Skip to main content


Grad student at UC Berkeley, School of Information. I work on Web privacy.



1 min read

Of these four Netflix-original comedies, set in the greater Los Angeles area, where the protagonists struggle with a particularly modern form of depression consisting in substance abuse problems and obsession with both accomplishment and certain negative episodes from their past that prevent them from being open to new romantic relationships ...

  • Flaked (2016, Will Arnett)
  • Love (2016, Gillian Jacobs)
  • Bojack Horseman (2014-2016, Will Arnett)
  • Lady Dynamite (2016, Maria Bamford)

... the most accessible is the animated show about the anthropomorphic horse movie star where the jokes are animal puns. Season 3 of Bojack Horseman is available on Netflix now.


Pokémon and permissions

5 min read

How many things can you find wrong with this image? It's the very first screen you see when you open the PokémonGO app for the first time.

First screenshot of PokemonGO

1. Asking for location immediately upon first launch

Almost by definition, immediately upon launch the user can't possibly have any context or understanding of what an app does or why it needs access to certain information or sensors on a device. In fact, I would hope that the OS provider, in this case Google, would just automatically deny such requests, or detect this in an automated fashion during market review and reject the application. Permission requests should happen in response to user actions, when they're trying to use a particular feature. Immediately on first launch is never such a time. (You might think it's obvious to the user that location will be used -- that was how I knew to allow this first permission -- but I wager it's not obvious to every user who hears about this new game.)

2. No explanation or context

Many apps don't do as good a job as we'd like at explaining how data will be used at the time of its request. But this is literally as little information as you can provide: a completely black screen. (Quick: what's the name of the company that is requesting access to this information? Why do they need it? How long will they keep the data? With whom will they share it?)

Google is unfortunately inconsistent on this point in their documentation to developers. While best practices suggest that you explain a permission before you ask, they also provide a utility function to make it easier to only provide that rationale if the user has already denied permission on a previous request: shouldShowRequestPermissionRationale(). In this author's opinion, that function should simply always return true.

3. Bundled, modal permission requests

"1 of 4", really? This is an interesting example of trying to re-create install-time permissions even though Google has explicitly made these into run-time permissions in Android 6.0. Forcing the user to grant or deny permissions before the app will show a single screen to indicate it's even working regresses to making the choice appear all-or-nothing: you have to give up permission, it seems, before using the app. Related, these are _modal_ dialogs, the user has to make a decision before doing anything else; the user doesn't know the implications of the decision or whether she can change her mind later and can't use the app in the meantime to investigate why or what the implications might be of this permission request. Bundling them together into a longer list fatigues the user: how many detailed decisions about data access will the user make (all without any context of functionality or data practices, remember) before being able to finish the task the user engaged in, to launch the game? (This would make for a good user test: when presented with a long list of permissions, at what point do users stop reading? Do most users throw up their hands and start clicking ALLOW or get increasingly annoyed and tap DENY?)

Again, I would prefer if my operating system disabled this functionality to start with. Ask me for three or more permissions simultaneously? Automatically denied. If your app is indeed so special that it requires several different sensors or data sources before any feature can be used (I cannot think of a single category of application that meets this requirement, but I'm open to the possibility), then it apparently requires an introductory walkthrough to explain itself.

(I can't remember what the three additional dialogs were any more, but probably included access to the contacts database and files/media on the device. Anyway, you can and should DENY access; the game works just fine without them.)

Ask for permission in context

This list is really about the ways that the PokémonGO app goes against the basic privacy design pattern of asking for permission in context. Like all patterns, this won't always be the appropriate solution, but I believe it to be a useful guide. Ask the user for permission when the functionality they're using calls for it: your request will be more easily understood. As a result, you shouldn't need to ask for several permissions at once, or ask for permissions before running an app, or block the user from doing anything else before answering.

In general, that in context model has been how the Web has treated permissions: as non-modal, just-in-time requests; an "ask when you need it" approach. I hope it stays that way! As Robert noted in 2011, some apps (he calls them "greedy" and "lazy") will try to turn run-time permissions into bundled, install-time permissions; we should ask them to do better.

Disclosure: I'm totally enjoying PokémonGO and playing it not just because I want to explore how a location-based alternate-reality game has an effect on values such as privacy and in-person interaction. My trainer is Level 10, I've caught and seen 44 in my pokédex and my strongest pokémon is a Kingler (CP 570). Go Team Mystic.


Throw Yourself Like Seed

2 min read

Re-heard the Parable of the Sower this morning.

"Listen! A sower went out to sow. And as he sowed, some seed fell along the path, and the birds came and devoured it. Other seed fell on rocky ground, where it did not have much soil, and immediately it sprang up, since it had no depth of soil. And when the sun rose, it was scorched, and since it had no root, it withered away. Other seed fell among thorns, and the thorns grew up and choked it, and it yielded no grain. And other seeds fell into good soil and produced grain, growing up and increasing and yielding thirtyfold and sixtyfold and a hundredfold." And he said, "He who has ears to hear, let him hear." (Mark 4)

It's an important part of scripture for the Unitarian Church here, in part because the large stained-glass window is a depiction of the Sower, based on the Jean-François Millet painting from the mid-1800s, of a peasant at work.

I like re-hearing these parables because sometimes you get to see a new angle. Today, the reverend noted that she was initially apprehensive about the traditional interpretation of the parable, because it seemed to classify people into good and bad categories and imply that the bad groups of people were unreachable. But she also points out that in the parable, Jesus casts that seed, those words of love, everywhere, to everyone; he doesn't keep the seed only for fertile soil. Don't just ask whether you embody the soil that is prepared for the word of love, but consider whether you, like the Sower, will carry the word of love to everyone in your life.

The Sower

It was striking to learn that it was this parable that the bible study group was discussing on that night last June when Dylann Roof entered the Mother Emanuel church in Charleston and was welcomed into their group.

Definitely a painting to see the next time I'm in Boston. See also, "Throw Yourself Like Seed" by Miguel de Unamuno:

But to live is to work, and the only thing which lasts
Is the work; start there, turn to the work.
Throw yourself like seed as you walk, and into your own field


Quotes I interpret as about the Internet, from Hannah Arendt's 1950s political philosophy

1 min read

We often talk about computer-mediated communication, but there's also an important sense in which the Internet provides for communication with less mediation and context than we're accustomed to, with a shock to the participants because of the lack of relation they have to one another. See, Reddit.

The weirdness of this situation resembles a spiritualistic seance where a number of people gathered around a table might suddenly, through some magic trick, see the table vanish from their midst, so that two persons sitting opposite each other were no longer separated but also would be entirely un-related to each other by anything tangible.

I especially like this for anticipating the challenges of archiving as necessary for the Internet to be a "public space":

If the world is to contain a public space, it cannot be erected for one generation and planned for the living only; it must transcend the life-span of mortal men.

Quotes from: Arendt, Hannah. The Human Condition. University of Chicago Press,


Alice's Restaurant

1 min read

After the ordeal, we went back to the jail. Obie said he was going to put us in the cell. Said, "Kid, I'm going to put you in the cell, I want your wallet and your belt." And I said, "Obie, I can understand you wanting my wallet so I don't have any money to spend in the cell, but what do you want my belt for?" And he said, "Kid, we don't want any hangings." I said, "Obie, did you think I was going to hang myself for littering?"

There's a pause in the song after that question, which always felt ominous to me but I never understood why. Today, I feel like maybe I understand it a little bit more.


Trolling and distrust in the Web itself

3 min read

Read a fascinating article in The New York Times Magazine about the Internet Research Agency, a Russian organization of trolls that create fake accounts to spread Russian government propaganda, which also apparently includes a sub-group that uses elaborate methods to spread chaos in the United States. One goal is to create distrust of the Internet as a whole, an advantage to some when the Internet has recently been the only means for opposition groups to spread information:

By working every day to spread Kremlin propaganda, the paid trolls have made it impossible for the normal Internet user to separate truth from fiction. “The point is to spoil it, to create the atmosphere of hate, to make it so stinky that normal people won’t want to touch it,” Volkov said, when we met in the office of Navalny’s Anti-Corruption Foundation. “You have to remember the Internet population of Russia is just over 50 percent. The rest are yet to join, and when they join it’s very important what is their first impression.”

Of course, I went to Wikipedia to find out more. But of course, Wikipedia itself is particularly vulnerable to sockpuppetry and to debates that attempt to poison the well (for example). I don't have the time to sort through the whole thing at the moment (ah, and isn't that the thing?), but here are a few relevant articles:

  • Trolls from Olgino, an informal term used to described the organizations that troll on behalf of the government
  • Web brigades, another generic term used to describe sockpuppetry groups. This article in particular has had edit wars; some wish to delete the article, rename it, or make it about allegations of sockpuppetry, or about a "conspiracy theory".
  • Cyberwarfare in Russia, a more generic article that also touches on denial of service/hacking, surveillance and persecution. This article has also been renamed several times and edit wars about "allegations", settling on this title which doesn't describe that it's about government-sponsored activities.
  • 50 Cent Party, the name used for Chinese people hired to post supportive comments on social media. This article doesn't seem to suffer from the same debates/warring in the articles on apparent Russian equivalents.
  • Operation Earnest Voice, a short article on a US government propaganda project.

(I've created a redirect on Wikipedia for "Internet Research Agency" to the Trolls from Olgino article for the meantime. I was surprised that searching Wikipedia for the name didn't turn up anything.)

It's not clear to me how to fight this problem in general. It seems like it's going to become increasingly common, whether it's Gamergate or nation-states. Wikipedia is clearly not sufficiently prepared. Social media seem quite vulnerable to sockpuppetry, to piling on and to rapid spread of misinformation (whether intentional or not) with little curation or editing. I'd be interested in seeing research on the topic and proposals/prototypes for addressing it.


interesting questions I heard from students in class: standard-setting and "punting" decisions

2 min read

17 February 2015 Edition (second in a series)

We talked about standard-setting in class last week, an area particularly close to my heart. We started by gathering our questions on the whiteboard, which I thought made an interesting roadmap for class discussion.

  • Why is Nick interested in standards? Why would anyone be?
  • Why are standards created but not adopted? Are there binding mechanisms for standards adoption?
  • What are some alternative processes for decision-making?
  • Is any stakeholder too "evil" to participate in a multistakeholder process?
  • Who decides who the stakeholders are?

I think these might be useful questions to hit for anyone teaching Web/Internet standards or discussing multistakeholder processes. (Answers not included here, because that would require transcribing our entire class discussion.) I especially appreciate the candor of that first question.

And not just questions, but one great idea that came up in class while discussing the "mechanism, not policy" koan:

engineers "punt" certain decisions

Why do decisions get "punted" to future versions, other layers of the stack, or for someone else to decide? We came up with at least the following:

  1. lack of qualification
  2. flexibility for under-represented stakeholders
  3. empowering unanticipated uses
  4. deflecting responsibility
  5. failure to find agreement/consensus
  6. running out of time


Del Valle panorama

0 min read

Del Valle


interesting ideas I heard from students in class

2 min read

3 February 2015 Edition (first in a potentially very long series)

“you can imagine a system” with an alternative design or different values

I like how both philosophers and engineers use that kind of phrasing: the philosopher in introducing a thought experiment, the engineer in describing an alternate implementation.

standards can prove problematic for security because of their homogeneity. what about the value of diversity?

Awesome. Also, I take this as a reminder to emphasize, when we talk about standards, how they typically exist to enable some kinds of diversity.

“26/11”, a term for the 2008 terrorist attacks in Mumbai

and apparently used as a justification for limitations on BlackBerry messaging

“I could commit a crime right now”

In discussing the “zone of lawlessness” and how our classrooms are lawless in the sense that nothing is pre-emptively preventing criminal activity.

what is the violability of disk encryption or transport-layer encryption?

Per the advice I give at the beginning of every Crypto Party, the typical encryption tools we can easily learn aren’t so strong that you can keep the contents of your communications secret from a focused criminal investigation into your background. Even strong and properly implemented crypto is typically violable, via endpoint security if nothing else, in a particular investigation; it’s only inviolable in the sense of mass surveillance.


Humility, Darkness and Light

3 min read

Since August, I've been thinking about humility. I read it in Infinite Jest, talking about Alcoholics Anonymous, or, related, in that "This is Water" speech about the capital-T Truth of life we struggle to see. And I heard it at a recent sermon at the First Unitarian Universalist Church here in Oakland, which took this prayer as its subject:

Lord, make me an instrument of your peace;
where there is hatred, let me sow love;
where there is injury, pardon;
where there is discord, union;
where there is doubt, faith;
where there is despair, hope;
where there is darkness, light; and
where there is sadness, joy.

O Divine Master, grant that I may not so much seek
to be consoled, as to console;
to be understood, as to understand;
to be loved, as to love;
for it is in giving that we receive,
it is in pardoning that we are pardoned, and
it is in dying that we are born to eternal life.

Prayer of St. Francis (not actually written by St. Francis, but traced back to early 20th-century, and clearly in the spirit of poverty and humility that Francis of Assisi, namesake of our City by the Bay, exemplified)

This is difficult advice to follow; I suppose that goes without saying. But it's useful to hear about it from all over, because we need those kinds of reminders. Particularly moving for me was hearing these words from my cousin Elisa, who lives in St. Louis:

I know my own heart, I know how easy it is for anger and pride to arise. I know how easy it is to be passive or passionate about something. Yes, I’ve experienced pain, but what I’m learning is that it’s through pain and the exposing of the darkness in my own heart that healing is then able to take place.

I think part of why this has been so painful for me is that I'm becoming aware — actively aware, not just theoretically cognizant — of injustice that has long been present. It's humbling to see that kind of blindness in oneself. I will try harder to remember that. I thank all of you who have helped remind me.

20140805 mural-obtained-by-hatred
The mural just down the street from me, across from the high school.

So tomorrow, to celebrate Martin Luther King Jr.'s birthday, I'll be out marching.

Darkness cannot drive out darkness; only light can do that. Hate cannot drive out
hate; only love can do that.

— Rev. Martin Luther King, Jr., Strength to Love, 1963.

Reverend Phil Lawson this morning was quoting Martin Buber (Jewish philosopher and theologian), in saying that the opposite of slavery is not freedom, but community. The opposite of low wages and no healthcare and inadequate housing is community. So that's what I'm marching for. Come join us, at noon by Fruitvale Station, or at a gathering in your own city. It will be a family friendly event (face-painting! crafts!) and a chance to meet members of your family you didn't even know about.