derhagen

Proposal for a more sustainable, inclusive and secure IT infrastructure at the University of Oslo

2023-01-25T00:00:00+01:00

The Department of Informatics (IFI) at the University of Oslo (UiO) is working on a “Strategy and action plan 2023-2026” and asked their students and employees for comments. This is a slightly modified version of my comment from November 15th, 2022. I’m publishing it, because the problems and solutions I outline can be of general use for universities. Very little of what I say here is specific to UiO or IFI.

I want to underline that IFI is not responsible for UiO’s infrastructure. However, since UiO did not act on previous critique, I used IFI’s call for comments to raise my concerns, again.

IFI’s preliminary “Strategy and action plan 2023–2026” opens up with Sustainability as the first mentioned fundamental value. I couldn’t agree more with the opening sentence: “Raising awareness about sustainability has an important educational aspect in it; technology is not value neutral and can never be.” I’d like to underline a sustainability aspect that I feel is underrepresented in the general discussion: The concept of sustainability is not limited to so-called “green IT” and fighting climate change. As the UN’s 17 sustainable developent goals (SDG) provide, sustainability also includes goals like inclusive, secure and resilient infrastructure and accountable institutions. Goals that I do not see sufficiently fulfilled with UiO’s current IT infrastructure.

Research and campus life are strongly governed by a simple need: communication. Not least since the corona pandemic hit our campus in 2020, our communication crucially relies on digital communication tools. In this context, I’m critical towards the outsourcing of key digital infrastructures to commercial gatekeepers like Microsoft, Zoom and Facebook.

In the following I will elaborate on the status quo, where I see certain risks for security and privacy, barriers for an inclusive campus and study life, as well as in some aspects clear breaches of European privacy law. I will – based on other European universities as a role model and with reference to open standards and open source platforms – propose ways to improve the situation and to create long-term viable, cost-efficient and sustainable digital infrastructure that respects their students’ and employees’ freedoms, gives back control to the responsible institutions and encourages a participative and collaborative campus life.

Dependence on unstable providers and lack of control

Before I go on with issues I see with the use of particular providers, let me mention that outsourcing, while often cost-efficient in the short-term, generally leads to a lack of control, uncertainty and attached long-term costs. The chaotic acquisition of Twitter by Elon Musk has impressively shown how a single billionaire’s midlife crisis can lead to the destruction of any commercial platform, of a political ecosystem, to risks for security and continued maintenance and to severe damage to its users. While Twitter itself is certainly not critical for UiO’s infrastructure, other tech giants are facing uncertainty and destructive restructuring as well, in the light of a general Silicon Valley tech-selloff. The situation is further complicated by the Schrems II verdict that declared most EU-US data transfers unlawful. Some of the affected providers are currently crucial for UiO’s and IFI’s ability to operate:

Zoom

Unlike stated by UiO, Zoom is not hosted on a Nordic platform, but on Amazon

In the beginning of the corona pandemic, UiO hastily decided to primarily use Zoom for digital teaching. Two years later, alternative solutions have, to my knowledge, not been offered by UiO.

Using the Zoom client is a security risk

Since the web client of Zoom was not fully developed at that time (and still lacks full Firefox support), students had to download the Zoom client to their private computers. This was decided even though the app wasn’t running stable on Linux, and against the advice of well-known security experts: At that time, Zoom opened client ports for a public-facing webserver with root privileges on our private devices. An implementation risk so obviously unnecessary and ill-considered for a video conferencing app, it could be an example from a Bachelor-level security exam. While companies like Google reacted and banned Zoom entirely for security reasons, we were and are still forced to use this software for our studies and teaching. While some security issues have been fixed now, there has been a long, subsequent list of embarassing vulnerabilities in the Zoom client (some of which were not fixed for eight months) that originate in bad security practices.

Someone in the supply-chain lies about the privacy risks of Zoom

In UiOs Zoom-specific privacy note, it states that “UiO runs its own installation of Zoom via its subcontractors. This means that UiO is not subject to Zoom’s general privacy policy”. In the data processing agreement between UiO and SIKT (formerly Uninett), it indeed says that all infrastructure is deployed in Nordic datacenters, and that there are no subcontractors except for NORDUnet, a Nordic infrastructure collaboration, involved in the provision of the special UiO-Zoom.

~UiO’s data processing agreement with Uninett/SIKT

It would be nice if these statements were true. In reality, it is easy to check that they’re not. UiO’s “own” Zoom instance (uio.zoom.us) is not provided on Nordic infrastructure, nor is is it run by SIKT or NORDUnet…

~> nslookup uio.zoom.us

uio.zoom.us	canonical name = eu01web.zoom.us.
Name:	eu01web.zoom.us
Address: 134.224.82.224

~Unlike claimed, this IP does not belong to NORDUnet, and not to any Nordic platform

…but simply links to eu01web.zoom.us, the central Zoom server for all European Zoom users, owned by Zoom and hosted by Amazon Web Services (134.224.82.224). Both of them are US companies or subsidiaries.

Joining a UiO Zoom call using uio.zoom.us/join (open it in a browser) presents us with the following terms all students and employees have to agree to:

By clicking "Join", you agree to our
<a target="_blank" href="https://zoom.us/terms">Terms of Services</a> and
<a target="_blank" href="https://zoom.us/privacy">Privacy Statement</a>

~HTML snippet from uio.zoom.us/join

As evident from the links, “our” of course means the Terms of Service and Privacy Policy of Zoom (US), not those of UiO (Norway).

That such an issue should not be taken lightly becomes apparent in Denmark, where entire schools were running Chromebooks and Google Workspaces, until Datatilsynet suspended their use and data transfers to the US. On top of the ongoing intrusion into student’s privacy, such an abrupt requirement to use privacy compliant services at UiO would imply a major cost factor, interruption of teaching and a loss of trust and image.

Microsoft

The use of Microsoft as a central Identity provider is less of a concern for me as a user, but more one for the general security of UiO’s systems. It is easy to fill an entire lecture with Exchange security vulnerabilities from the last 6 months. However, what disturbs me even more is that in order to login to studentweb (UiO’s student portal), I have to disregard everything I have learned and teach my parents about basic internet security.

Unlearning best practices regarding Phishing

Every time I want to login to UiO services, I have to provide my Email address and my 2FA token to login.microsoftonline.com that masks itself as a UiO login page, a UiO logo included. The first time I tried to login, I literally believed someone is trying to phish me. From a security perspective, training people to give out their login credentials to a website that masks itself as another institution is a terrible idea. Now that people get used to accepting weird URLs as legit login sites, it will be easy to lure them to give their password to login.uioonline.com (which is still available by the time of writing). Since Microsoft just provides a closed system “as a Service”, I doubt it’s possible to change this particularly dangerous property without moving from the entire service.

Facebook/Whatsapp

When I first joined UiO as an exchange student in 2020, I was surprised by how heavily Norwegian campus life depends on Facebook’s platforms. In order to participate in the traditional “Buddy week”, it was necessary to install Whatsapp, and most student organizations and study circles are organized on Facebook. Even UiO’s events are primarily announced here. A dilemma for me, as well as for some other exchange students who were uncomfortable with using Facebook’s services. Leading a student organization myself, I still ocassionally receive positive feedback from internationals, just for providing a simple, independent communication channel. The social pressure to be on Facebook’s platforms is not only problematic, because Facebook is an advertizing company that creates personal profiles that include surprisingly intimate data like health information – even SiOs chlamydia testing website loads scripts from Facebook. But also, studies have found correllations and a causal link between using Facebook and mental health issues, including depression and anxiety among college students. Having to choose between a negative impact on your mental health and social isolation – that is not a choice humans should have to take. On top, of course, Facebook’s business model primarily relies on selling advertizing and thereby stimulating unnecessary and unsustainable consumption.

Proposal to the strategy plan

An IT strategy is a difficult thing: IT systems have grown over time, there are multiple stakeholders, responsibilities and users that have gotten used to their tools. Therefore, my first proposals are rather general:

In their strategy plan, the Department of Informatics (IFI) should acknowledge the presented issues as blocking factors for many other declared strategy goals, including inclusiveness, trust-based leadership, a communicative environment and compliance with privacy law
IFI leadership should raise awareness for the mentioned issues with the responsible parties at UiO and USIT
The university’s IT concept should consider the inclusiveness of social life and student organizations’ communication platforms
For resilience and sustainability, all future IT investments should, where possible, be based on open source software and/or open protocols. In the long term, this will be a cost-reducing measure, as these tools can be independently improved and developed, instead of replacing them
These efforts could be coordinated within a Norwegian/Nordic effort to support independent and improved academic communication and collaboration inside and between institutions

Even though the primary responsibility for IT infrastructure lies with UiO and USIT, I think that the Department of Informatics (IFI) can play an important role in making a change:

IFI, given they work with technically interested students, should be an evaluation arena for alternatives to the currently used IT infrastructure. Solutions that prove to be successful at IFI can then be implemented at UiO
IFI should ask UiO for appropriate funding for such a venture and also apply for public funding, possibly even in terms of research on social and sustainability aspects of IT
IFI’s infrastructure development should be linked with IFI’s classes: Improving an open source tool is both a great and meaningful course project, gives students some real-world experience, but also benefits IFI with better digital infrastructure, customized to IFI’s needs

From my personal experience, I can recommend a number of tools that could be evaluated for many different aspects of academic and campus communication:

Internal organization and communication
- I was made aware that IFI runs a Mattermost, that’s great!
- I even more recommend Matrix / Element, which allows native (video-)calls and inter-institutional communication, and therefore suits academia’s needs for exchange with external researchers. It’s used by academic institutions, the French government, as well as inside the German health system. I’ve written down further thoughts about Matrix in my blog post “We need new communication infrastructure for academia”
Video conferencing
- Any video conferencing tools should be feature complete in the Browser and fully support Firefox- as well as Chromium-based browsers. It is a pain to force external guests to download Microsoft Teams or Zoom, before they can join a simple call.
- My recommendation goes to Jitsi, which nowadays scales just as well as Zoom, thanks to the implemented Selective Forwarding Unit
- Another option might be BigBlueButton
Social life, events and outreach
- The previously mentioned Matrix / Element also makes for a great replacement for Whatsapp and Snapchat, and would therefore positively influence the inclusiveness of general campus communication
- Events and public, social communication could happen on Mastodon, or any other part of the decentralized network called the Fediverse
- More complex student organizations could benefit from the use of Discourse, a structured community platform that can be used in different ways – e.g. like a mailing list or a web forum
Collaboration
- Nextcloud Hub is my undisputed recommendation for file sharing, collaboration and many further productivity applications. It’s used by the German and French government

I’ve seen all of these tools and standards being used in production, in schools, universities, companies and public bodies. As a German citizen, I can assure that the central-European university infrastructure – specifically in Germany and France – works well, and is to a significant extent based on the tools I proposed here. The required cost and maintenance of these systems on own or rented infrastructure, running on cheap, green Norwegian energy, could easily be offset by the savings from licensing and service cost we are currently paying for proprietary solutions.

If all relevant decisions and profits are made by the same five Silicon Valley companies, respectively their investors, studying IT seems kind of pointless.

Also, from a general perspective (and from my personal experience), taking control over infrastructure is important for the spirit of an IT student: If all relevant decisions and profits are made by the same five Silicon Valley companies, respectively their investors, studying IT seems kind of pointless. Being optimistic towards the possibility of making a change or towards starting a business in Europe can be positively influenced by seeing infrastructure being used that’s not under quasi-monopolistic control.

We need new communication infrastructure for academia

2022-09-27T00:00:00+02:00

Having attended a great conference and scientific networking event last week, I came to realize again the dysfunctional, scattered nature of today’s communication infrastructure that even scientists can not escape from.

Let me map out the current reality of sending each other messages: We were invited to a conference with over 200 researchers. To maintain communication among the participants during the event, the organizers decided to maintain a conference app, based on a solution from a random German company nobody had ever heard of. This app contained a chat service that seemed to work, and some people used it. The app also sent out important conference notifications. During the first day of the conference, most of the younger researchers joined a Whatsapp group for organizing bar trips in the evening. Some of us had to install the app first, some of us refused to do so. I’m one of those who refused, partly because Whatsapp requires me to hand over my whole address book to them, which I’m not willing to do without my contacts’ consent. I got some participants’ phone numbers and stayed in touch with them over Signal or SMS. Most of the long-term connections, I believe, were established through the exchange of good old business cards with printed email-addresses on them, that now fill my desk. I guess in a couple of cases, people connected through mutual follows on LinkedIn, Twitter or ResearchGate, if both parties used these platforms. Do you realize just how many apps and platforms one needs to take care of, just to keep in touch with a handful of scientists? What a mess! It is no wonder that conferences are so crucial for science, since they seem to be the only way to get everyone on the same boat for a few days.

As a researcher, I try to maintain a clean and structured desktop – both physically, as well as on my phones and PC’s home screen. However, just every morning’s “keeping up to date” nowadays involves checking your email, possibly opening LinkedIn, Twitter, ResearchGate, checking your Whatsapp, and maybe your working group’s slack channel. This chaotic waste of time makes me start my day scatterbrained and annoyed. It doesn’t help that a lot of these places are advertising-infested surveillance hellholes. Further, some of these platforms don’t allow a clear separation between private and academic contacts and thereby facilitate procrastinating. Who of us never suddenly regained consciousness at lunchtime just to realize they must have gotten lured into browsing memes and friends’ vacation pictures about three hours earlier?

I therefore propose to throw most of the old platforms over board and start over new. Thereby it seems natural to me to distinguish different ways of communicating: One the one hand you get in touch with someone to discuss an idea, have a chat or to send a relevant message to a defined group of people. This sort of communication is often covered by instant messaging apps like Slack, Whatsapp, Facebook messenger, LinkedIn’s chat function (is anyone actually using that one?) and so on. This sort of communication is what I’ll cover in this article. There will be a follow-up text that discusses types of communication without a clear intent or without a clearly specified audience, like it happens on twitter, ResearchGate, and other more social-network-style platforms.

When it comes to that first-mentioned type of communication, I see a couple of requirements scientists should demand from their infrastructure:

Frictionless, structured use

The system should be as simple and clean as possible, not adding unnecessary complexity to our work. Contacting or calling someone should be as easy as walking to the office next door. Incoming messages should be presented in a structured way. This includes a possibility to separate e.g. private contacts from students attending your course and your academic work group. Such a separation could be provided through different identities or by a good UI. Of course, the system should work with smartphones as well as on desktop PCs.

Free from ads

Ad-freeness is not only a direct consequence from the requirement before, but ads and scientific virtues also directly contradict each other. We’re constantly trying to reflect and mitigate the effects that unconscious biases have on our world-view. Being spammed by marketers who tell us which product is the most healthy and which party we should support does the exact opposite. Just remember how the tobacco industry corrupted the scientific discourse in the 20th century by consistently promoting other causes for lung cancer.

Independence from commercial gatekeepers

Yeah, that capitalism thing: If a commercial actor acts as a gatekeeper, they will either disappear or find a way to monetize their status to the disadvantage of their users (i.e. yours). That might happen through ads or by charging you excessive fees, while you are stuck with them. We’ve already made that mistake in scientific publishing.

Free from surveillance

Researchers need to communicate in a secure and private manner. A guaranteed private channel is important to be able to freely speak from your mind. Other researchers stealing your genius, unique ideas should only be an afterthought, given that in some countries, critical scientists are targeted by state oppression. You never know who wins the next election in your country (Sorry, Italy!). Secure end-to-end encryption should therefore be a requirement.

A clear path to establish a global standard

All these efforts require a certain consensus among scientists and scientific institutions. We lose the “Frictionless” property if communication happens on 5 different channels, and we risk excluding those who for the sake of some peace of mind didn’t follow up on the most recent app.

Alright, given all these requirements, I claim that coffee breaks at your favorite conference are the best we can do so far. They are globally recognized, more or less ad-free, frictionless, and if you want privacy you can whisper. The only gatekeeper is that you should better like coffee – and be able to pay the conference fee. However, having hundreds of people fly around the globe to attend a talk and have a cup of coffee together doesn’t scale too well.

Email is another approach. By its concept of federation (please remember this word for a second), universities can host their own servers and keep in touch with the outside world at the same time. Emancipation from gatekeepers? Yes. Global standard? You bet! However, email is not exactly frictionless, since it’s missing a bunch of modern features. “Calling someone” usually means sending a calendar invite to a Zoom call 3 days later. And neither Email nor Zoom is a trustworthy medium of communication.

However, the federated concept of email finally leads me to my proposal: Let’s use the matrix protocol. Just like email, matrix is an open, decentralized network, where universities can host their own server. The good thing is, it’s not email. It’s an extensible communication protocol that allows instant messaging inside and between institutions, and even voice and video calls. I’ve seen organizations that successfully replaced their slack and zoom with matrix and temporarily an embedded jitsi, since native group video calls are still under a bit of development. Matrix is end-to-end encrypted by default, even in group chats. Possibly one the best features is the possibility to bridge. If you still got some colleagues in that one old slack channel, just connect it to your matrix server! Depending on the platform you are bridging to, this might be easier or harder, but there is plenty of available bots and bridge-applications that may help you. My client, Element supports the spaces feature, so I can easily group contacts into “Facebook friends”, “Computer club folks”, “Academic contacts”, and “The slack channels from that NGO I work with”. Element is developed with a high pace, but feels very stable and ready for everyday use. Even though there is a bunch of features I’d still like to see implemented – which I could help with, it’s all open source – I love using it.

Back to the conference use case: How simple would it be to just join the channels #notifications:coolconference.org and #barhopping:coolconference.org with the app and account you already got from your home university? And in case you forgot to exchange business cards with that one combinatorics guy from XYZ university you had beers with last night, you could just find their handle @combinatoricsguy:xyz.edu in one of the channels and use it to keep in touch with that person. That’s exactly what matrix allows!

Well, one question remains: Can we make matrix a global standard for scientific communication and avoid xkcd’s infamous “15 completing standards” problem? I think a good part of that work is done by bridges: You can gradually move organizations to matrix by bridging to their current solution. Further, if we convinced a couple of universities to host matrix servers and give accounts to all their students and personnel, we’d have a huge user base all at once! Some universities and schools already run an instance! The German health system and the French government adopted it. So, even if I can’t really provide a waterproof argument here, I think if one protocol has the most potential and momentum, while fulfilling my outlined criteria, it would clearly be matrix. Universities were once considered avant-garde when they hosted some of the first email servers in their data centers. I think, adopting matrix would be a sensible opportunity to prove that, once again. Give it a go, text me on matrix!

This article has been written with a scientist audience in mind, but most of it equally applies to non-academic organizations as well. So if you are a commercial enterprise, a public administration or just a group of friends, and you’re currently stuck with slack or facebook or whatever, I hope I gave you some arguments to consider switching matrix.

What’s next

Well, matrix obviously doesn’t help you discover new interesting publications like ResearchGate does (Actually there is an RSS bot you could hook up to arXiv, but that’s not the point). It won’t help you use your #followerpower to make your current problem go somewhat viral and receive some input from random folks on the internet. Apps focused on instant messaging don’t provide a neat way to “connect” with someone, view their profile and receive updates on their latest works. I will handle these more social-network-style use-cases in another post. I could well imagine taking some inspiration in the decentralized twitter clone mastodon, the fediverse and it’s supporting ActivityPub protocol. Should we interbreed ORCID and google scholar with ActivityPub? I’ll have to think about it, but feel free to text me your ideas. See you soon!

I'm quitting my PhD

2022-05-23T00:00:00+02:00

Just a bit over half a year ago, I started my PhD in Quantum Computing. Even though I basically didn’t have any previous knowledge about it, I thought Quantum Computing was an interesting challenge to get into. What should I say? Quantum Computing is really cool, indeed! Having a background in Theoretical Informatics, new complexity classes (BQP and friends) are exciting to work with. Also, studying the underlying Quantum Mechanics and understanding this new concept of how physical reality might look like under the hood (there are actually multiple interpretations of that, from Probabilism to the popular Many-World-Theory) has been eye-opening.

However, just a couple of months into my project, I figured out, I wouldn’t find anyone to discuss my research with: My supervisors have a rather superficial understanding of Quantum Computing, and I feel like their idea to start a project in that domain was to a not inconsiderable extent motivated by the prospect of granted research funds, not primarily by their desire to achieve a deeper understanding of quantum stuff.

So there it was me, an excited PhD student driven by scientific ideals, trying to find and discuss a meaningful research question in a new field vs. the harsh reality of being the first PhD student in the project, without a PostDoc or supervisor to reach out to discuss with and to get some basic orientation from.

For quite a while, I didn’t know how to think about this situation. Of course, it is primarily my PhD thesis, so shouldn’t I try and make the best out of it? I should take some responsibility myself, right? I tried that. I read a bunch of books, watched more lectures, only to understand that the pure accumulation of knowledge does not help me finding orientation, quite the opposite. And the more I understood about Quantum Computing, the better I understood that the work that had been done in my research group before had been a rather performative act, aiming to produce PDF files that would be accepted at conferences (which seems to be easy-going if you sprinkle some fancy quantum vocabulary over something and hand it in to a non-quantum conference). I felt less and less comfortable in a setting that apparently expected me to pick some low-hanging – let’s call it fruits – and call it a day. After all, science is all about the pursuit of knowledge, even though the incentives of research funding might not be entirely aligned with that (I learned about The Declaration on Research Assessment (DORA), after starting to write this post).

I reached out for help. I expressed my doubts and difficulties to other PhDs as well as to more experienced researchers. Interestingly, most other PhDs could very well empathize with my situation and asserted me that my expectations in a certain amount of scientific supervision were justified and that I can’t be expected to create meaningful research entirely on my own. Conversely, the higher up or more experienced somebody was, the more often I got to hear that a PhD is generally seen as something you have to endure if you want to be a successful researcher afterwards. That I have to focus on my title if I want to be a researcher. It feels weird to me that experienced scientists tend to use anecdotal evidence of their own or other people’s underwhelming supervision situation to relativize my struggles. The difference between something being seemingly common, and something being acceptable or reasonable should be obvious, I thought.

After all, I decided to quit. I might not have tried everything humanly possible to rescue my PhD, but I feel like I have already wasted much more of my personal energy than I should have. Understanding what’s going on (and daring to put words on it) took me a while and while I tried at first to create an environment that I thrive in by addressing the issues I struggle with, I felt like my supervisors became more and more defensive. Meanwhile, even though I came up with a couple of theoretical research ideas that I would have liked to seen discussed, I was asked to find something that does not require so much understanding of Quantum Computing, something “more hands-on”. Now I’m at a point where I’m burning out. I’m getting frustrated the moment I sit down at my desk, I waste too much time idling, I can barely manage to read books I’m interested in. I hate that.

However, I don’t see my frustration as a reason to not like research, quite the opposite: Six months ago I was full of motivation and curiosity: I decided to take a TA position which I’ve been enjoying, I attended physics lectures, just for fun. I rather feel like it’s the people around me who don’t enjoy being researchers. It isn’t the first time such an environment has been burning me out (in particular when I was highly motivated in the start). For the future, it would probably be the easiest to cut down on my expectations and do what I was told: Focus on my title. But I feel like in that case, I would become one of them, forever chasing after the next title without ever finding fulfillment in the present.

Paradoxically, the only way to maintain my scientific standards seems to be dropping my current PhD and trying again, some other time. It’s terrifying to hear how many PhD colleagues of mine seem to admire me for that decision, because they feel similar towards their studies. It shouldn’t be that way. Thank you all for your support, for your open ears, for your time, no matter of what you advised me to do. Don’t risk your own mental health for a title and be assured you will find my and others’ support, should you ever decide for a change.

Disclaimer: This article has been primarily written to clear up my mind, and to potentially receive constructive, uplifting or critical comments from others. I feel like it helps me cope with a frustrating and difficult situation. I do not intend to attack anyone.

Also, what I outline here is of course anecdotal, even though I seem to not be alone with my feelings. I’m sure there is a lot of researchers and supervisors out there who are excited about their research and enjoy supervising. If you are one of those, are possibly based in Scandinavia and work on Quantum Computing, Game Theory, privacy research or policy, traffic planning or decentralized energy networks (i.e. with cables and hardware and reasonable protocols and stuff, not by adding 5 layers of blockchains on an already dysfunctional energy market), please get in touch! The same holds for those who just want to leave a comment, maybe struggle with their PhD themselves, or just want to say hi :)

Which BibTeX toolkit to use in conjunction with XeLaTeX

2021-08-26T00:00:00+02:00

This post is primarily a note to myself and collaborators, to avoid explaining and looking this up and over and over again. What is the modern way of making use of a .bib file in a document compiled with XeLaTeX and why?

Let me highlight the main point from this detailed explanation from the SO thread about the differences bibtex vs. biber and biblatex vs. natbib:

The biblatex package is being actively developed in conjunction with the biber backend.

…while natbib is pretty much dead and bibtex’s only advantage is being “very stable and widely used”, while it’s inflexible when it comes to changing the bibliography style. Also, as explained here biblatex with biber as a backend gives you access to RIS, Zotero RDF/XML and Endnote XML data sources, remote .bib files via HTTP, cross-referencing between entries, and full Unicode support, which is the primary reason I use XeLaTeX. We need those äöü and emojis, there is no excuse not to use Unicode/UTF-8 any more.

So, just go for

% Bibliography settings
\usepackage[backend=biber,urldate=iso,seconds=true]{biblatex} % Imports biblatex package with biber backend and ISO dates
\addbibresource{sample.bib} % Import the bibliography file

and \printbibliography % Prints bibliography.

The `.bib` file format

As mentioned in the above SO thread, BibTeX / BibLaTeX may also refer to the file format of the .bib file. In our configuration, we make use of the more modern BibLaTeX format that is mostly backwards-compatible to BibTeX-formatted files. Read §2.3 Usage Notes from the BibLaTeX documentation for compatibility notes, most notably the different meaning of the @inbook type and the new date field.

Magic comments

If you’re on XeLaTeX, you also might want to use these magic comments / TeX directives in the beginning of your files, so some IDEs (including TeXShop, TeXStudio, TeXworks) adjust their compiler and encoding automatically.

% !TEX TS-program = xelatex
% !TEX encoding = UTF-8

How to find a Bluetooth amp that doesn't suck

2021-04-29T00:00:00+02:00

Living in a Scandinavian city has its perks. Like finding two perfectly fine speaker boxes on the street. Unfortunately, the amplifier was already gone. No problem, I’d just order a $10 bluetooth amp from aliexpress and have a nice stereo at home. I thought. Well, turns out there is a couple of ways they can suck.

The amplifier chip

Of course I watched a youtube video titled something like “The best china bluetooth amp” and adjusted my purchase to their trustworthy judgment. They recommended boards based on the TPA3118, a 2x30W amplifier chip by Texas Instruments. That’s what I bought. Turning it on for the first time, I was actually quite satisfied with the music quality. But listening to radio reports or audiobooks was a pain: I assume for power saving reasons, something inside the bluetooth stack turns itself off after a second of silence or so, and cuts a split second off the beginning of every sentence. Once you notice, you can’t not hear it.

The bluetooth chip

What I should have done is not only picking a proper amplifier chip, but also putting some weight on a good bluetooth module. The one I got was… not even listed on the offer page. So probably a shitty one.

If you want something more high-quality, you could check the spec sheets at Qualcomm. Chances are they also produced the bluetooth chip in your phone. I went with CSRA64215. In the spec it says Bluetooth 4.2 and aptX, aptX Low Latency, SBC and AAC decoder support. These codecs are important, they specify how your phone or laptop communicates to the amp, and this includes a potentially lossy audio compression. Likely, a broken codec implementation caused my problems. aptX (as much as I refuse to advertise for a proprietary codec) is a higher-quality one, aptX HD might have been even better. It’s also owned by Qualcomm, so I really hope they know how to properly implement it. Further reason to go for this chip was that there is bluetooth amps with it available. I went for this one (see last paragraph) that fraudulently claims bluetooth 5.0 support. Well, it will do the job, I guess. And I like that the bluetooth board is a bit separated, so I might desolder it if the amp breaks down. As a nice bonus, the board exposes serial pins that should allow me to mess with the firmware and change the bluetooth name. I’ll edit this post as soon as it arrives.

Edit Jul 2021: Well, the board I ordered most likely came with a BEKEN BK3266 chip, not with a Qualcomm one. Still, it works great and I recommend it. It was quite easy to get a serial connection to change the bluetooth name and disable the annoying “Bluetooth pairing successful” message everytime I connect a device. Seriously, Aliexpress guy, why not just “beep”? Check araczkowski’s repo for the necessary AT codes.

AirBnB ignores the GDPR, and the Irish DPC is a fig leaf

2020-12-02T00:00:00+01:00

A couple of weeks ago, I decided to delete my AirBnB account. I had only used it two times in some years anyway and – while their platform is certainly comfortable to use – I prefer not to externalize my cost of traveling to those who need a place to live in, as I do in my own hometown. Turns out, deleting your account is easier said than done. While I was writing this article, I even found out that I had already tried to delete my account a year ago without success.

So what happened? The account deletion procedure is quite straightforward: You log into your account, after a while you find the form to delete it, verify yourself with a code sent to your phone, and that is it. Some dark patterns trying to make you “deactivate” your account, which pretty much doesn’t do anything at all, but we’re used to that, right?

Except, a while after I did this, I received an email:

We understand that you would like to exercise one of your data rights, namely the right of erasure. Airbnb is required to verify that the person making the request is the data subject entitled to the information being requested. […]

We kindly ask you to send us both of the following:

A re-statement of your request

A photocopy of a valid official government ID such as your driver’s license or passport to validate your identity and to facilitate your request

In other words: Thanks for your request. How about you ask us again? Further, your email, password, and the code sent to your phone certainly enable you to spend your money here, but our login system is not secure enough to authorize a deletion of your data.

Well, slightly annoyed, I repeated my request, mentioning that I verified three factors (Email+Password/Phone number/Ownership of email) to authorize my request now. The GDPR was on my side, since Art. 17 defines the right to erasure. While Art. 12(6) reads “[…] where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.”, I don’t see any way in which my identity could have been reasonably doubted at this point.

Long story short, what followed was 10 more emails full of customer service bullshit, a mail to the Irish Data Protection Commission (DPC), and finally, three weeks after my initial request – and without me uploading my passport:

We understand that you would like to delete all of your personal data. Please understand that this means that we will no longer be able to provide our services to you.

As you have provided us with sufficient information to prove your identity, we’ve started to review your request.

What a boring adventure! Well, aside from AirBnB not giving a damn about our funny European GDPR, I wondered the most about the DPC’s answer, that, while generally helpful, included the following paragraph:

Please also note that the Data Protection Commission (the “DPC”) acts as an independent regulator, and is therefore not in a position to approve or otherwise any specific data processing operations as this could prejudice the investigation of any future complaints. We are an independent office whose primary function is to give general guidance to members of the public regarding data protection.

To be clear: The responsible party for all AirBnB’s non-payment activity in Europe, where I live, is Airbnb Ireland UC¹, which makes the Irish DPC the responsible agency to send complaints to. This agency tells you that it won’t actually interfere with any data processing operations, since this might influence how future complaints are handled. That’s exactly what I thought was part of their job: Giving out fines to companies, thereby further clarifying the GDPR’s application. Or is the Irish DPC more of an outsourced call center for US companies to keep complaining customers busy? It’s not a secret you sometimes have to sue the DPC to make them do their job. But such a clear confession that they don’t intend to enforce the only law they are supposed to deal with is bizarre.

In the European Union, we have a traditional race to the bottom, in which Luxembourg, failing to contribute economic value, makes its money by being an inner-European tax haven. In the same way Luxembourg welcomes companies that don’t intend to pay taxes, Ireland openly advertises for companies who don’t want to be bothered by the GDPR. I told you that AirBnB is based in Ireland? Guess, where AirBnB based their payment services in Europe¹.

https://www.airbnb.co.uk/help/article/2860/outside-the-united-states ↩ ↩²

Video Conferencing is broken for many physical scenarios

2020-08-19T00:00:00+02:00

Most video conferencing systems generally assume the same physical usage scenario: We have n users who sit or lie around in distinct physical locations, each of them having a client device to participate in an n:n video call, i.e. everyone can talk to everyone. Even though some platforms came up with a designated presenter or breakout rooms, I haven’t seen the assumptions of the physical separation challenged yet. Thereby, we have been struggling with different physical scenarios for a while. People who have a conference room at their workplace, that is just too large for a conference phone, know the terrible “catch box”, a soft wireless microphone cube that is thrown from speaker to speaker, but is also magically attracted by half-empty coffee cups.

1. The classroom

A very similar setup comes up, now that university classes start again, with some students attending in-class and some online: If questions come up from the students in class, either the lecturer repeats them out loud, or we start passing microphones around for discussions. One of my fellow students came up with the idea to just follow the class both online and in-class. When we want so speak, we can unmute our laptop/phones, so the online participants can hear it. Unfortunately, in order to avoid feedback loops, the lecturer has to mute the room speakers, that we need to hear them. A lively discussion involving both groups of students is not really possible, this way.

2. The study group

There are more scenarios where a similar problem comes up: Students meet up physically in small, decentralized study groups to participate in an online lecture together. This is not a problem, as long as only one laptop is used, but this becomes difficult if you have to maintain a distance to each other. So each of us watches the lecture on their own laptop, with all but one having their speakers muted – or using headphones. Again, if one of us is asking a question, we have to mute the speaker/headphones in order to avoid feedback loops or to not hear the speaker in the room twice: Once in reality, a second later in the stream.

A solution proposal

Overcoming the first problem would be as easy as introducing a “microphone-only”-mode to video conferencing systems in the following way: Online participants join the conference in the usual way, whereas students sitting in the classroom or lecture hall join in the “microphone-only” mode that simply provides a basic push-to-talk functionality, nothing else. Assuming that the conference host is the one that controls the room speakers, the conferencing system could play the audio stream from students in class only to those participants that are not the host – and not “microphone-only”, of course. That’s basically a selective BYOD room-wide microphone array for each classroom that does not require any installation. Who needs expensive conference room installations any more, when a beamer, a speaker and n laptops or phones are all we need?

To solve the second problem, we can generalize this approach, but this requires our system to have a more detailed awareness of the physical context, i.e. which participants are in the same room with each other. While it would certainly be possible to figure this out automatically, as long as one device per room has their speakers enabled to send an identifying audio signal to the others, it would be sufficient to manually group clients if they are in the same room, so none of them hears the audio from the others – at least not through the video call. In the same way we don’t want to hear our own voice in the call, which we probably take for granted, but which means that some kind of client-specific selection of the audio streams already happens, anyway. This functionality would just have to be generalized to the set of other clients in the physical room.