I Was Supposed to Review Mailbox.org This Week.

I ended up delisting them. So instead, I want to take this week to remind both my readers and myself about the mission behind The New Oil and to make sure I'm staying true to that.

Why Delist Mailbox.org?

Mailbox.org is a perfectly fine service. In fact, I’ve even had some readers argue that Mailbox is a better choice than Proton or Tutanota for… reasons? I didn’t really get their argument, it was confusing and circular, but the point is there is nothing wrong with Mailbox.org. So why delist them? Because zero-knowledge and PGP were not activated by default and actually required some intentional setup on the part of the user. Just as many critics say that Telegram not enabling end-to-end encryption by default lulls inexperienced users into a false sense of security, I think this falls into the same category. This is not a problem for my more advanced readers, but it can be very confusing and overwhelming for newbies, and while I welcome advanced readers and value your feedback, frankly The New Oil isn’t aimed at you.

The Vision

I once heard it described as “The Grandparent Test.” This doesn’t appear to be a popular phrase, but I think it should be. The Grandparent Test asks “can your grandparents get started and continue using it with little or no help?” I think most of us have at least some firsthand experience with helping someone who is not tech-savvy get started on something. Maybe you had to help fix Excel for your coworker or show your grandma how to send an email. As someone who’s been moderately techy my entire life, I have had many of these experiences. It only got more common as I became a privacy advocate: helping people find Signal in the app store, helping my mom try Matrix, etc.

My goal for The New Oil was and is, ultimately, to pass The Grandparent Test. I mentioned in a recent Decentralize Today blog post that at the time I started TNO, I was not aware of any websites that offered comprehensive, user-friendly information. PrivacyTools.io was – and largely is – a list of tools with no instruction or context. Michael Bazzell is at times too hardcore and makes his money from book sales so the information wasn’t freely available (you can learn a lot from his podcast but it’s still not comprehensive). I couldn’t direct my mother, grandmother, brother, or anyone to any of these sites and say “here’s a starting point to learn at your own pace.” They needed me to translate, which was inconvenient for both them and me. I wanted to create a website that said “hey, you know nothing? Cool. Here’s what you need to know to get started” and people could move at their own pace.

I also wanted to stop there. I know firsthand – and I’m sure many of my readers do, too – that if you try to create a tool that does everything, you end up creating a tool that does almost everything but really poorly. It’s best to create something that focuses on solving one specific problem, and refine that tool until it solves that one problem really well. This is why The New Oil doesn’t offer tips on how to adjust the about:config of your Firefox browser, how to use uBlock’s advanced mode, how to use virtual machines, or any of that stuff (although I would look to create an “advanced tips & tricks” series of videos on PeerTube in the future that covers this sort of stuff). I want to help people who don’t understand digital privacy to understand it and get started and that’s it, no extra information or overwhelming optional stuff. Personally I think I do that well. If you disagree, I recently open sourced the website. Feel free to submit an issue for suggested improvement.

So why did I delist Mailbox.org? Because it wasn’t user-friendly. It’s a fine service, and I see no reason that my more advanced readers shouldn’t use it or should switch, but I wouldn’t feel comfortable telling my mother to use it because it would be too easy for her to overlook changing the PGP settings and then have a false sense of security.

This also brings up an issue I’ve been tossing around in my head for quite some time: consistency and criteria. During a discussion with one of the community managers of PrivacyTools, they pointed out that I didn’t have any kind of publicly listed criteria for how I decide what tools to list and what tools not to. They made a really good point, and that’s been on my mind ever since. And in their defense, I didn’t really have any criteria. I knew I wanted to go with open source whenever possible (the VoIP section is pretty much the only one that doesn’t meet this criterion), and I mainly base my recommendations on tools that have been vetted and have a good reputation in the privacy community. Of course I did my own research, too, but there was no hard and fast “here’s the rules.” So, thanks in no small part to the feedback from my wonderful Matrix community, I’ve decided to remedy that. I have added a Wiki on GitLab explaining the criteria I use to judge each section and what allows an app to be listed on my site. Furthermore, the review criteria for my twice-monthly reviews are in the process of being standardized and will be posted in each review, as well as being available on the GitLab Wiki. As always, if you have any suggestions, feel free to share.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.