Twitter is urging users to change their passwords after a bug caused passwords to be written unencrypted to an internal log before being masked through bcrypt hashing. The company didn’t release details about how many of the 330 million active Twitter accounts were affected.

Although Twitter said that it found the error on its own and that its investigation failed to turn up any indication of a breach or misuse, the company suggests that you should still change your password. If you used that password on any other Web sites, change it there too. Situations like this show why reusing passwords is a bad idea—rely on a password manager so every site can have a unique strong password.

Enabling two-factor authentication would also protect your account even if your password was compromised. Given the trouble that someone could cause for you if they had access to your Twitter account, we recommend two-factor authentication for Twitter more than for many other Internet services.

Reporting on its Q2 2018 financial results, encompassing January through March 2018, Apple announced a net profit of $13.8 billion ($2.73 per diluted share) on revenues of $61.1 billion, a figure in line with analyst expectations. The company’s revenues were up 16% compared to the year-ago quarter (see “Apple’s Q2 2017 Financial Results Show Slight Growth,” 2 May 2017). Apple CEO Tim Cook noted that this was Apple’s sixth consecutive quarter of accelerating revenue growth.

“We’re thrilled to report our best March quarter ever, with strong revenue growth in iPhone, Services, and Wearables,” said Cook. And revenue growth for iPhone was indeed strong, with $38 billion in iPhone revenue marking a gain of 14% year-over-year. While iPhone unit sales also increased, that figure was not nearly as strong, with only 3% more units sold in the current quarter than in last year’s. On the other hand, the average sales price for iPhones exceeded $720, a new high, and the high price of the iPhone X no doubt accounts for that increase and the percentage disparity between revenues and unit sales. In any case, the iPhone results should put to rest reports of weak iPhone X sales: Cook said that Q2 2018 was the first quarter in which the top-of-the-line iPhone model was also the most popular.

iPad sales rose 2%, and iPad revenue increased 6% year-over-year, bringing in $4.1 billion in revenue. Half of all iPad sales were to new customers, and iPad now has 50% of the tablet market, up from 40% a year ago.

At $5.8 billion, Mac revenue was flat year-over-year, but the Mac business did post a drop in unit sales of 3%. No new Macs entered the market during the quarter, and reports of user dissatisfaction with the latest MacBook Pro keyboards may also have affected those results.

Services revenue went up 31% year-over-year, tallying $9.2 billion—almost as much as iPad and Mac revenues combined. It was the best quarter yet for services, and growth continues to be strong, Cook said, with a total of 270 million paying subscribers in the Apple ecosystem. Cook mentioned that the number of Apple Pay users doubled year over year.

Revenue for Apple’s Other Products category was up 38% year-over-year, totaling $4 billion—almost as much as the iPad alone. The HomePod, which launched in Q2 2018, is likely a factor, though Apple stayed mum on HomePod sales numbers. However, Cook did mention that wearables—including the Apple Watch, Beats headphones, and AirPods—were up almost 50%, and he added that the wearables business is now the size of a Fortune 300 company. While the company still hasn’t shared Apple Watch sales specifics, Cook said that Apple Watch revenue grew by double digits year-over-year, achieving a new March quarter record.

During the quarterly investor call, Cook claimed last year’s Republican tax bill would help Apple create 20,000 new U.S. jobs, spur a 16% increase in Apple’s stockholder dividend, and make possible the company’s new $100 billion share repurchase authorization. Apple has returned $275 billion to shareholders since August 2012. As he discussed that, Cook almost casually mentioned a new American campus, which he said would be described in more detail in the future. The company can certainly afford another new campus, as Apple now has $267.2 billion in cash.

If you’re like many Internet users, in the last few weeks you’ve been inundated with vague, weirdly upbeat notices from companies announcing changes to their terms and privacy policies. Whether they say so or not, most of these updates are to comply with the European Union’s General Data Protection Regulation, or GDPR. The GDPR is a complex policy and regulatory regime that aims to give European citizens “digital rights” over their personal data: who holds it, what they hold, and how it is used.

The GDPR goes into effect on 25 May 2018, and—unlike previous data protection efforts in the EU—it applies uniformly across all EU nations and to any organization anywhere in the world holding or processing the data of EU citizens. That’s a vast swath of the Internet, and, indeed, the entire world economy. Given that the EU typically leads the way on digital consumer privacy, the GDPR will directly or indirectly raise the bar for how companies handle users’ personal data in much of the world.

So how does the GDPR work, and how will it impact you?

Who’s Covered?

In broad terms, the GDPR applies to any EU citizen—data subjects, in the parlance of the regulations—and two broad, overlapping classes of organizations: data controllers and data processors. Data controllers collect and use information, while data processors store, manage, or act upon that information on behalf of data controllers.

Data controllers are everywhere and include any person or organization that collects personal information about EU citizens. Common examples include Internet titans (think Apple, Google, Facebook, Amazon, and Microsoft) and those shadowy “data brokers” that assemble information from public sources and track Internet use. But it also includes governments, public sector agencies, banks, health care providers, and virtually all employers.

Moreover, it covers retailers, restaurants, hotels, venues, and any business with customer records, as well as schools, museums, non-profits, charities, volunteer organizations—even sports leagues. TidBITS has European subscribers and contributors, so TidBITS is a data controller under the GDPR. Maybe you run a mailing list or a site for a hobby: if anyone from the EU is on your list or uses your site, guess what? You are a data controller. Data controllers bear the main responsibility for complying with the GDPR.

Data processors are typically one step removed from individuals: they handle personal information they didn’t collect themselves. Many service providers are data processors—Salesforce, Google Cloud, Microsoft Azure, and Amazon AWS all qualify. If you have a mailing list that you send to the postal service to have addresses standardized and verified, the postal service is a data processor. But the lines get blurred fast: let’s say you have a business that uses a payroll service. Your business would be a data controller, and the payroll service would be a data processor. However, if that payroll service uses data to, say, offer a service comparing salaries to industry averages, they are also a data controller.

What’s Covered?

Under the GDPR, personal information includes most data related to an identifiable person, regardless of whether that connection is made directly (say by name, government-issued identification, or banking information) or indirectly using factors like physical appearance, location, physiology, online identifiers, or economic, cultural, or social identities.

Email addresses, location data, smartphone device identifiers, and IP addresses—even dynamically assigned IP addresses—are all considered personal data. Technically, that means virtually every Internet site and Internet-connected app is subject to the GDPR once accessed by EU residents, since nearly all log users’ IP addresses by default.

Moreover, data regarding ethnicity, race, genetics, biometric data, health information, sex life, religious/philosophical beliefs, or trade union membership is deemed “sensitive” personal data subject to additional protections. And the GDPR doesn’t just apply to data collected on or after 25 May 2018: all previously collected data is covered as well.

These definitions have significant implications for Internet companies— particularly data brokers and advertisers—since nearly all log IP numbers, many collect email addresses, and most of them use cookies and other trackers that constitute online identifiers. That’s one reason you’re seeing so many notices from Internet companies about updated privacy policies and terms of service.

What’s Allowed?

Under the GDPR, there are only six lawful reasons for processing personal data:

1. Legal contracts
2. Legal requirements
3. Vital interests (protecting life)
4. Public tasks (public interest or official functions)
5. So-called “legitimate interests”
6. Consent

Legitimate interests are a somewhat subjective but seemingly narrow category where processing personal data is the only means to meet an end. Common cases would be businesses working with customers to fulfill orders or provide services. If I want a company to deliver a pizza, they have a legitimate need to know where to take it.

For advertisers, the GDPR leaves consent as the primary legal avenue for processing personal data—and the GDPR substantially raises the bar. Consent must be “freely given, specific, informed, and unambiguous,” and be given via a “clear affirmative action.” Silence, inaction, and scrolling through screens of legalese do not qualify as consent. All those “soft opt-in” pre-checked boxes won’t cut it anymore, and companies must present terms in an “intelligible and easily accessible form, using clear and plain language.”

Data controllers must also specify how personal information is used as part of the consent process, whether it be serving up ads, profiling by matching up with third-party databases, sharing it with partners, or other functions. However, companies won’t necessarily name with whom they’re sharing personal data unless a user makes a specific request.

These new rules are another reason you’re seeing so many privacy and policy updates: companies that have not previously satisfied these requirements must obtain their users’ specific, informed, and unambiguous consent before the GDPR goes into effect. Expect many firms to do a hard sell extolling the benefits of consenting, or—as in the case of Facebook—presenting affirmative consent as the fastest way to get annoying screens out of your way. If users don’t consent, the only option may be to stop using a particular app or service—but the GDPR requires that it must be as easy to withdraw consent as to give it.

Some companies may enable users to consent to some types of data use but not others: maybe an email address is required, but consenting to use of location or photos would be optional. However, many outfits will require all-or-nothing consent because that’s the least amount of work.

What Rights Do Individuals Have?

First off, any data subject—remember, that’s a resident of the European Union—must be able to withdraw their consent to use of personal data as easily as they gave it. Withdrawing consent probably means someone won’t be able to keep using a site, app, or service, but it does mean the company must stop using data if there is no other legal basis to process it (like a legal requirement). For instance, if you pre-order a book from a company and later withdraw consent regarding your personal data, the company can still use your personal info to fulfill your order—assuming you didn’t cancel it—without violating GDPR. Similarly, if the company is subject to a court order to retain personal data for auditing purposes, it isn’t violating GDPR if it keeps data for that audit after consent has been withdrawn.

Subjects also have a right to demand data controllers disclose whether their information is being processed. If it is, individuals have a right to access that data (for free!) along with details of why it’s being processed, who is processing it, and for how long. Generally, controllers must fulfill these requests within one month. Digital rights advocates are expected to make broad use of this right to map out the activities of firms like Facebook, Google, Apple, and Amazon, so companies that make broad use of personal data are gearing up for a torrent of requests once the GDPR goes into effect.

Subjects have the right to have information about them corrected under the GDPR. This right isn’t aimed so much at the Facebooks and Googles of the world as it is at agencies that report on credit, perform background checks, and determine eligibility for things like housing, employment, benefits, and medical care. Individuals have a right not to be subjected to decisions made by automated profiling if they have a significant legal impact on them, such as eligibility for housing or a job.

The GDPR also enshrines a “right to be forgotten,” meaning individuals can request all personal data about them be erased—again, barring any legal reason the controller must keep it. As with access requests, many Internet companies are expecting a flood of deletion demands once the GDPR goes into effect. EU residents unhappy with the likes of Google and Facebook may see deletion requests as a way to get back at them.

The GDPR also has a right to data portability—if subjects don’t like the way a controller is handling their data, they can request it be made available to them or another controller in a “commonly used” machine-readable format. Unfortunately, data portability will be pretty limited in the real world, at least initially. Most companies will be able to dump data to formats like JSON or XML, but it’s unlikely other controllers will be able to make much use of it. The European Commission seems to have intended data portability to apply to social networks, but there aren’t many meaningful ways to (say) transition a Facebook account to Twitter, Pinterest, or LinkedIn.

Controller Responsibilities

Data controllers and processors have a number of other specific obligations under the GDPR. Here are some highlights:

• Companies must report data breaches to their nation’s supervisory authority within 72 hours of discovery. If the breach is “high risk”—e.g., could result in identity theft—then impacted individuals must be informed “without undue delay.” This might be a public announcement for a large breach or individualized notifications. Remember when companies like Uber and Yahoo sat on massive data breaches for a year or more? That would violate GDPR.
• Controllers must document users’ consent to use personal data: that’s more than recording a simple yes or no, but more akin to a timestamped record including the version of the forms or screens used to collect it, along with all relevant documents like phone scripts, complete terms of service, and policies. If there is a dispute, controllers have to be able to prove consent was legitimately granted.
• Controllers can retain identifiable personal data “no longer than is necessary,” which is tremendously vague but follows a principle of data minimization and provides legal ammunition if controllers misuse or mishandle data they had no reason to keep. The GDPR encourages anonymization and pseudonymization to protect personal data.
• Controllers whose core activities include personal or sensitive data on a “large scale” must appoint a data protection officer. The GDPR does not define “large scale,” but there are no minimum thresholds. Some EU countries—most notably Germany—have stricter requirements for appointing a data protection officer.

I’m Small-Time: Do I Need to Worry About the GDPR?

Some people who run Internet sites, apps, podcasts, or small businesses—particularly outside Europe—may assume (or hope) that the GDPR will have no real impact on them. That might be true in some cases, but many small online endeavors will have to make some adjustments. Even small businesses are data controllers, and data controllers bear most of the responsibility for complying with the GDPR.

I cannot offer legal advice, and every activity impacted by the GDPR will have different concerns. But here are a few things to consider:

• A purchase or contribution is not consent to marketing or further contact. If an EU resident buys something from your Etsy shop or makes a donation to your podcast, you cannot just add them to your marketing list as an existing customer. Consent to additional contact must be separate, clear, unambiguous, and affirmative. A pre-ticked checkbox on a checkout page won’t cut it.
• If you think you have some magic way of using an IP address, phone number, billing address, or other data to infer whether someone is an EU resident (so you can tell if the GDPR applies to them): you don’t. You would need to ask users directly if they’re EU citizens, and, if not, offer less privacy protection. That may not be a message you want to send. For small shops, applying GDPR protections to everybody is usually the shortest path.
• Only collect necessary information. If you run a mailing list, you have a legitimate need for a subscriber’s email address, but you don’t need their birthday, phone number, location, or even their name. Sure, some of that info is great for personalizing communications, but do you need it? Can it be optional? (And do you think automated personalization is fooling anyone?)
• Be ready to disclose all third-party businesses that process your customers’ information, whether payment processors (like PayPal or Square), shippers (like the USPS and DHL), cloud service providers (like Apple, Amazon, Google, or Microsoft), and many more. Does your site tie in directly with Facebook or Twitter? What about a mailing service like MailChimp or SendGrid? How about advertising networks? Analytics services? Under the GDPR users have a right to ask for this information directly; for many small businesses, it makes sense to include the information up front in privacy policies and terms of service.
• Only keep necessary information. Sure, you want to analyze your sales records to manage seasonal inventory, but you don’t need customers’ personal details to do that. Delete customers’ personal information when you no longer need it for any reasonable business purpose, unless you’re required by law to hang on to it. If you must keep it, anonymize the data (so individuals can’t be identified, even by you) or at least pseudonymize it: if your business records are compromised, there’s less risk to both you and your customers.
• Consider how you will respond to a customer who requests to view all the personal data you have about them. How will you verify this person is who they claim to be? How will you collate the data? How will you (securely!) make it available? Even for small businesses, this can become complicated. And you have only 30 days from when you receive your first request.
• Think about how you will respond to a customer who requests you delete all personal data about them. How will you ensure any data processors you use also delete that data?
• Users must be able to withdraw their consent to use of their data as easily as they gave it. This may mean changing your site or app to make withdrawal of consent easier and more apparent. You may also have to tell data processors to remove that person’s information.

How Will Enforcement Work?

If EU residents believe their personal data is being unlawfully processed or misused, they can file complaints with supervisory authorities in their own countries. If that authority rules against an individual—or simply doesn’t respond to the complaint in 3 months—that person can take the matter to court. Both data controllers and data processors can be liable for any damage caused by their actions. Individual member states are responsible for establishing rules and penalties for infringements.

Failure to comply with the GDPR could be very expensive: fines can be up to 4% of a company’s worldwide revenue or €20 million—whichever is greater. However, such penalties are likely only if companies engage in egregious, willful violations of the GDPR—and would likely only apply after a lengthy court battle and appeals process. Most national authorities won’t expect perfect compliance and will be unlikely to levy heavy penalties if organizations generally try to do the right thing. National authorities will be primarily concerned with large-scale data processors and organizations handling high-risk data.

What about Brexit?

The United Kingdom is leaving the European Union on 20 March 2019, but it won’t be leaving the principles of the GDPR behind. The UK will comply with the GDPR when it takes effect this May, and under the proposed “Great Repeal Bill” the GDPR would be incorporated into UK law after Brexit. UK law will then be amended with a proposed Data Protection Bill, which is unlikely to diverge significantly from the GDPR.

However, Brexit may have some immediate data protection implications, since the UK will no longer be part of the US-EU Privacy Shield (the current framework for exchanging personal data for commercial purposes between the United States and EU) or the US-EU Umbrella Agreement (a framework for law enforcement cooperation). The UK wants its own separate replacements with both the United States and the European Union, but nothing has been agreed upon yet.

Will the GDPR Matter?

Internet users are increasingly aware their personal information can be sensitive, and we live in an era of massive data breaches. In bulk, our data is being leveraged to sow discord and influence elections. At a personal level, its misuse can have many consequences: identify theft, loss of a job, altered credit ratings, higher insurance rates, increased health care costs, and more. And, of course, our personal data is worth very real money to many of the world’s most valuable corporations.

With the GDPR, the United States will drop further behind the European Union in terms of data protection regulation. Soft “opt-ins” and pre-checked boxes are still permissible in the United States. Although there is a limited exception for credit reporting, individuals still have no real right to see data collected about them or have it corrected or forgotten. Although some U.S. states have enacted data breach laws, there is no national requirement that individuals be informed if their data is compromised. And companies can essentially use any personal data they have for whatever they like, for as long as they like.

However, the GDPR will have indirect benefits for Americans and many non-European Internet users—and the evidence is all those notices you’re receiving about new terms and privacy policies. Companies are feeling pressure to extend GDPR benefits to users outside of Europe. While some (like Google) are notably silent, Apple has already announced it is extending GDPR rules to customers in the United States and other markets, including giving users the ability to view and correct information Apple processes. Even Facebook says it will extend the “spirit” of GDPR to users outside Europe, although it won’t extend GDPR protections worldwide.

The GDPR should be viewed as an attempt to bring regulation up to date with the reality of the digital world. It won’t fix everything or solve every problem, but it’s a big reason why momentum is currently shifting toward better data protection, rather than away from it.

In the movie Ready Player One, people use virtual reality headsets and haptic feedback clothing to inhabit a virtual world called the OASIS. Both the film and the New York Times best-selling book upon which it’s based are great, and I recommend them highly. But throughout the movie, whenever I saw someone wearing a VR headset with anyone else around, all I could think was how horribly vulnerable I’d feel to have my sight and hearing cut off from the outside world.

That’s both the promise and the curse of the Royole Moon, an $800 “3D mobile theater” that couples a head-mounted display with headphones. It promises to provide a “truly immersive, 3D movie watching or gaming experience that could be enjoyed anytime and anywhere.” Technically, it meets that goal, but in real-world usage, I couldn’t bring myself to use it outside the house or even when Tonya was in the room with me. Maybe I’m too self-conscious, or just too old, to judge from the dude that Royole has modeling the Moon below.

Royole Moon Hardware

The Moon’s headset employs dual 1080p AMOLED displays to simulate an 800-inch curved screen viewed from 20 meters away. They also provide 3D capabilities when used to show appropriate content—you can find some on YouTube. Royole claims the 1920-by-1080-pixel screens simulate 3000 pixels per inch and have a 60 Hz refresh rate. You can adjust the lenses to provide from -7.0 to +2.0 diopters, which means that most people can use it with or without corrective lenses, which is good, since you can’t wear glasses with it.

That sounds impressive, but in my experience, the video quality was merely adequate, and with a Netflix show I was watching, not nearly as good as an iPad Pro, particularly in darker scenes. Even with tweaking the lenses to make each eye as crisp as possible, there was always some blurriness, particularly toward the bottom of the screen. The video quality of local movies did seem a little better than Netflix—if you cared, you could probably figure out the optimal settings for ripping DVDs or Blu-ray discs.

The built-in, noise-canceling headphones provide excellent audio. Royole claims the Moon’s headphones have a noise reduction percentage of >92% and noise reduction rating of >22 db. For more audio details, see the full specs.

The Moon runs the custom Moon OS, which is derived from Google’s Android. It has 2 GB of RAM and a 32 GB hard drive for storing content. That’s all built into an iPhone-sized box with jacks for connecting to the headset and to power, and a big power button for turning it on and off. It supports 802.11n Wi-Fi and Bluetooth 3.0 for wireless connectivity; there’s also a mini HDMI port and adapter cable for connecting it to other video sources. The box contains a 6000 mAh battery that charges via USB in 2 hours and promises 5 hours of video playback.

Although the cable tethering the Moon’s box to the headset is long enough that you could stash the box in a pocket in your clothing, it’s still awkward to manipulate it when you can’t see, and it’s easy to pull it off a table or drop it by moving while wearing the headset.

The headband is highly adjustable and even folds down so you can pack the Moon in a suitcase. Overall, the package gives the impression of being well-constructed, but I’d be leery of carrying it in my laptop bag given the abuse to which that bag can be subjected while traveling.

Royole Moon Software

Moon OS is fairly easy for basic usage. You’re presented with a horizontally scrolling screen of large icons, one of which is always selected. You switch between the icons by swiping left or right on the right earpiece. To navigate down into an icon, you tap the right earpiece; double-tapping brings you back up a level. Changing volume requires swiping around the outside edge of the right earpiece. (Apologies for the screenshots; it’s tricky taking photos through a lens, and they’re fuzzier on the edges than they look in real life.)

The list of icons includes:

• Wi-Fi and system settings
• YouTube, with a decent interface for browsing
• Videos, for locally stored videos
• Royole Lounge, an online service that provides free content
• Music, for local audio files
• Pictures, for local images, but there’s no slideshow, so you must navigate manually
• Browse, a functional Web browser with a painful onscreen keyboard
• File Explorer, for browsing the drive directly
• Netflix, which I discuss in a moment
• An option to install additional apps

Overall, controls are a little fussy, but not hard. That is, unless you want to install and use the Netflix app (it wasn’t pre-installed on my review unit; perhaps that has changed). Moon OS includes a full Web browser, but entering URLs or searching in Google from the onscreen keyboard is clumsy, slow, and error-prone. To “type,” you need to move a Mac-style pointer around by dragging on the right earpiece and tap on the earpiece when the pointer is over the letter you want to enter.

To install Netflix, you must type netflix.com in the browser, after which the Moon requests permission to load the Netflix app. And if you think typing a URL is bad, wait until you need to enter your username and password in the Netflix app. It took me 15-20 minutes to complete the task successfully. Royole apparently has a better approach for installing apps now and suggests that it’s a good way to install Hulu, Vevo, and the YouTube TV app. Presumably, any Android app would work, but don’t expect interactions to be easy.

For instance, navigating within the Netflix app is tricky. As with the Web browser and keyboard, you get a pointer. To scroll within the Netflix interface, you need to position the pointer at an edge of the screen. Tapping opens a show, and double-tapping brings you back to the main screen. It works, but will take practice before it becomes second nature.

I focused on Netflix because that’s where I watch most video, but I suspect Royole expects more people to load movies on the Moon and play them locally from the Videos app. Since it’s an Android device, you can’t connect the Moon to your Mac via USB and transfer video files directly. Instead, you need to use Google’s Android File Transfer app. It works to put your own content into the Movies, Music, and Pictures folders, but it isn’t as good an experience as if the Moon mounted on the Mac Desktop like any other volume.

Real World Usage

I’ll admit, I requested a review unit of the Royole Moon last year because it sounded tremendously cool. And you know, it does what it says—the video is decent, if not up to theater standards, the audio is great, and you can get around efficiently enough with the controls built into the right earpiece. (It took me a while to begin testing the Moon because I felt that it was a non-starter without the promised Netflix support, and for much of the time I had it, the Netflix app suffered from a crippling synchronization lag between the audio and video. That’s now solved.)

Despite its technical achievements, I haven’t found the Moon compelling because of its social and physical issues. Problems include:

• I found it extremely disconcerting to have my senses cut off from the outside world. Royole has promotional pictures of someone wearing a Moon in an airplane seat, but I can’t imagine cocooning myself off like that with no awareness of what the people around me are doing. I feel like wearing it would project a big “Steal my stuff” caption over my head.
• It may be a fashion statement, but it’s not a good one. I’m embarrassed to use the Moon in the house if I’m not alone, since I can’t tell when Tonya might come into the room. The first time she saw me wearing it, she said, “You look like a complete dork.” Whenever she walks into the room while I’m wearing it and taps me on the shoulder, I feel guilty, like I’m hiding something from her. And she’s clearly restraining herself from a snarky comment.
• Although Royole did a good job making the Moon as comfortable to wear as possible, it’s not light at 1 lb 7 oz (660 g). The highly adjustable and comfortable headband takes most of the load, but it still weighs on my nose and slightly hampers my breathing.
• It’s a little tricky to figure out the optimal position in which to watch, in part because of the weight. When I had the flu recently, I discovered that the Moon is great for being deathly ill, since I could lie flat on my back and look “up” at the screen. You can’t move around all that easily when wearing it, which makes changing positions awkward.
• If I’m too warm, or my face is at all sweaty, the lenses fog up. This can happen even when I feel comfortable—the problem is that the Moon creates a light-proof seal around your eyes. Although the padding has tiny air holes built in, they aren’t always sufficient. Cleaning the lenses helps only temporarily; if they’re going to fog up, I can’t use the Moon until I cool down.
• The optical trick that the Moon uses to make the screen seem 800 inches wide can be tiring on the eyes, possibly because you’re focusing quite closely while your brain tells you the image is far away. In fact, the Moon suggests that you might want to take a break after an hour. That’s in the middle of a movie, which might be hard, but I’d be hesitant to wear it for more than necessary to finish. It doesn’t seem like prolonged use would be good for your eyes.

I decided that the Moon is something I’d hardly ever use for these reasons. Similarly, I can’t recommend it generally, particularly in contrast with an iPad and earbuds, which would be cheaper, more comfortable, and more flexible.

On the other hand, if you live alone in a city apartment and are trying to block out external light and sound, the Moon might be worth a try. Test with a good blindfold and earbuds first, to make sure you don’t mind being cut off from the outside world. At $800, the Moon is not cheap, and its physical hardware and user interface are both a bit awkward, but it could be ideal for those who cannot otherwise eliminate distractions.

The best use case I saw in Royole’s materials is the dentist’s chair, where you really wish you were somewhere else anyway, and where you’ve already signed on for whatever bad might happen. If you frequently travel by yourself, the Moon might also work well for watching movies in hotel rooms. The company also suggests giving it to kids on long car trips, but again, an iPad is likely more appropriate.

In the end, the Royole Moon does provide an immersive experience, for good and ill. In Ready Player One, the main characters need to hide themselves away in the real world so they can participate fully in the virtual world. Apart from specific situations like getting your teeth cleaned, physical seclusion may be necessary with the Moon as well.

To be fair, many new technologies suffer from these conflicts with the real world to greater or lesser degrees. Radio, TV, video games—they all remove us from our surroundings to some extent, and the trend is increasing. I’m undoubtedly dating myself, but I still find it off-putting to share a sidewalk or a coffee shop with people wearing earbuds and staring at their phones. At least it’s possible to get their attention if necessary. While it’s common for teens to walk around like tech zombies, we’ve trained our son to remove his earbuds when he’s in the room with us, because they hamper basic human interaction.

The Royole Moon may not offer full virtual reality, but it is a step in that direction, as are products like the PlayStation VR, a virtual reality headset for the PlayStation 4 gaming console. Although I understand the attraction of virtual worlds and immersive experiences and appreciate that they have their place, I find the concept of augmented reality philosophically much more appealing. We cannot escape our bodies or our environment, so I’d prefer to see technology focusing on enhancing our experience of the world around us rather than trying to replace it.