The New Oil

Practical privacy and simple cybersecurity.
TheNewOil.org

This week is Data Privacy Week (and today is Data Privacy Day). To celebrate, this week I made a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.

Today, as we wrap up the week with Data Privacy Day itself, I want to go in a different direction. I'm a strong believer that you can learn just as much in failure about what not to do as you can in success about what to do. So today I'm going to focus on three overrated tools and techniques that everybody focuses on very intently, probably a little too much.

Let's start with VPNs. A lot of VPN companies promise more than they can deliver like total anonymity, freedom online from censorship and tracking, and more. This is a lie. Even the best VPNs pretty much only do two things: hide your IP address from the websites you visit, and hide your traffic from local snoops such as your ISP or work router. That's it. And your IP address is only one small way that companies track you. Fortunately in recent years there have been a lot of writings about this very topic, but still many people seem to be lulled into putting too much faith into their VPN provider. Don't. See my page and IVPN's Do I Need A VPN? for more details.

Next let's talk about instant messaging. A lot of people put massive amounts of concern into their daily messengers. It seems like every day I see people having near meltdowns over very small, minuscule things in their messenger of choice: “X is centralized,” “Y is based in the US,” “Z uses Encryption A instead of Encryption B.” While I'm a big fan of using end-to-end encrypted messengers (it's a must for anyone who wants to be close to me personally), let's take a step back here: how often do any of us really send anything important? Granted, this argument could apply to every area of our digital lives, but some people really put an unjustified amount of work into protecting their daily communications when all they're sending is memes and “want anything from Wendy's?” There's no need to get bent out of shape over having something that's NSA-proof when it means so little. There's a reason I recently moved this category to the “least important” section of the website.

Finally, on that note, email providers. At least once per week, usually more, I see posts on Reddit of people asking “what email provider should I use?” Does it really matter? You're not sending state secrets, and unlike encrypted messaging you're probably not even securing both ends of the communication. Yes, it's important to cut that threat surface in half by using a zero-knowledge provider so that the rogue employee can't open my inbox, but the email I received from my bank is still plaintext on their end. The email I sent to my boss is still visible on Gmail's servers. Only one half of the contents are encrypted, and while that's definitely better than nothing, it's really not worth having a paranoid episode trying to pick the one server that's located in Antarctica and run by hedgehogs who can't read court orders.

Now, it should be noted: I endorse and encourage the use of all these services. I list all of them on my website and strongly encourage you to use them. Your privacy – even the stupid memes and grandma's chain letter – is yours, and nobody should have the right or ability to read those without due process. I'm not saying this stuff isn't worth doing. What I am saying is that in my experience and opinion, people put way too much time, energy, and effort into these particular tools for what they get out of them. Like I said, people will dive deep into the history of every time an encrypted messenger's CEO took a dump, but all they're sending over the platform is inside jokes and plans to hang out. It's about being proportional. You don't need to put hundreds of hours of research into a platform that isn't going to contain any sensitive data. Just a few solid hours of research is plenty. Time is the most valuable resource we have: we can never earn more or get it back. Don't put unnecessary amounts of time into things that will get you very little in return. Do your research and make smart choices, do use these products, but remember that in terms of protecting your privacy, there are many other areas that will give you much higher and more effective returns. Be smart with your time.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

This week is Data Privacy Week. To celebrate, this week I will be making a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.

Today I want to talk about disinformation. This is something that deserves a whole blog post itself, as I’ve said before, and I still plan to honor that at some point, but in the meantime I want to discuss some basics. Disinformation is – simply put – intentionally spreading false information to throw off tracking of any kind. There are a few important caveats before you start using disinformation. First off, never ever lie to government or law enforcement figures. Do not give a cop a fake ID, do not put a fake name on your tax returns, etc. Second, on that note, don’t forge government IDs. Making a fake workplace or gym ID is totally fine. Making a fake driver’s license can land you in some really hot water. Finally, don’t commit fraud. The goal of disinformation is not to cheat anyone out of money or evade any legally-binding agreements; the goal is to prevent companies from collecting data about you that they don’t actually need.

The amount of disinformation you employ will vary based on the situation. Are you buying a physical product online that will be shipped to you? Then you need to give them a real address you have access to, like a PO Box or workplace. Are you buying a digital product that will be downloaded, like an ebook, digital album, or video game? Then they don’t have any reason to know your address. You can use disinformation here. Whenever asked to give up information, ask yourself “does this person actually need this information?” If they don’t have a legitimate use for this data – like the aforementioned “sending you a product” – then find a way to not give it to them. Sometimes you can simply say “no thanks” or leave the spot blank. If that’s not an option, then this is where disinformation comes in.

In my experience, there are two main pieces of disinformation pretty much everybody will need to have ready to go, and three optional ones for those who wish to take it further. The main two are physical address and phone number. For physical address, I recommend a hotel. Whether that’s a hotel in town or in another town depends on your threat model and preferences. The reason is that some websites will demand a real, verified address or may flag you for using “123 Main Street” because it looks suspicious. “28 N Franklin St” looks legitimate, though, and that’s because it is: it’s the Hyatt in downtown Chicago. This is much more likely to pass in my experience. The second piece of disinformation to memorize is a phone number. My favorite is (248) 438-5508 – which plays “Never Gonna Give You Up” by Rick Astley – but Michael Bazzell also recommends (909) 661-0001 through (909) 661-0090 and (619) 364-0003 through (619) 364-0090.

The other three optional pieces are name, date of birth, and personal details. These are optional depending on your threat model or personal preferences. Date of birth is easy: Michael Bazzell recommends swapping the month and day and then adding or subtracting a year or two. For example, if your real date of birth is February 5, 2000 you can make it May 2, 1998, 99, 01, or 02. For name, I recommend using a shortened nickname or a middle name. If your real name is Alexandra Ashley, you can go by Alex or Ashley (Alex has the advantage of being gender-ambiguous). This is especially useful if you have a really unique, foreign name. I’ve met a few Indian people with names like “Raj” who Americanize it as “Ron” for simplicity. I don’t know if that’s common but it really helps to completely hide their real, unique names. Finally, for personal details, I recommend “fuzzing.” Instead of full-out lying and risking getting caught by someone who’s an area expert, just be vague or change small details. If you’re the head of the finance department at Sunshine Technologies Inc, say you work in accounting, or you work at a tech company. If you spent a few years in Seattle recently, say you grew up there. This ensures you don’t get caught in your lie (ex – claiming you’re a biologist then meeting a biology professor) and doesn’t give away anything too personally identifying in terms of details or timelines.

Again, this is a subject that warrants an entire blog post, and that will come. In the meantime, I hope you’ll look into this and start giving some thought to your own disinformation preparedness. Using disinformation can help protect you from spam, data breaches, and other forms of tracking. Happy Data Privacy Week!



Today I want to highlight backups. This is a little more security than privacy, but there’s still some privacy involved here, too. First off, let me say: backups are important. A lot of us overlook having good backup practices because it’s one of those things that you never really think about until you need it. Even I’m guilty of occasionally being late with making my backups. It happens to the best of us. There are two good practices to follow with backups. First is the 3-2-1 rule: 3 copies of your data (one being your “live” in-use copy), 2 different mediums (like an external hard drive and a USB stick), and 1 offsite (such as a cloud). The second “best practice” is to use automatic backups if that’s available to you. This way you don’t have to worry about accidentally putting off your backups for too long and having outdated, useless backups when disaster strikes. I talk all about how to design good backup strategies on this page.
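As an added illustration (not a tool from The New Oil), here is a small Python audit of a backup inventory against the 3-2-1 rule above, which also flags the failure mode the post warns about: a copy that has been put off so long it is useless when disaster strikes, and an offsite copy that is not encrypted. The `BackupCopy` fields, the 7-day freshness limit and the sample inventory are assumptions.

```python
"""Audit a backup inventory against the 3-2-1 rule and a freshness limit.

Added illustration, not a tool from The New Oil. The inventory format,
the BackupCopy fields and the 7-day freshness limit are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupCopy:
    label: str         # human-readable name of the copy
    medium: str        # e.g. "internal-ssd", "external-hdd", "usb", "cloud"
    offsite: bool      # stored somewhere other than where the live data lives
    encrypted: bool    # protected at rest (matters most for offsite copies)
    last_updated: date


def audit_backups(copies, today, max_age_days=7):
    """Return a list of findings; an empty list means the policy is satisfied.

    Checks the three parts of the 3-2-1 rule (3 copies, 2 media, 1 offsite),
    then flags stale copies and unencrypted copies that leave the premises.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies (need 3, live copy included)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"3-2-1: all copies on one medium ({', '.join(sorted(media))})")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no offsite copy")
    for c in copies:
        age = (today - c.last_updated).days
        if age > max_age_days:
            findings.append(f"stale: {c.label} is {age} days old (limit {max_age_days})")
        if c.offsite and not c.encrypted:
            findings.append(f"exposed: offsite copy {c.label} is not encrypted")
    return findings


# Constructed sample inventory, modelled loosely on the setup the post describes.
TODAY = date(2024, 1, 28)
SAMPLE_INVENTORY = [
    BackupCopy("laptop (live data)", "internal-ssd", False, True, TODAY),
    BackupCopy("4 TB external drive at home", "external-hdd", False, True, TODAY - timedelta(days=2)),
    BackupCopy("USB stick at the office", "usb", True, True, TODAY - timedelta(days=12)),
]

if __name__ == "__main__":
    for line in audit_backups(SAMPLE_INVENTORY, TODAY) or ["OK: 3-2-1 satisfied, all copies fresh"]:
        print(line)
```

Run as a script it reports the one problem in the constructed inventory: the offsite USB copy is 12 days old. The same function can be pointed at a real inventory kept in a file and run on a schedule, which is the "automatic" half of the advice.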

This is where privacy comes in. If you’re following the 3-2-1 rule, then you’re supposed to have at least one copy of your data stored offsite. How can you do this privately? There are a few options. What I do is I have an encrypted 4 TB external hard drive that I keep at home where I store every backup, going back as far as possible, at least one year. Then, at my day job office, I store an encrypted USB with only the latest, most recent backup on it. It’s encrypted so that if we ever got robbed, if one of my coworkers started snooping, or if I just got suddenly fired and never returned to the office again, my data would still be safe. I’m usually in the office at least once per week, so I can keep that USB updated regularly. If you are 100% “work from home” or don’t work in an environment where it’s feasible to store your backup device, you could also consider storing it at a close friend’s house or something like that. Of course, these are just offline backup ideas. Storing on the cloud is much simpler and more direct.

No matter where you choose to store your data – be it at a physical location you frequent and update or on the cloud – the biggest concern is keeping it private. When I make my backups, EVERYTHING is there. I’ve mentioned before that I have a small interest in disaster prepping, which means that in addition to my password database I also have lots of sensitive documents like scans of passports and social security cards, digitized medical records, and documentation on things like insurance and leases. (There are also things like backups of emails with consulting clients and other confidential communications.) I don’t want this information exposed, so no matter how I decide to back up my data, I have to make sure this stuff is protected. As I said, my preferred solution is to be entirely offline, but others may want something more convenient and readily accessible for any number of reasons: aka, “The Cloud.” My ideal recommendation for cloud backups is something zero-knowledge. Nextcloud is the poster child for the privacy community, but ProtonDrive, Sync.com, or even Filen.io are all popular choices. However, as noted on the page I listed earlier, each of these services comes with drawbacks. While you may decide these are not dealbreakers, some may want to pick more vetted, reliable services like Google Drive or Dropbox. In this case, I recommend the use of a service like Cryptomator or VeraCrypt to ensure that your files are hidden from possible rogue employees, unwanted snooping, and automated scanning. Again, I go in-depth on how to set up an encrypted container on the Backups page of my website, so consult that for details.

No matter what option you go with, remember to keep regular backups and keep them protected from prying eyes. This is a critical but frequently overlooked technique in the privacy community. Happy Data Privacy Week!



Today I want to talk about mobile habits. As most privacy enthusiasts know, phones are some of the most effective surveillance devices out there, recording everywhere you go, everyone you talk to, every app you use – which can betray your interests and more – and in some cases can even infer information about you like sexual orientation and health. Truthfully, I think many privacy types dream of being able to live without a cell phone, but sadly for most of us that’s just not reasonable. If you can, good for you. But many cannot. While there are a number of steps we can take to reduce phone data collection – like using a de-Googled OS or even just changing a few settings – there are also a lot of tricks that frequently get ignored, and those mainly involve mobile habits.

On the website, I offer a number of behavioral suggestions to help reduce the tracking of your phone. The biggest one, in my opinion, is simply to use it less. While you may need your phone at work to get important messages, there’s no need to take it to the grocery store or out to dinner. You can safely leave it at home and bring a paper grocery list, talk to your dinner date, or bring a book if you’re eating alone. Another technique is simply to rely on fewer apps. While some apps have a place – like encrypted messaging or a more private browser – some may not really be necessary. Most of my loved ones use Signal, therefore I see no reason to have Matrix and Session on there too since I rarely get messages there. I also removed all email from my phone. Phones these days come with a stock mail app, but email was never designed to be realtime communication. If you’re emailing me, then that tells me whatever you’re asking can wait. Instead of swapping a bad email app for an encrypted one, I just deleted it altogether. Desktop only now. And on that note, I mentioned a privacy browser. Just because you have a better browser right there doesn’t mean you should always use it. Sure, I use it to find items in the store when I’m at work or to check what time the store closes on the way home, but I try not to use it to figure out what Daniel Radcliffe has been up to since Harry Potter ended (note: Miracle Workers. It’s hilarious. I highly recommend it) or what’s the furthest object ever observed in space. Point being: I try not to do things on my phone unless it’s an emergency or highly important. If it can wait till I’m at my desktop, I try to do that because I have more control over my data there. Phones are difficult to harden in a really meaningful, effective way. No matter what apps we download or steps we take, we should always be skeptical of them.

Hopefully this article has given you something to think about and helped you rethink your relationship with your miniature surveillance device. Don’t get me wrong: I’m grateful for my phone. It has made my life easier in so many ways, providing endless hours of entertainment and contact with those I care about nearly 24/7. But it’s important that I stay in control of it and not the other way around. Happy Data Privacy Week, hopefully this helps you protect your privacy just a little better!



Today I want to highlight settings, specifically changing and checking them. There's nothing like a fresh device. It's what “new car smell” feels like. I love a freshly installed OS, and I love doing all the hardening steps. On Windows (which I use strictly for gaming and production), my usual routine is Windows Spy Blocker, W10 Privacy, Bulk Crap Uninstaller, and lately I've been delving into Portmaster. Then I move on to things like Firefox, VLC, etc. But as fun as these things are and as empowering as it feels to help take back control of my device and regain a little bit of privacy from invasive analytics, there's a less exciting step: settings. You see, many of us in the privacy community get a new device and we get eager to start customizing it and locking it down: firewalls, VPNs, encrypted messengers, etc. These are all great and important steps, but it's important not to overlook the simple steps. Whether on desktop or mobile, don't underestimate the value of changing your settings. Why do you think companies like Google pay millions of dollars each year to be the default browser in Firefox? Because settings matter. Most people don't bother to change the default settings, but simple changes – like changing your default search engine or video program, turning off analytics, or having the device lock after a minute of inactivity – can offer simple yet powerful protections to your privacy (and as a bonus, they can reduce your attack surface by not requiring you to use extra plugins or third-party software to replicate the same behavior). So as fun as it is to start going straight to all the hardcore, power-user tweaks, don't overlook the basics and review your default settings.

Unfortunately it doesn't stop there. It's a well-known phenomenon that updates can sometimes revert your settings back to default. In my opinion, this is usually a bug, as it seems to only happen to certain people and programs inconsistently, though sometimes it is certainly intentional. In my experience, this seems most prevalent when doing major updates (for example, going from Version 14 to Version 15), but it can happen at any time. So even if you've already checked your settings and made your adjustments, be sure to review them periodically – particularly after an update if you know you've just had one. This is a great way to spot any new settings worth adjusting and catch any settings that were reverted.
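Reviewing settings after every update is tedious by hand, so here is an added example (not from The New Oil) of doing it mechanically for one of the programs the post mentions: a Python check that parses Firefox's `prefs.js` and reports any preference that no longer matches the value you chose when hardening. The `user_pref("name", value);` line format is Firefox's real one; the baseline preference values and the sample `prefs.js` excerpt are constructed for the example.

```python
"""Detect privacy settings an update reverted, by diffing a Firefox prefs.js
against a baseline of the values you chose when hardening.

Added illustration, not from The New Oil. BASELINE and SAMPLE_PREFS_JS are
constructed; the user_pref("name", value); line format is Firefox's own.
"""
import json
import re

# One preference per line: user_pref("some.pref.name", <JS literal>);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line in a prefs.js body.

    Values are JS literals (quoted string, true/false, integer), which are
    also valid JSON, so json.loads decodes them; anything else is skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        try:
            prefs[m.group(1)] = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue
    return prefs


def find_drift(current, baseline):
    """Compare current prefs to the baseline set after hardening.

    Returns {name: (expected, actual)}. actual is None when the key is
    absent from prefs.js, which means it is back on the built-in default.
    """
    drift = {}
    for name, expected in baseline.items():
        actual = current.get(name)
        if actual != expected:
            drift[name] = (expected, actual)
    return drift


# Constructed baseline: the values chosen during hardening (assumption).
BASELINE = {
    "toolkit.telemetry.enabled": False,
    "datareporting.healthreport.uploadEnabled": False,
    "dom.security.https_only_mode": True,
    "browser.search.suggest.enabled": False,
}

# Constructed prefs.js excerpt as it might look after an update turned
# telemetry back on and dropped the HTTPS-only key entirely.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("toolkit.telemetry.enabled", true);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("browser.search.suggest.enabled", false);
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1706400000);
"""

if __name__ == "__main__":
    for name, (want, got) in find_drift(parse_prefs(SAMPLE_PREFS_JS), BASELINE).items():
        print(f"{name}: expected {want!r}, found {got!r}")
```

To use it on a real profile, read the profile's `prefs.js` into `parse_prefs` while Firefox is closed (it rewrites the file on exit) and keep `BASELINE` as the record of what you actually changed; a non-empty result after an update is exactly the reverted-settings case the post describes.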

Happy Data Privacy Week, hopefully this helps you protect your privacy just a little better!


Disclosure: The New Oil is sponsored by IVPN. Per the terms of this agreement, IVPN does not have any input on our review, but we want to disclose any possible conflicts of interest up front. You can read all of our guidelines for sponsorships here.

What is IVPN?

A VPN – or Virtual Private Network – is a service that creates an encrypted tunnel between your device – be it a phone, computer, or router – and the VPN server. From there, your traffic continues on to your desired destination – such as TheNewOil.org – like normal. IVPN is a service headquartered in Gibraltar, a mostly-autonomous British territory. IVPN offers two plans, Standard and Pro. Both plans offer all protocols (WireGuard, OpenVPN, PPTP, and IPSec IKEv2) and the anti-tracker no-logs DNS service. The Standard Plan covers 2 devices while Pro covers 7 and includes port forwarding and multi-hop servers.

Why Do You Need a VPN?

You may not, to be honest. (Interestingly, IVPN openly shares this opinion. Check out their site “Do I Need a VPN?” here). A lot of people really hype VPNs as one of those absolutely, must-have, life-changing things that will solve all your problems. In all honesty, while I do believe that VPNs are an essential piece of your privacy strategy, there are many other free or low-cost strategies that will give you significantly more protection. A VPN these days pretty much only has two purposes: changing your IP address and protecting your traffic from local snoops. Changing your IP address is a valuable part of avoiding tracking, but it’s just one way and a VPN won’t protect you against those others like browser fingerprinting, tracking pixels, cookies, and more. Likewise, while it can be great to protect your traffic from your Internet Service Provider or a local cybercriminal, from a security perspective you’re already pretty well covered so long as you enable your browser’s HTTPS-Only mode and make sure you’re using the correct sites and not spoofed sites. Having said all that, I do still consider a VPN to be a critical part of your privacy and security posture. It can bypass censorship, stop your ISP from selling your browsing data, help obscure your IP address from tracking and logging, and protect your traffic from local attackers.

Why Not Tor?

Some people prefer Tor over VPNs. Tor is definitely right in certain situations, but not all of them. For one, many essential services – like banks – block known Tor IP addresses to prevent fraud and abuse, making using those services nearly impossible. Second, Tor loses almost – if not – all of its anonymity once you log in to something. If you log in to your email and then your Reddit account in the same session, they’re now tied together and you’ve lost your anonymity benefit. For this reason, I recommend reputable VPNs for any services that are tied to your real identity or sensitive, and Tor for random searches or accounts that are not tied to your real identity.

The Good

IVPN has some really impressive positive aspects. For one, they are committed to ethical marketing. Their site talks about how they don’t believe in paying for reviews or unethical ads, their commitment to transparency, and as I linked above they even have a website that aims to dispel many of the myths surrounding VPNs and what they can and can’t do – even if it costs them potential customers. They’d rather lose an educated customer who knows that IVPN won’t solve their problems than dupe a paying customer who won’t get the protection they really need.

IVPN’s security is also top notch. We have covered numerous stories on Surveillance Report about vulnerabilities in widespread VPN protocols or infrastructure, and nearly every one has noted “IVPN is not vulnerable to this,” usually because they patched their systems months ago or have some other mitigation in place that just so happens to protect against the vulnerability in question. (Of course, IVPN is not the only one immune to these bugs, but out of the three we endorse on The New Oil they’re the only one that is consistently ahead of the curve.) I was also pleased to see that WireGuard was their default protocol. WireGuard is a recently-developed VPN protocol that’s considered to be faster and lighter, and because the code is so small it’s more easily auditable, which hopefully in the long run will mean fewer vulnerabilities. Though of course, the other protocols listed above are still available for those who want something a bit more time-tested or have a different need.

The information required at signup is none. Seriously. You can click “generate an IVPN account” on their homepage and it just does. They also accept Monero directly without a third-party exchange being involved, which means that if done right, IVPN is easily 100% anonymous. Of course, you can add an email if you feel so inclined, and you can pay with a card (including a privacy.com card), but at no point do they require any of this from you. It’s totally voluntary.

Finally, their country of origin – Gibraltar – offers some redeeming aspects. Gibraltar is legally a UK territory, but they are given a long leash by the government and operate mostly as an autonomous region. This turned out to be a good thing when post-Brexit, Gibraltar decided to legally adopt GDPR for themselves. From what I understand, it was largely untouched except for a few legal definitions to clarify that it was being applied to Gibraltar.

A few other neat things I noticed in my time testing them out:

  • IVPN offers single week, single month, single year, and multi-year plans. This is fantastic for people who want to try it out for a short period of time before committing. They also offer a 30-day money-back guarantee, so really there’s no risk at all.
  • They offer the ability to pause your connection for a pre-determined amount of time. This is great if you need to turn it off to watch a movie or something like that so you don’t have to remember to turn it back on. (Not available on iOS, sadly.)
  • They do annual security audits.
  • They offer split-tunneling.
  • They offer “trusted Wi-Fi networks.” Say for example that you’re like me and you have a VPN on your home Wi-Fi. You can mark your home network as “trusted” so that when you get home and connect, IVPN will automatically turn off so as not to be redundant. Then, once you disconnect, it pops right back on.
  • Lastly, hardcore mode. This mode will block ALL the Big Tech companies, including their back infrastructures – like AWS or Azure. It’s not really feasible for most people, but it could be fun to do for a day or a few hours. It’ll really open your eyes to how deep Big Tech has their tendrils in your daily life.

The Bad

IVPN does have a few drawbacks, but they’re very few and far between. The most noticeable one, in my opinion, is the low server selection. They offer only 77 servers in 31 countries. I personally didn’t find this to be an issue at all, but when going up against other providers who offer hundreds of servers in well over fifty countries, it's a bit surprising. IVPN also makes no promises of working on streaming services, and I can confirm this. One time, I put IVPN on pause for 3 hours while Henry and I recorded Surveillance Report. After we were done, I moved on and started watching a movie on HBO Max. After about an hour, HBO Max suddenly brought me to an error page. After a moment of frustrated confusion, I realized IVPN had turned back on and HBO Max had stopped buffering. Oops. Ultimately I’m still glad it came back on without me having to remember. I've also had a few issues sometimes with Spotify not loading, but usually this was as simple as turning the VPN off and back on. Finally, as a Qubes user, I was disappointed to see they offered no Qubes support, especially since they place such a high emphasis on security.

Now let’s talk about the speed test. A lot of people have come to expect blazing fast internet these days, and unfortunately I have found a noticeable – though personally minimal – decline in speed with IVPN. Using Speedtest.net, without the IVPN app even running, I was connected to Kapper.net in Vienna (I suspect this means that IVPN made some permanent changes to my DNS; you’ll see why in a second). My ping was 135 ms, download speed was 281.09 Mbps, and upload speed was 21.90 Mbps. (Once again: dear ISP, if you’re reading this, I’m paying you for gigabit.) I then opened the IVPN app, which had previously been completely closed out, and connected to the fastest server (which for some reason is in Vienna despite me being in Arizona). Running the test again, I was still connected to Kapper.net but my new speeds were a ping of 172 ms, a download speed of 45.62 Mbps, and an upload speed of 16.84 Mbps. Yikes. Having said that, I’m not an online gamer or streamer, so these speeds are not critical to me. Everything loaded in a reasonable time, from videos to web pages and apps. It was noticeable compared to my usual VPN, but it was certainly nothing debilitating that I couldn’t get used to and live with. Then again, I know some people expect their pages to load completely in less than a second from initial click to “finished loading.” If you’re one of these people who has not yet learned the art of patience, this may not be the VPN for you.

Perhaps the biggest drawback lies in their home country. As I said before, Gibraltar operates largely autonomously and did go out of their way to legally apply GDPR to themselves after Brexit. However, they are still a UK territory. Hong Kong used to be mostly independent, too, until they weren’t. At the time of this writing, the UK is conducting a massive surge in anti-encryption rhetoric, with the government paying over a half-million pounds to a powerful marketing firm to launch a smear campaign against encryption and turn public opinion against it. The reason we list a country of origin as a pro or con based on their Eyes affiliation is because it sets a tone. If a country is part of the Eyes, it shows that they have a lower regard for the privacy of their citizens and they are willing to share data and violate privacy. Likewise, while Gibraltar may value privacy, they belong to a country that clearly does not, and if the UK decides to impose its anti-privacy stance on Gibraltar, this could be very damaging to IVPN. Keep in mind: this is pure speculation. There is no evidence at this time that the UK is pressuring Gibraltar or IVPN, or of what forms that kind of pressure might take if it did come to pass. I also have zero doubt that Gibraltar and IVPN would push back against these unethical requests. However, at the end of the day, they fall under UK jurisdiction, and if they lose these battles, it could be a problem. Again, I cannot stress enough that this is purely a “what if” scenario, but given the UK’s open and outright hostility against privacy, it’s worth having this concern on your radar.

Conclusion

My last couple of weeks of using IVPN have been pretty pleasant. There were some roadblocks to overcome as I made the switch from my usual provider – probably mostly just because of that human urge to resist change. I will be keeping Proton on the router for the sake of using streaming services, but overall my IVPN experience was great. Signup was shockingly smooth, apps were easy to find and install, and settings were explained well and straightforward. If you’re looking for a streaming-friendly VPN, Proton is probably the way to go. But if you’re not a big streamer and you want maximum security, IVPN is probably the best out there.

You can learn more and sign up for IVPN here. No affiliate link.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Guest blog post by our moderator Uncover

Streaming services. Many of us love them, though sometimes we get frustrated with them (I’m looking at you, Hulu ads). Regardless of your personal feelings towards a specific platform, they have become a staple in many of our daily lives. For all the laughter and joy we get from them, the tracking and data collection – while varied – can create an accurate portrayal of a consumer’s likes and dislikes. With that in mind, here are some easy “in-house” methods on each of the top 10 platforms (by subscriber count) to somewhat limit the amount of tracking that takes place. All of these instructions are done from a desktop web browser, as this typically gives you the most control over your account settings.

Netflix

I consider Netflix to be one of the more mild streaming services in terms of the amount of collected data. Unfortunately there’s no real ability to opt out of data collection, but you can remove your viewing history, which will also prevent the algorithms from learning. You’ll have to repeat this process periodically, as you cannot tell Netflix not to save your viewing history.

  1. Visit Netflix.com and sign in to your account.
  2. Choose your profile, hover over the profile icon in the upper-right corner, and scroll down to Account.
  3. Scroll down to Profile and Parental Controls, and click your profile picture.
  4. Click Viewing Activity.
  5. Click the circle icon on the right of each entry to remove it from your watch history. To remove your entire watch history, scroll down and click hide all.
  6. Repeat the process for each profile on your account.

Amazon Prime Video

Amazon tracks all your activity by default (on any and all platforms they can get their hands on). It saves all searches, things viewed recently, shows and movies watched, and categories you looked through. In my opinion they are one of the worst for tracking (here and everywhere else they can). This data helps Amazon create targeted ads. That’s why you’ll see products and suggestions similar to what you’ve watched or looked up. Here’s how to help limit Amazon from tracking your browsing activity:

  1. Visit PrimeVideo.com and sign into your account.
  2. Hover over Accounts & Lists in the top right corner and select Browsing History from the menu.
  3. Click the Manage history drop-down arrow.
  4. Toggle Turn Browsing History on/off to the Off position.

You can also disable personalized ads to stop your data from being used for advertising.

  1. Hover over Accounts & Lists and click Account.
  2. Under Communication and content, click on Advertising preferences.
  3. Choose Do not show me interest-based ads provided by Amazon and click Submit.

Crunchyroll

Crunchyroll is a bit of a niche streaming service focusing exclusively on anime, but according to our source this freemium service ranks #3 in terms of subscriber numbers.

  1. Go to Crunchyroll.com and log in.
  2. Once signed in, you may be on the video-watching platform, which has limited options. If so, navigate to crunchyroll.com/editprofile/?tab=basic.
  3. Empty out your profile of as much information as possible, or – if that’s not an option – fill it with false information.
  4. Under Privacy Settings, toggle Online Status to Offline and check Achievement Privacy so that Achievements are private and visible only to you.
  5. Under Social Integrations, I recommend unlinking your Twitter if it is already linked.
  6. Check My Devices and ensure there are no old or unfamiliar devices authorized. If there are any devices you do not recognize, deactivate them.

Hulu

Ah Hulu, the wannabe underdog of streaming. The service that will always be in the “friend zone” of streaming giants. Out of the box it collects quite a bit of data but gives some options to disable some of the data collection.

  1. Visit Hulu.com and sign into your account.
  2. Hover over your profile picture in the top right corner and select Account.
  3. On the right side, under Privacy And Settings, select Manage Nielsen Measurement and click OPT OUT.
  4. Next, select California Privacy Rights.
  5. Under Manage Activity, click Watch History and Clear Selected. Like Netflix, this will affect your algorithm but you will regain some privacy.
  6. On the same page, under Right to Opt Out, click Change Status.
  7. Click OPT OUT.

Apple TV+

Apple TV is another relatively privacy-friendly option. While Apple does collect some data, they get a lot of points from most experts because they don’t use that data to create advertising profiles or sell ad space. However, as privacy advocates, we’re typically not fans of any unnecessary data collection at all, and in that sense Apple does collect more data than they probably need.

  1. Log in to tv.apple.com.
  2. Click on your profile picture in the top right corner and select Settings.
  3. Under Account Access select Sign Out of All Browser.
  4. Under Play History select Clear Play History. This will likely remove your algorithmic recommendations, just as with Hulu and Netflix.

You can ask Apple more questions about your data here.

Honorable Mention: YouTube

While not a “streaming service” in the same sense as the above services, YouTube remains one of the most popular platforms for content on the planet. YouTube is owned by Google (yuck), who uses your search history, browser history (if you use Chrome), and more to build a detailed ad profile about you. This personalizes the ads, recommendations, and even search results you see. With Google having one of the furthest reaching hands in the internet, they are able to pull your info from all over the web and your viewing data is just one more juicy morsel to them. If you want to help clear out what YouTube knows about you, you have to visit your Google Account.

First, let’s check the search and activity page.

  1. Log in at myactivity.google.com.
  2. You will see check marks next to Web & App Activity, Location History, and YouTube History. Click each one to change your settings. You can toggle each of them off to stop Google from tracking you.
  3. On the menu that appears in the left sidebar, click on Delete activity by. Choose how far back you would like to delete your history in the pop-up menu (I highly recommend the longest option available). Then click Delete to confirm your changes.

Next, let’s turn off personalized ads. This is how Google serves you ads based on your activity and history.

  1. On the menu on the left, click Google Account then select Privacy & personalization.
  2. Scroll down until you see Ad settings.
  3. Select Ad personalization and turn it off.

You may have noticed that we said “top 10 streaming services” at the beginning, but didn’t list 10. That’s because five of them – Disney+, Peacock, HBO Max, Discovery+, and ESPN+ – didn’t offer any privacy settings whatsoever except one. All of these services offered a “Do not sell my data” option that was relatively obscured. A few other services did, too. Here, we’ve included a direct link to this option for each service, including any additional advertising opt-out links.

* Crunchyroll: Interest-based advertising
* Disney+: Interest-based advertising (requires 3rd-party cookies)
* Peacock
* HBO Max
* Discovery+: Interest-based advertising
* ESPN+: Nielsen Measurements, Interest-based Advertising

Wrapping Up

These are the “big dogs” of the streaming entertainment scene. Use this knowledge and apply it to other streaming services you use that we haven’t listed. Your mileage may vary, and with some services you may have no success at all (some sites don’t offer any clear options).

As a final note, here are a few universal tips for protecting your privacy while streaming, regardless of the service. First is watching in a browser on your computer whenever possible. In a “desktop” environment you can use firewalls, ad blockers (like uBlock Origin) and other browser hardening tricks to take it a step further. This is especially useful for the services that don’t offer any privacy controls. (Editor’s note: uBlock Origin blocks Hulu ads. 10/10 recommend.)

The next tip is to set your browser to clear all cookies on exit. This will sign you out of everything, which some people may find incredibly inconvenient. You can allowlist (or whitelist) certain sites to keep their cookies, but this may defeat the purpose from a tracking perspective so I recommend clearing all cookies if you’re willing to put up with the mild inconvenience of signing back in each day. Even if you do allowlist certain sites, that's still an improvement though, so definitely look into this option on your browser.

A final more advanced tip is to use a VPN. Not all VPNs work with streaming services. ProtonVPN, one of the few we recommend, proudly advertises that they are streaming-service friendly, and their DNS comes with an ad, tracker, and malware blocker that will help reduce (but not eliminate) more ads and tracking from each of these services. (Here’s an affiliate link if you want to get ProtonVPN and support us at the same time, but don't feel obligated.) You can also add this to your router (if your router supports VPNs) to protect all the devices on your network, like Smart TVs and game consoles.

I hope this was helpful and can provide some insight in an area not typically discussed in the privacy/security community. Stay private and stay safe.

-Uncover

(Proofreading and additions added by Nate B)


“What a year.” My annual catchphrase. I always say that this project has exploded in ways I never expected, and that never stops being true. So where are we now?

Looking Back: What Worked (And Didn't)

According to last year’s blog post, my main goal for 2021 was to “continue to grow.” Kind of a crappy goal, but technically a success. I’ll get numbers in a moment. I also stated a goal to add a new podcast series. That ended up being much more work than I expected. The good news is, the writing is now done for Season 1 and production was SUPPOSED to be this month. Instead it is now being pushed to January with a goal to release in Spring 2022. (Hopefully I can start pushing out episodes sometime between late March and early May, depending on how my schedule allows). I mentioned my goals to add videos and in-depth blog posts. I didn’t do the in-depth blog posts, but I did start making video content on YouTube, Odysee, and PeerTube. Video production is a lot of work, but I’m thankful for the warm reception I’ve gotten. Thank you to everyone who subscribes, watches, comments, etc.

Next I mentioned plans to start consulting, which I did (you can view the submission form here) and I mentioned plans to speak more in the real world. I did do one livestream round table, but that was about it. C’est la vie.

The next goal I mentioned was plans to ethically monetize. In addition to tons of donation methods, we also added affiliate links (with non-affiliate links, all transparently marked, as promised) and even added sponsorships and had our first sponsor, IVPN! I’m pretty excited. I’m a big fan of IVPN. I love their commitment to ethics and transparency and the fact that every time we cover a VPN story, it almost always turns out that IVPN has already fixed the issue or never had it in the first place because of their security. Great company. I’m hoping to partner with more amazing companies like them in the future to keep growing and bringing more and better content. Of course, I also want to make sure we’re doing this in an ethical way, so you can check out our rules for sponsorships here.

I mentioned translating the site. This is still on the to-do list, and every time I start we do major changes and make it so I have to start over. Ugh. Oh well. I’m hoping to have the Spanish site up in early 2022, maybe end of January if I’m lucky. I’ve even had one amazing Spanish-speaking reader offer to help translate the blog post. You can check that out here and donate some Monero directly to them to thank them for their time.

Thankfully, I don’t see a lot of “what didn’t work” stuff. I met most of my goals, and the ones I didn’t meet weren’t really hard goals anyways. I think I’ll skip that section this year, but just know that technically there were a few “it’d be nice” goals that I didn’t quite hit. I already mentioned them above.

Growth

Alright, let’s get to the exciting numbers: how did I grow? According to last year’s post, I had over 650 Mastodon followers at the start of the year. The blog had 16 Fediverse followers, 15 email subscribers, 21,000 views, and the podcast had 50 listeners and 2,000 total listens. The site itself peaked at just under 5,000 unique visitors in December. Prepare to have those numbers blown out of the water.

My Mastodon account now boasts over 1800 followers. I also started a Twitter account – mostly to schedule posts in Mastodon easier (for some reason my instance’s scheduler doesn’t work) – and that has grown from 0 to over 1100 followers. It’s also proven to be a great way to reach new people.

The English blog (which you are reading) now has 25 Fediverse followers and 36 email subscribers. (Hey email subscribers, did you know you can reply to this post and message me directly? Neat!) Total stats are hard to get with write.as because of the way they prioritize privacy-respecting analytics, but I think the lifetime reads are more than 34,000. I get over 500 monthly visitors and about 1,000 monthly reads.

The site stayed relatively steady all year. Most months were at least 5,000 unique monthly visitors ranging up to 6,500 on average, though if I’m reading the numbers right I was just shy of 7,400 in October. Wow! Altogether, we had over 72,000 unique visitors throughout 2021. Many of you may have also noticed we moved from .xyz to .org. This is because many readers were reporting that .xyz is flagged by a number of security organizations as a spam domain. We thought that moving to .org might look more professional and also reduce the number of issues readers were having.

Oh, and the weekly podcast! How could I forget? Well, early in 2021 I retired my own podcast to join forces with Henry of Techlore. You see, Henry was already making a weekly current-events podcast very similar to mine called Surveillance Report. Unlike mine, however, Surveillance Report was very hit-or-miss in terms of consistent, weekly releases. So I reached out to Henry with the idea that maybe I could come on board and help bring some consistency to Surveillance Report. With my consistency and his audience, I thought we could have a real impact there, and I guess I was right. Since I’ve joined, we’ve put out an episode almost every single week and the podcast has grown to have over 10,000 views on YouTube alone each week! You can listen to SR on all the major podcast outlets (Spotify, Apple, etc.) as well as RSS and YouTube, Odysee, and PeerTube.

In previous years I haven’t noted community stats. This year, at the time of writing, we have over 400 members in our primary Matrix room and two moderators, one of whom has become a very eager advisor and has been a person that has helped me bounce ideas and get feedback on plans. So the internal team is starting to grow. TNO is no longer 100% just me, though I remain the captain at the helm.

Financial Transparency

This year was also wildly successful new territory for The New Oil financially. We raised the following funds:

We raised $351.30 in cryptocurrency. This money was never cashed out into fiat currency. Thus, according to US tax code, the value of these donations for tax purposes is calculated based on the value at the time of donation, which I calculated according to Yahoo Finance.

We made $1963.07 in USD. $213.28 came from sponsorships, and $1015.96 came from Techlore for my work on Surveillance Report. For the record, I never demanded any money from Henry. He willingly donates to The New Oil in recognition of the work I put in. We both contribute articles and notes, and we both take turns editing the videos each week. The amount he donates is an attempt to share any potential revenue generated from Surveillance Report. I'm not sure if this counts as a donation, sponsorship, or something else, so I thought it might be best to disclose it separately from the other categories. The remaining money ($733.83) came from either donations or consulting. For the sake of preserving privacy, I won’t give a breakdown of how much came from where. (I suspect that technically stating consultation earnings – even in bulk and without any further details – can give one insight into how many clients I had or how many sessions I had with each client.)

Expenses were as follows:

* Write.As Pro (for the blog): $45
* Web hosting & domain name (.xyz, main site): $43.95
* Web hosting (PeerTube): $92.44
* ProtonMail/VPN Plus: $30.60

Total: $211.99
Remaining: $2102.38

The Proton number is derived based on rough, low estimates of how much time I spend working on The New Oil.

A few miscellaneous donations and compensations include a Brave Heart Edition Pinephone (valued at $199.99, I think) and the .org TLD, which I will pay for moving forward using TNO funds. I also purchased a computer off an associate for $500. Given the specs on the device, this was a steal for me. I’m not sure if I should include this device – at least partially – in business expenses. While I do some leisure stuff on it, like watch streaming services and play video games, I spend the vast majority of my time working on The New Oil: filming and editing videos, collecting and posting articles, writing blog posts, etc.

The leftover $2102.38 seems like a huge number at first. Admittedly, it feels like a big number to me and I wish I had tracked it better so I could’ve better allocated it to things I want/need for The New Oil – like some of the expenses I discuss next. However, in terms of money I pocketed, know that the living wage for my area is about $47,000 a year. Assuming I worked on The New Oil part time (20 hours a week) for the whole year, that means I made $2.02/hr. When you put it like that, I think it’s fair to say that while I could’ve and should’ve spent the money better, pocketing it doesn’t exactly count as an abuse of funds. (Though, for those interested, my rent is about 33% below market average for my area, I drive a decade-old non-luxury sedan, and I buy off-brand food at the local grocery store, so I’m pretty frugal. It’s not like I’m out here living in a condo downtown driving a luxury car.)

Goals for 2022

Most of 2022 will be spent staying the course and delivering on the promises mentioned above, like the new podcast series and translating the site. As I said, I hope to have both of those at least started by spring. I’m also hoping to continue to grow financially – but ethically – so I can continue to devote time to this project. I actually took some paid time off work during the holidays, mostly to burn some PTO but also to use that time to catch up on TNO stuff that I had fallen critically behind on. The last week and a half has been absolutely wonderful. Normally I’d wake up at 5-6 am (depending on the day) to an alarm, go to work where of course my day job expects me to do work for them and not my own stuff, and then have to cram in all the TNO stuff in a few hours at the end of the day when I’m already mentally exhausted – trying to be creative, make decisions, and then hoping I have enough time and energy after that to shower, meal prep, and spend time with the partner. This past week, I woke up on my own time with no alarm, cooked a warm breakfast each morning, worked on TNO all day, ran errands as needed, and at the end of the day I can actually close the computer and spend time with my partner. Not to air my dirty laundry or tell a sob story, but my partner and I have actually had conflict in the past multiple times over how much time I spend working on TNO and not spending time with her (and she’s not wrong, for the record. Some nights I go straight to bed and barely acknowledge her at all. I’ve been trying my best to better manage my time). This past week has been zero conflict because I can actually set daily goals, finish them, and then “clock out” and spend time relaxing with her. All that to say: please, please, please donate if you can. This is the dream and while I love my industry I am absolutely dreading going back to work Monday. Having had a taste of working on The New Oil full time, I absolutely would love to do that. 
So TL;DR: one of my goals for 2022 is continue monetizing so I can eventually move down to part time – or even contract or quitting my day job entirely – so I can do TNO full time.

[Note for those rereading: this goal has been removed out of an abundance of caution, however I will still be announcing it upon completion.]

There are two other brand new goals I have for 2022. One is delving into TikTok. I know, I know, it’s literally the worst, but multiple people have suggested trying it to reach the people who need this stuff most, and my partner is constantly showing me videos of people who are surprised by data abuses of all kinds so clearly there’s a need for someone to explain how it works. As such, I’m gonna try it and see if it helps anyone. If people find it helpful and I can get just a few more people to take their privacy seriously, then I’ll call that a win. (This will not be a major focus for me. Videos will not be high-production value and I will not be posting them on a regular schedule, rather only when I have time and something to say.)

The other major goal will be a merch store. I will likely use BigCartel – at least at first as a test run – though I will also have other channels for those who wish to use cryptocurrency or don’t want to trust BigCartel (I think some of their themes use Google fonts). This will start small – stickers, maybe a few shirt designs but at least one – and if it proves successful I’ll keep it going and look into more privacy-respecting store options. This will be something that will be a bit of an up-front startup cost as in order to be as privacy-preserving as possible, I’ll need to order the merch in bulk up front then sell it myself, unlike some other sites where the merch is made on-demand when you order it. (This will also mean lower prices for you.)

Oh, one last small goal for 2022: I plan to buy a shotgun microphone soon so that I can record high-quality audio for videos but keep the mic out of frame. That’s gonna be cool.

Wrap Up

I always laugh at small, unsigned bands when they break up, not because I enjoy their failure but because they always say something like “this project went further than we ever could’ve imagined.” Please. We all know you had dreams of stadium shows, European tours, and being the next Metallica. Quit lying. But imagination and expectation are two different things. The New Oil is not my first business venture, but it is by far my most successful. While I can imagine some pretty lofty dreams – public speaking, TV appearances, conferences, if we’re being honest – I’ve done enough rodeos that I knew what to expect realistically: a handful of regular readers, a few hundred hits per month, and maybe $20/month in donations if I’m lucky. And then this happened. The New Oil continued to grow and grow. I’m so thankful for every single one of you who has made this grow. Believe it or not, you guys challenge and educate me, too. Every person who writes in to say “hey you were incorrect about this, here’s how it really works,” or every person that says “what do you think of this?” and makes me go learn about something new, you all help to make me smarter and better informed. It’s amazing hearing people’s ideas, strategies, opinions, and feedback on various tools, tricks, and tips. It makes us all better in the long run.

Thank you for being part of The New Oil. Here’s to bigger and better heights in 2022.


According to The Atlantic, there are an estimated 526,000,000 kids under 14 who celebrate Christmas and therefore receive presents around the world. Logically, if we expand that number to include adults who receive presents on or around December 25 – regardless of religion – that number rises exponentially. While traditions (and even exact dates) vary around the world, gift giving around the Christmas season seems to have become a pretty common global phenomenon. Therefore, if you’re reading this blog post, it’s highly likely that you yourself got some gifts recently. So this week, I want to share some tips for any electronic gifts you may have received.

1. Be Mindful of Your Trash

First and foremost, let’s talk about a bit of practical advice: the leftover trash. If anything can be recycled, please do. (Don’t bother with plastics.) If anything can be re-used – like gift bags or boxes – I encourage you to stash them away for next year. (Maybe make note of who gave the bag to you so you don’t look cheap by regifting them the same bag next year.) But for big, expensive items, don’t put the boxes and bags on the street corner for trash pickup. Things like TV boxes, for example. There’s an urban legend – even acknowledged by the police – that thieves look for such items to help pick which house to target next. If you’ve got a bunch of boxes for new computers, Alexas, and Smart TVs out front, you’re basically waving a big flag inviting someone to rob you. While Snopes argues that there’s no evidence that this has ever happened, why take the risk? I strongly encourage you to break down your trash and make it less obvious.

2. Internet Connected Devices

Whatever gifts you got this year, I’m willing to bet that at least one item has internet connectivity. Maybe it’s the new Smart TV or a toy for your kids. It seems like every few years people just latch onto some trendy buzzword and then everything has to have that thing shoved into it regardless of whether it actually needs it or not: apps, blockchain, internet connectivity, etc. Many, many toys and items these days come with internet connectivity and apps, even if they have no reason to. (I once heard an ethical hacker say he got access to a target by exploiting the coffee pot, which was – of course – running an admin account on the company WiFi.) So the first question you should ask yourself before rushing to connect that [insert item here that obviously doesn’t need an internet connection] to the internet is “does it actually need it?” Sure, your smart TV can connect to the internet, but do you even use streaming services? If you’re not a streamer, leave it offline. Your kid’s toys 100% do not need to be connected to the internet (with a few exceptions, like tablets). If it doesn’t actually need internet, don’t connect it in the first place. (Note: some devices unfortunately will connect to any open WiFi whether you approve it or not, so first make sure your device isn’t already attempting to do so. If you have a device that does this, I encourage you to connect it to your own network and follow the rest of the tips in this post to prevent someone else from connecting to and abusing your device.)

Side Note: Why Does It Matter?

You may be wondering “why would anyone even bother connecting to my device in the first place?” First off, if a criminal accesses one device in your home, they’ll frequently be able to use that to access other devices. Think of it like your physical home: if you get through the front door, you can usually use that access to easily walk into other rooms of the house unimpeded. Just like your physical home, once a criminal has access to one unimportant device – say your Smart TV – they can pivot into other devices that do hold sensitive information, like your computer where you check your bank account or your smart phone that has sensitive photos.

“But I’m not even doing anything interesting,” you might say. “Why would they bother hacking my smart TV in the first place?” Maybe you’re not. But the internet has made the criminal’s investment in attacking you negligible. Continuing with the physical home example, unlike your physical home the internet connects all parts of the world instantaneously. In the physical space, you only have to worry about nearby threats – in other words, the world’s best lockpicker isn’t going to fly in from Australia or Spain to come pick your lock (credit to Bruce Schneier for this analogy). You’re just not worth it. But in the digital space, that flight takes about two seconds and absolutely no cost. Suddenly it does become worth it just to give it a quick try. So while you may not be a famous celebrity or a business tycoon, attempting to hack you is pretty much the same as trying the doorknob of every door you pass while walking by. It’s not hard, it takes very little time or effort, so why not? (And unlike trying every door you walk past IRL, an attacker is highly unlikely to be noticed and flagged by the Neighborhood Watch.) In fact, most attacks these days are automated, so “hacking you” isn’t even something that a criminal does in the sense you’re thinking of. Most criminals “hack you” while they’re busy making a sandwich, sleeping, or watching Netflix. Their machine does 90% of the work automatically – sometimes even trying out different username/password combos. The attacker just checks the reports every so often to see what was found and what they have to work with.

So what do they do when they get in? It depends. The vast majority of these automated accesses result in planting malware on your device, usually for use in a DDoS attack (the ones where millions of devices ping a website at the same time and cause it to go down) or for mining cryptocurrency. These typically result in slower devices and network speeds for you, so even if you don’t care about the ethics or legality of these abuses you still suffer negative impacts from them. More advanced malware may attempt to intercept the traffic on your network or place malware on other devices and look for additional data and credentials, like your bank login or sensitive communications. Then they can blackmail you, drain your bank account, or do any number of malicious things.

Now that we’ve had this talk, let’s get back to the advice.

3. Default Credentials

Right now, there’s an epidemic of exposed devices online. How are they exposed? Is it through malicious software? Open ports? Outdated firmware? Well yes, but there’s another reason that’s far more prevalent than any of those: default login credentials. You see, a lot of people get a new device and just plug it in, get it going, and call it good. Little do they know that a quick Google search for “[make and model number] default login” can often turn up the factory-preset credentials. And most routers, for example, will show you the exact make and model number on the login page. In other words: as I mentioned earlier, criminals have bots that automatically scan every IP address and port number they can think of to check for any hits. Once they get a hit, they can easily see the make/model of the device and software, then they can quickly search dozens of totally free, totally legal databases for the default password, and then come back and try it. Again, this is often 100% automated, and now your device is compromised. And to think, you can prevent almost all of this just by taking five seconds to change the default password. For more information on how to pick a good password and remember it, check out this page.

4. VLANs (& VPNs)

Virtual Local Area Networks, or VLANs, are one of the most criminally underrated things available to modern consumers. Once again, using the physical house analogy, think of VLANs like shutting and locking the doors to each room. By putting different devices on different VLANs – all cell phones on one, all computers on another, all IoT devices on a third, etc – you’re effectively compartmentalizing each device. So now, let’s say that an attacker gets access to your Smart TV – which in the house example is a bedroom. In addition to the initial hassle of finding and accessing your one room, the attacker now has the additional challenge of opening each door into every other room to gain access to all of those devices and their data, too. Most mid-level and higher routers now come with the ability to set up multiple VLANs and configure them any number of ways. To give you some ideas, in my home we have a guest WiFi VLAN, our own WiFi VLAN we use for our phones, a VLAN for the Smart TV (our only IoT device), and a VLAN for the game consoles. If your router doesn’t support VLANs, a cheap alternative is to simply go buy a second router, connect it to your main router, and then put all your IoT devices on the second router. This will accomplish the same goal, and can be done for the cost of a $20 router from Target.

Note: a subnet and a VLAN are similar, but different. A VLAN is actually separated and firewalled from other VLANs on the network. So if you’re tech savvy and you simply decide to assign different subnets yourself, that may help to some extent but it’s not the same as an actual VLAN.
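To make the subnet-versus-VLAN distinction concrete, here is an added example (not code from the post) that models the home layout described above: four VLANs, each with its own subnet, a default-deny forwarding policy between them, and a small allow list. The `isolation=False` switch shows what plain subnetting buys you on its own: the router routes everything, so a compromised TV can still reach every other device. Device names, addresses and the allow list are constructed assumptions; on a real router the same policy is written as firewall rules on the forward chain.

```python
"""Model inter-VLAN isolation versus plain subnetting for a home network.

Added example (not from The New Oil). VLAN names, subnets, device addresses and
the allow list are constructed to mirror the post's layout.
"""
from ipaddress import ip_address, ip_network

# Each VLAN gets its own subnet. With isolation on, the router's forward policy is
# default-deny between VLANs; with isolation off it just routes between subnets.
VLANS = {
    "trusted": ip_network("192.168.10.0/24"),   # our phones and laptops
    "iot": ip_network("192.168.20.0/24"),       # the smart TV
    "consoles": ip_network("192.168.30.0/24"),  # game consoles
    "guest": ip_network("192.168.40.0/24"),     # guest WiFi
}

# New connections permitted across VLAN boundaries (src VLAN, dst VLAN).
# Return traffic for an established connection is implied, as a stateful
# firewall would handle it.
ALLOW_FORWARD = {
    ("trusted", "iot"),       # cast from a phone to the TV
    ("trusted", "consoles"),  # manage the consoles from a laptop
}

DEVICES = {  # constructed addresses
    "phone": ip_address("192.168.10.23"),
    "laptop": ip_address("192.168.10.41"),
    "smart-tv": ip_address("192.168.20.5"),
    "console": ip_address("192.168.30.8"),
    "guest-phone": ip_address("192.168.40.77"),
}


def vlan_of(addr):
    """Name of the VLAN whose subnet contains addr."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    raise ValueError(f"{addr} is not in any configured VLAN")


def allowed(src, dst, isolation=True):
    """True if a new connection from device src to device dst would be forwarded."""
    s, d = vlan_of(DEVICES[src]), vlan_of(DEVICES[dst])
    if s == d:
        return True   # same VLAN: switched locally, the router firewall never sees it
    if not isolation:
        return True   # subnets only: the router happily routes between them
    return (s, d) in ALLOW_FORWARD


def reachable_from(src, isolation=True):
    """Other devices a compromised `src` could open connections to."""
    return {d for d in DEVICES if d != src and allowed(src, d, isolation)}


if __name__ == "__main__":
    print("TV compromised, subnets only:", sorted(reachable_from("smart-tv", False)))
    print("TV compromised, VLAN isolation:", sorted(reachable_from("smart-tv", True)))
    print("Guest phone, VLAN isolation:", sorted(reachable_from("guest-phone", True)))
```

The allow list is deliberately one-directional: trusted devices may open connections into the IoT VLAN, but nothing in the IoT or guest VLANs can initiate a connection back. That asymmetry is the “locked door” the post describes, and it is what a subnet-only layout lacks.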

You may also wish to put all your devices on a VPN. This is an entire discussion worthy of a separate blog post, but the long story short is that a VPN only does two things: it hides your traffic from your Internet Service Provider (ISP) and gives you a different IP address. Both are valuable things that I believe are worthwhile, and I strongly encourage you to put a VPN on your router to protect your IoT devices, but just remember that VPNs – no matter where you put them – are not silver bullets that magically make you hacker- or tracker-proof.

5. Default Settings (& The Privacy Policy)

Finally, the last tip I have for you is to carefully check each setting on your new device. Many devices nowadays come with an option to disable or limit the sharing of information. While I’m skeptical that this will completely eliminate data sharing, it reduces some of it and helps make a statement that you don’t wish to be tracked. Two-factor authentication is another powerful security measure that’s become more widely available in recent years, so be sure to check your account settings for the new device and see if you can enable it. Needless to say, the exact range of options varies from device to device and company to company, but be sure to sit down, know what your options are, and tweak them for an appropriate level of privacy and security.

The last thing to do before unleashing your new device gift into the wilderness of your home is to read the privacy policy. As I write this, I suddenly realize I’ve never written a blog post about how to read a privacy policy. That’s now on my schedule and I will rectify that. In the meantime, know that there are two main sections I pay attention to: “What Data We Collect” and “How We Use That Data.” (The exact names of each section may vary, but it’s usually something along those lines.) Most privacy policies are intentionally written to be very vague to give the company more leeway and less culpability, but they will still give you a pretty good idea of what the company collects and how (e.g., “any information you willingly add to your online account such as name and email address” or “geolocation data collected from the app”). This will help you make responsible decisions about when and where the device can and should be used and any additional protections you may need to take for it.

Hopefully this post has been helpful. Hopefully you were given some gifts that actually add value to your life. Technology is a double-edged sword, and it can bring some really cool, convenient, and even life-changing or life-saving things into our lives, but it can also bring some trouble, harms, and risks, too. Be sure to do everything in your power to manage those risks and make technology serve you instead of the other way around. Happy holidays to all those who celebrate (and for those who don’t, happy Saturday).

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Did you know I started putting out video content this year? You can view it on PeerTube, Odysee, and YouTube. If you do so, you may notice that I reuploaded my Bitwarden video. That’s because, this week, I accidentally lightly doxxed myself. And I want to talk about what we can learn from it.

What Was It & Damage Control

Let’s start by answering the question I’m sure everyone’s wondering: “What got exposed?” Well, I’ll answer because there’s a lot we can learn there, too. It was my email address – including a custom domain – for my personal Bitwarden account. My response – once someone more attentive than me caught this mistake – was to pull the video, blur out the email address, and reupload it. Hence the reupload.

So What Can We Learn?

1. Mistakes can happen to anyone. This is gonna sound a little narcissistic but bear with me: The New Oil’s success has made me a bit of an authority. While I try to be very open about the limits of my expertise, that doesn’t stop people from constantly contacting me to ask my opinion on a variety of privacy- and security-related topics. That’s fine, I enjoy sharing what I know, but the point is that nobody is immune to mistakes. Even being an “expert” or “authority” in this space does not make me immune to slip-ups. I’ve said it a million times and I’ll continue saying it: nothing is unhackable. No matter how much you’ve done, you will still have weaknesses, and sometimes that weakness is yourself. Always be vigilant, always look for ways to improve. (But be careful not to get paranoid and carried away.) On that topic:

2. Risk management. When this leak was pointed out to me, I wasn’t scared. I was more upset at myself for missing it in editing. That’s because the information that was leaked was very non-essential. It’s a personal email address, but it wasn’t a password, and my account is protected behind two-factor authentication. Furthermore, I don’t keep any essential passwords in Bitwarden. I mainly use it to share passwords with my partner – like the Netflix password or grocery list – and sync passwords to Windows for my audio stuff. I don’t have any banking passwords, sensitive account passwords, or anything like that. I’ve managed the risk: when I’m on Windows (which I am every time I produce a video), there’s very little sensitive information to expose. That’s by design. Risk management. Finally:

3. Nondescript usernames and domain names. The main reason this leak wasn’t a big deal, though, and one of the biggest takeaways I want to discuss, is the nondescript nature of it. I’m a big fan of purchasing your real name as a domain to plant your flag, but I’m also a big fan of not using it unless you have a reason. As such, I have another domain that I use for emails that are important to me and I don’t want to lose control of, but I also don’t necessarily want it tied to my real name.

I hope this blog has been helpful. We all make mistakes, but hopefully you can learn from mine. Be vigilant, cut yourself some slack when you fail, and try to fix it so it doesn’t happen twice. The only true failure is not learning from a failure.
