Category Archives: Technology

Personal International Infosec

This year I have a small number of international speaking engagements, and I just returned from the first of those in 2017…which means it was the first since the recent spat of increased DHS and Customs enforcement. It was also my first trip to a Muslim-majority country, and while not one on the magic list, it still made me consider my re-entry into the US and the possible attention therein. These things combined to make me far more attentive to and aware of my personal information security (infosec) than every before. This post will be an attempt to catalog the choices I made and the process I used, as well as details of what actual technological precautions I took prior to leaving and when actively crossing the border.

This trip was to the SLA Arabian Gulf Library Conference, held this year in Manama, Bahrain, where I was on a panel discussing future tech. This means flying internationally through a major city, which for me meant flights from Nashville to JFK to Doha International Airport in Qatar, then finally to Manama, Bahrain. The return was was the same, with the exception of flying back into the US via O’Hare in Chicago rather than JFK. This meant crossing into at least 2 foreign countries physically on each leg of the trip, although in Qatar I remained in the international section of the airport and didn’t go through customs and enter the country proper. Still, there were LOTS of checkpoints, which meant lots of potential checks of my luggage and technology.

Threat Model

What was my concern, and why was I thinking so hard about this prior to the trip? After all, I’m a law-abiding US citizen, and as the saying goes, if you’ve nothing to hide, why worry? First off, the “if you’ve nothing to hide” argument is dismissible, especially given the last 6 weeks of evidence of harassment and aggression at the US border. I am a citizen of the US, but I have also been very outspoken online regarding my feelings for the actions of the current administration. On top of that, information security isn’t just about the individual…it’s about everyone I’ve exchanged email with, texted, messaged on Facebook, sent a Twitter DM, and the like….the total extent of my communications and connections could, if dumped to DHS computers, theoretically harm someone that isn’t me, and that was not ok in my book. A primary goal was to prevent any data about my communications or contacts from being obtained by DHS.

DHS and Border Control has very, very broad powers when it comes to searching electronic devices at the border. I was not certain of the power granted to Border Agents in Qatar and Bahrain, but my working assumption was they had at least the powers that the US Agents did. I also assumed that the US agents would probably have better technological tools for intrusion, so if I could protect my data against that threat, I was safe for the other locations as well.

A secondary goal in my particular model was to attempt to limit the possibility for delay in my travels. If I could comply with requests up to a certain point without breaking my primary goal of data protection, that would likely result in less delay. When considering these levels of access, I thought about questions like: could I power on my devices without any data leakage? Could I unlock my devices if requested and allow the Agent to handle my phone, for instance, without risking data leakage? Could I answer questions about my device and the apps on it (or other apps in question, for instance social media accounts such as Facebook or Twitter) honestly without risking data leakage?

With all of that in mind, here’s how I secured my technology for border crossing. Your mileage may vary, as your threat model may be very different, and the manner in which you choose to answer the various questions above may be different. If everything had gone south and my devices were impounded, I’d be writing a very different post (and contacting the EFF). But for this particular trip, this is my story.

What to Take

First off, I decided quickly that I wasn’t going to travel with my MacBook Pro. I was lucky enough that I didn’t need it for this trip, because there wasn’t any work that I would be doing on the road that necessitated a general purpose computer. I had work to do, but it all involved writing…some email, some writing text for a project, some viewing of spreadsheets and analysis of them. Simple and straightforward things that luckily could easily be done with a tablet and a decent keyboard. I already had an iPad with the Apple keyboard case, which made for an easily-carried and totally capable computing device for the trip. I could load some movies and music on it, fire up a text editor, answer email, and generally communicate without issue. It’s also iOS based, which makes it enormously more secure than Mac OS from first principles.

Since both my main computing device and my phone ran the same OS, I was able to also double-up any planning and efforts in security, as any decision I made could be equally applied to both devices. This turned out to be very, very convenient, and saved me time and effort.

The first thing that I did was backup the both the iPad and iPhone to a local computer here at my house (not iCloud) and ensure that those backups were successful. I stored those backups on my home network to ensure their safety…if anything went wrong later, these would be my “clean” images that I could revert to upon returning home. Then I used Apple Configurator 2 to “pair lock” my devices to my laptop, which would remain at home.

Pair Locking

This process was best described back in 2014 by security researcher Jonathan Zdziarski. While his instructions are fairly out of date, the general idea is still there and still works in iOS 10 and Apple Configurator 2. Basically, pair-locking an iOS device is a method by which the device is flashed with a cryptographic security certificate that prevents it from allowing a connection to any computer that doesn’t have the other half of the cryptographic pair on it. This means that once locked to my laptop (which, again, wasn’t in my possession and was still at my home), my iPhone and iPad would simply refuse to connect to any other computer in the world…whether that was someone that stole it from me and and attempted to reflash it using iTunes on their computer, or whether that is a diagnostic device being used by law enforcement.

This process is designed with the concept of using it for enterprise installation of iOS devices that need high security procedures to prevent employees from being able to connect their home computer to their work phone and retrieve any information. But it works very well for the purposes of preventing any possible attacker from accessing the phone’s memory directly through it’s lightning port. This processes ensures that even if the phone is unlocked and taken from my possession, DHS or other attacker cannot dump the memory directly or examine it using typical forensic information gathering devices.

Password Manager

Once both devices were pair-locked, I was left with two freshly installed iOS devices that I needed to reload with apps and content that would be useful for me. After loading a set of games and apps that would allow me to pass the time and still get some work done, as well as media I might want to consume on the road, I loaded my password manager (I use and am very happy with 1Password) and created a very, very long and complicated vault password that there was no possibility I could remember. I recorded that password on paper (left at home in a fireproof safe) and gave it to a trusted person that had instructions not to give the password to me until I had cleared the border and only over a secured channel.

I then changed the 1Password vault password to be that password plus a phrase that I knew and could remember (a sort of salt). 1Password was set up to allow me to login with TouchID, so I could still operate normally (logging into services and such) until such a time as that TouchID credential was revoked. Once revoked, I would be completely locked out of my passwords, with no ability to access them, until through a pre-arranged time and secure channel I got the vault password from either of the mentioned trusted sources. Those trusted sources, meanwhile, couldn’t access my password vault either, since the salt was resident only in my head.

It may be obvious, but I also ensured that everything in my life that was accessed with a password had a very strong one that was held by 1Password, and that I didn’t know and couldn’t memorize even if I tried. My bank, social media, dropbox…everything that could get a password, had a very, very secure one. Any service that supported 2-factor authentication had said 2 factor turned on, with the second factor set to an authentication app that supports a PIN (or, in the case of Very Important Accounts, a physical Yubikey that was left in TN as well). This is security 101, and not directly related to my border crossing…but if you don’t have the basics covered, nothing else really matters.

Sanitization

I made sure that iOS had most iCloud sync services off….no contact syncing, no calendar syncing, really the only thing I left syncing was my photo gallery. I did not install any social media apps (no Facebook app, no Twitter app, etc) and only logged in and out on the websites in question. The browser on both devices was set to not remember passwords, and I clear cache and history regularly when traveling. As far as I could, I eliminated anything that stored conversations or messages between myself and others…no Facebook Messenger app, etc. I deleted my email app, and didn’t enter my account information for email into the standard iOS mail app.

This was, keep in mind, just for the transit period. Once in country and across borders, I could use a VPN to connect to the ‘net and download any apps needed, log into them after retrieving the password from one of the trusted sources, and effectively use both devices normally (with basic security measures in place all the time, of course).

Crossing Borders

At this point, I had a device that couldn’t be memory dumped, that had very little personal information on it, and even less information about my contacts on it. It mostly acted normally for me, because 1Password handled all of my logins and I used TouchID during daily usage…right up until I needed to cross a border. Before I did so, I deleted my TouchID credentials via Settings (by deleting the fingerprint credential), and powered-cycled my phone. Those two actions did several things all at once:

The first was that it prevented me from being able to know or retrieve any passwords for anything in my life. That’s a pretty scary situation, but I knew it was fixable in the future (this wasn’t a permanent state). It also meant that if I were asked to unlock my phone, I could do so pretty much without anything of interest being capable of access. Without the ability to dump the phone forensically, officers could ask me for passwords for accounts and I could truthfully say that I had no way of telling them, because the password manager knew them all and I didn’t. And I couldn’t give them the password vault login because I literally didn’t know it.

The idea with all of this was to create a boundary of information access beyond which, if DHS wanted to try and access, they would need to impound the phone and potentially subpoena the information from me with a warrant. My guess (which turned out to be correct) was that they would ask to have it powered on, and maybe they would ask to see it unlocked, but that would be it. If they pried further, well…I was prepared to tell them truthfully that I didn’t know, that I couldn’t know. And I would call a lawyer if detained, and proceed from there.

The worst case scenario for me was minimal delay and discomfort. I am enormously privileged in my position to be able to think about this sort of passive resistance without actual fear for bodily harm or other forms of retribution. For me, the likely worst case, even if things had escalated to asking for social media passwords, would have been the confiscation of my devices and my being detained for a time. This is assuredly not the worst case for many, and it is extraordinarily important that each person judge their own risks when deciding on security practices.

For some, it is far better to simply not carry anything. Or to carry a completely blank device. Or purchase an inexpensive device when you arrive in the country of your destination. For me, I had the ability to prepare and be ready for resistance if needed. Your mileage may, and should, vary.

Conclusion

The results of all this thought and effort? Nothing at all. Not a single bit of attention was paid to me at the various border crossings, by either US or foreign agents. On the leg of my flight leaving Qatar, I went through no fewer than 4 security checkpoints from the time I landed until getting onto the plane taking me to O’Hare, and at each one there was a baggage scanner and metal detector, agents pulling people out of line for additional screening, and the like. When I finally got to my gate, it had its own private security apparatus,  again with metal detector and baggage X-ray. At this security checkpoint, I was randomly selected for additional screening, but the agent in question (a Qatar security agent) was incredibly professional, thorough, and neither invasive nor abusive. I got a pat down (much less severe than those I’ve been given at US airports), and they asked to look inside my carryon…they even asked me to power on my iPhone and iPad. But they didn’t ask to unlock them, and they didn’t ask for passwords of any type.

When entering into the US at O’Hare, the plane was greeted by DHS agents at the gate, who asked to check passports upon exiting the plane. The agent I was greeted by barely had time to glance at my US Passport before waving me through…again, the privilege of my appearance and nationality was evidenced by the fact that several of my fellow passengers were not waved through so easily. The last thing I heard as I walked up the jetway towards Customs was a DHS Agent saying to the robed gentleman behind me “So you don’t speak very much English, huh….”

The current state of our country cannot stand. We are a nation of immigrants many peoples1, and a nation that believes in the privacy of our affairs and effects. This concern I had for my own and my friends’ information shouldn’t have been necessary. We should be able to be secure in our possessions, even and especially when those possessions are information about ourselves and our relationships to others. I do not want to be in a position where I have to threat model crossing the border of my own country. And yet, here we are.

I’d love any thoughts about the process described above, especially from security types or lawyers. Any holes or issues, any thoughts about what was useless, anything at all would be great to hear. I hope, as I so often hope these days, that all of this information never becomes applicable to you and that you never need to use it. But if you do, I hope this helped in some way.

I was called out on Twitter for my use of “immigrant” as an inclusive term for people in the US, when, of course, many US citizens ancestry is far more complicated and difficult than “they chose to come here”. It was written in haste and while it works for the emotion I was attempting to convey, it definitely undercuts the violent and difficult history of many people in the US. I’ve edited the text to reflect the meaning more clearly and left the original to indicate my change.

Disaster Scenario Part One

I was honored to give the opening keynote for the SEFLIN 2016 Virtual Conference, entitled “Innovation & Disruption: Past, Present, Future” where I talked about why innovation is important in libraries, how structures disempower innovation, and what technologies I am watching for their capacity for disruption. It was this last topic that garnered the most comments during the talk, and even afterwards via email and twitter.

I have come to believe that we’re on the cusp of some truly weird societal changes due to the exponential growth of technology. AI/Machine Learning, Robotics, ubiquitous presence and sensornets via the Internet of Things, decentralization….all of these things are beginning to turn the corner from interesting ideas into realized technologies in the world. A couple of them in particular that I spoke about have what I think are truly frightening outcomes over the next decade, and I’m hoping to expand my thinking on why and how here. Let’s start with robots, in the form of autonomous automobiles.

Robots, in the form of self-driving or autonomous vehicles, are going to transform the US economy in ways that, for certain populations, may be disastrous. I think it’s fairly clear at this point that we are moving towards autonomous vehicles at breakneck speeds, and there seems to be a pretty clear map that gets us from the current state of somewhat-partial autonomy to autonomous-on-interstates and finally to fully doesn’t-need-a-human vehicles. The consensus among people who do this stuff is that the easiest problem to solve is that of long-distance interstate or highway travel, and the largest target for disruption to this type of driving is that of commercial trucking.

When it comes to automation, commercial trucking has a lot of things going for it. From the perspective of the companies doing the movement of goods around the country, fewer drivers is better in almost every way: fewer accidents almost assuredly, but also lower fuel costs (as computers are very, very good at optimization algorithms), fewer delays (same reason), and over time huge costs savings…robots do not yet require health coverage and retirement plans. There are benefits of partial autonomization as well…we don’t have to have fully self-driving trucks for there to be huge benefits for the companies involved, since the reduction of humans in the equation will garner cost savings immediately, and one can easily imagine a pathway that begins reducing drivers gradually: instead of needing 3 drivers for 3 trucks heading across country, 1 driver in the first truck acting as “lead” could be followed by 2 robotic trucks in sort of psuedo-autonomous caravan.

This move from One-Human-per-Truck to One-Human-per-X-Trucks to No-Human-At-All is going to happen over the course of the next 5-10 years. Currently, one of the most common middle-income jobs in the entire US is that of a truck driver…not always over-the-road, but again as we move from pseudonymous to autonomous the disruption will happen at ever-more-local levels. As this job is displaced by automation, there will be larger and larger numbers of workers that go from middle-income to greatly reduced or no income over the course of the next decade. These workers disproportionately live in rural areas of the country, and are the most vulnerable economically as there are fewer secondary labor options for them.

The people in rural areas often also have higher than average relocation burdens to overcome. Simply “moving to where the jobs are” isn’t really an option at all, for both emotional and practical reasons. In my areas of interest (KY, TN, the rural South) there is a huge emotional and psychological connection to the place and the community…getting out has a huge cost and those that do move to more economically vibrant areas are seen as deserters or traitors. More practically, there is a cost-of-living gap between the rural US and cities/suburbs that is a barrier for movement for many. When you sell your $50,000-$100,000 home and the land that your great-grandfather settled and was passed down to you, the move to any city is simply impossible financially. The math just doesn’t work to be able to reasonably move your family into a home even in the suburbs for that much, and trading the stability of a mortgage for renting an apartment when the entire reason you are moving is wage depression and loss…well, it just isn’t possible.

We have a situation where, over the course of the next decade, one of the most common middle-income jobs in the rural US could disappear, and it could mostly affect areas where the secondary job market for these workers is very constrained. The social services for everything to information about re-skilling to job application fulfillment will fall to the public library in their communities, as they are very often the only easily accessible and well-trusted governmental program in rural areas.

In addition to largely helping to deal with this crisis on an individual level, libraries will be stuck with ever-decreasing budgets in areas where said budgets are based on local taxes. The slow-motion economic collapse of rural america that has played out in the areas that I care about the most (the rural south, Eastern Kentucky, Middle Tennessee) will accelerate, and as these jobs collapse, families will be devastated and the tax base for library support will dwindle.

Libraries will be in a situation where they are asked, yet again, to do more for their local communities when the very communities that they are trying to save can’t possibly contribute to their budgets.

Since we love to argue with each other, when I pointed out on Twitter than I thought this round of economic upheaval due to automation was different, Tim Spalding of Librarything said:

 

Tim points out a common refrain from people who are skeptical of the ability of automation to “take jobs” from humans. He’s right to be skeptical, as every previous time this has happened, the overall economy has grown and individuals have re-skilled and found new jobs. Automation hasn’t, in the past, actually ended in a removal of jobs on average from a country, nor has it decreased average earnings.

The problem with that argument is that it generalizes from large-scale to small-scale. On average, the numbers for the US might still look ok…but the small towns, the places that are only still places at all because of their ready access to an interstate, those places and the people in them are going to have a very rough time of it. There are more jobs in the energy sector than ever before, but that doesn’t help the coal miners in Appalachia.

This highly localized effect will disproportionately affect the rural parts of the US, and thus will also disproportionately affect the libraries in those areas….libraries that are often already vulnerable to small changes in budget. My concern is that as this change begins, we will see a sort of wave of challenges: first the trickle of job loss, which begins to put pressure on local economies, and as the trickle becomes a swell and then a wave the combination of decreasing wages and localized economic depression will increase the movement out of rural areas. This will further depress the tax base, and rural library systems will see an ongoing downwards slope of budget.

There is an admitted problem of what the timeline looks like for this entire process. The automation of trucking is likely to begin affecting local economies in the next 5-10 years, but the rest of my prediction (the increased exodus of youth from rural areas, the mobility of those that can move quickly as opposed to the generational resettling that this movement begets) will take perhaps decades to fully unfold.

Is it possible that there will be a counter-balancing effect of some type that maintains the economy of these areas? Some form of job replacement that offsets, even partially, the jobs lost to autonomous trucks? For the country as a whole, of course there will be. There are going to be yet-unimagined new opportunities. As depressing as this possible-future is for rural America, I am overall a technological utopianist. I think that big-picture, we are moving in positive directions. If nothing else, I would absolutely be willing to trade localized economic disruption for the massive savings of human life that we will see as humans are replaced as drivers.

But the places that I love are going to be hurt. And even when I know that the good outweighs the bad, the bad is still bad.

How can libraries make a difference? Simply being aware of this possible future is the first step, and watching for leading indicators in their communities. Strategically, getting in front of the job loss wave by preparing for re-skilling and educational opportunities, making connections with other community resources in those arenas as well as other governmental offices that will be needed could be a way of preparing to be of the most use to the community. Rural libraries should have a relationship with their nearest community colleges or other formalized higher education options and should have strategies in place that help people move into formalized training or other economic recovery options.


In the next installment of Disaster Scenarios, I hope to take a look at AI/Machine Learning and see if there’s a similar story to tell about the way it is going to change not only how people interact with information, but how they are able to interact with information and the risks therein. I think information professionals might be in for some real weirdness in the next decade.

 

Sexism, meeting dynamics, attention analysis: who talks during meetings

Yesterday, Andromeda Yelton posted this excellent blog entry, Be Bold, Be Humble: Wikipedia, libraries, and who spoke. It’s about the well-known social sexism dynamic of meetings, where in a meeting that has both women and men, men speak more frequently, use fewer self-undercutting remarks (“I’m not sure….” or “Just…” or “Well, maybe…”), and interrupt others speech at a much higher rate than women in the same meeting.

The post got passed around the social nets (as it should, it’s wonderfully written and you should go read it now) and one of the results was this great exchange:

 

Which prompted me to reply:

I couldn’t get the idea out of my head, which basically means that it needs to show up here on the blog. I thought all night about how to architect something like that in hardware/software as a stand alone unit. There is always Are Men Talking Too Much?, which Andromeda linked to in her essay, but it has the downside of requiring someone to manually press the buttons in order to track the meeting.

I’ve been basically obsessing over attention metrics for the last couple of years as a part of bringing Measure the Future to life. The entire point of Measure the Future is to collect and analyze information about the environment that is currently difficult to capture…movement of patrons in space. The concept of capturing and analyzing speakers during a meeting isn’t far off, just with audio instead of video signal. How could we built a thing that would sit on a table in a meeting, listen and count men’s vs women’s speaking, including interruptions, and track and graph/visualize the meeting for analysis?

Here’s how I’d architect such a thing, if I were going to build it. Which I’m not right now, because Measure the Future is eating every second that I have, but…if I were to start tinkering on this after MtF gives me some breathing room, here’s how I might go about it.

We are at the point in the progress of Moore’s Law that even the cheapest possible microcomputer can handle audio analysis without much difficulty. The Raspberry Pi 3 is my latest object of obsession…the built-in wifi and BTLE changes the game when it comes to hardware implementations of tools. It’s fast, easy to work with, runs a variety of linux installs, and can support both GPIO or USB sensors. After that, it would just be selecting a good omnidirectional microphone to ensure even coverage of vocal capture.

I’d start with that for hardware, and then take a look at the variety of open source audio analysis tools out there. There’s a ton of open source code that’s available for speech recognition, because audio interfaces are the new hotness, but that’s actually overcomplicated for what we would need.

What we would want is something more akin to voice analysis software rather than recognition…we don’t care what words are being said, specifically, we just care about recognizing male vs female voices. This is difficult and has many complicating factors…it would be nearly impossible to get to 100% success rate in identification, as the complicating factors are many (multiple voices, echo in meeting rooms, etc). But there is work being done in this area: the voice-gender project on Github has a pre-trained software that appears to be exactly the sort of thing we’d need. Some good discussion about difficulty and strategies here as well.

If we weren’t concerned about absolute measures and instead were comfortable with generalized averages and rounding errors, we could probably get away with this suggestion, which involves fairly simply frequency averaging. These suggestions are from a few years ago, which means that the hardware power available to throw at the problem is 8x or better what it was at that point.

And if we have network connectivity, we could even harness the power of machine learning at scale and push audio to something like the Microsoft Speaker Recognition API, which has the ability to do much of what we’d ask. Even Google’s TensorFlow and Parsey McParseface might be tools to look at for this.

Given the state of cloud architectures, it may even be possible to build our gender meeting speech analysis engine entirely web-based, using Chrome as the user interface. The browser can do streaming audio to the cloud, where it would be analyzed and then returned for visualization. I have a particular bias towards instantiating things in hardware that can be used without connectivity, but in this case, going purely cloud architecture might be equally useful.

Besides gender, the other aspect that I had considered analyzing was interruptions, which I think could be roughly modeled by analyzing overlap of voices and ordering of speech actors. You could mark an “interruption event” by the lack of time between speakers, or actual overlap of voices, and you could determine the actor/interrupter by ordering of voices.

Once you have your audio analysis, visualizing it on the web would be straightforward. There are javascript libraries that do great things with charts like Chart.js or Canvas, or if working in the cloud you could use Google Chart Tools.

If any enterprising developer wants to work on something like this, I’d love to help manage the project. I think it could be a fun hackathon project, especially if going the cloud route. All it needs is a great name, which I’m not clever enough to think of right now. Taking suggestions over on Twitter @griffey.

OpenArchive

Sitting in the Internet Archive Great Room (see photo above for reference…yes, it’s in an old church….) I’m reminded that I never pushed out the link to the amazing new app that was created in part by my friend Nathan, available now for Android and coming soon for iOS that allows you to use the Internet Archive like your own personal Instagram:

Screen Shot 2016-06-07 at 12.03.22 PMOpenArchive

and because Nathan and his group are awesome, the app is also open source:

Github repo for OpenArchive

and finally, direct link to the Google Play store for the app.

I’ve not seen an easier way to add photos to the Internet Archive directly than this app, and it’s got some really fantastic side benefits..the primary one being that it works transparently over Orbot if you’d like, so that uploads and connections can be driven over the Tor network without any extra effort on the user’s part.

UPDATE

The Guardian Project just posted their own announcement for the app. Their take on it is also timely since I’m spending this week at the Decentralized Web Summit:

We see this as a first step towards a more distributed, decentralized way of managing and sharing your personal media, and publishing it and synchronizing it to different places and people, in different ways.

LibraryBox recognized in the 2015 Nominet Trust 100

I’m very happy to announce that The LibraryBox Project has been named among the 2015 NT100 – Nominet Trust’s annual celebration of 100 inspiring ‘tech for good’ ventures from around the world. Among this year’s companies selected for inclusion are Google X’s Project Loon and Open Street Maps…I’m gobsmacked that LibraryBox can be included in a list with those amazing projects.

The included projects all use digital technology to tackle the world’s social problems from lifesaving health tech to knowledge sharing via SMS text messaging.

Following a global call for nominations earlier this year The LibraryBox Project was selected by ten judging partners from the tech and charity world in recognition of our work. The judges included such companies as Comic Relief, Creative England, Facebook, Latimer, Nominet, Oxfam, O2 Telefonica, Salesforce and Society Guardian.

Thank you to everyone involved in The LibraryBox Project, especially Matthias Strubel, without whom it wouldn’t be as amazing as it is. Thanks also to the Kickstarter backers that made the v2.0 possible, and to the Knight Foundation Prototype Grant for enabling the development of the v2.1. If you’d like to learn more about The LibraryBox Project, a good place to start is the talk I did at Harvard Law School for the Berkman Center for Internet & Society earlier this year.

Learn more and and explore the 2015 NT100 here: socialtech.org.uk/nominet-trust-100/2015

Anonymous Communication on the Web

I wasn’t sure how my previous post would go over, but after some back-and-forth emailing with the reporter on the piece, WTVC asked me to come in for an interview on anonymity and the “deep web”. So I did!

We talked for almost an hour, and for some stupid reason I didn’t think to record the interview myself (will not make that mistake again). They did a fine job representing my views, although clearly edited the piece for a specific audience. I’ll admit that I probably got too heavy into the weeds of the details of Tor. They were particularly touchy about my correcting the use of “Deep Web” and “Dark Web” as useful categories. I just kept using anonymity, security, privacy and tried very hard not to fall into using their very fuzzy language to describe something with lots of complexity.

My talking points revolved around how anonymity is a requirement for the freedom of speech in a free society, and that fear-based reports like their last one are actually damaging to how people should react to the world (my example, that they didn’t use, was that instead of worrying about the incredibly rare possibility of child-abduction due to predators on Tor, perhaps parents should be more worried about driving their child to school in the morning, since it was orders of magnitude more dangerous). I suppose we’ll see if there’s any feedback that comes from this as a positive concept.

I’m glad they gave me the chance to come in and talk, and I do hope it’s useful for someone out there in Chattanooga to see that wanting anonymity and privacy online isn’t just something to abet criminal activity. Privacy issues online are something that increasingly everyone should be aware of, because the risks are going to be omnipresent as we continue to move our lives into the digital space.

Library Technology: Problems, Futures, and Directions

This is a keynote that I delivered at the MOBIUS Consortium conference in Columbia, Missouri on June 2, 2015. I talk about why library technology is terrible, why technology is a unique thing, the speed of change, what technological futures are near, and the broad strokes of how I think libraries need to respond in order to suck less at tech. It’s a fun time for everyone.

There’s one little technical glitch in the middle where Keynote decided to crash, but otherwise I’m pleased with the way this came together.

Just a few hours after I gave my presentation, in which I talk about the rise of voice interfaces to machine learning algorithms that act as personal assistants (a la Siri, Cortana and others), SoundHound drops this bombshell of a demo on the web:

That is ridiculous stuff, right there. But at least it shows I’m not wrong to be paying attention.

Apple Watch Sport Band Flip Trick

So here’s a tiny hack for the Apple Watch that I found really useful. In all of the promo shots, Apple shows the Sport Band attached to the Watch with the Pin side at the top of the Watch, and the holed-side attached at the bottom.

s42sg-sbbk-sel_GEO_US

I was having a terrible time actually putting the Watch on, because one-handed, I found that holding the Pin down and trying to pull the strap upwards to it was very awkward.

The solution? Flip the bands.

FullSizeRender 6

The band halves are completely reversible, and having the Pin on the lower part means that I can hold it in place with my thumb and pull the other band down towards it. Much easier for me, and you can’t tell at all once the Watch is on your wrist.

If you’ve got a Sport Band on your Apple Watch, give it a try and see if you think it’s easier.

10 Days with the Apple Watch

I was one of the lucky few that received their Apple Watch order on April 24th, the day the  Watch was released to the public. Here’s the story of my first 10 days to try to give you some idea about the technology (and aesthetics) behind the newest Apple product.

Order

IMG_8567

First up, what I ordered. My order was time stamped at 12:02am Pacific Time on April 10, the day that the Watch went on sale to the public, so I literally ordered mine within the first 120 seconds of availability. From the time the Watch was announced, I had been coveting the Stainless Steel with Milanese loop band. It was, to my eye, a wonderful throwback mid-century modern look that I love. When it came time to order, I decided that since it’s likely I’m wearing this thing every single day for the next 2+ years, I should just get the one I really liked rather than “settling” for the less expensive Sport version in aluminum.

That decision-making process illustrates one of the huge differences in this particular product. Every other Apple product that I’ve purchased (and I’ve purchased plenty at this point, a decade plus into my obsession with the company and its products) was purchased on the strength of the abilities of the technology. Apple isn’t a stranger to using design as a differentiator among their products…the classic iMac is the textbook example of style selling a technology. But over the last few years they have primarily used their design sense and engineering skills to differentiate themselves from other manufacturers, and not within a line of their own products.

The stainless steel Apple Watch functions literally identically to the less expensive aluminum Apple Watch Sport (and, of course, also identically to the much, much more expensive Apple Watch Edition). So the fact that they convinced me to pay for a purely aesthetic choice shows just how different this particular market is from Apple’s normal business. But they did convince me, and thus at just after midnight on April 10th, I placed my order.

Arrival

IMG_8569On April 24th, my Watch arrived. The package that was delivered was surprisingly heavy, almost shockingly so, and that is entirely due to the incredible packaging for the Watch. It is not hyperbole to say that I believe that Apple spent more time in R&D on the box for the Watch than some companies do on devices themselves. The retail box is a heavy, thick white plastic that feels as if it could be used for home construction…it’s that solid. On the inside the Watch was cradled in suede covered custom cutouts, isolated in the middle of a box that was at least 3 times larger than it needed to be purely to protect the device inside. Again, this is Apple’s aesthetics impinging upon a technology experience. “This is not a gadget”, is what this packages says “this is a piece of jewelry.”

My first impressions are of the Watch as Object: This is a gorgeous piece of design. Some have criticized the look of the Watch for its rounded rectangleness, or for being “bulbous.” I will say that on my wrist it is a great size, not heavy at all, and feels entirely like an analog watch would feel. Slimmer and lighter even than some men’s watches, which are enormous at times. I think it’s beautiful work, and shows Apple’s unparalleled heights of manufacturing. I don’t think it’s an exaggeration to say that no other company on the planet could make something this nice at this scale.

Use

Beyond the aesthetics, however, there are definitely issues. The primary function of the watch is clearly to tell the time, and Apple provides about 10 different faces to choose from, each with some level of customizability. Through the selection of detail, color, and complications, it’s possible to really focus the main interface of the watch on the information that you want at a glance: the time, your calendar, the date, the weather, and more. I find myself wishing that third-party apps had access to these complication areas, instead of being limited to just Apple’s first-party apps. For instance, a complication from Dark Sky telling me when it was going to start raining would be amazing, and I’m certain that there are lots of other really useful apps for the main face of the Watch. I’m hoping that’s one of the first bits of usability exposed during the next software update.

The other central concepts in using the Watch are Notifications, Glances, and Apps. Notifications are just what they sound like, and display as either a pop-over style update or in a list after pulling down from the top of the initial Watch screen. Aside from telling the time, Notifications have been the most game changing piece of the Watch in my life. It really is the case, as reported by lots of other reviewers, that I am looking at my phone a lot, lot less than I did prior to wearing the Apple Watch. Notifications on my wrist allows me to glance and decide whether any individual thing needs the escalation of “Deal With Now” or if I can just…not. As just one example, I wore the Watch at Computers in Libraries the day after receiving it, and realized after a few meals that I hadn’t taken my phone out of my pocket at all during lunch or dinner. I don’t remember the last time I didn’t take my phone out and put it on the table beside my plate…it’s nearly an automatic gesture from everyone I hang out with. With the Watch, I avoided the psychological habit of needing to be “connected” with the phone. It was shockingly liberating.

Glances are mini-apps, accessible by swiping up from the bottom of the main watch face. They are displayed as a linear row of full-screen windows that are swiped through, left or right, that are single-screen displays of an app’s information. For instance, going back to my favorite weather app, Dark Sky, the “glance” is just the weather in your current location, whereas the full application contains multiple screens of information. Glances can be useful, but since the only way to navigate is literally by paging through them one after the other, if you have more than 5-8 Glances active, finding the one you want becomes an exercise in futility. Luckily you can control which apps allow Glances and which don’t, as well as the order left-to-right of your glances, from the Apple Watch app on your iPhone.

Finally, we have what is the least useful bit of the current incarnation of the Apple Watch…the Apps. This is surprising, given that it was the app store and 3rd party app development that really ignited the iPhone as a mobile platform. However, the current status of Apps on the Watch as second or third class citizens makes them very difficult to use effectively. Currently, third-party apps don’t run on the watch natively, the run on the tethered iPhone and push display items to the watch when called. This means that the process of opening an App on the Watch is roughly: Press the digital crown in once, tap an App icon from the screen, and wait as the Watch tells the app on your iPhone what it wants, the app on the iPhone spins up and calls out for network resources if needed, the network traffic comes back, the iPhone app builds the view for the Watch, and finally the view is sent back to the watch over Bluetooth. This is roughly like sending an email to tell your neighbor to order a pizza, then having it delivered to her house and having her walk it over to you. It does end with you getting pizza, but there’s clearly a better way to accomplish this task.

When you launch a third-party app, pretty much any of them, there’s a 3-10 second delay while it does its little dance from the watch to the phone to the network and back again. This isn’t to say that the apps aren’t usable….many are, and some are very well designed and thought out. A few stand outs are Transit, Dark Sky, Workflow, and Lastpass. But for apps to really be usable, they have to be on-Watch, and not dancing between the two devices. The good news is that Apple has already announced that “this year” there will be an SDK for third-party native Watch apps…the only mystery is whether that will be an announcement at WWDC in June, or are they going to take “this year” literally and push that ability well into the Fall or Winter.

Two other Watch abilities that I haven’t yet mentioned are the Digital Touch haptic communication and Apple Pay. Haptics between Watches include the ability to “tap” someone else on the wrist to get their attention to communicate something, or to send them your heartbeat via the built in heartrate sensor. These are both interesting, and the taptic engine is a marvel of possibility, but until it’s opened up to third parties it strikes me as a parlor trick.

Apple Pay, on the other hand, is a revelation. With Apple Pay active on the Watch, you can double-press the side button and pay for something faster than you could even pull your iPhone from your pocket, and in the best sort of Apple way, it Just Works. It’s so easy and useful that I can see preferentially choosing to go to one store over another based on the fact that their payment system is compatible…it’s that good.

There are dozens of other services that the Apple Watch throws at you: activity measurement, maps, Siri on your wrist, taking a phone call from your wrist, music controls, remotes for your music or Keynote presentation. All of these are well done, and fine reasons to use the Watch. But if I have to boil my use case down using just the first 10 days, notifications, apple pay, and the fact that it is…well….a really nice watch are the things that keep me using it. It’s clearly going to be an ongoing platform for Apple, and they have a very, very good track record for incremental improvement of experience. I’m very bullish on the Watch overall, even if my recommendation for most people right now is to wait for version 2 or 3.

Libraries

Apple Watch So what’s the library play for Apple Watch? Given the existing capabilities, I would say that using some of the older, proven tech in Apple’s stack gets much better with the Watch. Passbook for your patron’s library card is a no brainer, and a fantastic use, and Apple Pay for fines/fees is going to be interesting as adoption of that service continues to grow. Also, Apple Pay is among the most secure and private mechanisms available for the use of a debit/credit card, which I think is a huge patron privacy benefit.

If your library already supports an iOS app, adding Watch functionality now is probably not really worth it. At the very least, waiting until WWDC in June and seeing what they announce (or don’t) for the next version of WatchKit is warranted. It’s interesting to consider what a library Watch app might do…it isn’t possible to do text entry other than via Siri and voice transcription, so actually searching a catalog in the traditional manner isn’t really going to work. On the other hand, a Watch app that displayed a patron’s “cart” of interested books with the call numbers would be really handy while browsing in the stacks.

Conclusion

I said aboveapple watch closeup that I am recommending that the average technology consumer wait on the Apple Watch until v2 or v3. This will give Apple time to work out the issues with some of the biggest hardware flaws (no on-board GPS, and like all Apple devices it will get thinner and lighter). It will also give the ecosystem time to evolve, 3rd party apps to run natively on the Watch, and for the price to drop a small amount. By version 3 the low end of the line will be under $300, the design will be slightly improved, and there will be more and better app experiences that enrich the experience of wearing the Watch. Until then, I’m going to keep mine, because even with its flaws it’s an absolutely incredible piece of tech engineering that has already shown that it can improve my relationship with my information ecosystem. And I think it will get better and better at doing just that, allowing me to deal with the information flows in my life. That, turns out, might just be worth the cost of the Apple Watch.

Apple Watch Predictions

Tomorrow is March 9th, and that means that we will get the formal Apple announcement of the Apple Watch. As always, I’ll be live tweeting the announcement, but I wanted to make a couple of predictions here about pricing, mostly because I think they are going to surprise everyone.

All that Apple has said thus far about pricing is the quote from the initial announcement of the product that “Apple Watch will start at $350”. There are three tiers of the watch, each made of different materials: Apple Watch Sport, which is aluminum and glass; Apple Watch, which is stainless steel and sapphire; and Apple Watch Edition, which is 18K Gold and sapphire. The assumption from pretty much everyone is that the Sport edition is the entry level, due to the less expensive material construction.

And I think that’s probably right, that the Sport will be the lowest priced model. But I don’t think that the lowest price will be $350.

My guess, which I admit is a huge stretch and will probably end with me making a massive retraction after the announcement, is that the Apple Watch, the stainless construction one, will start at $350, because that’s exactly what Tim Cook said. They don’t accidentally say things at Apple. I’m guessing that the stainless version will start at $350, with upsell on the various types of bands. I’m betting that the Milanese loop will be an extra $100, and the metal clasp band will be at least $150.

As a result, I think that the Sport will be cheaper, maybe in the $250 range. Cheaper materials, rubber (excuse me, elastopolymer) bands, and I think they could get away with a $200-250 price and still be making their legendary profits.

I’m probably wrong. They are probably going to have the stainless versions starting at $499. But they’ve done this sort of thing before. With the launch of the iPad, there were rumors of a $1000 price point, and then they announced a starting price of $499 at launch. But if Cook stands on the stage tomorrow and says “You know, I told you that the Apple Watch started at $349, and it does, but the Sport is going to be only $249” I will not be surprised in the least.

On the other hand, the Apple Watch Edition, with it’s 18K solid gold (even if Apple did find a way to make gold with less gold), is gonna be thousands. I wouldn’t be surprised in the least if it was $10K.

So am I gonna buy one? I’m probably 75% in the “yes” column, but a lot hinges on the pricing. If I do, I don’t want the Sport edition, I definitely want the stainless…I mean, it’s gorgeous. I am sort of in love with the stainless with Milanese loop.
Screen Shot 2015-03-08 at 4.38.32 PM

 

But I also can’t really see paying the prices that some bloggers have guessed for that combination. I suppose we will find out tomorrow.