Skip to main content


Grad student at UC Berkeley, School of Information. I work on Web privacy.


1 min read

Of these four Netflix-original comedies, set in the greater Los Angeles area, where the protagonists struggle with a particularly modern form of depression consisting in substance abuse problems and obsession with both accomplishment and certain negative episodes from their past that prevent them from being open to new romantic relationships ...

  • Flaked (2016, Will Arnett)
  • Love (2016, Gillian Jacobs)
  • Bojack Horseman (2014-2016, Will Arnett)
  • Lady Dynamite (2016, Maria Bamford)

... the most accessible is the animated show about the anthropomorphic horse movie star where the jokes are animal puns. Season 3 of Bojack Horseman is available on Netflix now.


Pokémon and permissions

5 min read

How many things can you find wrong with this image? It's the very first screen you see when you open the PokémonGO app for the first time.

First screenshot of PokemonGO

1. Asking for location immediately upon first launch

Almost by definition, immediately upon launch the user can't possibly have any context or understanding of what an app does or why it needs access to certain information or sensors on a device. In fact, I would hope that the OS provider, in this case Google, would just automatically deny such requests, or detect this in an automated fashion during market review and reject the application. Permission requests should happen in response to user actions, when they're trying to use a particular feature. Immediately on first launch is never such a time. (You might think it's obvious to the user that location will be used -- that was how I knew to allow this first permission -- but I wager it's not obvious to every user who hears about this new game.)

2. No explanation or context

Many apps don't do as good a job as we'd like at explaining how data will be used at the time of its request. But this is literally as little information as you can provide: a completely black screen. (Quick: what's the name of the company that is requesting access to this information? Why do they need it? How long will they keep the data? With whom will they share it?)

Google is unfortunately inconsistent on this point in their documentation to developers. While best practices suggest that you explain a permission before you ask, they also provide a utility function to make it easier to only provide that rationale if the user has already denied permission on a previous request: shouldShowRequestPermissionRationale(). In this author's opinion, that function should simply always return true.

3. Bundled, modal permission requests

"1 of 4", really? This is an interesting example of trying to re-create install-time permissions even though Google has explicitly made these into run-time permissions in Android 6.0. Forcing the user to grant or deny permissions before the app will show a single screen to indicate it's even working regresses to making the choice appear all-or-nothing: you have to give up permission, it seems, before using the app. Related, these are _modal_ dialogs, the user has to make a decision before doing anything else; the user doesn't know the implications of the decision or whether she can change her mind later and can't use the app in the meantime to investigate why or what the implications might be of this permission request. Bundling them together into a longer list fatigues the user: how many detailed decisions about data access will the user make (all without any context of functionality or data practices, remember) before being able to finish the task the user engaged in, to launch the game? (This would make for a good user test: when presented with a long list of permissions, at what point do users stop reading? Do most users throw up their hands and start clicking ALLOW or get increasingly annoyed and tap DENY?)

Again, I would prefer if my operating system disabled this functionality to start with. Ask me for three or more permissions simultaneously? Automatically denied. If your app is indeed so special that it requires several different sensors or data sources before any feature can be used (I cannot think of a single category of application that meets this requirement, but I'm open to the possibility), then it apparently requires an introductory walkthrough to explain itself.

(I can't remember what the three additional dialogs were any more, but probably included access to the contacts database and files/media on the device. Anyway, you can and should DENY access; the game works just fine without them.)

Ask for permission in context

This list is really about the ways that the PokémonGO app goes against the basic privacy design pattern of asking for permission in context. Like all patterns, this won't always be the appropriate solution, but I believe it to be a useful guide. Ask the user for permission when the functionality they're using calls for it: your request will be more easily understood. As a result, you shouldn't need to ask for several permissions at once, or ask for permissions before running an app, or block the user from doing anything else before answering.

In general, that in context model has been how the Web has treated permissions: as non-modal, just-in-time requests; an "ask when you need it" approach. I hope it stays that way! As Robert noted in 2011, some apps (he calls them "greedy" and "lazy") will try to turn run-time permissions into bundled, install-time permissions; we should ask them to do better.

Disclosure: I'm totally enjoying PokémonGO and playing it not just because I want to explore how a location-based alternate-reality game has an effect on values such as privacy and in-person interaction. My trainer is Level 10, I've caught and seen 44 in my pokédex and my strongest pokémon is a Kingler (CP 570). Go Team Mystic.


Throw Yourself Like Seed

2 min read

Re-heard the Parable of the Sower this morning.

"Listen! A sower went out to sow. And as he sowed, some seed fell along the path, and the birds came and devoured it. Other seed fell on rocky ground, where it did not have much soil, and immediately it sprang up, since it had no depth of soil. And when the sun rose, it was scorched, and since it had no root, it withered away. Other seed fell among thorns, and the thorns grew up and choked it, and it yielded no grain. And other seeds fell into good soil and produced grain, growing up and increasing and yielding thirtyfold and sixtyfold and a hundredfold." And he said, "He who has ears to hear, let him hear." (Mark 4)

It's an important part of scripture for the Unitarian Church here, in part because the large stained-glass window is a depiction of the Sower, based on the Jean-François Millet painting from the mid-1800s, of a peasant at work.

I like re-hearing these parables because sometimes you get to see a new angle. Today, the reverend noted that she was initially apprehensive about the traditional interpretation of the parable, because it seemed to classify people into good and bad categories and imply that the bad groups of people were unreachable. But she also points out that in the parable, Jesus casts that seed, those words of love, everywhere, to everyone; he doesn't keep the seed only for fertile soil. Don't just ask whether you embody the soil that is prepared for the word of love, but consider whether you, like the Sower, will carry the word of love to everyone in your life.

The Sower

It was striking to learn that it was this parable that the bible study group was discussing on that night last June when Dylann Roof entered the Mother Emanuel church in Charleston and was welcomed into their group.

Definitely a painting to see the next time I'm in Boston. See also, "Throw Yourself Like Seed" by Miguel de Unamuno:

But to live is to work, and the only thing which lasts
Is the work; start there, turn to the work.
Throw yourself like seed as you walk, and into your own field


The wind is making vortices of cherry blossom petals on 42nd Street.


Consistent with his stated position, but hard to see how Admiral Rogers will ever re-build trust in NSA this way:


My heroes yesterday: the two strangers who, after receiving the apology I sent to a large mailing list, responded with kind thank you's.


Replied to a post on :

it doesn't have to be either/or. Standards typically work best when driven by implementations. Early implementations, even if they don't have effective interoperability, can help us work out bugs. And so on.


SPUR's report on Downtown Oakland is awesome:
* 40 acres of parking lots that could be buildings.


Quickly documenting some different behaviors when reading articles on the Washington Post:
1. Firefox 42.0a2, Tracking Protection turned on: article obscured, "To keep reading, please enter your e-mail address."
2. Firefox 42.0a2, Tracking Protection turned on, private browsing mode: article obscured, "Your ad blocker is on."
In both cases, it asks for an email address to continue. In both cases, the email submission form fails to work with a vague error message when I enter a address. With a spam GMail address (that is, including "+spam"), WaPo thanks me and lets me click through to the article.


Is there an English translation (or better yet, a cover) of this banned Chinese song about the challenge of finding a quiet place to study?