The New Oil

Information Security for normal people | https://www.TheNewOil.org | https://thenewoil.org/blog-index.html

This blog post is likely going to sound like tin-foil hat paranoia, but please hear me out.

We all like to think that we’re smart. That doesn’t mean we’re arrogant, it’s just human nature. I’m not even talking about the fact that we don’t know what we don’t know – therefore we may think we know a good bit about a subject when in reality we’ve barely scratched the surface. No, I’m talking about the absolutely dumb things we do. Story time: in my previous life as a freelance audio guy, I was once setting up the audio for an event. I plugged everything in, turned on the board, slowly pushed up the volume and… nothing. Absolutely nothing. I checked my connections. I checked the speakers. I tried a different mic. I spent a good 15 minutes or so troubleshooting. Why the heck wasn’t I hearing anything? Then, suddenly, I noticed the little red “mute” light above the master fader. Sheepishly, I turned the master down, unmuted it, slowly brought it back up, and there was my voice loud and clear. I got paid a lot of money that day to forget to check the mute button. Now, obviously making a dumb mistake like that doesn’t detract from my intelligence. I still know a lot and have a ton of experience. But it does show that no matter how long you’ve been at it, how many times you’ve done something, or how simple and obvious the fix is, sometimes you make mistakes.

Let me make a quick transition back to privacy and security: I despise being called an “influencer.” I prefer to think of myself as an educator, but I hope to god I’m not “influencing” anyone. That’s because most modern influencers are just advertisers, and I don’t want to advertise things, especially subtly. While I’m not a fan of ads, I don’t mind “this episode is brought to you by Sponsor” or the show pausing for a commercial. What I absolutely abhor is subtle advertising. “Here’s a review of a product that’s actually an ad” or – even worse – “let me tell you about this awesome new thing I’m into, but I was actually paid to say that and I don’t really use it myself.”

And now, let’s bring them together: we all like to think we’re smarter than we really are. You probably read that last paragraph and went “ugh, same. I would never fall for that.” But you probably have. Let me ask you this: do you have ANY products with logos on them? Laptops, phones, shirts, backpacks, etc? If the answer is “yes,” congratulations! You’re a walking ad for that product – and you actually paid THEM to advertise for them, no less. That’s not necessarily a bad thing. I buy shirts from bands I like, and I wear shirts for privacy-related companies I like. I want to advertise those bands and brands because I believe in them and want others to know about them. But you’ve probably never thought about it like that before, have you? It’s so easy to say “ads don’t work on me.” And some don’t. I have never seen a TV commercial for a product and gone “hey, I’m interested in that.” But I have seen a commercial for Taco Bell's latest menu item and gone “alright, I’m curious.” I don’t pay attention to billboards until I see one for DuckDuckGo and then stop mid-sentence to go “Ay! DuckDuckGo!”

A lot of people misunderstand the purpose of advertising. They think the purpose is to make you drop everything and sprint to the nearest McDonald’s to buy a new McHeartAttack, but that’s not it at all. In the 1980s, they called it “brand awareness.” The goal is to keep the brand on your mind so that next time you’re out of the office and going “man, I’m kinda hungry,” your brain remembers that McDonald’s has a dollar menu. (Note: so does Wendy’s, and their food doesn’t taste like cardboard and disappointment smothered in ketchup.) Sometimes the goal is also to create subconscious correlations. I once had the privilege of hearing a former marketing director for Coors speak. Dude is a genius. Sleazy, but brilliant. He said that they were one of the first companies to start marketing beer as “ice cold.” Do you remember Coors’ marketing campaign from a few years back? Icy, arctic mountains, cold fog everywhere. Why is that? Cold = refreshing. They didn’t want to say “go buy Coors.” They wanted you to associate Coors with cold and refreshing drinks, making you more likely to buy one. Gatorade does the same thing with energy and athletics: feeling thirsty, dehydrated? Gatorade will rehydrate you, get you going, help you crush it. (It’s got what plants crave, after all.)

So what does this all have to do with privacy? Because privacy can help break this cycle. Remember: we’re not as smart as we think we are. That goes for all of us, myself included. I’m not Prometheus bringing you fire, I’m a cancer patient in the same ward as you. My friends and I joke about the time I walked into Guitar Center and walked out with an Ibanez guitar and it wasn’t until I was in the parking lot going “did I just buy an Ibanez?” (Ibanez makes great bass guitars, okay regular guitars. I never thought I’d buy an Ibanez guitar, but I did once. It was okay.) We all fall for it. Look no further than the now-legendary Cambridge Analytica scandal. This was when a company accessed tons of user data from Facebook that they weren’t supposed to access and abused it, unarguably contributing in vital ways to the successful election of Donald Trump and the passing of Brexit in 2016. Facebook user data literally altered history. I’m not saying that Brexit wouldn’t have happened without Cambridge Analytica, it’s hard to know for sure because it was such a hot, controversial topic. Same with Donald Trump: I’m not saying that he would’ve lost in 2016 without them, but Cambridge Analytica executives admit to being responsible for keeping “Hillary’s emails” in the forefront of the national debate, in addition to tons of other issues that Americans will remember from that time frame.

It’s hard to explain how Cambridge Analytica worked, because just as with normal advertising, you read about it and go “how did people fall for that? I wouldn’t have.” But people did. The very, very broad version is that Cambridge Analytica used a quiz to access user data – not just those who took the quiz but also friends of those who took the quiz. This included all kinds of information like age, gender, likes, and more. They were then able to use this information to paint a picture of that person – for example, “this person is a Christian parent with conservative values” – and then cater specifically to that person. But it’s so much deeper than that. “This person is a Christian parent – age 34 – of two children – ages 11 and 4, both girls – with conservative values. Specifically they worry about the quality of the education system and feel that their values are being attacked by the left. They enjoy police procedural TV shows and listen to country music.” Cambridge Analytica would then use this data to serve ads from shell companies and fake Facebook pages set up specifically by them to say things like “Donald Trump wants to invest in education!” and show them country musicians endorsing Donald Trump and religious pages saying that Donald Trump is God’s choice of candidate. This is not hypothetical, this is exactly what happened. These pages might even post memes – like “remember Hillary's emails?” – or blatantly untrue news stories – also from “news” sites that were created specifically for profit without regard to reporting truthfully. And it’s so difficult to convey how insidious this truly was, because any American reading this goes “yeah, that’s pretty common” and “yeah, so what if they know all that information about me?” It doesn’t truly convey how effective this type of advertising is and how invasive the data actually is.

Take a moment real quick to skim this article from Signal about targeted advertising on Instagram for some better context about how granular and invasive ads can be.

And look, I’m with you. I don’t mind targeted ads. The problem is when ads don’t look like ads. Because that’s – in my opinion – one of the biggest issues that made the Cambridge Analytica incident so successful. It’s one thing to say “sponsored post” at the top. It’s also okay to say “and now a word from our sponsors.” But what happens when a post looks like any other post? What happens when you think someone is genuinely saying “I think Trump is God’s candidate” and you don’t know that person is actually an atheist leftist being paid to post that to help someone else win a position of power? How do you know that person really shares your values if they’re willing to invest so much time and resources into lying about it just to get that seat? I’m not trying to be political here, I think we can all agree that this is disingenuous and destructive. It’s a betrayal of trust for your own ends. And sure, all politicians are liars – claiming to be “believers” when they aren’t just for votes – but that’s not the point. Focus here. The problem is that you’re being assaulted with it, 24/7 and often in very subtle ways. We’re not as smart as we think we are. We can’t always detect it. And if you aren’t aware of what’s happening, how can you defend against it?

Cambridge Analytica was not an isolated incident. There are still many companies and intelligence agencies – many from Russia, China, and Iran – that run fake social media profiles and organizations designed to sow chaos and disruption. They question facts, promote candidates, and sow disinformation and sensationalized headlines all in an effort to cause further division and confusion. I said at the top this post would sound like tin-foil hat stuff, but it’s not. This is real. It’s still happening all around the world as we speak.

So how can privacy help us fight back? In two ways: first, by closing the door. They say that the average person sees 6,000 – 10,000 ads per day. Remember that in this context, “ads” includes everything from billboards, t-shirts with logos, radio ads, TV commercials, and yes – those fake videos and posts that claim to be legitimate endorsements but are really paid ads. One of the major tenets of digital privacy is minimalism: don’t sign up for an account unless you really need it. Do you really need Facebook AND Instagram AND Twitter AND TikTok AND Snapchat AND…? Probably not. Pick the one or two you use and stick to those. (Better yet, delete social media altogether because those companies are highly invasive to your privacy – don’t forget that Cambridge Analytica didn’t collect all this data themselves, they stole it from Facebook.) By limiting the number of accounts you have – whether that’s social media accounts, streaming accounts, online shopping, etc – you’ll be exposed to fewer ads targeted specifically to you.

Second: the targeting. If you must use an invasive advertising platform like Twitter or Hulu, privacy helps reduce the accuracy of the information. By blocking trackers and ads, opting out of invasive platforms that collect data, and using privacy tools like encrypted email and VPNs, you’re reducing the amount of data flowing to these organizations, which makes it harder for them to build an accurate profile on you and thus harder for them to accurately advertise to you. Like most of you, I get tons of political campaign SMS messages around election season. These people seem to think I’m a black Democrat from Ohio. (Spoiler alert: I’m white from Texas, I won’t disclose my political leanings but I will say it’s not “Democrat.”) If you’re pro-life, it’s pretty hard to fall for a pro-choice ad no matter how subtle. If you’re an “ACAB” person (for those who don’t know, that basically means “vehemently anti-cop,”) then a “back the blue” ad is just gonna make you laugh in derision. By regaining your privacy, you’re reducing the chances that they can accurately serve you an ad that actually sways you.

Before I go: I think changing your mind is good and healthy. I don’t think anyone knows everything. I have my political opinions, and I’m sure some of them are wrong. But I don’t think that it’s good to have your mind changed subliminally by people who just want power and money. I think your mind should be changed by healthy, transparent discussions and evidence. So whatever your political leanings reading this: be open-minded. Be willing to change your opinions. But protect your privacy so that people aren’t manipulating you, changing your opinions for you, and tricking you by taking advantage of your loyalties to make you do things you wouldn’t normally otherwise do.

Privacy matters. I’m sorry for the long post, and I apologize if it seemed very messy and paranoid. Like I said, this stuff sounds hard to believe for some, and for many it’s hard to wrap our minds around how it could work so well, but it did and it does. Don’t let it happen again. Protect your privacy.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

I always say that the privacy and security landscapes are constantly evolving, so it seems only fitting that my annual “safe shopping” blog post should become a yearly tradition.

With gift-giving season officially beginning in the United States (and at least a few other places, I presume), I figure this would be a great time to discuss safe shopping tactics. I don’t feel like this needs any sort of real introduction, it’s pretty self-explanatory, so let’s begin.

  • Pay with cash in person. There’s a large push for card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-crazy, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.

  • Of course, online shopping has long been popular, and even moreso this year. For online transactions, use pre-paid cards (such as the Vanilla card) or card-masking services like Privacy.com, MySudo, Blur, Revolut or LastCard to avoid having your real information stolen. If a scammer steals your information, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. Be aware that all of these services have to adhere to various Know Your Customer laws, so they will ask for some personal information that some people may not be comfortable with. I have a comparison of these different services here so you can find the one for you.

  • Use a masked email address. All that online shopping data will be sold to anyone and everyone you can imagine. By using a masked email address, you're getting a number of advantages. First, you can break up your “marketing profile” by making it harder (but not impossible) for companies to correlate purchases (if you use the same email/card on two websites, that's obviously you). Second, you can more easily control phishing – and more practically, spam. Once an address gets sold or leaked and starts getting Nigerian prince emails or nonstop marketing “here's other crap you don't care about” messages, you can simply shut it off. Poof! Goodbye spam! Finally, you make it harder for a malicious actor to track you across multiple sites or know which email service you use to attack you. Email forwarding services are a subtle but powerful tool in the data privacy and protection arsenal.

  • Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the cybercriminal who hopefully didn’t steal your information because you already implemented the above bullet points.

  • Don’t quit on December 26. The thing about these habits is that they’re great year-round, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. Forwarding email addresses can be used year-round to manage newsletters, giveaways, various accounts you use, etc. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. The email masking services I recommend offer apps and plugins for quick, easy use in your day-to-day. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work (if you have a concern about stalkers, you may want to consider getting one in a nearby town instead). Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!


What is XMPP?

Trying to review XMPP is a lot like saying I’m gonna review soda. Sure, it’s a drink, but after that there’s so much variation that it’s hard to give a blanket review. With that in mind, let me attempt to review soda this week.

XMPP is a chat protocol – like Matrix. In fact, it is a pretty old school protocol and has been around since the early days when the internet belonged to the nerds alone. Don’t let that fool you, though, you’ve likely used it. A large number of tools you use in your daily life are powered by it, including Google and Apple push notifications and Google Cloud Messaging (now called Firebase). In the past AOL, Skype, and Facebook all experimented with supporting XMPP.

The Good

There’s a lot to love about XMPP. For starters, it can be anonymous. The key word there was “can be.” As with 99% of privacy, it’s not the tool itself but how you use it. Most servers don’t require any information to sign up, except maybe an email address and I’ve never seen one that actually verified it or rejected it for being a forwarding email address. So assuming you use a VPN, a clean hardened browser, and a unique username, congratulations. You’re more or less anonymous except against the most advanced threats. You may actually be hidden from them, too, but there are other factors involved there and this isn’t really the time or place. The point is the potential is there, probably moreso than any other chat option.

The next great thing about XMPP is that it’s decentralized. Easily. You can easily host your own server, or use any available server. This also means that some servers are located in privacy-respecting countries like Switzerland, Germany, or Iceland. Or you can host your own in one of those countries.

The final pro is the apps. Because XMPP is open source, so are the apps, which means there’s a variety to pick from. Monal (iOS) and Conversations (Android) are among the most polished and common, and should be easy to use for almost any moderately tech-comfortable user. Some of them even offer phone calling capabilities – assuming your server also offers this – allowing for a total VoIP solution for those willing to put in the work to set it up.

The Bad

XMPP’s strengths also make for its weaknesses. Because it is freely decentralized, not all servers support the same features like voice calling – or even have the latest security updates. Likewise, some are in privacy-unfriendly countries like the US or Australia. Additionally, end-to-end encryption must be manually enabled with each conversation – and depending on the client you use, that can sometimes be glitchy. Finally, on the topic of servers and decentralization, never forget that a server admin can easily see all your data, so make sure you use encryption and that you really trust the server.

To the best of my knowledge, the XMPP protocol has not been audited – though some of the clients have been. If this is incorrect, please someone contact me and let me know (with sources) and I’ll update both this blog and the site accordingly. Finally, XMPP is not always user friendly. While joining an existing server is a pretty straightforward process – and most of the best apps have made signing into that account (or making a new one) equally simple – those who are not confident with technology may be easily scared off by XMPP. It can be overwhelming, as they do not offer a default server like Matrix does. It’s entirely on the user to get set up, and unless you’re guiding someone through it they might feel overwhelmed.

Conclusion

XMPP is honestly probably the near-perfect, near-ideal solution for privacy. It’s decentralized, self-hostable (is that a word?), capable of end-to-end encryption, capable of voice calls, and open source. Perhaps the only thing keeping it from mainstream adoption is that the sheer freedom it offers can make it daunting to those who don't consider themselves “techy.” If you’ve never tried out XMPP but you’re confident with your software tinkering skills, I highly encourage you to check it out. If you like it and feel comfortable, perhaps you can be the one who guides those around you into it.

You can learn more about XMPP here and get started with their recommendations for clients and servers here.


As we round out cybersecurity awareness month, I wanted to close out by bringing different types of security strategies to the attention of my readers. In my opinion, all of these strategies have good aspects and all of them should be used to varying degrees, but not one is perfect. Before I explain further, it would be helpful to know what I'm talking about. So let’s go through some of the most common security strategies out there. This is probably not a comprehensive list, just the ones I see and hear about the most. This list is in no particular order.

1. Security Through Obscurity

This is probably the most commonly talked about strategy. Security Through Obscurity relies on secrecy as the first line of defense. For example, proprietary software. The first line of defense is that the source code is not open. It cannot be easily reproduced or audited, thereby leaving an attacker (or researcher) to simply take a guess at the best point to begin their attack. In the privacy world, we often see this strategy employed with data removal. Once we’ve gone through the basic, “easy” stuff like adopting secure passwords and switching to encrypted providers, it’s common for people to start taking an interest in removing themselves from the internet. This could take the form of deleting old accounts or removing their information from people search websites. It's hard to steal my identity when you can’t find it in the first place, after all.

It’s worth noting that in many circles, “Security Through Obscurity” refers specifically to purposely covering up known flaws. I think this still applies with my data removal example. After all, my identity is my identity. I can’t change my birthday or social security number. They’re weak spots. The only way I can harden them (aside from a credit freeze) is to hide them. Security Through Obscurity is sometimes a lazy out, but sometimes it’s the only (or last) solution available.

2. Security Through Obfuscation

I don’t know if this is a real term, but I’m referring to disinformation. This is a blog post I still need to make in full as I think this is a strategy that is often unspoken and under-represented in the privacy community. Disinformation in this context refers to intentionally (but legally) spreading fake information about yourself to poison any marketing profiles or waste the time and resources of any potential attackers. That attacker could be a private investigator or simply an angry internet troll. In both cases, they have finite resources – the amount of money the client has to spend or the amount of time they can waste on doxxing you, for example. The more time they waste chasing fake information, the more likely they are to run out of resources before they find anything useful on you.

3. Security Through Obsolescence

Fun fact, in a nearby town there’s a “Floppy Disk Repair Store.” I am 100% convinced that this store is some kind of front for illegal activity. Probably money laundering. No one can convince me otherwise. Has anyone even seen a floppy disk in the last decade other than the save button icon? But believe it or not, many government agencies still use severely outdated technologies like analog tape or floppy disks. In some cases, this is because of lack of funding, but in many cases this is intentional. If something is so old that modern cracking tools don’t work on it, then it becomes secure simply by that virtue alone. Sure, maybe your floppy disks aren’t encrypted, but who cares when it’s literally impossible to get your hands on a device to even plug the floppy disk in and read it? At least, that’s the logic. Some of the most important government devices are using technology that goes as far back as the 1980s for this reason. Like I said, there’s other reasons peppered in there – stability, funding, etc – but that’s definitely one of them.

“Ogres Are Like Onions...”

So which of these strategies is best? None of them. Security Through Obscurity relies on you being 100% hidden 100% of the time, which is basically impossible for anyone. Security Through Obfuscation hinges on the idea that the attacker will run out of resources before they find your real information, which may not be the case if your real information is equally as prevalent. And Security Through Obsolescence makes a lot of other tradeoffs and assumptions.

The best strategy, in my opinion, is a mixture. Take Obscurity and Obfuscation for example: I try to remove as much personal data from the internet as I can. In return, I seed a lot of disinformation. I use fake names, fake addresses or PO Boxes, fake or burner phone numbers, fake birthdays, etc. By combining both of these strategies, I create a lot of “noise” that any attacker would have to sift through, burying any real information that accidentally gets overlooked by my Obscurity practices. This makes it more likely to not get noticed, or to get dismissed as more fake information.

What about Obsolescence? Is there a place for that in our lives? Yes, but with a caveat: it largely depends on your threat model. For example, keeping a physical calendar may prevent your sensitive appointments from being caught up in a data breach, but if you have a high risk of a physical stalker or attacker, leaving your calendar in an unencrypted, anyone-can-access-it format might be incredibly risky. Another example would be keeping your finances in an offline spreadsheet. It may be great to protect your privacy from data-hungry financial services, but if you’re secretly stashing away money to leave your abusive partner then leaving that on a shared computer could be a recipe for disaster.

Even with a low threat model, Obsolescence requires a balance. Keeping a copy of Windows XP because it has less telemetry than Windows 10 is incredibly dangerous, especially if that device is connected to the internet. It no longer receives security updates, making it risky and vulnerable to attack. Even making it air-gapped (disconnected from the internet) may not be a good solution as researchers are continually finding new (and interesting) side-channel attacks that compromise air-gapped machines. Remember: nothing is unhackable.

So ultimately, just remember that there’s rarely one way to do things. When I was younger and early in my career, I got a great piece of advice: “you’re gonna have some great bosses, and you’re gonna have some terrible ones. When you get the great ones, figure out what makes them great and copy that aspect of them. When you meet the terrible ones, figure out why they suck and make an effort to avoid doing that.” Privacy and security are the same way: don’t take an entire strategy or solution as gospel. Figure out the bits and pieces that work and figure out how to use them to make your security posture better. And likewise, when you learn of someone’s failure, take lessons from what they did wrong and learn how to avoid those same mistakes.


What is Zero-Knowledge/End-to-End Encrypted Email & Why Do You Need It?

Tutanota is one of the more popular end-to-end encrypted (E2EE)/zero-knowledge email providers out there, largely considered the main competitor to ProtonMail. A zero-knowledge provider means that they can’t read your inbox, which is – in my opinion – a must-have for any person who values their privacy and security. Many people argue that zero-knowledge email providers are overhyped – or worse – because you’re only securing half of the chain. If I email someone at a Gmail address, the contents are still exposed on Google’s servers. However, in my opinion, that’s still cutting your attack surface in half. If we’re both using Gmail – or if one of us is using another provider like Yahoo – that’s just twice the opportunity for a data breach, warrants, or an insider threat. Sure, you may not get the full benefit without both parties using encryption, but it still counts for something.

The Good

The main thing that sets Tutanota apart from other recommended email providers, in my opinion, is that they use a modified version of PGP that encrypts more content than usual. Normal PGP does not encrypt metadata, specifically the subject line, sender, and recipient (source). This is much more than Proton or CTemplar’s simpler “content and attachments” policies.
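To make the point about normal PGP concrete, here is an added example (not from the original post or from any provider's code). It parses a constructed PGP/MIME message the way a mail server stores it and reports which fields stay readable without the recipient's key. The addresses, subject and armored block are made up, and the block is a placeholder rather than real ciphertext.

```python
from email import message_from_string

# Constructed sample of an RFC 3156 (PGP/MIME) message as a provider stores it.
# Addresses and subject are made up; the armored block is a placeholder,
# not real ciphertext.
PGP_MIME_SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 salary review
Date: Mon, 01 Jan 2024 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(placeholder standing in for the encrypted body)
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample of the same mail sent with no encryption at all.
PLAIN_SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 salary review
Date: Mon, 01 Jan 2024 10:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Call me when you can.
"""

METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")
ARMOR_START = "-----BEGIN PGP MESSAGE-----"


def provider_view(raw):
    """Return what someone holding the stored message, but no private key, can read."""
    msg = message_from_string(raw)
    view = {
        # Routing and display headers sit outside the encrypted part.
        "headers": {h: msg[h] for h in METADATA_HEADERS if msg[h] is not None},
        "pgp_mime": (
            msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"
        ),
        "encrypted_parts": 0,
        "readable_body": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload()
        if ARMOR_START in payload:
            # Only this part is protected by the recipient's key.
            view["encrypted_parts"] += 1
        elif part.get_content_maintype() == "text":
            view["readable_body"].append(payload.strip())
    return view


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", PGP_MIME_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, provider_view(raw))
```

Both samples expose the same sender, recipient, subject and date; the only difference PGP makes is that the body text is no longer readable.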

Just like Proton, Tutanota also offers a zero-knowledge calendar which – unlike Proton – is accessible within the app for both iOS and Android. Like Proton, Tutanota is powered by renewable energy (if that’s a thing you care about) and like both Proton and CTemplar, Tutanota offers a way for you to initiate secure conversations with non-Tutanota users. They are also based in Germany, which has strong consumer privacy laws, and they are known for having a much lower price than Proton (great for those on a budget) and having outstanding customer service. (I can attest to both: while both offer great customer service, I have personally noticed that Tutanota seems to go above and beyond in my experience). Tutanota has further expressed their support for the open source community by offering free Premium features to open source software projects (source). They also offer submission forms, and while they may cost a bit too much for my own basically solopreneur project, they should be easily affordable for most small/medium-sized businesses, which means companies now have an easy, drag-and-drop solution for clients to securely contact them. Also they created their own alternative to the CAPTCHA to further de-Google themselves, so that’s cool.

The Bad

I like Tutanota, I really do, but as with every review I do, nobody is perfect. Let’s start with the two biggest dings for me: the first is their modified encryption. Since Tutanota is not based on pure PGP, that means there is absolutely no way for a non-Tutanota user to initiate secure communication with Tutanota users. With Proton or CTemplar, I can post my public key and any PGP user – even those who don’t use the same service – can email me securely and start the conversation. With Tutanota, the only way to start a secure conversation with me is to also be a Tutanota user.

Next, Germany. While Germany does indeed have strong privacy laws, they have also repeatedly expressed their eagerness to join the Five Eyes intelligence community. It’s pretty hard to accept that a country who wants to be part of the most invasive, illegal, unethical, and comprehensive surveillance network ever seen also has my privacy in mind. Now of course, that doesn’t mean Tutanota is a sham. I’m a US citizen and yet I personally take privacy very seriously. The country you’re based out of doesn’t necessarily reflect your own values. However, it does mean that you are subject to their rules, which has already come back to bite Tutanota at least once.

Finally, there are a few other small dings against Tutanota that largely come down to personal preference. They do have a desktop app, but it’s Electron-based. As a non-programmer, from what I understand that means it’s basically just the website wrapped in an app and generally insecure. Their mobile app is notoriously slow. Tutanota’s web client has been audited, but not their servers (though one could make the argument that if the client is secure and does what it claims then the servers hardly matter) and not their mobile apps (though they claim their mobile apps use the same protocols and standards as the web app, so they should – in theory – be equally secure). And, this is just personal experience, Tutanota seems to get DDoS’d a lot. At least once every couple months. For most of us, I don’t think we do anything so time-sensitive that this matters, they usually have it fixed within a couple hours, and I guess there’s also the argument to be made that when you’re meeting resistance you’re probably headed in the right direction (video game logic), but still, that can be an issue for some.

Conclusion

Email is not secure. I think that’s worth pointing out. Email was never designed to be 100% secure. You never know who might print it or forward it, and there’s also a bunch of super-technical issues with both email itself and PGP that literally cannot be fixed. You should never trust your life to email (which is why Snowden didn’t just email his documents to people). But also, email is still a widely-used tool that permeates almost every service we use in some way, shape, or form. For that reason alone, it’s worth trying to get a secure email provider to mitigate the risks as much as possible. And, truth be told, you can’t do much better than Tutanota. There are a few niche things that make other providers more appealing – more features, better jurisdictions – but Tutanota has repeatedly proven themselves to be advocates and friends of privacy, with an equally long history of striving to be as secure, private, and user-friendly as possible. In your quest for an encrypted email provider, you’d be making a huge mistake not to check out Tutanota and give them a chance.

You can learn more and sign up for Tutanota here.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

In my first blog post this month, I decided to focus on cybersecurity basics in celebration of October being Cybersecurity Awareness Month. Originally the blog was “5 Cyber Security Basics” and included Network Security as #5, however as I began to write that portion it quickly ballooned into a bigger topic that nearly doubled the post length and deserved its own deep dive. So this week, let’s pick up on that topic and really dig in.

If you have internet at home – as most of us do – you can leverage your router for added device protection, and in some cases add protections that may otherwise not normally be available. For example, a smart TV rarely (if ever) allows you to load a VPN on the device, but putting one on your router can give you that same protection. Here are a few basic pieces of network protection that I will discuss in order of accessibility:

1. Change default passwords

Try this: go to your favorite privacy-respecting search engine and search “[your router model number] default login.” You may be surprised to see that your router probably has a pre-programmed login – especially if it’s inexpensive – and that many forums and websites share that default information for lots of perfectly valid reasons. Most people don’t bother to change this information, and furthermore most people don’t bother to change the router’s default IP address – usually 192.168.1.1. If an attacker were able to access your network, they could easily find your router login page, determine what type of router you’re using (it usually says on the login page) and then do the same search you just did. So the first line of defense that anyone can do is to change the default login on your router. At bare minimum, you should change the password, but most of them also allow you to change the username too. You should also change the default IP address while you’re at it.

2. Use a good passphrase for the WiFi

If you’re like me, the first question you ask in most new places – especially if it’s someone you know somewhat well – is “what’s the WiFi?” If you set up your guest WiFi appropriately – discussed further down – then you’ll probably be more than happy to let people login. But you also want to make sure only approved people log in. The easiest way to do that is to use a strong password, but trying to tell your friends to login using the password “h+h{u3eUda.i2k7E” is a nightmare. Instead, I personally have found it extremely easy to use a 6-word passphrase for the WiFi, then when people ask I say “it’s all lowercase, with spaces” then read off the words to them one at a time (or just hand them a piece of paper). Your friends may laugh at your over-the-top password, but in my experience they also express a degree of respect for having such a strong one and because it's all words it's still relatively easy for them to put in.

3. Enable a firewall

Most routers come with a built-in firewall. This may or may not be sufficient for more advanced tasks, like blocking known IP addresses of trackers or porn sites (if you want child-friendly filters), but they should do a decent enough job of keeping outsiders from being able to probe your network. A good firewall will block most connections unless you initiate them, meaning that your experience should change little, if at all, while outsiders are thwarted. Personally I like the “try it and see what happens” approach. If you enable a firewall setting and it turns out to be too much, you can always disable it later.

4. VPN

Some routers possess the ability to load a VPN onto them. Not all routers support this – usually the one your ISP issues you and the cheapest ones you can buy yourself don't – but it is increasingly common, even in the mid-range “off the shelf” routers you'd find at any given big box store. If your router supports a VPN, this is a great way to work around the simultaneous connection limits of less expensive plans – a router on your VPN only counts as one connection, even if you have a dozen devices connected to it. Not to mention, as I said earlier, many devices like smart TVs or home assistants don’t allow you to load a VPN directly onto the device, but loading it onto the router can allow you to safely hide them behind the tunnel anyways. (Of course, I encourage you to be judicious with your IoT devices, but sometimes they’re unavoidable.)

If your router doesn’t support a VPN, it almost certainly supports changing the DNS. While this provides significantly less privacy than a VPN, I still encourage you to switch to a DNS provider that provides content blocking if a VPN is not an option. Some of the providers listed here provide lists that block known trackers, malware, ads, and even adult websites if you have kids.

5. VLANs

Just as some routers support VPNs, some nicer routers also support VLANs. VLANs are Virtual Local Area Networks. To put it in simple terms: VLANs are isolated subnets within your network. Two devices on separate VLANs will treat each other as if they’re in separate parts of the world, even if they’re right next to each other and connected to the same router. This can be a powerful piece of defense against malware: if your smart TV gets compromised but is isolated to its own VLAN, the malware is unable to spread to other devices on other VLANs. If your router supports VLANs, you should set these up. Generally speaking, the minimum recommended setup is to have an isolated guest WiFi, an isolated WiFi for people who live in the home, and an isolated IoT network – whether WiFi or hardwired – specifically for IoT devices. You can add more if your router supports it and you feel the need.

6. Update the Firmware

As with most firmware, router firmware typically doesn't get updated very often, if at all. When purchasing a new router, be sure to check and make sure that it does indeed get updates. In a perfect world, you should get one that has automatic updates, but in my experience those are rare (if they exist at all). Instead, the next best solution is to set a reminder to periodically check the manufacturer website for new firmware and update the router manually. Personally, I recommend at least once every six months, but of course you're always welcome to do that more often if you want.

This is also a good time to mention flashing custom firmware such as DD-WRT, OpenWRT, or Tomato onto your router. It's likely that stock router firmware – from companies like Linksys, Asus, or Netgear – collects at least some degree of user data, even with things like VPNs enabled. Using an open source firmware will likely reduce much – if not all – of this data collection, and reduces the likelihood of software backdoors. These can take some time to adjust to and require specific routers, so be sure to do your research. I personally have been using DD-WRT for over a year now and have found it more than enough for my needs. Your needs and resources may vary.

Conclusion

As with anything in the privacy game, there’s always more to do. This is just scratching the surface of ways you can secure your home network. But just using these few techniques will put you miles ahead of most people and give you a relatively secure and private network you can use at home to help protect yourself from snooping ISPs and trackers, non-targeted malicious attacks, and just give yourself a lot more safety and peace of mind.


What is Wire & Why Do You Need It?

Wire is an end-to-end encrypted (E2EE) messenger available on Linux, Mac, Windows, Android, and iOS. I have long touted the need for E2EE in your daily communication platform for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical. I’ve gotten to the point where encryption is such a normal part of my life that I feel uncomfortable talking about serious subjects on unencrypted channels these days.

The Good

Wire has a lot of valuable features. In addition to the obvious things that make it recommended by this site such as being open source and audited, one major advantage of Wire is that it is username based. You can sign up entirely anonymously by signing up on desktop, using a VPN (or Tor), and using a throwaway email. Even without hardcore anonymous signup, you can still retain a great deal of privacy by using a forwarding email address and not submitting a phone number or real name. And because you pick a username, that means you can privately communicate with others without having to provide any personal information like a phone number to that person. You can also have up to three accounts on a single device, allowing you to easily compartmentalize work and personal life.

According to their privacy policy, Wire does not retain any encryption keys, and uses TLS to encrypt metadata when possible. They claim not to retain copies of encrypted data after it has been delivered, and to only keep technical logs for 72 hours for the purposes of troubleshooting and abuse-prevention. If I remember correctly, analytics were opt-in (not on by default) when I signed up for an account.

Ultimately, I think Wire’s biggest features are the universal availability in terms of devices and the support of usernames. These two features alone make it a powerful choice worth considering.

The Bad

However, Wire is not without its drawbacks. The privacy policy I linked doesn’t contain any information about the data they collect, be it detailed or vague. For example, they just say they collect “technical data” in the logs I mentioned before. It’s also worth noting that their exact jurisdiction is fuzzy: Wire itself is based in Switzerland, but the holding company that “owns” them for funding purposes is based in Germany – which is largely considered a country with strong consumer privacy laws, but they have a pretty eager history with surveillance.

Perhaps the single biggest drawback I noticed right away was how slow it is. Wire is very slow. I can’t emphasize that enough. Not just in the sending/receiving of messages but just in the general operation. Without dating myself too much, I grew up in the dial-up days. I know what slow internet and slow devices are like. Wire isn’t that slow by comparison, but by modern standards it is very slow. Loading new pages, sending a message, all of that stuff takes a good second or two, sometimes three.

It’s also relatively lacking in features. Wire’s business model is to focus on companies, so it makes sense they wouldn’t have all the trappings that other messengers like Telegram, WhatsApp, and Signal have adopted in order to reel in the casual user, but even so it was a huge culture shock moving from Signal to Wire while testing for this review. Group chats are a thing, and so are voice and video calls, but no voice messages, GIF support is clunky at best, and no ability to quote and reply to specific messages (that last one does seem a little weird even for Wire – I know firsthand that group workplace chats can get very confusing very fast without that ability).

Last but not least, it’s important to know what got Wire booted from Privacy Guides in the first place: changing the privacy policy without announcing it. While this is common for many services, it’s troubling for privacy- and security-advocating services in particular. Based on the most recent privacy policy I read, this still seems to be their practice. (It’s worth noting that this blog cites an article that says Wire stores unencrypted metadata. I was unable to confirm if this is still true, and as I mentioned Wire’s own privacy policy is quite vague on what constitutes a “technical log.”)

Oh, and it’s also worth noting that Wire is centralized. A premium feature does allow it to be federated for enterprises, but for the average free user, the main centralized server is your only choice.

Conclusion

Wire is far from perfect, but to be honest there is no perfect messenger in the privacy space. The ones that are user-friendly usually have glaring flaws, and the ones that are almost perfect are usually nightmarish to implement and/or use. Wire is definitely not for everybody, however I think it offers some powerful advantages – much of the metadata collection can be outsmarted with a simple VPN and a forwarding email address (and by using it on desktop only, if your threat model is that severe) – and the ability to have a username instead of a phone number is something that can’t be discredited. However, I don’t think Wire is right for everyone. Again, while it is user-friendly it’s also missing a lot of mainstream features that you would find in something like Signal that you might be able to use to lure in your non-privacy-centric friends, and even services like Matrix offer a plethora of features alongside decentralization. Ultimately I think Wire might be a good trade-off between Matrix and Signal: a little more user-friendly than Matrix, but doesn’t require a mobile device like Signal does. Ultimately, as always, it depends on your needs and threat model.

You can learn more and download Wire here.


October is Cybersecurity Awareness Month! In keeping with the theme, this month I’ll be sharing some thoughts on the security side of privacy and security. Let’s start with a quick review of the basics, and for anyone new to this stuff, consider this a “getting started” guide.

1. Strong Unique Passwords

The single most important thing you can do to protect your accounts is to not reuse passwords, and to make sure that each password is strong. What does “strong” look like? Conventional wisdom says at least 16 characters. I like to future-proof and say at least 30 or more if the site allows it.

Passphrase or password?

This is where we arrive at the never-ending debate about whether passphrases or passwords are better. A good, strong, password is a randomly generated set of uppercase letters, lowercase letters, numbers, and special characters. A good, strong passphrase is a series of randomly-selected words (five or more words).

Many people argue that a passphrase is superior to a password because of the length. The crux of this argument mainly rests on the fact that most people tend to use short, easily-remembered (and therefore easily-guessed) passwords. It stands to reason that a randomly-generated passphrase of five or more words is better than a password because even a short passphrase would be 25+ characters and a criminal would have to guess every possible combination of uppercase letters, lowercase letters, numbers, AND special characters. Each character you add exponentially increases the amount of time spent guessing.

However, this argument also rests on the idea that you have to remember your password. There are definitely some that you have to remember, like the password to unlock your device or to login to your password manager (which I’ll discuss in a moment). Those should definitely be passphrases so you can get the best of both worlds: easy to remember, but still long and secure. Beyond that, I don’t think there’s a right answer. Without going into technical detail, from a cybercriminal’s perspective, a 30-character passphrase and a 30-character password require the same amount of work to crack. It’s entirely personal preference. Personally I prefer to go with passwords because most sites will require uppercase, lowercase, numbers, and characters anyways, and it saves me the time of switching my password manager back to “password” mode from “passphrase” mode, but again that's just personal preference. As long as they're long enough, there's really no difference. (But I wouldn't go around advertising that you use a passphrase if that's your choice, for reasons that fall outside of the scope of this post.)
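To put numbers on the comparison above (and on a six-word WiFi passphrase), this added example, which is not from the original post, generates both kinds of secret with Python's `secrets` module and estimates guessing work in bits for an attacker who knows how the secret was generated. The 32-word list is a constructed sample, the 7,776-word size is that of the EFF long word list, and all function names are illustrative.

```python
import math
import secrets
import string

# Constructed 32-word sample list so the example runs offline. A real generator
# should load a large published list; the EFF long list has 7,776 words.
SAMPLE_WORDS = (
    "anchor basil candle dragon ember falcon garden harbor "
    "island jacket kettle lantern marble nectar orchid pepper "
    "quartz ribbon saddle timber umbrella velvet walnut yonder "
    "zipper acorn bridge copper dune engine forest glacier"
).split()

# Uppercase, lowercase, digits and special characters: 94 printable symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words=SAMPLE_WORDS, count=6):
    """Pick `count` words independently with a cryptographic RNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_password(length=30, alphabet=PASSWORD_ALPHABET):
    """Pick `length` characters independently with a cryptographic RNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_bits(pool_size, picks):
    """log2 of the search space when each of `picks` elements is drawn
    uniformly from `pool_size` options and the attacker knows the method."""
    if pool_size < 2 or picks < 1:
        raise ValueError("need at least 2 options and 1 pick")
    return picks * math.log2(pool_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches `target_bits`."""
    per_word = math.log2(wordlist_size)
    # The small epsilon keeps float noise from rounding an exact answer up.
    return math.ceil(target_bits / per_word - 1e-9)


def comparison_table():
    """(description, bits) rows for the secrets discussed in the post."""
    return [
        ("5 words from a 7,776-word list", guess_bits(7776, 5)),
        ("6 words from a 7,776-word list", guess_bits(7776, 6)),
        ("16 random characters from 94", guess_bits(94, 16)),
        ("30 random characters from 94", guess_bits(94, 30)),
        ("6 words from the 32-word sample list", guess_bits(len(SAMPLE_WORDS), 6)),
    ]


if __name__ == "__main__":
    print("passphrase:", generate_passphrase())
    print("password:  ", generate_password())
    for label, bits in comparison_table():
        print(f"{label:40s} {bits:6.1f} bits")
    print("words to match a 16-character random password:",
          words_needed(guess_bits(94, 16), 7776))
```

The last table row shows why the word list has to be large: the strength comes from the number of words to choose from and how many are picked, and both only count if the choice is made by a random generator.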

How to Get Started

Regardless of whether you choose to go the password route or the passphrase route (from here on out, I’ll just say “password” as a catchall to save time), one of the most important practices is to not reuse your password anywhere. Even with only a handful of accounts, this can quickly become unrealistic, especially if you only use some of those accounts rarely and therefore are likely to forget the password for those accounts. I strongly encourage the use of a password manager: a program that can record all your login information in a secure manner that keeps it reasonably safe from data breaches or attackers. Here, you can safely record all your usernames, passwords, login link, and other information. As an added bonus, doing this can help you avoid phishing attacks because you have the login link saved for easy and direct access. At this time the only two password managers I recommend are Bitwarden and KeePass. You can find more information about both of them and how to use them here. Be sure to enable the next feature on your password manager of choice's account, too, for added security.

2. Multifactor Authentication

Multifactor authentication is when you have to use more than just your username and/or password to login to a service. A username/password is considered “something you know.” A second factor could include “something you are,” which takes the form of biometrics like a fingerprint scan, or “somewhere you are,” which could be the geolocation on your phone when signing into an app. The most common second factor is “something you have,” which usually takes the form of a code on your phone. In some cases, this code is sent to you via SMS or email, but it can also be generated by an app (known as a “software token”). According to Microsoft, using two-factor authentication (or 2FA) can stop up to 99% of unauthorized account access. With 2FA, even if a criminal gets ahold of your username and password, they still need that code to get into your account. Combining 2FA with the password advice above can make you almost (but never 100%) unhackable.

How to Get Started

First, try to avoid two-factor codes that are sent to you via SMS or email if you have other options. These are largely considered to be insecure because SIM-based phone numbers can be easily taken over by an attacker. Email isn’t much harder either and can have much further-reaching consequences if compromised. Some services offer “push” authentication – for example, Google may ask you to confirm the login on your Android device. This is marginally better, but for the best blend of “easy-to-use,” “widely available,” and “secure,” you probably want to use a software token. I list a few different options here, as well as some information about hardware tokens. Hardware tokens are the most secure two-factor option, but are not without their drawbacks and are not for the faint of heart. That link has all the information you need to know if you’re curious.

3. Zero-Knowledge Storage

These days, most of our lives are online: email, real-time communications, social media, many of us even have automatic cloud backup on our devices for photos or files. From a cybersecurity perspective, this is incredibly dangerous. This would be the equivalent of giving your house keys to a stranger every day when you go to work, then giving them your car keys every night when you get home and hoping that they don’t take your stuff or abuse it. (Spoiler alert: they often do.) An easy way to reduce this risk is to switch to zero-knowledge storage solutions. For email this could be CTemplar, ProtonMail, Tutanota, or a whole host of others. For real-time communications Signal dominates the market but is not alone. There are a plethora of good choices. For storage I’ve had good experiences with services like Filen, Nextcloud, and ProtonDrive. For social media you are unfortunately less likely to find options that meet your needs. If you’re just a lurker, there’s tons of great front-ends like Libreddit, Nitter, and Invidious that can help protect your privacy and reduce tracking. If you actually want to post and contribute, there are platforms like Mastodon and PeerTube, but they may not scratch your social itch. Instead, the best I can offer is to remember that anything you upload to a mainstream social media provider like Facebook or Twitter becomes theirs and more often than not becomes public. Once you hit “post,” “tweet,” “share,” whatever, you instantly lose control over what happens to it from there, for better or worse.

4. Full Disk Encryption & Backups

Of course, not all threats to our digital lives are digital in nature. A broken device can result in loss of important documents and a stolen one can result in exposure of sensitive information. Many of these risks can be mitigated by using good backup habits and full disk encryption. Let’s start with the first one.

Backups

There’s a lot that goes into good backups. For a full rundown, see this page. Here’s the short version:

  1. Figure out how much space you need

  2. Decide how often you need to back things up

  3. Come up with a system that works for you – automatic backups, calendar reminders, whatever.

Don’t forget the 3-2-1 rule: 3 copies of your data (including your “live” in-use copy), 2 formats (cloud and external hard drive, for example), and 1 off-site (such as the cloud).

Full Disk Encryption

So what if your primary device gets lost? Or what if a criminal breaks into your home and steals your external backup drive? This is where full-disk encryption comes into play. Even before I was into privacy and technology, I learned that I can use a $20 cable from Newegg and a second computer to remove a computer’s hard drive and access it, even if the computer won’t boot up (related note: never pay Geek Squad to recover your dead computers. It's a scam. Just use that). But full-disk encryption makes this drive unreadable and inaccessible unless you have the password. Macs come with a program called FileVault, many Windows versions come with Bitlocker, and some Linux devices offer LUKS. If your device doesn’t have these, or if you’d prefer using something else, I recommend Veracrypt. (This is good for encrypting external backups, too.) For Android and iOS, these get encrypted automatically as soon as you enable a password to unlock. You can learn more about all of this here.

Conclusion

Originally this post was supposed to be “5 Cybersecurity Basics,” and #5 was going to be network security. However, my sublist of tips kept growing and growing and now it’s basically a blog post of its own. So tune in the week after next (next week is a review week) for the conclusion with some tips on how to secure your home network better.


Disclaimer/Disclosure of Interest: I use ProtonVPN’s Plus plan and I have a ProtonVPN affiliate link.

What is ProtonVPN?

A VPN – or Virtual Private Network – is a service that creates an encrypted tunnel between the device – be it a phone, computer, or router – and the VPN server. From there, your traffic continues on to your desired destination – such as TheNewOil.org – like normal. ProtonVPN is a service headquartered in Switzerland and is part of Proton Technologies AG, the same company behind ProtonMail (whose suite also includes Drive, Contacts, and Calendar).

Why Do You Need VPN?

You may not, to be honest. A lot of people really hype VPNs as one of those absolutely, must-have, lifechanging things that will solve all your problems. In all honesty, while I do believe that VPNs are an essential piece of your privacy strategy, there are many other free or low-cost strategies that will give you significantly more protection. A VPN these days pretty much only has two purposes: changing your IP address and protecting your traffic from local snoops. Changing your IP address is a valuable part of avoiding tracking, but it’s just one way and a VPN won’t protect you against those others like browser fingerprinting, tracking pixels, cookies, and more. Likewise, while it can be great to protect your traffic from your Internet Service Provider or a local cybercriminal, from a security perspective you’re already pretty well covered so long as you enable your browser’s HTTPS-Only mode and make sure you’re using the correct sites and not spoof sites. Having said all that, I do still consider a VPN to be a critical part of your privacy and security posture. It can bypass censorship, stop your ISP from selling your browsing data, help obscure your IP address from tracking and logging, and protect your traffic from local attackers.

Why Not Tor?

Some people prefer Tor over VPNs. Tor is definitely right in certain situations, but not all of them. For one, many essential services – like banks – block known Tor IP addresses to prevent fraud and abuse, making using those services nearly impossible. Second, Tor loses almost – if not – all of its anonymity once you login to something. If you login to your email and then your Reddit account in the same session, they’re now tied together and you’ve lost your anonymity benefit. For this reason, I recommend reputable VPNs for any services that are tied to your real identity or sensitive and Tor for random searches or accounts that are not tied to your real identity.

The Good

ProtonVPN’s upsides are numerous. At the time of this writing, they boast 1,314 servers in 55 countries with various capabilities such as peer-to-peer, compatibility with streaming services, multi-hop, and even Tor-over-VPN. They offer connection speeds of up to 10 Gbps, a 30-day money-back guarantee, and a built in adblocker. They have open-source apps for all operating systems – Android, iOS, Debian, Mac, and Windows. They also have detailed documentation on how to install their VPN on a DD-WRT router, which is great as I whole-heartedly recommend those routers and putting a VPN on your whole network like that.

On the backend, ProtonVPN is located in Switzerland and insists that Swiss law prevents them ever keeping logs (but don’t get any ideas: they have admitted they will use real-time analysis to find people who abuse their service if they suspect you). They are also the only VPN provider I know of who offers a truly free tier that I would recommend for those who are tight on money. Last but not least, they’re the only provider I know of who allows me to change my protocol on the iOS app, allowing me to use both a VPN and a firewall at the same time. The value of that can’t be overstated, in my opinion.

The Bad

ProtonVPN is not perfect. For starters, their customer service is a bit slow unless you pay for Visionary. Not painfully slow, but like “get an email back in a day or two” slow. I’ve also been having issues with split tunneling on Windows lately and their ultimate solution was basically “VPN or Antivirus. Pick one.” Disappointing considering that those solve two completely different problems. That’s like asking me to pick between coffee and chocolate. Very different things.

Another general ding is that ProtonVPN could do better on the privacy front when it comes to user signup. While they do accept Bitcoin and cash, other services like Mullvad accept Monero. It would be nice to see Proton step up to their level.

I’ve also noticed that contrary to their claims of “up to 10 Gbps,” that’s not always the case. At the time of writing, I used Speedtest.net to test this. Without a VPN, I connected to the CA Department of Education in Sacramento, CA. I had a 0ms ping, 477.76 Mbps download speed, and 416.21 Mbps upload speed (attention ISP: that’s half the speeds I’m paying for. Go figure). After reconnecting using the “fastest” option, I was connected to Proton’s TX#27, which had a 45% load. This time, I was connected to Surfshark’s server in New York, NY. My ping stayed 0ms, but my download speed fell to 329.70 Mbps, though my upload actually improved to 491.95 Mbps. Despite technically being slower, the speeds have rarely been a negative impact in my life as I’m not a professional gamer or streamer of any kind. Even with my VPN on, I still manage to upload my raw, hour-long, 1080/30 footage of Surveillance Report to send to Techlore for editing in less than 15 mins most days (never more than 30, depends on how slow the server is that day).

Honestly I don’t have too many issues with ProtonVPN, but it is important to note that no product or service is perfect. These are just a few of the issues I’ve personally noticed.

Conclusion

Again, while VPNs are not the magical bulletproof unicorn that some people make them out to be, I do still think they have valid and essential uses. As far as VPNs go, Proton is a very solid choice. They have a solid track record and a variety of easy-to-use features that make them incredibly easy for even the most non-techy person to incorporate into their daily lives and get comfortable with it. In fact, when I asked my partner – the non-tech, non-privacy-centric person in the house – for her notes and thoughts on Proton (which she uses regularly), she didn’t have any. The only notes she came up with are that she likes that it automatically boots up with her computer on startup, and that it does slightly degrade the battery on her phone when it’s active but not enough to deter her from using it. If even the “I'm willing to do privacy as long as it's convenient” person has no bad things to say, I think that's a pretty powerful endorsement in my opinion.

You can learn more and sign up for ProtonVPN here, non-affiliate link here.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

A few weeks ago, ProtonMail was forced to turn over the IP address and device information of a user to the Swiss government. A couple months ago, Wickr sold to Amazon. A few months before that, Signal integrated with cryptocurrency MobileCoin. Long before that, Wire moved to the US. So many services out there, none of them perfect, and all of them constantly evolving. How do you know which one to use? Better yet, how do you know when you should abandon one and move on to another after they make a major change?

Every time any critical piece of news comes out regarding a privacy tool, there’s always at least one person saying it’s time to jump ship and go to their competitor. So this week, I want to weigh in on when you really should switch services and replace one for another.

If the Service is Definitely Compromised

Let’s go ahead and get the obvious one out of the way: if a service is definitely compromised, you should jump ship. This begs the obvious question “what is definitely compromised?” Some people say that Signal is now compromised because of their MobileCoin integration. Others say Wire is compromised because of their relocation to the US. I’m not talking about that. I’m talking about “is it unarguable?” For example, Anom is definitely compromised. There is no argument there. If there is 100% credible, unarguable proof that a service has been cracked, sold, or otherwise compromised, you should drop it. Simple as that.

If the Service is Arguably Compromised

Unfortunately, if you’re unsure of whether you should switch or not, that’s likely because it’s unclear if the service is truly compromised or to what extent. In my experience, 90% of the time this is just disinformation and sensationalism spread by YouTubers looking to make ad revenue and perpetuated by haters of the service in question who are either purist/extremists (“anything that isn’t self-hosted is a honeypot”) or loyal to a competitor (“this is why everyone should drop Signal for Session”). However, there is that 10%. In my experience, the 10% of legitimate concerns boil down to two categories: theoretical and unconfirmed.

Theoretical Compromise

Let’s look at the Signal/MobileCoin incident. While the incident was extremely poorly handled, it doesn’t indicate any kind of actual compromise in the integrity of Signal’s encryption or their data handling procedures. However, I think cybersecurity expert Bruce Schneier summed it up best in his own blog post regarding the incident:

It’s that adding a cryptocurrency to an end-to-end encrypted app....invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI.

In this case, the potential for regulatory meddling and government investigation opens up new avenues of abuse by governments that previously weren't feasible: for example, demands to log user data in the name of “national security” or “fighting fraud” or some other facade. It offers new tools for the government to exploit that previously didn’t exist. Prior to Signal integrating with MobileCoin, demands to “Know Your Customer” wouldn’t have made any sense because Signal did not handle any financial data. Now those demands suddenly seem more likely. (Signal claims they still don’t handle any user financial data and that it’s all handled by MobileCoin and their own exchanges, but it’s not hard to imagine the government forcing Signal to also log user financial transaction data that can be correlated with MobileCoin's or their exchange's data to unmask the parties involved.)

More often than not, this is the reasoning behind why a service is suddenly “compromised” when it changes hands, teams up with other services, introduces new features, or relocates. When Wire moved to the US, this was the concern. When Wickr was purchased by Amazon, the concern was not that messages suddenly became readable, but that Amazon now had access to all the metadata. In some cases, there is precedent to some of these concerns (like how Facebook owns WhatsApp and admits to making extensive use of user metadata). In other cases there aren’t, but that doesn’t mean that some of these theoretical abuses aren’t possible and aren’t worth noting. A “theoretical” compromise is not necessarily a current compromise of the service or project itself, but rather the increased potential for a project to become compromised that didn’t exist prior to the change introduced. It's important to be able to tell the difference between a legitimate theoretical abuse – like Schneier's concerns with regulation – and someone who just hates MobileCoin cause it's not Monero or whatever.

Unconfirmed Compromise

When I originally began writing this blog, I wanted to do a quick explanation of critical thinking, but I quickly realized that deserved an entire in-depth blog post itself. So if you haven’t read that yet, please take a few minutes to do so here. I will now assume you’ve read this post as it will be critical to this next section.

There’s an old meme that says “on the internet, nobody knows you’re a dog.” As fun as this meme is, there’s some truth to it. While our online anonymity has been largely stripped by governments and surveillance capitalism, for the average person it’s still alive and well. You have no way of knowing if the person you’re talking to is a world-renowned cybersecurity expert or if they’re a 12-year-old making things up. So when someone posts on Reddit and says “I have found cryptographic weaknesses in Matrix,” it can often be hard to know if they’re telling the truth, especially if the comment goes ignored or is hotly contested in the comments section. This is often compounded by the technical jargon of an explanation. Even the most low-level writing I’ve seen explaining various bugs and vulnerabilities typically has a few sections that leave me unsure if what I just read was actually English and just trusting the author that it made sense to someone. This can often lead to us walking around with questions about not only the validity of something, but also the severity of it. Not all threats are created equal. For example, the now-infamous Pegasus malware is a very serious and severe threat, but the nature of it means that it is often reserved for government targets like journalists, activists, and sometimes terrorists. It’s virtually impossible that the rando you pissed off on Xbox Live is going to hack your phone with Pegasus. Generally speaking, you should not be concerned about the risks of getting targeted with Pegasus. So then where does that leave us? Are iPhones unsafe because of Pegasus? Is Android any safer or harder to crack? Is Matrix’s encryption acceptable, or compromised? You can find no shortage of articles arguing both ways. This is when I think we must fall back on our critical thinking skills. Who is making this claim? What evidence are they offering? Can you confirm the person’s identity or claims? What are the risks if what they’re saying is true? What’s your threat model? Can you afford those risks? Is it worthwhile to switch just to be sure?

I think more often than not, a compromise you can’t confirm comes down to reputation, feasibility, and risk. Signal is widely reputed by experts to be secure, even if those same experts have complaints with the company itself. A single person claiming to have cracked it, to me, doesn’t move the proverbial needle enough to outweigh the reputation of Signal. Likewise, I’ve seen posts that say “hey, do you think r/AskReddit questions are actually scammers attempting to learn information for their scams?” The feasibility isn’t there: too much work to verify people, match up information, record it all individually, etc. There are easier, more feasible ways to steal user data for scams. Last but not least: risk. Is the Matrix protocol cracked? Maybe. But I’ve got some of my friends using it who would otherwise not be using any kind of encryption, and all we really talk about is sharing memes and music videos. The risk level is low, and even if Matrix is cracked we’re not using it to send passwords or credit card numbers. (I know that one is kind of a variation of “nothing to hide,” but I think of it more as “lesser of two evils.”)

Note: Threat Modeling and Compromise

It's worth remembering that your threat model also determines the extent to which a theoretical or unconfirmed compromise matters. Let’s take Wire for example: Wire moved to the US to have more funding opportunities. The US is a Five Eyes country, which means that Wire is likely now more vulnerable to court orders and other US data collection policies. If your goal is simply to protect your SMS messages from your cell carrier and avoid giving out your phone number, Wire is still a solid choice. They log very little metadata and their encryption is still considered secure. But if you’re a whistleblower, Wire may not be the best choice for you anymore because they are beholden to one of the most powerful and invasive governments on Earth. You may wish to look into other choices like Threema or self-hosting an XMPP server. As always, you are free (and I encourage you) to go above and beyond, but it’s important to know what your threat model demands so you don’t neglect important areas or negatively impact yourself by trying to do more than you need to. I mentioned that some of my friends use Matrix earlier. If Matrix is cracked, none of our conversations are sensitive enough to be at risk. It's not worth the threat model of trying to move them all to something unarguably secure, like a self-hosted XMPP server. Your situation may require that, though.

Conclusion

Sometimes it’s easy to know when to switch services, like when you find out you’ve been doing it wrong this whole time and there’s a better way to do it. Sometimes, it’s less obvious. But hopefully between this breakdown and the critical thinking blog I linked earlier, this post has helped you know when to make that decision. And of course, as I said before, I always encourage you to go as far as you can in your privacy journey. There’s no shame in saying “I want to switch cause I think this service/product does better and I want that better protection.” Just make sure that you’re not negatively impacting your life – emotionally, mentally, or relationally – and that you’re not doing it because of the latest sensationalist headlines.
