The New Oil

Information Security for normal people | https://www.TheNewOil.org | https://thenewoil.org/blog-index.html

Guest blog post by our moderator Uncover

Streaming services. Many of us love them, though sometimes we get frustrated with them (I’m looking at you, Hulu ads). Regardless of your personal feelings towards a specific platform, they have became a staple in many of our daily lives. For all the laughter and joy we get from them, the tracking and data collection – while varied – can create a accurate portrayal of a consumer’s likes and dislikes. With that in mind, here are some easy “in-house” methods on each of the top 10 platforms (by subscriber count) to somewhat limit the amount of tracking that takes place. All of these instructions are done from a desktop web browser, as this typically gives you the most control over your account settings.

Netflix

I consider Netflix to be one of the more mild streaming services in terms of the amount of collected data. Unfortunately there’s no real ability to opt out of data collection, but you can remove your viewing history, which will also prevent the algorithms from learning. You’ll have to repeat this process periodically, you cannot tell Netflix not to save your viewing history.

  1. Visit Netflix.com and sign in to your account
  2. Choose your profile, hover over the profile icon in the upper-right corner, and scroll down to Account.
  3. Scroll down to Profile and Parental Controls, and click your profile picture.
  4. Click Viewing Activity.
  5. Click the circle icon on the right of each entry to remove it from your watch history. To remove your entire watch history, scroll down and click hide all.
  6. Repeat the process for each profile on your account.

Amazon Prime Video

Amazon tracks all your activity by default (on any and all platforms they can get their hands on). It saves all searches, things viewed recently, shows and movies watched, and categories you looked through. In my opinion they are one of the worst for tracking (here and everywhere else they can). This data helps Amazon create targeted ads. That’s why you’ll see products and suggestions similar to what you’ve watched or looked up. Here’s how to help limit Amazon from tracking your browsing activity:

  1. Visit PrimeVideo.com and sign into your account.
  2. Hover over Accounts & Lists in the top right corner and select Browsing History from the menu.
  3. Click the Manage history drop-down arrow.
  4. Toggle Turn Browsing History on/off to the Off position.

You can also disable personalized ads to stop your data from being used for advertising.

  1. Hover over Accounts & Lists and click Account.
  2. Under Communication and content, click on Advertising preferences.
  3. Choose Do not show me interest-based ads provided by Amazon and click Submit.

Crunchyroll

Crunchyroll is a bit of niche streaming service focusing exclusively on anime, but according to our source this freemium service ranks #3 in terms of subscriber numbers.

  1. Go to Crunchryoll.com and log in.
  2. Once signed in, you may be on the video-watching platform, which has limited options. If so, navigate to crunchyroll.com/editprofile/?tab=basic.
  3. Empty out your profile of as much information as possible, or – if that’s not an option – fill it with false information.
  4. Under Privacy Settings, toggle Online Status to Offline and check Achievement Privacy so that Achievements are private and visible only to you.
  5. Under Social Integrations, I recommend unlinking your Twitter if is already linked.
  6. Check My Devices and ensure there are no old or unfamiliar devices authorized. If you do not recognize any of the devices, deactivate them.

Hulu:

Ah Hulu, the wannabe underdog of streaming. The service that will always be in the “friend zone” of streaming giants. Out of the box it collects quite a bit of data but gives some options to disable some of the data collection.

  1. Visit Hulu.com and sign into your account.
  2. Hover over your profile picture in the top right corner and select Account.
  3. On the right side, under Privacy And Settings, select Manage Nielsen Measurement and click OPT OUT.
  4. Next, select California Privacy Rights.
  5. Under Manage Activity, click Watch History and Clear Selected. Like Netflix, this will affect your algorithm but you will regain some privacy.
  6. On the same page, under Right to Opt Out, click Change Status.
  7. Click OPT OUT.

Apple TV+

AppleTV is another relatively-privacy-friendly option. While Apple does collect some data, they get a lot of points from most experts because they don’t use that data to create advertising profiles or sell ad space. However, as privacy advocates, we’re typically not fans of any unnecessary data collection at all, and in that sense Apple does collect more data than they probably need.

  1. Log in to tv.apple.com.
  2. Click on your profile picture in the top right corner and select Settings.
  3. Under Account Access select Sign Out of All Browser.
  4. Under Play History select Clear Play History. This will likely remove your algorithmic recommendations, just as with Hulu and Netflix.

You can ask Apple more questions about your data here.

Honorable Mention: YouTube

While not a “streaming service” in the same sense as the above services, YouTube remains one of the most popular platforms for content on the planet. YouTube is owned by Google (yuck), who uses your search history, browser history (if you use Chrome), and more to build a detailed ad profile about you. This personalizes the ads, recommendations, and even search results you see. With Google having one of the furthest reaching hands in the internet, they are able to pull your info from all over the web and your viewing data is just one more juicy morsel to them. If you want to help clear out what YouTube knows about you, you have to visit your Google Account.

First lets check the search and activity page

  1. Log in at myactivity.google.com.
  2. You will see check marks next to Web & App Activity, Location History, and YouTube History. Click each one to change your settings. You can toggle each of them off to stop Google from tracking you.
  3. On the menu that appears in the left sidebar, click on Delete activity by. Choose how far back you would like to delete your history in the pop-up menu (I highly recommend the longest option available). Then click Delete to confirm your changes.

Next, lets turn off personalized ads. This is how Google serves you ads based on your activity and history.

  1. On the menu on the left, click Google Account then select Privacy & personalization.
  2. Scroll down until you see Ad settings.
  3. Select Ad personalization and turn it off.

You may have noticed that we said “top 10 streaming services” at the beginning, but didn’t list 10. That’s because five of them – Disney+, Peacock, HBO Max, Discovery+, and ESPN+ – didn’t offer any privacy settings whatsoever except one. All of these services offered a “Do not sell my data” option that was relatively obscured. A few other services did, too. Here, we’ve included a direct link to this option for each service, including any additional advertising opt-out links.

Crunchyroll Interest-based advertising Disney+ Interest-based advertising (Requires 3rd Party Cookies) Peacock HBO Max Discovery+ Interest-based advertising ESPN+ Nielsen Measurements Interest-based Advertising

Wrapping Up

These are “big dogs” of the streaming entertainment scene. Use this knowledge and apply it to other streaming services you use that we haven’t listed. Your mileage may vary or may have no success at all (some sites don’t offer any clear options).

As a final note, here's a few universal tips for protecting your privacy while streaming regardless of the service.. First is watching in a browser on your computer whenever possible. When you’re on a “desktop” environment, you use firewalls, ad blockers (like uBlock Origin) and other browser hardening tricks to take it a step further. This is especially useful for the services that don’t offer any privacy controls. (Editor’s note: uBlock Origin blocks Hulu ads. 10/10 recommend.)

The next tip is to set your browser to clear all cookies on exit. This will sign you out of everything, which some people may find incredibly inconvenient. You can allowlist (or whitelist) certain sites to keep their cookies, but this may defeat the purpose from a tracking perspective so I recommend clearing all cookies if you’re willing to put up with the mild inconvenience of signing back in each day. Even if you do allowlist certain sites, that's still an improvement though, so definitely look into this option on your browser.

A final more advanced tip is to use a VPN. Not all VPNs work with streaming services. ProtonVPN, one of the few we recommend, proudly advertises that they are streaming-service friendly, and their DNS comes with an ad, tracker, and malware blocker that will help reduce (but not eliminate) more ads and tracking from each of these services. (Here’s an affiliate link if you want to get ProtonVPN and support us at the same time, but don't feel obligated.) You can also add this to your router (if your router supports VPNs) to protect all the devices on your network, like Smart TVs and game consoles.

I hope this was helpful and can provide some insight in an area not typically discussed in the privacy/security community. Stay private and stay safe.

-Uncover

(Proofreading and additions added by Nate B)

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

“What a year.” My annual catchphrase. I always say that this project has exploded in ways I never expected, and that never stops being true. So where are we now?

Looking Back: What Worked (And Didn't)

According to last year’s blog post, my main goal for 2021 was to “continue to grow.” Kind of a crappy goal, but technically a success. I’ll get numbers in a moment. I also stated a goal to add a new podcast series. That ended up being much more work than I expected. The good news is, the writing is now done for Season 1 and production was SUPPOSED to be this month. Instead it is now being pushed to January with a goal to release in Spring 2022. (Hopefully I can start pushing out episodes sometime between late March and early May, depending on how my schedule allows). I mentioned my goals to add videos and in-depth blog posts. I didn’t do the in-depth blog posts, but I did start making video content on YouTube, Odysee, and PeerTube. Video production is a lot of work, but I’m thankful for the warm reception I’ve gotten. Thank you to everyone who subscribes, watches, comments, etc.

Next I mentioned plans to start consulting, which I did (you can view the submission form here) and I mentioned plans to speak more in the real world. I did do one livestream round table, but that was about it. C’est la vie.

The next goal I mentioned was plans to ethically monetize. In addition to tons of donation methods, we also added affiliate links (with non-affiliate links, all transparently marked, as promised) and even added sponsorships and had our first sponsor, IVPN! I’m pretty excited. I’m a big fan of IVPN. I love their commitment to ethics and transparency and the fact that every time we cover a VPN story, it almost always turns out that IVPN has already fixed the issue or never had it in the first place because of their security. Great company. I’m hoping to partner with more amazing companies like them in the future to keep growing and bringing more and better content. Of course, I also want to make sure we’re doing this in an ethical way, so you can check out our rules for sponsorships here.

I mentioned translating the site. This is still on the to-do list, and every time I start we do major changes and make it so I have to start over. Ugh. Oh well. I’m hoping to have the Spanish site up in early 2022, maybe end of January if I’m lucky. I’ve even had one amazing Spanish-speaking reader offer to help translate the blog post. You can check that out here and donate some Monero directly to them to thank them for their time.

Thankfully, I don’t see a lot of “what didn’t work” stuff. I met most of my goals, and the ones I didn’t meet weren’t really hard goals anyways. I think I’ll skip that section this year, but just know that technically there were a few “it’d be nice” goals that I didn’t quite hit. I already mentioned them above.

Growth

Alright, let’s get to the exciting numbers: how did I grow? According to last year’s post, I had over 650 Mastodon followers at the start of the year. The blog had 16 Fediverse followers, 15 email subscribers, 21,000 views, and the podcast had 50 listeners and 2,000 total listens. The site itself peaked at just under 5,000 unique visitors in December. Prepare to have those numbers blown out of the water.

My Mastodon account now boasts over 1800 followers. I also started a Twitter account – mostly to schedule posts in Mastodon easier (for some reason my instance’s scheduler doesn’t work) – and that has grown from 0 to over 1100 followers. It’s also proven to be a great way to reach new people.

The English blog (which are you reading) now has 25 Fediverse followers and 36 email subscribers. (Hey email subscribers, did you know you can reply to this post and message me directly? Neat!). Total stats are hard to get with write.as because of the way they prioritize privacy-respecting analytics, but I think the lifetime reads are more than 34,000. I get over 500 monthly visitors and about 1,000 monthly reads.

The site stayed relatively steady all year. Most months were at least 5,000 unique monthly visitors ranging up to 6,500 on average, though if I’m reading the numbers right I was just shy of 7,400 in October. Wow! Altogether, we had over 72,000 unique visitors throughout 2021. Many of you may have also noticed we moved from .xyz to .org. This is because many readers were reporting that .xyz is flagged by a number of security organizations as a spam domain. We thought that moving to .org might look more professional and also reduce the number of issues readers were having.

Oh, and the weekly podcast! How could I forget? Well, early in 2021 I retired my own podcast to join forces with Henry of Techlore. You see, Henry was already making a weekly current-events podcast very similar to mine called Surveillance Report. Unlike mine, however, Surveillance Report was very hit-or-miss in terms of consistent, weekly releases. So I reached out to Henry with the idea that maybe I could come on board and help bring some consistency to Surveillance Report. With my consistency and his audience, I thought we could have a real impact there, and I guess I was right. Since I’ve joined, we’ve put out an episode almost every single week and the podcast has grown to have over 10,000 views on YouTube alone each week! You can listen to SR on all the major podcast outlets (Spotify, Apple, etc) as well as RSS and Youtube, Odysee, and Peertube.

In previous years I haven’t noted community stats. This year, at the time of writing, we have over 400 members in our primary Matrix room and two moderators, one of whom has become a very eager advisor and has been a person that has helped me bounce ideas and get feedback on plans. So the internal team is starting to grow. TNO is no longer 100% just me, though I remain the captain at the helm.

Financial Transparency

This year was also wildly successful new territory for The New Oil financially. We raised the following funds:

We raised $351.30 in cryptocurrency. This money was never cashed out into fiat currency. Thus, according to US tax code, the value of these donations for tax purposes is calculated based on the value at the time of donation, which I calculated according to Yahoo Finance.

We made $1963.07 in USD. $213.28 came from sponsorships, and $1015.96 came from Techlore for my work on Surveillance Report. For the record, I never demanded any money from Henry. He willingly donates to The New Oil in recognition of the work I put in. We both contribute articles and notes, and we both take turns editing the videos each week. The amount he donates is an attempt to share any potential revenue generated from Surveillance Report. I'm not sure if this counts as a donation, sponsorship, or something else, so I thought it might be best to disclose it separately from the other categories. The remaining money ($733.83) came from either donations or consulting. For the sake of preserving privacy, I won’t give a breakdown of how much came from where. (I suspect that technically stating consultation earnings – even in bulk and without any further details – can give one insight into how many clients I had or how many sessions I had with each client.)

Expenses were as follows: * Write.As Pro (for the blog): $45 * Web hosting & domain name (.xyz, main site): 43.95 * Web hosting (PeerTube): $92.44 * ProtonMail/VPN Plus: $30.60 Total: $211.99 Remaining: $2102.38

The Proton number is derived based on rough, low estimates of how much time I spend working on The New Oil.

A few miscellaneous donations and compensations include a Brave Heart Edition Pinephone (valued at $199.99, I think) and the .org TLD, which I will pay for moving forward using TNO funds. I also purchased a computer off an associate for $500. Given the specs on the device, this was a steal for me. I’m not sure if I should include this device – at least partially – in business expenses. While I do some leisure stuff on it, like watch streaming services and play video games, I spend the vast majority of my time working on The New Oil: filming and editing videos, collecting and posting articles, writing blog posts, etc.

The left over $2102.38 seems like a huge number at first. Admittedly, it feels like a big number to me and I wish I had tracked it better so I could’ve better allocated it to things I want/need for The New Oil – like some of the expenses I discuss next. However, in terms of money I pocketed, know that the living wage for my area is about $47,000 a year. Assuming I worked on The New Oil part time (20 hours a week) for the whole year, that means I made $2.02/hr. When you put it like that, I think it’s fair to say that while I could’ve and should’ve spent the money better, pocketing it doesn’t exactly count as an abuse of funds. (Though, for those interested, my rent is about 33% below market average for my area, I drive a deacade-old non-luxury sedan, and I buy off-brand food at the local grocery store, so I’m pretty frugal. It’s not like I’m out here living in a condo downtown driving a luxury car).

Goals for 2022

Most of 2022 will be spent staying the course and delivering on the promises mentioned above, like the new podcast series and translating the site. As I said, I hope to have both of those at least started by spring. I’m also hoping to continue to grow financially – but ethically – so I can continue to devote time to this project. I actually took some paid time off work during the holidays, mostly to burn some PTO but also to use that time to catch up on TNO stuff that I had fallen critically behind on. The last week and a half has been absolutely wonderful. Normally I’d wake up at 5-6 am (depending on the day) to an alarm, go to work where of course my day job expects me to do work for them and not my own stuff, and then have to cram in all the TNO stuff in a few hours at the end of the day when I’m already mentally exhausted – trying to be creative, make decisions, and then hoping I have enough time and energy after that to shower, meal prep, and spend time with the partner. This past week, I woke up on my own time with no alarm, cooked a warm breakfast each morning, worked on TNO all day, ran errands as needed, and at the end of the day I can actually close the computer and spend time with my partner. Not to air my dirty laundry or tell a sob story, but my partner and I have actually had conflict in the past multiple times over how much time I spend working on TNO and not spending time with her (and she’s not wrong, for the record. Some nights I go straight to bed and barely acknowledge her at all. I’ve been trying my best to better manage my time). This past week has been zero conflict because I can actually set daily goals, finish them, and then “clock out” and spend time relaxing with her. All that to say: please, please, please donate if you can. This is the dream and while I love my industry I am absolutely dreading going back to work Monday. Having had a taste of working on The New Oil full time, I absolutely would love to do that. So TL;DR: one of my goals for 2022 is continue monetizing so I can eventually move down to part time – or even contract or quitting my day job entirely – so I can do TNO full time.

[Note for those rereading: this goal has been removed out of an abundance of caution, however I will still be announcing it upon completion.]

There are two other brand new goals I have for 2022. One is delving into TikTok. I know, I know, it’s literally the worst, but multiple people have suggested trying it to reach the people who need this stuff most, and my partner is constantly showing me videos of people who are surprised by data abuses of all kinds so clearly there’s a need for someone to explain how it works. As such, I’m gonna try it and see if it helps anyone. If people find it helpful and I can get just a few more people to take their privacy seriously, then I’ll call that a win. (This will not be a major focus for me. Videos will not be high-production value and I will not be posting them on a regular schedule, rather only when I have time and something to say.)

The other major goal will be a merch store. I will likely use BigCartel – at least at first as a test run – though I will also have other channels for those who wish to use cryptocurrency or don’t want to trust BigCartel (I think some of their themes use Google fonts). This will start small – stickers, maybe a few shirt designs but at least one – and if it proves successful I’ll keep it going and look into more privacy-respecting store options. This will be something that will be a bit of an up-front startup cost as in order to be as privacy-preserving as possible, I’ll need to order the merch in bulk up front then sell it myself, unlike some other sites where the merch is made on-demand when you order it. (This will also mean lower prices for you.)

Oh, one last small goal for 2022: I plan to buy a shotgun microphone soon so that I can record high-quality audio for videos but keep the mic out of frame. That’s gonna be cool.

Wrap Up

I always laugh at small, unsigned bands when they break up, not because I enjoy their failure but because they always say something like “this project went further than we ever could’ve imagined.” Please. We all know you had dreams of stadium shows, European tours, and being the next Metallica. Quit lying. But imagination and expectation are two different things. The New Oil is not my first business venture, but it is by far my most successful. While I can imagine some pretty lofty dreams – public speaking, TV appearances, conferences, if we’re being honest – I’ve done enough rodeos that I knew what to expect realistically: a handful of regular readers, a few hundred hits per month, and maybe $20/month in donations if I’m lucky. And then this happened. The New Oil continued to grow and grow. I’m so thankful for every single one of you who has made this grow. Believe it or not, you guys challenge and educate me, too. Every person who writes in to say “hey you were incorrect about this, here’s how it really works,” or every person that says “what do you think of this?” and makes me go learn about something new, you all help to make me smarter and better informed. It’s amazing hearing people’s ideas, strategies, opinions, and feedback on various tools, tricks, and tips. It makes us all better in the long run.

Thank you for being part of The New Oil. Here’s to bigger and better heights in 2022.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

According to The Atlantic, there are an estimated 526,000,000 kids under 14 who celebrate Christmas and therefore receive presents around the world. Logically, if we expand that number to include adults who receive presents on or around December 25 – regardless of religion – that number rises exponentially. While traditions (and even exact dates) vary around the world, gift giving around the Christmas season seems to have become a pretty common global phenomenon. Therefore, if you’re reading this blog post, it’s highly likely that you yourself got some gifts recently. So this week, I want to share some tips for any electronic gifts you may have received.

1. Be Mindful of Your Trash

First and foremost, let’s talk about a bit of practical advice: the left over trash. If anything can be recycled, please do. (Don’t bother with plastics.) If anything can be re-used – like gift bags or boxes – I encourage you to stash them away for next year. (Maybe make note of who gave the bag to you so you don’t look cheap by regifting them the same bag next year.) But for big, expensive items, don’t put the boxes and bags on the street corner for trash pickup. Things like TV boxes, for example. There’s an urban legend – even acknowledge by the police – that thieves look for such items to help pick which house to target next. If you’ve got a bunch of boxes for new computers, Alexas, and Smart TVs, you’re basically waving a big flag to rob you. While Snopes argues that there’s no evidence that this has ever happened, why take the risk? I strongly encourage you to break down your trash and make it less obvious.

2. Internet Connected Devices

Whatever gifts you got this year, I’m willing to bet that at least one item has internet connectivity. Maybe it’s the new Smart TV or a toy for your kids. It seems like every few years people just latch onto some trendy buzzword and then everything has to have that thing shoved into it regardless of whether it actually needs it or not: apps, blockchain, internet connectivity, etc. Many, many toys and items these days come with internet connectivity and apps, even if they have no reason to. (I once heard an ethical hacker say he got access to a target by exploiting the coffee pot, which was – of course – running an admin account on the company WiFi.) So the first question you should ask yourself before rushing to connect that [insert item here that obviously doesn’t need an internet connection] to the internet is “does it actually need it?” Sure, your smart TV can connect to the internet, but do you even use streaming services? If you’re not a streamer, leave it offline. Your kid’s toys 100% do not need to be connected to the internet (with a few exceptions, like tablets). If it doesn’t actually need internet, don’t connect it in the first place. (Note: some devices unfortunately will connect to any open WiFi whether you approve it or not, so first make sure your device isn’t already attempting to do so. If you have a device that does this, I encourage you to connect it to your own network and follow the rest of the tips in this post to prevent someone else from connecting to and abusing your device.)

Side Note: Why Does It Matter?

You may be wondering “why would anyone even bother connecting to my device in the first place?” First off, if a criminal accesses one device in your home, they’ll frequently be able to use that to access other devices. Think of it like your physical home: if you get through the front door, you can usually use that access to easily walk into other rooms of the house unimpeded. Just like your physical home, once a criminal has access to one unimportant device – say your Smart TV – they can pivot into other devices that do hold sensitive information, like your computer where you check your bank account or your smart phone that has sensitive photos.

“But I’m not even doing anything interesting,” you might say. “Why would they bother hacking my smart TV in the first place?” Maybe you’re not. But the internet has made the criminal’s investment in attacking you negligible. Continuing with the physical home example, unlike your physical home the internet connects all parts of the world instantaneously. In the physical space, you only have to worry about nearby threats – in other words, the world’s best lockpicker isn’t going to fly in from Australia or Spain to come pick your lock (credit to Bruce Schneier for this analogy). You’re just not worth it. But in the digital space, that flight takes about two seconds and absolutely no cost. Suddenly it does become worth it just to give it a quick try. So while you may not be a famous celebrity or a business tycoon, attempting to hack you is pretty much the same as trying the doorknob of every door you pass while walking by. It’s not hard, it takes very little time or effort, so why not? (And unlike trying every door you walk past IRL, an attacker is highly unlikely to be noticed and flagged by the Neighborhood Watch.) In fact, most attacks these days are automated, so “hacking you” isn’t even something that a criminal does in the sense you’re thinking of. Most criminals “hack you” while they’re busy making a sandwich, sleeping, or watching Netflix. Their machine does 90% of the work automatically – sometimes even trying out different username/password combos. The attacker just checks the reports every so often to see what was found and what they have to work with.

So what they do when they get in? It depends. The vast majority of these automated accesses result in planting malware on your device, usually for use in a DDoS attack (the ones where millions of devices ping a website at the same time and cause it to go down) or mining cryptocurrency. These typically result in slower devices and network speeds for you, so even if you don’t care about the ethics or legality of these abuses you still suffer negative impacts for it. More advanced malwares may attempt to intercept the traffic on your network or place malware on other devices and look for additional data and credentials, like your bank login or sensitive communications. Then they can blackmail, drain your bank account, any number of malicious things.

Now that we’ve had this talk, let’s get back to the advice.

3. Default Credentials

Right now, there’s an epidemic of exposed devices online. How are they exposed? Is it through malicious software? Open ports? Outdated firmware? Well yes, but there’s another reason that’s far more prevalent than any of those: default login credentials. You see, a lot of people get a new device and just plug it in, get it going, and call it good. Little do they know that quick Google search for “[make and model number] default login” can often turn up the factory-preset credentials. And most routers, for example, will show you the exact make and model number on the login page. In other words: as I mentioned earlier, criminals have bots that automatically scan every IP address and port number they can think of to check for any hits. Once they get a hit, they can easily see the make/model of the device and software, then they can quickly search dozens of totally free, totally legal databases for the default password, and then come back and try it. Again, this is often 100% automated, and now your device is compromised. And to think, you can prevent almost all of this just by taking five seconds to change the default password. For more information on how to pick a good password and remember it, check out this page.

4. VLANs (& VPNs)

Virtual Local Area Networks, or VLANs, are on of the most criminally underrated things that are available to modern consumers. Once again, using the physical house analogy, think of VLANs like shutting and locking the doors to each room. By putting different devices on different VLANs – all cell phones on one, all computers on another, all IoT devices on a third, etc – you’re effectively compartmentalizing each device. So now, let’s say that an attacker gets access to your Smart TV – which in the house example is a bedroom. In addition to the initial hassle of finding and accessing your one room, the attacker now has the additional challenge of opening each door into each other room to gain access to all of those devices and their data, too. Most mid-level and higher routers now come with the ability to set up multiple VLANs and configure them any number of way. To give you some ideas, in my home we have a guest WiFi VLAN, our own WiFi VLAN we use for our phones, a VLAN for the Smart TV (our only IoT device), and a VLAN for the game consoles. If your router doesn’t support VLANs, a cheap alternative is to simply go buy a second router, connect it to your main router, and then put all your IoT devices on the second router. This will accomplish the same goal, and can be done for the cost a $20 router from Target.

Note: a subnet and a VLAN are similar, but different. A VLAN is actually separated and firewalled from other VLANs on the network. So if you’re tech savvy and you simply decide to assign different subnets yourself, that may help to some extent but it’s not the same as an actual VLAN.

You may also wish to put all your devices on a VPN. This is an entire discussion worthy of a separate blog post, but long story short is that a VPN only does two things: hides your traffic from your Internet Service Provider (ISP) and gives you a different IP address. Both are valuable things that I believe are worthwhile, and I strongly encourage you to put a VPN on your router to protect your IoT devices, but just remember that VPNs – no matter where you put them – are not silver bullets that magically make you hacker- or tracker-proof.

5. Default Settings (& The Privacy Policy)

Finally, the last tip I have for you is to carefully check each setting on your new device. Many devices nowadays come with an option to disable or limit the sharing of information. While I’m skeptical that this will completely eliminate data sharing, it reduce some of it and helps make a statement that you don’t wish to be tracked. Two factor authentication is another powerful security measure that’s becoming more widely available in recent years, so be sure to check your account settings for the new device and see if you can enable that. Needless to say the exact range of options varies from device to device and company to company, but be sure to sit down and know what your options are and tweak them for an appropriate level of privacy and security.

The last thing to do before unleashing your new device gift into the wilderness of your home is to read the privacy policy. As I write this, I suddenly realize I’ve never written a blog post about how to read a privacy policy. That’s now on my schedule and I will rectify that. In the meantime, know that there are two main sections I pay attention to: “What Data We Collect” and “How We Use That Data.” (The exact names of each section may vary, but it’s usually something along those lines.) Most privacy policies are intentionally written to be very vague to give the company more leeway and less culpability, but they will still give you a pretty good idea of what the company collects and how (ex, “any information you willingly add to your online account such as name and email address” or “geolocation data collected from the app.”) This will help you make responsible decisions about when and where the device can and should be used and any additional protections you may need to take for it.

Hopefully this post has been helpful. Hopefully you were given some gifts that actually add value to your life. Technology is a double edged sword, and it can bring some really cool, convenient, and even life-changing or life-saving things into our lives, but it can also bring some trouble, harms, and risks, too. Be sure to do everything your power to manage those risks and make technology serve you instead of the other way around. Happy holidays to all those who celebrate (and for those who don’t, happy Saturday).

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

Did you know I started putting out video content this year? You can view it on PeerTube, Odysee, and YouTube. If you do so, you may notice that I reuploaded my Bitwarden video. That’s because, this week, I accidentally lightly doxxed myself. And I want to talk about what we can learn from it.

What Was It & Damage Control

Let’s start by answering the question I’m sure everyone’s wondering: “What got exposed?” Well, I’ll answer because there’s a lot we can learn there, too. It was my email address – including a custom domain – for my personal Bitwarden account. My response – once someone more attentive than me caught this mistake – was to pull the video, blur out the email address, and reupload it. Hence, the reupload file.

So What Can We Learn?

1. Mistakes can happen to anyone. This is gonna sound a little narcissistic but bear with me: The New Oil’s success has made me a bit of an authority. While I try to be very open about the limits of my expertise, that doesn’t stop people from constantly contacting me to ask my opinion on a variety of privacy- and security-related topics. That’s fine, I enjoy sharing what I know, but the point is that nobody is immune to mistakes. Even being an “expert” or “authority” in this space does not make me immune to slip ups. I’ve said it a million times and I’ll continue saying it: nothing is unhackable. No matter how much you’ve done, you will still have weaknesses, and sometimes that weakness is yourself. Always be vigilant, always look for ways to improve. (But be careful not to get paranoid and carried away.) On that topic:

2. Risk management. When this leak was pointed out to me, I wasn’t scared. I was more upset at myself for missing it in editing. That’s because the information that was leaked was very non essential. It’s a personal email address, but it wasn’t a password, and my account is protected behind two-factor authentication. Furthermore, I don’t keep any essential passwords in Bitwarden. I mainly use it to share passwords with my partner – like the Netflix password or grocery list – and sync passwords to Windows for my audio stuff. I don’t have any banking passwords, sensitive account passwords, or anything like that. I’ve managed the risk: when I’m on Windows (which I am every time I produce a video), there’s very little sensitive information to expose. That’s by design. Risk management. Finally:

3. Non-descript usernames and domain names. The main reason this leak wasn’t a big deal though, and one of the biggest takeaways I want to discuss is the nondescript nature of it. I’m a big fan of purchasing your real name as a domain to plant your flag, but I’m also a big fan of not using it unless you have a reason. As such, I have another domain that I use for emails that are important to me and I don’t want to lose control of, but I also don’t necessarily want it tied to my real name.

I hope this blog has been helpful. We all make mistakes, but hopefully you can learn from mine. Be vigilant, cut yourself some slack when you fail, and try to fix it so it doesn’t happen twice. The only true failure is not learning from a failure.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

Last year, I wrote a blog post about gift ideas for privacy-oriented people. That list hasn’t changed much, and I’m also a firm believer that failure can be just as good of a learning opportunity as success, so in that spirit let’s take a look at some of the most popular gifts this year according to Google and some privacy-respecting alternatives.

iPads

Tablets are awesome. I had one back in the day and pretty much stopped using my laptop because the tablet made life so easy. But lately, Apple’s commitment to privacy and security are a bit questionable. Instead, I would recommend using a different tablet that gives you more privacy. The most obvious example would be the PineTab, but Lineage also offers some decently powerful tablets if you’re willing to do the flashing yourself. It should be noted that with the PineTab, you may have to resort to bookmarking websites on the home screen rather than downloading actual apps, but otherwise it should essentially work the same.

Ring Doorbells

Smart doorbells also have their merit. One of my past clients when I was a freelancer was located downtown and staffed entirely by women. For the record, I don’t subscribe to gender norms. I’ve met women who could kick my butt and that doesn’t bother me. But these women were not like that. One time an unhoused person entered the building and refused to leave when asked. Ultimately they had to call the cops to have the person escorted out. After that, they expressed an interest in getting a smart doorbell so they could lock the doors, but still know when deliveries and people arrived. The point of this story is that there are legitimate uses for this technology.

Ring is owned by Amazon, and has already been in the headlines several times for not only their privacy practices and sharing data with police, but also for bugs allowing strangers access to your cameras. Unfortunately there’s not really any golden privacy-respecting alternatives when it comes to smart doorbells, but there are ones that suck a lot less. Over at Mozilla’s Privacy Not Included Project, the one I found most appealing based on their summaries is the Netatmo. Locally stored video, company based in the EU for strong data protection laws, and no known data breaches. There are other decent options, but some of them use the cloud. While that’s not necessarily a dealbreaker, it is another point of risk that you should be aware of before committing. Some of the ones to avoid on the list are the Nest, Blink, and of course Ring. When reviewing that page, be sure to check what data they record, what they do with it, and their history of data protection.

Fitness Trackers

Some people really want to make sure they get their steps in every day. Or, if you’re like me, you simply wanted to hatch new Pokemon in Pokemon Go. (Yes, I used to play that.) I applaud the desire to be healthy and know what’s going on with your body, but FitBit was recently purchased by Google and now I think we can do better. Once again, we’ll have to turn to Mozilla for recommendations here. The choices are a little worse than the doorbell options listed above, but I guess that’s to be expected when we’re talking about a device that collects intimate health details. It seems your best bets – if you want to avoid Big Tech – are the Garmin products, Whoop Strap, or Oura Ring. If you don’t mind Big Tech, I think the Apple Watch is probably the best choice out of those options. Either way, feel free to browse and make up your own mind. A good section to pay attention to here is the “What could happen if something goes wrong” section. It’s also worth noting that if all you want is to count steps, the PineTime does include a step counter. I personally have not found it to be very accurate, but others have found it to be quite accurate, so your mileage my vary. It works with Android and iOS and it also tells time (of course), heart rate (also varied accuracy), has a few simple games, a stop watch, an alarm, timer, and even a metronome. It can also do things like change the current song and help navigate with maps, depending on your device and app of choice.

Oculus Quest

Point blank: I got nothing here. VR and AR are very much new frontiers in technology, and that means that it's both expensive and there’s really not a lot of good alternatives out there, especially if you’re looking for something open-source and privacy-minded. The best I can offer is that Oculus is owned by Facebook, whose privacy policies and track record can basically be summed up as “lol screw you.” Seriously. I cannot stress enough not only how bad Facebook’s privacy practices and security measures are, but also how downright evil of a company they are. If you must get a VR headset, I strongly encourage you to look into alternatives, like the HTC Vive or Playstation VR (if you own a Playstation console). If none of those solutions work for you, you’re probably best just to pass on this altogether.

Google

As an honorable mention, I wanted to mention “Google anything.” The article I linked at the top has an entire section dedicated to Google products, like Nest doorbells and thermostats (Mozilla has a section for this, too) to Chromebooks. Mozilla likely has alternatives for the popular items in this category, and most of them have already been tackled. The one I haven’t mentioned yet is a Chromebook. The appeal of a Chromebook is that it is an inexpensive but reliable device. It won’t do much (if any) gaming, but it can do all the basics like check your email, watch Netflix, etc. In that spirit, I unreservedly suggest the Pinebook Pro. You won’t be able to do any serious production or gaming on it, but you’ll be able to easily manage documents, surf the net, etc. If you need some better firepower for gaming or production, check out System76 or Purism. It’s also worth mentioning that all of these devices come preloaded with Linux: Debian (Pinebook Pro), Pop!_OS (System76), and PureOS (Purism). These are all basically the same OS with some different under-the-hood tweaks, but for the end user the only real difference should be how they look. They’ll all give you access to the same programs. Using one of these devices will give you significant privacy improvements over a Chromebook or regular PC at a similar price.

Game Consoles & Smart Toys

Last but not least, let’s mention smart toys and game consoles. I’m a casual gamer. I get it. My partner has binged Animal Crossing: New Horizons pretty much since it came out. I myself got super pumped for the release of Jurassic World Evolution 2, and during a work trip earlier this year I got one of my coworkers hooked on Civilization 6. Games are fun, and it’s important to find ways to relax and unwind from the stresses of life. The fact is that in most cases, you’re not going to find a privacy-perfect solution. Sure, some games are available on Linux – like Civilization 6. In other cases, you’re limited to an actual console like a Nintendo Switch or a Sony Playstation, or if you’re a PC gamer you might be forced to use Windows. In these cases, I have some basic advice. First, check to see if Linux is an option. You’d be amazed how often it is. We recently covered a story on the podcast about how something like 70%+ of PC games are now available on Linux. If it’s not available on Linux but it is on Windows, I recommend that as Windows offers far more customization than a console like a Switch or an X-Box. While Windows is very invasive, it’s much easier to dual-boot your computer and restrict some of the telemetry than it would be to do so on a console. Finally, if you must use a console, be sure to examine each setting regularly to disable any data collection possible (the Switch, for example, received an update shortly after launch that added Google Analytics and opted you in by default, hence the need to check often). If it’s an online game or device with network connectivity, I recommend putting a VPN on your router and then connecting devices to that protected network. VPNs only do so much, but every little bit helps.

Conclusion

The worst gift you could give someone – in my opinion – is something they don’t want, need, or use. I don’t need to tell my readers how commercialized and consumerist the holidays have become. Personally, I’m not much for giving or receiving gifts. I’d rather just get together, share a few beers, and spend some quality time together. Before considering any gift, before even considering the privacy or security implications of a gift, I would consider if that gift will actually add value to someone’s life. The best smart thermostat is the one you never get somebody because they never change their thermostat anyways. Instead of just rushing out to buy someone some cool new trinket that will introduce new risks into their life, first ask if they even need this thing. Maybe they’d prefer a gift card. Or a power tool. Or something low-tech like a paper book or a board game. But if you do want to buy something techie for someone in your life and you think their life might be improved by one of those gifts, be sure to vet said gifts for privacy and security. The worst gifts, to me, are the ones that add more work to my life. “Great, this is another thing I have to update, care for, configure, etc.” Make sure that your gift adds more value than work, and make sure it doesn’t put them at risk.

Happy holidays.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

This blog post is likely going to sound like tin-foil hat paranoia, but please hear me out.

We all like to think that we’re smart. That doesn’t mean we’re arrogant, it’s just human nature. I’m not even talking about the fact that we don’t know what we don’t know – therefore we may think we know a good bit about a subject when in reality we’ve barely scratched the surface. No, I’m talking about the absolutely dumb things we do. Story time: in my previous life as a freelance audio guy, I was once setting up the audio for an event. I plugged everything in, turned on the board, slowly pushed up the volume and… nothing. Absolutely nothing. I checked my connections. I checked the speakers. I tried a different mic. I spent a good 15 minutes or so troubleshooting. Why the heck wasn’t I hearing anything? Then, suddenly, I noticed the little red “mute” light above the master fader. Sheepishly, I turned the master down, unmuted it, slowly brought it back up, and there was my voice loud and clear. I got a paid a lot of money that day to forget to check the mute button. Now, obviously making a dumb mistake like that doesn’t detract from my intelligence. I still know a lot and have a ton of experience. But it does show that no matter how long you’ve been at it, how many times you’ve done something, or simple and obvious the fix is, sometimes you make mistakes.

Let me make a quick transition back to privacy and security: I despise being called an “influencer.” I prefer to think of myself as an educator, but I hope to god I’m not “influencing” anyone. That’s because most modern influencers are just advertisers, and I don’t want to advertise things, especially subtly. While I’m not a fan of ads, I don’t mind “this episode is brought to you by Sponsor” or the show pausing for a commercial. What I absolutely abhor is subtle advertising. “Here’s a review of a product that’s actually an ad” or – even worse – “let me tell you about this awesome new thing I’m into, but I was actually paid to say that and I don’t really use it myself.”

And now, let’s bring them together: we all like to think we’re smarter than we really are. You probably read that last paragraph and went “ugh, same. I would never fall for that.” But you probably have. Let me ask you this: do you have ANY products with logos on them? Laptops, phones, shirts, backpacks, etc? If the answer is “yes,” congratulations! You’re a walking ad for that product – and you actually paid THEM to advertise for them, no less. That’s not necessarily a bad thing. I buy shirts from bands I like, and I wear shirts for privacy-related companies I like. I want to advertise those bands and brands because I believe in them and want others to know about them. But you’ve probably never thought about it like that before, have you? It’s so easy to say “ads don’t work on me.” And some don’t. I have never seen a TV commercial for a product and gone “hey, I’m interested in that.” But I have seen a commercial for Taco Bell's latest menu item and went “alright, I’m curious.” I don’t pay attention to billboards until I see one for DuckDuckGo and then stop mid-sentence to go “Ay! DuckDuckGo!”

A lot of people misunderstand the purpose of advertising. They think the purpose is to make you drop everything and sprint to the nearest McDonald’s to buy a new McHeartAttack, but that’s not it at all. In the 1980’s, they called it “brand awareness.” The goal is to keep the brand on your mind so that next time you’re out of the office and going “man, I’m kinda hungry,” your brain remembers that McDonald’s has a dollar menu. (Note: so does Wendy’s, and their food doesn’t taste like cardboard and disappointment smothered in ketchup.) Sometimes the goal is also to create subconscious correlations. I once had the privilege of hearing a former marketing director for Coors speak. Dude is a genius. Sleazy, but brilliant. He said that they were one of the first companies to start marketing beer as “ice cold.” Do you remember Coors’ marketing campaign from a few years back? Icy, arctic mountains, cold fog everywhere. Why is that? Cold = refreshing. They didn’t want to say “go buy Coors.” They wanted you to associate Coors with cold and refreshing drinks, making you more likely to buy one. Gatorade does the same thing with energy and athletics: feeling thirsty, dehydrated? Gatorade will rehydrate you, get you going, help you crush it. (It’s got what plants crave, after all.)

So what does this all have to do with privacy? Because privacy can help break this cycle. Remember: we’re not as smart as we think we are. That goes for all of us, myself included. I’m not Prometheus bringing you fire, I’m a cancer patient in the same ward as you. My friends and I joke about the time I walked into Guitar Center and walked out with an Ibanez guitar and it wasn’t until I was in the parking lot going “did I just buy an Ibanez?” (Ibanez makes great bass guitars, okay regular guitars. I never thought I’d buy an Ibanez guitar, but I did once. It was okay.) We all fall for it. Look no further than the now-legendary Cambridge Analytica scandal. This was when a company accessed tons of user data from Facebook that they weren’t supposed to access and abused it, unarguably contributing in vital ways to the successful election of Donald Trump and the passing of Brexit in 2016. Facebook user data literally altered history. I’m not saying that Brexit wouldn’t have happened without Cambridge Analytica, it’s hard to know for sure because it was such a hot, controversial topic. Same with Donald Trump: I’m not saying that he would’ve lost in 2016 without them, but Cambridge Analytica executives admit to being responsible for keeping “Hillary’s emails” in the forefront of the national debate, in addition to tons of other issues that Americans will remember from that time frame.

It’s hard to explain how Cambridge Analytica worked, because just as with normal advertising, you read about it and go “how did people fall for that? I wouldn’t have.” But people did. The very, very broad version is that Cambridge Analytica used a quiz to access user data – not just those who took the quiz but also friends of those who took the quiz. This included all kinds of information like age, gender, likes, and more. They were then able to use this information to paint a picture of that person – for example, “this person is a Christian parent with conservative values” – and then cater specifically to that person. But it’s so much deeper than that. “This person is a Christian parent – age 34 – of two children – ages 11 and 4, both girls – with conservative values. Specifically they worry about the quality of the education system and feel that their values are being attacked by the left. They enjoy police procedural TV show and listen to country music.” Cambridge Analytica would then use this data to serve ads from shell companies and fake Facebook pages set up specifically by them to say things like “Donald Trump wants to invest in education!” and show them country musicians endorsing Donald Trump and religious pages saying that Donald Trump is God’s choice of candidate. This is not hypothetical, this is exactly what happened. These pages might even post memes – like “remember Hillary's emails?” – or blatantly untrue news stories – also from “news” sites that were created specifically for profit without regard to reporting truthfully. And it’s so difficult to convey how insidious this truly was, because any American reading this goes “yeah, that’s pretty common” and “yeah, so what if they know all that information about me?” It doesn’t truly convey how effective this type of advertising is and how invasive the data actually is. Take a moment real quick to skim this article from Signal about targeted advertising on Instagram for some better context about how granular and invasive ads can be.

And look, I’m with you. I don’t mind targeted ads. The problem is when ads don’t look like ads. Because that’s – in my opinion – one of the biggest issues that made the Cambridge Analytica incident so successful. It’s one thing to say “sponsored post” at the top. It’s also okay to say “and now a word from our sponsors.” But what happens when a post looks like any other post? What happens when you think someone is genuinely saying “I think Trump is God’s candidate” and you don’t know that person is actually an atheist leftist being paid to post that to help someone else win a position of power? How do you know that person really shares your values if they’re willing to invest so much time and resources into lying about it just to get that seat? I’m not trying to be political here, I think we can all agree that this is disingenuous and destructive. It’s a betrayal of trust for your own ends. And sure, all politicians are liars – claiming to be “believers” when they aren’t just for votes – but that’s not the point. Focus here. The problem is that you’re being assaulted with it, 24/7 and often in very subtle ways. We’re not as smart as we think we are. We can’t always detect it. And if you aren’t aware of what’s happening, how can you defend against it?

Cambridge Analytica was not an isolated incident. There are still many companies and intelligence agencies – many from Russia, China, and Iran – that run fake social media profiles and organizations designed to sew chaos and disruption. They question facts, promote candidates, and sew disinformation and sensationalized headlines all in an effort to cause further division and confusion. I said at the top this post would sound like tin-foil hat stuff, but it’s not. This is real. It’s still happening all around the world as we speak.

So how can privacy help us fight back? In two ways: first, by closing the door. They say that the average person sees 6,000 – 10,000 ads per day. Remember that in this context, “ads” includes everything from billboards, t-shirts with logos, radio ads, TV commercials, and yes – those fake videos and posts that claim to be legitimate endorsements but are really paid ads. One of the major tenants of digital privacy is minimalism: don’t sign up for an account unless you really need it. Do you really need Facebook AND Instagram AND Twitter AND TikTok AND Snapchat AND…? Probably not. Pick the one or two you use and stick to those. (Better yet, delete social media altogether because those companies are highly invasive to your privacy – don’t forget that Cambridge Analytica didn’t collect all this data themselves, they stole it from Facebook.) By limiting the number of accounts you have – whether that’s social media accounts, streaming accounts, online shopping, etc – you’ll be exposed to fewer ads targeted specifically to you.

Second: the targeting. If you must use an invasive advertising platform like Twitter or Hulu, privacy helps reduce the accuracy of the information. By blocking trackers and ads, opting out of invasive platforms that collect data, and using privacy tools like encrypted email and VPNs, you’re reducing the amount of data flowing to these organizations, which makes it harder for them to build an accurate profile on you and thus harder for them to accurately advertise to you. Like most of you, I get tons of political campaign SMS messages around election season. These people seem to think I’m a black Democrat from Ohio. (Spoiler alert: I’m white from Texas, I won’t disclose my political leanings but I will say it’s not “Democrat.”) If you’re pro-life, it’s pretty hard to fall for a pro-choice ad no matter how subtle. If you’re an “ACAB” person (for those who don’t know, that basically means “vehemently anti-cop,”) then a “back the blue” ad is just gonna make you laugh in derision. By regaining your privacy, you’re reducing the chances that they can accurately serve you an ad that actually sways you.

Before I go: I think changing your mind is good and healthy. I don’t think anyone knows everything. I have my political opinions, and I’m sure some of them are wrong. But I don’t think that it’s good to have your mind changed subliminally by people who just want power and money. I think your mind should be changed by healthy, transparent discussions and evidence. So whatever your political leanings reading this: be open-minded. Be willing to change your opinions. But protect your privacy so that people aren’t manipulating you, changing your opinions for you, and tricking you by taking advantage of your loyalties to make you do things you wouldn’t normally otherwise do.

Privacy matters. I’m sorry for the long post, and I apologize if it seemed very messy and paranoid. Like I said, this stuff sounds hard to believe for some, and for many it’s hard to wrap our minds around how it could work so well, but it did and it does. Don’t let it happen again. Protect your privacy.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

I always say that the privacy and security landscapes are constantly evolving, so it seems only fitting that my annual “safe shopping” blog post should become a yearly tradition.

With gift-giving season officially beginning in the United States (and at least a few other places, I presume), I figure this would be a great time to discuss safe shopping tactics. I don’t feel like this needs any sort of real introduction, it’s pretty self-explanatory, so let’s begin.

  • Pay with cash in person. There’s a large push for card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-crazy, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.

  • Of course, online shopping has long been popular, and even moreso this year. For online transactions, use pre-paid cards (such as the Vanilla card) or card-masking services like Privacy.com, MySudo, Blur, Revolut or LastCard to avoid having your real information stolen. If a scammer steals your information, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. Be aware that all of these services have to adhere to various Know Your Customer laws, so they will ask for some personal information that some people may not be comfortable with. I have a comparison of these different services here so you can find the one for you.

  • Use a masked email address. All that online shopping data will be sold to anyone and everyone you can imagine. By using a masked email address, you're getting a number of advantages. First, you can break up your “marketing profile” by making it harder (but not impossible) for companies to correlate purchases (if you use the same email/card on two websites, that's obviously you). Second, you can more easily control phishing – and more practically, spam. Once an address gets sold or leaked and starts getting Nigerian prince emails or nonstop marketing “here's other crap you don't care about” messages, you can simply shut it off. Poof! Goodbye spam! Finally, you make it harder for a malicious actor to track you across multiple sites or know which email service you use to attack you. Email forwarding services are a subtle but powerful tool in the data privacy and protection arsenal.

  • Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the cybercriminal who hopefully didn’t steal your information because you already implemented the above bullet points.

  • Don’t quit on December 26. The thing about these habits is that they’re great year-round, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. Forwarding email addresses can be used year-round to manage newsletters, giveaways, various accounts you use, etc. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. The email masking services I recommend offer apps and plugins for quick,easy use in your day-to-day. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work (if you have a concern about stalkers, you may want to consider getting one in a nearby town instead). Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

What is XMPP?

Trying to review XMPP is a lot like saying I’m gonna review soda. Sure, it’s a drink, but after that there’s so much variation that it’s hard to give a blanket review. With that in mind, let me attempt to review soda this week.

XMPP is a chat protocol – like Matrix. In fact, it is a pretty old school protocol and has been around since the early days when the internet belonged to the nerds alone. Don’t let that fool you, though, you’ve likely used it. A large number of tools you use in your daily life are powered by it, including Google and Apple push notifications and Google Cloud Messaging (now called Firebase). In the past AOL, Skype, and Facebook all experimented with supporting XMPP.

The Good

There’s a lot to love about XMPP. For starters, it can be anonymous. The key word there was “can be.” As with 99% of privacy, it’s not the tool itself but how you use it. Most servers don’t require any information to sign up, except maybe an email address and I’ve never seen one that actually verified it or rejected it for being a forwarding email address. So assuming you use a VPN, a clean hardened browser, and a unique username, congratulations. You’re more or less anonymous except against the most advanced threats. You may actually be hidden from them, too, but there are other factors involved there and this isn’t really the time or place. The point is the potential is there, probably moreso than any other chat option.

The next great thing about XMPP is that it’s decentralized. Easily. You can easily host your own server, or use any available server. This also means that some servers are located in privacy-respecting countries like Switzerland, Germany, or Iceland. Or you can host your own in one of those countries.

The final pro is the apps. Because XMPP is open source, so are the apps, which means there’s a variety to pick from. Monal (iOS) and Conversations (Android) are among the most polished and common, and should be easy to use for almost any moderately tech-comfortable user. Some of them even offer phone calling capabilities – assuming your server also offers this – allowing for a total VoIP solution for those willing to put in the work to set it up.

The Bad

XMPP’s strengths also make for its weaknesses. Because it is freely decentralized, not all servers support the same features like voice calling – or even have the latest security updates. Likewise, some are in privacy-unfriendly countries like the US or Australia. Additionally, end-to-end encryption must be manually enabled with each conversation – and depending on the client you use, that can sometimes be glitchy. Finally, on the topic of servers and decentralization, never forget that a server admin can easily see all your data, so make sure you use encryption and that you really trust the server.

To the best of my knowledge, the XMPP protocol has not been audited – though some of the clients have been. If this is incorrect, please someone contact me and let me know (with sources) and I’ll update both this blog and the site accordingly. Finally, XMPP is not always user friendly. While joining an existing server is a pretty straightforward process – and most of the best apps have made signing into that account (or making a new one) equally simple – those who are not confident with technology may be easily scared off by XMPP. It can be overwhelming, as they do not offer a default server like Matrix does. It’s entirely on the user to get set up, and unless you’re guiding someone through it they might feel overwhelmed.

Conclusion

XMPP is honestly probably the near-perfect, near-ideal solution for privacy. It’s decentralized, self-hostable (is that a word?), capable of end-to-end encryption, capable of voice calls, and open source. Perhaps the only thing keeping it from mainstream adoption is that the sheer freedom it offers can make it daunting to those who don't consider themselves “techy.” If you’ve never tried out XMPP but you’re confident with your software tinkering skills, I highly encourage you to check it out. If you like it and feel comfortable, perhaps you can be the one who guides those around you into it.

You can learn more about XMPP here and get started with their recommendations for clients and servers here.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

As we round out cybersecurity awareness month, I wanted to close out by bringing different types of security strategies to the attention of my readers. In my opinion, all of these strategies have good aspects and all of them should be used to varying degrees, but not one is perfect. Before I explain further, it would be helpful to know what I'm talking about. So let’s go through some of the most common security strategies out there. This is probably not a comprehensive list, just the ones I see and hear about the most. This list is in no particular order.

1. Security Through Obscurity

This is probably the most commonly talked about strategy. Security Through Obscurity relies on secrecy as the first line of defense. For example, proprietary software. The first line of defense is that the source code is not open. It cannot be easily reproduced or audited, thereby leaving an attacker (or researcher) to simply take a guess at the best point to begin their attack. In the privacy world, we often see this strategy employed with data removal. Once we’ve gone through the basic, “easy” stuff like adopting secure passwords and switching to encrypted providers, it’s common for people to start taking an interest in removing themselves from the internet. This could take the form of deleting old accounts or removing their information from people search websites. It's hard to steal my identity when you can’t find it in the first place, after all.

It’s worth noting that in many circles, “Security Through Obscurity” refers specifically to purposely covering up known flaws. I think this still applies with my data removal example. After all, my identity is my identity. I can’t change my birthday or social security number. They’re weak spots. The only way I can harden them (aside from a credit freeze) is to hide them. Security Through Obscurity is sometimes a lazy out, but sometimes it’s the only (or last) solution available.

2. Security Through Obfuscation

I don’t know if this is a real term, but I’m referring to disinformation. This is a blog post I still need to make in full as I think this is a strategy that is often unspoken and under-represented in the privacy community. Disinformation in this context refers to intentionally (but legally) spreading fake information about yourself to poison any marketing profiles or waste the time and resources of any potential attackers. That attacker could be a private investigator or simply an angry internet troll. In both cases, they have finite resources – the amount of money the client has to spend or the amount of time they can waste on doxxing you, for example. The more time they waste chasing fake information, the more likely they are to run out of resources before they find anything useful on you.

3. Security Through Obsolescence

Fun fact, in a nearby town there’s a “Floppy Disk Repair Store.” I am 100% convinced that this store is some kind of front for illegal activity. Probably money laundering. No one can convince me otherwise. Has anyone even seen a floppy disk in the last decade other than the save button icon? But believe it or not, many government agencies still use severely outdated technologies like analog tape or floppy disks. In some cases, this is because of lack of funding, but in many cases this is intentional. If something is so old that modern cracking tools don’t work on it, then it becomes secure simply by that virtue alone. Sure, maybe your floppy disks aren’t encrypted, but who cares when it’s literally impossible to get your hands on a device to even plug the floppy disk in and read it? At least, that’s the logic. Some of the most important government devices are using technology that goes as far back as the 1980s for this reason. Like I said, there’s other reasons peppered in there – stability, funding, etc – but that’s definitely one of them.

“Ogres Are Like Onions...”

So which of these strategies is best? None of them. Security Through Obscurity relies on you being 100% hidden 100% of the time, which is basically impossible for anyone. Security Through Obfuscation hinges on the idea that the attacker will run out of resources before they find your real information, which may not be the case if your real information is equally as prevalent. And Security Through Obsolescence makes a lot of other tradeoffs and assumptions.

The best strategy, in my opinion, is a mixture. Take Obscurity and Obfuscation for example: I try to remove as much personal data from the internet as I can. In return, I seed a lot of disinformation. I use fake names, fake address or PO Boxes, fake or burner phone numbers, fake birthdays, etc. By combining both of these strategies, I create a lot of “noise” that any attacker would have to sift through, burying any real information that accidentally gets overlooked by my Obscurity practices. This makes it more likely to not get noticed, or to get dismissed as more fake information.

What about Obsolescence? Is there a place for that in our lives? Yes, but with a caveat: it largely depends on your threat model. For example, keeping a physical calendar may prevent your sensitive appointments from being caught up in a data breach, but if you have a high risk of a physical stalker or attacker, leaving your calendar in an unencrypted, anyone-can-access-it format might be incredibly risky. Another example would be keeping your finances in an offline spreadsheet. It may be great to protect your privacy from data-hungry financial services, but if you’re secretly stashing away money to leave your abusive partner then leaving that on a shared computer could be a recipe for disaster.

Even with a low threat model, Obsolescence requires a balance. Keeping a copy of Windows XP because it has less telemetry than Windows 10 is incredibly dangerous, especially if that device is connected to the internet. It no longer receives security updates, making it risky and vulnerable to attack. Even making it air-gapped (disconnected from the internet) may not be a good solution as researchers are continually finding new (and interesting) side-channel attacks that compromise air-gapped machines. Remember: nothing is unhackable.

So ultimately, just remember that there’s rarely one way to do things. When I was younger and early in my career, I got a great piece of advice: “you’re gonna have some great bosses, and you’re gonna have some terrible ones. When you get the great ones, figure out what makes them great and copy that aspect of them. When you meet the terrible ones, figure out why they suck and make an effort to avoid doing that.” Privacy and security are the same way: don’t take an entire strategy or solution as gospel. Figure out the bits and pieces that work and figure out how to use them to make your security posture better. And likewise, when you learn of someone’s failure, take lessons from what they did wrong and learn how to avoid those same mistakes.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

What is Zero-Knowledge/End-to-End Encrypted Email & Why Do You Need It?

Tutanota is one of the more popular end-to-end encrypted (E2EE)/zero-knowledge email providers out there, largely considered the main competitor to ProtonMail. A zero-knowledge provider means that they can’t read your inbox, which is – in my opinion – a must-have for any person who values their privacy and security. Many people argue that zero-knowledge email providers are overhyped – or worse – because you’re only securing half of the chain. If I email someone at a Gmail address, the contents are still exposed on Google’s servers. However, in my opinion, that’s still cutting your attack surface in half. If we’re both using Gmail – or if one of us is using another provider like Yahoo – that’s just twice the opportunity for a data breach, warrants, or an insider threat. Sure, you may not get the full benefit without both parties using encryption, but it still counts for something.

The Good

The main thing that sets Tutanota apart from other recommended email providers, in my opinion, is that they use a modified version of PGP that encrypts more content than usual. Normal PGP does not encrypt metadata, specifically the subject line, sender, and recipient (source). This is much more than Proton or Ctemplar’s simpler “content and attachments” policies.

Just like Proton, Tutanota also offers a zero-knowledge calendar which – unlike Proton – is accessible within the app for both iOS and Android. Like Proton, Tutanota is powered by renewable energy (if that’s a thing you care about) and like both Proton and CTemplar, Tutanota offers a way for you to initiate secure conversations with non-Tutanota users. They are also based in Germany, which has strong consumer privacy laws, and they are known for having a much lower price than Proton (great for those on a budget) and having outstanding customer service. (I can attest to both: while both offer great customer service, I have personally noticed that Tutanota seems to go above and beyond in my experience). Tutanota has further expressed their support for the open source community by offering free Premium features to open source software projects (source). They also offer submission forms, and while they may cost a bit too much for my own basically soloprenuer project, they should be easily affordable for most small/medium-sized businesses, which means companies now have an easy, drag-and-drop solution for clients to securely contact them. Also they created their own alternative to the CAPTCHA to further de-Google themselves, so that’s cool.

The Bad

I like Tutanota, I really do, but as with every review I do, nobody is perfect. Let’s start with the two biggest dings for me: the first is their modified encryption. Since Tutanota is not based on pure PGP, that means there is absolutely no way for a non-Tutanota user to initiate secure communication with Tutanota users. With Proton or CTemplar, I can post my public key and any PGP user – even those who don’t use the same service – can email me securely and start the conversation. With Tutanota, the only way to start a secure conversation with me is to also be a Tutanota user.

Next, Germany. While Germany does indeed have strong privacy laws, they have also repeatedly expressed their eagerness to join the Five Eyes intelligence community. It’s pretty hard to accept that a country who wants to be part of the most invasive, illegal, unethical, and comprehensive surveillance network ever seen also has my privacy in mind. Now of course, that doesn’t mean Tutanota is a sham. I’m a US citizen and yet I personally take privacy very seriously. The country you’re based out of doesn’t necessarily reflect your own values. However, it does mean that you are subject to their rules, which has already come back to bite Tutanota at least once.

Finally, there are a few other small dings against Tutanota that largely come down to personal preference. They do have a desktop app, but it’s Electron-based. As a non-programmer, from what I understand that means it’s basically just the website wrapped in an app and generally insecure. Their mobile app is notoriously slow. Tutanota’s web client has been audited, but not their servers (though one could make the argument that if the client is secure and does what it claims then the servers hardly matter) and not their mobile apps (though they claim their mobile apps use the same protocols and standards as the web app, so they should – in theory – be equally secure). And, this is just personal experience, Tutanota seems to get DDoS’d a lot. At least once every couple months. For most of us, I don’t think we do anything so time-sensitive that this matters, they usually have it fixed within a couple hours, and I guess there’s also the argument to be made that when you’re meeting resistance you’re probably headed in the right direction (video game logic), but still, that can be an issue for some.

Conclusion

Email is not secure. I think that’s worth pointing out. Email was never designed to be 100% secure. You never know who might print it or forward it, and there’s also a bunch of super-technical issues with both email itself and PGP that literally cannot be fixed. You should never trust your life to email (which is why Snowden didn’t just email his documents to people). But also, email is still a widely-used tool that permeates almost every service we use in some way, shape, or form. For that reason alone, it’s worth trying to get a secure email provider to mitigate the risks as much as possible. And, truth be told, you can’t do much better than Tutanota. There are a few niche things that make other providers more appealing – more features, better jurisdictions – but Tutanota has repeatedly proven themselves to be advocates and friends of privacy, with an equally long history of striving to be as secure, private, and user-friendly as possible. In your quest for an encrypted email provider, you’d be making a huge mistake not to check out Tutanota and give them a chance.

You can learn more and sign up for Tutanota here.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.

Enter your email to subscribe to updates.