phiffer.org

Dan Phiffer builds websites, makes art, and teaches in NYC

Do not let the bastards grind you down (toe.prx.org)

I was recently on my friend Benjamen Walker’s podcast Theory of Everything, talking about digital security.

MP3 download


Surveillance and inaction

Photo: NYPD skywatch tower (Life under occupation, by Barry Hoggard)

I am awash in thoughts and feelings this week. Donald J. Trump will very likely be our next President. This fact has already emboldened hate groups, leaving us to contemplate what the next four years could mean—especially for friends who will likely become targets of bigotry.

Should we go outside and protest? Should we turn inward and lean on our support networks? Do we start thinking about the 2018 midterms? Yes. Yes to all of it. If you need time away from this divisive election, you’ll be welcome to join us when you’re ready. I completely understand, especially if you worked on a 2016 political campaign.

For my part, I am regrouping, considering how I can do more, do better. Some friends have asked me about strategies for resisting surveillance. Digital privacy will become even more important in the coming years, and we should all collectively get better at protecting ourselves.

A very short answer is: switch your texting over to Signal, use a password manager. Start today.

Keep in mind that surveillance is for controlling your behavior. If you’ve ever said “but I have nothing to hide,” now is a good time to consider whether you intend to keep it that way. If you do choose to toe that line—maybe you want to wait and see if a President Trump keeps to his campaign promises—take a moment to consider how pervasive surveillance and the threat of anticipated consequences may be blinding you from a civic responsibility to resist.

I’d like to write more about this in the coming weeks, but for starters here are some links that might be helpful. Stay safe out there.

If you are wondering how precisely to get involved, please don’t hesitate to contact me. I am figuring that out myself and would welcome your ideas.

On Encryption and Terrorists (nadim.computer)

Nadim Kobeissi, maker of Crypto.cat and Minilock:

The premise driving the people writing encryption software is not exactly that we’re giving people new rights or taking some away: it’s the hope that we can enforce existing rights using algorithms that guarantee your ability to free speech, to a reasonable expectation of privacy in your daily life. When you make a credit card payment or log into Facebook, you’re using the same fundamental encryption that, in another continent, an activist could be using to organize a protest against a failed regime.

In a way, we’re implementing a fundamental technological advancement not dissimilar from the invention of cars or airplanes. Ford and Toyota build automobiles so that the entire world can have access to faster transportation and a better quality of life. If a terrorist is suspected of using a Toyota as a car bomb, it’s not reasonable to expect Toyota to start screening who it sells cars to, or to stop selling cars altogether.

Link via Matthias Bruggmann

How to escape the advertising bubble

Maciej Cegłowski has interesting things to say about big data and the online advertising business. He argues—persuasively, I think—that the advertising technology (adtech) sector is overvalued. In a recent essay, he describes what will happen when that adtech bubble finally bursts.

The problem is not that these companies will fail (may they all die in agony), but that the survivors will take desperate measures to stay alive as the failure spiral tightens.

These companies have been collecting and trafficking in our most personal data for many years. It’s going to get ugly.

Remember when, in its death throes, RadioShack sold off the customer data of 67 million people? This will probably be worse than that. And a whole lot of the web is built on top of adtech spaghetti business (think: spaghetti code, but for business).

The prognosis for publishers is grim. Repent! Find a way out of the adtech racket before it collapses around you. Ditch your tracking, show dumb ads that you sell directly (not through a thicket of intermediaries), and beg your readers for mercy. Respect their privacy, bandwidth, and intelligence, flatter their vanity, and maybe they’ll subscribe to something.

One way I could see publishers phasing in this more-respectful business model is by using the do-not-track setting that existing web browsers already provide. Every modern browser has privacy settings that let an individual user opt out of online tracking. That do-not-track preference is included with each and every web request, but it’s up to the website operator to act on it. As far as I can tell, adtech companies seem to ignore this preference completely.

Firefox privacy preferences

Okay, so are you ready for my idea for how publishers can escape the adtech bubble? Stay with me here, because this is a crazy suggestion: if I’ve signaled through my preferences that I prefer not to be tracked, then … I dunno, maybe don’t track me.

A typical ad-driven website relies on dozens of companies to show me slow loading, poorly-customized advertising. But there’s nothing stopping the website itself from simply not letting those companies’ code onto the page.

I would say just switch to dumb (non-tracking) ads for everyone, but I know how this would play out: “it’s too extreme, we can’t afford it!” But here’s the thing: if you think this adtech spaghetti business is going to collapse, you’ll have to start switching traffic over to something else eventually. Why not start with current and future subscribers (aka “users”) who’ve already indicated they prefer not to be tracked by the adtech industry? Just do what we’ve been asking for in the first place.

Here’s how: if a given visitor has checked the do-not-track box, you’ll be able to detect it. Adjust your ad libraries and CDNs to detect the DNT: 1 HTTP header and then show a small message congratulating yourself, and set aside those ad spots for “artisanal” ads. Once things are rolling along you can ditch the old bloated, crappy ads for everybody else.

You can already tell what proportion of visitors have do-not-track enabled; it’s there in the traffic stats if you look for it. You could pitch this to the higher-ups with real numbers, and spin it as a Premium Advertising Experience, like organic fair trade traffic without all the slow bandwidth-bloat and creepy surveillance.
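The two steps above (detect the DNT: 1 header and serve a directly sold, tracker-free ad in its place; measure what share of traffic sends it) as an added example in Node.js. This is not code from phiffer.org or from any ad library; the ad markup, the ad-network URL and the sample request log are constructed placeholders. It goes slightly beyond the post by also honouring the newer Sec-GPC: 1 header (Global Privacy Control), since most browsers have since dropped the DNT setting.

```javascript
// Added example: honour the visitor's opt-out before any third-party ad code
// reaches the page. Node.js lowercases incoming header names, so the lookups
// below use lowercase keys; the uppercase fallbacks are for hand-built objects.

// True when the request carries "DNT: 1" or "Sec-GPC: 1" (assumption: treating
// Global Privacy Control the same way as DNT, which the original post predates).
function trackingOptOut(headers) {
  const dnt = headers['dnt'] ?? headers['DNT'];
  const gpc = headers['sec-gpc'] ?? headers['Sec-GPC'];
  const isOne = v => typeof v === 'string' && v.trim() === '1';
  return isOne(dnt) || isOne(gpc);
}

// Render the ad slot for a page. With the opt-out set, no third-party script
// is emitted at all: a first-party, directly sold ad takes the slot instead.
function renderAdSlot(headers) {
  if (trackingOptOut(headers)) {
    return [
      '<div class="ad ad-direct">',
      '  <!-- directly sold ad: served from this host, no tracker -->',
      '  <a href="/sponsor">Our sponsor this month</a>',
      '  <p class="dnt-notice">You asked not to be tracked, so we did not.</p>',
      '</div>',
    ].join('\n');
  }
  // Legacy adtech path; the host below is a placeholder, not a real network.
  return '<script async src="https://ads.example.invalid/tag.js"></script>';
}

// Share of requests with the opt-out set, from a list of request objects such
// as you would derive from server logs. Returns a number between 0 and 1.
function optOutShare(requests) {
  if (requests.length === 0) return 0;
  const n = requests.filter(r => trackingOptOut(r.headers)).length;
  return n / requests.length;
}

// Constructed sample standing in for a traffic log (not real visitor data).
const SAMPLE_REQUESTS = [
  { path: '/',      headers: { dnt: '1', 'user-agent': 'Firefox' } },
  { path: '/about', headers: { 'user-agent': 'Chrome' } },
  { path: '/',      headers: { dnt: '0' } },
  { path: '/post',  headers: { 'sec-gpc': '1' } },
];

// Minimal server wiring, started only when this file is run directly.
if (typeof require !== 'undefined' && require.main === module) {
  const http = require('http');
  http.createServer((req, res) => {
    res.setHeader('Content-Type', 'text/html; charset=utf-8');
    res.end(`<html><body>${renderAdSlot(req.headers)}</body></html>`);
  }).listen(8080);
  console.log(`opt-out share in sample: ${optOutShare(SAMPLE_REQUESTS)}`);
}
```

The decision is made server-side, before the HTML is sent, so the visitor's browser never even sees a reference to the ad network. Checking the header value against exactly "1" matters: a missing header and "DNT: 0" both mean the visitor has expressed no opt-out.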

The big challenge, of course, is that this type of effort involves cooperation between many departments that may not currently get along well. But getting the ad sales people, the ad tech people, and the web developers to work together is important.

Nobody likes working on ads, and I know it’s hard to just get buy-in, let alone actually launch a new thing. But an adtech collapse might be an existential threat; better to get in front of it now rather than wait for it to happen.

Also posted on Medium.com

Let’s Encrypt (updated)

Update: since this was written, the letsencrypt-auto script has improved significantly. When I tried it again today (December 8, 2015), the process was basically just cloning the GitHub repo and running ./letsencrypt-auto. I’ll leave the original (outdated) information here for posterity.

As of today phiffer.org is being served using SSL encryption thanks to a free certificate from Let’s Encrypt. It’s a recently launched service, sponsored by Mozilla and the Electronic Frontier Foundation (among others), intended to make HTTPS encryption ubiquitous on the web.

Hooray for [Let's Encrypt!](https://letsencrypt.org/)

Let’s Encrypt is very new, and there are still some rough edges, but overall I’m impressed by how smoothly the process went. I wanted to document my experience, in case it’s helpful to others (and future-me). This post is a bit more technical than usual and, because the service is new, much of it may not be relevant very long into the future. That said, I hope this might offer some clues for folks trying to get up and running on HTTPS.


Haunted by Data (www.youtube.com)

Here’s Maciej Cegłowski giving a talk on the hazards of Big Data.


The current model of total surveillance and permanent storage is not tenable.

If we keep it up, we’ll have our own version of Three Mile Island, some widely-publicized failure that galvanizes popular opinion against the technology.

At that point people who are angry, mistrustful, and may not understand a thing about computers will regulate your industry into the ground.

See also: the text version of the talk.


Unfit Bits (www.unfitbits.com)

Hack the planet your personal fitness device!!

Does your lifestyle prevent you from qualifying for insurance discounts? Do you lack sufficient time for exercise or have limited access to sports facilities? Maybe you just want to keep your personal data private without having to pay higher insurance premiums for the privilege?

Unfit Bits provides solutions. At Unfit Bits, we are investigating DIY fitness spoofing techniques to allow you to create walking datasets without actually having to share your personal data. These techniques help produce personal data to qualify you for insurance rewards even if you can’t afford a high exercise lifestyle.

Made by my friends Tega and Surya. Also be sure to download the DIY guide from Biononymous.me.


Could a Bank Deny Your Loan Based on Your Facebook Friends? (www.theatlantic.com)

Facebook recently filed a rather unsettling patent application describing (among other things) a hypothetical social-graph-based credit scoring system. What level of freaked out would be an appropriate response?

Facebook makes its money by encouraging people to have large friend networks and create lots of content for it to show ads against. And given that that’s the primary profit driver for Facebook, as a practical manner, it would really surprise me if they decided to get into the credit-scoring business, just because I think that’s going to make people feel panicked and uncomfortable. If I were them, I would not be in a giant rush to do that.

This makes me wonder if a lot of people suddenly started blocking ads, would companies like Facebook move quickly to adopt more dystopian business models? Or would they be more likely to start embracing those business models much earlier—quietly, secretly, mischievously—in anticipation?

Link via Ingrid

What Happens Next Will Amaze You (idlewords.com)

Maciej Cegłowski on the perilous surveillance of online advertising:

Ad fraud works because the market for ads is so highly automated. Like algorithmic trading, decisions happen in fractions of a second, and matchmaking between publishers and advertisers is outside human control. It’s a confusing world of demand side platforms, supply-side platforms, retargeting, pre-targeting, behavioral modeling, real-time bidding, ad exchanges, ad agency trading desks and a thousand other bits of jargon.

The winners in this game are the ones running the casino: big advertising networks, surveillance companies, and the whole brand-new industry known as “adtech”.

The losers are small publishers and small advertisers. Universal click fraud drives down the value of all advertising, making it harder for niche publishers to make ends meet.

Link via Ethan Marcotte

Fall updates

It is starting to feel like Fall here in New York, and I am up to some new things since the last time I wrote here in January (!). By the way, those New Year’s resolutions? They are going terribly! So it goes.

The big news, if you hadn’t heard, is that I’ve left my job at the New Yorker magazine. I am still very proud of how the redesign turned out, and I learned a ton from my many amazing colleagues there, but after two years it just felt like time for me to move on. So I am back to freelancing, and feeling excited to work on some new things. And yes, I am looking for new clients, you should hire me!

In addition to freelancing, I’ve also started a fellowship at Columbia’s Tow Center for Digital Journalism. I’m working with an awesome group of collaborators using telephony and wifi darknets as tools for gathering stories. I’ll be posting more about that here in the coming weeks.

Also, if you look around, you may notice I’ve updated my WordPress theme a bit. The underlying structure is very similar to what I had before, but I focused on a few key improvements:

  1. The page layout is now responsive, so it works better on very small and very large screens.
  2. Whenever possible, I’ve minimized my reliance on third-party tools (for example, I no longer use TypeKit for my header fonts).
  3. So long green and red, hello pink! I’ve also made it easy to change the color scheme in the future through the magic of Sass variables.
  4. Comments are gone! At least for now, maybe I’ll change my mind about that. I do love getting feedback about stuff I post on here, so drop me a line if you might have otherwise left a comment.

Of all the changes in this website update, the one I feel best about is cutting out the third-party tracking. I’ve noticed that YouTube embeds serve up a DoubleClick advertising tracker, just by loading a page with a video, which isn’t cool. Now video embeds only load on demand, after you’ve hit the play button (mobile visitors may need to tap two times). Naturally, you’ll still be tracked by Google if you play an embedded YouTube video, but otherwise the page shouldn’t leak data to any off-site parties.
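The click-to-load embed described above, as an added example that is not the theme's actual code. It keeps every YouTube URL out of the page until the visitor presses play, and includes a small check a build step can use to confirm that the initial markup references no off-site host. The video ID and title are constructed; "phiffer.org" is used as the site's own host.

```javascript
// Added example: defer a YouTube iframe (and the DoubleClick tracker it
// brings along) until the visitor explicitly asks to play the video.

// Accept only well-formed 11-character YouTube IDs so an ID can never
// break out of the embed URL or the attribute it is placed in.
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Initial markup: a plain button with no thumbnail. Pulling the thumbnail
// from YouTube would itself be an off-site request before any click.
function placeholderMarkup(videoId, title) {
  if (!VIDEO_ID_RE.test(videoId)) throw new Error('invalid video id');
  return `<button type="button" class="video-placeholder" data-video-id="${videoId}">` +
         `Play: ${escapeHtml(title)}</button>`;
}

// Markup swapped in after the click. Only now does the page reference
// youtube.com, so only now is the visitor exposed to Google's tracking.
function iframeMarkup(videoId) {
  if (!VIDEO_ID_RE.test(videoId)) throw new Error('invalid video id');
  const src = `https://www.youtube.com/embed/${videoId}?autoplay=1`;
  return `<iframe src="${src}" width="560" height="315" allow="autoplay" allowfullscreen></iframe>`;
}

// List every absolute URL in a chunk of HTML whose host is not our own.
// An empty result for the initial page means no third-party leak on load.
function offSiteUrls(html, ownHost) {
  const urls = html.match(/https?:\/\/[^\s"'<>]+/g) || [];
  return urls.filter(u => new URL(u).host !== ownHost);
}

// Browser wiring: replace each placeholder with the iframe on first click.
function attachClickToLoad(root) {
  root.querySelectorAll('.video-placeholder').forEach(btn => {
    btn.addEventListener('click', () => {
      btn.outerHTML = iframeMarkup(btn.dataset.videoId);
    }, { once: true });
  });
}

// Constructed sample post body (not a real video).
const SAMPLE_VIDEO_ID = 'VIDEO_ID_01';
const SAMPLE_POST_HTML =
  `<p>Here is a talk.</p>\n${placeholderMarkup(SAMPLE_VIDEO_ID, 'Haunted by Data')}`;

if (typeof document !== 'undefined') attachClickToLoad(document);
```

The autoplay parameter on the swapped-in iframe is what makes the video start on the first tap on desktop browsers; mobile browsers ignore it, which is why a second tap is needed there.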

Third-party trackers, before and after. Mint is the one thing I kept around, but it’s hosted on my own server.

The bottom line is I am in control of what goes up on phiffer.org, which includes things like hidden advertising trackers. Now there is slightly less ambient surveillance around here. Plus the pages should load marginally faster!

Gizmodo will pay you for photos of Mark Zuckerberg (gizmodo.com)

Mat Honan:

Two years ago, Mark Zuckerberg told startup publicist Mike Arrington that “people have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”

Facebook has evolved over time too. No longer privately held, it is itself a public company, with a public CEO. We think it’s time he evolves along with his company. In short, it’s time for Mark to go public too.

Here’s the deal: We’re going to pay for photos and videos of Mark Zuckerberg taken between now and Labor Day. Snap a photo or shoot some video of Mark. At a bar, after a conference, on the street. Totally great. We want pictures of him that he isn’t expecting to have made. If we run it, we’ll send you a cool $20.

I’m going to go out on a limb and say $20 is low compared to standard paparazzi rates. This reminds me a little of Rob Cockerham’s paparazzi contest, which was great fun to participate in.
