The New Oil

Practical privacy and simple cybersecurity.
TheNewOil.org

or: Interview With An “Average” Non-Privacy Person

If you follow me on Twitter or Mastodon, you likely saw over the last 6 weeks or so that I was planning to do a Valentine's Day Q&A with my partner featuring listener-submitted questions. My partner humors me about privacy stuff, and she does care a little bit (for example, she often sends me links to apps and asks me to identify any serious privacy concerns about them) but overall she's nowhere near as privacy-minded as myself. A lot of people seem to struggle with connecting with non-privacy people, and that can be especially devastating when it comes to someone you love. So while I don’t consider myself a flawless paragon of anything, I do have reason to believe that my partner and I have a very healthy, strong relationship and thus I decided it might be helpful (and fun) to have her answer reader questions so you can get a first-hand account of what goes through the head of someone who’s not a privacy enthusiast and how we make it work.

Bonus: at the last minute, my partner asked to make this a video interview, so if you prefer video content (or you’re just curious what my better half looks like), you can watch the interview on YouTube, Odysee, and PeerTube. Without further ado, let’s jump in.

Q: How do you feel about the whole “privacy” thing?

A: When you first introduced it to me, it was kind of scary to realize that all of this stuff is happening behind the scenes and I had no idea! Now it’s kind of part of my day-to-day life. I guess for other people who are also actually into privacy, like Nate, it just kind of feels like an everyday thing now.

Nate: For the record, that just reaffirms my belief that more people would care if they knew how bad it was. I firmly believe that a lot of people who say “I have nothing to hide” or “I don’t really care,” you don’t care because you don’t understand how invasive it is.

A: Especially me, remember when I got really scared, I had my privacy scare. I thought that my job was looking at my text messages and I was like “oh my god” and I think after that I started using a VPN more. But I think it was one of those things that they could only see it if you’re logged into the [company] WiFi or something? It was like “well I’m gonna start using a VPN because I don’t want to use my data so I’m still gonna be logged into the WiFi but you can’t see me.” Though I think it was just an empty threat.

Q: How much of my security posture has rubbed off on you?

A: I guess just the things that you listed: ProtonVPN and Signal. And I guess – because [Nate’s] the more technical one between us so you know what you’re looking for – I do allow you to actually get on my computer and my phone for any tracker kind of situation, with Windows and Firefox and things like that. I guess just kind of those things – Signal and ProtonVPN and whatever it is that you feel you need to do to keep me safe.

Note from Nate: I use the same stuff I recommend on this page and this page of the website to secure her computer with minimal disruption.

Q: What privacy advice did you actually end up implementing in your life?

A: Signal and ProtonVPN. Well actually, I remember you set up a ProtonMail for me, so I guess that kind of counts in a way.

Nate: Yeah, you’ve been using that a lot more.

A: Oh yeah and SimpleLogin, too, I just remembered that.

Nate: Oh yeah, you actually asked me about that one.

A: Yeah, and Privacy.com cards. So there’s a lot more than just those two things. Very little by little.

Q: What compromises have you had to make with me for privacy?

A: I feel like you’ve made more compromises than I have.

Nate: I mean that is… yeah, that’s true. I’ll be honest.

A: The reason why I say that is because – for anybody who is watching this who is a privacy person and they’re kind of wanting their partner to also be very privacy-centric, it is kind of that whole “trying to compromise” thing but you also have to let your partner be their own person. Definitely one of the biggest compromises, I think, is definitely TikTok.

Nate: Do we compromise on that?

A: In a way, because I guess to me you could always be worse and not want me to have that ever and be mean about it. I feel like if you had more of your way, you just would not let me have that app at all. Again, I just feel like you compromise more. If it wasn’t for me, we wouldn’t have a Roku TV. Compromises have mostly been on your side rather than mine.

Q: What privacy measures that I take do you find the most annoying?

A: This probably would fall more under the compromise one: I really, really loved using Google Assistant on my Android and that’s kind of a compromise for me that I took is I don’t really do that anymore but I really loved Google Assistant in the sense of some of the funny things that she would say. The biggest thing: the f’ing VPN on the damn internet. It was just one of those things for me – especially when we first got the router – you were messing with it so much-

Nate: That I can understand.

A: Mostly because I would be on an off day and I just wanted to do whatever on the computer or the phone or whatever and I could not do it because there was no f’ing internet and I was trying not to just scream at you like “please, just stop! Let me have my day off! You can do this tomorrow, I don’t care! I’ll be at work tomorrow!”

Nate: That was a lesson I did have to learn was to wait until you weren’t having a day off.

A: If any of y’all ever get a DD-WRT router, please make sure that anybody in your household who also uses the internet: don’t torment them with this because it was a very difficult setup, it was really hard for me – it was that and, I guess I’m irritated about the VPN because of so many issues we’ve had with it. Really I think it’s just those two. Granted, I kind of would’ve liked a Google Home, but that’s a dream that’s dead.

Note from Nate: I am not as tech-savvy as a lot of my readers (or as some of you think I am). A DD-WRT router is not terribly difficult, but for me this was uncharted territory. I have never set up anything on a router prior to this besides the DNS, the WiFi name, and the password. When I got the DD-WRT device, I flashed it (which was remarkably simple), then I set up VLANs, VPNs only on certain ports and WiFi networks, port-forwarding for self-hosted networks, etc. Depending on your skill level and experience, this may or may not be difficult. There was a lot of trial and error for me, but if you have experience with networking you’re unlikely to encounter the same level of difficulty I did.

Q: Where do you draw the line between privacy and convenience?

A: That’s a great question because I don’t know because I don’t think that line has been crossed. I guess in a way that’s kind of already been answered with the whole internet thing. There’s not really anything you have done that has completely impacted my life severely where I’m just like mad mad. I mean, there’s small inconveniences but those are usually fixed.

Q: What do you think about Linux phones?

A: I don’t have an opinion because I’ve never messed with it. I don’t know if I would like it mostly because I don’t have any experience with Linux as a whole.

Nate: I can say from my experience that the Pinephone is not ready for the average user but in terms of a “linux-like” experience it really depends which one you go with because Ubuntu Touch, for example, you can’t use the terminal. It’s actually so locked down it is not designed to work that way. You have to use all the graphic interface stuff like the app store and stuff. So something like that, once it’s a little more polished, I think would be – assuming it had all the same apps and everything – it would be virtually indistinguishable from an Android or an iPhone, it would just be another option. Then there’s other ones like Mobian that are very heavy on the terminal and that’s a much more traditional “linux-like” experience. At least, in my experience.

A: If the day comes when it does become more user-friendly – that I don’t have to use the terminal or something to update all of this stuff and it just kind of updates automatically or at least tells me that it needs an update – if it’s something more like that…

Note from Nate: We got off topic here talking about how Android alerts users to updates, but I think the implication is that she’d be willing to try a Linux phone under these conditions.

Q: Do you watch Surveillance Report?

A: I saw [this question] and I laughed so much and my answer to that is: I kind of technically have a front row seat to at least half of it, so no. My Surveillance Report is technically this [gestures at Nate] anyway. I don’t need to listen to the podcast when I live with half of the team. So, no.

Q: What made you care about privacy? (In other words: “how can someone like me convince the people around them to care?”)

A: That is a difficult question because I didn’t truly start caring until it affected me. I’m gonna sound very braggy here: the only reason that I managed to get one of Nate’s friends on Signal at all was because I knew how to kind of “work it” in such a way that “it does this and that and whatever.” “There’s these things that I like about it personally that maybe you might like about it.” Like recently, with TikTok videos, especially with a lot of them being three minutes long. For example, Nate doesn’t have TikTok, but there are some TikToks that I find that I really want to share with him. Since [Nate] doesn’t have the app, and you’d rather me not send them to you with a link anyways, I just download the video if I can and just send to you and I can actually send it versus if it’s just regular MMS, you can’t do that cause it’s like “oh the video’s too big! I can’t handle it!” and Signal on the other hand is over here like “la la la la!” just doing the thing. And the voice message, too. The voice message feature, I know most phones already have that but I’ve run into a problem if I’m sending a voice message to someone either on Instagram or even Facebook Messenger, you can’t do that. You can’t send long voice messages, you have a very limited amount of time to do that. It’s just really hard to get someone to care, it really is. It’s kind of like the whole “you can’t help people who don’t want to be helped” thing. If somebody is just stubborn like that and they don’t want to hear about it and they don’t care no matter how many times you try to drill it in their head that Facebook is bad and this is bad, the way that you’re doing this thing – if it has not affected them personally yet, it’s not gonna matter. Again, I didn’t start using ProtonVPN or get really, really terrified about my privacy being invaded until I was told to my face that my job reads my text messages. We all love our creature comforts and unfortunately a lot of them are very privacy invasive.
I usually just say “hey, here’s an app, you can download it if you want to.” Like Signal, “here’s all the things I like about it,” and if they still don’t get it, then I’m just like “okay.” Keep fighting the fight. This is not me saying “stop fighting.” Clearly a lot of people care because otherwise we would not be sitting here right now talking about privacy.

Nate: For readers, the part of that that really jumped out to me – and this is something I’ve noticed when you get people on Signal – is you focus, like you said, on the features. A lot of people criticize Signal, for example, because – it does have shortcomings, like requiring a phone number. They promised us usernames like three years ago, or maybe even more than that. What the heck, guys? But as she’s pointed out, all these features they keep prioritizing that seem really stupid that nobody wanted like GIPHY integration, those are the little features that reel people in. When we’re trying to spread privacy to the average person, they want the features. I kind of like the fact that Signal focuses on the features because that’s what’s going to reel in people that maybe don’t care about their privacy as much – or at least not right now – but now they’ve got that protection because they’re like “all my friends are on Signal, I can join group chats, I can send massive video files.” Those little features get them in and to an extent I personally don’t even care what gets people to start using this stuff. It’s a net win for them and for everybody when they start protecting their privacy, even if they’re doing it inadvertently. That’s my opinion.

A: Go look at all of the things that you use and be like “these features are amazing and this is what makes it amazing for me!” The way that people are wired is that they want to know why something works for you and how they can also benefit from it. That’s why everybody loves Facebook because they “benefit” from it. Especially for people who could potentially be making other products for privacy, figure out what you can do to get the average person who doesn’t really care about privacy, see what you can do to market that. “Why do I want Signal on my phone? Why should I use it? I don’t know anybody who’s using it!” Features are always important.

Q: Did you have anything else you wanted to say?

A: If anybody ever has any more questions for me, just ask Nate and I can definitely respond. I don’t mind being asked these questions. It’s times like these where I’m like “maybe I should join The New Oil’s Matrix room...”

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

At the time of this writing, the following article has not posted to my Twitter/Mastodon feed yet, but will in a day or so: https://www.zdnet.com/article/best-browser-for-privacy/. This article from ZDNet claims to compare the “best” privacy browsers in 2022, with an honorable mention at the beginning for NoScript. Now, I already think ZDNet's “best X of [Year]” articles are either a joke or paid adverts (how many “best VPN” articles have they done and never once mentioned IVPN but mentioned Nord, Express, and Surfshark every time?), and this article is also not without imperfections: namely no mention whatsoever of Tor browser (not even an honorable mention), the inclusion of Microsoft Edge, and favoring NoScript over the much more user-friendly uBlock Origin. But I'm gonna share it anyways, and I'm gonna explain why in this quick, out-of-band blog post so that next time somebody goes “wow, really? You shared an article that lists X/doesn't list Y?” I can just send them this and stop repeating myself.

If I wanted to create a list of suggestions for a service that I think is perfect, I'd do it. Oh wait, I did. It's called TheNewOil.org. (Actually I don't believe this website is perfect, which is why it's open to suggestion and improvement, but the point is that I do strongly believe in every item listed there and will add or remove items as I become aware of their fitness or lack thereof.) I share these “best of” lists from time to time because it's a way to keep this stuff in people's minds and make sure people remember to check their fundamentals and maybe hear about some new options or angles they weren't aware of before.

Do these lists have flaws? Sure. Do I skip them altogether sometimes for having too many flaws? Oh yeah. Frequently. But what if they're mostly good except for one or two bad suggestions? Well then I probably share them. Because privacy isn't about being perfect, it's about doing your best. I don't think it's productive to hardline and say “I can't share this article that has six good suggestions because Suggestion #7 is bad.” What kind of a world would we have if we threw out every privacy tool that wasn't 100% perfect? One without any privacy at all, that's what. Because no privacy tool is 100% perfect. We'd have no universally-acclaimed Signal protocol because Signal requires phone numbers. We'd have no XMPP because it's too buggy and user-unfriendly. We'd have no VPNs or Tor because both have drawbacks, and no strong passwords because they can – in theory – be compromised by keyloggers. We'd have no encryption at all because weak passwords render it useless. Nothing is 100% foolproof or perfect, and if we “throw out the baby with the bathwater” as my mom used to say, we'd have nothing.

It's not about being perfect, it's about raising awareness and reminding readers to stay informed and continually check their basic foundations to see if there's room for improvement. If you don't like the things I share or the lists I've made, please start your own privacy project. There is plenty of room for good, level-headed, evidence-based content that's not sensationalist or extremist. I don't claim to be the expert or end-all-be-all of privacy, handing out godlike judgements over what is or isn't acceptable. Feel free to add your own voice with your own blog or page. But that's why I'm willing to let a little not-so-great slip in with the good, because to me it's a net gain if we get people to care a little more in the process, and I'd rather people start with a less-great solution and then eventually move onto a better one once they feel comfortable than not even try because people are telling them that the barrier to entry is absolute perfection from day one. And who knows, maybe these types of posts will remind them that they can do better.

Thank you for coming to my TED Talk.


When we talk about privacy, we tend to think of technology: VPNs, messengers, metadata, and cameras. When we do think about relationships, we tend to think of them in terms of social engineering. But the fact is that most of us are not Elliot Alderson or Thomas Anderson. Most of us have jobs, hobbies, and an innate need for social interaction. Humans are social creatures, and while the amount of human connection we need varies from person to person, most of us still need it to lead an emotionally healthy and fulfilling life. Unfortunately, it seems that a number of people in the privacy community struggle to find connection once they’ve become passionate about privacy. In their defense, it’s not hard to see why. Our society has become increasingly digital: “Netflix and chill,” “add me on Facebook,” “Google it,” and more. Choosing to live a privacy-conscious life can be a one-way ticket to isolation if you let it. The good news is, it doesn’t have to be and you don’t have to let it. In this blog post, I want to talk about a few people skills and life hacks I’ve picked up along the way that have made my life socially fulfilling without compromising too much on my privacy goals. These skills can be applied to various levels to help you find love or simply be part of the workplace. This blog post can also work in conjunction with some other “people skills” posts I’ve made in the past, like “How I’ve Convinced People Around Me to Care About Privacy” and “Interacting With Non-Privacy People.” For some of you, you may have already mastered some or all of these skills. Congrats. But for those who struggle to find connection, read on.

Let’s start with the most obvious, basic things: if you’re not a likeable person, nobody’s going to want to connect with you. There are three skills I’ve found that can make a person likeable: sense of humor, breadth of knowledge, and diplomacy. I want it to be noted that I had virtually none of these skills growing up. I had to learn them all. These are not natural traits like height or skin color that you’re born with and can’t change. You can learn them if you put your mind to it.

Humor

Let’s talk about humor first, because in my experience this is where you get the most mileage. Humor consists primarily of subverting expectations. Consider the following joke:

Two farmers are talking to each other about the size of their land. One farmer brags “well I start driving the property before sun-up, right after breakfast. After driving for hours and hours, we pause for lunch, then keep driving. We just keep driving and driving til supper time, then we drive some more until the sun goes down.” The other farmer nods and goes “yup, I used to have a truck just like that.”

Now admittedly, this joke isn’t the funniest thing I’ve ever heard but I bet you that if you told it to most people they’d at least get a chuckle. That’s because humor is about breaking the tension with something unexpected and surprising. In this joke, the tension suddenly shifts from the incredible size of the farmer’s land to the poor quality of his truck. Consider this other joke: “there are 10 types of people in the world: those who understand binary and those who don’t.” The humor occurs when a person is expecting me to list off ten different types of people or personality traits, but instead I make it about a binary where there are only two options. The joke is further compounded by the fact that I clearly don’t understand binary myself.

There are, of course, different types of humor. I thrive on sarcasm and dark humor. There’s also puns, stand-up, actual jokes with a setup and punchline, etc. There’s a million ways to tell jokes, but at the end of the day they all come down to a break of tension. This is why a lot of speakers start with a joke or funny story. It breaks the tension and makes everyone feel at home. The most important thing is to know your audience. Telling a dark joke in an HR meeting is probably not a good idea, and telling a tech joke to non-techies probably won’t go over well (my mom would not understand that binary joke to save her life). Not everybody is a master of every kind of humor. I couldn’t do stand-up comedy, but I am a master of situational humor. And not every joke is going to land. That doesn’t mean you aren’t a funny person, it could mean the people who heard it weren’t paying attention, didn’t get it, or aren’t in the right headspace for jokes. But if you can learn how to crack a well-timed joke tailored for the right audience, that’s a good way to get people to like you. This is probably the nerdiest thing I’ve ever said, but if you struggle to be funny I recommend “500 Clean Jokes and Humorous Stories: And How to Tell Them” by Russel and Linda Wright. I read this book as a child and it helped me understand why humor works and what makes people laugh.

Breadth of Knowledge

When I started high school, I was a hardcore gamer. I didn’t know anything about politics, I didn’t have a job, and I didn’t (and still don’t) like sports. If it didn’t concern Xbox, GameCube, or PlayStation 2 then I didn’t care. While there’s nothing wrong with being a gamer, this made me incredibly difficult to talk to for anyone who wasn’t a gamer. I didn’t know any movies or TV shows, I had no additional hobbies. I really can’t stress how hard this made it for me to carry on a conversation with anyone that wasn’t about a video game. These days, I’m much more well-rounded. I’ve seen a wide variety of movies and TV shows (mostly scifi and horror), I’ve read classics like Dracula and Frankenstein as well as modern books like American Gods (as well as all of HP Lovecraft and Edgar Allan Poe). I read enough news to know what’s going on in the world broadly. This means that I can now carry on a functional conversation with almost anybody about almost anything, from current events to pop culture. No matter who I’m talking to, we can typically find something to talk about. Keep in mind, I never pretend to be an expert, but I know enough to talk and have an opinion.

A lot of people in privacy who struggle to make friends seem to lack this. They’ve fallen so far down the rabbit hole of privacy that that’s all they can talk about anymore. Don’t get me wrong: I can talk about privacy for hours – and admittedly I probably steer the conversation toward it more often than I should – but it’s far from the only thing I can talk about. If every time anyone mentions anything you inevitably tie it back to Big Tech and encryption, you may need to develop some other hobbies. Take up gaming, fitness, reading, psychology, cars, anything. If you want to connect with people on any kind of level and make them like you, you have to be able to talk about more than just a few niche topics. For this, I strongly recommend the podcast “Stuff You Should Know.” They lean left politically, for those who care, but they usually don’t cover political topics and they’ve been on the air for over a decade, so they’ve covered everything from grass (like the kind that grows in your front yard) to serial killers in deep, well-researched detail. This podcast should give you a great passing knowledge of a variety of topics. You don’t even have to listen to every episode, just pick whatever sounds mildly interesting.

Diplomacy

Last but not least, let’s talk about diplomacy. Winston Churchill once famously described diplomacy as “the ability to tell someone to go to hell in such a way that they look forward to the trip.” In this case that’s probably not the message we want to share, but the point is that it’s the ability to deliver a message in an amicable way, even if it’s an unwelcome one. For example, earlier I mentioned that I’m not into sports. When I’m trying to connect with someone and they say something like “did you see the game this weekend?” I usually reply with something like “nah, I’m not really into sportsball, but my dad was a big Sooners fan growing up.” This serves two purposes. One, it injects some humor with the phrase “sportsball” (which is a word that usually implies “I know absolutely nothing about sports of any kind, not even what they’re actually called”), and two, it tells them I’m probably from Oklahoma because the Sooners are a college team from University of Oklahoma. That naturally leads them to ask “oh, are you from Oklahoma?” and turn the topic toward where we grew up, which is something else we can talk about and find common ground over. Maybe they didn’t grow up there, but they might have visited. Or maybe they have a friend from there.

The lesson here is that diplomacy is subtle. It’s not an instant, hard shut down of communication (ex, “no I don’t do sports.” End of statement, end of conversation) nor is it some kind of awkward question dodge (ex “you see the game last week?” “Nope, so where are you from?”). It’s a natural flow to the conversation, directing it in the direction you want to go. It’s almost like social engineering, except the goal isn’t to extract any specific piece of information from a person, only more information that you can both share.

Connection

Throughout this article, I’ve used the term “connect” multiple times. That’s because it’s important to remember what the goal of communication ultimately is: connection. No matter the form of communication – film, text, or spoken word – the goal is to create a relationship with a person and transfer a message. Sometimes the message can be about society, sometimes it’s about trying to impart the importance of privacy, sometimes it’s trying to say “I’m someone you’d get along with and you should hang out with more often.” But unless you can find a way to relate to that person, that message won’t stick. And that’s really what communication and connection is all about: finding common ground. If you both like Italian food and cooking, that’s a connection. If you both like black-and-white horror films, that’s a connection. Finding and cultivating these connections is ultimately what will make people like you and want to spend more time around you, and fills that social need.

Privacy is important. Privacy is a human right. But it doesn’t have to mean being alone and isolated from the world. You can be private and still have friends, family, and fall in love. It just takes some practice. And the more you do it, the better you get. Assuming it’s safe to do so with the pandemic and all, getting out is the best way to practice and develop new connections. Figure out your interests, then figure out where those people gather: concerts, old movie screenings, EFF meetups, cooking classes, you name it. It just takes a little intentionality.


This week is Data Privacy Week (and today is Data Privacy Day). To celebrate, this week I made a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.

Today, as we wrap up the week with Data Privacy Day itself, I want to go in a different direction. I'm a strong believer that you can learn just as much in failure about what not to do as you can in success about what to do. So today I'm going to focus on three overrated tools and techniques that everybody focuses on very intently, probably a little too much.

Let's start with VPNs. A lot of VPN companies promise more than they can deliver like total anonymity, freedom online from censorship and tracking, and more. This is a lie. Even the best VPNs pretty much only do two things: hide your IP address from the websites you visit, and hide your traffic from local snoops such as your ISP or work router. That's it. And your IP address is only one small way that companies track you. Fortunately in recent years there have been a lot of writings about this very topic, but still many people seem to be lulled into putting too much faith into their VPN provider. Don't. See my page and IVPN's Do I Need A VPN? for more details.

Next let's talk about instant messaging. A lot of people put massive amounts of concern into their daily messengers. It seems like every day I see people having near meltdowns over very small, minuscule things in their messenger of choice: “X is centralized,” “Y is based in the US,” “Z uses Encryption A instead of Encryption B.” While I'm a big fan of using end-to-end encrypted messengers (it's a must for anyone who wants to be close to me personally), let's take a step back here: how often do any of us really send anything important? Granted, this argument could apply to every area of our digital lives, but some people really put an unjustified amount of work into protecting their daily communications when all they're sending is memes and “want anything from Wendy's?” There's no need to get bent out of shape over having something that's NSA-proof when it means so little. There's a reason I recently moved this category to the “least important” section of the website.

Finally, on that note, email providers. At least once per week, usually more, I see posts on Reddit of people asking “what email provider should I use?” Does it really matter? You're not sending state secrets, and unlike encrypted messaging you're probably not even securing both ends of the communication. Yes, it's important to cut that threat surface in half by using a zero-knowledge provider so that the rogue employee can't open my inbox, but the email I received from my bank is still plaintext on their end. The email I sent to my boss is still visible on Gmail's servers. Only one half of the contents are encrypted, and while that's definitely better than nothing, it's really not worth having a paranoid episode trying to pick the one server that's located in Antarctica and run by hedgehogs who can't read court orders.

Now, it should be noted: I endorse and encourage the use of all these services. I list all of them on my website and strongly encourage you to use them. Your privacy – even the stupid memes and grandma's chain letter – is yours and nobody should have the right or ability to read those without due process. I'm not saying this stuff isn't worth doing. What I am saying is that in my experience/opinion, I feel like people put way too much time, energy, and effort into these particular tools for what they get out of them. Like I said, people will dive deep into the history of every time an encrypted messenger's CEO took a dump, but all they're sending over the platform is inside jokes and plans to hang out. It's about being proportional. You don't need to put hundreds of hours of research into a platform that isn't going to be containing any sensitive data. Just a few solid hours of research is plenty. Time is the most valuable resource we have: we can never earn more or get it back. Don't put unnecessary amounts of time into things that will get you very little in return. Do your research and make smart choices, do use these products, but remember that in terms of protecting your privacy, there are many other areas that will give you much higher and more effective returns. Be smart with your time.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

This week is Data Privacy Week. To celebrate, this week I will be making a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.

Today I want to talk about disinformation. This is something that deserves a whole blog post itself, as I’ve said before, and I still plan to honor that at some point, but in the meantime I want to discuss some basics. Disinformation is – simply put – intentionally spreading false information to throw off tracking of any kind. There are a few important caveats before you start using disinformation. First off, never ever lie to government or law enforcement figures. Do not give a cop a fake ID, do not put a fake name on your tax returns, etc. Second, on that note, don’t forge government IDs. Making a fake workplace or gym ID is totally fine. Making a fake driver’s license can land you in some really hot water. Finally, don’t commit fraud. The goal of disinformation is not to cheat anyone out of money or evade any legally-binding agreements; the goal is to prevent companies from collecting data about you that they don’t actually need.

The amount of disinformation you employ will vary based on the situation. Are you buying a physical product online that will be shipped to you? Then you need to give them a real address you have access to, like a PO Box or workplace. Are you buying a digital product that will be downloaded, like an ebook, digital album, or video game? Then they don’t have any reason to know your address. You can use disinformation here. Whenever asked to give up information, ask yourself “does this person actually need this information?” If they don’t have a legitimate use for this data – like the aforementioned “sending you a product” – then find a way to not give it to them. Sometimes you can simply say “no thanks” or leave the spot blank. If that’s not an option, then this is where disinformation comes in.

In my experience, there are two main pieces of disinformation pretty much everybody will need to have ready to go, and three optional ones for those who wish to take it further. The main two are physical address and phone number. For physical address, I recommend a hotel. Whether that’s a hotel in town or in another town depends on your threat model and preferences. The reason is that some websites demand a real, verified address or may flag an address like “123 Main Street” as suspicious. “28 N Franklin St” looks legitimate though, and that’s because it is. It’s the Hyatt in downtown Chicago. This is much more likely to pass in my experience. The second piece of disinformation to memorize is a phone number. My favorite is (248) 438-5508 – which plays “Never Gonna Give You Up” by Rick Astley – but Michael Bazzell also recommends (909) 661-0001 through (909) 661-0090 and (619) 364-0003 through (619) 364-0090.

The other three optional pieces are name, date of birth, and personal details. These are optional depending on your threat model or personal preferences. Date of birth is easy: Michael Bazzell recommends swapping the month and day and then adding or subtracting a year or two. For example, if your real date of birth is February 5, 2000 you can make it May 2, 1998, 99, 01, or 02. For name, I recommend using a shortened nickname or a middle name. If your real name is Alexandra Ashley, you can go by Alex or Ashley (Alex has the advantage of being gender-ambiguous). This is especially useful if you have a really unique, foreign name. I’ve met a few Indian people with names like “Raj” who Americanize it as “Ron” for simplicity. I don’t know if that’s common but it really helps to completely hide their real, unique names. Finally, for personal details, I recommend “fuzzing.” Instead of full-out lying and risking getting caught by someone who’s an area expert, just be vague or change small details. If you’re the head of the finance department at Sunshine Technologies Inc, say you work in accounting, or you work at a tech company. If you spent a few years in Seattle recently, say you grew up there. This ensures you don’t get caught in your lie (ex – claiming you’re a biologist then meeting a biology professor) and doesn’t give away anything too personally identifying in terms of details or timelines.

Again, this is a subject that warrants an entire blog post, and that will come. In the meantime, I hope you’ll look into this and start giving some thought to your own disinformation preparedness. Using disinformation can help protect you from spam, data breaches, and other forms of tracking. Happy Data Privacy Week!


This week is Data Privacy Week. To celebrate, this week I will be making a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.

Today I want to highlight backups. This is a little more security than privacy, but there’s still some privacy involved here, too. First off, let me say: backups are important. A lot of us overlook having good backup practices because it’s one of those things that you never really think about until you need it. Even I’m guilty of occasionally being late with making my backups. It happens to the best of us. There are two good practices to follow with backups. First is the 3-2-1 rule: 3 copies of your data (one being your “live” in-use copy), 2 different mediums (like an external hard drive and a USB stick) and 1 offsite (such as a cloud). The second “best practice” is to use automatic backups if that’s available to you. This way you don’t have to worry about accidentally putting off your backups for too long and having outdated, useless backups when disaster strikes. I talk all about how to design good backup strategies on this page.

This is where privacy comes in. If you’re following the 3-2-1 rule, then you’re supposed to have at least one copy of your data stored offsite. How can you do this privately? There are a few options. What I do is I have an encrypted 4 TB external hard drive that I keep at home where I store every backup, going back as far as possible, at least one year. Then, at my day job office, I store an encrypted USB with only the latest, most recent backup on it. It’s encrypted so that if we ever got robbed, if one of my coworkers started snooping, or if I just got suddenly fired and never returned to the office again, my data would still be safe. I’m usually in the office at least once per week, so I can keep that USB updated regularly. If you are 100% “work from home” or don’t work in an environment where it’s feasible to store your backup device, you could also consider storing it at a close friend’s house or something like that. Of course, these are just offline backup ideas. Storing on the cloud is much simpler and more direct.

No matter where you choose to store your data – be it at a physical location you frequent and update or on the cloud – the biggest concern is keeping it private. When I make my backups, EVERYTHING is there. I’ve mentioned before that I have a small interest in disaster prepping, which means that in addition to my password database I also have lots of sensitive documents like scans of passports and social security cards, digitized medical records, and documentation on things like insurance and leases. (There’s also things like backups of emails with consulting clients and other confidential communications.) I don’t want this information exposed, so no matter how I decide to back up my data, I have to make sure this stuff is protected. As I said, my preferred solution is to be entirely offline, but others may want something more convenient and readily accessible for any number of reasons: aka, “The Cloud.” My ideal recommendation for cloud backups is something zero-knowledge. Nextcloud is the poster child for the privacy community, but ProtonDrive, Sync.com, or even Filen.io are all popular choices. However, as noted on the page I listed earlier, each of these services comes with drawbacks. While you may decide these are not dealbreakers, some may want to pick more vetted, reliable services like Google Drive or Dropbox. In this case, I recommend the use of a service like Cryptomator or VeraCrypt to ensure that your files are hidden from possible rogue employees, unwanted snooping, and automated scanning. Again, I go in-depth on how to set up an encrypted container on the Backups page of my website, so consult that for details.

No matter what option you go with, remember to keep regular backups and keep them protected from prying eyes. This is a critical but frequently overlooked technique in the privacy community. Happy Data Privacy Week!


This week is Data Privacy Week. To celebrate, this week I will be making a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.

Today I want to talk about mobile habits. As most privacy enthusiasts know, phones are some of the most effective surveillance devices out there, recording everywhere you go, everyone you talk to, every app you use – which can betray your interests and more – and in some cases can even infer information about you like sexual orientation and health. Truthfully, I think many privacy types dream of being able to live without a cell phone, but sadly for most of us that’s just not reasonable. If you can, good for you. But many cannot. While there are a number of steps we can take to reduce phone data collection – like using a deGoogled OS or even just changing a few settings – there are also a lot of tricks that frequently get ignored, and those mainly involve mobile habits.

On the website, I offer a number of behavioral suggestions to help reduce the tracking of your phone. The biggest one, in my opinion, is simply to use it less. While you may need your phone at work to get important messages, there’s no need to take it to the grocery store or out to dinner. You can safely leave it at home and bring a paper grocery list, talk to your dinner date, or bring a book if you’re eating alone. Another technique is simply to rely on fewer apps. While some apps have a place – like encrypted messaging or a more private browser – some may not really be necessary. Most of my loved ones use Signal, therefore I see no reason to have Matrix and Session on there too since I rarely get messages there. I also removed all email from my phone. Phones these days come with a stock mail app, but email was never designed to be realtime communication. If you’re emailing me, then that tells me whatever you’re asking can wait. Instead of swapping a bad email app for an encrypted one, I just deleted it altogether. Desktop only now. And on that note, I mentioned a privacy browser. Just because you have a better browser right there doesn’t mean you should always use it. Sure, I use it to find items in the store when I’m at work or to check what time the store closes on the way home, but I try not to use it to figure out what Daniel Radcliffe has been up to since Harry Potter ended (note: Miracle Workers. It’s hilarious. I highly recommend it) or what’s the furthest object ever observed in space. Point being: I try not to do things on my phone unless it’s an emergency or highly important. If it can wait til I’m at my desktop, I try to do that because I have more control over my data there. Phones are difficult to harden in a really meaningful, effective way. No matter what apps we download or steps we take, we should always be skeptical of them.

Hopefully this article has given you some thought and helped you rethink your relationship with your miniature surveillance device. Don’t get me wrong: I’m grateful for my phone. It has made my life easier in so many ways, providing endless hours of entertainment and contact with those I care about nearly 24/7. But it’s important that I stay in control of it and not the other way around. Happy Data Privacy Week, hopefully this helps you protect your privacy just a little better!


This week is Data Privacy Week. To celebrate, this week I will be making a series of short blog posts highlighting tools, services, products, and techniques that I feel are underrated to help improve your privacy.

Today I want to highlight settings, specifically changing and checking them. There's nothing like a fresh device. It's what “new car smell” feels like. I love a freshly installed OS, and I love doing all the hardening steps. On Windows (which I use strictly for gaming and production), my usual routine is Windows Spy Blocker, W10 Privacy, Bulk Crap Uninstaller, and lately I've been delving into Portmaster. Then I move on to things like Firefox, VLC, etc. But as fun as these things are and as empowering as it feels to help take back control of my device and regain a little bit of privacy from invasive analytics, there's a less exciting step: settings. You see, many of us in the privacy community get a new device and we get eager to start customizing it and locking it down: firewalls, VPNs, encrypted messengers, etc. These are all great and important steps, but it's important not to overlook the simple steps. Whether on desktop or mobile, don't underestimate the value of changing your settings. Why do you think companies like Google pay millions of dollars each year to be the default browser in Firefox? Because settings matter. Most people don't bother to change the default settings, but simple changes – like changing your default search engine or video program, turning off analytics, or having the device lock after a minute of inactivity – can offer simple yet powerful protections to your privacy (and as a bonus, they can reduce your attack surface by not requiring you to use extra plugins or third-party software to replicate the same behavior). So as fun as it is to start going straight to all the hardcore, power-user tweaks, don't overlook the basics and review your default settings.

Unfortunately it doesn't stop there. It's a well-known phenomenon that sometimes updates can revert your settings back to default. In my opinion, this is probably usually a bug as it seems to only happen to certain people and programs inconsistently, though sometimes it is certainly intentional. In my experience, this usually seems most prevalent when doing major updates (for example, going from Version 14 to Version 15), but it can happen at any time. So even if you've already checked your settings and made your adjustments, be sure to review them periodically – particularly after an update if you know you've just had one. This is a great way to spot any new settings worth adjusting and catch any settings that were reverted.
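As an added example (not from the original post), here is a small Python check for the periodic review described above, using Firefox's `prefs.js` file as the settings store. It assumes you saved a copy of `prefs.js` right after hardening; both file contents below are constructed samples, and reading a missing line as "reset" relies on Firefox normally writing only non-default values to that file.

```python
import json
import re

# One prefs.js line looks like: user_pref("some.pref.name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Constructed sample: copy of prefs.js saved right after hardening.
BASELINE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("dom.security.https_only_mode", true);
user_pref("browser.search.suggest.enabled", false);
"""

# Constructed sample: the same profile after a major version update.
AFTER_UPDATE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.invalid/whats-new");
user_pref("dom.security.https_only_mode", true);
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.migration.version", 150);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments and blank lines
        name, raw = match.group(1), match.group(2).strip()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep anything unusual as raw text
    return prefs


def find_drift(baseline, current):
    """Compare the settings you chose (baseline) with what is on disk now.

    Returns {name: (status, wanted, found)} for each baseline pref that no
    longer holds the value you set. Prefs that exist only in `current` are
    ignored, because the browser writes plenty of bookkeeping entries itself.
    """
    drift = {}
    for name, wanted in baseline.items():
        if name not in current:
            # The line is gone: the pref fell back to the built-in default.
            drift[name] = ("reset", wanted, None)
        elif current[name] != wanted:
            drift[name] = ("changed", wanted, current[name])
    return drift


if __name__ == "__main__":
    report = find_drift(parse_prefs(BASELINE_PREFS),
                        parse_prefs(AFTER_UPDATE_PREFS))
    for name, (status, wanted, found) in sorted(report.items()):
        print(f"{status:8} {name}: wanted {wanted!r}, found {found!r}")
```

To use it on a real profile, read the saved copy and the live `prefs.js` from disk instead of the two sample strings, with the browser closed so the file is not being rewritten.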

Happy Data Privacy Week, hopefully this helps you protect your privacy just a little better!


Disclosure: The New Oil is sponsored by IVPN. Per the terms of this agreement, IVPN does not have any input on our review, but we want to disclose any possible conflicts of interest up front. You can read all of our guidelines for sponsorships here.

What is IVPN?

A VPN – or Virtual Private Network – is a service that creates an encrypted tunnel between the device – be it a phone, computer, or router – and the VPN server. From there, your traffic continues on to your desired destination – such as TheNewOil.org – like normal. IVPN is a service headquartered in Gibraltar, a mostly-autonomous British territory. IVPN offers two plans, Standard and Pro. Both plans offer all protocols (WireGuard, OpenVPN, PPTP, and IPSec IKEv2) and the anti-tracker no-logs DNS service. The Standard Plan covers 2 devices while Pro covers 7 and includes port forwarding and multi-hop servers.

Why Do You Need a VPN?

You may not, to be honest. (Interestingly, IVPN openly shares this opinion. Check out their site “Do I Need a VPN?” here.) A lot of people really hype VPNs as one of those absolutely, must-have, life-changing things that will solve all your problems. In all honesty, while I do believe that VPNs are an essential piece of your privacy strategy, there are many other free or low-cost strategies that will give you significantly more protection. A VPN these days pretty much only has two purposes: changing your IP address and protecting your traffic from local snoops. Changing your IP address is a valuable part of avoiding tracking, but it’s just one tracking method, and a VPN won’t protect you against the others like browser fingerprinting, tracking pixels, cookies, and more. Likewise, while it can be great to protect your traffic from your Internet Service Provider or a local cybercriminal, from a security perspective you’re already pretty well covered so long as you enable your browser’s HTTPS-Only mode and make sure you’re using the correct sites and not spoofed sites. Having said all that, I do still consider a VPN to be a critical part of your privacy and security posture. It can bypass censorship, stop your ISP from selling your browsing data, help obscure your IP address from tracking and logging, and protect your traffic from local attackers.

Why Not Tor?

Some people prefer Tor over VPNs. Tor is definitely right in certain situations, but not all of them. For one, many essential services – like banks – block known Tor IP addresses to prevent fraud and abuse, making using those services nearly impossible. Second, Tor loses almost, if not all, of its anonymity once you log in to something. If you log in to your email and then your Reddit account in the same session, they’re now tied together and you’ve lost your anonymity benefit. For this reason, I recommend reputable VPNs for any services that are sensitive or tied to your real identity, and Tor for random searches or accounts that are not tied to your real identity.

The Good

IVPN has some really impressive positive aspects. For one, they are committed to ethical marketing. Their site talks about how they don’t believe in paying for reviews or unethical ads, their commitment to transparency, and as I linked above they even have a website that aims to dispel many of the myths surrounding VPNs and what they can and can’t do – even if it costs them potential customers. They’d rather lose an educated customer who knows that IVPN won’t solve their problems than dupe a paying customer who won’t get the protection they really need.

IVPN’s security is also top notch. We have covered numerous stories on Surveillance Report about vulnerabilities in widespread VPN protocols or infrastructure, and nearly every one has noted “IVPN is not vulnerable to this,” usually because they patched their systems months ago or have some other mitigation in place that just so happens to protect against the vulnerability in question. (Of course, IVPN is not the only one immune to these bugs, but out of the three we endorse on The New Oil they’re the only one that is consistently ahead of the curve). I was also pleased to see that WireGuard was their default protocol. WireGuard is a recently-developed VPN protocol that’s considered to be faster and lighter, and because the code is so small it’s more easily auditable, which hopefully in the long run will mean fewer vulnerabilities. Though of course, the other protocols listed above are still available for those who want something a bit more time-tested or have a different need.

The information required at signup is none. Seriously. You can click “generate an IVPN account” on their homepage and it just does. They also accept Monero directly without a third-party exchange being involved, which means that if done right, IVPN is easily 100% anonymous. Of course, you can add an email if you feel so inclined, and you can pay with a card (including a privacy.com card), but at no point do they require any of this from you. It’s totally voluntary.

Finally, their country of origin – Gibraltar – offers some redeeming aspects. Gibraltar is legally a UK territory, but they are given a long leash by the government and operate mostly as an autonomous region. This turned out to be a good thing when post-Brexit, Gibraltar decided to legally adopt GDPR for themselves. From what I understand, it was largely untouched except for a few legal definitions to clarify that it was being applied to Gibraltar.

A few other neat things I noticed in my time testing them out:

  • IVPN offers single week, single month, single year, and multi-year plans. This is fantastic for people who want to try it out for a short period of time before committing. They also offer a 30-day money-back guarantee, so really there’s no risk at all.
  • They offer the ability to pause your connection for a pre-determined amount of time. This is great if you need to turn it off to watch a movie or something like that so you don’t have to remember to turn it back on. (Not available on iOS, sadly.)
  • They do annual security audits.
  • They offer split-tunneling.
  • They offer “trusted Wi-Fi networks.” Say for example that you’re like me and you have a VPN on your home Wi-Fi. You can mark your home network as “trusted” so that when you get home and connect, IVPN will automatically turn off so as not to be redundant. Then, once you disconnect, it pops right back on.
  • Lastly, hardcore mode. This mode will block ALL the Big Tech companies, including their back infrastructures – like AWS or Azure. It’s not really feasible for most people, but it could be fun to do for a day or a few hours. It’ll really open your eyes to how deep Big Tech has their tendrils in your daily life.

The Bad

IVPN does have a few drawbacks, but they’re very few and far between. The most noticeable one, in my opinion, is the low server selection. They offer only 77 servers in 31 countries. I personally didn’t find this to be an issue at all, but when going up against other providers who offer hundreds of servers in well over fifty countries, it's a bit surprising. IVPN also makes no promises of working on streaming services, and I can confirm this. One time, I put IVPN on pause for 3 hours while Henry and I recorded Surveillance Report. After we were done, I moved on and started watching a movie on HBO Max. After about an hour, HBO Max suddenly brought me to an error page. After a moment of frustrated confusion, I realized IVPN had turned back on and HBO Max had stopped buffering. Oops. Ultimately I’m still glad it came back on without me having to remember. I've also had a few issues sometimes with Spotify not loading, but usually this was as simple as turning the VPN off and back on. Finally, as a Qubes user, I was disappointed to see they offered no Qubes support, especially since they place such a high emphasis on security.

Now let’s talk about the speed test. A lot of people have come to expect blazing fast internet these days, and unfortunately I have found a noticeable – though personally minimal – decline in speed with IVPN. Using Speedtest.net, without the IVPN app even running, I was connected to Kapper.net in Vienna (I suspect this means that IVPN made some permanent changes to my DNS, you’ll see why in a second). My ping was 135 ms, download speed was 281.09 Mbps, and upload speed was 21.90 Mbps. (Once again: dear ISP, if you’re reading this, I’m paying you for gigabit.) I then opened the IVPN app, which had previously been completely closed out, and connected to the fastest server (which for some reason is in Vienna despite me being in Arizona). Running the test again, I was still connected to Kapper.net but my new speeds became a ping of 172 ms, a download speed of 45.62 Mbps, and an upload speed of 16.84 Mbps. Yikes. Having said that, I’m not an online gamer or streamer, so these speeds are not critical to me. Everything loaded in a reasonable time, from videos to web pages and apps. It was noticeable compared to my usual VPN, but it was certainly nothing debilitating that I couldn’t get used to and live with. Then again, I know some people expect their pages to load completely in less than a second from initial click to “finished loading.” If you’re one of these people who has not yet learned the art of patience, this may not be the VPN for you.

Perhaps the biggest drawback lies in their home country. As I said before, Gibraltar operates largely autonomously and did go out of their way to legally apply GDPR to themselves after Brexit. However, they are still a UK territory. Hong Kong used to be mostly independent, too, until they weren’t. At the time of this writing, the UK is conducting a massive surge in anti-encryption rhetoric, with the government paying over a half-million pounds to a powerful marketing firm to launch a smear campaign against encryption and turn the public opinion against it. The reason we list a country of origin as a pro or con based on their Eyes affiliation is because it sets a tone. If a country is part of the Eyes, it shows that they have a lower regard for the privacy of their citizens and they are willing to share data and violate privacy. Likewise, while Gibraltar may value privacy, they belong to a country that clearly does not, and if the UK decides to impose their anti-privacy stance on Gibraltar, this could be very damaging to IVPN. Keep in mind: this is pure speculation. There is no evidence at this time that the UK is pressuring Gibraltar or IVPN or what forms that kind of pressure might take if it did come to pass. I also have zero doubt that Gibraltar and IVPN would push back against these unethical requests. However, at the end of the day, they fall under UK jurisdiction, and if they lose these battles, it could be a problem. Again, I cannot stress enough that this is purely a “what if” scenario, but given the UK’s open and outright hostility against privacy, it’s worth having this concern on your radar.

Conclusion

My last couple weeks of using IVPN have been pretty pleasant. There were some roadblocks to overcome as I made the switch from my usual provider – probably mostly just because of that human urge to resist change. I will be keeping Proton on the router for the sake of using streaming services, but overall my IVPN experience was great. Signup was shockingly smooth, apps were easy to find and install, and settings were explained well and straightforward. If you’re looking for a streaming-friendly VPN, Proton is probably the way to go. But if you’re not a big streamer and you want maximum security, IVPN is probably the best out there.

You can learn more and sign up for IVPN here. No affiliate link.


Guest blog post by our moderator Uncover

Streaming services. Many of us love them, though sometimes we get frustrated with them (I’m looking at you, Hulu ads). Regardless of your personal feelings towards a specific platform, they have become a staple in many of our daily lives. For all the laughter and joy we get from them, the tracking and data collection – while varied – can create an accurate portrayal of a consumer’s likes and dislikes. With that in mind, here are some easy “in-house” methods on each of the top 10 platforms (by subscriber count) to somewhat limit the amount of tracking that takes place. All of these instructions are done from a desktop web browser, as this typically gives you the most control over your account settings.

Netflix

I consider Netflix to be one of the more mild streaming services in terms of the amount of collected data. Unfortunately there’s no real ability to opt out of data collection, but you can remove your viewing history, which will also prevent the algorithms from learning. You’ll have to repeat this process periodically; you cannot tell Netflix not to save your viewing history.

  1. Visit Netflix.com and sign in to your account
  2. Choose your profile, hover over the profile icon in the upper-right corner, and scroll down to Account.
  3. Scroll down to Profile and Parental Controls, and click your profile picture.
  4. Click Viewing Activity.
  5. Click the circle icon on the right of each entry to remove it from your watch history. To remove your entire watch history, scroll down and click hide all.
  6. Repeat the process for each profile on your account.

Amazon Prime Video

Amazon tracks all your activity by default (on any and all platforms they can get their hands on). It saves all searches, things viewed recently, shows and movies watched, and categories you looked through. In my opinion they are one of the worst for tracking (here and everywhere else they can). This data helps Amazon create targeted ads. That’s why you’ll see products and suggestions similar to what you’ve watched or looked up. Here’s how to help limit Amazon from tracking your browsing activity:

  1. Visit PrimeVideo.com and sign into your account.
  2. Hover over Accounts & Lists in the top right corner and select Browsing History from the menu.
  3. Click the Manage history drop-down arrow.
  4. Toggle Turn Browsing History on/off to the Off position.

You can also disable personalized ads to stop your data from being used for advertising.

  1. Hover over Accounts & Lists and click Account.
  2. Under Communication and content, click on Advertising preferences.
  3. Choose Do not show me interest-based ads provided by Amazon and click Submit.

Crunchyroll

Crunchyroll is a bit of a niche streaming service focusing exclusively on anime, but according to our source this freemium service ranks #3 in terms of subscriber numbers.

  1. Go to Crunchyroll.com and log in.
  2. Once signed in, you may be on the video-watching platform, which has limited options. If so, navigate to crunchyroll.com/editprofile/?tab=basic.
  3. Empty out your profile of as much information as possible, or – if that’s not an option – fill it with false information.
  4. Under Privacy Settings, toggle Online Status to Offline and check Achievement Privacy so that Achievements are private and visible only to you.
  5. Under Social Integrations, I recommend unlinking your Twitter if it is already linked.
  6. Check My Devices and ensure there are no old or unfamiliar devices authorized. If you do not recognize any of the devices, deactivate them.

Hulu

Ah Hulu, the wannabe underdog of streaming. The service that will always be in the “friend zone” of streaming giants. Out of the box it collects quite a bit of data but gives some options to disable some of the data collection.

  1. Visit Hulu.com and sign into your account.
  2. Hover over your profile picture in the top right corner and select Account.
  3. On the right side, under Privacy And Settings, select Manage Nielsen Measurement and click OPT OUT.
  4. Next, select California Privacy Rights.
  5. Under Manage Activity, click Watch History and Clear Selected. Like Netflix, this will affect your algorithm but you will regain some privacy.
  6. On the same page, under Right to Opt Out, click Change Status.
  7. Click OPT OUT.

Apple TV+

AppleTV is another relatively-privacy-friendly option. While Apple does collect some data, they get a lot of points from most experts because they don’t use that data to create advertising profiles or sell ad space. However, as privacy advocates, we’re typically not fans of any unnecessary data collection at all, and in that sense Apple does collect more data than they probably need.

  1. Log in to tv.apple.com.
  2. Click on your profile picture in the top right corner and select Settings.
  3. Under Account Access select Sign Out of All Browser.
  4. Under Play History select Clear Play History. This will likely remove your algorithmic recommendations, just as with Hulu and Netflix.

You can ask Apple more questions about your data here.

Honorable Mention: YouTube

While not a “streaming service” in the same sense as the above services, YouTube remains one of the most popular platforms for content on the planet. YouTube is owned by Google (yuck), who uses your search history, browser history (if you use Chrome), and more to build a detailed ad profile about you. This personalizes the ads, recommendations, and even search results you see. With Google having one of the furthest reaching hands in the internet, they are able to pull your info from all over the web and your viewing data is just one more juicy morsel to them. If you want to help clear out what YouTube knows about you, you have to visit your Google Account.

First, let's check the search and activity page.

  1. Log in at myactivity.google.com.
  2. You will see check marks next to Web & App Activity, Location History, and YouTube History. Click each one to change your settings. You can toggle each of them off to stop Google from tracking you.
  3. On the menu that appears in the left sidebar, click on Delete activity by. Choose how far back you would like to delete your history in the pop-up menu (I highly recommend the longest option available). Then click Delete to confirm your changes.

Next, let's turn off personalized ads. This is how Google serves you ads based on your activity and history.

  1. On the menu on the left, click Google Account then select Privacy & personalization.
  2. Scroll down until you see Ad settings.
  3. Select Ad personalization and turn it off.

You may have noticed that we said “top 10 streaming services” at the beginning, but didn’t list 10. That’s because five of them – Disney+, Peacock, HBO Max, Discovery+, and ESPN+ – didn’t offer any privacy settings whatsoever except one. All of these services offered a “Do not sell my data” option that was relatively obscured. A few other services did, too. Here, we’ve included a direct link to this option for each service, including any additional advertising opt-out links.

  - Crunchyroll: Interest-based advertising
  - Disney+: Interest-based advertising (Requires 3rd Party Cookies)
  - Peacock
  - HBO Max
  - Discovery+: Interest-based advertising
  - ESPN+: Nielsen Measurements, Interest-based Advertising

Wrapping Up

These are the “big dogs” of the streaming entertainment scene. Use this knowledge and apply it to other streaming services you use that we haven’t listed. Your mileage may vary, or you may have no success at all (some sites don’t offer any clear options).

As a final note, here are a few universal tips for protecting your privacy while streaming regardless of the service. First is watching in a browser on your computer whenever possible. When you’re on a “desktop” environment, you can use firewalls, ad blockers (like uBlock Origin) and other browser hardening tricks to take it a step further. This is especially useful for the services that don’t offer any privacy controls. (Editor’s note: uBlock Origin blocks Hulu ads. 10/10 recommend.)

The next tip is to set your browser to clear all cookies on exit. This will sign you out of everything, which some people may find incredibly inconvenient. You can allowlist (or whitelist) certain sites to keep their cookies, but this may defeat the purpose from a tracking perspective so I recommend clearing all cookies if you’re willing to put up with the mild inconvenience of signing back in each day. Even if you do allowlist certain sites, that's still an improvement though, so definitely look into this option on your browser.

A final, more advanced tip is to use a VPN. Not all VPNs work with streaming services. ProtonVPN, one of the few we recommend, proudly advertises that they are streaming-service friendly, and their DNS comes with an ad, tracker, and malware blocker that will help reduce (but not eliminate) more ads and tracking from each of these services. (Here’s an affiliate link if you want to get ProtonVPN and support us at the same time, but don't feel obligated.) You can also add this to your router (if your router supports VPNs) to protect all the devices on your network, like Smart TVs and game consoles.

I hope this was helpful and can provide some insight in an area not typically discussed in the privacy/security community. Stay private and stay safe.

-Uncover

(Proofreading and additions added by Nate B)
