The New Oil

Practical privacy and simple cybersecurity.
TheNewOil.org

I try to end most of my blogs on some kind of uplifting “call to action,” either to keep up the good fight, better your own privacy and security, or something similar. I don’t expect this post will end the same way.

I’ve never heard this term before but I’ve certainly experienced it and you probably have, too. Recently, a Reddit user posted about “the privacy paradox.” This user shared their story about how they were discussing user engagement in a Discord server with some friends, so they decided to download the chat history and analyze how much each user contributed to the conversation. Much to the surprise of the storyteller, the other members of the channel took extreme offense to this and viewed it as a violation of trust, expelling the person from the server and even losing some friendships. Yet, as the post points out, this was public information, and information Discord already had. What was the difference between a server member analyzing the data for fun and a random Discord employee reading it for marketing? It was total hypocrisy.

If you’ve been into privacy and security for any amount of time and tried to get somebody to switch to a better service, product, or solution, you’ve likely been met with this exact same type of behavior, though maybe to a lesser reaction. Someone I know had their card number stolen from the PlayStation marketplace last year. When I tried to preach to them the value of privacy.com (referral link) in such a situation, I was met with unbelievable pushback about how this is rare, how normally that person is so good about not saving payment information on any websites, blah blah blah. I kept coming back to “and yet, a mistake was made and it happened.” Why so much pushback on something that’s free and could easily save you so much headache in the future? Rather than having to cancel your card and get a new one sent to you a week later and having to put in your card information every time you pay the electric bill, why?

I have never understood the way some people fight me so hard on my attempts to make their lives easier. I’ve mentioned in the past that the way that I commonly push Bitwarden is by explaining how it makes your life more convenient: “tired of trying to remember your passwords? Use Bitwarden. And as an added bonus, you can make better, more secure passwords.” And yet, somehow I still get so much resistance to just trying it. “Eh, then I gotta import all my passwords and change them all and blah blah blah.” Dude, it’s free! Start by adding them one at a time, change them later. Nobody ever said you have to sit down and do them all in one sitting. And even then it somehow still takes them a month before they go “so I decided to try out Bitwarden… and I love it.”

Normally when I talk about these topics, I share the solutions I’ve found or heard others say worked. But this time I don’t have one. I mentioned in the past that my partner only began to aggressively use Signal and a VPN on her device after being told that the company monitored the WiFi. Despite the fact that I had told her this many times before, somehow hearing it directly from her boss made it real. It was amazing watching my brother attend a local Black Lives Matter protest last year (with his Android phone in his pocket, probably) while still posting on Facebook and shopping on Amazon. Granted, that last one is more about political views than privacy, but the point is that it’s just amazing to me how people are so resistant to change for any reason, whether that’s to make their own lives easier or even just to simply be more aligned with their own ethics.

I grew up Protestant Christian. (That means “not Catholic” for those who don’t know.) A major tenet of Christianity is to proselytize to others: to spread the “Good News.” I don’t really have any issues with this, but I decided real quick what my method of evangelism would be: setting the example, “walking the walk.” Matthew 5:16 says “let your light shine before others, so that they may see your good works and give glory to your Father who is in heaven.” (ESV) In other words, set a good example and others will notice. My style was not to pass out flyers on the street corner or yell at strangers with a megaphone – I hated that back then and I still hate it now – but my style was to live in such a way that people went “wow, you really believe this stuff, let’s talk about that.” Believe it or not, it was quite effective. I had many friends who would never step foot in a church or open a Bible come to me often and ask serious, genuine questions: “What does the Bible really say about X?” “What’s your opinion on Y?” “Why Z?” They knew that I wouldn’t judge them, that I wasn’t trying to force my beliefs on them, and that I was educated enough to give them not only my opinion but also any popular alternate interpretations.

I bring that up to say this: I think the best way to handle the privacy paradox is to be the light yourself. A lot of people suggest a good way to reach your friends and family is to do dumb sh*t like start recording them when you’re together, go through their phones, hack their Facebook, etc. That’s awful. The privacy paradox is very real, and it just proves that your friends – or soon-to-be ex-friends – will think you’re a colossal ass and stop hanging out with you while continuing to use Facebook or Google or Amazon. It’s infuriating, it really is, but it’s beyond your control. You can’t forcibly change somebody’s mind by beating them over the head with your opinions, even if they are right opinions. The best you can do is to let them know where you stand and work on yourself. Hopefully, in time, they’ll ask you about it and maybe you can even sway a few people. This is a topic that overlaps a number of other blogs I’ve written, such as Why Your Individual Privacy Matters for the Wider Population, Why You (Yes You, Reading This) Need to Take the Lead in Privacy & Security, and How I’ve Convinced People Around Me to Care About Privacy.

Ultimately, as I said up top, this blog is not a call to action; rather, it is meant to raise awareness. The privacy paradox – whatever name it goes by – is a real thing that you should be aware of. Your friends may be hemorrhaging data to Big Tech and living in hypocrisy – either out of ignorance or convenience – but that doesn’t mean you should take them up on that lifestyle, whether for a good purpose or to show them the error of their ways. It’s ultimately something you’ll just have to accept. Personally I have a reputation for being kind of a jerk among my social circles: Nate is a guy who will tell you the truth without sugarcoating it. “Yeah, that dress does kind of make you look fat.” “Yeah, you are kind of in the wrong in this argument.” “Yeah, that was a really stupid thing to say/do and you should probably apologize.” I’m fortunate enough that me going “hey, just wanted to make sure you’re aware: Amazon is licensing racist facial recognition technology to cops, so if you’re gonna be all ‘defund the police’ that means you gotta stop using Amazon” is actually a pretty common thing for me to say where my friends will typically roll their eyes and go “yeah, I know” to which I say “okay, just making sure you were aware. You do you.” I don’t keep harping on it, I don’t go “but don’t you see the hypocrisy?” They know that whenever they want to make a change, I’ll be more than happy to recommend alternatives or help them mitigate the existing services. And sometimes they go “oh, actually I didn’t know that” and I can go “yeah, I can send you a few articles if you want.” And that opens the door for us to talk about alternatives to Amazon or ways to reduce their data collection.

I feel like this blog was a little all-over-the-place and I apologize, but when I read that Reddit post earlier it stuck with me because I, too, have seen that mentality in action. Like I said, this post is to call attention to it. It’s a real thing that we have to be aware of as we interact with non-privacy people. It doesn’t make sense and it’s frustrating, but humans are illogical creatures and that means we have to learn how to deal with that fact as we push for change and progress in the future. Live long and prosper, I guess.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Movie Review: Coded Bias

A new documentary about the intersection of technology and privacy has hit Netflix. “Coded Bias” released on April 5, 2021 on Netflix and immediately attracted buzz – it's currently high on the Top 10 (I think #4?) in the US as I write this. Even my partner noticed it and alerted me to check it out. Ironic that Netflix pushed a movie about the dangers of algorithms so hard, but here we are. So how does it stack up? Is it worth watching? Does it tackle the issues well? Is it a good resource for your non-privacy/non-techy friends and family? Here's my thoughts.

About the Director & the Film

The film was directed by Shalini Kantayya, an environmental activist “whose films explore human rights at the intersection of water, food, and renewable energy.” She has a master’s degree in Film Direction, and has received recognition from the Sundance Documentary Program, IFP Spotlight on Documentary, New York Women in Film and Television, John D. and Catherine T. MacArthur Foundation, and the Jerome Hill Centennial. She is a Sundance Fellow, TED Fellow, a finalist for the ABC | DGA Directing Fellowship, and a William D. Fulbright Scholar.

Coded Bias primarily follows Joy Buolamwini, a Ghanaian-American computer scientist and Ph.D. candidate at the MIT Media Lab. According to the opening minutes of the film, Buolamwini first discovered racial bias in facial recognition algorithms when she attempted to make a proof-of-concept art project that relied on the technology. The camera almost never detected her face no matter the lighting conditions – until she put on a plain white mask. This prompted her to dig deeper. The movie follows Buolamwini’s journey and features a number of interviews from experts in the field and real footage of real-life events as she goes.

The Good

I think perhaps the coolest thing to me is the real life, on-the-ground footage of certain events. For example, at several points in the movie, the filmmakers are in London alongside a civil rights group called Big Brother Watch. The group stands outside an area where the police are using facial recognition cameras – clearly marked with signs – and tries to hand out flyers and inform people of the flaws and risks of facial recognition. At one point, the crew gets firsthand footage of a man who pulled his shirt up over his face when he saw the signs as the police follow him and force him to identify himself. Later, a black teenager is pulled aside and ID’d because the cameras falsely identified him in a face match database. Seeing these situations happen firsthand – not through re-enactments or interviews – really got my blood boiling. And that’s good. Humans are emotional creatures. The 1976 film Network is about the media, its sensationalism, and its exploitative relationship with viewers. At the climax of the film, the star makes a legendary speech, at one point declaring “I don't know what to do about the depression and the inflation and the Russians and the crime in the street. All I know is that first, you've got to get mad. I want you to get up right now and go to the window, open it, and stick your head out and yell, ‘I'm as mad as hell, and I'm not going to take this anymore!!’” Personally, I think this is where we are as a society. First, we’ve got to get mad. We’ve got to touch on that human emotion that spurs people into action where we say “enough is enough,” and I personally was blown away at the film’s ability to do that, to show firsthand, real-world, actual situations where algorithms have gone wrong.
Sure, there’s plenty of “think of the bad things that might happen,” but none of that is as powerful as watching a slightly traumatized 14-year-old black kid get pulled over by three plain-clothed police officers who then come back and try to stop the representative from Big Brother Watch from giving the kid a flyer and explaining what the hell just happened. I’m getting mad just remembering it. Let’s move on.

Relating to that previous point, I think the film does a great job of presenting a variety of stories – real stories, not just hypotheticals. They show the two incidents in London I mentioned. They go to an apartment building in Brooklyn that tried to use facial recognition in lieu of keys and to maintain order among residents. They even visit China and ask one girl’s opinion on the Chinese use of social credit and the daily ubiquity of facial recognition. Surprisingly, this girl presents some very positive aspects – I admire a film that can present both sides of the argument. The film then moves to the protests in Hong Kong and shows the dark side that China has used this technology for. The film is obviously overwhelmingly in favor of reining in algorithms and putting some regulation on them, but I still appreciate that they took even a few minutes to show the other side of the argument rather than just painting a biased “doom and gloom” picture the entire time.

The film also makes a point of continuously reminding the viewers that algorithms aren’t just used by police and advertisers, algorithms are used everywhere. They’re used to determine your credit limit, your mortgage, your insurance rates, your employment, whether or not your resume gets seen by a person, and more. I’m glad they drove that point home. A lot of people think of privacy in terms of “well I’ve got nothing to hide,” but the continual reminder of how much algorithms have permeated our culture shows viewers that this does affect you, even if you’re not an activist or a government employee or you live in a good neighborhood.

The Bad

The film is obviously – and ironically – biased. Of course, every documentary is. If you’ve never realized that every documentary you’ve ever seen has been made with an agenda to make you think a certain way, consider this your wakeup call. Every documentary has a spin. Even Planet Earth’s goal is to make you realize how cool nature is and make you appreciate and want to protect it. I think if the film really wanted a more balanced approach, they could’ve spent a little more time explaining the good sides of algorithms. That’s not to say I think algorithms are good – the film very clearly and plainly lays out why they’re problematic with both rhetorical and empirical evidence – but they could’ve done a slightly better job of presenting a less-biased story.

I think my biggest complaint is the pacing. The clips in London that made my blood boil were few and far between. Much of the movie is spent watching Buolamwini stare at a MacBook screen while talking about how she slowly began to realize the amount of control that the algorithms have over us, even in our daily lives and even here in the “land of the free.” There’s a lot of distracting jumping around with camera angles during the interviews, as if attempting to make the film more exciting and feel more energetic. All it did for me was make me motion sick. (Not literally, but it was a bit disorienting.) The first 15 minutes of the film are also painfully slow; it’s not until they get to London that things start to become engaging with the man who hid from the camera with his shirt.

Final Verdict

Despite the pacing issues, I whole-heartedly recommend this film. Force yourself to watch the whole thing, even if you find it boring. The topics covered are incredibly relevant and – as mentioned – permeate every part of our daily lives. There is nobody not affected by this issue, and it’s only in the last couple years that major attention has come to the issues with algorithms – from facial recognition to resume software, and this documentary barely scratches the surface. This technology is being used to score future criminals, rate students, determine college admissions, etc. I sometimes catch heat in the privacy community because I’m not 100% against certain technologies. This technology is a perfect example. It has its uses – I don’t think all possible applications of it are good, but some can be – but it also has a long way to go before even those few good applications are ready. This stuff has some serious bugs that need to be worked out, and until we as a collective society can shine a light on those and have those discussions we’ll never be able to even get that far. This is a conversation that we as a society desperately need to have. For those who are unfamiliar with this subject, I think this documentary is an excellent starting point.

More on the Movie

You can visit Coded Bias’s official website here. It is currently viewable on Netflix.


This will be a short but important post. This past week, I was forced to use my credit for fiber internet. I’ll be moving to a new place shortly, and while we had two choices of internet provider (both terrible), only one offered fiber for this location and I’ve become rather spoiled by my current fiber speeds (my current ISP is not available at the new location). After a couple failed attempts at social engineering, I agreed to go ahead and submit to a credit check. My threat model is relatively low, and I take other measures to protect myself – such as freezing my credit and using a reputable VPN on my entire router – so while I didn’t want to hand over my information I was willing to in this case knowing that my resulting exposure – even in a data breach – would be relatively low and my other options weren’t great. I was surprised to learn that there have been some changes to the credit freeze management process since the last time I did it, and I wanted to make my other privacy-minded people aware of it.

How it Used to Work

If you're unfamiliar with what a credit freeze does or how it works, in short it makes it impossible to open a new account or even check your credit report without being unlocked first. As many of my readers may know – especially if you’ve read my site – it used to be that all three major agencies (Equifax, Experian, and TransUnion) worked the same: you apply for a credit freeze, they send you the PIN, you guard that PIN with your life cause I can speak from experience that replacing it is a long and painful process, and if you ever want/need to unfreeze your credit for any reason – like to open a new account or buy a house – you use that PIN to unfreeze it. I also strongly encourage my readers to institute a fraud alert every year as a second layer of protection as some clever social engineers have found ways around the PIN requirement.

What’s New

Currently, Experian still works on the PIN-based method. You can go to their website and create or lift a freeze without ever creating an account or signing in. Equifax and TransUnion, however, now require you to make an account to manage your freezes with them. It’s an annoying but straightforward change.

What I Recommend

No doubt some will be asking if I think this is a change worth worrying about. Should we stop freezing our credit because we have to make an account? Should we resist making an account? First off, you should still absolutely freeze your credit. The 2017 Equifax data breach proved that these companies have garbage security, do not take your privacy or security seriously, will face absolutely no consequences when they screw up, and you will not receive any kind of compensation or have any recourse (I’m still waiting on my <$10 settlement payment that was agreed to in July of 2019). These companies don’t care about you, won’t protect you, and have no incentive to do so. Take the responsibility into your own hands.

Having said that, my advice is to make your accounts right now for two reasons. First is the fact that these companies already know everything about you and are tracking you. Whether you sign up for an account or not doesn’t change that. Just to clarify: there are ways to severely limit how effectively these companies can stalk you. I outline several on my website, and there are countless other great resources I recommend that expand on these principles and have even more advice. What I’m not saying is “they’re gonna track you and there’s nothing you can do about it,” what I am saying is that whether or not you create an account has no impact on the quantity or quality of their efforts to track you. You have nothing to lose by signing up for an account, but rather you have something to gain: control of that account. Even if you plan to never use your credit ever again, it’s best to plant your flag now. Security expert Brian Krebs describes “planting your flag” as basically making an account so that nobody else can pretend to be you later. This is a perfect example. If you feel that you never plan to use credit again and therefore you don’t need an account to manage a freeze, a criminal who finds your information on the dark web could still theoretically make that account on your behalf and now they can manage your freeze and disable it to open new accounts in your name – classic identity theft. It’s better for you to create that account with an email address you control and a strong password than to risk letting a criminal find enough information to pose as you and take control of that account. Thanks to the 2017 Equifax data breach and public record people search sites, it’s very conceivable that a criminal could find all the information they need to easily create that account and control your credit. Plant your flag even if you never plan to use credit again.

If you do plan to use your credit someday in the future but not right now, I still encourage you to go ahead and make those accounts now that you’ve read this. As I can promise you from my experience this past week, it sucks to want access to your credit right now and be unable to do so. Apparently I had already created an Equifax account and lost the login information, and both their automated systems and humans were unable to verify me so I had to mail in documentation. At the time of writing I’m still waiting for that to resolve. All for some stupid fiber internet. Thank god this isn’t an emergency like needing to replace a car or find housing. Now that you’re aware of this, please make sure to take care of this now before you need it, or plant your flag before cybercriminals do. Also, I don’t normally ask this, but please share this blog around with your American friends and family. This is a change that completely flew below my radar and while I don’t claim to be Mr Know-It-All, if I missed it I’m certain almost everyone else has, too. I’m sure that Equifax and TransUnion made zero effort to broadcast this change. Let’s let everyone know so they don’t get blindsided or caught unaware.

Click here to create a MyEquifax account and click here to create a TransUnion account, or alternately just search for them yourself on your preferred privacy-respecting search engine.


Before the pandemic started, I was a freelancer. And one day at work, my backpack vanished with my laptop in it. My laptop was around $1500 brand new. It has an i7 with 16 GB of RAM, a 500 GB SSD and at the time a 2 TB HDD (which has since been replaced with a 240 SSD that runs my daily Linux driver). For those who don’t speak tech, all you have to know is that when this laptop came out it was almost as top-of-the-line as you could get without buying custom, and even to this day it’s still on the upper side of mid-range. As a freelancer, this laptop was not just my time killer for movies and games, but also a critical tool for my job. I had dozens of programs, video clips, slides, and other things that I regularly used to do my job with the level of excellence that allowed me to be a successful freelancer.

When I got home, I was understandably upset but not for the reasons you might think. I was upset that I would have to go to bed without any background noise (I often use my laptop as a sleeping aid because it automatically shuts down when the battery dies, probably not the best use of it, I’m aware). I was upset that I had to spend over a thousand dollars that I didn’t have to buy a new one – again, because that laptop was also a job tool. But there were other things I wasn’t even remotely upset about. I wasn’t worried about my sensitive emails with clients discussing upcoming gigs, payments, or contracts. I wasn’t worried about my passwords. You see – as I’m sure is no surprise to anyone reading this who’s familiar with me – my laptop was full disk encrypted with VeraCrypt. AES-256 with a randomly-generated six-word passphrase. NOBODY was getting into that computer. Not to mention that by this point in my life I was keeping regular backups and when this happened I was only about a week out of date. In a half hour, I could’ve had 99% of my life back.

Much of the advice regarding privacy and security that I see on the internet is framed in the context of civil rights or government overreach. Most sites talk about how to protect yourself from corrupt (or ignorant) cops at a protest, how to prevent the NSA from spying on you, or how to stop Google and Facebook from stalking you. This is good, and I agree with all of these things. I firmly believe that privacy is owed to you as a human right, that governments often tend to overstep their responsibilities, and that you are responsible for your own protection. But I think that solely focusing on this aspect of privacy and security does a major disservice to the other practical aspects of it.

Quite frankly, people as a general rule suck at abstract thinking. In 2019 an app called FaceApp went viral. It’s a pretty straightforward app – it makes you look like an older version of yourself. How such a simple app went viral is beyond me, but for a few weeks everybody was sharing and posting photos of themselves fifty years from now. But this had an unexpected side effect: it made people start saving for retirement. Most people don’t think about their futures – not in any kind of real, tangible way – but when faced with a realistic age-progressed photo suddenly retirement became a real thing. It wasn’t just some foreign concept the way that a country you've never visited or “the cloud” is, but rather it was an actual upcoming event that could not be avoided and had to be dealt with. This is the same reason I’ve plastered my front page with links about real-world privacy abuses and the consequences of them, so people can see it and wrap their heads around it.

The funny thing is, people are also laughably bad at properly evaluating risk. For example, did you know that in most crimes the victim and perpetrator know each other? A 1987 study found that less than half of all violent crime was committed by total strangers. That’s why cops always look at the spouse/partner when someone goes missing or dies. The last person you texted is more likely to murder you than the stranger you passed on the street. Yet that doesn’t stop us from locking our doors, hiding our valuables in the car, and spending billions of dollars every year in security services, an industry that only continues to grow year after year. In fact, your odds of being murdered in any given year – murdered at all by anyone – are .005%. If we look at home robbery, the odds bump up dramatically to a staggering 2.8%. The average loss is a mere $2661.

But yet, 25% of people are likely to be caught up in a data breach and have their personal information exposed – information which could be used to steal their identity and open bank accounts and rack up fraudulent charges in the thousands or more. In fact, most cybertheft costs over $10,000. 1.4% of people are stalked every year in the US. And what’s our response? Posting more selfies on new platforms. More videos on TikTok. More views. More likes. More comments. “Send me an invite to Clubhouse if you’ve got it!” (Author’s note: don’t waste your time.)

It’s time for a shift in focus. Yes, protesting matters. Yes, freedoms matter. But if we ever want privacy and security to reach the mainstream, we need to start speaking the language of our target audience. I’ve successfully gotten a number of people around me to switch to Bitwarden and literally every one of them has thanked me for it and some have even pushed it to their friends without me having to say a word. How did I manage this miracle? “Forgot your password? Mind if I offer a solution?” That simple. Who hasn’t forgotten a password? Or struggled to come up with a “secure” password that meets the requirements? “With Bitwarden it only takes a few clicks to create and save a secure password and you never have to remember it again.” Boom.

This goes for everything. Sure, encryption will keep the cops out of your laptop. It will also stop the rando who steals it. Maybe they’ll still pawn it, but at least your bank details and porn collection are safe. Same for having a good password or PIN on your phone. It won’t stop a criminal from pawning it, but it will stop them from opening your bank app or messages. Remember how years ago people would post on Facebook that they were going on vacation and criminals would use that to target homes to rob? Being careful on social media isn’t just about privacy, it’s about preventing crime. Not having Instagram isn’t just a moral principle, it’s about not opening the door for cyberbullying or harassment. I don’t think we should ever back down from our moral message of privacy and security. Privacy is a human right, and things can change in the blink of an eye. Often when a dictatorship rises to power, people are punished for sins of the past – things they said or wrote years before the party came into office. But frankly, just that one sentence is hard for the average westerner to come to terms with. We need to start framing privacy in a practical way that makes people realize that it’s not ALL about avoiding the algorithms and thwarting corrupt officials. Sometimes it’s just about not having to remember my password or not having to panic when my computer gets stolen. Those are threats the average person can relate to.

Oh by the way, my computer didn’t get stolen. It got accidentally picked up by somebody who thought it was one of their bags. It was returned to security the same night and they were very apologetic. I slept great with Futurama in the background.


With tax season around the corner in the US, I wanted to do something related to taxes and privacy, but I quickly realized that this is a complex topic with very little wiggle room and I don’t feel comfortable giving people any advice on something that can easily land them in hot water legally. Plus, it’s an even more US-centric topic than I usually post. So here’s my two sentence summary on doing taxes privately in the US: use paper forms and do it yourself. If you need a professional AND maximum privacy, find a tax lawyer and make sure you arrange with them to hire them in such a way that you benefit from attorney-client privilege.

Instead, I decided that this week I’ll deep dive (somewhat) into financial privacy in general. This should be a much more widely-applicable topic to my non-US readers and it’s far less likely to land you in legal trouble. Now please note: this is a deep, nuanced topic. Just in the US alone I could probably write a small book on this topic, so there's no way this post is going to be comprehensive, but I hope I can cover most of the major pillars for most of my readers.

Do You Need a Bank Account?

Let’s start off at the top. Well, if we wanted to start at the very top, we’d have to begin with getting a job. I wrote about my opinions on privacy in the workplace in a previous blog, so feel free to check that out if you need. But let’s assume you’ve got a source of income and now you’re deciding how best to store and use that income. Should you get a bank? My general opinion is yes. While any bank is going to involve surrendering some privacy – you’ll have to hand over a lot of personal information to help them detect and prevent fraud – a bank still offers the best security for your money. At least here in the US, we have what’s called FDIC Insurance, which means any liquid cash you put in an account with that bank is guaranteed up to $250,000. In other words, any cash you store at the bank is guaranteed to be yours no matter if the bank goes bankrupt, burns down, gets robbed, etc. Putting cash under your mattress offers you zero protection against damage or theft and Bitcoin… just don’t use Bitcoin as your primary financial method. If you qualify for a bank account, ninety-nine times out of one hundred that’s going to be the best move for you. I have no doubt that most countries around the world offer some parallel to FDIC Insurance so make sure yours does and go with that.

Big Banks or Small Banks?

Of course, not all banks are equal. Here in the US, we have big national chains like Chase, Wells Fargo, and Bank of America. We also have smaller, local chains. Here in my state, for example, we have chains like Frost Bank or Velocity Credit Union. On that note, we also have banks and credit unions. There’s a lot of choices. As far as big banks vs small banks go, I think that’s a personal choice. Assuming that both are FDIC Insured, typically small banks will value you more as a customer and treat you better. They also make for smaller targets for cybercriminals. On the other side, bigger banks invest more money into cybersecurity because they’re bigger targets, and there is the whole advantage of being a needle in a haystack if you’re being specifically targeted. If I bank with Frost, for example, there are far fewer customer records to wade through to find me than if I banked with Chase. Assuming you’re not being targeted by a technologically-advanced enemy, I would say that the biggest advantage to a national bank would be if you travel frequently. Frost doesn’t exist outside of my state – or at least not that I’m aware of – so if I have to make a deposit or some other in-person banking issue, I have to wait until I get home, and withdrawing money from an ATM will incur a charge. Not so with a bank like Chase which exists practically next to every Starbucks.

Without being too US-centric, I also generally encourage credit unions over traditional banks. They typically have requirements to join – for example you have to work in a certain job field or area – but they offer numerous advantages. In addition to better customer service, they typically have better interest and savings rates and other perks like car insurance discounts with certain companies and stuff like that.

Paper or Plastic

Debit cards are generally regarded as a bad move by both privacy advocates and personal finance experts. Personal finance experts encourage the use of credit over debit – assuming that you’re able to control yourself and not spend too much – because they offer rewards and purchase protections. I’ll get to that in a moment. Privacy advocates discourage the use of both because financial institutions are increasingly tracking customer data for a variety of reasons, such as getting a more accurate credit score for borrowers, offering better services, and predicting consumer habits. These are valid, understandable uses. However, I firmly believe this has a dark side that is only beginning to emerge. In the realm of reality, banks have been known to penalize customers for shopping at “deadbeat” locations like Walmart. Financial information is also used in the UK to attempt to catch people defrauding the welfare system, which can be so extreme that it can disqualify people because they dared to take a vacation, buy name-brand foods instead of off-brand, or treat themselves to a nice dinner. I’m sure there’s also other negative impacts of the privacy violation that I’m not currently aware of. In the realm of speculation, it is a well-known fact that your health insurance rates are higher if you’re a smoker. How long before banks start selling your purchase history to health insurance companies, who then use your purchases to determine if you’re a smoker or not? Or if you drink too much by their standards? Your purchases can be used to determine incredible amounts of information about you, and your habits. I believe – though this is just conspiracy theory on my part for now – that someday the amount of alcohol or types of food you buy will help determine your health insurance coverage and/or rates, the brands you buy will help determine your credit score, and more. All this is to say that the best way to spend your money is in cash. 
Every payday, calculate how much you’ll need and go withdraw that from the ATM. Use that to pay for gas, groceries, and more.

Online & Non-Cash Payments

Sometimes you have no choice but to pay with a card. Some places don’t accept in-person or cash payments, or sometimes you have to buy something online that you just can’t get locally. There’s a lot of options here. Popular options include digital card issuers like Privacy.com, MySudo, Abine Blur, Revolut, and others. I discuss all of these, how they work, and why you should use them on this page of my website. If you don’t qualify for or don’t trust one of these services, the next best option is a prepaid gift card. Visa and Mastercard both sell “Vanilla” gift cards that can be purchased in cash at almost any grocery store or gas station in the US. There’s also gift cards if you plan to use the money toward a specific purchase, like Netflix, Amazon, or Steam. The only drawback to Vanilla cards is that I’ve heard that you’re required to register them online before using them for online purchases. I haven’t attempted this myself, though I plan to in the future. This could tie the purchases back to you, but it’s still a good solution for protecting your actual debit card number and using compartmentalization as a security tactic.

Using Plastic Right

I have always aimed for The New Oil to be a site dedicated to “the average person.” The average person, in my experience, does not have an advanced stalker and is much more worried about identity theft than surveillance capitalism and exploitation. On a similar note, I am a mild personal finance nerd. I love thinking about how to best handle my money to provide the most value for my dollar as well as to create the life I want to live. For example, my partner wants to travel. That’s not cheap. All this is to say that I understand why some people may want to use credit cards. As I said before, personal finance experts recommend using credit cards generously because they offer purchase protection and many of them offer cashback or reward points. The system they recommend is to get several credit cards and use them based on what they offer. For example, if Card 1 offers 10% cashback on gas and Card 2 offers 5% on gas, use Card 1 for buying gas. If Card 2 offers rewards points for buying groceries and Card 1 doesn’t, use Card 2 for buying groceries each week. There are of course caveats to this: pay attention to annual fees, reward terms, and what exactly the purchase protection plans cover; use the credit cards as if they were cash (don’t buy everything in the store when your budget is only $200); and pay them off in full each month to avoid interest. There’s more, but this isn’t a personal finance blog, I’m just pointing out some examples.

With this in mind, I think the average person can benefit from gaming the system and taking advantage of the recommended credit card system at the same time. For example, I mentioned that I believe in the near future we will see health insurance rates and eligibility affected by purchase patterns (among other things). So maybe divide your groceries up into two parts: healthy, generic-brand stuff and others. Use your grocery credit card to buy the healthy stuff and cash to buy the beer. This will create a pattern of transactions showing that you buy healthy food while leaving out the more indulgent parts of your purchases. Or perhaps divide your purchases up by location. For example, if you shop at Whole Foods – first don’t as Amazon is a garbage company – second, put that one on your credit card. Then go to the liquor store or Walmart to buy your beer where it’s cheaper and pay that in cash. (I know I keep using beer a lot as an example, it just seems easiest.) I think there’s a lot of ways you can use this system to your advantage.

Of course, in a perfect world, companies would respect our privacy and not sell our financial information in the first place, which would leave us free to take advantage of credit cards and other financial hacks without risking our futures. But unfortunately part of life means playing the hand you’re dealt, good or bad. I think that for most people this half-truth approach of mindfully using credit cards to both gain points AND create a picture of a healthier, more responsible you is the way to go. This offers the best blend of privacy and functionality in today’s data-driven world. However, for those who want to go full-in on principle – or out of necessity – I hope this post has given you some ideas, approaches, and insight on how to make your money work for you instead of letting third party companies use it as a Trojan horse to steal your data.


When I set out to make The New Oil, one of my goals was to review various products and services in depth to help people make a decision about what tool is right for them. I haven’t done that in a very long while and I apologize. So to start fixing that, for the past month I have been using Mullvad VPN as my primary VPN provider to test it out. Here’s what I found.

The Good

Mullvad VPN is a popular name in the privacy community for a number of reasons. As I began to sign up for an account, several of those reasons immediately jumped out at me. They are based in Sweden, which is a 14-Eyes country, but that's certainly better than 5 or 9. Next, literally no information was required to sign up. Not even a username. They generate an account number for you, and that acts as your login. There’s no email, phone, or anything required. Next is payment. One thing that Mullvad did that I thought was super awesome was they give the option to make a one-time payment, so if you want to just check it out for one month like I did and not run the risk of forgetting to cancel, no worries. They also accept Bitcoin and Cash as payment options, as well as card, PayPal, bank wire, Swish, and vouchers. And of course, the price point is exceptionally reasonable for a VPN – $5/month. Period. No “Premium” plan or anything. $5 gets you everything.

Mullvad is incredibly easy to use. So much so it actually kind of stressed me out. There are no options in the account settings except the options to make a payment, and the apps are incredibly minimalist. They pretty much only offer options like “launch app on start-up” and “notifications.” Apps are available for all operating systems – including Debian and Fedora-based Linux distros – and they even have instructions on how to set up the apps for Qubes and DD-WRT, which was fantastic for me as I use both daily.

Mullvad was also one of the first providers to support WireGuard – a new and highly celebrated VPN tunneling protocol that’s supposed to be faster, more efficient, and safer (because the code is smaller). But you can choose to go with OpenVPN if you prefer something more tested and true.

I didn’t run any kind of speed test, but I didn’t notice any sort of slower performance from Proton (my usual VPN choice) to Mullvad; both seem to function just fine in that sense, both over internet and cell data. Torrenting seemed to work on any server.

The Bad

Let’s address the elephant in the room: Mullvad has a serious server problem. I went through every single WireGuard server in Dallas. Over half of them didn’t connect at all, and of those that did, a few claimed to be routing me through Utah (based on an IP check online). This is concerning, to say the least. When I brought this issue up to them, they admitted that they rent many of their servers (most VPN providers do, so this wasn’t worrisome to me) and as such they often have a hard time keeping their lists up to date.

On that note, Mullvad’s lack of connectivity options was a bit disappointing. You can easily select individual servers or servers based on city or country, but you can’t – for example – say “just connect me to the fastest server.”

On iOS, I also found that Mullvad competes with Lockdown – my firewall app of choice – on VPN levels. With Proton – my usual VPN provider – I was able to run both Lockdown and ProtonVPN at the same time for maximum protection. With Mullvad, I had to pick between one or the other. On that note, I didn’t have a choice of connecting protocols either. I was forced to use WireGuard on mobile. If you’re not comfortable with WireGuard for any number of reasons, that’s not comforting.

I also dislike that split-tunneling was available on Android and Linux, but not Windows, Mac, or iOS (without some technical effort on the user end). Maybe this is a personal thing, but as a Qubes user I don’t worry about split tunneling. Perhaps the only thing easier in Qubes than any other OS is splitting up and configuring your routing any way you want. Rather, I wish I had that capability on Windows, which I use most often for things like Jitsi meetings or gaming.

For those who value streaming, Mullvad seemed to be just like Proton in the sense of how services handle them. In my experience, Netflix is usually pretty VPN friendly – if a bit slow – while Hulu almost never works from behind a VPN. This experience held up with all the Mullvad servers I tried – once again meaning that if I wanted to watch something while working or gaming on Windows, I had to disable the app entirely as split tunneling is once again not available on Windows.

And while we’re looking for things to poke holes in, Mullvad’s subscription only accepts card and PayPal, meaning if you want to continue to use Bitcoin or Cash for privacy reasons, you can’t “set it and forget it.”

Final Verdict

Honestly, Mullvad’s server consistency issues were a huge turn-off to me. I live in Texas, and as such I like using Texas servers. In my experience, they tend to be faster because they’re closer, and I feel like it’s less suspicious if anyone – be it my bank or a troll – checks my IP. Maybe that’s just in my head, but still I like it. The fact that I can pick “Dallas” in the Mullvad app and still get an IP in Utah, that’s unsettling to me. In their defense, it worked with no issue and I have no reason to believe that my traffic was ever unprotected at any time, but it still wasn’t a fun feeling.

Having said all that, my final verdict is that Mullvad is a solid choice for the average person. The service is shockingly easy to set up and use, you can be rolling in minutes, and the price is outstandingly low. The support was fantastic and helpful – if a bit slow at times. And the important VPN features that I would look for in a VPN client for any given person – kill switch, auto-start, etc – are all there. As with most privacy tools, this is purely a matter of what you need it to do and what you prefer. Personally I would say Mullvad is ideal for people who want something that “just works” or for people who want as much anonymity from their VPN provider as possible.

Click here to check out Mullvad for yourself.


I live in Central Texas. While this is not something I parade around typically, I’m pretty sure this is something I’ve mentioned before. This week, in case you didn’t hear, my state got bombarded with days of below-freezing temperature which put unprecedented stress on our power grid. Between that and political ineptitude, long story short: I went 60+ hours with no power and another 73 (at the time of this editing) after that without heat. My apartment never peaked above 45 degrees Fahrenheit until today (it went to a whopping 48). Good times. Only emergency services had power for about four days. Fortunately someone close to me quickly regained power (as they shared a circuit with emergency services) and I was able to go stay with them and get warm and get internet. This is also why there was a two day gap in my article sharing this week and why I’m currently playing catch-up. Sorry.

During the course of this week, I found many things I wish I had done differently, some of them privacy/security related and some not. I will, of course, be skipping the non-privacy related stuff because this is not a disaster-prep website/blog and it serves no purpose here. However, I did want to share the privacy-related stuff that I learned this week. The fact is that we will all almost certainly be faced with some kind of major disaster in our lives if we haven’t already. Whether that’s a winter storm that almost threatens to kill you while your politicians flee to Cancun, or whether that’s a more localized house fire, we will all face something that dramatically alters our lives and affects us, so it’s important to think now about how we can plan for those disasters and avoid or mitigate them now while we still have time. During this snowstorm it was too late for me to buy chains for my tires, but some of the other steps I’ve taken did actually come in handy. So this week, I’m gonna walk through some of my experiences this week and discuss some of the privacy steps I took that helped me and some that I wish I had taken beforehand. My hope is that this helps you evaluate your own practices and decide which ones might cause problems and how to handle that or adjust accordingly.

SIM Data

It began for us at 2 am local time on Monday morning. We know this because we were woken by every fire alarm in the apartment going off in our pitch-black apartment. Our apartment literally gets zero light at night, so we have a few nightlights to help us navigate after dark for things like bathroom or kitchen. So based on the level of darkness, we deduced the power was out. We quickly took the batteries out of the smoke alarms, ensured there was no actual fire, and went back to bed. At the time we had been warned of possible rolling blackouts so we didn’t think much of it. Then we woke up in the morning and things got bad. Power was still out. We quickly piled blankets on the bed and began to trap all the heat we could in the room. We have a ball python, who we quickly moved into a shoebox and put under the covers so she could stay warm with us. As I write this story, I realize that this is where the first major lesson comes in: SIM data.

I long for a world where my phone doesn’t spy on me, and in many cases I’ve considered just not having a phone altogether. Well, after this week, that fantasy is out the window. When the power died, so did the internet, which meant that I would’ve had zero communication with the outside world to know what was happening, why I had no power, when to expect it, or eventually where to go for reprieve. So I guess my lesson here isn’t “you must have a cell phone,” but I do think you should have cell data handy if possible. Maybe have an emergency prepaid SIM card in your closet that you can quickly toss into your phone if the power goes down. It’s important to have a way to communicate with the world if the internet is not accessible.

Cash

The next thing we did right was cash. As the temperatures began to plummet, it quickly became obvious that our only choice was to lay in bed and be warm. As such we began to eat less, because our choices were “stay in bed and stay warm” or “freeze over and eat then warm back up.” This resulted in us eating less both in volume and frequency. I visibly lost weight in just the couple days we didn’t eat. When the worst of the storm was over and the stores began to reopen, they didn’t have power and they were running cash only. Well fortunately, one disaster-prep thing I have done is to have an envelope safely stashed in my apartment with emergency cash. This meant that when the stores reopened, I didn’t need an ATM. I had cash ready to go down and shop. I know this probably isn’t healthy but due to the circumstances when we did eat, we wanted to eat things that were ready-to-eat, light, and easy to eat. This meant canned soups, protein bars, Pop Tarts, and pretty much anything else that was quick and easy. I often preach on my site to use cash. Well, this is a time when having cash on hand was king.

Self-hosting

The first thing that went wrong was Nextcloud. I self-host my own Nextcloud server in my home, which meant from the moment I woke up on Monday I was dead in the water. This is not a critical thing in my case, but I remember wanting to take notes about things that we should buy or do to help this situation in the future as it came to me and realizing that I didn’t have that option since my server was down.

Direct Communication

Around day 2 was when I first heard rumors that the power grid might fail completely and that cell towers might be next on the chopping block. Fortunately these rumors turned out to be untrue, but this was when my next privacy failure came to light: I had failed to find a peer-to-peer messenger in case the cell towers ever went down. Unfortunately at this time I don’t have a solution for this. I’ve been told that Briar is P2P, but it’s Android and Desktop only, so as an iOS user that doesn’t do me any freaking good. I experimented with another app called Jami but it appears to require cell data. I’m currently on the prowl for a good solution there. I’m still not sure if this would serve any purpose. I suppose if my message can bounce far enough then maybe I could get an outsider to relay news to me, but really this doesn’t serve much purpose other than to make sure my partner safely got to the car to get warm. Either way, this is something that’s now on my radar more than before.

Knowing the Neighbors

Another personal weakness of mine that fell through the cracks was getting to know my neighbors. Personal networking coach Jordan Harbinger has a phrase: “dig your well before you’re thirsty.” Getting to know your neighbors is a double-edged sword. On the one hand, it provides great security and community. Neighbors who know you can be asked for favors, like “Hey we’re going out of town, can you keep an eye on our place for burglars?” or – potentially in our case – “hey do you have any firewood?” On the other hand, getting to know your neighbors can potentially be a privacy risk, and trying to make up an entirely fake persona or name with them can be very difficult for some. For me, I’m simply an introvert. As long as I had a computer and internet, I never saw a need to get to know my neighbors. I’m not sure knowing my neighbors would’ve actually helped in this case, but I don’t think it could’ve hurt and it’s something I’d like to experiment more with in the future.

Privacy Was Not Paramount

The most important thing that stuck out to me was that privacy didn’t matter. I didn’t have the VPN on my phone for days so that I could maximize battery life and get notifications in a timely manner. I used my SIM card number to make phone calls to – again – save battery and maximize efficiency. Not to be dramatic, but this was literally a life-or-death experience. At least a handful of people in our area did die from hypothermia, at least one of whom was not homeless from what I understand. Several more died in house fires trying to keep their homes warm and others died from carbon monoxide poisoning. The last thing I gave a f*ck about was privacy at that moment.

This may seem anathema to some. There are some serious privacy extremists out there who treat privacy as the end-all be-all, more important than gold or convenience or family or even job opportunities. In some cases and instances, that may not be a bad call. I’d rather give up a mediocre job opportunity that doesn’t respect my privacy so I can get another mediocre one that does. I’d also rather cut out a relatively crappy friend who won’t use Signal than keep them on SMS. However, there is a line. That line varies from person to person – which is a blog I plan to post another day – but there comes a point where you have to put privacy aside and be a functional, decent human being. I hope you never face a life-or-death situation that forces you to make that call, but you will probably be faced with choices in your privacy journey that make you pick between X and privacy. And sometimes, it’s worth it. Again, I’m not here to tell you where that line is. Privacy is a human right. But so is heat and food and water. Don’t get carried away with privacy to a toxic degree.

Conclusion

As I said before, this was a learning experience for me. I firmly believe that everything in life – or nearly everything – is a learning experience if you let it be. I hope you’ll learn from my experience and find ways to harden your own private life and prepare for the worst. One resource I recently added to my site that I found helpful in the area of preparing your digital life for redundancy is The Personal Digital Resilience Handbook. That might be a good place to start if this is new to you. Either way, take this time to examine what the shortcomings in your privacy and security strategies are and how you can patch those up now before the snowstorms hit.


If you’re like me, you probably lived a very long (in digital terms), very public life before getting into privacy and security. That means now that you’re into privacy and security, you’ve got a long trail of old, unused accounts either from old services you stopped using (raise your hand if you still have MySpace) or from services you tried out and never came back to. So this week, let’s talk about how to find those old accounts and what to do with them.

Why Does It Matter?

Before we dive in, let’s talk about why you should bother finding and neutralizing old accounts anyways. The short answer is because these accounts are a risk. If you created these accounts back before you were into privacy, they probably contain a lot of personal information about you like family members, friends, where you live/lived, your lifestyle and interests, pictures of you, and so on. This information can be abused for anything from stalking to social engineering and identity theft. Furthermore, social media scans are now considered a common part of employment background checks. I don't know about you, but I would hate to get passed over for a job for something dumb I posted five years ago that I might not even believe anymore.

As I often say, you should treat anything you post online as public record. Data breaches are a thing. 2020 saw an average of 7 million records exposed per day – a “record” being a data point such as a name, date of birth, or email address. This means that the longer you have those old accounts sitting out there, the more likely they are to get swept up in a data breach, exposing old messages, photos, email addresses, and passwords. And again, since those accounts were probably made before you were into privacy and security, that means they’re probably using a weak password that you’ve reused on other sites, opening the door for a domino effect of stolen data, phishing scams, and stalkers. So yes, you should attempt to find and close as many of your old accounts as you can.

Seek…

In order to close old accounts, you must first find them. You can probably remember many of them just by thinking back on your life and remembering the services you used to use. MySpace, LastFM, LiveJournal, Tumblr, Yahoo, these are just a few services that enjoyed a period of large popularity but have since declined. They may not be gone, but they’re not what they used to be. Going through your head and looking back on your past will probably remind you of some of the more prominent ones. But what about the ones you forgot?

There’s two main ways of finding old accounts. As much as I discourage the use of Google, I think they are probably the best search engine to use for this step. If you’re like me, you probably had a small number of usernames you used almost exclusively back in the day. Start by going to Google and searching those usernames in quotes, one at a time. The quotation marks are important, because that tells Google “only search for this exact thing and show me exact matches.” Once you’ve started running out of relevant search results, do the same thing but this time with your email address(es). This will likely turn up any other accounts that were not username based.

Often times, especially if this is the first time you’ve done this, this will probably bring up several of your accounts. Make sure to dig deep. Don’t stop at page 1, I recommend going to at least page 5 or 10 depending on how large your internet presence has been in the past. Just keep going until you go through a couple pages in a row of results that have nothing to do with you. This strategy will also likely bring up your personal information – like full name, address, and phone number – on a lot of people search websites. This is something I plan to talk about in the future, but for now this falls outside the scope of this post. If you're freaked out and feeling the urge to act immediately, I recommend this workbook from Michael Bazzell. It’s the same one I use every year to check for and erase my own data.

...and Destroy

Once you’ve found these old accounts, you’ll probably be able to easily log into them. After all, you probably used the same easy-to-remember weak password (or variation thereof) all over the place. Once you’re in, it should be fairly easy to navigate the account settings and find a “delete my account” option.

Should I Blank My Information First?

There’s a lot of debate in the privacy community about whether you should delete your old data first or if you should just go straight to the account deletion option. I think for most people, just immediately deleting the account is plenty fine. If you have a history of stalkers or a similarly higher threat model (or you simply want to go the extra mile), it may not be a bad idea to erase all the information or fill it with false information first and let it sit for 30 days before deleting it. I certainly don't think you're hurting yourself or exposing yourself to any extra risk by doing so.

What if I Can’t Delete My Account?

Some websites make it a nightmare to delete your account (cough Amazon cough) but if you’re positive you’ll never use the site again (or you can easily re-sign up if needed), I encourage you to go through this process. On the other hand, it’s rare but some websites won’t allow you to delete your account even after contacting customer service. If you live in Europe you can try to pull the GDPR card, but personally I think at that point there’s a better solution: paint the walls, lock the door, and never look back. If a service refuses to let you delete the account, empty it as much as you can. Delete names, bios, pictures, emails, everything you can. If something can’t be deleted, then replace it with fake information – a black box instead of a photo (or a photo of a dog, not your dog), a fake name, a forwarding email address, etc. Finally, change the password to the longest, most complex password the service allows, log out, clear your cookies, and forget they exist. It may not be a bad idea to hold onto that login information just in case. Regardless, the point is to make your account useless to anyone who looks. Stalkers won’t find any useful information about you. Cybercriminals won’t be able to get into the account. As time goes on, any real information they may have had about you will become more stale, so even if they suffer a data breach the exposure will be minimal. It should be noted that this is not good advice if you’re facing a highly advanced and dangerous adversary, such as being actively targeted by a government, but for 90% of my readers – the “average person” – this is a perfectly good solution.

When Not to Delete Accounts

Real quick, it would be remiss of me not to note that there are times I don’t recommend deleting your accounts. I was a Google user for over ten years. I made the privacy switch several years ago and I still get the occasional email at my Gmail address that I want: an old account I found that needs to be deleted, an old client looking to reconnect, etc. I don’t ever recommend deleting any accounts you used for contact, two-factor authentication, professional or official purposes, or that you actively used for long periods of time. I do recommend changing the information in those accounts – removing names and such – using strong passwords and two-factor on them, and changing how you use them (ex: that Gmail account forwards to my new primary email account and then deletes the message in Gmail. I respond from my primary account, cutting Google out of the picture entirely). You run a serious risk when deleting such important accounts that you may need them for something important at a later date. Make sure not to burn any important bridges.

Moving Forward

I preach privacy and redundancy. That means having multiple accounts in case something goes wrong with one of them. I have both ProtonMail and Tutanota. I have several messenger apps and accounts, and multiple VPN services. This is in both my personal life AND my life as The New Oil, so I’m not necessarily preaching digital minimalism. As we move through life, new, better services will pop up. Existing services will discontinue or become less desirable for any number of reasons. That means we will constantly be making new accounts and abandoning old ones. The trick is to move forward responsibly. If you make an account with a new service to test it out and end up not using it, be sure to erase it. If you move on to a new service and decide not to keep the old one for whatever reason, be sure to erase it. Stay on top of your stuff so that you can be future-proof. Don’t let past mistakes come to haunt present-you.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

It’s February, and among other things worth celebrating, that means in some parts of the world it’s Valentine’s Day. Also it’s still fairly early on in the year, which means many people are making promises to themselves to find love as a new year’s resolution. And of course, with the ongoing global pandemic people are turning to dating sites and apps in unusually high numbers. So if you’re reading this, there’s a good chance you either already have or have considered using online dating in the form of something like Tinder, Match, eHarmony, or other. Let’s talk this week about how to use online dating safely.

Picking a Service

There’s no shortage of dating services these days, each with a different target demographic and set of features. My recommendation would be to first start with a service that offers a desktop website rather than strictly a mobile app. I’ve covered numerous times on my site how apps are dangerous – they have a lot of access, and they almost always track you in invasive ways that get sold to advertisers. They can also be a serious attack vector for malware or data leaks. So start off by picking a company that lets you opt out of the app. It also couldn’t hurt to check the privacy policies and attempt to find the companies who most respect you, but I think just avoiding apps – combined with some of the other general browser advice on my site – will keep you pretty safe from most of the basic privacy invasions. And if you really think you need the app, I just want to point out that it’s a bit of a red flag if the person you’re chatting with can’t wait a few hours for you to return when you’re away from a computer. (If you don’t have a desktop and you must use the app, remember just to give it as few permissions as possible or disable them after using them – ex: upload a photo then revoke photo/camera access.)

Signing Up

This goes for just about any website, but extra so for dating websites. So you’ve picked the service you want to use and you’re ready to sign up. Start by creating an account with AnonAddy or SimpleLogin and use that as your email address to sign up. Next, use a password manager to create a strong password for your account. Once you’re in, also be sure to turn on two-factor authentication. We’ll talk more about account settings in a moment.

Filling Out Your Profile

Next you’ll probably be prompted to put in some information about yourself. This is where you need to think critically. If it’s a site that requires a real name, I recommend using a common nickname. For example, Alex. If you’re a girl, that means your name could be Alexandria, Alexandra, Alex, or other. If your name is spelled uniquely, like Alyx or Alecz (yes, I’ve seen both), spell it wrong (“normal”) on purpose. If your first name is unique and can’t be shortened to something common, use your middle name. I’ll talk about coming clean later. If the site asks for a username, randomly generate one. Have your password manager generate a passphrase and pick the first two words it comes up with.

When it comes to information about yourself, be honest but cautious. I mean, you’re here to find someone you want to spend (presumably) the rest of your life with, right? Why would you sabotage yourself here? Talk about your favorite books, movies, TV shows, hobbies, etc. Privacy Pro-Tip: this is a great place to start laying the foundation for your potential partner to brace themselves for your privacy-focused lifestyle. I used to word it something along the lines of “I’m really into cybersecurity, so if we end up hitting it off I’ll probably want to use an encrypted messenger like Signal at some point.” There’s a million ways to word this. We’ll talk about that switch to encrypted messaging later, too. Here’s the important thing: do NOT list any super personal information. “Super personal information” in this context includes where you work, where you went to school, or even your exact neighborhood. WHAT you do and GENERAL information is totally cool. “I graduated from a 4-year university and majored in computer science” is acceptable. “I went to X University and got my BS in Computer Science” not so much. “I work in technology” or even if you want to get specific and say “I make security software for businesses,” also okay. “I work at XYZ Corporation,” not okay. Remember that you have to give this person SOMETHING to work with. I ignored all profiles that said stuff like “ask and find out” or were just plain blank or too vague. It's just too much work to try and find common ground when you have literally nothing to start with. There’s plenty of middle ground in between leaving your profile blank and oversharing.

Last but not least, your photo. For dating sites, personally I think it makes sense to post an actual photo of yourself for numerous reasons. Here’s my advice for that: first, TAKE A UNIQUE PHOTO! Don’t reuse a photo you have lying around, especially if it’s been posted online before. Google claims they don’t use facial recognition in their image search, but they do look for other places that exact image has been posted before. Second, be aware of what’s in the picture. Don’t post pictures that have your work shirt with the logo visible, show off the skyline outside your apartment, have mail with your address or real name lying in the background, etc. And make sure that if it’s a photo with you and another person that the other person has consented to you using their image, otherwise use GIMP and blank out their face. (You don’t want the person you’re talking to to accidentally think you’re them anyways.)

Using The Service

So now that we’ve made a profile and we have access to actually start using it, there are some additional considerations. First off, check your account and profile settings. As I mentioned before, you’ll want to enable 2FA, but also there’s usually a ton of default settings you can change that make your profile more private (from the site, other users, and non-users alike), disable some of the more generic tracking features, and opt out of annoying “features” like email notifications. Go through each setting carefully, read and understand it, and respond accordingly.

Some of the more respected dating sites will require payment, like Match and eHarmony. If that’s the case, remember to use a payment masking service or prepaid debit card to make the payment. You should always view any digital information – especially dating sites – as data breaches waiting to happen. Don’t give these people your real card number.

Finally, related to the point above: treat any information you put on this site as public record. If you and your new date start hitting it off and getting steamy and you want to trade some pictures, first get consent. Second, assume that picture will be made public. Maybe you’ll get lucky and it won’t. But you never really know if the person on the other end is gonna screenshot it and share it around, if the site will suffer a data breach, or if a rogue employee (an increasingly common problem) will peruse messages looking for stuff exactly like that. That goes for anything from your Netflix password to your personal information and images. Be careful what you share! Even if the person you’re talking to is trustworthy, there may be other eyes who aren’t.

Meeting Up

I would be remiss if I didn’t include a short section about getting together in person. When it comes time to meet up, I would be more concerned for safety than privacy. You may be familiar with some of these tips, but here they are in case you aren’t: meet up somewhere public first – a bar, a restaurant, a movie theater, whatever. These days you could even go with a park, a store (window shopping is fun), a fast-food place, etc. Tell someone close to you where you’re going and when you expect to return. If you may not return, arrange a check-in time. “Hey, if you haven’t heard back from me by 9 am, get worried.” Tell them who you’re seeing and whatever contact info you have about them. I know this is dark, but you gotta think worst case scenario. If you don’t come back, having that information gives investigators an automatic lead to start with. And finally, as with everything in life, pay in cash. I once had someone overhear the server at a social function call my real name when trying to return my debit card. Fortunately that person kept my secret but it just reminded me how through no malicious intent or fault of anyone that information can easily get shared.

Coming Clean

Okay, let’s say you guys have been going out for some time and you’re really hitting it off and you think they might be the one. How do you handle telling them you’ve been lying all this time? Short answer: by not lying and laying the groundwork early on. Remember how I said “mention your privacy lifestyle in your profile?” When you do that, you’re already planting the seeds that you care about this stuff. So after a few successful dates, say something like “hey, remember how on my profile I said that thing about encrypted messengers? Well I think things are going really well and I was wondering if you’d be willing to download Signal/Matrix/XMPP/Session/whatever and use that when talking to me. I’d be more than happy to help you set it up next time we see each other.” In my experience, I have never been met with a no.

“Okay but Signal is one thing, what about when they find out I’ve been lying about my name?” Also easy: you haven’t. “Hey, just so you know, I’ve actually been using my middle name. My first name is X.” LOTS of people go by nicknames or middle names, either because they don’t like their real name or it’s too hard for people to remember or spell or whatever the case. I don’t recommend lying and making things up. If you’ve never had a stalker before, don’t say you have. But if you have, feel free to use that as an excuse (even if that’s not actually why you got into privacy). Again, in my experience, I’ve never had anyone feel betrayed or lied to. I promise you, 90% of people don’t care and if that’s enough to make this person dump you, they weren’t the right one anyways.

If your relationship becomes seriously long-term, living together and being married is a challenge to navigate. The most important thing is to communicate. My partner respects that I value my privacy, and while I’ve gotten her to be more privacy-conscious she’s certainly nowhere near on my level. Whenever I do ANYTHING privacy-related that might impact her – such as putting a VPN on the router – I always communicate with her. It usually goes something like this: I say “hey, I want to do this thing.” She goes “okay, why?” I explain the privacy or security benefit. She goes “okay, will that impact my ability to do X? (use TikTok, watch Hulu, etc.)” I respond with “from what my research tells me, it shouldn’t. But if it does I can make adjustments.” I work with her to find out when is the best time for me to implement this thing so that I’m not adding more stress to her during a stressful time or messing up her days off. Once it’s implemented, I ask her to test the apps or whatever she was worried about. If they break, I disable my change and do more research. If they work, I tell her to tell me if that changes and move on to the next thing. All that to say: communication. She respects that I value privacy and I respect that she values convenience. We’re open and up front with each other and we work together to find the best balance. (Even if it means I have to spend a week researching smart TVs when the last TV show I watched was ten years ago.)

Conclusion

I’m sorry this blog post ran long this week, but there was a lot of ground to cover. If I had to sum it up, I’d say this: use the same good internet habits like strong passwords and being careful what you post, don’t lie to people but learn to blend in, and if things work out be sure to communicate openly. Relationships require trust, and I’m not saying to give out your social security number on the first date but if you can’t grow to trust that person then you shouldn’t waste their time and risk yourself. As you grow with and closer to someone, you should grow to trust them, and that means adjusting your threat model and letting your walls down – to some extent – to let them in. A potential partner is no different than a potential privacy solution you’re considering: you have to vet them, but eventually you have to trust them. If you can’t trust them, move on. And good luck out there. The dating scene is frustrating, often disappointing, and takes time. Your privacy wasn’t achieved overnight, neither will your happily ever after. But I’m rooting for you!


A couple weeks ago, I burned out pretty hard. I know this is a blog about privacy and security, but the fact is that burnout is something that is pretty common in today’s world no matter your socioeconomic status, lifestyle, interests, job, or whatever. And in fact, it seems to be that burnout is even more prevalent in the tech and privacy communities. There’s always more to do, and if we’re being honest privacy can sometimes seem impossible, which only exacerbates the burnout. So this week, I want to take a few minutes to address burnout.

What is Burnout?

Most of us instinctively know what burnout feels like. We feel tired, overwhelmed, beat down, like we just don’t want to do anything. My personal favorite, Merriam-Webster, defines burnout as “exhaustion of physical or emotional strength or motivation usually as a result of prolonged stress or frustration.” Most of us are used to dealing with bursts of stress: traffic, running late somewhere, the store being out of your favorite coffee, so forth. But long-term stress can really wear us down. A project at work that demands overtime, a prolonged illness of a loved one, or really any negative event that just drags on can wear you down and chip away at you. And before you know it, you’re burned out.

Burnout presents in many ways. Exhaustion, lack of motivation, frustration, irritability to name some of the more common and mild ones. It could also include slipping job performance, increased drinking or use of sleeping aids, and even declining health. It’s not fun. In my own case, it resulted in me being unable to focus on The New Oil work, snapping at my partner a lot, and just feeling emotionally numb and exhausted. Your exact combination of symptoms may vary.

How to Handle Burnout

I am an incredibly busy person and I like it that way. Maybe I’m a workaholic or maybe I’m brainwashed by capitalism, but I seriously do like to be productive and do stuff. My whole life I’ve always felt like if I slept in past 9 am I was wasting the day. One time in college, I had a class cancel and two social commitments cancel, freeing up a massive five-hour block in my afternoon. I almost had a panic attack at first. I don’t do “free time.” Even my free time is planned on what game I’ll be playing or movie I’ll be watching.

This past week, Techlore shut down their communities in honor of Data Privacy Day. They encouraged people to step away, unwind, take a holiday, and not to fall for the marketing of other companies that were capitalizing on the day. And honestly, I think they’re really onto something. The best way to handle burnout is to not get it in the first place. One way I’m able to sustain my own lifestyle of constant sprinting is because I’ve learned how to pace it and how to relax. I’m very careful to schedule time each night to unwind and watch mindless TV with a drink, and I’m also very good at recognizing when I’ve pushed too hard and my brain just can’t take anymore. An important thing I do that I would recommend to anyone is that I’ve built margin into my schedule: if I push too hard today and I don’t get something done, I have time to do it tomorrow. It might stress me out and get in the way of some free time, but it can still get done if it’s an emergency. And if it’s not, it slides off to the next available time slot.

Of course, I don’t expect everyone to go as much as I do. I’m able to sustain my pace because I love what I do and I never get tired of doing it. Tired? Yes. Tired of what I’m doing? Rarely. We can’t all be so lucky and even when we are we don’t all have the same capacity for stress or activity. However, I do think it’s important for everyone to learn themselves and what their rhythm is. Learn to recognize when you’re getting too stressed, and learn how to find a rhythm that lets you sustain your lifestyle rather than doing a bunch at once, getting burned out, and then needing to crash and recover. And for the record, that doesn’t mean “learn how to go every single day.” Some people need their weekends. Some people need their cheat days. I can get by with about one total day off every few weeks. Not everyone is like that. “Finding your rhythm” isn’t about working every single day, it’s about finding a way to get what you need to get done without going through cycles of burnout and recovery. If you’re constantly burning out and using time off to recover, you’re doing it wrong. It shouldn’t be a flood followed by a drought, it should be a cycle of moderate rain and sunshine.

Having said that, burnout still sometimes happens. Over the Christmas week, we had an emergency project that was too good to pass up for our small, struggling business at work. We put in almost 40 hours in three days to make this project happen and get paid. I spent the next three days playing video games. Sometimes you have no choice but to push and deal with what’s in front of you and burnout is inevitable. But it shouldn’t be the norm.

When burnout strikes, the methods of dealing with it are as numerous as there are people, but I think I can sum it up into four words: take care of yourself. For some people that means making time to go for a walk or exercise. For some people that means meditation or a quiet night at home reading. For others that means binging video games or The Office. The point is to identify what de-stresses you and makes you happy and helps you unwind. I’m not a meditation person. It’s great, but getting me to sit still and clear my mind for any amount of time is rough. Meditation is not a de-stress for me, it just makes me feel like I’m wasting time when I could be tackling whatever thing is stressing me out. Video games are one of my hobbies. I can do that. Podcasts. I can do that. Watching Futurama for the ten millionth time. Definitely can do that. These are things I do when I need to unwind. And communication. I tell my partner that I’m burned out and I need some space to unwind by myself.

I wish I had something more concrete. As a data privacy educator, I’m used to being able to say “these are objective things.” “This solution is better here and that one is better there.” “Here’s the strengths and weaknesses of something.” But people don’t always function as cleanly as apps. And just as threat models vary from person to person, burnout threshold and coping mechanisms also vary. But I hope that this post has at least given you something to think about and helped you recognize some patterns and potential solutions in your own life. Things are not hopeless. But the battle is very much uphill. Be sure to take it one step at a time and give yourself plenty of margin to handle it all. You’re of no use to anyone else if you can’t take care of yourself.
