The New Oil

Data privacy & cybersecurity for normal people

This month, gift-giving season officially begins in the United States (and several other places, I presume). It kicks off in full with Black Friday, but brands are increasingly starting their holiday deals as early as the beginning of this month. Consequently, this is the time to discuss safe shopping tactics. Below are updated online shopping tips, reflecting techniques and strategies I've picked up in the last year. (Note: some of the services I suggest offer affiliate programs, which The New Oil has signed up for. Affiliate links are clearly marked and are optional.)


I'll keep this one brief: there's a lot going on behind-the-scenes at TNO and there's always more to do, but I'm incredibly excited to announce that one of my longtime goals has finally come to fruition: The New Oil is finally available as a Tor hidden service, aka a “.onion” domain. Over the years I've had several readers write in to inform me of all kinds of small issues with accessing the site, from being falsely flagged on VirusTotal to CDN misconfigurations to being straight-up blocked by foreign ISPs. A hidden service is the holy grail for any privacy site such as myself: privacy-respecting, secure, and capable of bypassing censorship in even the harshest regimes. With this new offering, readers from anywhere in the world will be able to safely, securely, and anonymously access The New Oil's website, ISPs and other obstacles be damned.

While hidden services are riding a fine line of potentially being “out of scope” given my target audience, the required costs (in time, maintenance, technical proficiency, and finances) are quite low, and given that TNO explicitly states that we are not an adequate resource for high-threat-model individuals, I feel like this is a service we can confidently offer to give our readers an extra layer of privacy – even from ourselves (trustworthy though I may feel we are). That said, I am certain there is room for improvement, and if any of the more experienced readers out there see ways that we can offer our readers even more protection, please open an issue on GitLab or GitHub.

To access our new Hidden Service, simply navigate to in the Tor Browser as we already have the automatic redirect set up, so your browser will either automatically redirect you or at the very least offer to redirect you depending on your settings. If you'd rather go there directly, you can find us at vyrgfx4jz2lnejqduons56ph5xtsrtaoo7ovny53dd7okyzhfsgkzbad.onion. Thank you to everyone who made this possible and helps make The New Oil a little better every day. I look forward to many more privacy-friendly moves like this in the future!

You can find more recommended services and programs at, and you can find our other content across the web here or support our work in a variety of ways here.

This is an out-of-band blog post. If you're reading this (not on the day it was published via your usual subscription channels but instead because I shared this link directly with you), chances are you told me that an article I shared on the TNO newsfeed is paywalled. It's possible that this article was paywalled after I posted it and that what I'm about to share won't work. More likely, however, what happened is that my browser is set to block paywalls and yours isn't. Here's how to fix that.


If you haven’t read last week’s post, I highly recommend it to get up to speed. A quick recap for those who may have forgotten: The Privacy Dad shared a blog post about why his friend ended up abandoning Tutanota, citing a number of issues and difficulties he ran into. Last week, I examined TPD’s Friend’s criticisms, focusing specifically on the ones that I felt were areas that end users should improve on themselves – such as the need to be more flexible and forgiving as well as becoming a little more tech-literate when it comes to reading support documentation. (Before anyone starts telling me how I’m gatekeeping or blaming the users, please read the blog post in full.) However, that doesn’t mean that the developers are without room for improvement here. There are a lot of things that developers (and other members of the privacy community – myself included) could be doing to reduce the friction of onboarding and retaining “normies” with privacy tools. So this week, as promised, let’s focus on those.


Many of you may have come across this blog post from The Privacy Dad, which serves as a follow-up to a previous post titled “Privacy Tools Are Not Worth the Hassle.” A few years back, I had my “aha moment” in regards to privacy. Ever since, I’ve delved deeply into privacy, always cautious not to negatively impact my life too much, a topic I’ve written about many times. As such, I was very interested to hear directly from a user why they didn’t stick with Tutanota and what obstacles they had.

As I read through TPD’s Friend’s feedback, I had a lot of thoughts I wanted to share, both for end users and developers. This post ended up being much longer than I expected, so I’ve decided to split this up into two parts. This week, let’s dissect TPD’s friend’s criticisms that ultimately led them to decide that privacy tech was no longer worth it and see where we can improve on the end user’s side of the equation. I’ll put the developers on blast next time.


Disclosure: I have an affiliate link with Proton VPN that gives me a small financial payout if you sign up for a paid plan using it. You do not have to use this link; I provide a non-affiliate link at the end, and I tried my best to be unbiased in this review.

What is Proton VPN?

VPNs – short for Virtual Private Networks – are all the rage these days for various reasons, such as bypassing geographic restrictions to access foreign content. Unfortunately, VPN providers make misleading claims about what a VPN can and can’t do for their users. A VPN creates an encrypted tunnel between your device and the provider's server, safeguarding all your traffic from prying eyes, including your Internet Service Provider (ISP) or whoever owns the router (e.g., a public Wi-Fi network). After reaching the provider's server, your traffic continues on to your desired destination like normal. Proton is a particularly popular service provider in the privacy community.


Password managers are thankfully becoming a mainstream topic. In addition to seeing commercials for certain ones from time to time, it’s becoming more common for me to attempt to spread the word about good passwords only to be met with something like “oh I already use Dashlane/1Password/etc.” While it’s good for consumers that there are more options available, that also means it can be difficult for people to know what’s best since many companies are prone to exaggeration or poor practices (as we saw in the somehow still-ongoing LastPass data breach). So this week, I'd like to examine the three recommended password managers on the website and explain what I believe to be their use-cases, strengths, and weaknesses to help readers decide on the best password manager for them.


What is Threema & Why Do You Need It?

Threema is an end-to-end encrypted (E2EE) messenger available on Android and iOS. Linux, Mac, Windows, and web clients also exist, but you’ll have to create an account on mobile first before connecting them (similar to Signal). I have long advocated for the need for E2EE in your daily communications for both practical and philosophical reasons. Practically, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW content (if that's something you choose to engage in with another consenting adult). Philosophically, I believe that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.


About nine months ago, Henry and I made a comment on Surveillance Report 106 about how there's not enough privacy content out there aimed at parents. Neither of us are parents – and I can't speak for Henry but personally I've decided not to have kids – so while we may possess the “technically correct” answers to the problems parents face, we both know that the reality is much more complicated and nuanced: kids are people, too, and while they may still need the guidance and protection of their parents, there is no one-size-fits-all solution for every child, let alone every age. Children mature differently, have different personalities, and come from different backgrounds. When we talked about this on air oh so long ago, Henry quipped that a great name for such a project would be “The Privacy Dad” or “The Privacy Mom.” We never expected anyone to actually take up the mantle. I should really stop expecting to stop being taken seriously these days.


Disclosure: I have an affiliate link with SimpleLogin that gives me credit towards my own SL account. You do not have to use this link; I provide a non-affiliate link at the end, and I tried my best to be unbiased in this review.

In this review, I’ve decided to lump both AnonAddy and SimpleLogin into the same review because they’re so incredibly similar in their offerings and features, though I will note any differences between them. I don’t think of this blog as “AnonAddy vs SimpleLogin,” though I’m sure it will help anyone who’s on the fence decide between the two. Rather, I present this as simply two tools you can use to achieve the same protection. I keep referring to AnonAddy first because I’m listing them in alphabetical order.

