Dave Smyth 2023-03-09T00:00:00+00:00 <![CDATA[Screen Time Security]]> Dave Smyth 2023-03-09T00:00:00+00:00 Joanna Stern’s recent WSJ report showed how thieves can change a user’s iCloud password with the phone and passcode only. In most cases, this permanently locks the user out of the account, meaning they lose access to years/decades of photos, notes and other irreplaceables.

One of the tips to arise immediately is to use an alphanumeric passcode rather than a short numbers-only code. But if a thief shoulder surfs your alphanumeric passcode - or records it on a phone to playback later - that doesn’t help.

It turns out the steps below don’t prevent account changes – thieves can still go through a password reset flow even if you follow step 5.

I’m leaving these instructions because these steps may thwart thieves who don’t understand why the account is greyed out.

It turns out you can use the Screen Time feature in iOS to prevent account changes make it seem that account changes aren’t possible. Here’s how:

  1. Settings > Screen Time > Content & Privacy Restrictions
  2. Enable the Content & Privacy Restrictions at the top of this page, and change the Account Changes option to Don’t Allow
  3. Go back to Screen Time and select Use Screen Time Passcode
  4. Enter a different code to your phone’s main passcode
  5. When you’re presented with the Screen Time Passcode Recovery screen, select Cancel then Skip
  6. When you return to the Settings page, your account section (with profile picture) should be greyed out and not selectable.

To change these settings in future, enable Account Changes in Screen Time (same steps as above). Don’t forget to disallow Account Changes again when you’re finished.

Following these steps should stop a thief changing your iCloud password. Even if they have your phone and passcode, they won’t be able to make account changes unless they also have your Screen Time Passcode (which they won’t).

]]> <![CDATA[Stage Manager first impressions]]> Dave Smyth 2022-10-28T00:00:00+00:00 Ever since Stage Manager was demoed at WWDC 2022, I’ve been keen to give it a go. The idea of grouping windows by project, task or any other theme is really attractive to me and it looked like it did just that.

In the months leading up to the release of macOS Ventura, Stage Manager has received a largely negative reaction in the coverage I’ve seen. I suspect that’s mostly because of the myriad Stage Manager issues in iPadOS.

But I’ve been using it over the last few days and I’m pretty into it.

Stage Manager vs Spaces

Years ago, I tried Spaces. That kind of worked, but I didn’t like zapping between screens. That was particularly annoying if I opened an app forgetting it was in a different Space as I’d find myself whisked away from what I was doing.

(This may have changed since I last used Spaces – apologies for any mischaracterisations here.)

To me, Stage Manager feels like a more manageable and flexible version of Spaces. There’s no desktop-wide transition and, if you happen to open an app forgetting it’s in a different Stage, it’s easy to visually move the app or reorganise your Stages.

Spaces are relatively flexible, but the setup always felt a bit more fixed, not least as apps could be set to specific Spaces. Stage Manager seems more ephemeral: set up a Stage that you need right now and close it when you’re done. Or don’t.

Workflow options

I particularly like that apps with multiple windows (i.e. browsers) can have windows in different Stages. That gives a real flexibility to how Stages are grouped: they can be hyper-focused to a specific task/project or more general (i.e. a productivity Stage).

Now if the Notes app could open multiple windows, that would be very handy...

I also just discovered that making a window full-width in Stage Manager causes the sidebar to move off-screen. It then reveals on-hover, like the Dock can, which makes for an interesting use case on smaller screens.

All-in-all, I’m enjoying Stage Manager so far and would recommend giving it a go, particularly if you’ve tried Spaces previously and didn’t quite get on with it. Stage Manager definitely won’t be for everyone, but it’s good that Apple continue to over multiple workflows without forcing a specific technique on their users.

]]> <![CDATA[Backing up my Mac]]> Dave Smyth 2022-08-27T00:00:00+00:00 At the end of 2021, I had the misfortune of needing to reinstall everything on my main computer. Something had crashed and the only way to get my computer working was to do a fresh install.

I was using Time Machine on a local HDD and a Popular Backup Service™ – let’s call it, I dunno, Blazing Backups – for remote backups. One of the attractions of Blazing Backups was that it also offered a service to send a physical drive in case of emergency.

As it turned out, neither of these worked particularly well and restoring was an incredibly time-consuming process. It took over a week to get things back to normal.


Firstly, Time Machine completely failed. I’m a little fuzzy on the details now: I seem to remember the drive could be seen by the new device but it either wasn’t possible to restore from it or it hadn’t been backing up useful things. Either way, it was unusable.

And Blazing Backups was not a great experience. The online interface for manually accessing files was clunky and download speeds were incredibly slow. It took a few days of back-and-forth to get the files downloaded, on 200mbps internet, to download a little over 1TB of data.

I considered asking them to zip up the files on a physical drive and send it, but I was told it could take 2–3 days for this to even be dispatched. The packing time, shipping time to the UK and poor-timing of needing the service around holidays meant that delivery alone could have taken two weeks!

Of course, Blazing Backups can’t do anything about these things: it’s reasonable for there to be some time in preparation and shipping times are out of their control. But if you’re unlucky with holiday breaks when you need the back up, the physical disk option may not be as useful or quick as it sounds.

In some senses, my backup strategy worked: my first backup failed, but I was still able to get my files back. There will always be some disruption when your system is wiped, but this whole experience was incredibly suboptimal. I knew there must be a better way.

New strategy

Everything, except project files is stored/managed through Sync (not an ashilliate link – if you would like an extra 1GB use this link instead). It’s end-to-end encrypted and basically as easy to use as Dropbox local.

This entirely replaces my desktop. The beauty of this is that setting up a new computer is incredibly quick:

  1. Download the Sync app
  2. Choose the highest-priority folders to download
  3. Sync other folders later
  4. Download and install other apps as needed

I also use Super Duper for the local backup. This has the added advantage of also backing up applications not just files, something that Blazing Backups didn’t offer.

Project files are stored in git repositories, so those are synced very quickly.


The only downside of Sync is that, unlike Dropbox, you can’t run multiple accounts on the same computer through the local app...yet. But I’m willing to trade that for the end-to-end encryption.

I also wondered about the environmental impact of going all-in on a cloud setup. But this may actually have reduced my cloud use as I was previously using Dropbox in addition to the Blazing Backups service, so everything has been consolidated to a single place – no duplication.

Check your backups

The advice is always to test your backups. In particular, I’d suggest checking out your remote backup’s interface for restoring files: if it’s clunky and slow, moving to a cloud service might be a better option in case of emergency.

]]> <![CDATA[Mac Recommendations]]> Dave Smyth 2022-08-26T00:00:00+00:00 “Which Mac should I buy?” comes up fairly often in communities I’m in. There are a lot of options – especially as Apple haven’t completed their transition from Intel to the M-series chips yet – but here are some general recommendations.

All the usual caveats apply to this: your mileage may very, question all advice (even this), etc...

Don’t buy an Intel

Only buy a MacBook with an M1 or M2 chip. Support for Intels will decrease significantly over the next year or two and the M1/M2’s wipe the floor with the previous chips from a performance POV – a different ballpark altogether.

Avoid the 13” base model MacBook Pro

If you buy an M1 or M2, don’t buy the 13” base model MacBook Pro – these are the worst machines in the M1 and M2 line-ups (a spec-matched MacBook Air is usually a better choice despite the ‘Pro’ name).

Airs and Minis

Related to the 13” MacBook Pro advice above, M1/2 MacBook Airs and Mac Minis are excellent computers for most people. With upgraded space and RAM they’ll suffice for most use cases.

If you’re coming from an Intel, an M1/M1 Pro will likely be a huge upgrade from what you’re used to and it may not be worth spending more on a Max or Ultra. If you need that extra power, you’ll probably know.

Upgrade the M2 disk space

If you buy an M2 MacBook Air, be sure to upgrade the disk space to at least 512GB – there’s a bit of a performance dip on the base storage model (256GB).

Processor upgrades are optional

The old advice for Intels was “max out the processor”, but this is much less important than it used to be due to the way to M1/M2 series chips work. In lots of testing, the upgraded chips offer little-to-no real-world improvements.

If you can afford it, do it – if it’s a choice between that and extra storage or something else, the processor is probably less important.


Similarly, your RAM needs on an M-series chip may be lower than previous Macs. I’d still recommend buying the maximum you can afford, probably a minimum of 16GB unless your laptop use is incredibly light and/or not business critical.

Any 14”/16” M1 MacBook Pro should be good!

The choice mostly comes down to screen size.

Laptop or desktop?

With Apple’s transition to M-series chips, there is no real performance difference between a desktop and laptop machine equipped with the same chip (i.e. an M1 Max Mac Studio vs an M1 Max MacBook Pro). So if you’ve previously had a desktop and laptop, you might be able to consolidate the machines.

Apple Studio Display

The main reason to buy an Apple Studio Display over other options is that it’s one of the only displays on the market that offer a 5K resolution at a native size. That means that the pixels aren’t scaled up like they are on 5K displays at bigger display sizes.

The build quality is excellent and, despite the poor reviews, I regularly get comments on the quality of the camera – despite previously using a front-facing iPhone 7 camera.

Last updated: 26th August, 2022

]]> <![CDATA[182.5 days alcohol-free]]> Dave Smyth 2022-07-18T00:00:00+00:00 182.5 days ago, I unintentionally gave up alcohol for good. For now, at least.

I had no intention of joining Dry January, but by the middle of the month I’d decided to give alcohol a little break. Nothing in particular triggered it, but I downloaded a copy of The Unexpected Joy of Being Sober and started listening.

A few interesting takeaways included:

  • The author, Catherine Gray, talks about where she was on the scale of alcoholism (1–10), which is an interesting concept in and of itself
  • Recognising that alcohol intake – and one’s position on that scale – often creeps up by the breaking of small, seemingly inconsequential rules. “I’ll have a dry night…ok just one…ok just two…”
  • Everyone knows that alcohol is an addictive substance, but society doesn’t recognise it. There should be no shame in abstaining because drinking in moderation might be difficult due to its addictive nature.

As Gareth K Thomas put it, I’m an abstainer, not a moderator (origionally inspired by Gretchen Rubin).

Gray recommends that anyone interested in reducing their alcohol intake takes at least 90 days off. If that seems too difficult, start with 30.

So, in mid-January, I decided to take a break for 30 days and go for 90 if that went well.

Here’s what I’ve learned:


Alcohol-free beers are amazing, and I wouldn’t have got this far without them. Lucky Saint, Beavertown’s Lazer Crush, Free Damm and Brooklyn’s Special Effects are all worth a look. Even Heineken’s alcohol-free beer isn’t bad.

Update: The Guinness 0.0% is incredible. I rarely drank Guinness, but this AF version is pretty close: it tastes great and has something of an ale-y quality. Easily the best AF beer I’ve tried.

A key realisation for me was that drinking alcohol-free beer gave me about 70% of the enjoyment and relaxation compared to an alcoholic beer. Of course, it’s not the same, but it’s close enough. And, for me, the downsides of drinking aren’t worth that extra 30%.

Day tracking

I never thought that day tracking would be for me, but I’ve found it incredibly effective.

At the beginning of my alcohol-free stint, I hit lots of mini milestones. These generally prompted one of two thoughts:

  1. “I don’t want to break this streak”
  2. “I don’t want to have to start this streak again”

It’s so helpful I’m now day counting a reduced sugar intake. As I write this, I haven’t eaten chocolate in three weeks.

I use Days Since.

Day 40

About 40 days in, I realised I didn’t miss drinking at all and I was going to give up for the foreseeable future. It’s amazing not to ever wake up with a slightly hazy head, regret having that extra drink or saying something stupid while your inhibitions were suppressed.

There’s something wonderful about waking up each morning with a totally clear head. It’s not impossible that I’d drink again at some point in the future, but for now I’m enjoying life alcohol-free.

There’s no decent red wine alternative

Or not that I’ve found. The only time I ever miss alcohol is when food would traditionally be paired with a red wine – but now that feels like a taste thing rather than desiring the alcohol per se.

If you know of a decent alcohol-free red wine, I’d love to hear about it!

Alcohol is no social lubricant

Like many people, I felt that alcohol helped me in social situations. But I’ve realised I feel no more relaxed or less awkward with an alcohol-free option.

Over the past six months, my choice of alcohol-free beverage has prompted lots of discussion about giving up alcohol. Almost everyone I’ve spoken to has said they want to cut down, it crept up over the pandemic, etc.

It turns out that ‘The Unexpected Joy of Being Sober’ is a brilliantly accurate title for the book. I didn’t even finish it as I’d decided to give up forever when I was about halfway through.

I’d wholeheartedly recommend it if you’re thinking of taking a break from alcohol for any reason. It’s honest, relatable and full of revelations on how we view alcohol and the pressures around it.

]]> <![CDATA[Facebook impersonation]]> Dave Smyth 2022-06-03T00:00:00+00:00 A little while ago, I came across a Facebook profile that used a photo of me as the avatar. It’s a seemingly old, inactive profile with a fake name (“Hi Hi”) and spam links.

The photo is from a gig several years ago – it’s clearly of me and I wanted it removed for obvious reasons.

According to the Facebook Community Standards in their ‘Transparency Center’(!), they care deeply about Authenticity:

We want to make sure that the content people see on Facebook is authentic. We believe that authenticity creates a better environment for sharing, and that's why we don't want people using Facebook to misrepresent who they are or what they're doing.

This is a case that would seem to be heavily related to authenticity, so let’s put this to the test.

Reporting options

There are a few options available to report:

  1. If you have a Facebook account, you can report the profile as impersonation
  2. If you don’t have a Facebook account, you have to fill in a form and provide government ID
  3. Report a copyright/intellectual property claim if you are the copyright holder

I tried method one from a now-deleted ghost profile. However, it’s only possible to report the profile – not the photo – and there’s no option to give context. So Facebook only sees a report that the entire account is impersonating. Facebook rejected the complaint immediately with no opportunity to follow-up.

I shouldn’t have to give Facebook my government ID for a case like this – notably a heavier burden of proof than creating a Facebook account – so option 2 is a no-go.

I also filed a Copyright Report Form. I provided the URL of the photo along with a copy of the original photo at full resolution to demonstrate ownership (something the impersonating account wouldn’t be able to provide).

Despite this, Facebook said:

Thanks for contacting us. Based on the information you’ve provided, it’s not clear that you are the rights owner or are otherwise authorized to submit this report on the rights owner’s behalf. Please note that we can only process reports from a rights owner or someone authorized to report on their behalf, such as a lawyer or agent.

I asked Facebook how I could prove ownership given that the photo was taken on my device. Their response:

We are writing to get additional details so that we can better understand your recent report. Based on the information you provided, it is unclear where the content you wish to report appears on our site. In almost all instances, the best way to help us locate content is to provide us with active web addresses (URLs) leading directly to that specific content.

In the report you filed, you did not provide any URLs (or one or more of the URL(s) you provided seems to be incomplete or inactive), and you did not otherwise provide a description of the location of the content sufficient for us to be able to find it.

If you are trying to report a post or story in your news feed, you can find its direct URL by clicking the time and date that appears in gray with the content (for example: "8 hours ago" or "August 11 at 10:30am.").

If you cannot provide URLs leading directly to the content you wish to report, please be sure to include information reasonably sufficient to permit us to locate the content, such as a description of the content and where it appears (example: on a particular timeline, in a photo album, etc.), dates/times of when the content was posted (usually indicated below the content), names of responsible users, and/or quotes of the content you wish to report as it appears on Facebook.

Please note that it is possible that the content you wish to report has already been removed from the site. If that is the case, you do not need to respond to this message.

Once you have provided information sufficient for us to locate the content you wish to report, we would be happy to look into this matter further.

Round-and-round the carousel we go: all of the requested information was provided in the initial contact.

This last email was sent on April 15th, 2022. I replied the same day with account information and the original photo again.

Facebook have stopped communicating and ignored a follow-up on May 2nd – over a month ago at the time of writing.

If Facebook can’t or won’t action basic requests like this, what hope do we have that they will take action on more complex issues?

]]> <![CDATA[Changing 186 email addresses]]> Dave Smyth 2022-01-15T00:00:00+00:00 As part of my ongoing de-Googling, I recently finished removing my old personal Gmail account from as many accounts as I can. Along with switching email provider, I’ve switched to using masked emails instead of an actual inbox.

My password manager revealed 186 accounts that needed updating. For each, I’d either update the email address or delete the account if no longer needed.

The flows and user experience varied greatly, but I hadn’t anticipated the number of issues that would come up.

Some of these were down to poor design. In once case, the email verification link failed if I wasn’t logged in, with no indication that I had to be logged in for it to work.

More concerning were the security and data protection issues that were revealed.

Security theatre

As you might expect, many of the password requirements limitations were horrendously weak: numbers/letters only, must be no longer than 10 characters. In one example the password had to ‘start with a letter’!

For reasons entirely unknown, a surprisingly large number of services forced me to contact support to change my email or delete my account. In many cases, I wasn’t able to change the email address at all.

This could be because the company/organisation wouldn’t permit it, or the reset flow was entirely broken (e.g. email not sent, the verification link didn’t work, etc). Tough luck if you lose access to your email account!

A surprisingly large number of services forced me to contact support to change my email or delete my account.

In one case, the company wouldn’t let me change email address without providing a screenshot of the inbox – impossible with a forwarding address! They only relented when I asked them to show me the requirement in their T&Cs for the account email address to have an associated inbox...

Many websites still don’t verify email addresses, too. This perpetuates entirely preventable unintended privacy and data breaches for people mistyping their email address.

Extraordinary data retention

It was concerning to discover that several sites I hadn’t interacted with in over a decade retained lots of personal data: name, phone number, history of delivery addresses, payment details, etc. This was true even in situations where a membership/subscription had lapsed many years ago or where I hadn’t purchased anything at all (e.g. abandoned checkout).

Are these places really “not keeping data longer than they need to” as their privacy policies so often claim? At what point would they delete this?

Many accounts also force individuals to keep unnecessary information on file. Why do we have to keep an address in our accounts? Or a phone number? Or our names?

In some cases, I wasn’t allowed to update a single piece of information – such as my email address – without also supplying additional information the company didn’t have: address, phone number, address, etc.

Several sites I hadn’t interacted with in over a decade retained lots of personal data

To combat this, I took a leaf out of Terence Eden’s book, entering ‘alternative information’ for required fields.

Lots of contact forms don’t practice data protection by design, requiring entirely superfluous fields: surname, address, phone number, date of birth. Some companies required me to enter credit card and transaction information just to change my email address.

Account deletion

I deleted a lot of accounts. In most cases this was because I was unlikely to need the account in future. But sometimes this was necessary as the company made it difficult/impossible to update information.

Very few sites make account deletion easy. Even fewer made it crystal clear that they delete your account and data. Account deletion is often framed as ‘deactivation’, which sounds suspiciously like they hold onto your data after deleting the account.

In most cases, deleting an account required searching through help pages, an internet search or contacting support. This led to a new personal policy: if a company doesn’t make account deletion easy or clear, I do a quick search of their privacy policy for their data protection officer’s email address and ask them to delete my data. This usually resulted in quick action.

NB: I wouldn’t do, or recommend doing, this to a microbusiness.

All I want is a big red button that says “delete my account and all associated data immediately”. Is that too much to ask?

This might seem over-the-top, but account deletion should be clear and quick. Users shouldn’t be forced to spend 10–15 minutes, longer if it involves contacting support, trying to work out how to delete their account.

All I want is a big red button that says “delete my account and all associated data immediately”. Is that too much to ask?

A permanent record for convenience

I’m glad I did this but it was work. It also revealed just how much of our personal data is peppered through the databases of companies we no longer have a relationship with.

Yes, this information is necessary to perform transactions. But it was surprising and concerning to see how many sites retain this data for many years after my last transaction or interaction. In more than a couple of cases, over a decade had passed since I’d last logged in.

There are clear and obvious benefits both to users and companies for data to be held for a period of time. But going back through so many accounts, it was startling to see so many pieces of still-accurate data (e.g. phone number) retained in accounts I hadn’t touched in many years. This digital trail also revealed many old addresses and the contact details/addresses of people I might have sent things to.

Where does the responsibility lie? Is it down to individuals to keep tabs on every single account they create or purchase they make? Should we all be making diary notes to check in and delete our details? Or should there be a standard point at which users are deemed ‘inactive’, after which their data is purged?

It seems the default position is to hold user data indefinitely, despite privacy policies frequently saying “we don’t hold data any longer than they need to”. Generally speaking, this statement seems worthless.

Should there be a standard point at which users are deemed ‘inactive’, after which their data is purged?

This causes problems for users, who seem solely responsible for cleansing their data from every single company they interact with, even if it’s not be clear or obvious their data is being held (i.e. when retained after an abandoned checkout).

And it could cause problems for companies, too: it increases the risk of unnecessary data being exposed in data breaches, which could lead to uncomfortable questions about their data retention practices.

If data was regularly purged when users become ‘inactive’, it would help users and companies alike. Individual’s personal data would be held in fewer places, their digital footprint would be minimised and companies would reduce their exposure in the event of a breach.

Ultimately, buying from or creating an account with a website doesn’t mean we give the company permission to hold our data forever. But in many cases, it seems that is exactly what’s happening.

]]> <![CDATA[Trace + Search]]> Dave Smyth 2021-12-29T00:00:00+00:00 My wife and I have been dealing with the fallout of a service companies use to try and identify people liable for unpaid bills. A few months ago, we were forward a bill from Ovo Energy, sent to our old address.

We were in a strong position to deal with this: there was no conceivable way we were liable and the due amount was small. But extracting information from Ovo about the trace and search process was tricky, and internet searches didn’t reveal much.

This account is to help others who might find themselves in a similar position and provide some transparency on what I’ve been able to discover about trace and search.

The episode also unveiled some data protection concerns: it shows how data is shared between third parties and the actions they might take. All without a subject’s knowledge or consent.

The invoice we received showed a billing period that started roughly nine months after we’d moved out: we weren’t Ovo customers when we left.

Our initial suspicion was identity theft. We knew that some mail hadn’t been redirected to our new address and wondered if a someone had tried to get away with dodging some bills.

We did a credit check to see if anything had changed on my wife’s account and called Ovo to ask about the bill. I was told my wife would be removed from the account and I should hear from someone within a few days...

Trace and search

Two weeks later, the only communication we’d received was a debt collection email sent to the address I’d provided in the initial phone call. Following up with Ovo, I was eventually told this wasn’t identity theft but a process called trace and search.

Ovo said trace and search had identified my wife as financially responsible for this address. Their debt collection department said this involved a credit check and someone visiting the address to verify this.

This wasn’t identity theft but a process called trace and search.

I was told my wife would have to prove she no longer lived at the address by providing a tenancy agreement for the previous address or a council tax bill at the new address.

This seemed odd, not least as a tenancy agreement would do nothing to prove we no longer lived at the property. Our agreement only stated the months of our initial year, after which we moved to a rolling tenancy.

The most concerning aspect of this was it revealed Ovo had fraudulently created an account in my wife’s name and put the onus on her to prove she shouldn’t be associated with it.

On top of this, Ovo had acquired details about my wife and wanted further details to cancel this account. Without the slightest hint of irony, Ovo used these details – name, date of birth, supply address – for ‘data protection’ each time I called.

Ovo had fraudulently created an account in my wife’s name and put the onus on her to prove she shouldn’t be associated with it.

When I pressed for details about the trace and search process – particularly who they had spoken to at the address – none were forthcoming. Customer services stuck to a script and reiterated that it was my wife’s responsibility to demonstrate she was not financially responsible.


It took several weeks before we were contacted by an Advanced Resolution Specialist. In the meantime, we’d checked my wife’s credit report again.

The report showed she had a couple of accounts associated with our old address. One was a bank account she didn’t use and another was a credit agreement for a phone – the bank was easily changed, the other not so much.

It can’t be unusual for people to forget to update an address or two – the house we’ve moved to still receives plenty of mail for the previous occupant. Yet it seems any active credit linked to an address is enough for a trace and search to:

  1. Determine a person currently lives at an address
  2. Arbitrarily assign the financial responsibility to that person
  3. Create an account in their name
  4. Require that person to prove they don’t live there

The Advanced Resolution Specialist spoke openly about how this situation had occured. But there was no satisfactory explanation of why the account had been assigned to my wife. Our previous address comprised of several flats: any of the other occupants could have been deemed responsible for the bill.

They also explained that this was an entirely automated process – no-one had been to the address – and the active credit was the sole link between my wife and address. This confirmed my assumptions about trace and search.

In the six weeks between initially contacting Ovo and speaking to the Advanced Resolution Specialist, we received debt collection emails from Ovo’s attack dogs. These emails were punctuated with the following threat:

Please know, we share data with credit reference agencies, which might affect your credit rating. So the sooner we sort this, the better.


Ultimately, Ovo sent us £50 as a resolution and the following apology:

On behalf of OVO Energy I would like to apologise for the recent trace and search that identified [your wife] as still updating credit at the address. This led to OVO Energy assigning charges in her name.

And that was the end of it, or it should have been...

Data concerns

As part of the resolution, I submitted an erasure request to remove my wife’s details from Ovo’s systems. A few weeks earlier, we’d also submitted a subject access request to find out what data Ovo held about her.

A couple of days later, I received an email from another Advanced Resolution Specialist to say the erasure request had been “rejected as it technically needs to be requested by the person who's details need to be erased”.

Throughout this entire debacle, I’d wondered what the the legal basis for collecting, storing and processing my wife’s data was. Ovo had created the account without her knowledge or consent and made no effort to contact her apart from the initial bill.

Ovo’s pushback on the erasure request raised further questions:

  1. What was the legal basis for continuing to store and process her data now Ovo acknowledge the account was incorrectly associated with her?
  2. In the case of an incorrectly created account, is an erasure request necessary?
  3. If my wife decided to submit erasure request herself, how would Ovo expect her to prove her identity?

Ovo don’t have our address or my wife’s email address. As far as I can tell, they only have her name, date or birth and supply address: all information I was able to provide to get her case this far.

Would Ovo seriously be looking for her to provide more information: data they can’t verify?

One month on and Ovo haven’t responded to these questions. The 30-day deadline for the subject access request has passed, too.

I’ll update this article when I have answers regarding their basis for processing my wife’s data.


The last time I spoke to Ovo, I was told the Advanced Resolution Specialist I originally spoke to has left the company and the second has taken a different role. Apparently, our complaint is in a queue waiting to be reassigned: you couldn’t make it up.

Trace and search is an aggressive and opaque practice for companies to recover funds. With next-to-zero effort or evidence, companies are able to:

  1. Create accounts for people
  2. Issue bills for whatever they feel they are owed
  3. Threaten their credit rating

We only received Ovo’s invoice because of our mail redirection. If that hadn’t been in place, Ovo’s actions could easily have affected my wife’s credit rating and we would have no knowledge about the incident.

The worst part about this was how long Ovo took to remove my wife from the account. Matters like this should not take months to resolve: the company has unilaterally created her account.

Ovo made no effort to contact my wife before sending the invoice, nor did they verify the data they received. But as Ovo deem the onus is on her, there’s no incentive for them to move quickly.

Ovo told me that someone has subsequently taken over the energy supply for address. One would think that might be a good place to start making enquiries, but why bother when you can outsource the work to an automated credit check with no accountability?

]]> <![CDATA[Twitter Hacks]]> Dave Smyth 2021-12-07T00:00:00+00:00 It’s incredibly difficult to speak to a human in support on social media platforms.

From the platform’s perspective, it makes sense. They’re dealing with millions/billions of users: it’s impractical to have anything other than a self-service and automated support systems.

For users, this doesn’t matter when everything’s going smoothly, but what happens when something goes wrong? What happens if this account is critical for you business?

Recovering an account

This happened to a friend-of-a-friend recently. A mutual friend put us in touch after their Twitter account had been hacked.

In short, they had received an email to say their account had been accessed from a different country. By the time they tried to access the account, the email address, password and phone number had been changed.

I don’t know anyone at Twitter, nor do have any experience of recovering lost accounts, but I wanted to help. They had already tried multiple methods of reaching Twitter support with no luck.

This struck me as odd because Twitter would be able to see:

  • Login patterns/locations
  • That this person was emailing from the previously-associated email address
  • That the account email, password and phone number were all changed shortly after a login from a previously unused location

Nothing from Twitter’s support pages on hacked accounts seemed to help. At one point, Twitter’s systems even asked the hackee to login to their account and verify their ownership...

Template letter

In this case, the account was clearly attached to an individual: the photo was a headshot and the account username and name were that of the account holder. With this in mind, we decided that one approach would be to claim the account was an impersonation.

After some unsuccessful attempts, the account holder successfully regained access. The key was to pitch their support request around the fact that this account was representing their business (as a sole trader, but this should work for companies, too).

The account holder tried this after scouring the internet and finding a template letter similar to this (source currently unknown):

Dear Twitter Team,

Thank you for the quick response to my query regarding the official Twitter account of [NAME].

In answers to your questions:

  • Your username - [@USERNAME]
  • Any email addresses that may be associated with your account - [ACCOUNT EMAIL ADDRESS]
  • The last date you had access to your account - [DATE]
  • The phone number associated with the account (if you verified your phone number) - [PHONE NUMBER]

I am the sole representative of the business, [BUSINESS NAME], registered in the UK with HMRC.

The Twitter account [@USERNAME] was created [X] years ago and has been operated by me since then as the social media account for my business. Recently, someone maliciously acquired access to the account, changed the email address associated with it and also the password - on or around [DATE], which I think you will be able to see from your records.

Could I please request that you change the email address for the Twitter account back to [ACCOUNT EMAIL ADDRESS] so that I can recover the account and start using it as the business official Twitter account once more?

I hereby confirm that all the information provided above is true and accurate to the best of my knowledge.

If you have any questions, kindly contact me on this email or on [PHONE NUMBER].

With best wishes,


If you lose access to your Twitter account and it’s associated to your business, this could be a route to regain access.

]]> <![CDATA[Commonplace Books]]> Dave Smyth 2021-11-26T00:00:00+00:00 When I recently realigned this site, one of the goals was to let me use this place to store thoughts more easily. The Bookmarks section handles this to a degree but, catering only for a link and category, it’s limited to fulfilling the role of a log. There’s no room for comment or other thoughts.

I’ve also been doing more reading over the past couple of years. There are always quotes I want to remember or refer back to: what to do with those?

After reading Permanent Record, I wrote a little post with a couple of quotes, but the Writing section of this site isn’t there to be filled with book quotes.

I’ve previously stored quotes in Notion, but it’s slow and private: all the reasons I wanted the Bookmarks area in the first place.

This is a long way to say I’ve been looking for a place to store links and quotes, possibly with a way to comment on them, too.


Despite the minimalist feel, Daring Fireball handles a stream of various content types pretty well. The archive supports long posts and short posts with refreshing flexibility.

How can I get a bit of that on here?

In an Unoffice Hours, Joshua Galinato brought up the idea of a commonplace book. Here’s been working on an app to store quotes and this sounds like perfect personal site material.

Looking up the origins, commonplace books (or ‘commonplaces’):

Such books are similar to scrapbooks filled with items of many kinds: sententiae, notes, proverbs, adages, aphorisms, maxims, quotes, letters, poems, tables of weights and measures, prayers, legal formulas, and recipes.

This sounds like exactly what I’ve been looking for: a place not just to store quotes, but to comment on them and write notes, too.


For now, this site’s commonplace is split into two sections: Commonplace and Books:

  • Books is a space to store quotes from things as I’m reading them: a place to quickly refer back to when I can’t remember the exact quote from an author.
  • Commonplace is an archive of these quotes, along with commented links/quotes from online articles

At some point, it might make sense to pull Bookmarks and Writing into the Commonplace, so it becomes the ultimate archive for everything on this site.


]]> <![CDATA[Disguised Emails]]> Dave Smyth 2021-10-28T00:00:00+00:00 In iOS 15, Apple introduced Hide My Email for users with an iCloud+ Subscription. This lets users generate a random email address that forwards to their inbox.

This is an incredibly useful service with a couple of benefits:


If we generate a random email address for each account, it reduces the chances of a hacker guessing the email address part of the login. This makes it harder to hack an account through brute force (though not as difficult as using two factor authentication).

This is particularly useful in the case that your email address is quite guessable (e.g.

A side benefit of generating random email addresses for each account is that we can trace the source of spam and other unwanted email. If we’ve only used an email once, we know where an email was leaked or sold from.


Email isn’t just a personal identifier, it’s a direct line to contact you. In fact, it’s the most direct way to contact people aside from a phone number or address.

Disguising our email address also solves one of the biggest privacy issues with newsletters: many mailing list providers make it incredibly easy for list owners to spy on individual users.

Masking an email address is a way to buy back some privacy. This is useful in all sorts of situations: perhaps we don’t trust a service or there’s a reason that using our actual email address could expose us to a risk.

Disguising our email address also solves one of the biggest privacy issues with newsletters: many mailing list providers make it incredibly easy for list owners to spy on individual users.

List owners can often see:

  • How many times an individual opens an email
  • What days and times they opened it
  • In some cases, where they were when they opened it

Many users are completely unaware this data is collected. Aside from this being a gross invasion of privacy and trust, the fact it’s tied to an email address (a way to identify and contact that individual) makes it all the weirder.

Disguising our email addresses gives us more control of our privacy.

Fastmail + 1Password

For Fastmail and 1Password users, there’s an integration that makes this even easier. Their Masked Email service automatically generates forwarding email addresses, a password and saves it for you.

If you’re not a Fastmail user already and want to use an affiliate link, here you go.

Update: 27th November, 2021: I recently discovered Simple Login which offers this service independently. Worth checking out if you’re not an iCloud or Fastmail user.

The future of email?

These services are making it easier than ever to create disguised email addresses, which is a great thing for privacy and security. I’ve already seen masked emails in use in mailing lists I run, and I’d love to see this more widely used.

It always takes a while for features like this to be adopted, especially given the extra friction it creates in signing up. But it would be wonderful if this became the de facto method for creating new accounts.

We live in hope.

]]> <![CDATA[Realignment]]> Dave Smyth 2021-09-22T00:00:00+00:00 Since publishing this site back in May last year, this site has expanded in several ways. It was fairly hastily put together with the Writing, Uses, Now and Reading sections.

I’ve been tweaking it along the way. One of the greatest additions has been the Unoffice Hours, inspired by Matt Webb’s project. There have also been smaller tweaks like the addition of a Reply via email buttons on individual articles.

There are other things I’d like to add, such as an About page that lists podcast appearances and a Resources section. The latter is inspired by two things:

  1. Matt Baer’s Delete Your Facebook, which is a beautifully simple way to highlight issues with the most problematic social media platform
  2. Luke Mitchell’s Bookmarks, which lists discovered links and resources

I haven’t decided on the exact format, but a place to log things I’ve found would be very useful. For a long time I did this in Notion, but the app is just so slow I’ve neglected to maintain it.

I suspect it would be easier to add new items to the site than there. And possibly useful to others, too.

Time to realign

With that in mind, I think it’s time to realign this site. The home page could do with some adjustment, bringing Unoffice Hours to the fore and there are other things I’d like to explore:

New typefaces

I’d initially liked the idea of a mono type for this site, but that’s not fantastic for readability. That’s why the site features a font switcher so users can switch to a sans-serif.

A while ago I discovered Relative Faux by Colophon. It’s a fauxnospaced font – monospaced characteristics with proportional spacing – and it might be the perfect fit.


The Writing section is a little rough-and-ready. It would be nice to tighten this up, call out Popular articles and possibly provide a search, too.


This could be a good opportunity to tweak the existing colours for more subtlety or move to something completely different.

URL restructuring

For sites like this, I’m increasingly a fan of making the URLs as simple as possible. Instead of, it would be nice to use

This isn’t always appropriate, but I might make some changes on that front, too.

Let’s see what happens.

]]> <![CDATA[Open Rates + Deliverability]]> Dave Smyth 2021-09-07T00:00:00+00:00 Even though we know that email open rates are tricky to gauge, they’re still an incredibly popular metric.

To quickly recap, open rates are inaccurate because lots of email clients block the tracking pixels that allow the open to be tracked. These are blocked in two ways:

  1. Blocking the load of all images, which would present as an unread email
  2. Instantly loading the email on the user’s behalf to strip the pixel, presenting as a read email

In either scenario, the sender has no way of knowing whether the email has been read by the recipient or not.

This is a common feature in lots of email clients and it’s set to become more so as iOS 15 will let Apple Mail users block this tracking.

Business decisions

Open rates are often used to assess how ‘active’ a mailing list recipient is. In other words, do they read the emails?

There is a perfectly legitimate business principle of valuing a small mailing list with high engagement over a large list with very low engagement. Not least because mailing list providers often charge based on the number of users in a list.

The seemingly logical conclusion of these two factors is the practice of removing users who don’t open emails.

In fact, this is something that lots of mailing list providers recommend. Not just for the reasons above, but – according to many providers – sending to many inactive subscribers hurts email deliverability.

Here are some articles on the topic from various providers:

Each of these articles defines different types of inactive subscribers and talks about the impact of keeping inactive subscribers on a list. But there’s absolutely no explanation of how inactive subscribers practically impact deliverability.

How does it work?

The theory seems to go like this:

Gmail, Outlook or another provider see that an email from a sender isn’t being opened by lots of people. At some point, the sender’s emails start to be automatically categorised as spam or sent to Gmail’s Promotions tab.

But how does that work in practice? Gmail or Outlook won’t have access to the open rate data from the mailing list provider (Mailchimp etc).

The only way I can think that this works is that email providers collect their own internal data on email opens. That data is fed back to a scoring mechanism for a sender, or perhaps a universal tool like SpamCop that helps email providers root out spam.

There is a clear case to do this: anyone who had an email account before Gmail will remember how much of a problem spam used to be. Gmail’s filters quickly reduced that headache and spam is no longer a huge issue for lots of email users.

Whose data to trust?

But here’s the interesting thing: email providers such as Gmail and Outlook are likely generating entirely different open rates to mailing list platforms such as Mailchimp and ConvertKit etc:

  • Email providers are likely to have the actual data on open rates
  • Mailing list providers are reporting open rates based on the (incomplete) data they receive

What’s more, only the email providers decide/impact on what gets delivered to a user’s inbox. They are the ones with accurate data.

Newsletter owners pruning their lists based on open rates run a significant risk of removing active subscribers.

This isn’t to suggest that unread emails don’t impact on deliverability. But – given it’s likely there’s a discrepancy between emails that are reportedly and actually unread – how can a list be accurately pruned?

Some active subscribers will show up as inactive and some inactive subscribers will show up active.

Mailing list platforms cannot tell for certain who is active or not based on open rates alone. It would seem that newsletter owners pruning their lists based on open rates run a significant risk of removing active subscribers.

It might be better to rely on click rates to determine which subscribers are active. Or, even better, remove the spy pixels altogether.

The above makes several assumptions about how deliverability is assessed – if it’s inaccurate, I’d love to hear from you to set the record straight:

]]> <![CDATA[Permanent Record]]> Dave Smyth 2021-08-24T00:00:00+00:00 I just finished reading Edward Snowden’s book, “Permanent Record”. Having wathced Citizenfour some years ago, it’s fascinating to read the background to the events leading up to it.

This quote stuck out:

Ultimately, saying you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say.

As did this longer excerpt from the book’s conclusion:

Still, if we don’t act to reclaim our data now, our children might not be able to do so. Then they, and their children, will be trapped too—each successive generation forced to live under the data specter of the previous one, subject to a mass aggregation of information whose potential for societal control and human manipulation exceeds not just the restraints of the law but the limits of the imagination.

Once you go digging into the actual technical mechanisms by which predictability is calculated, you come to understand that its science is, in fact, anti-scientific, and fatally misnamed: predictability is actually manipulation. A website that tells you that because you liked this book you might also like books by James Clapper or Michael Hayden isn’t offering an educated guess as much as a mechanism of subtle coercion.

We can’t allow ourselves to be used in this way, to be used against the future. We can’t permit our data to be used to sell us the very things that must not be sold, such as journalism. If we do, the journalism we get will be merely the journalism we want, or the journalism that the powerful want us to have, not the honest collective conversation that’s necessary.

That’s quite something.

]]> <![CDATA[Email links]]> Dave Smyth 2021-07-19T00:00:00+00:00 I was recently talking to a friend about their email list. They’d turned off analytics (read: spy pixels) but wanted some metrics to relay to sponsors and advertisers.

Leaving aside privacy issues, open rates are a fragile metric, so we discussed monitoring link clicks instead.

Some newsletter providers allow list owners to track clicks in a privacy-focused way, but it’s not common. In many cases, the link strings are extended with unique identifiers that tie clicks to specific users.

This is an invasive and unnecessary practice. Unless those users are going to be retargeted for ads, of course.

Privacy-focused link tracking

If you have a website running analytics, you can use redirects to track links without coupling that data to a user’s email address:

  1. Set a redirect at for each link you want to track in an email
  2. Use these redirects in your email
  3. Check the stats for these links after you’ve sent the email

If you’re repeating a link across multiple emails and want to tie the analytics to a specific newsletter, you may need to create new links for each email. But in many cases, this won’t be necessary – especially as you can usually filter analytics by date.

This is an incredibly simple, privacy-focused method of tracking links sitting right under our noses.

]]> <![CDATA[Opting out of FLoC]]> Dave Smyth 2021-04-14T00:00:00+00:00 Google trials of the new FLoC system for targeted ads have begun.

Google’s explainer over on states that “websites will have the ability to opt in or out of FLoC”, but this is misleading.

All websites are opted into the trial by default.

Screenshot from about the FLoC trial, “websites will have the ability to opt in or out of FLoC”.

Leaving aside the wider privacy concerns around FLoC, the trials present issues of consent. Chrome users may not realise they are part of the trial and website owners may not want their audience to be profiled.

Actions to take

The next steps depend on whether you’re a Chrome user or a website owners.

Chrome users

  1. Install the DuckDuckGo extension that blocks FLoC
  2. Consider switching to a privacy-focused browser like Firefox, Safari or Brave

Website owners

Site owners can opt out of the trial by adding an HTTP response header:

Permissions-Policy: interest-cohort=()

But how do you set this?

WordPress users

Plugins like Headlock will let you set this header. This plugin is from Tim Nash who also mentioned on Twitter that services like Cloudflare let site owners set headers, too.

Statamic users

Erin Dalzell has released an addon to send this header. No configuration required.

It’s also possible to do this natively: something that might make it to the Statamic core.

Once the header is set, tools like httpstatus can help you check the the header is being sent correctly. Look for Permissions-Policy section as shown at the bottom of this screenshot:

Screenshot showing the permissions policy has been set.

Other platforms

The technical nature of setting HTTP headers means that not all website owners will be able to opt-out of Google’s FLoC trial. That makes the decision to opt-in all sites by default frustrating and concerning.

If there are methods for users of Squarespace, Wix or other CMSs to opt-out, let me know and I’ll add them to this list.

]]> <![CDATA[Deleting 290,589 emails]]> Dave Smyth 2021-03-18T00:00:00+00:00 As part of my drive to reduce my use of Google services, I’m planning to get rid of my personal Gmail account.

Earlier this month, I received a renewal notice about the additional Google space I was paying for. It seemed as good a time as any to get to work.

I set about deleting all 290,589 emails from my Gmail account.

Backing up

Before deleting the emails, I wanted to take a backup of emails. If I don’t open this backup in the next year or so, I’ll probably wipe it completely.

Google’s Takeout service lets you export emails to an mbox file. There are clear instructions on the HEY website.

That produced a 20GB export. It seems Google ignores requests to chunk the export into smaller files.

As we all know: a backup is only useful if it works. The file should have readable to Apple Mail but each attempt to import crashed due to the size of the export.

I ended up importing to Thunderbird with the ImportExportTools add-on. It took a while, but it worked.


As it turns out, Gmail isn’t great at deleting nearly 300,000 emails in one shot.

In theory, it’s possible to highlight all emails in an inbox and move them to trash. In practice, Gmail deletes 5–10k emails at a time, occasionally removing as many as 20–30k in one shot.

There’s a clever date-based filter trick that might help with deletion it’s detailed as Solution 2 in this support thread. This technique didn’t work for me, but it might work for small inboxes.

Ultimately, I ended deleting emails from each folder/label in batches. This made it easier to see the progress and left a much-reduced Inbox by the time I reached it.

The whole process took an hour. Worth every second.

The next step is deleting my Gmail account. I plan to leave it dormant for a while to make sure I’ve caught all the email changes I need to make before completely deleting the account.

]]> <![CDATA[Custom domains on HEY]]> Dave Smyth 2021-02-17T00:00:00+00:00 After my post about de-Googling, a few people asked about my custom domain email set-up with HEY.

Custom domains have been a hot topic since HEY’s launch as they weren’t supported until HEY for Work was released. HEY for Work is a separate plan to their personal email offering and costs $12 per user per month.

If you have a few email addresses running on custom domains the cost quickly adds up. The outlay might not be worth it if the addresses aren’t used much.

HEY for Work’s strength is in collaboration. I’m using it for an upcoming project and those features are brilliant.

So, if you

  1. Like the HEY interface
  2. Have a personal account
  3. Have other custom domains you want to use through HEY

What can you do?

Forwarding + SMTP

The solution is in two parts.

Firstly, most email providers (except hyper-secure options like Proton Mail), let you forward incoming email to another address In this case, that’s your personal HEY account.

The second part is relatively new: HEY now supports SMTP. That means your personal HEY account can ‘send as’ an external email address.

I’m running three custom domains on Fastmail and these are all forwarded to my personal HEY account. Now that HEY supports SMTP, I can now send emails through HEY from my external email addresses.

It’s a pretty useful feature for anyone who wants to use custom domains but doesn’t need the other features of HEY for Work. More details over on the HEY website.

]]> <![CDATA[De-Googling]]> Dave Smyth 2021-02-15T00:00:00+00:00 One upside of being independent is that I can choose the tools I use. I’m trying to make better choices and using alternatives to Google is one of these.

I closed both of my Google Workspace accounts a few days ago.

It’s difficult to go 100% Google-free as their services are so deeply embedded in the web, but I’m trying to use alternatives wherever reasonably possible.

Having used G Suite/Google Workspace for work email, I was slightly hesistant about the impact of losing access to Google Docs and Drive. I’d never used these much, but some clients are all-in on these services.

As it happens, clients can invite external email addresses to any services they need to collaborate on. I think this was previously limited to Gmail or G Workspace accounts, so it’s never been easier to move work services away from Google.

Google alternatives

Here’s how I’m tackling switching from various Google services:

I use DuckDuckGo. For a long time, I used Startpage as it uses Google results while respecting user privacy, but DuckDuckGo’s results have improved a great deal. Highly recommended.

Work email

In December, I switched to Fastmail for work email (10% off affiliate link). It’s a good balance of privacy and user experience.

I’d previously tried ProtonMail, but couldn’t wrangle the Bridge service to import/export emails to third-party apps.

On Fastmail’s $5/month plan, you can any custom domains you need. Now that personal HEY email offers SMTP support, I can manage all work and personal email from the same place.

Fastmail also features a Calendar, knocking out another reliance on Google. I switched to Fantastical, which has been fantastic.

Personal email

I’ve had my Gmail account for 17 years, but I’ve been enjoying HEY as a personal email alternative.

It’s daunting to turn this off given how many services are linked to it, but I’m taking this approach:

  1. Set-up an auto-responder (contacts only) to tell them to update their email address for me
  2. Change email addresses for each service I regularly use
  3. Use a password manager to identify other services I use less frequently
  4. Any services I don’t/won’t use and/or where there’s no significant negative to losing access, I won’t change the email address. I can always create a new account in future.

I expect this process will take some time, but I kicked the process off by deleting the 290,589 emails in my Gmail account.


I switched to Fathom ($10 off affiliate link) around 18 months ago.

I strongly recommend privacy-focused analytics to my clients. In some cases, it completely removes the need for a cookie banner.

Search Console

I can maintain an account here without either a Gmail or Workspace account.


I have a few domains registered with Google Domains: moving them is non-trivial. I’ll keep them there for now and look to move each one at an appropriate time.

I register new domains with services like Gandi or Hover.

Drive & Docs

I’ve never really used Google Drive or Google Docs. Before switching of Workspace I checked I had copies of files stored locally or on Dropbox.

In 2022, I switched to Sync (here’s a referral link to give you and me an extra 1GB). It was a super easy switch, and one I wish I’d completed earlier.

Google My Business

There’s no alternative to this, but you can maintain an account without a Gmail or Workspace account.


I switched from Google Authenticator a year ago after hearing about a friend losing their phone and their 2FA codes with it.

I use Authy which supports device synchronisation and offers a desktop app. That means you don’t always need your phone on you and you’re not locked out if you lose it.


I’ve not used Google Chrome as my browser for years, preferring Firefox or Safari.

Alternative alternatives

These are the servies I use, but there are lots of others.

For alternatives check out and Mark Hurst’s Good Reports.

Punishment for cancelled subscriptions

Since I deactivated my Workspace account, I’ve noticed that Google regularly tries to push me to reactivate the account.

I’m often unintentionally logged in to Google, and my old Workspace account is still linked. That’s because clients sometimes share Google things to the email address associated with the old Workspace account.

This is what I see:

Screenshot of Google page asking me to resubscribe to Google Workspace.

There are a few things that make this a particularly dark pattern:

  1. This happens even when I’m trying to access services that are openly available to users without a Google account, like Google Translate.
  2. I’m simultaneously signed into several Google accounts, but Google always defaults to the ex-Workspace account.
  3. When I try to switch account from this page, I’m redirected to the interface, which is only available to Google Workspace accounts. This makes it difficult to switch to a non-Workspace account.

Google suggested two solutions:

  1. Remove the account from Google Chrome. Chrome might have market dominance, but it’s quite the assumption that I am using their browser.
  2. Delete the Workspace account. This might be the ‘right’ option, but I’d likely need to sign up for another Google account with the old email address for client purposes.

It would be better if Google stopped trying to force their product on me. My user experience would be better if I’d never had a Google Workspace account: that doesn’t seem right.

This anecdote serves as a frequent reminder not to use Google at all.

Last updated: 14th April, 2022

]]> <![CDATA[Global Privacy Control]]> Dave Smyth 2021-01-29T00:00:00+00:00 Yesterday saw the announcement of a new standard that makes it easier to users to out opt of data collection and sharing. It’s called the Global Privacy Control and lets users signal they want to opt-out of tracking through their browser.

From The Verge:

The GPC standard sprang from a powerful but little-noticed provision in the California Consumer Privacy Act (CCPA), which ... gives Californians the right to opt out of having their personal information sold by the sites they visit.

Interestingly, the definition of ‘sold’ seems to be deliberately vague – in a good way:

Crucially, the law interprets “sell” as including any exchange of value, which could include being read broadly enough to go beyond outright data broker sales and into the endemic tracking pixels that power much of the advertising you see online.

Installing the signal

Part of the appeal of the Global Privacy Control is that users can set this signal from their browser. There are several ways to broadcast the signal, but most users will only need to install a browser extension.

There’s support for Firefox, Chrome, Brave and Microsoft Edge browsers at the moment – Safari is a notable omission.

Extension links

Here are the direct links to the extensions:

To enable this on mobile, users will need to use the DuckDuckGo Privacy Browser on Android or iOS.

Once installed, users can visit and test their browser signal is working. If it is, a message will appear in a bar at the top of the page.

Search engine switch

When I installed the Firefox extension, DuckDuckGo silently set itself as the default search engine. I understand this is a good move for users stuck on Google by default, but I wasn’t brilliantly impressed that this happened without asking.

Spread the word

According to The Verge article, “project organizers estimate that 40 million users worldwide will be sending out the GPC signal through one product or another”.

Right now, the project and download information is spread across a few sites and articles. I’ve written this brief rundown to pull together the key points and make it easier to download the extensions. 

The power of a standard like this is in its take up. You can help the project by spreading the word.

]]> <![CDATA[Read receipts]]> Dave Smyth 2021-01-24T00:00:00+00:00 When I wrote about exploring Digital Minimalism, I overlooked the practice of turning off read receipts. This is something I was doing before I read Cal Newport’s book.

Turning off read receipts seems like a small thing: “who cares if they know when I read this?”

I started turning messaging read receipts off a couple of years ago: it’s had a positive impact on my experience of messaging apps.

On the occasions I’ve realised read receipts were on, perhaps in a new app, the relief I’ve felt in turning them off has been palpable.

Aside from this, there are the privacy considerations.

On by default

Most popular messaging apps turn read receipts on by default.

I can't stand breakfast. It's just constant eggs. I mean, why? Who decided?

This quote from Killing Eve sums up my feeling on this.

Apps where read receipts are on by default include:

It seems there’s no way to turn read receipts off for Facebook Messenger, Instagram direct messages or Telegram.

I’ll send read receipts if you send yours

One of the most insidious quirks of read receipts in messaging apps is the receipt quid pro quo. To receive read receipts, users normally have to enable read receipts on their own device.

Surely, the only thing that matters is whether a recipient is happy for the sender to know they’ve read the message?

I used to accept this on the basis that it seemed fair. Now I’ve had some distance from read receipts, it seems like a particularly weird ‘trade’.

Surely, the only thing that matters is whether a recipient is happy for the sender to know they’ve read the message? Why does a sender have to opt-in to also share when they’ve read messages?

I’m not interested in when someone reads a message of mine, so this isn’t a strange feature request.

Email can stalk you

Most messaging apps let users turn read receipts off. The same courtesy isn’t extended to email users.

Of course, privacy-focused email services will block read receipts, but there’s no standard method for users to opt-out.

This is an important topic as email read receipts are particularly invasive. Whereas messaging apps will report the read status and possibly time of reading, email tracking might also report the user’s location.

That’s just personal email. Most mailing list software enables all of this by default and often tracks every instance of an email being read and internal links being clicked.

Mike Davison’s writing on Superhuman demonstrated this in action. Superhuman rolled back some of the worst excesses of their email tracking, and they’re not a newsletter service, but this practice is still common in mailing lists and marketing emails.

In most cases, tracking continues even after a user unsubscribes.

Spying is convenient

I remember when I used to think it was convenient to know when a message was read.

Looking back, it was convenient. It was convenient for me as the sender, but not for the recipient.

It’s nosy and with little justification.

The business case

The world of work finds plenty of reasons to justify tracking users without their consent.

Common examples include enabling cookies for analytics or tracking users all over the web under the guise of improving the effectiveness of ads.

Ecommerce businesses in particular make extensive use of tracking in mailing lists. From open rates times and locations to link clicking.

They’re far from the only ones and the use cases can be subtle. For instance, consider accounting software that tells users when a client has seen an invoice.

For years, websites and services have collected all possible data, just because they can.

Opting out

When I start using a new messaging app, read receipts are one of the first things I look to disable. If you find yourself feeling pressure to reply, or you avoid opening messages so you don’t trigger a read receipt, I’d suggest doing the same.

I’d also recommend looking at email services that either block incoming read receipts or disrupt them. One of the ways we can individually effect change is by making the data useless.

]]> <![CDATA[Digital minimalism]]> Dave Smyth 2021-01-01T00:00:00+00:00 In early 2020 I read Cal Newport’s Digital Minimalism. It completely changed my outlook on tech.

I wouldn’t have picked up the book if it wasn’t for Adam Pearson. He told me that in another of Newport’s books, Deep Work, he recommended:

  1. Quitting social media for 30 days
  2. Not telling anyone
  3. Seeing if anyone noticed

That was enough to make me want to explore it.

I’m writing this for a few reasons. It’s partly a reminder to myself of the benefits of what I’ve been trying. I also hope it’s useful for other people who feel tech takes up too much of their world.

Digital minimalism isn’t about cutting out all tech. It’s about making tech work for you: getting the value you need without it ruling your life.

I’ve seen plenty of people share their experiences of this only to be met with replies like “just don’t use the internet or social media” or “why post it on social media”. These are spectacularly lazy hot takes that completely miss the point: no surprises there, then.

Digital minimalism isn’t about cutting out all tech. It’s about making tech work for you: getting the value you need without it ruling your life.

Getting started

Here are some of the steps I’ve taken. I don’t imagine anyone would tread an identical path, but I hope sharing my experience and the benefits I’ve seen will be of use to someone.

Deleted my Facebook account

I’d been tempted to remove Facebook for a while, but groups and nostalgia kept me around. Taking a social media break gave me the perfect excuse to deactivate my account and see how I’d fare.

When you deactivate your account, Facebook gives you the option to keep Messenger. Initially, I kept Messenger to keep in touch with friends who I mostly spoke to through that.

I found that keeping Messenger was a problem. Even though I’d deleted the Facebook app and stayed logged out, I was tempted to reactivate my account whenever I logged into Messenger.

I’d be surprised if this wasn’t by design.

After a couple of weeks, I set my account to be permanently removed, including Messenger. It’s strange how much I think about Facebook as a company from a privacy angle, but I haven’t thought about using it as an individual in months.

I don’t miss it.

Removed social media apps from my phone

Obviously Facebook went, along with the Messenger app, but I also removed the Twitter and Instagram apps from my phone.

Instagram has remained deleted. I may return to that one day, particularly if Facebook is broken up.

Incidentally, I came across a great tip for getting the full Instagram experience on desktop: “use the developer feature on Safari, switching User Agent to iPhone”.


A common recommendation for Digital Minimalists is to turn notifications off. I’d done this much before reading book: if you haven’t already, it’s well-worth it.

Managing Twitter

I took a 30-day social media break from everything but my personal Twitter account. After that, Newport recommends reintroducing tech intentionally.

I didn’t miss much social media, but Twitter was always going to be the difficult one for me. It’s the platform I use and enjoy most, but there’s lots of negative stuff on there. It’s easy to get drawn down increasingly depressing rabbit holes.

Removing the app from my phone completely stopped all Twitter notifications and prevented me accidentally firing up the app. The only way to access it was through a browser.

This did the trick for a bit, but I still saw loads of negativity on desktop and mobile.

To try and tackle this, I’ve gone list-based. The idea is to replace the timeline with lists for a more curated experience.

Twitter doesn’t let users set a list as their default view. This is ok if you’re using an app like Tweetdeck (which is perfect for this), but there’s no equivalent on mobile.

I copied accounts I was following to a list and unfollowed everyone.

Ultimately, I’ve gone all-in on using lists. As it’s not possible to set lists as a default mobile view, I copied accounts I was following to a list and unfollowed everyone.

This seems drastistic, but it’s done a load of good. I’m still following most of the accounts I followed before, but the experience is much more positive so far.

Let’s see how long that lasts.


It’s easy to conflate digital minimalism with reducing social media use. But it’s much broader than that: it’s about redefining your relationship with tech and making tech work for you.

I’ve been listening to a lot more podcasts over the past few years. And having used Apple Podcasts mainly, I took the opportunity to investigate some other options.

I hadn’t looked into this before: “how different could a podcast player be, really?!” Well, I wish I had. There are lots of subtle differences that add up to a much easier podcast interface.

For example, I’ve been listening to David Dylan Thomas’ excellent Cognitive Bias podcast. These episodes are often short. You want to listen to them in order as the content often references on previous episodes.

Changing the play order in Apple Podcasts is possible, but hidden in some not-particularly-obvious settings. In the new player, Overcast, it’s much clearer: very useful when you discover a new podcast.

This is a small example, but it reinforced to me how subtle app differences can have a big impact on how we interact with tech.

Wrapping up

I’ve recommended Digital Minimalism to lots of people this year. Taking some steps towards digital minimalism has been a massively positive experience for me.

I’d highly recommend the book to anyone who feels they could benefit from resetting their relationship to tech.

]]> <![CDATA[Consolidating newsletters]]> Dave Smyth 2020-12-29T00:00:00+00:00 Over the past year, I’ve become a big fan of Digital Minimalism, thanks in no small part to Cal Newport’s book of the same name.

I also run a few things: my business, a course on CSS, Work Notes and this personal site.

Subscribers to the Websmyth newsletter previously received very occasional emails and my intention was to run one through this site, but there’s lots of crossover. With all of this in mind, I’m consolidating these two newsletters.

The newsletter looks at web things and tech with a privacy-focus. Freelancing will feature less often as that’s covered at Work Notes. I’ll use the newsletter to share links to things I’ve been reading, along with writing from both Websmyth and this site, with a sprinkling of work and other updates.

Original Websmyth subscribers will also notice that emails look different. That’s because I’ve switched to privacy-focused Buttondown, where I can properly turn off click and open tracking.

If you’re not already subscribed, you can sign-up below.

]]> <![CDATA[Contextual ads]]> Dave Smyth 2020-12-15T00:00:00+00:00 Jeremy Keith’s piece on Clean Advertising is an excellent read. One of the key takeaways is that behavioural advertising may not be as effective as its contextual counterpart.

To recap:

  • Behavioural advertising centres around tracking users around the web to build profiles about their behaviour. Users are shown ads specific to them, irrelevant of the context: e.g. a user visits a shoe shop, then sees an ad for those shoes on Facebook.
  • Contextual advertising doesn’t track users or build profiles of them. Users are shown ads based on the context: i.e. a user searches for tennis racket and is shown an advert for one.

Keith’s article references the New York Times who, in 2018, turned off behavioural advertising for European readers. Digital advertising through their site increased through to early 2019.

They aren’t the only ones.

In August 2020, WIRED reported on the Nederlandse Publieke Omroep’s (NPO) strict approach to European cookie laws. Instead of assuming users are ok with targeted advertising if they skipped the cookie consent screen, they opted users out (incidentally, this is the correct approach).

The company found that ads served to users who opted out of cookies were bringing in as much or more money as ads served to users who opted in. The results were so strong that as of January 2020, NPO simply got rid of advertising cookies altogether. And rather than decline, its digital revenue is dramatically up, even after the economic shock of the coronavirus pandemic.

If behavioural ads aren’t more effective than contextual ads, what is all of that data collected for?

If websites opted for a context ads and privacy-focused analytics approach, cookie banners could become obsolete...

What about small businesses?

The attraction of heavily targeted advertising is strong for small businesses. For a start, it’s frequently the only recommended advertising method, but the pull of tweaking adverts to maximise small budgets must be strong.

In the spirit of investigating alternatives to invasive marketing techniques, I want to find out more. I’m interested in collecting more examples of businesses – large or small – that have bucked the trend and opted for contextual ads over behavioural ones.

Large and small businesses may advertise in different ways, but there will be lessons to learn from any business that’s gone against the grain here.

Send examples to the lists below are updated with examples as I find them.

Last updated: 27th March, 2021


]]> <![CDATA[Twitter lists]]> Dave Smyth 2020-12-11T00:00:00+00:00 Twitter is pretty much the only social media platform I use. It’s a useful platform, but not without problems.

I try to balance the time I spend on there. I don’t have the app on my phone and recently switched to TweetDeck on desktop.

TweetDeck took a little getting used to, but the best feature I’ve found is the ability to browse using Twitter lists by default.

Still, it’s easy to get sucked into reading replies about fairly depressing stuff. Especially on mobile, where the default is the timeline, rather a list.

So, taking inspiration from Anil Dash’s article, I unfollowed everyone on Twitter and copied everyone I’m following onto a list.

Going list-based

Whenever I’ve seen an account following no-one, I’ve thought it was odd. Possibly even a little arrogant.

How do they keep in touch with people or see content? Are they just broadcasting, rather than interacting?

The answer is: use lists as an alternative timeline. But because you’re not following anyone, you’re in more control of what you see.

Lists let me ‘follow’ and keep in touch with the people I want, but in a more healthy way.

If you’ve unfollowed everyone, why should I follow you?

I’m not sure that you should, in the traditional sense at least. Everyone has to make platforms work for them: for some that will mean using the follow function, for others it’s lists.

Lists let me ‘follow’ and keep in touch with the people I want, but in a more healthy way. The existence of lists – and their comparable functionality to the timeline – shows just how much of a vanity metric a follower count is.

Oh, and lists are ad-free, too.

For now, this is an experiment. I’m interested to see if it improves Twitter and makes it easier to cut out toxic stuff.

If you want to do the same thing without the command line, I found this script that worked pretty nicely.

Update: January 2022

Since I wrote this, a several people have been in touch to tell me they’re going list-based or talk about the idea.

The benefits to going list-based aren’t always immediately clear, but Anil Dash succinctly noted one of the main upsides of taking this approach:

One of the most immediate benefits is that, when something terrible happens in the news, I don't see an endless, repetitive stream of dozens of people reacting to it in succession. It turns out, I don't mind knowing about current events, but it hurts to see lots of people I care about going through anguish or pain when bad news happens. I want to optimize for being aware, but not emotionally overwhelmed.

That last sentence is a great summary.

From Anil’s Personal Digital Reset post:

Some of the reason for resetting my follows is to reflect my own changing interests in what I want to read or learn about, but also to ensure that I’m not (for example) just following some news account that only ever causes me stress when it updates.

The main downside of unfollowing everyone is that you lose connection to people with locked accounts. One option would be just to follow these people, but as Morten Rand Hendriksen noted:

Among the people I used to follow were several women, BIPoC, and LGBTQ2+ who made their accounts private due to ongoing harassment and other unwanted interactions. ... In hindsight this was an obvious consequence, and there's currently no meaningful workaround for it: If I were to only follow people with private accounts, that would be very obvious to anyone paying attention, and would highlight the private status of these accounts. And because the accounts are private, adding them to a list makes no sense because the posts from these accounts are private and thus not visible to me.

Perhaps Twitter will let private account users accept/deny list requests at some point...

Articles + resources on going list-based

]]> <![CDATA[Balancing privacy & marketing]]> Dave Smyth 2020-10-17T00:00:00+00:00 What does it mean to run a privacy-focused business? What does that look like and involve? Is it just GDPR – cue eye-rolls – or is there more to it than that?

These are some of the questions I’ve been thinking about recently.

The introduction of GDPR in 2018 created mass panic as businesses raced to meet the deadline. To many, compliance was – and in some cases still is – seen as needless hassle.

I’d guess that’s in no small part due to the nature of the topic and its role as regulation. But it’s also a complex area with plenty of nuance, something borne out by the number of larger companies that either don’t understand or choose to ignore the legislation.

Privacy is a much bigger topic than GDPR.

The Wild West of the Web

We’re emerging from somewhat of a wild west of data collection.

For years, websites and internet services have been collecting anything and everything they can about users. Often without user consent or awareness.

This is frequently justified as ‘essential analytics’ or ‘optimising advertising’. But the real reasons businesses do it is because collecting this data is easy and cheap/free. And because they can.

Marketing > privacy

It’s easier to pitch the benefits of marketing (money) against user privacy (expense, hassle, legal). And business owners have been told they need to collect All The Data to optimise their sales and increase margins.

A classic example would be email marketing. Most mailing list platforms allow marketers to track:

  • When a recipient opens an email
  • How often they’ve read an email
  • Where they are when they read it

This is often possible even after a user unsubscribes. Some mailing list providers will even opt-out users who they don’t think have read emails in a while (i.e. recipients who block these trackers).

Many recipients will have no idea they’re being tracked in these ways. They’re certainly not made aware of this when they sign up.

Running a privacy-focused business

Here’s the rub: many of us don’t like the idea of our data being harvested, yet we’re happy to track users because money.

It would seem that if we want to effectively market to users and respect their privacy, that creates a tension. Is that the case or does it just require a change in thinking?

Let’s say we turn off email tracking and don’t send data to Google or Facebook. Perhaps – instead of a ‘loss of insight’ – we can view it as an opportunity to build better relationships with audiences and customer bases, rather than relying on spying on their habits.

The privacy scale

I’m no expert in this field and – at a micro scale – I’ve used some of these privacy-invasive tools in the past. Things like:

  • Aggregated data on open rates, clicks and audience locations in mailing lists
  • Subscriber tagging for email sequences
  • Demographically targeted Facebook and Google ads
  • Session recording (with tools like FullStory)

These things are daily practice in marketing world but in hindsight they feel pretty icky, even at the tiny scale I used them.

Of course, tools that offer analytics encourage users to use them. As a small business, it’s easy to think using them has little bearing on privacy matters: it’s the big advertisers that are doing the really nasty stuff, right?

I’d guess that the combination of all small businesses who use these services inadvertently contribute significant amounts of data to these big tech firms.

I’m also conscious that there’s a sliding scale. It would be difficult – reckless even – for a business to stop advertising on Facebook or Instagram if that produces a significant portion of its revenue.

That might present an opportunity to build alternative and privacy-focused marketing streams, with a view to reducing the need to advertise on those platforms. But that’s not going to happen overnight.

Stepping away from the data

Moving away from these tools takes time, effort and money. It’s work.

That’s assuming we’re aware of what the problems are and how we can resolve them: whether that’s changing settings or using alternative services.

There might be clear alternatives to services like Gmail or Google Analytics. But what are the options for businesses who rely on retargeting or other data-reliant techniques?

I’ve started to pull together lists of resources and articles that have helped change my thinking on these topics. For now, it’s mainly a series of connected and unconnected thoughts.

I’ll share these in my mailing list – there’s a signup below – but I’d also be interested to hear from freelancers and small business owners who are thinking similar things.

]]> <![CDATA[Cookies]]> Dave Smyth 2020-07-19T00:00:00+00:00 Cookies present issues for website owners and users alike, and they’re nothing new. While the GDPR and PECR legislation have encouraged companies to proactively consider user privacy, the basic cookie requirements are neglected on a large number of sites.

Cookies fall into two categories: essential and non-essential. The Information Commissioner’s Office (ICO) describes essential cookies as:

...strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

Good examples of this would be cookies that determine whether a user is logged in or not, remembering the items in a user’s shopping basket, etc.

Everything else is a non-essential cookie.

That might include cookies that:

  • Improve a user’s experience
  • Provide marketing data (e.g. Facebook Pixels)
  • Track users around the internet

The same cookie might be classified differently on two sites depending on the functionality that a site requires.

One of the key points around cookies in the PECR is that websites must seek consent before setting non-essential cookies:

Just because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, is not a valid reason to pre-enable it.

Crucially, analytics cookies are not classed as essential, therefore permission should be sought before these are set.

The ICO article goes on to further explain – in clear terms – what is considered valid consent. Valid consent does not include cookie banners that:

  • State “by continuing to use this site you accept our use of cookies”
  • Over-emphasise “Agree” or “Accept all” buttons
  • Don’t allow users to make a choice

I don’t have data on this, but almost every website I’ve checked that uses a service like Google Analytics sets the cookie before the user accepts/rejects permissions. Many of these don’t give users the choice to turn non-essential cookies off.

These breaches aren’t limited to small companies that may not have the resources or time to fully explore/understand these laws.

Here’s a screenshot of the cookie permissions page from Channel 4’s All 4 app:

The All 4 app’s settings don’t let users turn off analytics cookies.

It’s impossible for users to turn off analytics cookies. Channel 4 explains their rationale for requiring this as follows:

The policy states, “We can’t fix or improve what we can’t measure. We receive information about the programmes you watch, the parts of our service that aren’t working well, and which version of a page works best. We access descriptive information about your device, such as model and manufacturer, and use a first part cookie to recognise it. We use viewing information to serve more relevant advertising. We never access personal information from your device such as your name or email address”.

In short, they justify the use of requiring these cookies on the grounds that:

  1. They want to ‘improve’ the service
  2. They need to know what device you’re using
  3. They want to serve more ‘relevant’ ads to you

Apparently, that’s all ok because they ‘never access personal information from your device such as your name or email address’.

That seems reasonable, right? Yes, except for two points:

  1. Using the app requires a user to be logged in. That means the information is already associated with the user (irrespective of accessing a name and email address).
  2. Setting these cookies is explicitly prohibited.

This is an organisation that clearly have the resources to be clued up on this stuff. And they’re not the only ones to ignore these regulations: I’ve seen many companies take a similar approach.

Why don’t they comply?

The underlying issue is that if sites fully complied with these laws, their current methods of collecting analytics data would mean their data is seriously inaccurate. Every user who didn’t specifically allow statistics cookies would not be counted and their movements around a site wouldn’t be tracked.

There are privacy-focused alternatives, like Fathom (that’s an affiliate link) or Simple Analytics, but the technical limitations of not setting a cookie limits the available data. To truly comply with the regulations would require companies to take a different approach to collecting and interpreting the available statistics.

That may also mean a change to online advertising models, too.

These are not bad things.

But while companies feel free to flout the regulations, analytics data is cheap and easy to come by: “cheap” if you’re not the user, that is.

Future solutions

Banners and notification overload are one of the difficult things about this whole malarkey. Even if a website uses a cookie wall, many users will accept all cookies because:

  • They just want to get rid of the banner
  • It might be the highlighted option
  • The microcopy might be confusing (e.g. “Accept all”, “Accept”, “Save” or “Save all”)

Or they may even be happy to have their data collected.

We already know that users don’t like waiting a long time for a website to load. The last thing they want is to wade through a load of complicated – and technical – options to decide on cookie use.

One solution would be for this to be tackled at the browser level. Browsers could define a way for websites to declare essential and non-essential cookies: the latter could be further divided into common subcategories (“Marketing”, “Analytics”, etc).

Website owners could then hook their cookies into these and users could set their default preferences for all sites, with exceptions as they want.

A widespread approach like this would encourage companies to finally take note of the cookie requirements, but it’s difficult to see this happening.

Google develop Chromium which powers Google Chrome, Microsoft Edge, Brave and others – possibly as much as ~60% of internet browsers. They almost certainly benefit from the data collected through Google Analytics and Google Ads – both services that need cookies to work best.

For general internet users concerned about online privacy and whether companies should be rewarded for ignoring regulation, now would be a great time to consider using Firefox as their main browser. It’s an excellent browser with a privacy-focus, demonstrated by their recent rollout of Facebook containers that stop Facebook tracking users around the web.

Browser diversity is important for all users if the web isn’t going to become a monopoly. If there is only one browser – and that browser happens to be controlled by a company who benefit greatly from the collection of ‘free’ data - the future for user privacy looks bleak.

]]> <![CDATA[Gumroad vs Payhip]]> Dave Smyth 2020-07-06T00:00:00+00:00 Gumroad is one of the most well-known platforms for selling digital products. I’ve used it to sell on both Work Notes and CSS For Designers.

After some recommendations and exploring the features, I switched both sites over to Payhip. About a month later, I switched CSS For Designers back.

The two platforms offer similar functionality. Integrating the services is similar but not the same and even the design of the dashboards is similar.

So, why the change and why the change back?


One of the most obvious differences between the services is pricing. Gumroad offers:

  • A free tier where the transaction fee is 8.5% + 30¢
  • $10/month tier (for fewer than 1,000 customers) with a reduced fee (3.5% + 30¢) and some other benefits

Payhip’s free tier is a little more generous. There are no feature upgrades, just lower fees:

  • Free tier: 5%
  • $29/month: 2%
  • $99/month: no transaction fee

Despite this, cost wasn’t really a consideration for me. Both services have free tiers with an option to upgrade when sales volumes justify it.


There were a few key features that attracted me to switch both of my sites to Payhip.


Payhip can charge customers in GBP. Gumroad can display prices in GBP, but customers are always charged in USD.

This caused some friction in the payment process as customers:

  1. Weren’t sure they were charged in USD
  2. Might be charged conversion fees by their bank
  3. Were confused why a UK-based site would charge in dollars

These concerns are understandable and cause needless friction.

EU Digital VAT

One of the main benefits of both of these services is that they totally relieve sellers of dealing with EU Digital VAT.

Payhip even allows sellers to choose whether EU Digital VAT is added on top of the list price, or to absorbed into the price. That’s a really nice feature.

Integration similarities

The integration for Gumroad and Payhip is remarkably similar. Payhip’s is a little more cumbersome, but there’s barely any difference.

Even Payhip’s Webhooks are remarkably similar to Gumroad’s Ping. This made the switch fairly straightforward.


One other difference is how payouts are handled. Gumroad holds all payments for a week before issuing payouts through Stripe on Fridays. On Payhip, payouts are made one week after each purchase.

This is a plus and a minus. On one hand, Payhip pays out quicker, but that can mean a significant increase in bookkeeping.

It also seems that Payhip’s refunds need to be handled through Stripe, rather than Payhip dashboard. On Gumroad, this is handled through the account.

Payhip’s missing features

Switching to Payhip was remarkably easy, but after some time, I found some subtle differences and feature limitations. Ultimately, these caused me to switch CSS For Designers back to Gumroad.

Gumroad have developed lots of new features for variable products and subscriptions. A particularly useful subscription feature is the ability to automatically suspend a subscription after a specified period.

This isn’t possible on Payhip yet. Depending on your use case, that could be a dealbreaker.

Another longstanding feature on Gumroad is the ability to set suggested prices on pay-what-you-want (PWYW) products. Payhip offers PWYW pricing, but there isn’t an option to set a suggested fee.

That might not seem like a big deal, but if customers can pay anything, it’s useful to given a suggested value (i.e. $5).

Lastly – and this is a big ’un – Payhip requires users to opt-in to mailing list integrations. When I contacted their support, I was told this is for GDPR reasons, but there are lots of legitimate GDPR-compliant reasons that a seller might want to add users to a list (e.g. transactional emails).

Gumroad lets sellers automatically add users to mailing lists, which is useful for follow-ups and other things. If transactional emails are important, this is a big consideration.

It’s also worth mentioning Gumroad’s workflows. These allow sellers to send automated follow-ups through the Gumroad interface, which is a nice feature not available through Payhip.

Wrapping up

As ever, the Devil’s in the details. Many of these differences aren’t clear from the feature descriptions on either Gumroad or Payhip.

Both platforms have some great features, though neither are perfect. Ultimately, it made sense to move CSS For Designers back to Gumroad, but I’ve kept Work Notes with Payhip.

]]> <![CDATA[Things I wish I’d known about CSS]]> Dave Smyth 2020-06-28T00:00:00+00:00 I learned how to build websites the old fashioned way: looking at website source code and trying to replicate the things I saw. I threw in the odd book for the stuff I couldn’t see (like PHP/MySQL), and I was on my way.

This was back in 1999, when we’d write things like <font size="4" color="#000000"> and DHTML was a thing.

When CSS came along my approach to learning didn’t differ. But I really wish I’d taken the time to learn CSS properly: there was so much fundamental stuff I missed.

Here are some things I didn’t know that I wish I’d learned earlier.

Block, inline and inline-block

Even though I knew about these properties, I didn’t fully understand them for a long time.

Here’s a breakdown:

  • block elements expand horizontally to take up a whole line (like a heading). We can apply vertical margin to these.
  • inline elements expand horizontally just enough to contain their content (like strong or em elements). We cannot apply vertical margins to these and they should usually be placed inside a block element.
  • inline-block elements are like inline elements, but you can apply vertical margins to these (making them useful for things like buttons).

In the example below, block elements have a blue border, inline elements have an orange background, and our inline-block element has a red border.

See the Pen (@websmyth) on CodePen.

Images are inline

Images being inline by default isn’t a problem, but it can cause confusion when trying to position them or add vertical margins.

If your CSS reset doesn’t include this already, I’d suggest adding the following rule:

img {
	display: block;

That will make their behaviour much more predictable. You might also want to add max-width: 100%; to stop them breaking out of their container, too.

How height and width are calculated

By default, the width/height of a box is calculated by adding together the dimensions of the:

  • Content area
  • Padding area
  • Border area

This isn’t usually a problem for an element’s height: we’re usually not too bothered about how content reflows vertically. The problems usually occur when trying to calculate an element’s width, especially if there’s more than one element in a row.

If we had the following CSS:

.some-class {
	width: 50%;
    padding: 2em;
    border: 0.1rem;

The total calculated width for .some-class would be:

50% + 4em + 0.2rem

That’s because of a property called box-sizing which has a default value of content-box. This value means the width property applies to the content area: everything else is added on top of this.

We can change this for all elements with the following rule:

* {
	box-sizing: border-box;

Returning to our example, the element’s width would now apply to the border, so our element’s total width would be 50%.

What happens to the border and padding? Those properties/values still apply, but they don’t affect the total width of the element: they sit within the defined area.

Check out this Codepen to see this in action:

See the Pen (@websmyth) on CodePen.

We haven’t discussed margin here because margin is the space between elements. For that reason, it is never part of this calculation.

Padding & margin aren’t the same

If an element has no background or border, it can appear that padding and margin are the same. They are not!

  • margin is the space between elements
  • padding is space inside an element

That makes padding useful for elements that have a background. We often don’t want the content to be close to the edge of the element’s box and padding helps us achieve that.

Margins collapse

This has been the source of frustration for CSS newcomers for a long time. Rachel Andrew describes the behaviour as:

When margins collapse, they will combine so that the space between the two elements becomes the larger of the two margins. The smaller margin essentially ending up inside the larger one.

If we have two block elements with margin-bottom: 1em on one element and margin-top: 1.5em on the element directly below it, the total space between the two elements would be 1.5em.

We can see that here:

See the Pen (@websmyth) on CodePen.

When two margins meet, the larger margin absorbs the smaller margin. If the margins are the same value, they absorb each other.

As soon as we know this, margin calculations become easier. It might also change our approach to managing them, and that’s where something like the Lobotomised Owl selector can be useful.

Note: Margins don’t collapse when the parent element is set to display: grid or display: flex.

Browsers have a default stylesheet

CSS stands for Cascading Style Sheets. It’s no surprise therefore that the cascade is one of the fundamental concepts of CSS.

Though we might be aware of how our own stylesheets interact with each other, we have to remember that there’s always a default browser stylesheet. This is loaded before any custom stylesheets, making it easy to redeclare existing values.

The declared styles vary by browser, but they’re the reason that, by default:

  • Headings have different sizes
  • Text is black
  • Lists have bullet points
  • Elements have any display property (such as block or inline)

And many other things.

Even if a website only has a single stylesheet, that stylesheet will always be merged with the browser’s default styles.

Use relative units everywhere

Using pixels (px) is tempting because they’re simple to understand: declare font-size: 24px and the text will be 24px. But that won’t provide a great user experience, particularly for users who resize content at the browser level or zoom into content.

I started using em (and later rem) for font sizing early. It took much longer to feel comfortable using em and rem for other things such as padding, margin, letter-spacing and border.

Understanding the difference between em and rem is critical to making relative units manageable. For instance, we might use em for @media queries and vertical margins, but rem for consistent border-width.

The benefits of going all-in on relative sizing are well-worth the small adjustment in thinking that requires.

::before and ::after need content

When using either the ::before or ::after pseudo-elements, they require the content property, even if it’s left blank:

.some-class::before {
	content: '';

If this isn’t included, the pseudo-element won’t display.

The ch unit

The ch (character) unit is useful, particularly to set an element’s width based roughly on the number of characters in a line of text.

Only roughly? Technically, the ch unit doesn’t count the number of characters in a line.

ch is based on the width of the 0 character. Eric Meyer wrote that:

1ch is usually wider than the average character width, usually by around 20-30%.

If you’re using this to control the measure of paragraphs or similar, this is a useful distinction to be aware of.

Normal flow

This was a term I’d heard a lot but didn’t fully understand for a long time. The “normal flow” means that elements appear on the page as they appear in source code.

For instance, if we wrote:

<p>Paragraph text.</p>

We would expect <h2>Heading</h2> to appear before/above <p>Paragraph text.</p>. That is the normal flow.

If an element is taken out of the normal flow, that means it won’t appear in this place. Floated and absolutely positioned elements are good examples of this.

Styling :focus states

I first learned about :hover, :focus and :active pseudo-selectors in the context of styling links. At the time, all of the examples I’d seen looked something like this:

a {
	color: black;
a:active {
	color: red;

However, it’s better if we style our :focus states differently.

:focus is the state when a user tabs to or through focusable elements on a page (like links). When a user presses [tab], they don’t know where the focus will land.

Additionally, if a user focuses on already-hovered item, they won’t know where the focus is.

For all of these reasons, it’s best to style :focus in a different way to :hover and :active:. For instance:

a:active {
  	/* styles */
a:focus {
    /* styles */


Check out this Codepen:

See the Pen (@websmyth) on CodePen.

Notice how it’s the odd-numbered rows with a background? Given our selector (p:nth-child(even)), we might expect the even-numbered rows to be highlighted instead.

However, the :nth-child() selector counts all sibling elements. Specifying an element in the selector (e.g. p:nth-child()) does not cause the selector to start counting from the first of that element type.

Instead, specifying an element in the selector means that the rule will only be applied to that type of element. If we switch our example to be p:nth-child(odd), we will see that:

  • h1 is not highlighted, even though it’s an odd sibling element
  • p elements that match the critera (paragraph two, four, six) are highlighted

See the Pen (@websmyth) on CodePen.

Returning to our first example, let’s assume we want the even-numbered p elements to have a background. In that case, we’re better off using a different pseudo-selector altogether: p:nth-of-type(even)

See the Pen (@websmyth) on CodePen.

This is demonstrates a key difference between :nth-child() and :nth-of-type(). It’s subtle, but knowing this might help to avoid some confusion.

Wrapping up

It’s easy to get to grips with the basics of CSS, but understanding how and why things work is critical to writing better CSS.

Taking the time to learn these things not only helped me to write CSS more quickly, but it has also helped to make my code more efficient and resilient.

]]> <![CDATA[Thoughts on HEY]]> Dave Smyth 2020-06-27T00:00:00+00:00 The launch of HEY has been pretty divisive. That might be expected given the founders have created such an opinionated product for a fundamental internet function.

I’m coming to the end of my trial and it’s been a positive experience. It’s not a perfect product, but it’s already improving my email workflow and I’m interested to see what happens next.


Like many people, I use email as a to-do list, and not a particularly functional one. Unread messages needed to be actioned, and I’d be hoping not to accidentally leave a message ‘read’ or archive it.

For years, I used the native Gmail app. This worked ok, but switching between email services was a bit of a hassle, especially as I had six email accounts to check:

Things improved when I started using Spark. I particularly liked the calendar integration and how pinned emails displayed, but some ongoing sync issues forced me to rely on backup email apps.

Using HEY

A few things stood out to me as attractive HEY features:

  • Screening emails
  • Bunching emails from a single sender
  • Focus & Reply
  • Separation of Reply Later and Set Aside
  • Renaming email subjects
  • Privacy-focus

A couple of years ago, I looked into the possibility of blocking all incoming emails except for specific senders. This is possible with Boomerrang, but only on their $15/month plan.

Though HEY doesn’t offer this exact functionality, I thought the combination of services might help to achieve the same effect: reducing day-to-day email clutter and everything that brings.

Email workflow improvements

Here are the benefits I’ve found:

  1. Screening emails forces me to make a decision about a sender. That might mean accepting but unsubscribing, sending all emails to The Feed or something else.
  2. Bunching emails from a single sender is incredibly useful for some clients who might send several emails a day.
  3. Reply Later, and specifically the Focus & Reply mode, is a great productivity hack. Previously, I’d have replied to things immediately, but I now bunch up emails that might take a few minutes and crank through them in a much more efficient manner.
  4. The Feed is a neat way to browse newsletters and other promotional stuff. As the emails are already open, I actually look at the content: something I never did in Gmail’s Promotions/Updates/Forums folders.
  5. As someone who uses email as a to-do list, Set Aside (pinning) is a useful separation from Reply Later.

The combined effect has been a much calmer email experience. Even though I usually have emails to respond to, the Imbox is regularly empty: something that almost never happened before.


A few things I’d like to see:

  • The ability to automatically filter emails by subject/body content as well as the sender. This is already possible on a per-email basis, but it would be nice to automate this.
  • Calendar integration.
  • Schedule send – I can reply later, but I don’t necessarily want the emails to go out then.
  • Easier mark read/unread in the Imbox and Feed.

Custom domains will rollout soon. That will be another good thing as “business” accounts/custom domains will bolt-on to personal accounts: no account switching.

It’s been encouraging to see how the founders have responded to feedback, so it will be interesting to see where they take the product next.

Summing up

One of the main attractions about this product is that it’s privacy-focused. For me, that alone justifies the price (as it does with services like ProtonMail).

There’s no doubt competitors will copy features that prove useful. But the privacy aspect is something HEY will always have over much of the free competition.

It’s true that HEY might not be completely revolutionary: I could have replicated some of the features and sorted out a much better email system with filters and blocklists. But even after all these years, I hadn’t done this.

For me, that’s where such an opinionated service is handy. I don’t want to have to make decisions about how to sort out my email: for now, I’m quite happy to use HEY’s system.

That won’t be the case for everyone. If you’ve got a good system in place and like how your email works, HEY might not be an improvement for you.

For me, the UI and email workflow has forced me to change the way I manage email. So far, that’s been a good thing.

]]> <![CDATA[Clip-path scaling]]> Dave Smyth 2020-06-25T00:00:00+00:00 Funky image shapes are pretty popular and SVG clip-path is a great way to create these.

Before this was widely supported, the only option was save images as a PNG with a transparent background, or add the website’s background colour to create a smaller JPG.


Clipping images

I’ve been experimenting with this on a couple of projects. Though there are several ways to clip an image with SVG, I’ve specifically needed to clip images using SVG-defined paths.

This is a little more complicated than using methods like circle, polygon or others. Clippy is a great tool if you need to clip a more basic shape.

We can either clip a background-image or an img element. Though I’ve used the background-image on the CSS For Designers home page, the img element technique is often more appropriate for client work because it:

  1. Allows content editors to change the image
  2. Lets content editors specify alt text

Plus you retain all the other benefits of using an SVG clip-path rather than saving a pre-cut PNG/JPG image (smooth edges, file size, etc).

Let’s get into it.

Getting started

First of all, we need an SVG. Here’s what we’ll use:

See the Pen (@websmyth) on CodePen.

This is taken straight from Sketch (via the useful SVGO plugin), and I’ve added a fill so you can see the shape.

We also need an image to clip. Here’s one from Unsplash:

Tourist holding a camera in a street market.

In the Codepen below, we have the basic HTML and CSS we’ll use:

See the Pen (@websmyth) on CodePen.

Breaking this down

There’s a fair bit of code here, so let’s break it down.

In our HTML, the img element contains the image we want to clip, with an alt description. Our SVG code is embedded directly underneath.

We’re using the SVG-defined clip-path method outlined here. In short, we’ve:

  • Created a zero-width/height svg
  • Defined a clipPath with an id
  • Specified the path (copied from our original SVG)

In our CSS, we’ve used the clip-path property. We’re referencing the SVG clipPath we created in our HTML via its ID (#svgClip).

The result is a clipped image, but the position and size of the clip doesn’t correlate to the image itself. To make matters worse, if the image isn’t as wide as the SVG, it will appear to be cut-off:

See the Pen (@websmyth) on CodePen.

SVG-defined clip-paths issue

In the article, Chris Coyier explains an issue with SVG-defined clip-paths, where they remain fixed in the upper-left of a document.

In my (brief) testing on Firefox, Safari and Brave (Chromium), I couldn’t replicate this so this may not be an issue on more recent browsers (the article was last updated in 2016). That said, there was a difference in how Safari rendered the SVG.

Scaling the clip-path

Ideally, we want the SVG clip-path to scale with the image. To do this, we add clipPathUnits="objectBoundingBox" to the clipPath in our HTML:

<clipPath id="svgClip" clipPathUnits="objectBoundingBox">

However, if we want to use objectBoundingBox, our SVG path values must be between 0 and 1.

The simplest way to do this is to go back to our image editing software and resize our SVG to have a maximum width/height of 1px.

Here’s the same SVG we saw earlier, resized. The 1px dot may be difficult to see but, most importantly, the values are all between 0 and 1.

The SVG now successfully scales with the image:

See the Pen (@websmyth) on CodePen.

With a few more presentational styles, we can square this off and position the img wherever we need:

See the Pen (@websmyth) on CodePen.

Wrapping up

This is a hastily written and brief run-down of this technique. The thing that stumped me for a while was the requirement for objectBoundingBox paths to be between 0 and 1, and how to scale the SVG.

Corrections and suggestions welcome!

]]> <![CDATA[Leaving Facebook]]> Dave Smyth 2020-06-05T00:00:00+00:00 After fourteen years of Facebook activity, I’m finally deleting my account.

I’ve barely used Facebook in a personal capacity for a few years. More recently, it’s been useful to keep in touch with friends and family, but there’s always email or phone.

I’ve also benefitted incredibly from the freelance groups I’ve been a part of:

For any freelancers on Facebook, I’d heartily recommend checking these groups out.

Now feels like the right time to cut ties with Facebook. I recognise that being tech-agnostic is somewhat of a privilege, but I don’t think sticking around for my own convenience is justifiable any longer.

Why now?

I’ve been uncomfortable with Facebook for a long time. Since the Cambridge Analytica scandal, Facebook haven’t done anything to improve the quality of – or ban – political adverts.

Twitter is hardly a perfect, but at least it banned political ads.

Facebook isn’t free

I’ve been listening to “Oversubscribed” by Daniel Priestley recently. In one chapter, he describes how companies that don’t heavily target their ads are at a serious competitive disadvantage.

He goes as far as to say they’ll be run out of business.

An overdramatisation perhaps, but it’s pretty stomach-churning to think about the data profile we let these companies collect. For free.

In my fourteen years as a Facebook user, they’ve collected over 700MB of data about me. Images and videos make up 200MB of that, leaving over 500MB of messages and profile-building data.

To put that into context, the text in this post adds up to 4kb. Facebook’s collected 125,000 times that data in 14 years.

That’s roughly 35MB of text/profile data per year. Or 3MB per month.

All the time this data profits Facebook’s advertising model. Whether that’s companies targeting users for products or political parties during a campaign.

Targeted advertising and unethical user tracking have to end.

Facebook is not neutral

Twitter stirred up news when it started moderating Donald Trump’s tweets. This is no love letter to Twitter: the Will they suspend me? account demonstrates beautifully that not all tweets are treated equally.

But Facebook refuses to do anything. At some point, we have to decide whether we want to be associated with – and fund – a platform that chooses silence over action.

Instagram & WhatsApp

These Facebook-owned platforms are trickier to leave. WhatsApp might be easier as there’s a direct competitor in Telegram – I’ll need to convince family to move to that.

I mainly use Instagram that to support freelancers and small business owners through Work Notes. For now, it feels more important to continue that work than to leave – at some point that might change.

September 2021 Update

Totally correctly, it was pointed out to me that this article initially gave a shout out to Telegram. I strongly recomend Signal instead: in fact, I got my family to move to that from WhatsApp!

Also: I deactivated my Instagram accounts many months ago. No great loss.

Lastly: Inspired by Matt Baer’s Delete Your Facebook, I’m logging relevant articles in Bookmarks.

]]> <![CDATA[Using video for design feedback]]> Dave Smyth 2020-05-22T00:00:00+00:00 Getting design feedback can be tricky.

Everyone knows you shouldn’t just send a mockup and ask what do you think? But in an age of online meetings, Sketch, Figma, Invision and whatever else, how do you get away from that?

Introducing video

On the Boagworld podcast, Leigh Howells talks about presenting designs through video. He says this tackles a few common issues:

  1. Anyone watching the video can’t see the design without hearing the commentary. Though this is technically possible, they’re more likely to listen to commentary than read a long email.
  2. This extends to comps passed on to people outside the project team. Even if you take the time to explain a comp to someone, there’s nothing to stop a client forwarding that onto someone with a no context “whaddya think?”
  3. If there’s anything demonstrated in a browser, it lets you present quick code mockups in a browser that you know works. This reduces the chance of a key decision maker loading your demo in IE5 and asking why it doesn’t work.

First attempts

I’ve been experimenting with this idea on-and-off for a while.

Initially, I was recording my screen and uploading to Vimeo.

Don’t do this unless you like dealing with:

  • Huge file sizes, likely requiring reformatting
  • Bad aspect ratios
  • Long upload times


I now use Loom and it’s brilliant:

  • You can choose whether to record the whole screen or a single window
  • The app can include a video of you in the corner, which makes the recordings more personal
  • There’s no upload time and links are instantly shareable
  • Loom can tell you when a client has viewed the video...if you need that...

Presenting initial ideas

Taking the lead from Howells’ method, I’ve started using video to present all initial design ideas.

Starting with wireframes, I’ll send a video that talks through the decisions I’ve made and the considerations behind them. I might also discuss ideas that didn’t make the cut and why. Demonstrating this through video is really straightforward.

Introducing video so early in the process gets the client used to receiving design ideas in that format. When we move to higher fidelity mockups, video really comes into its own.


At this stage, I’ll start by covering everything we’ve done so far:

  • Research
  • Project goals
  • Moodboards/references
  • Wireframes

Going over this helps clients to understand how the mockups have come about. The designs shouldn’t be a huge surprise.

The video format lets me discuss colour, type, layout and other design ideas in context. That can be difficult in other formats.

It also allows me to address potential objections before they’re raised. Demonstrating why the logo isn’t bigger, possibly by resizing it on-screen in the video, can be incredibly powerful.

Addressing feedback

It can be difficult to describe usability or accessibility issues in an easily understood manner. I find that using video helps clients understand much more easily, and it reduces any feeling that it’s just an excuse.

If you’ve ever had clients ask you to centre/justify paragraphs of text, or use illegibly light grey text, you’ll know that these can be difficult arguments to win. Even if video doesn’t change the result, it can help clients understand in a way they couldn’t before.

Other benefits

Once a client has seen a demonstration, I’ll send them a link to the Balsamiq/Invision project. These apps are great for feedback, but there is still a (small) learning curve.

The video format lets me quickly explain how these interfaces work, helping clients feel confident to add feedback in the app.

Another side effect of video is that the service feels much more personal. Every client I’ve done this with has loved receiving the videos, being talked through the process and the decision making.

In turn, that helps to get clients on board and become advocates for the work you’re doing. In my experience, at least.

None of these things are exclusive to presenting through video, but I’ve found it to be an incredibly effective way to communicate with clients.

]]> <![CDATA[Launching a personal site]]> Dave Smyth 2020-05-21T00:00:00+00:00 As I launch this site, I maintain several projects:

Each of these has a blog. I write about CSS on CSS For Designers, freelancing at Work Notes and design/website things at Websmyth, so why another one?

There are still things I want to write about and document, that don’t fit neatly into those categories:

  • Thoughts about design process
  • Short posts/articles
  • Things I’ve learned
  • Unfinished thoughts/ideas

That’s the plan. Let’s see what happens.

]]> <![CDATA[How to set font sizes in CSS]]> Dave Smyth 2020-05-06T00:00:00+00:00 There are lots of ways to set the size of text in CSS. px, em and rem are the most popular options, but what’s the difference between them?

Pixels (px)

Pixels are an absolute unit of measurement in CSS. That means that if a user writes font-size: 16px the output will be text at 16px.

Pixels are an easy option, but they create accessibility issues. Users who need to increase the browser’s default font size won’t be able to when the font size is set as pixels.

Ems (em)

em is a relative unit of measurement. That means its size is relative to something else, but what?

em units are relative to their parent element. 1em is the same as the current parent’s font size.

If the parent element’s font size is 16px, 1em would be 16px. That seems simple, but how does it work in practice?

If you had the following CSS:

body {
	font-size: 16px;
p {
	font-size: 1.5em;

And this HTML:

	<p>What size will this text be?</p>

The p text would be calculated as 1.5em x 16px = 24px. The parent of p is body so the value of em (1.5) is multiplied by 16px.

You can see that in this Codepen – experiment with some different values, too.

See the Pen (@websmyth) on CodePen.

Root font size

To make these examples easier to understand, they all use a pixel value for the body font size:

body {
	font-size: 16px;

It’s often better not to set a root font size. If we have to, set it at the html level as a relative unit:

html {
	font-size: 100%;

Ems and nesting

This works well as the text will scale up and down if a user changes the default font size, but it can be confusing. What happens if there are several nested elements?

If our HTML looked like this:

    	<p>What size will this text be?</p>

And had the following CSS:

body {
	font-size: 16px;
article {
	font-size: 1.5em;
p {
	font-size: 2em;

How is the p font size calculated? Here’s what happens:

The article font size is calculated as 1.5em x 16px (the font size of its parent, body). That gives article a font size of 24px.

The p font size is calculated based on its parent font size. Its parent is article, so 2em x 24px = 48px.

You can see that in action here:

See the Pen (@websmyth) on CodePen.

Rems (rem)

This is where the rem unit comes in handy. rem units work in exactly the same way as em units, except for one key difference:

The calculation is based on the root element, not the parent. That’s what the r stands for.

Returning to our example from above, the final font size of p would now be 32px because the calculation is now 2rem x 16px (the value set at the root, which is html).

See the Pen (@websmyth) on CodePen.

The rem unit allows font sizing to scale but it’s also predictable. You no longer have to worry about the impact of parent element sizes, so they’re the best of both worlds.

]]> <![CDATA[Managing vertical margins in CSS]]> Dave Smyth 2020-04-07T00:00:00+00:00 Achieving consistent vertical space between elements with CSS can be hard. Margins are usually to blame, but how can we make them more manageable?

Collapsing margins

One of the main sources of layout frustration is that vertical margins collapse. There are some exceptions to this, but that’s the general rule.

Rachel Andrew published a fantastic breakdown of how CSS margins work, where she states:

When margins collapse, they will combine so that the space between the two elements becomes the larger of the two margins. The smaller margin essentially ending up inside the larger one.

Collapsing margins are seen frequently when we have two block elements stacked on top of each other.

In the example below, we have two p elements with margin-top: 0.5em and margin-bottom: 0.5em:

See the Pen (@websmyth) on CodePen.

At a glance, it would seem the total amount of space between these elements is 1em (0.5em + 0.5em). But that isn’t the case because the margins collapse.

In our example, the margin-bottom of the first p combines with the margin-top of the second p. That creates a total margin of: 0.5em.

A hacky fix

Let’s say we wanted the gap between these elements to be 1em, how could we do that?

One solution might be to set one, or both of the vertical margins to 1em:

See the Pen (@websmyth) on CodePen.

That works and it gives us the desired spacing, but it’s hardly efficient: each pair of elements only uses three out of the four declared margin values.

Further problems arise when we start adding elements with different margin values into the mix. When applied across an entire site, it soon becomes difficult to know which margin values can be changed without breaking something.

Margin strategy

A better margin strategy is to set all vertical margins in one direction only: either margin-top or margin-bottom.

Declaring margin values in this way makes our code much more predictable. You no longer have to worry about the knock-on effect of a collapsed margin.

It also makes code maintenance easier: you can safely adjust a margin knowing that it will have the desired effect.

Returning to our example, that could be rewritten like this:

See the Pen (@websmyth) on CodePen.


There will of course be exceptions to this, but they should be exactly that: exceptions.

Since adopting this technique, I’ve significantly cut down the use of top and bottom margins on a single element.

Lobotomized Owls

Setting margins in a single direction is particularly effective when combined with Heydon Pickering’s Lobotomised Owl technique. The original artice is well-worth reading.

Pickering’s technique lets us set margin only between elements. That means we no longer have spare margin at the top or bottom of a stack of elements.

In our example above, we’ve used margin-top: 1em to provide the space between all p elements. This works, but the first p is not flush with the top of the parent container.

Below, I’ve added an article container with a blue border to demonstrate this:

See the Pen (@websmyth) on CodePen.

To make the first p flush with the top of the parent box, we would need to add:

p:first-child {
	margin-top: 0;

See the Pen (@websmyth) on CodePen.

Removing margin-top over an entire project can be verbose and difficult to maintain.

Pickering’s solution is to use the universal selector (*) combined with the adjacent selector (+), so that the margin is only applied between adjacent elements:

* + * {
	margin-top: 1em;

We could write p + p in our example, but the elegance of the universal selector is that it applies to all elements. That means we don’t need to guess which elements our content will need: we can write exceptions where necessary.

To further control where these margins are applied, we can limit this to direct child elements within parent containers.

In our example, that would look like this:

article > * + * {
	margin-top: 1em;

See the Pen (@websmyth) on CodePen.

Reducing margin headaches

The Lobotomized Owl technique is an extremely helpful and practical method of controlling vertical space.

I’d recommend reading Pickering’s original article on Lobotomized Owls.

Applying margins to the top and bottom of elements can create layout headaches and maintenance issues. When vertical margins are set in a single direction and combined with the Lobotomized Owl technique, many of these issues are resolved.

]]> <![CDATA[Troubleshooting CSS]]> Dave Smyth 2019-07-31T00:00:00+00:00 If your CSS updates aren’t working as you expect, what’s the best way to troubleshoot it? It can be a bit of a rabbit hole, but here are 13 ways to check your CSS.

The checklist

1. Have you saved the file?

Seems obvious, but absolutely worth double checking.

2. Clear your cache

You’ll want to clear two, possibly three, caches: your site’s cache, your browser and your server cache (if you have one). You may not be aware of a server cache but some hosts, such as SiteGround and WPEngine, use server-level caching to speed up websites.

Clearing your cache is the browser equivalent of turning it off and on again.

3. Check for spelling/syntax errors

Is the selector spelt correctly? Is the punctuation and spacing correct in descendant selectors (i.e. is it nav.class instead of nav .class?

Another classic would be to forget to close the declaration, so your CSS looks like this:

p {
	color: #fff
	font-size: 1rem;

Notice how the color is missing the semicolon? That means the CSS file will read that code like this:

color: #ffffont-size: 1rem;


4. Does your rule appear in the inspector?

Does it have a line through it? If so, your selector needs to be more specific.

In Chrome’s DevTools, the Computed tab can show you what’s being rendered by the browser and the rules being applied to a specific element: really handy for tracking down inheritance and specificity issues.

5. Does the style you’re overriding have an !important in it?

Or is the style declared in the HTML element (e.g. <div style="color: #fff;">)? If so, you can only override that with another !important.

6. Is the element inheriting a default browser style?

This could be anything, so check the inheritance in the inspector.

7. Is the element wider/taller than you’d expected?

It might need box-sizing: border-box; applied to it so that the width and height are calculated based on the size of the border-box rather than the content box (the default).

8. Is it a browser incompatibility issue?

This is much less of an issue than it used to be, but worth checking if the issue is replicated in another browser. The website is a great tool to help with this as well.

9. Have you validated it?

If you’ve got this far and nothing has worked, it might be worth popping it into the CSS Validator to check it’s valid CSS. CSS Lint is another resource to check out that will give some additional feedback on what you’ve written.

10. Try replicating the CSS and basic HTML structure in a tool like Codepen

If it works there, but not in your site, you’re likely dealing with an issue of inheritance or specificity. This is especially likely if you’re using a framework or template.

More advanced checks

If the rule is shown in the inspector but it’s not taking effect, there’s probably something not quite right.

11. Have you applied the rule to the correct element?

Often things need to be applied to the parent element, especially things related to the display or position properties.

12. Does the element have the right value for display?

It’s always worth checking the display property, especially if it’s inline, inline-block or block. This might fix the issue, especially if you’re trying to apply a property that’s incompatible (or has no effect) when applied to the wrong one.

13. Can you actually apply that property to the element?

Not all properties can be applied to all elements. :visited is a good example of this, but there are lots of others.