A Do It Yourself Future

I would assume that most people who read Nineteen Eighty-Four understand that the Party is supposed to be the bad guy. However, most politicians and a large number of corporations seem to believe the Party is the good guy and should be emulated as closely as Snes9x attempts to emulate the Super Nintendo Entertainment System.

It seems like every day we see news of new surveillance technologies either being mandated by politicians or voluntarily implemented by corporations. The two entities aren’t always intentionally working in tandem. Many of the surveillance technologies implemented by corporations are done for profit. Google and Facebook for example have business models dependent on surveillance. But sometimes the two entities are working in tandem. The Pegasus spyware is an example of a product developed by a corporation for the obvious intent of selling to governments interested in surveilling individuals. Then there are the gray areas. Apple’s recent decision to install spyware on iOS devices to ostensibly detect child pornography is an example of something that was likely implemented at the behest of politicians but not mandated (yet).

Unfortunately, the situation is unlikely to get better before it gets worse. There’s too much money to be made by spying on customers and politicians’ power necessarily depends on surveilling citizens. Does this mean you will have to give up technology entirely? Will the Hutterites and Amish be the only free people left in a few years? Not necessarily. There is an option to utilize technology without subjecting yourself to constant surveillance. That option is to do it yourself.

This is really an extension of my self-hosting advocacy. For a long time I’ve preached and practiced self-hosting online services. It’s much harder for Google to surveil your e-mail if you host your own server (of course Google can still surveil your conversations with Gmail users). However, at the current rate of things the do it yourself strategy will have to be applied to technological products other than online services. For example, there is no longer a privacy respecting smartphone readily available to consumers. Your only option is to buy a device that both allows you to flash custom firmware and is supported by privacy respecting firmware.

The laptop and desktop market at least has a few privacy respecting options like System76 available, but beyond those boutique manufacturers you can’t trust the default operating system shipped with most computers. You need to install an operating system that you can trust such as a Linux distro or one of the open BSD flavors like OpenBSD and FreeBSD. There is also the issue of surveillance technology baked into the hardware. Just installing a trustworthy operating system isn’t enough if the hardware itself is spying on you too. In that case you’re going to have to build your own hardware to some extent. This will require many of the same skills as building a computer does today except instead of choosing parts for performance, you’ll need to choose parts for lack of baked in surveillance technology.

If you want an automobile that won’t spy on you, you’ll likely need to either maintain automobiles that were manufactured prior to surveillance mandates or learn how to disable installed surveillance technology. Mind you that either strategy could and most likely will be declared illegal. In that case you will need to spoof the surveillance technology in such a way that it isn’t tampered with in a detectable manner or can be quickly restored to a fully functional state if you need to take the vehicle in for an inspection or repair.

For those unwilling or unable to do the work themselves, they will be dependent on black market dealers who can. The upside is there is already a black market for surveillance avoidance and it will expand as surveillance becomes more pervasive. But the days of being able to buy a technological product and be reasonably sure that it isn’t spying on you are over (they’ve been over for a while, but the situation is continually becoming worse).

Apple Adds Big Brother to iOS

There are two dominant smartphone operating systems: Google’s Android and Apple’s iOS. Google’s business model depends on surveilling users. Apple has exploited this fact by making privacy a major selling point in its marketing material. When it comes to privacy, iOS is significantly better than Android… at least it was. Today it was revealed that Apple plans to add a feature to iOS that surveils users:

Child exploitation is a serious problem, and Apple isn’t the first tech company to bend its privacy-protective stance in an attempt to combat it. But that choice will come at a high price for overall user privacy. Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly-scoped backdoor is still a backdoor.

[…]

There are two main features that the company is planning to install in every Apple device. One is a scanning feature that will scan all photos as they get uploaded into iCloud Photos to see if they match a photo in the database of known child sexual abuse material (CSAM) maintained by the National Center for Missing & Exploited Children (NCMEC). The other feature scans all iMessage images sent or received by child accounts—that is, accounts designated as owned by a minor—for sexually explicit material, and if the child is young enough, notifies the parent when these images are sent or received. This feature can be turned on or off by parents.

When Apple releases these “client-side scanning” functionalities, users of iCloud Photos, child users of iMessage, and anyone who talks to a minor through iMessage will have to carefully consider their privacy and security priorities in light of the changes, and possibly be unable to safely use what until this development is one of the preeminent encrypted messengers.

I’ve been pleasantly surprised by the amount of outrage I’ve seen online about this feature. I expected most people to praise this feature out of fear of being labeled a defender of child pornography if they criticized it. But even comments on Apple fanboy sites seem to be predominantly against this nonsense.

This move once again demonstrates the dangers of proprietary platforms. If, for example, a Linux distro decided to include a feature like this, users would have a number of options. They could migrate to another distro. They could rip the feature out. They could create a fork of the distro that didn’t include the spyware. This is because Linux is an open system and users maintain complete control over it.

Unfortunately, there aren’t a lot of options when it comes to open smartphones. The options that do exist aren’t readily accessible to non-technical users. Android Open Source Projects, which are versions of Android without Google’s proprietary bits, like LineageOS and GrapheneOS don’t come preinstalled on devices. Users have to flash those distros to supported devices. Smartphones developed to run mainline Linux like the PinePhone and Librem 5 still lack stable software. Most people are stuck with spyware infested smartphones. Exacerbating this issue is the fact that smartphones, unlike traditional x86-based computers, are themselves closed platforms (which is not to say x86-based platforms are entirely open, but they are generally much more open than embedded ARM devices) so developing open source operating systems for them is much harder.

Social Media is Impossible

The toughest barrier for a new social media network to overcome is adoption. People will refrain from adopting the new service because not everybody is already on it. This is why Facebook, Twitter, Instagram, and other social media networks remain in business. Since everybody is already using them, nobody wants to migrate no matter how terrible the services become. But this raises an important question, why do you want everybody to be on the same social media network?

A small number of people can become a tight knit community surprisingly fast. These tight knit communities form norms. If a new individual wants to join the group, they are expected to adopt these norms. Likewise, established members are expected to teach prospective members the norms. However, it’s easy for an influx of new members to overwhelm the established members. When that happens, the tight knit community often falls apart.

The Usenet term for this is Eternal September. Back in the day colleges often had their own Usenets. When freshmen arrived in September, they would log into the college Usenet for their first time. Because they didn’t know the norms of the group, they would often violate the Usenet norms. In time the established members would teach the freshmen the norms of the group and those freshmen would either adopt those norms or drop out of the Usenet. This changed in 1993 when AOL provided subscribers access to Usenets. Suddenly a never ending stream of new members were joining Usenet groups and it overwhelmed the established members. This changed the nature of Usenet entirely.

The same thing happened to Facebook when it went from a social media network exclusive to college students to one open to everybody. Suddenly everybody and (literally) their grandmother joined and the entire network changed.

When a group is overwhelmed by new members, the old norms are usually destroyed. What compounds this issue is that new norms are seldom established. I often bring up Dunbar’s number when talking about social media. Humans have a limited capacity for stable social relationships. When that number is exceeded, some social relationships become unstable. What happens when the number of unstable social relationships exceeds the number of stable ones? Current mainstream social media networks.

Let’s once again look at Facebook. Facebook is suffering from a widespread breakdown of social cohesion. The site administrators are attempting to force new social norms by implementing an increasingly long list of unapproved behavior. Because Facebook is trying to appeal to the largest number of people, it is making the mistake of adopting what might be considered mainstream norms. However, mainstream norms don’t actually exist (it turns out that you can’t get hundreds of millions and especially billions of users to agree on anything). So rather than establishing new norms and creating stable social relationships, Facebook is angering more users and creating an even more unstable environment.

Facebook isn’t unique in this case. Twitter, Reddit, Instagram, and other large social media networks are suffering from the same problem.

I’ve increasingly become disillusioned with the idea of social media networks. Instead I’ve sought out small niche communities. I run several groups on Element and Signal and participate in several groups on both services run by other people. The groups are closed. In order to join you need to be invited. The invitation process ensures any prospective member has already been vetted. Vetting doesn’t guarantee a prospective member will fit in, but it greatly improves the odds. This is the opposite strategy used by mainstream social media networks, which try to interconnect everybody to everybody else. The difference between groups that follow one strategy or the other is stark. The groups in which I participate that are invite only have remained stable for years. The social media networks in which I used to participate that were open to everybody became so bad that I left.

So I return to my first question, why do you want everybody to be on the same social media network? Different people have different interests and personalities so it only makes sense that different groups exist.

Many people believed that the Internet would lead to a new era of peace because people all around the world would be able to talk out their differences. The hiccup in that theory is that people seem less inclined to invest time and energy seriously discussing their differences unless they already have a social relationship. This makes sense. Why invest the not insignificant time and energy discussing complex issues with people with whom you have no preexisting relationship? That takes time away from your stable social relationships into which you’ve already invested greatly and are therefore more inclined to maintain.

In summary if you want a better online social experience, establish small groups. Social media as most people envision is impossible.

Losing Control of Your Data

There are many reasons why I advise against becoming reliant on third-party services. The most obvious one is privacy. Many service providers harvest personal information from users that can then be used by advertisers and government agencies alike. Another reason is resiliency. A service can disappear overnight. Google is especially notorious for killing off services. If you’re reliant on a service and the provider decides to stop providing it, there’s little you can do. A third reason is that providers can change the rules:

Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month.

Intuit is giving customers until the end of the month to opt out… for now. Rule changes like this aren’t uncommon with online service providers. Oftentimes, as in this case, when a provider makes a significant change to the rules, it’ll give current users the option to opt out. However, as time goes by it’s common for the option to either be made harder to choose or taken away entirely.

This behavior is the norm rather than the exception for service providers. Google and Facebook are probably two of the most notorious perpetrators, but certainly not the only ones.

If you are a small business that uses Intuit services for your payroll, I suggest developing a migration strategy now. It’s much better to have a plan while you still have the option of opting out than to develop a plan after the option to opt out is taken away.

A Glimmer of Hope for a Decentralized Internet

If you don’t own your online services, you’re at the mercy of whoever does. This rule has always been true, but hasn’t been obvious until recently. Service providers have become increasingly tyrannical and arbitrary with the exercise of their control. More and more people are finding themselves banned from services like Facebook and YouTube. Compounding the issue is that the reasons given for the bans are often absurd and that’s assuming any reason is given at all.

This type of abusive relationship isn’t good for anybody, but is especially dangerous to individuals with money on the table. Imagine investing years of your life in building up a profitable business on a service like YouTube only to have Google take it away without providing so much as a reason. Some content creators on YouTube are beginning to acknowledge that risk and are taking actions to gain control over their fate:

Whether he’s showing off astronomically expensive computer gaming hardware or dumpster-diving for the cheapest PC builds possible, Linus Sebastian’s videos always strike a chord, and have made him one of the most popular tech personalities on YouTube.

But Google-owned YouTube gets most episodes of Linus Tech Tips a week late.

Now, they debut on his own site called Floatplane, which attracts a much smaller crowd.

A handful of content creators are mentioned in the article. Most of them are too nice or perhaps timid to state the real reasons they’re seeking alternatives to YouTube: YouTube has become a liability. Google; like Facebook, Amazon, Twitter, and other large online service providers; has been hard at work destroying all of the goodwill it built up over its lifetime. There’s no way to know whether a video you upload to YouTube today will be available tomorrow. There isn’t even a guarantee that your account will be around tomorrow. If you post something that irritates the wrong person, or more accurately the wrong machine learning algorithm, it will be removed and your account may be suspended for a few days if you’re lucky or deleted altogether if you’re unlucky. And when your content and account are removed, you have little recourse. There’s nobody you can call. The most you can do is send an e-mail and hope that either a person or machine learning algorithm sees it and has a bit of pity on you.

I’m ecstatic that this recent uptick in censorship is happening. In my opinion centralization of the Internet is dangerous. Large service providers like Google are proving my point. They are also forcing people to decentralize, which advances my goals. So lest anybody think I’m ungrateful I want to close this post by giving a sincere thank you to companies like Google, Facebook, Twitter, and Amazon for being such complete bastards. Their actions are doing wonders for my cause of decentralizing the Internet.

Maybe Connecting Everything to the Internet Isn’t a Great Idea

I’ve made my feelings about the so-called Internet of things (IoT) abundantly clear over the years. While I won’t dismiss the advantages that come with making devices Internet accessible, I’m put off by industry’s general apathy towards security. This is especially true when critical infrastructure is connected to the Internet. Doing so can lead to stories like this:

Someone broke into the computer system of a water treatment plant in Florida and tried to poison drinking water for a Florida municipality’s roughly 15,000 residents, officials said on Monday.

The intrusion occurred on Friday evening, when an unknown person remotely accessed the computer interface used to adjust the chemicals that treat drinking water for Oldsmar, a small city that’s about 16 miles northwest of Tampa. The intruder changed the level of sodium hydroxide to 11,100 parts per million, a significant increase from the normal amount of 100 ppm, Pinellas County Sheriff Bob Gualtieri said in a Monday morning press conference.

The individuals involved with the water treatment plant have been surprisingly dismissive about this. They’ve pointed out that there was never any danger to the people of Oldsmar because treated water doesn’t hit the supply system for 24 to 36 hours and there are procedures in place that would have caught the dangerous levels of sodium hydroxide in the water before it could be released. I believe both claims. I’m certain there are a number of water quality sensors involved in verifying that treated water is safe before it is released into the supply system. However, they’re not mentioning other dangers.

Poisoning isn’t the only danger of this kind of attack. What happens when treated water can’t be released into the supply system? If an attacker poisons some of the treated water, is there isolated surplus that can be released into the supply system instead? If not, this kind of attack can work as a denial of service against the city’s water supply. What can be done with poisoned water? It can’t be released into the supply system and I doubt environmental regulations will allow it to be dumped into the ground. Even if it could be dumped into the ground, doing so would risk poisoning groundwater supplies. It’s possible that a percentage of the plant’s treatment capacity becomes unavailable for an extended period of time while the poisoned water is purified.

What’s even more concerning is that this attack wasn’t detected by an intrusion detection system. It was detected by dumb luck:

Then, around 1:30 that same day, the operator watched as someone remotely accessed the system again. The operator could see the mouse on his screen being moved to open various functions that controlled the treatment process. The unknown person then opened the function that controls the input of sodium hydroxide and increased it by 111-fold. The intrusion lasted from three to five minutes.

This indicates that the plant’s network security isn’t adequate for the task at hand. Had the operator not been at the console at the time, it’s quite possible that the attacker would have been able to poison the water. There is also a valid question about the user interface. Why does it apparently allow raising the levels of sodium hydroxide to a dangerous amount? If there are valid reasons for doing so (which there absolutely could be), why doesn’t doing so at least require some kind of supervisory approval?
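The interface question above can be made concrete. The following is an added example, not code from the plant or from the original post: a setpoint guard that refuses values above a hard ceiling, requires a second person for changes outside a narrow band around normal, and records every refused request as an alert so that detection does not depend on someone watching the screen. The 100 ppm and 11,100 ppm figures come from the quoted article; the band width, the ceiling, and every class, function and operator name are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    APPLIED = "applied"
    NEEDS_APPROVAL = "needs_approval"
    REJECTED = "rejected"


@dataclass(frozen=True)
class Policy:
    # Only normal_ppm comes from the article. The other two values are
    # assumed for illustration; a real plant derives them from its process.
    normal_ppm: float = 100.0
    auto_band: float = 0.25       # +/-25% of normal applies without review
    hard_max_ppm: float = 500.0   # never accepted, whoever approves


@dataclass
class SetpointGuard:
    policy: Policy
    current_ppm: float
    audit: List[dict] = field(default_factory=list)

    def _decide(self, ppm: float, operator: str,
                approver: Optional[str]) -> Decision:
        p = self.policy
        # Hard envelope first. NaN fails this comparison and is rejected too.
        if not (0.0 <= ppm <= p.hard_max_ppm):
            return Decision.REJECTED
        # Small adjustments around normal need no second person.
        if abs(ppm - p.normal_ppm) <= p.auto_band * p.normal_ppm:
            return Decision.APPLIED
        # Anything else needs an approver who is not the requester.
        if approver and approver != operator:
            return Decision.APPLIED
        return Decision.NEEDS_APPROVAL

    def request(self, ppm: float, operator: str, remote: bool,
                approver: Optional[str] = None) -> Decision:
        decision = self._decide(ppm, operator, approver)
        if decision is Decision.APPLIED:
            self.current_ppm = ppm
        # Every request is logged, including the ones that changed nothing.
        self.audit.append({
            "requested_ppm": ppm,
            "operator": operator,
            "remote": remote,
            "approver": approver,
            "decision": decision,
        })
        return decision

    def alerts(self) -> List[dict]:
        """Requests that were not applied; these should page someone."""
        return [e for e in self.audit if e["decision"] is not Decision.APPLIED]


if __name__ == "__main__":
    guard = SetpointGuard(Policy(), current_ppm=100.0)
    # Constructed replay of the change described in the article.
    print(guard.request(11100.0, "remote-session", remote=True))
    print(guard.request(300.0, "op1", remote=False))
    print(guard.request(300.0, "op1", remote=False, approver="sup1"))
    print(guard.current_ppm, len(guard.alerts()))
```
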

It’s not uncommon for people involved in industries to cite the lack of budget necessary to address the issues I’ve raised. But if there isn’t a sufficient budget to address important security concerns when connecting critical infrastructure to the Internet, I will argue that it shouldn’t be done at all. The risks of introducing remote access to a system aren’t insignificant and the probability of an attack occurring is extremely high.

Whenever somebody discusses connecting a device to the Internet, I immediately ask what benefits doing so will provide. I then ask which of those benefits can be realized with a local automation system. For example, a Nest thermostat offers some convenient features, but many of those features can be realized with a local Home Assistant controller.

Google Suspends Element from Its Play Store

The developers of Element; a decentralized, federated, and secure messaging client; were just informed that their application has been suspended from the Google Play Store, which means Android users cannot currently install Element unless they do it through F-Droid or side loading. Why did Google suspend the app? At first Element’s developers weren’t given a reason but they were eventually informed the suspension was because of abusive content. Both the lack of transparency and citing abusive content have become staples of application store suspensions, which are two of many things that make centralized application stores like the Apple App Store and Google Play Store so frustrating for both users and developers.

The abusive content justification is bullshit because Element is no different than any other messaging application in that all content is user created. If Element is removed due to showing abusive content then by that very same justification Signal, Facebook Messenger, Instagram, and Google’s own Gmail should be removed. Furthermore, Element actually has a pretty complete set of moderation tools so Google can’t even argue that the lack of moderation is the culprit. But this doesn’t matter because there are no consequences for Google if it suspends an application for incorrect reasons. Agreements between developers and Google (and Apple for that matter) are one-sided. The only option for developers when their applications are suspended is to beg for clemency.

The suspension of Element is yet another example on the already extensive list that shows why centralized application stores and closed platforms are bad ideas. Without prior notice or (initially) any reason Google made it so Android users can no longer install Element unless they jump through some hoops (fortunately, unlike with iOS, Android generally gives you some options for installing applications that aren’t in the Play Store). Google might decide to be magnanimous and change its mind. Or it might not. In any case there’s very little that Element’s developers or Android users can do about it.

One-Sided Contracts

Yesterday I once again reiterated the fact that if you don’t own your infrastructure, you’re at the mercy of whoever does. Today I want to discuss why third-party providers can so easily pull the rug out from underneath you.

Businesses all over the world rely on third-party providers for any number of goods and services. They do so without too much concern that those third-parties are going to suddenly kneecap them. How do they accomplish such a feat? The answer is contracts. Large business deals aren’t made by one business clicking the accept button on a provider’s terms of service or end user license agreement. They’re made by lawyers on both sides negotiating terms. If one party only offers a deal where they can do whatever they want and the other party simply has to accept it, the other party will likely walk away. But such one-sided deals are common with online service providers.

If you sign up for an account on Amazon Web Services, Digital Ocean, GoDaddy, or any other hosting provider, you are presented with terms of service that you have to accept in order to use the service. There is no opportunity for you to negotiate. If you bother to read the terms of service, you’ll realize that they tend to put a lot of obligations on you as the paying customer but almost none on them as the provider. The terms of service usually allow the provider to cut you off for any reason without notice. But do you get any guarantees in return? Do they guarantee you uptime, reliability, or anything along those lines? If they do, do they agree to pay a financial penalty if they fail to provide what they guarantee? Do they offer a concise list of specific terms that are the only terms under which they are allowed to terminate the agreement without paying a financial penalty to you? They don’t.

I’ve been fortunate enough to observe contract negotiations between businesses. It’s both an interesting and painstaking process. They can take weeks, months, and even years. During that time both parties will strive to ensure every detail that could impact them is hammered out. Neither party wants to be in a position where the other can screw them.

Every end user license agreement and terms of service you’ve accepted over the years was likely entirely one-sided. The company you’re paying probably reserved all of the power for themselves. It’s likely that they dictated who will arbitrate any disagreement between them and you (if any disagreement is even allowed to you under the terms). This is one reason, perhaps the biggest reason, you can’t rely on a third-party service provider. If you decide to host your site on Amazon Web Services, Digital Ocean, GoDaddy, etc., they can remove your site for any reason without any advance warning. In return you get to take it and ask for more.

No competent business would knowingly enter a one-sided contract. Take a page from their book. If you’re looking to purchase a good or service and the only offer is a one-sided agreement where the provider gets all of the power, walk away.

Silence!

The 2020 presidential election turned out exactly as I and anybody else who has witnessed two children fighting over a toy expected. The only thing missing was Biden giving Trump a wedgie and calling him a poophead after his victory was certified.

What has been far more interesting to me is the response by our technology overlords. It seems that online service providers are participating in a competition to see who can best signal their hatred of Trump and the Republican Party. MSN is acting as the high score record keeper and listing every online service that has banned Trump or anything related to the Republican Party. Some of the entries were predictable. For example, Facebook and Twitter both banned Trump and Reddit announced that it banned /r/DonaldTrump.

Some of the entries are a bit more interesting (although still not surprising). Apple and Google both banned Parler (basically a shittier Facebook marketed at Republicans) from their respective app stores. Then Amazon, not wanting to be shown up, announced it had banned Parler from using its AWS services (which Parler stupidly chose as its hosting provider). For over a decade I’ve been telling anybody who will listen about the dangers of relying on tightly controlled platforms and other people’s infrastructure (often referred to as “the cloud”). These announcements by Apple, Google, and Amazon are why.

If you use an iOS device, you are stuck playing by Apple’s rules. If Apple says you’re no longer allowed to install an app to access an online service, then you’re no longer allowed to install an app that accesses that online service. The same is true, although to a lesser extent (for now), with Android. Although Android is open source, Google exercises control over the platform through access to its proprietary apps. If a device manufacturer wants to include Gmail, Google Maps, and other proprietary Google apps on their Android devices, they need to agree to Google’s terms of service. The saving grace with Android is that its open source nature allows unrestricted images such as LineageOS to be released, but they generally only work on a small list of available Android devices and installing them is sometimes challenging. I’ve specifically mentioned iOS and Android, but the same is true for any proprietary platform including Windows and macOS. If Microsoft and Apple want to prohibit an app from running on Windows and macOS, they have a number of options available to them including adding the app to their operating systems’ built-in anti-malware tools. The bottom line is if you’re running a proprietary platform, you don’t own your system.

Anybody who has been reading this blog for any length of time knows that I self-host my online services. This blog for instance is running on a computer in my basement. Self-hosting comes with a lot of downsides, but one significant upside is that the only person who can erase my online presence is me. If you’re relying on a third-party service provider such as Amazon, Digital Ocean, GoDaddy, etc., your online service is entirely at their mercy. Parler wasn’t the first service to learn this lesson the hard way and certainly won’t be the last.

I’ve had to think about these things for most of my life because my philosophical views have almost always been outside the list of acceptable ideas. I developed absolutist views on gun rights, free speech, and the concept of an accused individual being innocent until proven guilty beyond a reasonable doubt in school and continue to maintain those views today. Opposing all forms of gun and speech restrictions doesn’t make you popular in K-12 and especially doesn’t make you popular in college. Being the person who wants a thorough investigation to determine guilt during a witch hunt generally only results in you being called a witch too. However, that list of acceptable ideas has continuously shortened throughout my life. Absolutist or near absolutist views on free speech were common when I was young. They became less common when I was in college, but the general principle of free speech was still espoused by the majority. Today it seems more common to find people who actually believe words can be dangerous and demand rigid controls on speech. It also seems that any political views slightly right of Leninism have been removed from the list.

If you hold views that are outside of the list of acceptable ideas or are in danger of being removed from the list, you need to think about censorship avoidance. If you haven’t already started a plan to migrate away from proprietary platforms, now is a good time to start. Likewise, if you administer any online services and haven’t already developed a plan to migrate to self-hosted infrastructure, now is actually at least a year too late, but still a better time to start than tomorrow. Our technology overlords have made it abundantly clear that they will not allow wrongthink to be produced or hosted on their platforms.

The Continuing Deterioration of Duolingo

A few years ago I used Duolingo in combination with a number of other resources to learn Esperanto. I also used it to dabble in a number of other languages. My experience at the time led me to recommend it to people who expressed an interest in learning another language with some caveats. A few months ago I decided to reassign most of the time I spent on social media to more productive activities. One of those activities was returning to language learning. As part of this endeavor I logged back into my Duolingo account. After a couple of years of almost complete absence (I did log in a couple of times, but never to do more than poke around) I discovered that my small list of caveats has grown.

My previous caveats were mostly related to the varying quality of Duolingo’s courses. Most, if not all (I’m not sure about the service’s flagship languages such as German and Spanish), of Duolingo’s courses are created, maintained, and updated by volunteers. This results in courses with wildly differing levels of quality. A handful of courses such as the German and Spanish courses are very good. Another handful of courses such as the Swahili course are notoriously bad. But most of the courses lie somewhere in between.

To briefly illustrate the variety of middling quality, I’m going to highlight four courses: Esperanto (a language I know fairly well), Japanese (a language I took in college), Latin (a language I’m decent at reading and writing, but shit at speaking), and Hebrew (a language about which I know almost nothing).

The Esperanto course is quite good. This isn’t too surprising since there are a lot of passionate Esperantists willing to volunteer their time and energy to create educational material (Lernu.net is a great example of this). The Esperanto course includes extensive language notes, audio that is generally good, and enough content (65 skills) to keep learners engaged. But the course hasn’t received a lot of updates since I last used it. In fact the only content update appears to be the inclusion of skills in the main tree that were originally only available by paying lingots (Duolingo’s original in-app currency, which has been replaced by gems… except when it hasn’t). Popular features in the top tier courses, such as stories, are not available in the Esperanto course and I have my doubts they ever will be.

The Japanese course was awful when it was first released. Japanese uses three writing scripts: hiragana, katakana, and kanji. The initial release of the course taught hiragana and katakana, but taught little if any kanji. I also remember the original audio being variable in quality. However, unlike the Esperanto course, the Japanese course has been improved. Now it’s serviceable and there’s apparently a major update about to be released, which hopefully means the course will become decent or even good. But in its current state it still has some issues with kanji. Periodically the shown pronunciation for a kanji character is wrong in the context of a sentence and the pronunciations are written in romaji (showing the pronunciation using the Roman alphabet) instead of furigana (showing the pronunciation using hiragana). The reason this matters is because most elementary level written Japanese material uses furigana and higher level material will still use it for lesser known kanji. It’s better to get learners acquainted with how a language is used in the real world. The current course also lacks stories, but it sounds like that’s part of the upcoming update.

I was excited when I heard that a Latin course was going to be released. Latin is one of my favorite languages and I’ve studied it for years. I wasn’t expecting a lot from the Latin course since Duolingo courses tend to be bare bones when they’re first released, but I was expecting more than what was released. The entire course only has 22 skills and only teaches the present indicative tense. There are useful notes and audio for many of the sentences. The pronunciations in the audio are obviously attempting to replicate Classical Latin. For the most part they do an OK job, but not a great job. Unless more skills are added the Latin course is useless for anything other than dipping toes into the Latin waters. With that said, the foundation is good enough that a better course could be built upon it someday.

So far I’ve covered courses for languages with which I’m already familiar. Now I’m going to highlight a course from the perspective of a totally new learner. I decided to try the Hebrew course because I wanted to dabble in a Semitic language. The fact that Hebrew is one of only a few examples of a successfully revived language also makes it a novelty to me. However, I immediately ran into a major roadblock. Hebrew, like Japanese, doesn’t use the Roman alphabet, but the Hebrew course, unlike the Japanese course, doesn’t teach you the alphabet. If you’re completely unfamiliar with Hebrew and want to use the Duolingo course, you need to first find another resource from which to learn the alphabet. Obviously I can’t comment any further on the Hebrew course because I couldn’t get anywhere in it (and as I said I wanted to dabble, I’m not interested enough to seek out other resources), which is what I wanted to highlight.

My first caveat when recommending Duolingo in the past was that some courses were good, some were OK, and some were terrible. If somebody expressed an interest in learning German, Spanish, or even Esperanto, I had no problem recommending Duolingo. If somebody expressed an interest in learning Japanese, I’d warn them away. My other major caveat was that Duolingo couldn’t be used by itself to become fluent in a language. Years ago Duolingo advertised itself as a tool that allowed users to achieve fluency (it would even rate how “fluent” you had become) in another language. The idea that one can achieve fluency in a language solely through translating sentences and typing out what was said in audio recordings is bullshit. Fortunately, Duolingo appears to have backed off from those historical claims and now prefers the much vaguer “learn a language” slogan.

Those two caveats remain, but now I have a number of new caveats when recommending Duolingo.

One of the biggest changes that was starting to roll out when I was first using Duolingo was hearts. Hearts are akin to hit points. Each mistake you make deducts one heart and if you make five mistakes, you’re kicked out of the current lesson and blocked from doing anything other than practice. Duolingo claims that the heart system exists to discourage users from making mistakes, but this claim doesn’t hold up for two reasons.

First, what qualifies as a mistake is poorly defined and that definition changes. For example, missing punctuation normally wasn’t considered a mistake. Now it is (at least on some courses). Sometimes a typo isn’t counted as a mistake (instead it’s highlighted as a typo, which doesn’t cost a heart), sometimes it is. Second, when you do something that is correct but the volunteers who created the course didn’t anticipate, it gets marked as a mistake and costs a heart. Consider the Latin course for a moment. Compared to English, Latin has a very free word order. The standard word order in Latin is subject object verb (which is the same in Japanese, but the standard word order in English is subject verb object). When the Latin course was released on Duolingo a lot of my answers were marked as incorrect because the volunteers apparently assumed that everybody would use subject verb object word order whereas I normally use subject object verb word order for Latin. Likewise, Esperanto has a freer word order than English. Sometimes I’ll provide answers on the Esperanto course in subject object verb word order just to keep things interesting. The Esperanto course has existed long enough that most of those unanticipated answers have been discovered and are now accepted. However, when I first did the Esperanto course, that wasn’t the case. I’ve managed to block myself from progressing in both courses by giving correct answers that the course creators didn’t anticipate.

If you run out of hearts, you have a handful of options. First, you can do a practice session, which gives you a single heart. Second, you can wait several hours. You get one heart back after five or six hours. So it takes almost a full day to get all of your hearts back. Third, the Duolingo app periodically provides you the opportunity to regain a heart by watching an ad. Fourth, you can pay gems (but not lingots for reasons I’ll get to in a bit) to get some hearts back. Finally, you can bypass the heart system entirely by signing up for Plus. The hearts feature brings one of the worst aspects of free-to-play games to the educational market: the choice between paying real money or grinding. But Duolingo manages to make this already annoying model worse by punishing you inconsistently and sometimes when you didn’t even make a mistake.

This leads me to one of my new caveats: if you plan to use Duolingo seriously, you should consider either paying for Plus or using the website. What do I mean by using the website? The hearts system only exists in the iOS and Android apps. If you log into the website to use Duolingo, you don’t have to deal with hearts (for now). This brings me to my second new caveat.

Your experience on Duolingo can be significantly different from other users. There are two major reasons for this. First, as I already mentioned, the website experience differs from the experience on the Android and iOS apps. The hearts system isn’t the only difference between the two. Notes that are available on the website can’t be accessed from the phone apps. Without notes you have to resort to a lot of trial and error, but the hearts system punishes you for using trial and error unless you subscribe to Plus. I also made a quip about gems replacing lingots except when they haven’t. If you use the website, you use lingots. If you use the phone apps, you use gems. There isn’t even a one-to-one ratio between lingots and gems. As I type this I have 3310 gems in my iOS app and 954 lingots on the website. When I earn lingots on the website, the number of gems that appear on my iOS app goes up and vice versa, so there is an exchange rate, just not an integer one.

The second reason your experience will vary from other users is A/B testing. Duolingo is infamous for its A/B testing. A/B testing is a method where a service provides one experience for one set of users and a different experience for another set of users. Because of Duolingo’s obsession with A/B testing, I have to warn anybody to whom I’m recommending the service that the experience I’m recommending may not be the experience they get. For example, a current A/B test on Duolingo is locking skill tests behind lingots (or gems). If you’re not part of this A/B test, you can test out of skills instead of drudging through multiple lessons. This is useful if, for example, you’re starting a course for a language with which you already have some familiarity. I tested out of the hiragana and katakana skills when I started the Japanese course because I learned those scripts in college (I didn’t test out of other early skills because I wanted a refresher). Since there is almost nothing to buy with lingots, this wouldn’t be a big deal. However, a new user won’t have any lingots so they will have to grind for some before they can skip a skill. If I had been a new user when I started the Japanese course, I would’ve had to do the hiragana and katakana skills, which would have been a waste of my time.

My third new caveat is related to Duolingo’s gamification. Gamification is a two-edged sword for educational tools. On the plus side gamification encourages engagement. A user may continue using the app and therefore learning because of the game elements. On the con side gamification often encourages the game aspect of the service over the educational aspect. Duolingo has leagues and leader boards. When you complete a lesson, you get experience points. At the end of the week the top three users in the league win. Mind you the prize is just mostly useless lingots, but that’s enough for a competitive person. This has led a lot of users to grind experience points in lessons that they can complete with confidence quickly in order to climb the leader board. Since you receive the same amount of experience points for doing a previously completed lesson as you do for a new lesson, there’s no motivation to push yourself in order to win your league. So my third caveat is that if you’re a competitive person, Duolingo may distract you from actually learning.

Rather than improving, Duolingo has gotten worse since I last used it. I used to enthusiastically recommend it for a lot of people. Now I’m hesitant. If somebody is willing to primarily use the website or pay for Plus, it can be a useful service… so long as the language course that interests you is decent and you don’t get trapped in a bad A/B test. What worries me the most is that I see no indication that Duolingo is going to turn itself around. How many headaches will users tolerate for a supplemental tool?