Secondary thoughts on working yet another primary election

Tuesday had a lot in common with the four days I spent last year working as an election officer for Arlington County. Just as in March, June, July and then November, I staggered through a sleep-deprived day that started with a 5 a.m. arrival at the polling place and didn’t end until around 8:30 p.m. As in all of those elections except last March’s Democratic presidential primary, the day left me with a fair amount of downtime to fill with reading a book and chatting with my fellow poll workers. And once again, it felt deeply fulfilling to help my fellow citizens do their part to hire candidates for temporary, taxpayer-funded jobs.

Lillies bloom in the foreground, while the background shows election signs in front of a community center in Arlington, Va.

But since November 3, the subject of election security–a topic I’ve been covering on and off for most of the last two decades–has fallen prey to fever-dream conspiracy theories among Donald Trump followers who refuse to believe that the former president was fired by the largest electorate in American history.

I am tempted to give this post over to yet another rant denouncing those advocates of Trump’s Big Lie–as well as the sedition sympathizers in Congress who kept pandering to those dead-enders after the deadly riot at the Capitol January 6.

But instead, I will talk about my workday Tuesday. Here are some things you should know about how we did our part in Virginia’s primary elections, which I hope map with how elections are run wherever you may read this:

• Trust paper. Arlington uses hand-marked paper ballots that each voter feeds into a scanner that will read the ballot if it’s upside-down, right-side up, forwards or backwards. (We also have ballot-marking devices for voters with disabilities.) That paper trail then becomes part of the risk-limiting audit that Virginia now conducts after each election; the audit run after November’s election (but not reported out until March) confirmed that the votes as scanned accurately recorded how people marked their ballots. If your state is among the minority to still use “direct-recording” machines that leave no paper trail (hello, Texas), direct your ire at the elected officials who haven’t fixed that problem.

• Don’t confuse voter identification with TSA Pre. I checked in one voter who did not have a Virginia driver’s license but did appear in our poll-book app as a registered voter, and I saw other voters show up with the same scenario. That was understandable, as the Virginia DMV is struggling to catch up with a pandemic-inflicted backlog. It would be unconscionable to kick those people out of polling places when one government bureaucracy can’t issue ID cards fast enough while another has already confirmed their eligibility. I should note here that this voter brought their voter registration card; should you get stuck in this situation, bringing that other piece of paper will save a tired poll worker a little time.

• Expect software to fail; design for resilience. The most reassuring paper product I saw Tuesday was the printout of the entire pollbook for our precinct, which meant that we did not have to rely on our pollbook app to stay up all day. Fortunately, that software did work, by which I mean it functioned aside from the feature that was supposed to scan the bar code on the back of a Virginia driver’s license but instead failed at least nine out of 10 times in my experience.

• Check everything at least twice. My day started with opening packs of ballots and counting them, 10 at a time. Each shrink-wrapped pack should have held 100 ballots and did, but we checked that anyway–so that there would be no discrepancy between the number of ballots handed out and the number of voters checked in. We also verified each total at the end of every hour; each time, there was no surplus of voters or ballots. And then we made one last check after polls closed to confirm that we had handed out exactly one ballot per voter.

If the above sounds inefficient, you read this right. Election administration has to suffer some inefficiency to accommodate the conflicting demands of allowing voters secret ballots and yielding an auditable paper record. Deal with it.

Google’s useless-to-the-self-employed “External” label: another tiny bit of freelancer erasure

The Gmail app on my phone and in my browser looks a lot more yellow when I switch to my work account, and it’s all Google’s fault. Sometime in the last week or so, Google began slapping an “External” label in a shade of deep yellow on every message sent from somebody not in my organization.

Which, since I am self-employed, constitutes the rest of the population of Earth, plus every bot and script capable of sending me e-mail. Google describes the security measure it began enforcing in late April for Google Workspace accounts–the business accounts it once gave away for free as Google Apps, then turned into a paid service in 2012, then renamed to G Suite in 2016, and then renamed once again in 2020 to Workspace–as its way to help employees “avoid unintentionally sharing confidential information with recipients outside of their organization.”

Photo shows a spam message purporting to be from Comcast with Gmail's yellow "External" label, as seen on a Pixel 3a phone in front of graph paper.

But for solo practitioners who have no employees, it’s useless. It cannot teach me anything except that even when self-employed, I can still fall victim to IT department control-freakery–and that freelancers remain invisible to many business app and service developers.

(Fun fact about the obvious phishing message in the image here: Gmail’s spam filter did not catch it.)

A support note from Google indicates that Workspace users can turn off this warning. It does not explain why I don’t see that in my own admin console. But in a Reddit thread–once again, that site proved to be an underrated source of tech supportanother Workspace user said legacy free accounts don’t get that opt-out. A frequent Twitter correspondent with a grandfathered free account has since confirmed that he doesn’t have this setting either.

I suppose Google would like me to upgrade to a paid account, but I’m already paying: $19.99 a year for 100 GB of storage. The cheapest Workspace plan would only give me 30 GB and cost almost four times as much. Since Google apparently can’t be bothered to document this new limit to free accounts, the answer there is a hard nope.

All the time I’ve sunk into investigating this problem has not, however, been without benefits. Thanks to some hints from my fave avgeek blogger Seth Miller, I figured out how to disable the also-useless default warning about replying to external e-mails. To do that, sign into your admin console’s apps list page, click Calendar, click its “Sharing Settings” heading, click the pencil icon that will appear to the right of “External Invitations,” click to clear that checkbox, and click “Save.”

Although Calendar is clearly not Gmail, this settings change seems to apply in the mail app too. At some point while I was futzing around with Workspace settings, I also found an off switch for the comparable warning about sharing Google Docs with outsiders–but now I can’t find it, so maybe that opt-out is now yet another feature reserved for paying users but not documented accordingly.

Smartphone spring cleaning: delete some apps, pay for others

By keeping me at home for so much of the past year, the pandemic has prolonged the life of my 2019-vintage Pixel 3a phone to an unnatural degree. But the cushy, stay-home lifestyle this Android device has enjoyed has not prevented one sign of smartphone age: a dwindling amount of available storage.

The easiest way to free up a bunch of space is to get rid of apps you haven’t been using. In any version of Android, the Play Store should let you sort your list of installed apps by when they were last used, but the current Android 11 provides a more direct reminder: If you don’t use an app for long enough, the system will automatically reset its permissions to zero.

Screenshot of Android's list of apps with automatically-removed permissions

The resulting lists of apps with removed permissions reminded me of how long I’d used a bunch of travel apps, but they’ve also spotlighted apps that I had lost interest in using even before the pandemic.

But as I’ve been removing various apps from smartphone, I’m also not only adding some but paying for them.

That’s not a matter of storage space but privacy. As I’ve realized in covering privacy fears over phone apps–as in, the evidence-starved assertion that TikTok is uniquely dangerous–ad-supported apps can allow for the collection and subsequent resale of more data than you might imagine.

The simplest way to solve that concern is to pay for the app–either by upgrading to an ad-free version with in an-app payment (as I did last year with Flightradar24), or by switching to a competing app if the title in question doesn’t allow that option.

And that’s why I finally have a new weather app: After years of relying on Yahoo Weather and then starting to get grumpy over the space devoted in its interface to ads, I finally deleted it. In its place, I installed Today Weather, the pick of multiple reviewers, and then paid the $6.99 lifetime fee for ad-free operation with premium features enabled. Now I have a better set of forecasting tools without any ads and the tracking that goes on behind them.

And yes, this app takes up about a third of the space than Yahoo Weather did. On an aging device like my Pixel 3a, every little byte counts.

Reminder: Don’t overlook Reddit for crowdsourced tech support

Two weeks ago, I spent too much time on T-Mobile’s site because I didn’t go to Reddit’s first. I was trying to opt out of my wireless carrier’s new targeted-advertising scheme, but I could not find any way to do so when logged into my business account–and like any dummy perplexed by an unintuitive interface, I kept trying the same thing over and over instead of asking for help.

Screenshot of the icon for Reddit's r/tmobile subreddit: Snoo the alien, but wearing a magenta T-Mobile t-shirt under a jacket while holding a cell phone.

The answer I needed was waiting in a thread on Reddit’s r/tmobile subreddit, in which one T-Mo customer replied to a comment about the unhelpfulness of the carrier’s site for this opt-out by saying “I had to use the app and eventually found it in the privacy section.” As in, the T-Mobile app I’d had on my phone all long but had forgotten about, and which coverage I’d read about this issue had not clarified would be the only way for a business customer to adjust this setting.

(In case you’re still puzzling this through, open the app, sign in, tap the “More” button at the bottom right, and then tap “Advertising & Analytics.”)

This wasn’t the first time I’ve found Reddit’s company- or service-specific forums exceptionally useful for tech support. While smart companies maintain their own forums where people can sort out problems and share tips, Reddit has three things going for it that many other discussion boards lack: scale, a search that works, and crowdsourced measures of the value of a comment and its author.

Reddit upvotes, downvotes and the karma score they feed into can be abused like any other social-media system to protect toxic behavior–it was only last June that Reddit nuked r/The_Donald and some 2,000 other subreddits for repeated hate-speech violations. (Of course, there’s a subreddit on which you can debate those risks of abuse at length.) But in the context of a subreddit set up for users of the same app, service or gadget to solve each other’s problems, these collective accountability features seem to function well enough. I also keep wondering if Twitter could use some version of a karma score–and that, decades ago, Usenet could have had one as well.

Plus, many of these product-specific subreddits also feature wikis maintained by their more-frequent contributors, something you almost never see at the forums a company maintains for its customers.

In addition to T-Mobile tech support, I’ve found Reddit a good resource for help with my HP laptop, and some of my earlier smartphones. Reddit’s also proved useful as a journalistic resource when I’ve needed to find people using a service with limited availability, like Verizon’s 5G Home fixed-wireless service or SpaceX’s Starlink satellite broadband. I try to pay that assistance back by showing up in threads other people have started about my own stories–yes, “robpegoraro” there is me–and offering to answer whatever questions people have.

Writing this post made me realize I’ve probably neglected Reddit’s potential to help me puzzle through one app I use all the time: this blogging platform. Maybe r/Wordpress can help me feel less grumpy about the Block Editor?

Is it iPadOS 14 or iPadOS 13.8?

It’s been almost a month since I installed iPadOS 14 on my iPad mini 5, and not much about my tablet-computing experience since has reminded me of that.

Why? Compare Apple’s list of new iPadOS 14 features with its brag list for iOS 14: Apple tablets don’t get home-screen widgets or the App Library, even though their larger displays might better fit those interface changes. Apple’s new Translate app, a privacy-optimizing alternative to Google’s? iPhone only for now. Even emoji search in the keyboard is confined to Apple’s smaller-screen devices.

Like earlier iPad releases, iPadOS 14 omits the basics of weather and calculator apps. I guess Apple still couldn’t find a way “to do something really distinctly great,” as its software senior vice president Craig Federighi told tech journalist Marques Brownlee in the least-persuasive moments of a June interview.

There’s also still no kid’s mode that would let a parent hand over their iPad to a child and have it locked to open only designated apps. The continued absence of this fundamental feature–even the Apple TV supports multiple user accounts!–is especially aggravating after so many American parents have spent the last eight months mostly cooped up at home with their offspring.

Apple did add a bunch of fascinating new features in iPadOS 14 for Apple Pencil users–but my iPad mini 5 and my wife’s iPad mini 4 don’t work with that peripheral.

This new release has brought lesser benefits that I do appreciate. Incoming calls in FaceTime, Google Voice, and other Internet-calling apps now politely announce themselves with a notification at the edge of the screen instead of indulging in the interface misanthropy of a full-screen dialog, and Siri shares this restraint with screen real estate. Safari catches up to Chrome by offering automated translation of their text and surpasses Google’s browser with a privacy-report summary, both available with a tap of the font-size button. I can finally set default mail and browser apps–but not navigation, the area in which Apple remains farthest behind Google. And a set of new privacy defenses include the welcome option of denying an app access to my precise location.

But as nice as those things are, they don’t feel like the stuff of a major annual release–more like the pleasant surprises of an overperforming iPadOS 13.8 update. And they certainly don’t square with what you might reasonably expect from a company that reported $33.4 billion in cash and cash equivalents on hand in its most recent quarter.

Android 11 first impressions: payments with less stress

My pick for the single most helpful new feature in Android 11 doesn’t even get a description in Google’s highlights of its mobile operating system’s new version.

This addition lurks behind the power button: Press and hold that, and instead of Android 10’s sidebar menu with the “Lockdown” option that disables biometric unlocking and scrubs notifications from the lock screen, you see a full-screen menu with large buttons for that security feature, your Google-linked smart-home gadgets–and the credit cards you have active in Google Pay.

I’ve been a fan of NFC payments for years, but the world has caught up to me since March as merchants have rushed to provide contactless payment options. But until Android 11 landed on my Pixel 3a 11 days ago, matching a purchase with the card offering the best cash-back or points reward required me to open the Android Pay app and switch payment methods. Now, I just mash the power button and tap the card I want.

The Conversations features that do lead off Google’s sales pitch for Android 11 also seem like they’ll simplify my digital life. That’s “seem” because it took me until today to remember to swipe left on a text-message notification to expose the option to make the sender a priority–starring them in the Contacts app doesn’t affect this, nor do I see a way to promote people from within the Messages app. But at least now I know that messages from my wife will show up on my lock screen with her picture.

Android 11 also brings some less-obvious application-privacy enhancements, as detailed Google’s developer guidance. It improves on Android 10’s ability to deny apps background access to your location by letting you give an app only a one-time peek at your location. If you turn off location services altogether, COVID-19 exposure-notification apps like Virginia’s COVIDWISE now still work. And if you don’t open an app for a few months, the system will turn off its permissions automatically.

The biggest problem with Android 11 is one that has existed with every other Android update–but which fortunately doesn’t affect me as a Pixel 3a user. This update will probably take months to reach Android phones outside the small universe of Pixel devices and those from such other, smaller vendors as Nokia and OnePlus that decided to commit to shipping Google’s releases quickly.

My fellow Virginians, please install the COVIDWISE app. Now, thank you.

As the United States continues to flail away at the novel-coronavirus pandemic, my part of it has done one thing right. Wednesday morning, Virginia’s Department of Health launched COVIDWISE–the first digital contact-tracing app shipped in the U.S. on the privacy-optimized Exposure Notifications framework that Apple and Google co-developed this spring.

What that means is that COVIDWISE, available for iPhones running 13.5 or newer and most Android phones running Android 6.0 or newer, requires none of your data–not your name, not your number, not your e-mail, not even your phone’s electronic identifiers–to have it warn that you spent a sustained period of time close to somebody who has tested positive for COVID-19.

COVIDWISE and other apps built on the Apple/Google system instead send out randomized Bluetooth beacons every few minutes, store those sent by nearby phones running these apps, and flag those that indicate sufficiently extended proximity to allow for COVID-19 transmission as doctors understand it. That’s the important but often misunderstood point: All of the actual contact matching is done on individual phones by these apps–not by Apple, Google or any health authorities.

If a user of COVIDWISE tests positive and alerts this system by entering the code given them by a doctor or test lab into this app, that will trigger their copy of the app to upload its record of the last 14 days of those flagged close contacts–again, anonymized beyond even Apple or Google’s knowledge–to a VDH-run server. The health authority’s server will then send a get-tested alert to phones that had originally broadcast the beacons behind those detected contacts–once the apps on those devices do their daily check-ins online for any such warnings.

The U.S. is late to this game–Latvia shipped the first such app based on Apple and Google’s framework, Apturi Covid, in late May. In that time, the single biggest complaint about the Apple/Google project from healthcare professionals has been that it’s too private and doesn’t provide the names or locations that would ease traditional contact-tracing efforts.

I’m not writing this just off reading Apple and Google’s documentation; I’ve spent a lot of time over the last two months talking to outside experts for a long report on digital-contact-tracing apps. Please trust me on this; you should install COVIDWISE.

Plus, there’s nothing to it. The pictures above show almost the entire process on my Android phone: download, open, tap through a few dialogs, that’s it. At no point did I have to enter any data, and the Settings app confirms that COVIDWISE has requested zero permissions for my data. It uses the Bluetooth radio and the network connection; that’s it, as I’ve confirmed on two other Android phones.

If I’m curious about how this app’s working, I can pop into Android’s Settings app (search “COVID” or “exposure”) to see when my phone last performed an exposure check. But I don’t expect to get any other sign of this app’s presence on my phone–unless it warns me that I stood too close to somebody who tested positive, in which case I may not enjoy that notification but will certainly need it.

Updated 8/6/2020 with further details about the app’s setup and operation.

How I got Amazon Prime almost for free

Last summer, my appetite for quantifying my finances intersected with my food-procurement habits to yield a math exercise: How much of my Amazon Prime membership was I chipping away with these discounts at Whole Foods?

The Seattle retail leviathan’s 2017 purchase of the Austin-based grocery chain consolidated a large portion of my annual consumer spend at one company. It also gave me a new set of benefits for the Amazon Prime membership my wife and I have had since 2011: an extra 10% off sale items except beer and wine, plus some Prime-only deals.

(Personal-finance FYI: Amazon also touts getting 5% cash back at Whole Foods on its credit card, but the American Express Blue Cash Preferred offers 6% back on all grocery stores. That higher rate combined with Amex Offers for rebates at designated merchants easily erases the card’s $95 annual fee and returns more money than I’d get from Amazon’s card.)

So on my way out of Whole Foods, I created a new Google Docs spreadsheet on my phone and jotted down the Prime savings called out on my receipt. Then I did the same thing after subsequent visits. If Whole Foods and Amazon were going to track my shopping habits (which I assume they could from seeing the same credit card even if I didn’t scan in the QR code in the Amazon app at the checkout), I ought to do likewise.

Aside from $10-and-change savings during last July’s Prime Day promotion and again on roses for Valentine’s Day, most of these 41 transactions yielded $4 or less in Prime discounts. But after a year, they added up to $118.14, just 86 cents less than the $119 Prime annual fee.

To answer the obvious question: No, I did not step up my Whole Foods visits because of this tie-in. That place does happen to be the closest almost-full-spectrum grocery store to my home, but there’s a Trader Joe’s barely further away that trades a smaller selection for cheaper pricing on staples like milk and flour. And thanks to this dorky habit of mine, I can tell that I’ve shifted more of my business from WF to TJ’s the past few months.

Things I learned from working a primary election

After more than 15 years of writing about voting-machine security, I finally got some hands-on experience in the field–by waking up at 4 a.m. and working a 16-hour day.

I’d had the idea in my head for a while, thanks to frequent reminders from such election-security experts as Georgetown Law’s Matt Blaze that the best way to learn how elections work is to work one yourself. And I finally realized in January that I’d be in town for the March 3 Democratic primary and, as a self-employed type, could take the whole day off.

I applied at Arlington’s site by filling out a short form, and about two hours later got a confirmation of my appointment as an election officer. (My wife works for Arlington’s Department of Technology Services but has no role in election administration.) A training class Feb. 11 outlined the basics of the work and sent me home with a thick binder of documentation–yes, I actually read it–and on March 3, I woke up two minutes before my 4 a.m. alarm.

After packing myself a lunch and snacks, as if I were going to grade school, and powering through some cereal, I arrived at my assigned polling place just before the instructed start time of 5 a.m. I left a little before 9 p.m. Here are the big things I learned over those 16 hours:

  • Yes, having people fill out paper ballots and scan them in works. I saw 500-plus voters do that while I tended the scanner in the morning, and none had the machine reject their ballot. There was confusion over which way to insert that ballot, but the scanner accommodated that by reading them whether they were inserted upside down, right-side up, forwards or backwards. (I wish more machines were that tolerant of human variances in input.) And at the end of the day, we had a box full of ballots that will be kept for a year.
  • The technology overall appeared to be of higher quality than the grotesquely insecure, Windows-based Winvote touchscreen machines on which I voted for too many years. This scanner was an offline model running a build of Linux, while the poll-book apps ran on a set of iPads.
  • The “vote fraud” rationale for imposing photo ID requirements is not only fraudulent, but photo IDs themselves are overrated. The state allows a really broad selection of public- and private-sector IDs—unavoidable unless you want to make it obvious that you’re restricting the franchise to older and wealthier voters—and our instructions required us to be liberal in accepting those. I didn’t see or hear of anybody getting rejected for an ID mismatch. (The one surprise was how many people showed up with passports; I quickly grew to appreciate their larger color photos over the tiny black-and-white thumbnails on drivers’ licenses.)
  • Asking people to state their name and address, then matching that against voter-registration records, does work. That also happens to be how voter check-in used to work in Virginia before Republicans in the General Assembly shoved through the photo-ID requirement that’s now been reversed by the new Democratic majority in Richmond.
  • You know who really loves high turnout? Election officers who otherwise have some pretty dull hours in mid-morning and then mid-afternoon. At one point, the person in charge of the ballot scanner busied himself by arranging stickers into a bitmapped outline of Virginia, then added a layer of stickers on top of that to represent I-95 and I-66. Fortunately, precinct 44 blew away past primary-turnout records with a total of 1,046 in-person votes.
  • The attention to detail I saw was almost liturgical. Every hour, the precinct chief did a count of voters checked in and votes cast to ensure the numbers matched; every record was done in at least duplicate; every piece of paper was signed by at least two election officers, and the overall SOR (statement of results) bore the signatures of all eight of us. We closed out the night by putting documents and records in specified, numbered envelopes, each locked with a numbered zip-tie lock; each number was recorded on a piece of paper on the outside of each envelope that was itself signed by two election officers.
  • Serving as an election officer isn’t physically demanding work, but it does make for a long day. We did have coffee delivered, but it didn’t arrive until 9 a.m., and nobody had time for dinner during the rush to close out things after the polls closed.
  • It’s also not the most lucrative work ever. My paycheck arrived Friday: $175, amounting to an hourly wage of $10.94. The value of seeing the attention paid to make democracy work and then watching more than a thousand people show up to exercise their rights: priceless.

Updated 3/23/2020 to fix some formatting glitches.

Here’s how much Facebook was tracking me around the rest of the Web

Facebook finally fulfilled one of Mark Zuckerberg’s campaign promises this week–a promise dating back to May of 2018.

That’s when Facebook’s CEO said the company would roll out a “Clear History” feature that would let its users erase Facebook records of their activity at other sites and apps as gathered by the social network’s Like and Share buttons and other plug-ins.

(If it took you a long time to realize the extent of that tracking, I can’t blame you. Instead, I can blame me: The post I did for the Washington Post when my old shop integrated a batch of Facebook components to its site didn’t spell out this risk.)

Twenty months after Zuck’s announcement, this feature, renamed “Off Facebook Activity”, finally arrived for U.S. users on Tuesday. I promptly set aside that day’s tasks to check it out firsthand.

The good news, such as it was: Only 74 apps and sites had been providing Facebook info about my activity there. And most of them (disclosure: including such current and past clients as USA Today, Fast Company, The Points Guy and the Columbia Journalism Review) had only coughed up isolated data points.

The bad news: The Yelp, Eventbrite, AnyDo, and Duolingo apps had all coughed up more than 20 records of my interactions there, as had the sites of Home Depot and Safeway owner Albertson’s.

To judge from the responses I got from readers of my Facebook when I asked them how many sites and apps showed up in their own Off-Facebook Activity listings, I’m practically living a cloistered life. Most comments cited three-digit numbers, two close to four digits: 232, 356, 395, 862, and 974. One thing most of these users seemed to have in common: using Google’s Chrome as a default browser instead of Apple’s Safari or Mozilla Firefox, both of which automatically block tracking by social networks on other pages. The former is the default on my desktop, while the latter has that place on my laptop.

I’ve now cleared my history and turned off future Off-Facebook Activity–at the possible cost of no longer having WordPress.com publish new posts automatically to my Facebook page. I can probably live with that.