words from a colons

Being colons: the DVLA

Aug. 5, 2020 history

As of the first of August, I finally have formal, government-issued identification with my name on it. It’s a provisional driving license, and it cites me as ‘MX - COLONS’. The ‘COLONS’ is embossed and everything, it’s very fancy. I’d rather it didn’t have a title on it at all, but I can sort that later.

Extreme close-up of a UK drivers license for someone with the name "MX - COLONS"

2020-03-01: Initial application posted

I originally applied for an updated license on the first of March. With the application, I enclosed my old license, a copy of my existing deed poll, and documents like bank statements and utility bills calling me by my name as supplementary evidence in case they had doubts that I was being serious.

2020-03-23: Refusal

On the 28th of March, I received my application back. They’d updated the address and nothing else. Included with the application was a letter, dated five days earlier:

Dear Mr Colons.

Thank you for your recent application to change your name.

The United Kingdom driver licensing system forms part of the European Community‘s driver licensing system, as does that of all other Member States. As such, we are obliged to recognise the full driving licences issued by all other Member States, as are all other Member States obliged to recognise those issued by the United Kingdom.

The UK driving licence is a valuable document both here in the UK and the wider European driving licence network. The integrity of the licence and the DVLA’s reputation among other Member States is important to us and unfortunately we are unable to issue you a licence in the name requested as it is not our policy to grant a licence in a name that may bring the UK licence into disrepute or may cause problems when using the licence in the UK or the EU/EEA abroad.

In these circumstances, we will issue a licence in your original name without making reference to your change of name.

Yours sincerely,

[DVLA representative]

A lot about this letter sucks. Basically every sentence is wrong, mean, or deferent to falsehoods about names to a pitiable degree. I’d be flattered if my name had the power to bring an entire document-issuing institution into disrepute, but I don’t think it does.

For a while I tried to get on the phone with someone I could moan at. I never got through to a human, though, presumably because of COVID, so instead I sulked.

2020-03-29: A second attempt

When I was done sulking, I sent the same application again, but with the following letter attached, in which I tried to explain the many problems with their refusal:

Dear [DVLA representative],

I remain bewildered by your response to my request to issue a license in my name. I’ve been trying to get in touch by phone ever since I received it.

I’ve been going by colons full-time for most of the last decade. My friends, colleagues, bank, council, and utility providers all know me as colons, and most of them never knew my birth name. GOV.UK’s name change guidelines are pretty explicit that just going by a name is all that’s necessary for a name change to be legal, so the deed poll I signed in late 2019 was at this point largely a formality. Given this, it was wild to see you open your response calling my request for a correct license an ‘application to change my name’, especially given that it was almost* correctly addressed.

I can only read the combination of this letter and the license you sent as a deliberate issuance of ID that you know to be incorrect. I am pretty confident that the GDPR has provisions about my right to have you correct data that is wrongly held, which I would like to use in this case. I would also appreciate clarification of what power exactly you’re exercising to make editorial decisions about people’s names.

The letter also has alarming finality to it, which I find I cannot accept. There has to be something I can do to demonstrate that this isn’t some stunt I’m pulling, that this is my real actual name. I’ll attach some correctly-addressed bills, if that helps, but any guidance on what might turn you on this would be appreciated.

Stay safe,

colons

*I’m unsure why you were happy to re-issue the license but refused universally, even in the letter, to respect my title. Honestly, though, I’d rather just have no title at all.

I then waited for three months, hearing nothing. I assumed it’d managed to fall through a crack somewhere or was being intentionally ignored, but this is happening to a lot of people at the moment. When I chased on the 27th of July, I was told the license had already been issued and posted, and that I’d have it soon. It showed up a few days later without any enclosed acknowledgement of my letter.


I’m hoping this’ll reach some people who will find it useful, although I’m not sure what specific lesson might be the most useful for you, dear reader. For me, it’s a good reminder that I have more power and control than I usually give myself credit for.

I don’t know what turned them on the second attempt. I don’t expect I’ll ever be able to find out. Maybe it was the supporting documentation. Maybe it was the GDPR angle. Maybe they were overwhelmed because of the COVID backlog and wanted to get me off the pile as fast as possible. Maybe they were testing me with their initial response; making sure I was being serious. If it was just a test, it really would have been nice if they’d said so; a simple “this is a pretty unusual request; we’d appreciate it if you could confirm this is absolutely correct and also maybe provide some more supporting documents to prove you’re actually using this name”, perhaps.

I guess the main takeaway is that the DVLA do not require a court-enrolled deed poll to issue an updated license, even for folks with mononyms. Don’t give up. There’s precedent other than mine for repeat attempts paying off.

P.S.: To any family members reading this, I’m totally okay with not being colons to you. Do what makes you comfortable and what the people around you will understand.

Nobody talks about sideloading apps on iOS

Sept. 25, 2018 history

One of the oft-touted differences between Android and iOS is that Android lets you install apps from ‘unknown sources’, and iOS does not. This common knowledge is baked into almost all commentary written about mobile device security. For example, there was a lot of excitement after WWDC 2016 when Apple announced that free developer account certificates would be able to load apps onto iOS devices, but this is only for enrolled devices and the apps stop working after a week. There’s also a lot of recent talk about Epic’s decision to distribute Fortnite for Android outside of the Play Store, which is implicitly impossible with iOS.

Screenshot. A native iOS prompt saying 'public.boxcloud.com would like to install “Snapchat++”'. The selectable options are 'Cancel' and 'Install'. 'Install' is the primary action, bold and blue. Behind the prompt, a website is visible, showing a summary of an app called 'Snapchat ++', authored by someone called 'Unknown'. Features offered include 'Increased Recording', 'Custom Notifications', and 'Enhanced screenshoting'

The trouble is, though, that this premise is catastrophically incorrect. Anyone can go to a website in Safari, download an app bundle, tap an ‘Install’ button in an alert that pops up, and the app will be installed. The first time you do this with an app from some rando, you’ll also need to explicitly trust the signing authority in Settings. iOS won’t tell you how to do this up-front, but it’s not hard; certainly no harder than disabling Gatekeeper. No Mac is required, no developer account is required, and the app will run indefinitely. It’s about as easy to do as enabling untrusted sources in Android.

This is not hypothetical. This is being done at volume in the wild.

Screenshot. The iOS settings app. Explanatory text says 'Apps from developer “iPhone Distribution: Shenzhen Yunxun Technology Co., Ltd.” are not trusted on this iPad and will not run until the developer is trusted.' Beneath this text, there's an inviting blue button labelled 'Trust “Shenzhen Yunxun Technology Co., Ltd.”', and then there's a list of apps that are signed by this entity. The only item in the list is 'Twitter ++', an app that uses the official Twitter app icon. Opposite the name of the app, the word 'Verified' is shown.

There’s a website called BuildStore which sells subscriptions for access to their database of apps that can be installed this way, including open-source emulators and modified versions of apps like Facebook with ‘additional features’. Scarier, though, are the places that offer this for free, like iEmulators. Given the cost of hosting and the inherent price of the ability to offer this service (which we’ll get into in a bit), it seems reasonable to assume that the people running this free service are expecting to make a profit, somehow.

BuildStore’s practice of selling access to other people’s open-source software is questionable, but the ‘improved’ social media apps category offered by iEmulators is terrifying. I am not equipped to disassemble an iOS app and work out what it does, and I don’t want to make accusations about any specific application distributors, but if I was the ‘Unknown’ person who distributes these [social media website]++ apps and I wanted to make money unscrupulously, I know some things that I would do. I’d sell ads and send you paid notifications. I’d use all the compute time I could get to mine cryptocurrency. I’d record everything you did in the app. Once you granted camera permissions, I would never turn them off. Once you granted access to your photos library, I would use EXIF data to build a history of everywhere memorable you’ve ever been. I’d use each and every API that Apple don’t allow to be used in apps distributed in the App Store to gather as much personal information about you as possible, and I’d sell all of it. I’d also, naturally, gather your login credentials.

Twitter ++, which I briefly ran on a wiped device to see what it was like, injects ads into the signup process in a slick-enough way that there is clearly some serious technical skill behind these apps. I have no doubt that much of the rest of the above is being done, too.


BuildStore requires the unique identifier of enrolled iOS devices, which almost certainly means they’re just signing apps with developer provisioning profiles, rather than using TestFlight or the Volume Purchase Program store for their review-free distribution. I am unwilling to pay them to confirm this. The unrestricted distribution that free sites like iEmulators are able to do, however, is made possible by the Apple Developer Enterprise Program.

With the Apple Developer Enterprise Program, for $300 per year, you get to distribute apps to as many devices as you like. According to their license agreement, use of your apps on these devices should be:

(i) on Your physical premises and/or on Your Permitted Entity’s physical premises, or (ii) in other locations, provided all such use is under the direct supervision and physical control of Your Employees or Permitted Users (e.g., a sales presentation to a Customer)

The agreement goes on to explain that posting enterprise-signed apps on a public website is explicitly prohibited. Clearly, this is not being enforced, at least not particularly rigorously.

In theory, though, this should be fine! In theory, iOS is a reasonably secure operating system, and all apps have to ask permission to get access to sensitive information. In theory, there’s no reason iOS couldn’t safely host arbitrary apps and still be orders of magnitude safer than macOS. You can’t stop stuff like cryptocurrency miners, but you can at least stop invasive fingerprinting and data gathering. In theory.

App Store review is supposed to be an important protection here. Their automated reviews will catch use of private APIs and such, but there’s a lot that the humans don’t catch. iOS still contains a bunch of mechanisms apps can use to do malicious things that should be prevented by App Store policies and review, but aren’t. People have been doing pretty shady stuff on the App Store for years now, and Apple only reliably remedies it once it’s already a story. In the meantime, they’ll arbitrarily reject any app that a given reviewer has a political, social, financial, or functional objection to, and be stubbornly uncommunicative about it until enough people or press outlets get mad about it.


So why don’t Epic use enterprise certificates for Fortnite? ‘Obviously,’ I hear you cry, ‘it’s against the terms, so Epic’s enterprise certificate would get revoked immediately if they tried to distribute Fortnite outside of the App Store,’ and you’re right. Such a flagrantly contract-violating move for such a popular app from a big company would get massive press coverage, and be shut down within hours. If Apple’s primary concern here was security, though, Epic’s certificate would be the least of their worries. Apple know damn well that Epic’s not going to distribute malware, and we know that the primary reason they want to keep stuff in the App Store is for that hot 30% revenue cut. The long-term existence of third-party iOS malware distribution sites should hammer this past the point of deniability, but everyone covering these platforms either ignores their existence or, worse, doesn’t know about them.

iOS is living in the worst of both worlds. Nobody acting above board is allowed to distribute apps outside of Apple’s control, but there’s a thriving market of independently-distributed malware that nobody talks about. It would be nice if at least one of these downsides could be eliminated.

Being Reimu

Oct. 28, 2014 history

It’s a little after 7 A.M. on the morning of Saturday the 25th of October. Leicester is still, cold, cloudless, and a little misty, although the sun is rapidly burning it off. A man on his morning walk sees us approaching on the pavement and considers us for a moment. Shortly, he comes to his conclusion and knowingly asks, “Good night, lads?”

A man in a high-visibility jacket standing atop a university building looks down and sees us walking by. He puts his fingers in his mouth and wolf-whistles at us. “Hey, ladies!” then, to his friend, “there’s two lads…”

Cirno and I are heading to MCM (a nerd convention in London), but we’ve a long way to go and we’re pretty conspicuous.

Two white dudes dressed as Touhou characters. The one on the left (Reimu, in a frilly red dress and long brown wig) is hitting the one on the right (Cirno, wearing a short blue wig, a blue dress, and wire fairy wings) with a home-made gohei.

We’re still presenting as white dudes. We know that when we get home we can take the costumes off and revert to our usual, privileged state. It doesn’t hurt that we are not wearing makeup and these particular costumes make it clear even to people who don’t recognise the characters that we are very much still white dudes. Still, we are drawing attention to gender in a way that takes people out of their comfort zones, but because we are not us, we can view their reactions with detachment.

Reactions are varied, fascinating, and occasionally frightening. Some compliment us with slightly sneering irony. Some compliment us with sincerity. Some children ‘whisper’ to their parents as we pass (“whoah-ha-ha-ha… that’s a man…”), some parents approach us with their kids and ask with genuine interest what we’re dressed up for. The train conductor tells us we’re pretty and the next people he deals with ask why they don’t get the same treatment. Everybody laughs.

At MCM itself, we are barely an anomaly. Lots of people are in costumes. People are relaxed. Many ask for photos. One guy calls “Reimu!” and quickly looks in the other direction, too nonchalantly. A few apparent first-time visitors are more surprised; one woman remarks “That’s a boy! Dressed as a girl! Shocking.”

While waiting for Marisa to show up and complete the troupe, a man who is “here with [his] nephew” approaches us and speaks for a while and asks some mostly innocuous questions, but he seems to be dancing around saying what he actually wants to say. It is like he is either trying to prove that he is Totally Cool With This or is trying to decide if he even wants to be here at all. We humour him.

The man who takes our order at dinner gets super into the spirit of it, asking who we are and complimenting us. After taking our orders, he calls us ‘girls’ and then immediately fears he has crossed a line and gets sheepish and apologetic and quickly scampers off. I later try to communicate to him that we are more than okay with being referred to in character, but I mess up and probably make it worse. (If you’re reading this, I’m sorry. We’re cool.)


Disembarking from a London Underground train, we meet That Guy. That Guy is heading home from his Important Job. That Guy is white and middle-aged and wearing a suit. That Guy is boarding the train at the door we are leaving from. That Guy does not have long before we will be out of his life forever, but That Guy very much wants us to know that He Has Feelings About This.

“Psh,” he snorts with powerful indignation. “I hope that’s fancy dress.”

Firstly, yes, of course it’s fancy dress. These are not practical clothes. I’m carrying a piece of dowel with strips of paper taped to the end and my friend here has wire fairy wings on his back. We are having a bit of fun.

Secondly, though, and more importantly, what the fuck does it matter to you if it’s not, Guy? And why did you feel the need to let us and our fellow passengers know of your disapproval? Are we a sign of the coming apocalypse? An invitation for Satan to bring about babies having babies and cats living with dogs? Shit, man, people might even find themselves attracted to us, and that wouldn’t be right, dammit!


On the train back to Leicester, we are approached at our seats by a smiling woman. “I saw you earlier on the train into London,” she says, “you look exactly the same. Have you had fun?”

We appreciate the curiosity and chat for a bit.

I found her opening remark especially interesting not because of anything to do with our costume or any kind of maliciousness on her part, but because that middle part was just a thought that she had had. It was not intended for us. Something weird was happening, and she dropped her guard for a moment. She said something that made no sense except as part of an inner monologue in which she was trying to work out if we were the same people she saw earlier or not. It’s scary that that can happen.


The sun has long since set when we get back to Leicester. People have started their evening of drinking and the roads are still busy. We are honked at a few times, a near-toothless man walking out of a pub blesses us, and my pulse doubles every time we have to walk past a man. The majority of interactions we had were positive, but the ones that were not all smacked of people getting very upset about Gender Stuff. It was fun, but I am glad to get the costume off.

I’m lucky that I can.

I don’t use Notification Center, and it makes me sad

May 13, 2014 history

As an Android and OS X user, I was excited when Apple announced that they were going to integrate something resembling Growl into Mountain Lion. Growl was, at the time, a surprisingly critical part of the OS X ecosystem. Apple bringing Growl’s responsibilities in-house seemed long overdue.

I have barely touched Notification Center since a couple of days after Mountain Lion was released. What follows is an attempt to rationalise exactly why that is.

Action

One of my favourite things about Android’s notification interface is that if I get an email that I do not have to act on, I can archive it right from the notification. I use this a lot.

Notification Center’s transient notifications recently got similar little buttons added to them. You can reply to an email right there, provided you decide to act on it and can get your mouse up to the button within five seconds of the notification appearing. If you miss this opportunity, you are out of luck, because the persistent versions of notifications do not retain these buttons.

Persistence

When you have pending notifications on Android, it’s like having a splinter. You can ignore them, and if you are busy, you can even forget they’re there, but you won’t feel right until they’re gone.

As an example, here’s before:

A messy status bar full of icons vying for attention.

And after:

The same status bar, but with no icons. Much cleaner.

Feels better, right? You now know, without taking any action, that there’s nothing left for you to deal with right now. And everything is tidy.

Here’s Notification Center’s entire visible UI when you have notifications pending:

An icon that one can assume is supposed to represent notifications, with no badges or any indication that something important is here.

And when you do not:

Literally exactly the same image as the previous one.

Nothing changes.

Notification Center doesn’t get back to you when you are no longer busy; you have to get back to it. There is zero motivation to look in the slide-out drawer unless you already know there’s something there because you saw it earlier and made a note of it.

That bears repeating. This notification system requires you to remember that a notification appeared while you were busy (or briefly on the other side of the room) and follow up on it. Like an animal.

Retention

…so it goes unchecked. Notifications come in, and stay in, and will remain until you dismiss them.

Except that’s not true at all. What actually happens is that each app has a rotating collection of the five most recent notifications they emitted. Thus, if you get a lot of emails, Notification Center is useless for triage. If you get a lot of tweets, Notification Center is useless for sampling. In all cases I’ve encountered, the app that spawned the notification is a superior tool for catching up on things. Further, most of them have icon badges or menu bar widgets to constantly remind you that something is worth your attention, making Notification Center entirely redundant.

Dismissal

Every now and then, though, I accidentally open the drawer when trying to scroll or something, and I get wistful. I look at countless notifications for things I have already dealt with and I think of what could have been. I look mournfully at my phone, sigh, and dutifully click all the tiny X buttons.