00:00:00+00:00 There is no equation which shows that an increase in creativity is a direct cause of the time spent.

]]>