The New Oil

Practical privacy and simple cybersecurity.
TheNewOil.org

A 2019 study from Stanford University challenged a random sampling of Facebook users to quit the site for a month. The results were mostly positive: people felt happier, interacted with friends and family more, and were less polarized in terms of news and politics. I often encourage my readers to ditch mainstream social media like Facebook, Twitter, TikTok, and similar sites if at all possible, as I have also felt those same effects. Particularly I noticed that my conversations with friends and family became significantly more meaningful and felt more genuine and sincere. But there was one major downside the study found that I also noticed: people felt less informed. While we all know that Big Tech is feeding us selective headlines based on our algorithms, it can still be helpful to get even a few major, biased headlines to help us know generally what’s going on in the world. When you give up social media, that information is no longer fed to you, and it becomes your job to find out how to stay informed. So this week, I want to share what works for me to help stay informed without sacrificing my privacy so much.

Newsletters

An obvious method we often forget about is newsletters. Most organizations that you may want to follow – like non-profits and companies – offer newsletters. If your first reaction to that was “ugh, my inbox is already cluttered,” then you will have to go through and start unsubscribing from stuff. Once you do that, I encourage you to use an email masking service (so that you can burn the address if it gets breached or starts spamming you) and start signing up to newsletters you care about. Feel free to unsubscribe from any of them if you stop caring. The companies won’t hound you, I promise. They’re focused on other stuff.

Bonus tip: most email providers offer folders and rules that allow you to keep your inbox organized. For example, as a freelancer I have certain recurring client emails automatically drop into a freelance folder. That way I can open that folder and see ONLY emails pertaining to work, clients, contracts, upcoming events, etc. I don’t have to see that folder interspersed with a bunch of newsletters, personal emails, etc. Likewise, you can create a folder and have all your newsletters go straight there so you can check them at your leisure and/or keep them out of your main inbox so it doesn’t get cluttered.

Please note that many emails of all kinds – not just newsletters – come with tracking pixels and analytics built into them. Make sure you have your email client or inbox set to not load remote content automatically and instead load it manually. This will prevent much of this tracking and give you a much more private experience.
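To make the remote-content point concrete, here is an added example (not code from the original post) in Python that scans an HTML email for resources a mail client would fetch the moment the message is rendered, flags 0x0 or 1x1 remote images as likely open-tracking pixels, and rewrites the message with those tags blocked, which is what the “load remote content manually” setting does for you. The sample newsletter is constructed for the example and its `.test` hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute a mail client fetches as soon as the message is shown.
# Plain links (<a href>) are deliberately absent: they only fire when clicked.
AUTO_FETCH_ATTRS = {"img": "src", "link": "href", "script": "src",
                    "iframe": "src", "source": "src", "video": "poster"}


class RemoteContentScanner(HTMLParser):
    """Collects every tag that would trigger a remote fetch when the email is opened."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (exact tag text as written, url, looks_like_pixel)

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = (attrs.get(attr_name) or "").strip()
        if urlparse(url).scheme not in ("http", "https"):
            return  # inline (cid:) or data: content does not phone home
        size = ((attrs.get("width") or "").strip(), (attrs.get("height") or "").strip())
        # A remote image declared as 0x0 or 1x1 is the classic open-tracking beacon.
        looks_like_pixel = tag == "img" and all(s in ("0", "1") for s in size)
        self.hits.append((self.get_starttag_text(), url, looks_like_pixel))


def _scan(html):
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def find_remote_resources(html):
    """URLs the client would request automatically, in document order."""
    return [url for _, url, _ in _scan(html)]


def tracking_pixels(html):
    """Only the remote images that look like open-tracking pixels."""
    return [url for _, url, pixel in _scan(html) if pixel]


def strip_remote_content(html):
    """Return the email with every auto-fetching tag replaced by a comment."""
    for tag_text, _, _ in _scan(html):
        html = html.replace(tag_text, "<!-- remote content blocked -->")
    return html


# Constructed sample newsletter; the .test hostnames are placeholders, not real senders.
SAMPLE_EMAIL = """<html><body>
<p>Thanks for subscribing to our newsletter!</p>
<img src="https://mail.example-newsletter.test/open/abc123.gif" width="1" height="1" alt="">
<img src="cid:logo@newsletter" alt="logo">
<p><a href="https://www.example-newsletter.test/story">Read this week's story</a></p>
<img src="https://cdn.example-newsletter.test/hero.jpg" width="600" height="200" alt="hero">
</body></html>"""

if __name__ == "__main__":
    print("would fetch:", find_remote_resources(SAMPLE_EMAIL))
    print("likely pixels:", tracking_pixels(SAMPLE_EMAIL))
    print(strip_remote_content(SAMPLE_EMAIL))
```

Note that the inline `cid:` logo and the clickable link survive the rewrite; only content that loads on open is blocked, which is exactly the distinction the client setting makes. The size check is a heuristic: a sender can just as easily track opens with a full-size remote image, which is why blocking all remote content, not just pixels, is the safer default.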

Alternate Social Media

I’m a big fan of Mastodon. It’s like a privacy-respecting Twitter. I’ve met some really cool people, seen some neat ideas, and overall had a positive experience. One cool thing about Mastodon is that many people have created mirrors which basically just copy and repost content from Twitter. There are several BBC News mirrors, for example, so I can still subscribe to BBC if I wanted to and get their tweets. Some privacy-conscious companies even manage their Mastodon directly, like Tutanota and Nextcloud. This is not limited to Mastodon. For videos, some people cross-post or mirror their content from YouTube to PeerTube. This isn’t always a guarantee, but it’s worth looking into. You’d be surprised sometimes what has been mirrored or has a fediverse account.

RSS

Alright, this is the power-user option where you’ll probably get the best results. It sounds harder than it is, so don’t panic. RSS stands for Really Simple Syndication, and it used to be all the rage back in the mid 2000s. These days it’s less common, but still widely supported. First, you’ll need an RSS reader. Unfortunately there are not a lot of open source, privacy-respecting options here. As far as I know, there are only two: Tiny Tiny RSS and Thunderbird. I personally lean toward Thunderbird as I tend to use it for email as well, so it kills two birds with one stone, but admittedly it’s not the prettiest solution. At any rate, for most websites I simply search “[website name] rss” and that usually pops up a direct link to their feed. For example, here’s a Brave Search for “Wired RSS”. Most websites don’t advertise their RSS feeds anymore, so I’ve found this to be the most direct and least-frustrating way of finding it. From there, you can add that link to your RSS reader of choice and set the options to your liking: how often to check for new stories, how far back to keep old stories, etc.

But wait, there’s more! You don’t need to limit your RSS experience to just news sites. I also use RSS to keep up with Twitter accounts, subreddits, and even YouTube channels. Let's start with Reddit because that one is easiest. Simply go to the subreddit you wish to follow, such as the Privacy subreddit, and add “/.rss” to the end and add it to your reader: https://www.reddit.com/r/privacy/.rss. There are additional tips you can add here, such as to only pull the top posts each day if you’d like to filter out some of the lower-level content. Michael Bazzell talks about some of these configurations in his own podcast episode about RSS here.

For Twitter, you’ll need to pick a Nitter instance. Any instance will do so long as it’s reliable. Then you find the account you wish to follow. In this case, we’ll use mine as an example. Then you’ll add “/rss” to the end and add it to your RSS reader: https://nitter.nixnet.services/thenewoil1/rss. Bam! You are now following my Twitter account without needing an account of your own! (Note: I encourage you to follow me on Mastodon, instead. It’s the same content. I only use Twitter so I can schedule posts and mirror them to Mastodon.)

YouTube was a little trickier and took me some time to track down. In this scenario, we’ll use The Hated One, a popular YouTuber who produces content about Big Tech and privacy. After a lot of searching, I found the following URL pattern that seems to work for me: https://www.youtube.com/feeds/videos.xml?channel_id=Channel_ID. Where it says “Channel_ID,” we’ll replace that with the ID at the end of The Hated One’s channel URL from above. It now becomes https://www.youtube.com/feeds/videos.xml?channel_id=UCjr2bPAyPV7t35MvcgT3W8Q. So that means to make that link work with any channel, simply copy the channel ID. For example, Techlore’s YouTube channel is https://www.youtube.com/channel/UCs6KfncB4OV6Vug4o_bzijg, so the new RSS link becomes https://www.youtube.com/feeds/videos.xml?channel_id=UCs6KfncB4OV6Vug4o_bzijg. My own channel is https://www.youtube.com/channel/UCH5DsMZAgdx5Fkk9wwMNwCA, so my RSS link would become https://www.youtube.com/feeds/videos.xml?channel_id=UCH5DsMZAgdx5Fkk9wwMNwCA. (Alternately, you can just get the RSS link directly from my PeerTube channel with no trickery or fuss.)
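As an added example that is not part of the original post, the following Python script generalizes the three URL recipes above (subreddit, Nitter account, YouTube channel) into one function, pulls the channel ID out of a YouTube `/channel/` URL the way the text describes, and parses the two feed formats these sources hand back: Atom (which the YouTube feed uses) and RSS 2.0. The two feed documents are constructed samples that only mimic the real structure, the Nitter host defaults to the nitter.nixnet.services instance mentioned above, and the channel IDs are the ones already on this page.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"


def youtube_channel_id(channel_url):
    """Take the ID from the end of a https://www.youtube.com/channel/<ID> URL."""
    path = urlparse(channel_url).path.rstrip("/")
    _, sep, channel_id = path.rpartition("/channel/")
    if not sep or not channel_id or "/" in channel_id:
        raise ValueError(f"not a /channel/<ID> URL: {channel_url}")
    return channel_id


def feed_url(kind, target, nitter_host="nitter.nixnet.services"):
    """Build the feed URL for a subreddit name, a Twitter handle (via Nitter),
    or a YouTube channel (ID or full /channel/ URL)."""
    if kind == "subreddit":
        return f"https://www.reddit.com/r/{target}/.rss"
    if kind == "twitter":
        return f"https://{nitter_host}/{target}/rss"
    if kind == "youtube":
        channel_id = youtube_channel_id(target) if "/" in target else target
        return f"https://www.youtube.com/feeds/videos.xml?channel_id={channel_id}"
    raise ValueError(f"unknown feed kind: {kind}")


def parse_feed(xml_text):
    """Return [{title, link, published}] for an Atom or RSS 2.0 document.
    Feeds are untrusted input; ElementTree does not fetch external entities,
    but a hardened reader would parse through defusedxml instead."""
    root = ET.fromstring(xml_text)
    entries = []
    if root.tag == ATOM + "feed":
        for entry in root.findall(ATOM + "entry"):
            link = ""
            for l in entry.findall(ATOM + "link"):
                if l.get("rel", "alternate") == "alternate":  # skip self/enclosure links
                    link = l.get("href", "")
                    break
            entries.append({"title": entry.findtext(ATOM + "title", default=""),
                            "link": link,
                            "published": entry.findtext(ATOM + "published", default="")})
    elif root.tag == "rss":
        for item in root.findall("./channel/item"):
            entries.append({"title": item.findtext("title", default=""),
                            "link": item.findtext("link", default=""),
                            "published": item.findtext("pubDate", default="")})
    else:
        raise ValueError(f"unrecognised feed root element: {root.tag}")
    return entries


# Constructed Atom sample in the shape of a YouTube channel feed (not a real download).
SAMPLE_ATOM = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Channel</title>
  <link rel="self" href="https://www.youtube.com/feeds/videos.xml?channel_id=EXAMPLE"/>
  <entry>
    <title>First video</title>
    <link rel="alternate" href="https://www.youtube.com/watch?v=VIDEO_ID_1"/>
    <published>2021-06-01T12:00:00+00:00</published>
  </entry>
  <entry>
    <title>Second video</title>
    <link rel="alternate" href="https://www.youtube.com/watch?v=VIDEO_ID_2"/>
    <published>2021-06-08T12:00:00+00:00</published>
  </entry>
</feed>"""

# Constructed RSS 2.0 sample in the shape of a Nitter account feed (not a real download).
SAMPLE_RSS = """<rss version="2.0">
  <channel>
    <title>thenewoil1</title>
    <item>
      <title>A constructed post</title>
      <link>https://nitter.nixnet.services/thenewoil1/status/1</link>
      <pubDate>Tue, 08 Jun 2021 12:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>"""

if __name__ == "__main__":
    print(feed_url("subreddit", "privacy"))
    print(feed_url("twitter", "thenewoil1"))
    print(feed_url("youtube", "https://www.youtube.com/channel/UCs6KfncB4OV6Vug4o_bzijg"))
    for entry in parse_feed(SAMPLE_ATOM) + parse_feed(SAMPLE_RSS):
        print(entry["published"], entry["title"], entry["link"])
```

Nothing here contacts the network; paste the generated URL into your reader, which will fetch the feed and parse it exactly as `parse_feed` does with the embedded samples. The channel-ID helper refuses anything that is not a `/channel/<ID>` URL, so a `/watch?v=` or `/c/name` link fails loudly instead of producing a feed URL that silently returns nothing.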

Podcasts

Last but not least, let’s not ignore podcasts. Many news outlets – and a variety of other creators and brands – offer regular podcasts, ranging from twice a day to once every other week, where they share top stories. This can also be a great place for you to get your information, especially if you’re on the go and rarely have time to sit down and sort through an RSS feed. Unfortunately the podcast landscape is getting invasive. Spotify and Apple are the two biggest podcast apps, and both of those are already quite invasive (with Spotify becoming more and more so each year). Spotify is even going a step further by offering many podcast series contracts to become “Spotify exclusive,” further locking listeners into their data-sucking monopoly. Many privacy-respecting podcasts share RSS links so you can listen to them without the invasive tracking, but again we’re now back in that same position of using an RSS reader. Of course, you could always download the episode and upload it to your media player of choice for listening on the go, but that may be more than some readers are willing to do. The point is: podcasts are an option, but they are not without privacy risks. Beware.

Conclusion

That’s all there is to it, honestly. Those are all the tricks I personally use to stay educated. RSS is my main option, as it gives me the chance to sort through things on a protected desktop environment at my own pace, but as with everything in privacy that may not be right for everyone. If I missed any tricks (or RSS readers), feel free to let me know. Good luck out there and stay safe!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

I ended up delisting them. So instead, I want to take this week to remind both my readers and myself about the mission behind The New Oil and to make sure I'm staying true to that.

Why Delist Mailbox.org?

Mailbox.org is a perfectly fine service. In fact, I’ve even had some readers argue that Mailbox is a better choice than Proton or Tutanota for… reasons? I didn’t really get their argument, it was confusing and circular, but the point is there is nothing wrong with Mailbox.org. So why delist them? Because zero-knowledge and PGP were not activated by default and actually required some intentional setup on the part of the user. Just as how many critics say that Telegram not enabling end-to-end encryption by default lulls inexperienced users into a false sense of security, I think this falls into the same category. This is not a problem for my more advanced readers, but it can be very confusing and overwhelming for newbies, and while I welcome advanced readers and value your feedback, frankly The New Oil isn’t aimed at you.

The Vision

I’ve once heard it described as “The Grandparent Test.” This doesn’t appear to be a popular phrase, but I think it should be. The Grandparent Test asks “can your grandparents get started and continue using it with little or no help?” I think most of us have at least some firsthand experience with helping someone who is not tech-savvy get started on something. Maybe you had to help fix Excel for your coworker or show your grandma how to send an email. As someone who’s been moderately techy my entire life, I have had many of these experiences. It only got more common as I became a privacy advocate: helping people find Signal in the app store, helping my mom try Matrix, etc.

My goal for The New Oil was and is, ultimately, to pass The Grandparent Test. I mentioned in a recent Decentralize Today blog post that at the time I started TNO, I was not aware of any websites that offered comprehensive, user-friendly information. PrivacyTools.io was – and largely is – a list of tools with no instruction or context. Michael Bazzell is at times too hardcore and makes his money from book sales so the information wasn’t freely available (you can learn a lot from his podcast but it’s still not comprehensive). I couldn’t direct my mother, grandmother, brother, or anyone to any of these sites and say “here’s a starting point to learn at your own pace.” They needed me to translate, which was inconvenient for both them and me. I wanted to create a website that said “hey, you know nothing? Cool. Here’s what you need to know to get started” and people could move at their own pace.

I also wanted to stop there. I know firsthand – and I’m sure many of my readers do, too – that if you try to create a tool that does everything, you end up creating a tool that does almost everything but really poorly. It’s best to create something that focuses on solving one specific problem, and refine that tool until it solves that one problem really well. This is why The New Oil doesn’t offer tips on how to adjust the about:config of your Firefox browser, how to use uBlock’s advanced mode, how to use virtual machines, or any of that stuff (although I would look to create an “advanced tips & tricks” series of videos on PeerTube in the future that covers this sort of stuff). I want to help people who don’t understand digital privacy to understand it and get started and that’s it, no extra information or overwhelming optional stuff. Personally I think I do that well. If you disagree, I recently open sourced the website. Feel free to submit an issue for suggested improvement. So why did I delist Mailbox.org? Because it wasn’t user-friendly. It’s a fine service, and I see no reason that my more advanced readers shouldn’t use it or should switch, but I wouldn’t feel comfortable telling my mother to use it because it would be too easy for her to overlook changing the PGP settings and then having a false sense of security.

Reviews

This also brings up an issue I’ve been tossing around in my head for quite some time: consistency and criteria. During a discussion with one of the community managers of PrivacyTools, they pointed out that I didn’t have any kind of publicly listed criteria for how I decide what tools to list and what tools not to. They made a really good point, and that’s been on my mind ever since. And to their defense, I didn’t really have any criteria. I knew I wanted to go with open source whenever possible (the VoIP section is pretty much the only one that doesn’t meet this criterion), and I mainly base my recommendations on tools that have been vetted and have a good reputation in the privacy community. Of course I did my own research, too, but there was no hard and fast “here’s the rules.” So, thanks in no small part to the feedback from my wonderful Matrix community, I’ve decided to remedy that. I have added a Wiki on GitLab explaining the criteria I use to judge each section and what allows an app to be listed on my site. Furthermore, the review criteria for my twice-monthly reviews are in the process of being standardized and will be posted in each review, as well as being available on the GitLab Wiki. As always, if you have any suggestions, feel free to share.


I apologize. Last month for Mother’s Day I wrote “Mom’s Guide to Online Child Safety,” a post meant to capitalize on the holiday (as I often do). This of course meant that in order to be equal, I had to do something for Father’s Day. While fathers of course love their children just as much as mothers do, I had already done that topic. So instead my mind went straight into the cliché of “cool toys for dad.” I’m sorry. I hate the stereotype of the manly dad who tinkers with tech and power tools and all that crap while mom just makes breakfast and cleans. Women can be techy, too. Nonbinary people can be techy. (And men can cook and clean.) I’ve met girls who know more about tech than I’ll ever forget. All that to say: I apologize for perpetuating stereotypes and gender roles. Gender roles suck and they’re dumb. Moms can enjoy these items as much as dads. I’m sorry for not thinking ahead and playing into the stereotypes. Having said that, I still think this is a cool blog idea worth sharing, so I’m gonna lean into it.

As my long-time readers probably already know, I don’t believe that privacy is an app, product, or service. I think privacy is a lifestyle. It’s about making decisions that protect your data, like “I want to protect my messages” or “I’m going to pay in cash.” It’s not about the app: it’s about the reason for using the app and how you execute the usage. Having said that, apps are fun. Toys are fun. Gadgets are fun. And they’re not always mutually exclusive. There are plenty of apps, toys, gadgets, gizmos, whosits, whatsits, kerjiggers and more that can help enhance your privacy and/or security. Here’s a few such toys that aren’t necessarily “must haves,” but they’re cool and fun and can take your journey to the next level. Many of them will require some work to set up, but if you like a challenge, consider these for your next purchase or gift. As usual, these are in no particular order.

Flashing a Custom OS

Most of our lives are dominated by two or three choices of operating system: Mac or Windows, iPhone or Android. But almost all of your electronic devices can actually be modified with custom, open-source operating systems (OSes) that open up a world of privacy, security, and new features. I will list these in order of easiest to hardest based on my experience.

Desktop

Unless you use highly specialized software, Linux can do everything that a mainstream OS can do: save and open pictures, save and open movies, access the web for streaming, emailing, word processing, you name it. For most people, I recommend Debian as it has the easiest support for common programs like Discord, Slack, and gaming. However, Fedora does offer better security, so if you’re feeling up to the challenge, definitely look into that. It should still be able to support all the common programs, but it may require a little more work. (Even if you do use specialized software, I encourage you to consider dual-booting. I'll discuss that another day.)

Router

There are a few variations of Linux available for various routers. My personal favorite is DD-WRT. According to my research, it has the most support both from the community and the number of routers it can work with. DD-WRT can take even a relatively inexpensive home router and turn it into a pretty powerful enterprise-grade router with pages upon pages of settings and features. You can create a powerful firewall, segment your whole network into VLANs, load up a VPN to cover the network (or certain parts of it), and much more. I’ve had mine since Christmas and I’m honestly still learning my way around it. This should keep you occupied for a while unless you have an extensive background in networking.

Mobile

This is the holy grail of privacy for many. Putting a custom ROM on your phone will remove all the tracking from companies like Apple and Google (unless of course you choose to download their apps afterward) and will remove the “bloatware” of preinstalled apps. My recommended ROM is Calyx OS, which offers a blend of high security and usability. Keep in mind that this won’t make your phone untrackable – your cell carrier will still track your phone via location data – but it will reduce the amount of tracking and telemetry by A LOT.

Honorable Mention: Pine64 Devices

If you like the idea of de-Googled/de-Appled devices but want something a little less risky or involved, consider Pine64 devices. Pine64 sells the PinePhone, PineBook, PineTab, and PineTime for a complete Linux ecosystem replacement for your current smart devices. As an added bonus, there are several community-driven projects that cater specifically to Pine64, meaning that if one operating system isn’t your cup of tea, there’s about half a dozen others to choose from. And they’re all made specifically for Pine64 devices, so they’re almost guaranteed to work and if they don’t, there’s a thriving community ready to help.

Hardware 2FA Tokens

If you’re ready to take your account security to the max and you don’t mind tinkering a bit with configuration, hardware keys are top of the line. You may be familiar with the brand Yubikey, but there are also three open source options called OnlyKey, Nitrokey, and SoloKey. These will take some work to set up, and I always recommend buying them in pairs to keep the second as a backup (configured, of course), but once you have these configured your accounts will be about as secure as you can possibly make them. In fact, this is one way that Google has managed to avoid any major data breaches in all their years: all employees are required to use a Yubikey on company accounts. You can even program your computer to require a hardware key to unlock for the ultimate in device security (and with the OnlyKey, you can do considerably more than with a typical hardware key). You can’t get much more secure than this.

Raspberry Pi

This one is fun. For anywhere between $35 – $100, you can get a microcomputer known as a Raspberry Pi. “What does it do?” you may ask, to which I would reply with “what do you want it to do?” Raspberry Pis are designed to be full-featured computers – they won’t do any video editing or gaming or anything super hardcore like that, but they can do just about anything else a regular computer can do. Do you want your own custom DNS for maximum ad and tracker blocking? Raspberry Pi. Want to self-host your own Nextcloud, Matrix, XMPP, Mastodon, PeerTube, etc. instance? Raspberry Pi. Maybe a travel router? Raspberry Pi. If a computer can do it, so can a Raspberry Pi, and the possibilities are limited only to your imagination. This is a MUST-consider device for any tinkerer, especially those who want more control over their home network or are interested in self hosting.

This is just the tip of the iceberg. Whatever particular part of technology interests you, I encourage you to go out looking for privacy-respecting and open-source alternatives and sink your energy into that. In fact, you may find that a project already exists but needs some help improving and that’s where you can come in. We can all make the world a better place in terms of privacy and security, sometimes just by using these projects instead of their Big Tech counterparts, and sometimes by actively contributing to them. Whatever role you choose to play in that world, I encourage you to go looking. You may be pleasantly surprised at what you find.


Even if you’re not big into privacy or security, you’ve likely at least heard of Signal. The WhatsApp/Telegram competitor rose to mainstream prominence earlier this year, when WhatsApp announced planned changes to their privacy policy and Elon Musk almost immediately tweeted “Use Signal.” Though the app had been around for years, these two factors combined to catapult Signal into the mainstream consciousness overnight, hitting the number one spot in multiple countries’ app stores and even crashing the servers for a weekend. So what is Signal, should you use it (and why, if yes), and how does it rank for those who value their privacy and security?

The Service

Signal is an end-to-end encrypted messenger, similar to WhatsApp or (arguably) Telegram. Based in the US, it was founded by Moxie Marlinspike around July 2014. It allows voice, text, or video chat to any other user (one-to-one or up to five at once) and has a variety of features that might appeal to mainstream users like stickers and GIFs. Signal is based on the Signal Protocol encryption, which I will discuss more in a moment.

The Good

Actually, let’s just go ahead and start there. Signal’s encryption is good. Like, really good. So good that according to the Vault 7 leaks, the CIA has considered pretty much every insane idea to circumvent it because they can’t actually crack it. While Signal has its fair share of detractors and criticisms (some of them valid, many of them not), you can’t knock them for their encryption. It is world-class, and is even used by WhatsApp, Facebook Secret Messages, Skype, and even Google (they know a thing or two about security). The app itself is used by the EU Commission, numerous politicians, journalists, whistleblowers, and law enforcement. Unarguably, you can’t get much better security than Signal.

Setup is – as I like to call it – insultingly easy. Seriously. If you’ve never tried Signal before, go do it right now just so you can see how ridiculously easy setup is. You download it, you basically hit “next” three or four times, and you’re ready to go. On Android, you can even make Signal your default messenger so that if you text another Signal user but don’t know they use Signal, it will automatically make use of the encryption. Actually using the app is also incredibly easy, with very intuitive and plain-English buttons, menus, and options.

Signal is fast, stable, and if you don’t want to use your SIM number (I’ll mention that in a second), you can use a VoIP number with no additional work except that you have to manually enter the verification code rather than Signal pulling it automatically. Messages are end-to-end encrypted by default, unlike services such as Telegram which require you to enable encryption. Perhaps most importantly, Signal as a company has a proven track record of not logging any user data and having virtually nothing to turn over to police when requested.

The Bad

Signal’s downsides are, in my opinion, few and far between. However, they are legitimate and worth noting. One “bad thing” that some people note is that Signal is based in the US. Given that Signal is open source, audited, and has proven themselves to respect user privacy, I personally don’t think this is a big deal. However, the US government is a notorious enemy of privacy. For the vast majority of people, I wouldn’t consider this a reason not to use Signal, but it is worth being aware of what laws Signal is subject to and the hostility the company faces from the government.

The next most obvious flaw is that Signal requires a phone number to use. Phone numbers are as good as social security numbers these days and a quick web search of a phone number can turn up tons of identifying information. While one can use a VoIP number (as I mentioned above), most people won’t (not to mention that this alienates people who don’t have a valid phone number and can’t get a VoIP number). This is a realistic potential privacy and security risk for every user, and while Signal has said they plan to roll out usernames in the future, they’re not here yet and last time I checked there was no real word on when “the future” would arrive.

Let’s address the elephant in the room: the Mobilecoin incident. For those who don’t know, Signal went almost a year between Spring 2020 – Spring 2021 without publicly posting the source code for their server. They continued to share the client source code, and those who examined it found it was still secure; however, the client was very obviously contacting a newer server version than the one that was posted, and Signal refused to say why they hadn’t updated it. Speculation ran rampant about malicious backdoors, government gag orders, and more. It turned out that Signal was laying the groundwork to integrate a privacy-respecting payment platform with a cryptocurrency called Mobilecoin. This move was considered highly controversial for a number of reasons. Among some of the most valid and popular reasons: it was considered highly unethical and shady to keep users in the dark about the server code updates, integrating cryptocurrency can attract unwanted attention from government regulators like the IRS and FTC, and many users expressed concerns about what impact this would have on the security of Signal and the possibility that this was all a “pump and dump” financing scheme. You can find my take on this story here and you can find a (in my opinion somewhat sensational but factually correct) deep dive here. Here’s the takeaway from all this: while this incident – at this time – does not indicate any sort of technical compromise with Signal’s privacy or security, it definitely cast a lot of doubt on them as an organization ethically.

Last but not least, there’s also been a lot of rightful accusations and concerns about Signal’s infrastructure, such as using services like AWS and Google to support their cloud. While – again – there’s no reason to suspect that Amazon or Google have any access to user messages or data, it is understandably troubling that using Signal also means supporting some of the biggest enemies of privacy on the planet by proxy. One could consider this the necessary evil of making Signal reliably available to the masses, but it’s still not comforting. Moxie has also been very strict about refusing to allow Signal to be decentralized or federated, even going so far as to legally pursue and shut down forks that attempt to be interoperable with Signal. Once again, this is done in the name of keeping Signal scalable and reliably secure (if everyone can run their own server, some servers will inevitably fall out of date due to lack of administrative maintenance which will create security risks for everyone involved) but it’s still a ding for people who value decentralization.

Final Verdict

I’ll be honest: I like Signal. The stability, the ease of use, it can’t be matched. I use Signal for 90% of my conversations with friends, family, and even a good chunk of The New Oil conversations. There are never any issues with key exchange, the messages arrive quickly, the call quality is clear, communication is reliable, and it’s just so freaking easy. There’s no easier messenger out there. However, I’m not a Signal fanboy who will defend them to the ends of the Earth. Their opacity during the Mobilecoin incident was inexcusable, and I’ve already gotten all my close family to sign up for Matrix in the event that we ever have to jump ship on Signal (if Session rolls out voice calls any time soon then I’ll move them all to that instead, Session is also easy to set up). I like Signal, but as soon as I see any reasonable indication that they've been compromised, I'm out.

The moral is this: Signal is not a perfect company. To their defense, I’ve yet to find a “perfect” company or “perfect” anything really. They've made some ethically questionable business decisions and they could check more privacy-enthusiast boxes if they did things differently. But they are reputable, proven, and perfect for the masses. If you have a high threat model or like to go to the extreme for your privacy, Signal may not be for you (at least not yet). But for 95% of people reading this, Signal is just fine. They take user privacy and security seriously and they’re easy to use with a plethora of features. I whole-heartedly recommend Signal to most people. If you’re still looking for a messenger, I think this one is worthy of your consideration.

You can download Signal here.


Amazon’s now-legendary “Prime Day” was just announced this week: June 21-22. Much like Black Friday or Cyber Monday, this means sales on lots of items on Amazon’s vast marketplace, and as such many people flock to the giant’s website to get sweet deals on everything from computers to small kitchen appliances and more. But this year, I urge you to resist the allure. Far be it from me to tell you what to spend your money on or where, but in this week’s post I hope to lay out a compelling case for everyone for why Amazon is full-stop evil, no caveats, and is undeserving of your money on a moral and ethical level. Amazon needs to be stopped, and legislation will not do so. Only its loyal consumers – who keep the beast alive – can do that by taking their money elsewhere.

Here are five reasons that you should stop supporting Amazon with your money and purchases.

Amazon Is An Enemy of Black Lives Matter

Do you believe that black lives matter? Do you think police have too much funding, too little oversight, are a tool of an oppressive regime, and/or are a private police force for the rich to keep the poor and minorities in line? Well guess what: up until last year Amazon proudly sold their Rekognition facial recognition software to law enforcement agencies all across the country. Like every other facial recognition software out there, this system was notoriously bad at accurately identifying minorities, including people of color and women. Amazon only stopped for PR reasons at the start of the George Floyd protests, and even then they only issued a “one-year moratorium.” This has since been extended indefinitely, but frankly that doesn’t matter. It’s still just PR. Why do I say that? Because for one, that ban only applies to the US. Amazon is still free to sell their faulty facial recognition services to other countries and industries. Second, Amazon still gives police across the nation unfettered access to Ring doorbells, allowing police to have vast real-time surveillance networks paid for by private citizens who may not even know law enforcement has this sort of access. Amazon is actively helping police spy on and identify – poorly – everyone, even peaceful protesters.

Amazon Is An Enemy of Small Businesses

“Well I think all lives matter,” you may say to yourself, “and I support our law enforcement officers.” That’s cool. If you’re more right-leaning, you probably believe in the free market and you’ll likely be furious to know that Amazon actively crushes small businesses. Amazon has been repeatedly proven to use data gathered from small merchants who use their marketplace to create competing products, avoiding the financial hit of the mistakes that those smaller businesses may have already made in marketing, pricing, or production. Not that it matters, because Amazon can also just use their massive empire to undercut the competition, selling products at a massive loss until the competitor is eventually driven out of business, then bouncing prices back up to profit-making levels once there are no alternatives to compete with. The use of this data in the first place isn’t just the free market sorting itself out, it’s straight up corporate espionage. It’s one thing if I left my job to work for a competitor and said “we learned that our customers respond better to blue than red.” It would be completely different for me to take a copy of all our business records, marketing documents, and passwords with me. That’s basically what Amazon does. They leverage their highly-invasive platform (which is so ubiquitous that to NOT sell on Amazon is practically a death sentence) to harvest sensitive business data and then use their resources to take the hit until the smaller guys can’t anymore and fold. In any other scenario, this would be corporate spying and illegal monopolizing. Even if it wasn’t illegal, I’d have a hard time believing any free-market enthusiast actually has no problem with this.

Amazon Is An Enemy of Human Rights

Maybe you’re an apolitical person (there’s really no such thing and that’s actually a very “privileged” stance to take, but I digress). In this situation, you can probably agree that we’re all human beings. We all deserve to be treated with respect, no matter what. Well, Amazon is unbelievably hostile to workers’ rights. For years, Amazon Prime delivery drivers have been reporting unrealistic expectations like being expected to deliver 200 packages in a 9-hour shift (that’s about 1 package every 3 minutes), missing pay, intimidation, favoritism, and buggy AI tracking their “performance” (even off the clock). Many of them have reported having to pee in bottles to try to stay on schedule. One reported a hospital-worthy injury where he was advised to finish his deliveries (several hours’ worth) before seeking medical treatment. Warehouse workers report timed bathroom breaks and not being allowed to sit down for a few minutes outside of breaks (I’m all about hard work ethic, but you’ve seriously never had a day where you just needed five minutes to gather yourself?). Amazon took it one step further with patented wearables in the workplace to spy on employees and make them work even harder. (For the record, there’s no evidence they plan to roll this out yet, but the fact that they expressed an interest in controlling the rights to this technology is unsettling.) When workers expressed an interest in unionizing so they could force more humane working conditions (aren’t there already supposed to be labor laws in the first place?), Amazon used their powerful surveillance network to spy on and infiltrate those groups and even attempted to put cameras over the ballot boxes to “ensure integrity.” Amazon doesn’t give a crap about their employees, it’s all about the bottom line, and quite frankly I’m surprised they haven’t just moved overseas to sweatshops.

Amazon Is An Enemy of Democracy

“Wow, we really need some regulation on Amazon!” you might be thinking. Yeah, that’d be cool, except that at this point Amazon is more powerful than the US government. Amazon spent $18 million in 2020 on lobbying – for those who live outside the US, “lobbying” is a fancy word for “legal bribery.” I’m not making that up. It started off with good intentions and it does make sense, but it gets abused constantly and in laughably transparent ways that make every American citizen wonder how the hell this practice is legal. Anyways, that’s not the point. Have you ever wondered why the “settlement” amounts in corporate lawsuits are always so obnoxiously low? It’s because corporations hire GOOD lawyers. They can afford to hire lawyers who are field experts and can pay them to focus all their time and attention only on that one company and that one subject/department. Then they can pour even more resources into filing new paperwork, doing research, fighting the case, etc. Eventually the court costs start to pile up and the idea of dragging this out for years and spending millions of dollars becomes arduous, frustrating, and impractical. Look at the recent Home Depot data breach settlement – 10 years later! This is compounded even more when you’re an elected official. “You’ve spent HOW MUCH taxpayer money on fighting over some silly case that doesn’t even concern me – the voter – in a way I can comprehend, when that money could’ve gone to better roads, schools, healthcare, national defense, etc?” The fact is that these cases do matter and do concern everyone, but it’s hard to care when you’re buying new rims because you damaged the old one on a pothole, or when your kid brings home a history book from 1989, or when you work 60 hours a week and still don’t qualify for basic healthcare coverage. Amazon can’t be reined in by regulation because they can outspend the government in time, fines, lobbying, and any other area that they need to. The government has to answer for their tax money spent (in theory). Amazon only has to answer to shareholders and only one question: “how much more money did you make me this quarter?” They can afford to hire lobbyists who shape the laws, and if they fail that they can always drag the court case into oblivion until it just gets settled.

You Are Part of The Problem

Do you remember when Chris Brown beat Rihanna? When that was still top news and I met people who listened to his music, I’d always ask them “don’t you have an issue with him beating up Rihanna?” and without fail they’d always answer “Of course! But I just like his music, I don't support what he did.” Here’s the thing though: it’s impossible in situations like that to benefit without supporting the person in question. Every album purchase, every stream, every shirt purchased, every YouTube view, these are all metrics he can use to justify his popularity and book large venues with large guarantees. Honestly I’d even leverage illegal downloads if I were his booking agent. “They can download a song, they can’t download a concert. Those are potentially paying fans.” The same is true with Amazon. In no way can you give any money to Amazon and NOT be directly contributing to these problems I’ve listed above. Every penny you spend can be directed towards developing new surveillance tech or hiring new sales people to score new government contracts. Every purchase you make says that you’re okay with how things are currently working at Amazon and shows them that you’re willing to spend money there. Even using Alexa is sharing your data, which Amazon then uses to refine their products or serve you more ads (which they get paid for). There is absolutely no way for you to use Amazon that doesn’t tell their shareholders “I’m okay with this. Keep the course.” The only way that we can ever hope to effect change is to force their hand by taking your money elsewhere.

Reality and Next Steps

Look, I’m a realist, okay? I know that sometimes there are things that you absolutely cannot get anywhere else except Amazon (or if you can, it costs significantly more). First off, I’d ask you to weigh your definition of “significantly.” Paying $5 more on a $100 product is not “significant.” Furthermore, depending on your financial situation, paying $5 more on a $20 product may also not be much for you. In these cases, I urge you to take the ethical path and not give in to Amazon. It’s worth paying a little extra for a good cause. Having said that, paying $50 more for a $10 product, that’s understandably different. If you must use Amazon, here are my suggestions: First off, if you already have an account, you’re probably fine to leave it active. Your history will stay there, but frankly if you create a new account, it’s likely to get flagged and suspended, or if you do it wrong Amazon will still trace it back to you anyways. Feel free to keep your current account, but go ahead and make sure you use good practices like 2FA, strong passwords, and forwarding e-mail addresses.

If you’re making a new account, I recommend using a forwarding email address or an old, already very-publicly exposed email address for credibility purposes (like an old Gmail address). I’ve had good success with buying pre-paid Amazon gift cards in cash at 7/11 and using those to make my purchases, however I’ve heard some people have still had their accounts flagged regardless in those situations, so don’t put too much money in right away in case that happens. You can attempt to make new accounts for every purchase (since ideally this should be rare for you anyways), or you can attempt to make one account and just keep topping it up as needed. Michael Bazzell offers more details on what's worked for him on this podcast episode.

Last but not least, I encourage you not only to avoid Amazon itself, but to avoid their subsidiaries, as using them will still contribute to Amazon’s unethical empire. Unfortunately this includes popular brands like Twitch, Audible, IMDb, GoodReads, Zappos, and over 100 others. I know it’s a lot and it can be hard, but as I outlined before we can’t keep hoping someone else will rein them in. It’s going to take a collective, serious effort to hit them where it hurts (the wallet) and force them to start being a more ethical company.

Prime Day is later this month. Please, avoid it.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Two weeks ago, I decided to pit all of the commonly-promoted “privacy-respecting” iOS browsers against each other to see if I could determine empirically which one was actually the most private. Unsurprisingly, within minutes of posting I received feedback. Surprisingly, most of it wasn’t “you suck and you’re wrong because I’m loyal to my browser.” Rather, it was “you forgot one.” Allow me to remedy that situation. This week, I will be reviewing SnowHaze. If you need a reminder of my methodology, you can check the blog in question here.

Privacy Policy

SnowHaze starts off strong out of the gate by claiming to collect absolutely no information about you, anonymous or otherwise. In this respect, SnowHaze easily overtakes Brave to win the privacy policy category.

Winner: SnowHaze

Loser: Safari

Not much to say here. SnowHaze is the obvious winner and Safari is still abysmal.

Browser Fingerprinting

Things get really weird in this section. SnowHaze offers an ungodly amount of granular control over the browser’s privacy settings – which I will discuss in the “Features” section. When aggressively configured, I was unable to run Cover Your Tracks at all, which leads me to assume (without evidence, for the record) that fingerprinting you at all has become relatively impossible for most sites, or at least quite difficult (from what I understand, many common fingerprinting methods rely on JavaScript). However, this also causes significant breakage across many sites. After tinkering for a few weeks, I finally found some settings that mostly work across most sites. The particular settings that seem to matter for testing sites like Cover Your Tracks and Speedometer mostly boil down to the Content Blockers section. At the time of this test, I was only able to disable Fonts and still get a score. Remember that, as always, your results may vary, especially depending on how you configure the vast settings options.

SnowHaze: 17.96

Winner: Safari

Loser: Brave/DuckDuckGo

Based on this score, SnowHaze ranks second worst, just above Safari. However, it’s worth noting that I suspect this score is not truly reflective of my average browsing experience. As I said above, I was only able to get a score by enabling everything except Fonts. In my daily browsing, I usually have Raw/XHR disabled, and often third-party scripts as well. I also have SnowHaze set not to load any JavaScript unless I manually approve it on a per-site basis (another Feature we’ll discuss later). And last but not least, SnowHaze can be set to spoof User Agents, so much like Brave's fingerprint is large but fake, I suspect that SnowHaze works in a similar fashion. While this score seems particularly bad, I suspect it's not.

Browser Speed

SnowHaze: 48.35 (+/–.47)

Winner: SnowHaze

Loser: DuckDuckGo

Once again, I had to severely dial back the number of content blockers I was using in order for Speedometer 2.0 to finish its test without stalling. I assume part of the test includes loading XHR and third-party scripts. From what I understand, this means that with more aggressive content blockers your speed should actually improve because you’re loading less content. Either way, SnowHaze easily comes in on par with or dramatically ahead of Brave, the previous winner, which had a score of 49 (+/–.53).

Features

Alright, this is where SnowHaze really puts the rest to shame. SnowHaze has granular features for controlling the browser that I have never seen before on a mobile browser. While Brave and DuckDuckGo do offer some good features like control over what data is retained, the ability to add protected sites, and stuff like that, SnowHaze goes all out. SnowHaze offers the usual general features like search engine selection and appearance, but also the ability to lock your browser with a passcode, the ability to spoof your User Agent (and to select which agents to spoof), granular history and tracking control, the additional content blockers that I alluded to above (including CSS, third-party JavaScript, fonts, etc.), and even an experimental Tor integration feature (which I don’t recommend, but it’s cool that they offer it). And those are just the highlights. You have the ability to disable JavaScript by default and then enable it on a site-by-site basis, and you can even easily add custom search engines like SearX! Hands down SnowHaze has the most features out of any browser I reviewed for this study, and the amount of control it gives you over your browsing experience makes it laugh in the face of lesser browsers. SnowHaze offers all the same features that any other given browser would and then some.

Winner: SnowHaze

Loser: Firefox Focus

Final Verdict

Winner: SnowHaze

I can think of one situation where I would recommend Brave over SnowHaze: ease. Because of the massive amount of options, setting up SnowHaze can be a bit daunting. The default settings are – in my opinion – not ideal. I understand the desire to create a browser that’s basically ready to go out of the box, but I think SnowHaze could afford to tighten up their default settings a bit and still retain functionality for the average person. Even so, I commonly recommend that any time you set up a new account or download a new app you should make time to go through the settings and tweak them. This means any person downloading SnowHaze for the first time can quickly become overwhelmed by the exhaustive number of options to be examined, interpreted, and possibly changed. Even more so, those settings will likely change as they browse and realize a certain functionality they want/need broke. I personally pretty much only use my browser to surf webcomics and Reddit when I’m bored (which is rare) and to make quick, important searches when I’m away from my desk. Despite that limited usage, I quickly found myself changing settings to make more and more sites work properly as I went, finally finding a mostly-happy medium after about a week or so. The average person may be frustrated by the constant tweaking and want something that just works.

Hands down, I think SnowHaze is the best iOS browser I’ve found so far, and thank you to the multiple readers who alerted me to overlooking it. This has been a life-changing experiment. I highly encourage you to make the switch if you use iOS, and here’s what I recommend: keep Brave for a short time as a fallback. Download SnowHaze, change the settings, get used to it, but until you get it dialed in just right be sure to have a backup for when you can’t afford to experiment to find what’s breaking the site. Once you get SnowHaze dialed in just right, go ahead and delete Brave. That’s what I did. (Well, DuckDuckGo for me, if you recall the last blog, but same concept.) SnowHaze is truly an incredible piece of work. Well done, devs.

Disclosure: I have an affiliate link with SimpleLogin that gives me credit towards my own SL account. You do not have to use this link, I provide a non-affiliate link at the end, and I tried my best to be unbiased in this review.

In this review, I’ve decided to lump both AnonAddy and SimpleLogin into the same review because they’re so incredibly similar in their offerings and features, though I will note any differences between them. I don’t think of this blog as “AnonAddy vs SimpleLogin,” though I’m sure it will help anyone who’s on the fence decide between the two. Rather, I present this as simply two tools you can use to achieve the same protection. I keep referring to AnonAddy first because I’m listing them in alphabetical order.

The Services

AnonAddy and SimpleLogin are both email forwarding services. Having an account allows you to create an email address – such as “f9f24233-d80b-4e17-a689-b7f1d0cc04c8@anonaddy.me” or “panguingue_graphostatic@aleeas.com.” These email addresses then forward any mail they receive to the mailbox of your choice, such as thenewoil@protonmail.com. I highly encourage the use of one – or both – of these services or a comparable alternative (these are just the ones I’ve found that are the most feature rich and seem to be rejected less often on most of the sites I use). The practical reason is that for most of us, email is the central hub of our lives. Everything is managed from that one inbox, from newsletters and Netflix marketing emails to doctor’s appointments, job offers, and important correspondence. The compromise of an email account is the digital equivalent of getting kicked out of your own house. If your email address gets exposed in a data breach – which it certainly will if it hasn’t already – that’s half of the required login exposed, leaving only the password to be guessed for access. This can be mitigated by using strong, unique passwords and two-factor authentication, but the exposure of an email address can still be used in other ways, such as tracking you across the various accounts and websites, leading to stalking by both individuals and companies.

The Good

Both services offer a free tier with premium, paid features. AnonAddy offers Lite ($12/year or $1/month) and Pro ($48/year or $4/month) paid plans, while SimpleLogin offers only a single Premium paid plan for $30/year (or $4/month). In addition, both offer F-Droid apps, as well as Play Store and App Store apps, allowing you to create masked addresses on the go. Both allow you to import your public PGP key, both support the use of custom domains, and both allow catch-all email addresses (meaning if I make up an email address on the spot, that email address will be created and forwarded to me as soon as the first email is sent, without any interaction from me). AnonAddy offers you the option to replace email subjects (so that the true subject isn’t visible, a shortcoming of PGP, which leaves the subject line unencrypted). SimpleLogin supports hardware security keys (like Yubikey) and offers browser extensions for Chrome, Firefox, and Safari. SimpleLogin also offers enterprise solutions if you happen to be responsible for a company.

The Bad

AnonAddy’s apps are fan-made and not officially supported. AnonAddy also has a limited number of custom domains, a limited amount of bandwidth (except for the Pro plan), and a limited number of email addresses you can receive to. The bandwidth thing is probably not an issue for most people, but keep in mind that if your bandwidth is exceeded that means they won’t forward any emails for you for the rest of the month. The bigger issue to me is the limited number of emails you can send and receive – 20/50. While most people probably don’t send 50 or even 20 emails in a single month, it’s something to be aware of if you’re a power user. The drawbacks of SimpleLogin are that it is less feature-rich than AnonAddy (can’t change the email subject, can’t disable catch-all). SimpleLogin’s free tier is also much more restrictive than AnonAddy’s (can’t use PGP, 1 recipient to AnonAddy’s 2). But they do make up for it by offering unlimited bandwidth and unlimited reply/send even on the free tier.
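As an added example (not code from AnonAddy, SimpleLogin, or this site), here is a toy model of the forwarding behaviour described in this review: per-site aliases, a catch-all custom domain that creates an alias on first delivery, disabling (“burning”) an alias once it leaks, and a monthly bandwidth quota that stops all forwarding once exceeded. All addresses, domains and the quota figure are constructed.

```python
"""Toy email-masking forwarder (added example; not any real service's code).

Models the behaviour described in the review above:
  * an alias forwards mail to the real mailbox, which senders never see;
  * on a catch-all domain an alias springs into existence on first use;
  * a leaked alias can be disabled, and its note tells you which site leaked it;
  * a monthly bandwidth quota, once exceeded, stops all forwarding.
Addresses, domains and the quota are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Alias:
    address: str
    note: str                 # which site this alias was handed to
    active: bool = True
    received: int = 0


@dataclass
class Forwarder:
    recipient: str                        # real mailbox, never exposed to senders
    catch_all_domains: Set[str]
    bandwidth_limit: Optional[int]        # bytes per month; None means unlimited
    aliases: Dict[str, Alias] = field(default_factory=dict)
    bandwidth_used: int = 0
    delivered: List[Tuple[str, str, str]] = field(default_factory=list)

    def create_alias(self, address: str, note: str) -> Alias:
        """Hand out a fresh alias and record which site gets it."""
        self.aliases[address] = Alias(address, note)
        return self.aliases[address]

    def disable(self, address: str) -> None:
        """'Burn' an alias: mail to it is dropped from now on."""
        self.aliases[address].active = False

    def deliver(self, to_address: str, size: int, sender: str) -> str:
        """Process one inbound message and return the forwarding outcome."""
        alias = self.aliases.get(to_address)
        if alias is None:
            domain = to_address.rsplit("@", 1)[-1]
            if domain not in self.catch_all_domains:
                return "rejected: unknown alias"
            # Catch-all: the address is created on first use, with no label.
            alias = self.create_alias(to_address, note="catch-all (unlabelled)")
        if not alias.active:
            return "dropped: alias disabled"
        if self.bandwidth_limit is not None and self.bandwidth_used + size > self.bandwidth_limit:
            # The failure mode noted above: over quota means nothing is forwarded.
            return "dropped: monthly bandwidth exceeded"
        self.bandwidth_used += size
        alias.received += 1
        self.delivered.append((to_address, self.recipient, sender))
        return f"forwarded to {self.recipient}"

    def who_leaked(self, address: str) -> Optional[str]:
        """The note on an alias identifies the site that exposed it."""
        alias = self.aliases.get(address)
        return alias.note if alias else None


def demo() -> dict:
    """Walk through the scenarios from the review with constructed values."""
    fw = Forwarder(recipient="me@mailbox.example",
                   catch_all_domains={"mask.example"},
                   bandwidth_limit=1000)
    fw.create_alias("shop.x7q@alias.example", note="Example Shop")
    legit = fw.deliver("shop.x7q@alias.example", 300, "orders@shop.example")
    # Unrelated sender writes to the shop alias: that alias has leaked.
    spam = fw.deliver("shop.x7q@alias.example", 200, "promo@spammer.example")
    leaked_by = fw.who_leaked("shop.x7q@alias.example")
    fw.disable("shop.x7q@alias.example")
    after_burn = fw.deliver("shop.x7q@alias.example", 100, "promo@spammer.example")
    # Catch-all domain: a made-up address works on first delivery.
    catch_all = fw.deliver("newsletter-2021@mask.example", 300, "news@outlet.example")
    unknown = fw.deliver("anything@other.example", 10, "x@y.example")
    # 800 bytes used so far; this one would push past the 1000-byte quota.
    over_quota = fw.deliver("newsletter-2021@mask.example", 300, "news@outlet.example")
    return {"legit": legit, "spam": spam, "leaked_by": leaked_by,
            "after_burn": after_burn, "catch_all": catch_all, "unknown": unknown,
            "over_quota": over_quota, "bandwidth_used": fw.bandwidth_used,
            "alias_count": len(fw.aliases)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```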

Final Verdict

I use both of these services, and honestly I find them almost identical. Being that I consider a custom domain to be a valuable part of a privacy strategy, I think the average user could get away with AnonAddy’s Lite tier ($12/year, $1/month), but SimpleLogin’s Premium will be the better bang for the buck for power users with all the unlimited features. Neither service is bad and they really come down to what you want or need out of them and the price you’re willing to pay for those features you want. I’ve found both to be extremely user friendly and affordable, and I use them pretty interchangeably myself. I encourage you to explore their pricing options for yourself, and maybe even sign up for a free account for both to decide which is best for you.

You can check out AnonAddy’s Pricing here and SimpleLogin’s Pricing here and sign up for each service at their respective websites. If you decide to sign up with SimpleLogin, please consider using my affiliate link. I will not see any information about you, but I will get a few bucks added to my SimpleLogin account if you purchase a paid plan, which means more money I can put toward other The New Oil-related projects. Of course, I understand that not everyone is a fan of affiliate links, so no hard feelings if you choose not to use it. The important thing is that you use one of these services and start protecting yourself.

The “best browser” is a never-ending and often very heated debate that occurs often in the privacy community. When it comes to desktop, it’s generally agreed upon that either Brave or Firefox (with honorable mentions for Tor and Ungoogled Chromium) is best, depending on how you feel about the companies behind each and what you’re looking for. Once you take the debate to mobile, the argument changes considerably, particularly with iOS. One advantage that Android enjoys over iOS is a very relaxed environment. This can be problematic for security, but for privacy it means more access to various apps that typically offer more flexibility and freedom. For example, in Android you can run Firefox with all the same plugins as desktop (and I recommend that). With iOS, you can only run stock Firefox. Even I will admit that without my set of recommended plugins, I’m hesitant to label Firefox the best choice.

So what is the best browser for iOS for those of us who want privacy? Well, that’s been on my mind a lot lately and I decided to finally figure this out myself with empirical evidence. So this week, I downloaded Brave, DuckDuckGo, Firefox Focus, and Safari onto my iPhone 6S and put them through a series of objective tests. I will be organizing each section in alphabetical order (Brave, DDG, Firefox, then Safari). This is not order of preference. Keep in mind that results may vary based on your own device and configuration.

Privacy Policy

I firmly believe that privacy policies are always the best first place to start when it comes to vetting a new app. They may not always be telling the truth, but if Company A has a privacy policy a mile long that basically says “we collect and share everything we can get our hands on” and Company B has one that says “we try to collect and share as little as possible unless ordered to by a court,” that’s a pretty good indicator of where to start. With that said, Apple recently gifted us non-lawyers with a pretty rad little tool called “Privacy Labels.” So let’s start there.

Brave

Brave claims – according to their privacy label – to collect only two pieces of data: “Other Usage Data” and “User ID.” User ID isn’t a big deal as based on Apple’s explanation of the categories, this likely refers to information you voluntarily provide like a Brave account name, but “Other Usage Data” is very vague as Brave doesn’t overtly say in their complete privacy policy what information that details.

DuckDuckGo

DuckDuckGo says it collects “Product Interaction,” “Other Usage Data,” “Other Diagnostic Data,” “Crash Data” and “Performance Data.” The big one here that really bugs me is “Product Interaction” data. While it is useful for a developer to have this information, if one claims to be a privacy-respecting service you have to expect that you’re going to have to do without that data. Again, according to Apple, that includes “app launches, taps, clicks, scrolling information, music listening data, video views, saved place in a game, video, or song, or other information about how the user interacts with the app.” Not very privacy respecting. The crash analytics I don’t really mind – it’s important for a developer to be able to identify why a service isn’t working in order to fix it. “Other” data and “Performance” data are also vague and tip off a small red flag.

Firefox Focus

Firefox Focus’s privacy label is more or less similar to DuckDuckGo’s, just in different categories. As with DDG, I don’t like that they collect “Product Interaction” data. I also don’t understand why they collect “Crash Data” as part of their analytics rather than app functionality. According to Apple, analytics are used to understand how users interact with the app and improve it; functionality would include minimizing crashes, performing customer support, and other such uses that would be more acceptable in my opinion. Then again, maybe Mozilla just didn't know which category best fit and decided it made more sense in analytics. I guess the actual use matters more than the label. A rose by any other name is still a rose.

Safari

The fact that I had to take two screenshots to capture all of Apple’s collected data should tell you everything you need to know right off the bat. Safari offers virtually no privacy, collecting “User Content,” “Device ID,” “product interaction,” “Browsing History,” and even “Coarse Location.” I’m not even gonna bother going into detail here. Safari is obviously out.

Winner: Brave

Loser: Safari

Brave is the clear winner by collecting so little data, and most of it being voluntary. While DuckDuckGo and Firefox Focus aren't as good, they're still miles ahead of Safari's invasive policies. And Apple is marketing themselves as a privacy-respecting company...

Browser Fingerprinting

But protecting your data from Apple is probably the lowest concern, honestly. Apple conceivably could already have access to everything on your device. How does your browser protect you from others? For this portion, I used EFF’s Cover Your Tracks to test the level of browser fingerprinting each browser revealed. I chose this tool because unlike other tools, it doesn’t give you a result based on other visitors – which is obviously a biased result (the vast majority of people don't visit those sites, so you're getting a skewed sample right off the bat) – but rather based on commonly used and known tracking technologies, to give you an objective score based on how many points of data you leak. So in other words: the fewer points of data, the better.

There isn’t much to say about each section, and I didn’t want to go into detailed results, so instead I’ll just list them. Surprisingly, Safari comes out on top here with only 15.7 bits of information. An interesting thing worth noting: when I originally ran this test, I forgot to shut off my AdGuard DNS and tell Firefox Focus not to integrate with Safari, which resulted in a much higher number (16.02, if I remember correctly). So remember that sometimes doing too much makes you stand out more.

Brave: 18.03

DuckDuckGo: 16.03

Firefox Focus: 16.02

Safari: 15.7

Winner: Safari

Loser: Brave/DuckDuckGo

The reason I call the loser here a toss-up is because it turns out that Brave has a built-in fingerprint randomization feature. So while Brave technically leaks more bits of data, that data should – in theory – be different every time, making it effectively useless for tracking. Personally I would prefer my browser simply leak as little data as possible, and if you agree then Brave is the clear loser here. However, if you see the value in a randomized fingerprint – which I think is a clever solution to the problem – then DuckDuckGo is the loser here by a narrow margin.
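To make the “bits of identifying information” score and the randomization trade-off concrete, here is an added example (not EFF’s Cover Your Tracks code, and not from this blog). It scores a fingerprint as the sum of each attribute’s surprisal, -log2 of the share of visitors reporting that value, against a constructed visitor population, and then shows why a Brave-style randomized attribute raises the bit count yet breaks linking across visits. The population figures and fingerprint values are made up for illustration.

```python
"""Fingerprint entropy and randomization (added example; not EFF's code).

SAMPLE_POPULATION is a constructed table of how often a hypothetical
visitor population reports each attribute value. It is not real data.
"""
import hashlib
import math
import random
from typing import Dict, List

# A value nobody else in the sample reports is scored as 1 in POPULATION_SIZE.
POPULATION_SIZE = 1_000_000

SAMPLE_POPULATION: Dict[str, Dict[str, float]] = {
    "user_agent": {"iPhone Safari 14": 0.20, "Android Chrome 90": 0.50,
                   "Desktop Chrome 90": 0.25, "Desktop Firefox 88": 0.05},
    "screen": {"375x667": 0.15, "414x896": 0.20,
               "1920x1080": 0.45, "2560x1440": 0.20},
    "fonts": {"ios-default": 0.30, "android-default": 0.50,
              "windows-default": 0.20},
    "timezone": {"UTC-5": 0.30, "UTC-6": 0.20, "UTC+0": 0.35, "UTC+1": 0.15},
}


def surprisal_bits(attribute: str, value: str) -> float:
    """Bits leaked by one attribute value: -log2(share of visitors with it)."""
    share = SAMPLE_POPULATION.get(attribute, {}).get(value, 1 / POPULATION_SIZE)
    return -math.log2(share)


def fingerprint_bits(fp: Dict[str, str]) -> float:
    """Total bits for a fingerprint. Summing assumes the attributes are
    independent, which overstates the true total; it is the same
    simplification behind a single headline 'bits of information' number."""
    return sum(surprisal_bits(attr, value) for attr, value in fp.items())


def tracking_key(fp: Dict[str, str]) -> str:
    """What a tracker would actually store: a hash over the attributes."""
    canonical = "|".join(f"{attr}={fp[attr]}" for attr in sorted(fp))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def randomize(fp: Dict[str, str], attribute: str, rng: random.Random) -> Dict[str, str]:
    """Brave-style randomization: the attribute reports a fresh, unique
    value on every visit instead of its real value."""
    noisy = dict(fp)
    noisy[attribute] = f"{fp[attribute]}#{rng.getrandbits(32):08x}"
    return noisy


def visits_linkable(visits: List[Dict[str, str]]) -> bool:
    """True if every visit produced the same tracking key."""
    return len({tracking_key(fp) for fp in visits}) == 1


def demo() -> dict:
    """Compare a stable fingerprint with one whose font list is randomized."""
    real = {"user_agent": "iPhone Safari 14", "screen": "375x667",
            "fonts": "ios-default", "timezone": "UTC-5"}   # constructed
    rng = random.Random(2021)                               # fixed seed for repeatability
    stable_visits = [dict(real) for _ in range(3)]
    random_visits = [randomize(real, "fonts", rng) for _ in range(3)]
    return {
        "stable_bits": fingerprint_bits(real),               # about 8.53 bits
        "random_bits": fingerprint_bits(random_visits[0]),   # higher: unique value
        "stable_linkable": visits_linkable(stable_visits),   # True
        "random_linkable": visits_linkable(random_visits),   # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The randomized fingerprint scores more bits than the stable one, which is exactly the “large but fake” effect: the number a tool reports measures how unusual a single visit looks, not whether two visits can be tied together.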

Browser Speed

For my last objective test, I decided I wanted to see what browser was fastest. For this, I used Speedometer 2.0, a general browser speed test developed by Apple that simulates a variety of user actions and measures the speed of various points like CSS, JavaScript, and DOM APIs. The results are measured in “runs per minute” with a margin of error. As with everything on this list, your exact speeds may vary with your hardware and internet connection (I used an iPhone 6S on a gigabit wifi network), but I tried my best to pick a service that would remove those variables as much as possible from the equation.

Brave: 49 (+/– .53)

DuckDuckGo: 54.4 (+/– .81)

Firefox Focus: 53.86 (+/– .5)

Safari: 51.8 (+/– 1.9)

Winner: Brave

Loser: DuckDuckGo

Features

Now let’s get down to some subjective features that are harder to quantify.

Brave

Brave has the unique feature of being built privacy-first. Brave ships by default with an ad-blocker and HTTPS Everywhere, meaning it will automatically upgrade all eligible sites to a secure connection, as well as some light script blocking. That’s definitely something most browsers can’t say. However, the ad-blocking can be easily replicated with the mobile DNS of your choice, and HTTPS Everywhere isn’t really necessary in today’s day and age where 95%+ of the average user’s time on the internet is encrypted. I do have a couple of deal-breaker issues with Brave, but based on my research I think these are bugs (possibly based on my having such an old device) rather than actual shortcomings. First is that I was unable to easily find a way to clear my entire history. I think it’s been removed in the newest mobile version for my device. Personally I view having web history in general as a huge risk. Past malware – both desktop and mobile – and malicious apps have been able to scoop that up before. So for me I value having a browser that will clear my history without me thinking about it. One way to get around this – which brings us to my second issue – is to use Private Browsing; however, as soon as you close and reopen the app you end up back in regular browsing mode. Others have not reported this issue – either the history clearing or the private mode – but this ticket shows that I’m not the only one with this issue.

DuckDuckGo

DuckDuckGo has a few unique features that I actually like, and I don’t really have anything to knock it for. I’m skeptical of DDG as a company overall, if we’re being honest, but they seem to have built a really solid browser. First off, DDG, like Brave, built its browser with user privacy in mind. The browser comes prepackaged with tracker-blocking software, as well as HTTPS Everywhere. In fact, DDG and the EFF recently teamed up to use DDG’s web-crawling bot to make HTTPS Everywhere even more effective and comprehensive – constantly learning via AI rather than occasionally updating with crowdsourcing. And DDG has two ways to clear your browsing data: automatically (upon app exit, optionally with a time delay) or manually with the simple tap of a button. As a neat little UI feature, they also tell you everything they’ve blocked on each site (though Brave does also give you both a site total and an overall total when you first open the app).

Firefox Focus

Firefox Focus is a pretty standard browser with a couple of drawbacks that I could live with but would prefer not to. First the good side: it automatically clears data on close without any prompting, and it offers to integrate with Safari so that anything that opens in Safari will benefit from Mozilla’s tracking protection. The downsides: there are no tabs (you only get the single page you’re on), you can’t download images by holding them and saving them to the camera roll, and Mozilla has straight up said that Focus is a low priority for them, so even though it claims to be extra focused on privacy (no pun intended), it rarely gets updates, which includes the tracking protection lists. For example, the last four update versions at the time of writing were released as follows: April 13, 2021; November 13, 2020; September 1, 2020; and February 26, 2020. DuckDuckGo, by comparison, seems to push out updates at least once per month, usually two or three times. All this to say that while Firefox Focus is not a “hard pass” for me, I don’t think it’s the best choice.

Safari

As far as I’m concerned, Safari only has two things that make it worthwhile: it naturally integrates very well into the iOS platform, and the private mode stays active even when you leave the app. If I set Safari into private mode and close it, when I re-open it, it will stay in private mode (remember that for most users Brave will do this too, but if Brave doesn’t for whatever reason, Safari should). I will still be responsible for manually closing out my tabs, and I will have to enable HTTPS Everywhere via the menu. Likewise, I will need to use an alternate DNS if I want to block any ads. As of iOS 14, Safari does block some third-party trackers, so there is a baseline level of privacy there. The only major ding I can think of on Safari is that the app integration doesn’t preserve Private Browsing. For example, if I peruse Mastodon and see a link I want to click on, the link will natively open in Mastodon but will not open in a private browsing window, meaning that link now goes into my browser history and the data is preserved until I manually go in and clear my browsing data, at which point I also have to switch back to a private-browsing tab.

Winner: Brave/DuckDuckGo

Loser: Firefox Focus

Putting aside the personal bugs I experienced with Brave, I think Brave and DDG both offer competitive results in terms of features: tabs, the ability to clear history automatically, built-in security and privacy features, etc. I think the only small edge DDG has is the one-click burner button that allows you to clear your current session instantly (and maybe the fact that it doesn’t save your history by default, though I guess some people may want to save their history for whatever reason). With Brave you would have to close it out and re-open it to simulate the same effect. Firefox Focus is clearly the loser here as it has almost no features or advantages and in fact has a few drawbacks (the lack of image saving and the single tab).

Final Verdict

Winner: Brave

Brave won the privacy policy section, but only by a thin margin (compared to DDG and Firefox Focus). Safari won the fingerprinting section by an impressive shot, but I think Brave’s low fingerprinting score can be excused when you remember that the fingerprint is randomized every time, meaning that tracking is considerably more difficult and the bits shared may vary depending on the fingerprint used. For the speed portion, Brave blew everyone out of the water. However, I think the features section is where things start to get muddy. Due to the major issues I – and others – have with Brave’s functionality, I do want to list my suggested runner-up: DuckDuckGo. While DDG scored middling results on most of the tests, I found the wide range of features and functionality made it superior to Firefox Focus, and compared to Safari you lose almost no features but gain a massive privacy improvement. If Brave works correctly for you (e.g., clears your history and allows for always-private mode), I think Brave is the winner. But I think DDG makes a very close runner-up and is acceptable if Brave doesn’t work for you for any number of reasons.

“But WebKit...”

There are two main arguments for why you should just use Safari on iOS as opposed to any of the other popular choices, and while I know this blog is getting long, I want to address them here and now.

1) “It’s all WebKit.” Basically, Apple has locked down their ecosystem so tightly – at least in part due to security – that all browsers are essentially just forks of Safari. This is true. But the assumption that follows is that because it’s a fork of Safari, Apple can see anything you do in that browser as well. As far as my research can tell, this does not happen. I was unable to determine if that’s due to Apple’s policies or due to technical limitations, but at this point in time, unless someone comes forward with an empirical, documented case and not just anecdotal evidence or hypothetical conjecture, I’m forced to conclude that this is a non-issue. I don’t like to spend too much time on unsubstantiated “what-ifs.” It makes things paranoid and untrustworthy very quickly.

2) JavaScript. Once upon a time, Apple would hamstring competition by forcing third-party browsers to use WebKit’s older JavaScript engine instead of the newer Nitro engine, which was reserved for Safari alone. This stopped being true as of iOS 8, however. Therefore this is also a non-issue.

Conclusion

The entire idea of a mobile browser is that you use it in emergencies, limited situations, or as an alternative to an app. Ideally, you should use your mobile device as a whole, including the browser, as little as possible. Rather, you should browse on desktop where you have significantly more control over things like blocking JavaScript, using Containers, virtual machines (if necessary), and stronger anti-virus. I realize that for some people that’s not an option, but for those who do have that luxury, use it!

I realize that browsers are one of those areas where everybody’s going to have an opinion. It’s also important to remember that what matters to you remains a critical factor here. In my situation, Brave wasn’t the winner – despite objective superiority – due to bugs. In your situation, you may prefer Firefox Focus because you don’t trust Brave or DuckDuckGo. Some people may be willing to give up some privacy for Safari so they can have the integration or sync across the Apple ecosystem for whatever reason. My goal with this site was never to tell you what to think, only to give you the tools you needed to make an educated decision. You now have some information. Good luck!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Tomorrow is Mother’s Day here in the US. (That was your last reminder to buy a card.) Happy Mother’s Day to all the moms out there! As a general rule, most mothers care deeply about their children and want them to be safe, happy, and successful. And as a general rule, today we are faced with a myriad of threats that we never before faced online, some more likely, more dangerous, or harder to defend against than others. So this year, I’d like to offer all the moms out there some encouragement with a quick guide on how to help protect your kiddos online. This post assumes your kids are coming up on or around the preteen age – basically still at that age where you are heavily involved in their decision making but it's time to start teaching them to be independent.

Freeze Your Credit

This is something I harp on a lot but with good reason. Identity theft of minors is still on the rise and is a hugely lucrative market. Think about it: if your kid is five and I steal their identity, I can open up credit cards in their name that won’t be detected for at least ten years. Credit freezes are non-negotiable – and free – if you’re a US resident. Equifax and TransUnion will require you to create an account, but Experian still uses a PIN-based model. I recommend doing this for your child and holding onto this information until they’re old enough to start doing things like getting jobs and opening bank accounts. You can find more information about the process here.

Operational Security (aka OPSEC)

I’m sure this goes without saying, but this really is the biggest and most obvious thing out there: make sure your kids know not to give any details to strangers. “Details” varies from person to person. For example, saying you’re from New York City is probably fairly safe – there are over 10 million people in the city. Saying you’re in Brooklyn or Mountain View, Idaho – probably less safe. Interests, I think, are probably less dangerous than personal information like real names (especially if the name is unique), dates of birth, schedules, and locations. Again, this is probably common sense for parents these days, but it’s worth saying.
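One way to make the “which details are safe?” judgement concrete is to estimate the anonymity set: how many people still match everything a child has disclosed, and how quickly that number collapses as individually harmless facts are combined. The script below is an added example written for this post, not the author’s or anyone else’s tool. The New York City figure comes from the text above; every other population, probability and the 10,000-person threshold are constructed, order-of-magnitude assumptions, as is treating the facts as independent.

```python
import math

# Constructed reference figures, assumptions for this example rather than census data.
# The post's own figure is "over 10 million" for New York City; everything else is a
# rough order of magnitude chosen to show the effect.
WORLD_POPULATION = 7_800_000_000
PLACE_POPULATION = {
    "New York City": 10_000_000,
    "Brooklyn": 2_600_000,
    "Mountain View, Idaho": 1_000,  # a small town: constructed figure
}

# Probability that a random person matches one disclosed fact (assumptions).
ATTRIBUTE_PROBABILITY = {
    "birth_year": 1 / 80,          # ages spread roughly evenly over 80 years
    "birth_date": 1 / (80 * 365),  # full date of birth
    "first_name": 1 / 1_000,       # a fairly common name
    "school_grade": 1 / 12,        # which grade the child is in
}


def place_probability(place):
    """Fraction of the world population living in `place`."""
    return PLACE_POPULATION[place] / WORLD_POPULATION


def bits_of_identification(probability):
    """Surprisal of one fact, in bits. About 33 bits single out one person in
    7.8 billion, so every disclosed fact spends part of that budget."""
    return -math.log2(probability)


def anonymity_set(place=None, attributes=()):
    """Expected number of people matching every disclosed fact. The facts are
    treated as independent, which is a simplifying assumption: real attributes
    are correlated, so this tends to overestimate the set."""
    p = place_probability(place) if place else 1.0
    for attribute in attributes:
        p *= ATTRIBUTE_PROBABILITY[attribute]
    return WORLD_POPULATION * p


def is_safe_to_share(place=None, attributes=(), k=10_000):
    """Accept a disclosure only if it still hides the child among at least k
    people. k is a policy choice (constructed here), not a law of nature."""
    return anonymity_set(place, attributes) >= k


def compare(profiles, k=10_000):
    """Evaluate several candidate disclosures; returns name -> (people, safe)."""
    return {
        name: (anonymity_set(place, attributes), is_safe_to_share(place, attributes, k))
        for name, (place, attributes) in profiles.items()
    }


if __name__ == "__main__":
    # Constructed profiles mirroring the advice in the post.
    profiles = {
        "city only": ("New York City", ()),
        "borough only": ("Brooklyn", ()),
        "small town only": ("Mountain View, Idaho", ()),
        "city + birth year": ("New York City", ("birth_year",)),
        "city + birth year + first name": ("New York City", ("birth_year", "first_name")),
        "city + full birth date": ("New York City", ("birth_date",)),
    }
    for name, (people, safe) in compare(profiles).items():
        print(f"{name:32s} ~{people:>14,.0f} people  {'ok' if safe else 'too revealing'}")
```

The point the numbers make is the one the post makes in words: a city alone leaves millions of candidates, a small town alone leaves a thousand, and a city plus a full date of birth leaves a few hundred. The threshold is where a parent decides how much company their child should have in the crowd.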

Disinformation

In fact, I would argue that it’s valuable to actively encourage your child to engage in disinformation online. Say you’re from Los Angeles if you’re really from San Diego. Say your name is Jake when it’s really John. If there’s anything we’re learning it’s that disinformation is becoming vital to outsmarting people search sites and data aggregators these days. Not to mention the rampant data breaches which are becoming an almost daily occurrence. It’s only a matter of time before that forum your kid signed up for gets hacked. Train your kids young how to use disinformation effectively and when to use it. And on that topic…

Compartmentalize

This is more something you may want to do with your kids rather than just talking to them and leaving it up to them, but teach your kids the value and proper execution of compartmentalizing. They want to sign up for a new game? This is a good opportunity to teach them how to use AnonAddy or SimpleLogin and Bitwarden. Teach them how to randomly generate usernames that don’t reveal anything about them by using Bitwarden to generate a passphrase and then use two of the words. My recommendation is to have a unique forwarding email, unique password, and unique username on every site, all recorded in your password manager. This will make any potential stalker's job significantly harder – though not impossible.
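Here is that recipe written down, as an added example for this post rather than code from Bitwarden, SimpleLogin or AnonAddy: each site gets its own alias address, a username made from two words of a fresh random passphrase, and a random password, and a final check confirms that nothing is shared between sites. The 24-word list and the alias.example domain are constructed placeholders; a real password manager draws from a list of thousands of words, and a forwarding service hands out the real alias.

```python
import math
import secrets
import string

# Constructed 24-word list, an assumption for this example. A password manager
# draws from a list of thousands of words (EFF's large list has 7776), and the
# entropy figures below depend on that size, so it is passed in explicitly.
WORDLIST = [
    "acorn", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "willow", "yarrow",
]
EFF_LARGE_LIST_SIZE = 7776
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def passphrase(n_words, wordlist=WORDLIST):
    """Pick words with the OS CSPRNG (secrets), never the random module."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def username_from_passphrase(words, separator="-"):
    """The trick from the post: two words of a fresh passphrase become the handle.
    A username is an identifier, not a secret, so low entropy is fine here; what
    matters is that it says nothing about the person."""
    if len(words) < 2:
        raise ValueError("need at least two words")
    return separator.join(words[:2])


def random_password(length=20, alphabet=PASSWORD_ALPHABET):
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, n):
    """Entropy of n independent uniform picks from `choices` options."""
    return n * math.log2(choices)


def new_identity(site, alias_domain="alias.example"):
    """One throwaway identity per site. `alias_domain` is a placeholder: a
    forwarding service would issue the real alias address."""
    return {
        "site": site,
        "email": f"{secrets.token_hex(6)}@{alias_domain}",
        "username": username_from_passphrase(passphrase(4)),
        "password": random_password(),
    }


def reuse_report(entries):
    """Map each reused field to the sites sharing a value. Compartmentalization
    means this comes back empty: a breach of one site then links to no other."""
    seen = {"email": {}, "username": {}, "password": {}}
    reused = {}
    for entry in entries:
        for field, values in seen.items():
            sites = values.setdefault(entry[field], [])
            sites.append(entry["site"])
            if len(sites) > 1:
                reused.setdefault(field, set()).update(sites)
    return reused


if __name__ == "__main__":
    vault = [new_identity(site) for site in ("game-forum", "drawing-app", "chat-server")]
    for entry in vault:
        print(entry)
    print("reused across sites:", reuse_report(vault) or "nothing")
    print(f"20-char password: {entropy_bits(len(PASSWORD_ALPHABET), 20):.1f} bits")
    print(f"two words from a 7776-word list: {entropy_bits(EFF_LARGE_LIST_SIZE, 2):.1f} bits")
```

The reuse check is the part worth keeping around: run it over an exported vault now and then, and any username, alias or password that turns up on two sites is a link a breach of one of them would hand to a stalker.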

VPNs

Normally I say VPNs are a lower concern, but when we’re talking about keeping kids safe I think they’re a bit more important. Realistically, the odds that your kid is facing attention from a sophisticated predator are low, but technology is getting easier and more user-friendly by the day. Something like figuring out your IP address was a monumental task ten years ago. These days it’s as easy as getting your kid to click on a link – which is probably pretty easy. Kids are kids. Even if you educate them, they’ll make mistakes. Keeping your kids’ devices safely behind a VPN at all times will reduce the risk that if they slip up, a predator can grab their IP address and therefore their real location (sometimes accurate within a couple blocks).

Apps

Up until now, I’ve framed most of my recommendations in the context of protecting your kids from predators, but those same techniques can be used to help your kids defend against the ever-growing surveillance capitalist state. One super important thing you can do to help protect your kids is to teach them to be judicious with the apps they install. Kids are fickle and are not prone to thinking ahead. If all their friends are jumping on the TikTok bandwagon, they may want to as well without realizing how incredibly invasive social media and other such apps can be (and also how quickly these fads will blow over. Anyone remember Snapchat? Or Vero?). Create an environment where you talk about every app they want to download, and you can help them see that it may not be worth it, or how to mitigate the risks (e.g., only using Facebook on desktop rather than the app).

Settings

Another major life skill you can teach them is to evaluate the settings on any new account. If your kid wants to sign up for something and you have talked to them and approved it, go through the account settings with them and help them figure out which settings they can safely disable (like public posts). The key there was to go through it with them, not for them. The goal is to teach your kids to be smart, critical-thinking, productive members of society who can look out for themselves. Don’t just make changes and hand the phone back to them. Talk to them about each setting, what are the benefits and risks of each, etc. You’re not always going to be there to make decisions for them. Teach them how to make their own decisions.

Schools

Schools are not immune to the data breach phenomenon. In fact, they’re a big target because they contain so much sensitive information. I don’t know exactly what information is required to register a child in school, but honestly I think you should lie on as much of it as possible. I personally think everyone should have a PO Box if possible, so use that for your home address. Or use the address of a relative who doesn’t have kids (with their consent). Or a local hotel. I realize that one is tricky because it may put your kid in a different school district, so plan ahead there. Put in a Voice-over-IP phone number instead of your SIM number. Recently several schools have suffered data breaches that resulted in information as sensitive as age, date of birth, and home address being exposed. That could make your child a perfect target for a predator and lead them literally right to your home. Make sure to obfuscate anything that might lead a predator back to your child. I also strongly encourage you to make specific email accounts and VoIP numbers for school-related business for this same reason.

School Devices

A big concern with schools these days has become technology and online learning. Schools have begun using Chromebooks as their de facto devices because Chromebooks are cheap, but there are many concerns that this has a “get ‘em while they’re young” effect, turning children into lifelong Google users with a long, ripe trail of data to be harvested. This has become a threat unto itself. There are a lot of questions and concerns about how to use a school-issued Chromebook right, which I addressed in this blog post late last year. If your situation allows, personally I wouldn’t even use the school-issued device. I’d create a virtual machine on your home computer, or use your backup browser (such as Brave or Firefox) for online meetings. Resist the urge to sign up for Zoom or download the app, even if it sounds convenient.

Conclusion

Personally I don’t believe in “the good old days.” I think society has always had problems, even if they were better hidden. We all look back at the past through rose-colored nostalgia glasses. Having said that, I really do think we live in times with a new set of threats to beware of. Not to be an alarmist, but I also think it’s worth noting that statistically, a person is most likely to be victimized by someone they know rather than a total stranger on the internet. It’s a common human fallacy to misjudge what the real threat is or how serious that threat is. But that's not to say your children today don't face a wide variety of threats from both corporations attempting to hook, track, and control them from the get-go and from posting something that could come back to harm them in the future, either at the hands of a predator or at the rejection of a potential job or school. As a parent, it is your responsibility to protect your children and teach them to be responsible, both online and off. I hope this post hasn’t been too alarmist and makes you feel more equipped to know what threats to look for and gives you some starting points on how to mitigate them.


Recently, I posted an article on Mastodon about how the US Postal Service is scanning Americans’ social media accounts looking for “inflammatory” posts, typically relating to plans to attend or organize protests, ostensibly under the pretense of “national security.” The article attracted this short discussion wherein one of my readers asserted that this story was not a privacy invasion – nor even a privacy issue – because the information was posted in a public place – a public social media profile. I do agree with this person to some extent, so this made me think: why does this feel like such an invasion of privacy even though it’s kind of technically not?

The “Expectation of Privacy” is a legal test that began in 1967 with the US case Katz v United States. Charles Katz had used a public phone booth near his Los Angeles apartment to submit gambling information across the country to bookies in both Boston and Miami. What he didn’t know was that the FBI had begun to investigate his illegal gambling and had wiretapped the phone booth without a warrant. This is where things got sticky. The FBI believed that since the phone booth was public, it therefore constituted a public place where you should have no expectation of privacy. However, Katz felt that the phone booth suggested a reasonable expectation of privacy – which makes sense, honestly. The doors close and stuff, who wouldn’t expect at least SOME privacy in that situation? You would certainly be annoyed and offended if some stranger stuck their ear to the door to try and eavesdrop, right?

The Expectation of Privacy test has two parts, and the second part is – I think – what really makes it work: “the expectation is one that society is prepared to recognize as reasonable.” I can drop my pants and start urinating in Times Square and expect privacy, but society doesn’t agree. Just as with debates about crime and legalization of various vices, there are obvious situations where we as a society can all generally agree that you have no expectation of privacy. We all may disagree on whether or not hard drugs should be legal, but we can all generally agree that murder should not be. We may all disagree on whether or not scraping public social media is a privacy violation or not, but we all generally agree that scraping texts without some kind of legal validation definitely is.

Let me back up: this blog post is not here to argue where the expectation of privacy begins and ends. Smarter people than me have spent decades fighting over that and likely will spend decades more. Rather, this post is to argue that what we experience today is not a violation of our expectation of privacy: it’s a violation of our expectation of not being stalked. And that is what bugs me about USPS – or any public (particularly government) entity – scraping public social media posts. It’s one thing for someone to stumble across a violent post and go “whoa, somebody needs to take a look at this.” It’s another thing for someone to look at every post with the intention of finding a problem.

About a year ago, a friend randomly texted me as I was leaving the grocery store to say that she had seen me. My first thought was “how did she recognize me? Everyone is wearing a mask!” Then I immediately remembered I have very unique, prominent, and often-visible arm tattoos. I don’t remember what my reply was, but obviously it wasn’t one of offense. I was at the grocery store in a T-shirt; I had no expectation of being anonymous or not recognized. Just because I wasn’t going around wearing a name tag doesn’t mean I expected not to be seen or noticed. However, my friend didn’t follow me home from there. She didn’t write it down in a notebook and go “1:15 PM: saw Nate at the grocery store on the intersection of Main and 6th.” She didn’t ask me what I bought or why I was there. And this is what makes the abuse of our public use of technology so offensive to me.

In the above story, the USPS is actively scanning people’s public posts and looking for information. This is the issue that I personally have with surveillance, and I don’t think it’s a stretch to assume that most of my readers will agree with me on this. I have no issue with the public space being legally open to scrutiny. If I drive my car down a street, I fully expect that somebody will see it, and maybe even say that in court as part of a witness testimony about something. But imagine if every person I passed on the street posted to a Twitter account saying “Nate’s car was at this intersection at this time,” especially if there's nothing noteworthy happening. That’s different. There’s a huge difference between happening to notice or see something in a public space and actively stalking someone in a public space. And furthermore, there’s a huge difference between saying “I noticed that guy acting suspicious, let me follow up on that” and following up on every person you see even if they haven’t done anything suspicious. As most of us know, if you go looking for a specific problem, you can probably find it.

As I mentioned, I have tattoos. Let’s say someone sees my tattoos and goes “oh that guy’s a thug, he’s up to no good” and begins to follow me around. This may come as a shock to some of you, but I am not a perfect person. If you follow me for long enough, you’ll certainly find me doing something wrong – either an illegal turn, speeding a little over the speed limit, jaywalking to the convenience store across the street, etc. But actually, a stalker could very easily catch me planning arson on any given day at work. I regularly joke at my day job about just burning down the building when the project starts to get stressful or go wrong. I realize that may not be funny to everyone, I have a very dark sense of humor. My coworkers, however, have worked with me for almost two years. They know I’m not a pyromaniac, they know I have no interest in actually burning anything down, and they know I’m just venting, but imagine a total stranger who – again – just says “that guy is sus cause of his tattoos.” Aha! He said ‘let’s just burn the building down, no more problem!’ Clearly he’s planning arson! Context matters. Now granted, this is not a one-to-one comparison. The arson joke is one I only make when there’s nobody around – no clients, no other contractors from other companies, etc – and only to my coworkers. I expect that I have some privacy because I’m being careful where I make that joke. But the point is, if somebody wanted to find illegal behavior from me, they don’t have to look hard to make a case. Probably not one that would stand up in court, but still.

This is what companies do to us every day, and this is what USPS is doing, and I have a lot of issues with this (as you probably do, if you’ve read this far). I have no issues with someone seeing me do something wrong in public and reporting it. I have no expectation of privacy. But I do have an expectation to not be stalked, especially if I’m not doing anything wrong. The ever-annoying “nothing to hide” argument says that if you aren’t doing anything wrong, you have nothing to fear. However, I view it the other way around: if I’m not doing anything wrong, you have no reason to be looking at me. If I’m under suspicion, it should be – and is – very easy to get a warrant to do some digging. And if you come to my door with a warrant, I will begrudgingly let you in. However, I take great offense to somebody keeping tabs on me “just because.” Maybe someday I might maybe possibly do something wrong possibly in some way maybe. So let’s keep a permanent record of this person and watch them just in case. There’s no way that can go wrong.

This is the opposite of freedom. This is a panopticon, and studies have shown that people who believe they are under surveillance act differently. They are more afraid to educate themselves, even on important issues, lest they be mistaken for a troublemaker. They’re more afraid to speak out because it might come back to haunt them. They’re more afraid to stand up for something unpopular that they believe is right. Just because nobody has put a physical gun to your head doesn’t make this any less coercive or threatening. When I step out my door or post something to a public forum, I have no expectation of privacy. I accept that I have no control over who will see me, what they’ll say, who they’ll tell, or any of that. But I think the moment that person decides to target me – to start following me, taking notes, trying to find all my accounts across various sites, and stalking me – for any reason, whether it’s “for my own safety” or “because I look suspicious in some way” or whatever – now we have a problem. I have no expectation of privacy in public, but I do expect not to be stalked.
