Keeping email private…

Whenever one of the market-anointed tech titans speaks, people start to pay attention to their privacy… or lack thereof. In this instance, the question I received was about email, asking about alternatives to the Microsoft & Google offerings, as compared to the Swiss service ProtonMail. Get your beverage(s) ready, this is going to be a long one.

Disclaimer: I am not a lawyer, and I did not sleep in a Holiday Inn Express last night. This discussion is relative to my understanding of United States Laws and court decisions. Your mileage may vary. 

First – how much inconvenience are you willing to suffer to keep your email private? What are you willing to pay?

On the surface, ProtonMail (which prides itself on end-to-end encryption, and on being based in Switzerland) seems like the obvious winner, since there’s a free version. But there are issues here. First is the recently passed CLOUD Act (Clarifying Lawful Overseas Use of Data Act, HR 4943, signed into law March 23, 2018), which allows for bilateral treaty-based exchange of overseas data between signatories. Note there is already such a treaty in existence with Switzerland. Proton’s oft-stated “we only store encrypted data” claim is only good to the extent a user is not otherwise compelled to give up a password… or that the encryption is as described. Further, the only interface allowed to Proton is via web browser…

Gmail/Hotmail etc – “free” or “paid” – your email is going to be read by robots, mostly looking for advertising ‘bait’ or to build a better profile… (more on this later). Of course, these offerings win on convenience, and of course “free!”

Finally, there’s “roll-your-own” email. Invest in a server, configure your own email, have your own custom address pool, make your own filters and blocks, set auto-replies, run email lists… in simple terms, do everything the big boys can, but in your own way. All the mission-critical email for me has run on my own email server for more than twenty years. I use Gmail as a convenience, and am forced to use Outlook by various clients.

Now – let’s look at the legal implications for privacy of the three offerings above. In the US, email privacy is governed by two major acts: the aforementioned CLOUD Act, and the ECPA (Electronic Communications Privacy Act, 1986). Most email communication falls under the [ancient] ECPA guidelines (assuming it is stored in the US).

The ECPA defines five types of communication for email. Three of those types require a warrant for access; two require a subpoena. Subpoenas are routinely issued by lawyers in the name of the court; penalties may be assessed for non-compliance. Warrants are issued by a judge, have stringent requirements for issuance, and are usually enforced by police agencies.

The ‘warrant required’ types of communications are: email in transit, email stored on a home computer, and email in remote storage, unopened, stored for 180 days or less.

The ‘subpoena required’ types of communications are: email in remote storage, opened, and email in remote storage, unopened, stored for more than 180 days.

I run a combination server – it is IMAP when I’m away from home, and POP3 when I’m home. In simple terms – during a work day outside the house, or while travelling, I’m running the server in much the same mode as one does with any web-based system. The email is available via remote access (remote storage in ECPA terms). When I’m home, I have a POP3 client which downloads the email to a home computer, and erases that mail from the server.

In this mode, my critical email is always in the warrant-required states per the ECPA. Warrants are issued under standards more than 200 years old – each must be based on probable cause, describe the place or person to be searched, and state what evidence the search is being requested for; all under oath or affirmation to a judge or magistrate. I feel reasonably secure.
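One way to check which messages still sitting on the server have slipped out of the warrant-required states listed above, given here as an added example and not the author's own tooling. It assumes the IMAP `\Seen` flag stands in for "opened" and `INTERNALDATE` for the start of storage; the FETCH lines and the "today" date are constructed.

```python
import imaplib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: FETCH (FLAGS INTERNALDATE) responses in imaplib's byte form.
SAMPLE_FETCH = [
    b'1 (FLAGS (\\Seen) INTERNALDATE "02-Apr-2018 09:15:00 +0000")',
    b'2 (FLAGS () INTERNALDATE "20-Mar-2018 18:30:00 -0500")',
    b'3 (FLAGS (\\Recent) INTERNALDATE "01-Sep-2017 08:00:00 +0000")',
    b'4 (FLAGS (\\Seen \\Answered) INTERNALDATE "15-Jun-2017 12:00:00 +0000")',
]

_DATE = re.compile(rb'INTERNALDATE "([^"]+)"')
LIMIT = timedelta(days=180)  # the page's 180-day threshold for unopened mail


def classify(fetch_line, now):
    """Return (seq, state, reason) for one message left in remote storage."""
    seq = int(fetch_line.split()[0])
    flags = imaplib.ParseFlags(fetch_line)
    m = _DATE.search(fetch_line)
    if m is None:
        raise ValueError("no INTERNALDATE in %r" % fetch_line)
    stored = datetime.strptime(m.group(1).decode().strip(),
                               "%d-%b-%Y %H:%M:%S %z")
    if b"\\Seen" in flags:  # assumption: \Seen is treated as "opened"
        return seq, "subpoena", "opened"
    if now - stored > LIMIT:
        return seq, "subpoena", "unopened, stored more than 180 days"
    return seq, "warrant", "unopened, stored 180 days or less"


def audit(fetch_lines, now):
    """Sequence numbers of messages no longer in a warrant-required state."""
    results = (classify(line, now) for line in fetch_lines)
    return [seq for seq, state, _ in results if state == "subpoena"]


if __name__ == "__main__":
    today = datetime(2018, 4, 10, tzinfo=timezone.utc)  # constructed date
    for line in SAMPLE_FETCH:
        print(classify(line, today))
```

Against a real server the same lines come from `imaplib`'s `fetch(..., '(FLAGS INTERNALDATE)')`; anything `audit` returns is a candidate for the POP3-style download-and-delete described above.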

Hope this helps the decision matrix.

ps – Gmail’s robots really kick in after about 200 emails are in the account. Want to baffle the builder? Set Gmail to operate in POP3 mode (delete after download) and watch the fun. (Running NoScript and disabling the Google Stats scripts also screws up the profile builder).

 


In praise of PagePlus X9

PagePlus X9 turns out to have sufficient functionality in layout design to replace InDesign CS3. (See the prior post “Migration” for why I have to change).

PagePlus is a product of Serif, a long-time competitor to Adobe. The Plus line of software is no longer in active development but licenses are still available – PagePlus is $25 from Serif directly, or a bit less in DVD form on Amazon.

Down the road a bit, the company expects to have a more full-featured layout package (Affinity Publisher)… but it’s been pushed back several times. I think the main development effort is in their Photoshop replacement software.

As to PagePlus, so far it’s worked fine for the four-to-eight page layouts I routinely need; shortly I’ll test it on a longer project.

A word on doing work for “exposure:”

NO.

That’s it, just say NO.

If the work is sufficiently complex to require special skills (yours) then it’s of sufficient value to the client to get paid.

I recently went through this dance. A prospect got in touch via email (referral from various sources), then we did some phone tag, several conference calls, a ream or more of additional email, and then a meeting was arranged.

For me, it was a two-hour drive early in the morning (I’m a night owl) to a breakfast meeting in a diner. Got there, and things started downhill almost immediately. The client principal wasn’t in attendance even though she would have to approve any ‘deal.’ The talk quickly turned to my doing this for ‘exposure’ (sorry, No); then well “you do the design and if we like the design then you can bid on the job and if you’re the winner you get paid after the job is all done.”

NO.

Not playing that game… time to leave. They wanted a ‘ball-park’ figure; I gave them one, and then added that it would of necessity be much higher should they return in a few months – disgruntled people are much more difficult clients. When they told me it wasn’t likely, I wished them success – with all those other consultants they’d tracked down for this sort of work.

My exit was made in silence, at least from that group. I expect they’ll be back, and my answer will, for them, always be NO.

End result – I think I’m going to have to start charging for prospect meetings, especially if the prospect isn’t used to dealing with custom software.

Updating the homepage

It finally was time — time to update the main site (homepage) of www.woodall.com, to make it mobile-friendly and modern.

When I started with the Internet the whole idea of a small consultancy having its own outpost on the web was avant-garde – I registered woodall.com in October 1995 and went live immediately, and in the summer of 1997 brought the hosting in-house, where it remains to this day.

The main site exists mostly as a tool repository – only about a dozen pages were ever in the ‘official’ linkage and there are dozens of pages reachable only by typing in the URLs directly… or from offsite links.¹ Keeping the main page updated hasn’t been a priority.

Then one fine January morning a note popped in on email – Google was going to start lowering my page scores because the site was not “mobile-friendly.” Ahem. Something must be done. And now, it is.

Expect to see various changes in the site layout and background photos as I experiment with what works best, but for now, there’s a new site out there. And it looks far better than the old.


¹ After examining the logs it’s clear there are only three of the ‘hidden’ pages still being accessed – so after a bit of legerdemain with mod_rewrite those items are now restored.

Ink-stained rant

One of the tasks tonight was printing out student work; it needs to be printed so I can grade it and hand it back. Nowadays most students won’t print their own work… usually, I think, from the cost involved.

The big cost is ink. My usual printer for everyday use is a worn Epson Stylus C-120. It uses four colors but five cartridges – doubling up on black – and if I were to use Epson-brand ink, the cost for one set of cartridges would be about $60. Each cartridge holds 12 ml of ink – thus Epson ink costs $1,000 per liter, or a bit less than $4,000 to the gallon. And you thought gasoline was high-priced?

I don’t use Epson inks. I print way too much to go that route.

For the first couple of years I used a CISS – Continuous Ink Supply System. This is a set of 5 cartridges with tubing which loops outside the printer to a set of tanks holding bulk ink. The cost of the CISS was $35 – for 100 ml of ink in each tank! Re-inking costs were about $30 per 500ml – far less than name-brand.

CISS systems expect to be used, a lot. Daily works best. Otherwise the inks slowly draw back down the supply lines into the tank. If the time between use is too great, the inks may clot up a bit at the feed end of the tanks… at which point it’s easier to pull the system out and replace it rather than fix it. Been there, done that. These inks are dye-based and not particularly stable, but work just fine for daily print work (mostly text).

For now, I’m using generic dye-filled cartridges bought on Amazon – the vendor name changes with each purchase, but on average I’m paying $1.25 per cartridge… everything is working fine, except the ‘status’ messages from the Epson printer driver software.

Epson’s printer drivers give a visual depiction of remaining ink; and a warning pop-up when the capacity is ‘low.’ What I’m finding out is that ‘low’ is… a marketing ploy as opposed to any sort of reality. Two days ago I got the pop-up, urging me to buy ink as I was ‘low’ on black. Earlier tonight when I started to print, the indicator was at the bottom, indicating imminent emptiness – or so it seemed. Two hundred and four pages later, the indicator is still at the bottom… and the black ink is still printing nice and strong.

Tsk tsk tsk.

Dear web-design fiends:

Please check spelling and use the appropriate words when putting up your portfolio sights… if you want future work.

It happened again. In the course of my work, I’ll run across a small business or non-profit in desperate need of a website refresh. I then refer the business to a former student (many of whom have completed web-development classes), and both are happy.

But not this time… because of a simple spelling error. Actually, the word is correctly spelled, but it’s the wrong word – “bare with me” is not the same as “bear with me” – and given the basic purpose of a website is to communicate – it’s a major failing.

Quality has to extend to all the parts… or what’s the point?