Monica

Some updates on Glassdoor's privacy violations:

Use https://help.glassdoor.com/s/privacyrequest?language=en_US to request deletion of your data. Deactivating your account doesn't delete data. This might not either (no way to verify), but it's the strongest request you can make.

Media coverage: Ars Technica: Users ditch Glassdoor, stunned by site adding real names without consent, Wired: Glassdoor wants to know your real name. The Ars story is more detailed.

It seems that Glassdoor updated its terms of use on February 17, 2024. I did not receive email notification (my last TOS update from them was December 2022). Some salient bits from the current version:

We may update your Profile with information we obtain from third parties. We may also use personal data you provide to us via your resume(s) or our other services. You can read more about how we collect and process your data in our Privacy Policy.

I never provided a resume. I never typed my name into their site, nor did I use a social-media or Google identity. I created the account with an email address (~10 years ago). That part about "obtain from third parties" means they can try to match you up with LinkedIn, use your email headers if you should ever send them email, try to reconcile your account with Indeed if you're there (the same company owns both Glassdoor and Indeed), and whatever else they come up with.

Also, sometimes the information they add is incorrect. From Ars Technica:

As Monica's blog spread widely online, another Glassdoor user, Josh Simmons, commented to confirm that Glassdoor had "already auto-populated details" on his account, too. But instead of correcting Simmons' information, Glassdoor seemed to be adding mistakes to his profile.

Simmons, who requested to use his real name and share his employer information, is a managing director of Matrix.org Foundation. He discovered that Glassdoor had not only messed up his employer's name but also claimed that he was based in London, while he is actually located in California.

"It was bizarre, because I had never provided that information, and it was a somewhat incoherent mix of details," Simmons told Ars.

Back to the terms of use:

We may attempt to verify your employment history or status through various methods, including third party integrations or services. We may also utilize signals we receive from your current or former employer. Glassdoor is not responsible to you or any third party if we are unable to or inaccurately verify your employment history or status.

I don't know what "we may utilize signals we receive from your employer" means, but it sure sounds like "we might ask your employer if you work there", because your employer knowing you've posted Glassdoor reviews to prompt that question would be a "you" problem, not a "Glassdoor" problem.

(This information is repeated in the privacy policy.)

In order to provide you with access to features across our services, we may create and link different services’ accounts for you.

This is the part about them automatically creating a Fishbowl (social media) account on your behalf, without you explicitly doing anything and apparently without direct notification.

A portion of your Profile on our community and conversation services (e.g., Fishbowl and community and conversation features across our services) is always public. Therefore, your profile picture, company name, title, and other general information (but not including your semi-/anonymous Content submissions) will be visible to the public and available via search.. Content submitted with semi-/anonymous identifiers such as your company name or job title is not associated with the publicly-visible portion of your Profile.

So they added my name to my Glassdoor profile without consent, then propagated that to Fishbowl, and the Fishbowl profile was public?!

Glassdoor responded to Ars:

"We vigorously defend our users’ right to anonymous free speech and will appear in court to oppose and defeat requests for user information," Glassdoor's spokesperson said. "In fact, courts have almost always ruled in favor of Glassdoor and its users when we’ve fought to protect their anonymity. With the addition of Fishbowl’s community features to Glassdoor, our commitment to user privacy remains ironclad, and we will continue to defend our users from employers who seek to unmask their identity."

They "vigorously defend" privacy, yet they collect and store information that violates privacy. Also, note that what they're saying is that they'll defend outside requests for data ("almost" always successfully), but they say nothing about their own proactive use of that data -- like selling it to employers.

That data-deletion link once again: https://help.glassdoor.com/s/privacyrequest?language=en_US.

I've been using pobox.com since (checks...) 1996, when I needed to change email addresses and wanted to avert the hassle of getting updates pushed out the next time I had to do that. Pobox does two things: it gives me an email address that I can redirect wherever I want, and it gives me URL forwarding: a Pobox account comes with the ability to redirect http://www.pobox.com/~your-name to wherever you want.

I got email from Pobox today announcing that URL redirection will be discontinued in a couple months:

[...] Pobox alias URLs once served the same purpose as Pobox email aliases: you could get one URL and have it follow you as your web page moved. Over time, though, personal domains have taken over this use case, and Pobox’s URL redirection service is almost entirely unused. Upcoming changes to our web interface make this feature much harder to continue offering, and we have decided to retire it.

Your account’s URL is one of the few that has seen traffic in the last six months. Maybe that’s a fluke, and you’ve stopped using this URL, and it redirects to some long-abandoned page you owned in the 1990s. On the other hand, you might still be using this URL. If that’s the case, you should begin updating links to your Pobox URL and instead link directly to the target resource, or some other redirection service. [...]

As it happens, I am using that URL, and updating links kind of depends on knowing where the links are. (I mean, updating my own links is easy, but that's not why one uses redirection.) I use the domain I acquired in 2017 for all new stuff, and I've been migrating old stuff intermittently. But I didn't finish and cut over, because there are links to my old SCA stuff (in particular) all over the place out there, and I couldn't figure out how to cleanly make all the URLs work -- Pobox gives me one top-level redirect, but if I can't exactly preserve the structure under that, I'm into the realm of individual redirects and that's a big hassle.

Well ok, then -- Pobox is forcing my hand (and I don't really blame them if usage is that low), so I'll just rip that band-aid off and not worry about making the soon-to-be-dead URLs work on the new site. I also hit the Wayback Machine and archive.today with some pages I know are linked, and I asked Pobox if they could give me referrer logs so I can see if there's anyone I ought to notify. Beyond that, I'll just have to assume that search engines will eventually index the new locations and anyone who really cares will search.

Tonight I migrated my SCA pages, which are mainly the page (and many pictures) for the Pennsic house, since Greg Lindahl is already hosting most of my music (and Joy & Jealousy). I also had a bunch of stuff related to the Board crisis of 1994; rather than port all the individual pages, I archived it online and then dropped a ZIP file on my site. It was 30 years ago; I suspect very few people are interested, and those who are won't mind downloading the bundle.

My Pobox account next renews in 2029. I have email through my domain but, again, a lot of people use my Pobox address and updates are hard. But perhaps in the next five years I should attempt to put that change in place, because who knows if email forwarding will go the way of URL redirection by then?

I gave a d'var torah a couple weeks ago on shortish notice and forgot to post it here. This is for Bo, the parsha that contains the last three plagues and the actual exodus from Egypt.

--

The pattern is familiar: Moshe goes to Paro to demand freedom, Paro refuses, Moshe announces the next plague, and God carries it out. Paro says he's sorry and asks for relief, God lifts the plague, and then Paro hardens his heart and we start all over again. There's no change; the oppression never seems to end.

Rabbi Mordechai Kamenetzky points out that for most of the plagues these negotiations are strained but civil. Moshe and Paro are on opposite sides of an argument, but nobody is throwing tantrums as far as we can tell. But their last meeting is different: after telling Paro what is to come, the torah tells us that Moshe went out from Paro in hot anger.

Was he angry about Paro's stubborn refusal to let the people go? That doesn't seem likely; they've had that well-worn exchange many times before. No, what is different this time is the cost of Paro's recalcitrance.

The first nine plagues caused extensive damage to Mitzrayim, to the point where even Paro's advisors are urging him to give up because Egypt is surely lost. The first nine plagues destroyed crops and livestock, caused injury and sickness, and massively inconvenienced people -- but they weren't fatal to anyone who heeded the warnings to come in out of the hailstorm.

The last plague is different: there is an unavoidable human cost. The last plague targets based on who you are, not on what wrongs you did, and it kills. It's not individual punishment; it's a tax on those living in Egypt. Surely not all of the dead deserved it, even in a society with many evildoers and oppressors.

God does not want the death of sinners, our prophets tell us, but that they should repent. God wouldn't be sending this last plague if there were an alternative. Moshe sees this, Rabbi Kamenetzky points out, and it fills him with anger at the Paro who causes widespread death. This could have been avoided. These deaths are Paro's fault.

But wait, one might say -- it is God who sends this plague, and thus God could avert this widespread loss of human life. It's God's fault, not Paro's, right?

My father, of blessed memory, taught me many things. One of them is that we solve problems with words, not with fists. Another of them is that giving bullies what they demand does not end the bullying. There was a kid in my grade who, starting in kindergarten, was physically abusive to me, and in the many parental conferences that followed, his parents told my parents that boys will be boys and if I didn't react he would probably stop. My father said that was unacceptable. This went on for years, until I was given permission to respond. The bullying ended the day I decked that kid with my large-print dictionary. We don't solve problems with violence, except that sometimes we have to.

I hit the kid; did that make it my fault he got hurt? Absolutely not, according to me, my parents, and the school principal. Lesser interventions had failed. Now my attack didn't do permanent damage, didn't even break his nose -- nothing like the last plague in that regard. But the principle is the same: the oppressor is culpable for the consequences of his behavior. The blood of the victims of collateral damage is on the hands of the evildoers who refuse to resolve conflicts peacefully.

Rabbi Elie Kaunfer from Hadar points out a surprising passage near the end of the parsha, after the final plague, when Paro asks Moshe and Aharon to pray for him. Say what now? The Paro who has done so much damage asks his victims to pray for his welfare? Why would they do that?

Rabbi Kaunfer points out a rabbinic tradition that Paro did not die at the Sea of Reeds with his army. Through the midrashic principle of the conservation of biblical personalities (that's not Rabbi Kaunfer's label), Paro went on to become the king of Nineveh. When Yonah comes to Nineveh to announce their impending destruction, it is the king who asks for forgiveness and leads his nation in teshuva to avert the decree.

Perhaps Moshe and Aharon did pray for Paro like he asked. More specifically, perhaps they prayed that he repent and do teshuva, like we pray our enemies will do in the daily Amidah. That's a prayer I can get behind -- that oppressors big and small soften their hearts, stop doing harm, and turn toward the right path. Ken y'hi ratzono.

I've been using RateBeer to track beers I've tasted and how much I liked them. This is helpful to pull up on a phone in a restaurant or store. But it relies on their database; if they haven't heard of a beer (and I don't want to do very cumbersome editing to add it on the fly), I can't rate it. Untapped seems to have a larger database but a terrible mobile site.

Fundamentally, this is the wrong approach for me anyway. Sites like RateBeer and Untapped exist to collect and aggregate user-contributed content. I don't care about that. I'm not interested in "social beer". I just want to keep track of things I've tried. And this isn't really just about beer; in days of yore when I bought more books on paper, I wanted to be able to look up what I already own while standing in a bookstore, but GoodReads is not really the interface for that. Similarly, keeping track of board games I like (and variants) is not really a job for BoardGameGeek.

What I need is my own private little database, with a web front end to support both queries (searches) and data entry. I'm the only user, so I don't need anything fancy. (Web, not app, because while I'll do some data entry on the phone, anything non-trivial is going to be done on a computer with a real keyboard.)

This sure feels like a solved problem, but I'm not quite sure what to search for. (Or rather, my searches are leading me to pages like "how to use .NET to build your web form".) My web hosting comes with CPanel links to set up both MySQL and Postgres databases. I think I know the basics of raw HTML forms but I don't yet know how to hook one up to a running database, nor how to access-protect it. I'm comfortable with the SQL to create and query the tables, and while every database is a little different on this I assume I can figure out data import from CSV.

Or maybe I should be looking for something hosted, like Google Sheets but for an actual database. (I've tried importing this data into Google Sheets. Using that on my phone is pretty terrible and it doesn't really support search anyway.) So long as I can export data from someone else's service, I don't need to self-host. But if self-hosting is easy I'd prefer that.

Out of curiosity I asked ChatGPT, and it gave me some PHP with a username and password baked in and a suggestion to do better security. The code doesn't do quite what it said it would do (based on inspection), but it's broadly plausible and ChatGPT even pointed out the problems with security, input sanitation, and validation.

Any advice from my readers?

My mother is not computer-savvy, and when she's ready I'll help her sort out my father's computer stuff and (I hope) break into his account so we can sort out whatever household stuff he was managing online (like bill payments). She has "an old password" written down; here's hoping that helps.

She mentioned, in passing, that she'll contact their cell carrier to drop his line -- no sense continuing to pay for a second phone, after all.

Do I need to prevent her from doing that until we determine whether he was using 2FA for anything? I haven't figured out the right search queries that will cut through what you should do in advance lest you lose your phone. Like, I don't know where or if he was using 2FA, so I can't just go in and set alternate recovery addresses or something. The point is to be able to get into those accounts later, when my mom is ready. Does she need to keep paying for cell service so that phone number will be able to receive texts, or is there some other way to handle that? Should I go with her when she visits the cell provider (yes she was going to go to a store and do that in person)?

Anybody among my readers navigated this before?

My employer got bought (again) about a year ago, so we're being moved onto a new benefits setup as of January 1. This means new health insurance (with new prices, sigh...). We were told we'd get our ID cards in December. I have an appointment in early January that would be a pain to reschedule, so I've been watching for these.

Today I received physical mail, but instead of cards, it contained a piece of paper telling me my plan ID # and a URL where I can request cards or print my own.

They sent me paper to tell me how to request paper, instead of just sending the actual paper I needed.

After creating an account (another set of hoops, elided) I saved PDF copies, but I also asked for physical cards because paper probably won't stay in good shape in a wallet for a year. But this was unnecessarily complicated. I also hit a stupid limit: you can make one request per day, but both my medical and dental insurance are now with this carrier, that's two cards, and there was no way to request all cards. I requested the first, which was apparently successful, and when I requested the second I was told I couldn't.

The letter I got suggested I could use "digital cards", meaning download an image on my phone and skip the paper entirely, to "save space in my wallet" (not a concern, since I'm replacing this year's cards!). But my healthcare providers always want to hold the cards, sometimes keeping them for a while so they can do data entry at their convenience during my visit, and I'm not handing over my phone for that. My phone stays with me or, at worst, within my sight and otherwise locked. So paper it is.

I don't know if I'm abnormal or the insurance provider didn't think through their security model (maybe both). They sure didn't think through their model of what's convenient for users or lower-waste for the planet. By the time this is done they will, it appears, have sent me three separate pieces of physical mail.

I came back from Shabbat to a link to this interesting blog post by Jon Ericson. Jon and I haven't discussed this.

The original post contains links that I haven't reproduced in this excerpt:

After contemplating the situation for many years, I've come to the conclusion that Monica ran into a wall of injustice veiled in the language of progressivism. Applying Bari Weiss' framing, Monica was powerful within the community so her behavior was suspect by default. The factors I thought were to her favor by the new ideology didn't seem to matter:

1. She has vision problems which puts her at a disadvantage in the age of screens.
2. She's a woman in technology which means she's in the minority.
3. She's Jewish which puts her in a minority that's been discriminated against so often there is a common word for it in English.

The analysis I should have understood was:

1. It's possible the people deciding her fate didn't know about her vision. In any case, vision is a problem that can be corrected with technology and money.
2. In the calculus of intersectionality transgender people are more marginalized than straight women.
3. What I thought were strong arguments that removing a Jewish moderator on the Shabbat before Rosh Hashanah was a bad look, turned out to not matter. I can't prove it, but I suspect it's the result of subtle antisemitism that comes from observing that Jews tend to be successful in certain fields. Jew might be a minority, but they aren't under-represented so paradoxically that must mean they are among the powerful.

I'm not an expert on these things and so I operated under the naive assumption that progressive ideology was working toward the goal of treating people as if we were all created equal. But the standard tools of the new morality are ineffective. Instead, the logical conclusion of the new ideology appears to require mistreating people who don't conform to its evolving standards.

Granted that I'm biased, but if you're still using Stack Overflow or Stack Exchange, either the free sites or the paid service, it's probably time to reconsider. Squandering community trust was already a core business practice, and now it seems like they're having trouble keeping the lights on despite massive cash infusions.

2023 has not been a good year for them. In May they laid off 10% of the company including 30% (!) of engineering, and diverted 10% of those who remained to chasing the AI hype train. Then they barred moderators from acting against ChatGPT-generated nonsense while lying about that policy to the larger community, causing an unprecedented nine-week moderation strike. Early in the strike, it came out that the CEO had personally ordered that the regular data dumps be secretly shut down. (They apparently did not secure the silence of the people they fired.) Those dumps were, from the beginning, a company commitment to the users as an insurance policy against the company turning evil -- you could always take the data and go elsewhere. Except now you couldn't. So that was kind of a big deal, and restoring the data dumps got added to the strike demands.

The strike eventually limped to a settlement, with the ChatGPT policy mostly rescinded, the dumps restored, and a company promise to communicate better. Many remained skeptical; company claims of caring about the community have not stood up to scrutiny in the past, and the current CEO seems especially disdainful. I guess people decide when they've hit the trust thermocline at different times; for some of us it came in 2019, some earlier, and some over the intervening years, and some haven't hit it yet. (This is why it's so hard for communities to migrate. Communities don't move; they fragment.)

But while they've been mistreating their communities, it looks like they've also been having trouble with their paying customers. Cory Doctorow's essay on enshittification) comes to mind.

On Monday they laid off another 28% of the company. The layoffs included another two community managers who had advocated for the community, reminding me of when they purged people who had pushed back against toxic company actions in 2019. Questioning the executive team is dangerous to one's career. People are asking some rather pointed questions about the latest action, not that we should expect any meaningful answers. I think the VP who opened that discussion did it to try to channel the venting, not because anybody in company leadership cares.

In the past, the tension at Stack Overflow was between investing in the business to make money and investing in the community whose content enabled a lot of the business. There were trade-offs -- can we make more money from ads without pissing off users, can we neglect maintenance the communities depend on to invest in the SaaS product, can we lower our quality standards to draw more beginner "engagement", etc. "Trade-off" implies that you're giving up something to get something else, but what they're currently doing seems to be bad all around -- they're failing to make money from their paid products and also failing their communities. Prosus, who bought Stack Overflow in 2021 for a jaw-dropping $1.8 billion, must be feeling like chumps right about now. The cost-cutting feels like leadup to a sale, presumably at a large loss, to stop Prosus's bleeding. I wonder how that will go. I'm so glad I don't have to care.

If you are someone in the US who needs to keep the existence of your mobile phone a secret -- for example, someone in an abusive relationship who might need to be able to call for help -- then you might want to turn your phone off for an hour or so tomorrow. A test of the national emergency alert system will hit all phones (and TVs and radios), making a loud noise even if you have it in silent or vibrate mode. Scheduled start time is 14:20 Eastern time (UTC 18:20) and alerts could come for half an hour after that time.

Also:

Smartwatches, tablets and other connected devices might also receive the alerts depending on how they are set up and if they’re connected to cellular service directly or tethered to another device that is.

Me: Opens help chat with Netflix (there is no email option).
Chatbot: Title?
Me: Accessibility options for choosing shows

Chatbot: Sends links to irrelevant articles I already had to click past to get to the contact link.
Me: Clicks "chat with an agent".

(Opening handshake.)

Agent: Can you elaborate the issue that you are facing?

Me: When browsing shows, either on my TV or on your web site, you only show graphics for the shows. I don't see very well and the art is often hard to see, particularly if the show uses small or fancy fonts. Is there a way to see a text list? You used to have that for the web site (but not the TV) but that's been gone for a while. I do not want to have to hover over or navigate into each thing when browsing -- too many to do that. I'm looking for a way to scan a list of titles I can actually see.

Agent: The list is not available anymore

Me: Is there some accessibility setting I can change? It's really frustrating to not be able to navigate your offerings.

Agent: I understand, but there is no setting

Me: Thank you. I understand. How can I escalate my concern? I know that you cannot fix it but somebody at Netflix should be concerned about ADA/accessibility. How do I reach that person?

Agent: There is no one that can resolve it. I can pass on the suggestion and the feedback to our team. And they will look into it.

I suspect I know how that will go. I have the impression that all the streaming services are anti-accessible like this, though I've only done cursory browsing. They probably all think it's ok because everybody else does it. Netflix has had this problem for a while; I don't often use the service because of that, and every time I go to watch something I am reminded of how hostile it is. (In case you're wondering, my Netflix subscription comes bundled with something else; otherwise I probably would have dropped it by now because of this.)

The person who murdered my friends at Tree of Life has just been sentenced to death. There will presumably be years of appeals, but it still feels like there's some closure. I mean, as much as there can be when people we cared about are gone and obviously aren't coming back.

I have complicated feelings about the death penalty. In this case I found the defense's arguments wholly unconvincing. We're supposed to believe that someone who spent months planning an attack, who talked coherently about it on social media, who carried it out methodically, and who showed no remorse -- should get a pass because he had a difficult childhood? Lots of people have difficult childhoods but don't turn into bigoted murderers, y'know? I'm no expert, but it seems to me that he was clearly capable of forming intent, and did. I guess the defense made the best arguments they could; they just didn't have much to work with.

I've noticed that the local Jewish newspaper does not use his name, and neither shall I. We don't need to give him word-fame and help make him a martyr. He's a nobody, a murderous nobody -- Ploni.

I'm the main person doing bug triage for Codidact, which means I go through bug reports and requests that our users have made on our sites and, for the ones that will require code changes, file and tag GitHub issues for our developers. I tend to do these in batches and, unless it's urgent, with a delay -- sometimes the community wants to discuss different solutions first, so we let that play out.

I've been doing a batch of triage over the last few days. Sometimes a bug looks small and easy and I think "you know, fixing that would be less effort than writing it up and tagging it". Sometimes that's actually right. (I have three small PRs open right now.) Other times my attempt to fix it is followed by me writing up the bug. :-) Either way I'm learning stuff, which is pretty cool. Mostly I've been learning about front-end stuff, focusing on the "V" in "MVC". I hope to advance to Ruby/Rails; there are features I want that we haven't gotten to yet and maybe some of them are small enough for a beginner.

Someone asked me if triage is a chore. It's not; I actually like doing what I'm doing, because it's not just copying but analysis and refinement. I'm finding that I can bring a fair bit of architectural knowledge and history to the process. A bug report is a symptom, and sometimes the issue I end up filing is different (with a paper trail). I might not write much code, but I'm pretty happy with my GitHub contributions. :-)

I still don't have time for deep commentary (just got back from Origins; post about games to come), but there have been some developments since the Stack Overflow moderation strike began on June 5:

Data dumps

From very early on, Stack Overflow Inc. has published a quarterly data dump of all of the content (with attributions etc) from all network sites. This was the explicit insurance in case Stack Overflow turned evil in the future, like Experts Exchange, the company that led to SO being created, did. That stuff all uses the Creative Commons license and is meant to remain available.

Someone noticed that the June dump had not been posted on schedule, and asked a question about it. One of the people who was part of the 10% layoff in April replied, saying that the dumps had been disabled at the end of March with an annotation that they were only to be restored at the direction of the "Senior Leadership Team" (this usually means C-level executives). That drew some attention.

The company spent several days ignoring, then brushing off, then making excuses for this unannounced change. Nothing they said was credible. The strikers added "restore the data dumps" to their list of demands. After almost a week, the June dump was posted. No public promises have been made about the future yet as far as I know (though, see "was away for several days" above).

Spam overflow

With about 1500 curators (including about a quarter of moderators network-wide) on strike, and more importantly with the volunteer-run anti-spam automation turned off, the junk's been piling up. Reportedly, employees are now spending time handling spam, cutting into their day jobs.

While we're told that discussions are happening between representatives from the moderators and the company, they don't seem to have made much progress. A moderator told me that the company committed to keeping the data dumps coming, but it sounded like it was specific employees making the commitment, so the promise might not outlast their employment.

Rules for thee but not for me

In addition to violating the moderator agreement in a few ways (leading to the strike), the gen-AI-hype-chasing company recently announced that they are going to launch a site for "prompt design" (I am not making this up), but they're not going to use their existing process for creating communities because it doesn't work well, so instead they're looking for people to be part of a behind-closed-doors steering committee or some such, with the goal of launching the site by July 26.

The CEO is giving a talk about gen-AI hype at some conference on July 27.

Meanwhile, people who are trying to launch communities using the current process would like a word.

Meanwhile, over at Codidact...

Stack Overflow Inc. has given us a gift. We have lots of new participants and new activity, and some active efforts to build new communities here. Nice! We've gotten some questions about differences and was starting to think that we need an "immigration guide" and then someone reminded me of this early post asking about differences -- with a new answer from one of our new users. Nice.

It sounds like we might also attract some contributors on GitHub, which would be great. We have many things we want to do and not very many people.