How not to code your bank website

When is a number not a number? When it is a PIN. Backstory: recently my bank overhauled its website. On the whole, it’s an improvement, but it hasn’t been entirely awesome. One of the changes was that special characters were no longer allowed in the security questions. As it turns out, that’s a good way to lock your users out. Me included.

Helpfully, if you lock yourself out, there’s a self-service unlock feature. You just need your Social Security Number and your PIN (and something else that I don’t recall at the moment). Like any good form, it validates the fields before proceeding. Except holy crap, if your PIN begins with 0, pressing “Submit” means the PIN field becomes three characters and you can never proceed. That’s right: it treats the PIN as an integer when really it should be a string.

I’ve made my share of dumb mistakes, so I try to be pretty forgiving. But bank websites need to be held to a very high standard, and this one clearly misses the mark. Breaking existing functionality and mistreating PINs are bad enough, but the final part that lead me to a polite-but-stern phone call was the fact that special characters are not allowed in the password field. This is 2016 and if your website can’t handle special characters, I have to assume you’re doing something terribly, terribly wrong.

In the meantime, I’ve changed my PIN.

Snapchat sunglasses? Why they could be successful

Snapchat’s founder announced on Friday that the company is working on a new, non-software product: sunglasses. Set to go on sale this fall, these sunglasses will include a camera that, when activated, will record 10 seconds of video. Presumably, this video will be posted to Snapchat by way of the user’s phone.

Some of the reaction I’ve seen so far is pretty predictable: “it’s like Google Glass, but less featured!” and “what a great way to announce that you’re a d-bag.” Haters gonna hate, as they say, and I’ll admit that the design is not my style. Still, there are reasons to believe Snapchat’s Spectacles will have the sort of wide consumer adoption that Google Glass never did:

  • Price. At less than one-tenth the price of Google Glass, it’s much more affordable. The price is in line with normal sunglasses, for those of us who don’t buy our sunglasses off the spinny rack at the drug store (full disclosure: I buy my sunglasses off the spinny rack at the drug store).
  • Branding. Oh sure, Google had great brand recognition when Glass launched. But Google’s brand is more about utility. Snapchat is about social. And this lines up well with the respective eyewear, but I think the fact that Snapchat is a social media platform, not a “know everything” platform helps in this case.
  • Obviousness. Both Google Glass and Spectacles are pretty obvious externally, but Spectacles will apparently have an LED light to indicate when it was recording. The fact that Spectacles are sunglasses, not a fixture on general-purpose glasses, means that some of the more obvious privacy concerns (particularly bathrooms) are avoided because people probably won’t be wearing them inside. Plus the limited duration shortens the window for privacy violations. It’s more “I have my camera ready to go” and less “I am recording your every move.”
  • Simplicity. Yes, Spectacles have very limited use, but that also means they’re really easy to use. I haven’t used Glass, so I can’t speak for the ease of use, but it’s hard to beat “push this button.”

None of this is any guarantee that Spectacles will be a success, of course. It will be interesting to see how this affects Snapchat usage. Anecdotally, while I have many friends of a variety of genders, ages, and interests on Snapchat, it’s a small group of mostly twenty-something women that post stories (perhaps there’s greater usage 1:1?). There’s a lot to be said for being able to share your experiences from your own point-of-view, so now we’ll have to see what Evan Spiegel and company can do.

Thoughts on the Wunderlist outage

For most of Wednesday and Thursday, the to-do list management service Wunderlist was unavailable. They haven’t published a public post mortem, though I’ve asked if they plan on it. It has to be a hell of a problem since it resulted in such a long outage.

I think they handled it fairly well, though. Logins were disabled in order to prevent further problems and regular updates were posted to the status page. I’d have preferred that the login page were redirected to the status site. I took a guess at the address and it was right, but I’m not sure all users would have done that. It might have saved their support team some effort.

The status page promised updates in various non-specific time frames. I’d have liked “we’ll provide another update at $specific_time”. When the specified time rolls around, if there’s nothing to say, just say “no new updates, we’ll update again at $blah”. And speaking of times, having the current time on the page is helpful for a global service, since not all users know what your time zone offset is.

On a more personal note, I was pleasantly surprised with how well I managed without my outsourced brain. Wunderlist has become a critical extension of my brain. Fortunately, I didn’t have much pressing due during the outage. But it did make me miss my old days of using TuDu running in a screen session.

Twitter doesn’t need read receipts

Not content to leave the potentially user-hostile decisions to Apple, Twitter announced last week that they were adding read receipts (among other features) to direct messages. Annoyingly, this is an opt-out feature. Twitter is once again adding a feature no one wants while ignoring the real problems of abuse on the platform.

I’m no product management expert, but I know there are times when you listen to your users and times when you don’t. “I want this thing” is a good time to not listen to your users. That’s not to say you ignore their wishes entirely, but you can build a product that people like even if they don’t realize that’s what they want at the time. Apple has had a fair amount of success with this approach.

“This thing is a problem” is absolutely something you listen to your users about. Particularly when prominent people end up abandoning the product. While Twitter has given lip service to the harassment problem, it does not appear to have taken any meaningful steps to address it. In fact, the read receipts can bolster harassment.

Before the addition of read receipts, harassers would have to guess if a direct message was read or not. With read receipts on, there’s the immediate satisfaction of knowing your message got through. Even setting harassment aside, read receipts just reinforce the cultural demand for immediacy. I’m fairly connected digitally, but I don’t see a benefit to read receipts. I’ll probably respond to a message quickly, but if I don’t then that’s my decision. I don’t need the platform insinuating that I’m ignoring someone when I’m really just trying to keep my children from tearing the house apart.

Instructions for disabling read receipts came out almost as quickly as the announcement.

Full disclosure: I own a small number of Twitter shares.

Slack and abuse

Recently, Sara Mauskopf asked how to block a user on Slack, the popular chat platform. Slack’s social media team replied: 

The response is not helpful. As Mauskopf pointed out, Slack is used in many environments. Communities have adopted Slack as an easy, cross-platform communication tool. Some may have governing bodies, and they should all have a code of conduct, but there’s often only an informal power structure. This means that abusers can go unchecked (and there’s no guarantee that a corporate HR department would be quick to act).

Slack’s self-reported diversity numbers are not as bad as many tech companies. Nonetheless, this strikes me as a failure to empathize with people who face abuse online. I don’t understand how a communication platform in 2016 can not have some kind of block feature. Even Twitter, which has a pretty lousy track record of dealing with abuse, has the ability to block users.

I can understand how some organizations might not want to allow users to block others, but that’s not a good reason to forego the feature entirely. Giving site administrators the option to allow blocking would be a big improvement. Until then, it’s hard to suggest Slack to open communities.

Twitter’s abuse problem

I’ve been an avid Twitter user for years. I’ve developed great friendships, made professional connections, learned, laughed, and generally had a good time. Of course, I also happen to be a relatively-anonymous white male, which means my direct exposure to abuse is fairly limited. I can’t say the same for some of my friends. Last week’s BuzzFeed article calling Twitter “a honeypot for assholes” didn’t seem all that shocking to me.

Twitter, of course, denied it in the most “that article is totally wrong, but we won’t tell you why because it’s actually spot on” way possible:

In response to today’s BuzzFeed story on safety, we were contacted just last night for comment and obviously had not seen any part of the story until we read it today. We feel there are inaccuracies in the details and unfair portrayals but rather than go back and forth with BuzzFeed, we are going to continue our work on making Twitter a safer place. There is a lot of work to do but please know we are committed, focused, and will have updates to share soon.

To it’s credit, Twitter has publicly admitted that it’s solution to harassment is woefully inadequate. It’s in a tough spot: balancing free expression and harassment prevention is not an easy task. Some have suggested the increased rollout of Verified status would help, but that’s harmful to some the people best served by anonymous free expression. I get that Twitter does not want to be in the business of moderating speech.

It’s important to distinguish speech, though, so I’m going to invent a word. There’s offensive speech and then there’s assaultive speech. Offensive speech might offend people or it might offend governments. Great social reform and obnoxious threadshitting both fall into this category. This is the free speech that we all argue for. Assaultive speech is less justifiable. It’s not merely being insulting, but it’s the aggressive attempt to squash someone’s participation.

I like to think of it as the difference between letting a person speak and forcing the audience to listen. I could write “Jack Dorsey sucks” on this blog every day and while it would be offensive, it is (and should be) protected. Even posting that on Twitter would fall into this category. If instead I tweeted “@jack you suck” every day, that’s still offensive but now it’s assaultive, too.

This, of course, is a in the context of a comany deciding what it will and won’t allow on its platform, not in the context of what should be legally permissible. And don’t mistake my position for “you can never say something mean to someone.” It’s more along the lines of “you can’t force someone to listen to you say mean things.” Blocks and mutes are woefully ineffective, especially against targeted attacks. It’s trivially easy to create a new Twitter account (and I have made several on a lark just because I could). But if the legal system can have Anti-SLAPP laws to prevent censorship-by-lawsuit, Twitter should be able to come up with a system of Anti-STAPP rules.

One suggestion I heard (I believe it was on a recent episode of “This Week in Tech”, but I don’t recall for sure) was the idea of a “jury of peers.” Instead of having Twitter staff review all of the harassment, spam, etc. complains, select some number of users to give it a first pass. Even if just a few hundred active accounts a day are selected for “jury duty”, this gives a scalable mechanism for actually looking at complaints and encouraging community norms.

Maybe this is a terrible idea, it’s clear that Twitter needs to do something effective if it wants to continue to attract (and retain!) users.

Full disclosure: I own a small number of shares of Twitter stock. It’s not going well for me.

Getting support via social media

Twitter wants you to DM brands about your problems” read a recent Engagdet article. It seems Twitter is making it easier to contact certain brand accounts by putting a big contact button on the profile page. The idea being that the button, along with additional information about when the account is most responsive, will make it easier for customers to get support via social media. I can understand wanting to make that process easier; Twitter and other social media sites has been an effective way for unhappy customers to get attention.

The previous sentence explains why I don’t think this will end up being a very useful feature. Good customer support seems to be the exception rather than the rule. People began turning to social media to vent their frustration with the poor service they received. To their credit, companies responded well by providing prompt responses (if not always resolutions). But the incentive there is to tamp down publicly-expressed bad sentiment.

When I worked at McDonald’s, we were told that people are more likely to talk about, and will tell more people, the customer service they experienced. Studies also show complaints have an outsized impact. The public nature of the complaint, not the specific medium, is what drives the effectiveness of social media support.

In a world where complaints are dealt with privately, I expect companies to revert to their old ways. Slow and unhelpful responses will become the norm over time. If anything, the experience may get worse since social media platforms lack some of the functionality of traditional customer support platforms. It will be easier, for example, for replies to fall through the cracks.

I try to be not-a-jerk. In most cases, I’ll go through the usual channels first and try to get the problem resolved that way. But if I take to social media for satisfaction, you can bet I’ll do it publicly.

Fourth Amendment protection and your computer

Back in January, I wrote an article for arguing that judges need to be educated on open source licensing. A recent decision from the Eastern District of Virginia makes it clear that the judiciary needs to better understand technology in general. Before I get into the details of the case, I want to make it clear that I tend to be very pro-defendant on the 4th-8th Amendments. I don’t see them as helping the guilty go free (although that is certainly a side effect in some cases), but as preventing the persecution of the innocent.

The defendant in this case is accused of downloading child pornography, which makes him a pretty unsympathetic defendant. Perhaps the heinous nature of his alleged crime weighed on the mind of the judge when he said people have no expectation of privacy on their home computers. Specifically:

Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: in today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can – and eventually will – be hacked.

As a matter of fact, that’s a valid statement. It’s good security advice. As a matter of law, that’s a terrible reason to conclude that a warrant was not needed. Homes are broken into every day, and yet the courts have generally ruled that an expectation of privacy exists in the home.

The judge drew an analogy to Minnesota v. Carter, in which the Supreme Court ruled that a police officer peering through broken blinds did not constitute a violation of the Fourth Amendment. I find that analogy to be flawed. In this case, it’s more like the officers entered through a broken window and began looking through drawers. Discovering the contents of a computer requires more than just a passing glance, but instead at least some measure of active effort.

What got less discussion is the Sixth Amendment issue. Access to the computer was made possible by an exploit in Tor that the FBI made use of. The defendant asked for the source code, which the the judge refused:

The Government declined to furnish the source code of the exploit due to its immateriality and for reasons of security. The Government argues that reviewing the exploit, which takes advantage of a weakness in the Tor network, would expose the entire NIT program and render it useless as a tool to track the transmission of contraband via the Internet. SA Alfin testified that he had no need to learn or study the exploit, as the exploit does not produce any information but rather unlocks the door to the information secured via the NIT. The defense claims it needs the exploit to determine whether the FBI closed and re-locked the door after obtaining Defendant’s information via the NIT. Yet, the defense lacks evidentiary support for such a need.

It’s a bit of a Catch-22 for the defense. They need evidence to get the evidence they need? I’m open to the argument that the exploit here is not a witness per se, making the Sixth Amendment argument here a little weak, but as a general trend, the “black boxes” used by the government must be subject to scrutiny if we are to have a just justice system.

It’s particularly obnoxious since unauthorized access to a computer by non-law-enforcement has been punished rather severely at times. If a citizen can get 10 years in jail for something, it stands to reason the government should have some accountability when undertaking the same action.

I have seen nothing that suggests the judge wrote this decision out of malice or incompetence. He probably felt that he was making the correct decision. But those who make noise about the “government taking our rights away” would be better served paying attention to the papercut cases like this instead of the boogeyman narratives.

The easy answer here is “don’t download child pornography.” While that’s good advice, it does nothing to protect the innocent from malicious prosecution. Hopefully this will be overturned on appeal.

I like technology, but I like owning the things I own

As easy as it is to hate computers, every so often I like to look around and remind myself that we’re living in The Future. Technology that is fairly routine today seemed so impossible when I was a kid. It’s not slowing down, either. Consumer technology, in particular the “connected home”, is making great advancements. But with great functionality comes great headaches. There are any number of reasons to be concerned about the rise of the machines, but here’s one.

If you’re one of the (apparently few) people who bought a Revolv hub, you probably wanted to make your life easier. The ability to control your lights, thermostat, etc from a smartphone is incredibly appealing. But come June 19, you can’t. Alphabet’s Nest bought Revolv back in October 2014 and has decided to shut down the service. It’s not just that the hubs will be unsupported, they will essentially become hummus-container-shaped paperweights.

Despite my hatred for computers, I actually like technology in general and I really like having fun new toys to play with. Even so, I have a hard time talking myself into purchases where I don’t really own what I own. I understand if a company decides that keeping a central service running for an unused or outdated product is no longer viable, but I’d still like to be able to play with it in standalone mode.

I have friends who strongly distrust relying on locked-in external services. If they can’t host it themselves (or at least have it hosted by a third party where they can freely move should the need arise), they don’t use it. I sympathize with that position, but I tend to take a more practical approach. There are a lot of things I let other people do — either in exchange for payment or in exchange for serving me ads — that I could do myself. I’d just rather spend my time and energy elsewhere.

A smart home system that is self-contained appeals to me greatly. I’d love to be able to go away during the winter and leave my thermostat at “just don’t let the pipes freeze, okay?” but when I get an hour from home, have the furnace fire back up. If that system requires the vendor to decide to keep their servers on, I’m not really interested (without even considering privacy and security implications). The “*aaS-ification” of technology offers great benefits to those who cannot implement technology solutions for themselves, but it also creates great risk.