The New Oil

Practical privacy and simple cybersecurity.
TheNewOil.org

Two weeks ago, I decided to pit all of the commonly-promoted “privacy-respecting” iOS browsers against each other to see if I could determine empirically which one was actually the most private. Unsurprisingly, within minutes of posting I received feedback. Surprisingly, most of it wasn’t “you suck and you’re wrong because I’m loyal to my browser.” Rather, it was “you forgot one.” Allow me to remedy that situation. This week, I will be reviewing SnowHaze. If you need a reminder of my methodology, you can check the blog in question here.

Privacy Policy

SnowHaze starts off strong out the gate by claiming to collect absolutely no information about you, anonymous or otherwise. In this respect, SnowHaze easily usurps Brave to win the privacy policy category.

Winner: SnowHaze

Loser: Safari

Not too much to say here. SnowHaze is the obvious winner and Safari is still abysmal.

Browser Fingerprinting

Things get really weird in this section. SnowHaze offers an ungodly amount of granular control over the browser’s privacy settings – which I will discuss in the “Features” section. When highly configured, I was unable to run Cover Your Tracks at all, which leads me to assume (without evidence, for the record) that this means fingerprinting you at all has become relatively impossible for most sites, or at least quite difficult (from what I understand, many common fingerprint methods rely on JavaScript). However, this also causes significant breakage across many sites. After tinkering for a few weeks, I finally found some settings that mostly work across most sites. The particular settings that seem to matter for testing sites like Cover Your Tracks and Speedometer mostly seem to boil down to the Content Blockers section. At the time of this test, I was only able to disable Fonts and still get a score. Remember that as always your results may vary, especially depending on how you configure the vast settings options.

SnowHaze: 17.96

Winner: Safari

Loser: Brave/DuckDuckGo

Based on this score, SnowHaze ranks second worst just above Safari. However, it’s worth noting that I suspect this score is not truly reflective of my average browsing experience. As I said above, I was only able to get a score by enabling everything except Fonts. In my daily browsing, I usually have Raw/XHR disabled, and often third-party scripts as well. I also have SnowHaze set not to load any JavaScript unless I manually approve it on a per-site basis (another Feature we’ll discuss later). And last but not least, SnowHaze can be set to spoof User Agents, so much like Brave's fingerprint is large but fake, I suspect that SnowHaze works in a similar fashion. While this score seems particularly bad, I suspect it's not.

Browser Speed

SnowHaze: 48.35 (+/–.47)

Winner: SnowHaze

Loser: DuckDuckGo

Once again, I had to severely dial back the number of content blockers I was using in order for Speedometer 2.0 to finish its test without stalling. I assume part of the test includes loading XHR and third-party scripts. From what I understand this means that with more aggressive content blockers your speed should actually improve because you’re loading less content. Either way, SnowHaze easily comes in on par with or dramatically ahead of Brave, the previous winner, who had a score of 49 (+/–.53).

Features

Alright, this is where SnowHaze really puts the rest to shame. SnowHaze has granular features for controlling the browser that I have never seen before on a mobile browser. While Brave and DuckDuckGo do offer some good features like control over what data is retained, the ability to add protected sites, and stuff like that, SnowHaze goes all out. SnowHaze offers the usual general features like search engine selection and appearance, but also the ability to lock your browser with a passcode, the ability to spoof your User Agent (and to select which agents to spoof), granular history and tracking control, additional content blockers that I alluded to above including CSS, third-party JavaScript, fonts, etc., and even has an experimental Tor integration feature (which I don’t recommend but it’s cool that they offer it). And those are just the highlights. You have the ability to disable JavaScript by default and then enable it on a site-by-site basis, and you can even easily add custom search engines like SearX! Hands down SnowHaze has the most features out of any browser I reviewed for this study, and the amount of control it gives you over your browsing experience makes it laugh in the face of lesser browsers. SnowHaze offers all the same features that any other given browser would and then some.

Winner: SnowHaze

Loser: Firefox Focus

Final Verdict

Winner: SnowHaze

I can think of one situation where I would recommend Brave over SnowHaze: ease. Because of the massive amount of options, setting up SnowHaze can be a bit daunting. The default settings are – in my opinion – not ideal. I understand the desire to create a browser that’s basically ready to go out of the box, but I think SnowHaze could afford to tighten up their default settings a bit and still retain functionality for the average person. Even so, I commonly recommend that any time you set up a new account or download a new app you should make time to go through the settings and tweak them. This means any person downloading SnowHaze for the first time can quickly become overwhelmed by the exhaustive number of options to be examined, interpreted, and possibly changed. Even more so, those settings will likely change as they browse and realize a certain functionality they want/need broke. I personally pretty much only use my browser to surf webcomics and Reddit when I’m bored (which is rare) and to make quick, important searches when I’m away from my desk. Despite that limited usage, I quickly found myself changing settings to make more and more sites work properly as I went, finally finding a mostly-happy medium after about a week or so. The average person may be frustrated by the constant tweaking and want something that just works.

Hands down, I think SnowHaze is the most superior iOS browser I’ve found so far, and thank you to the multiple readers who alerted me to overlooking it. This has been a life-changing experiment. I highly encourage you to make the switch if you use iOS, and here’s what I recommend: keep Brave for a short time as a fallback. Download SnowHaze, change the settings, get used to it, but until you get it dialed in just right be sure to have a backup for when you can’t afford to experiment to find what’s breaking the site. Once you get SnowHaze dialed in just right, go ahead and delete Brave. That’s what I did. (Well, DuckDuckGo for me if you recall the last blog, but same concept). SnowHaze is truly an incredible piece of work. Well done, devs.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Disclosure: I have an affiliate link with SimpleLogin that gives me credit towards my own SL account. You do not have to use this link, I provide a non-affiliate link at the end, and I tried my best to be unbiased in this review.

In this review, I’ve decided to lump both AnonAddy and SimpleLogin into the same review because they’re so incredibly similar in their offerings and features, though I will note any differences between them. I don’t think of this blog as “AnonAddy vs SimpleLogin,” though I’m sure it will help anyone who’s on the fence decide between the two. Rather, I present this as simply two tools you can use to achieve the same protection. I keep referring to AnonAddy first because I’m listing them in alphabetical order.

The Services

AnonAddy and SimpleLogin are both email forwarding services. Having an account allows you to create an email address – such as “f9f24233-d80b-4e17-a689-b7f1d0cc04c8@anonaddy.me” or “panguingue_graphostatic@aleeas.com.” These email addresses then forward any mail they receive to the mailbox of your choice, such as thenewoil@protonmail.com. I highly encourage the use of one – or both – of these services or a comparable alternative (these are just the ones I’ve found that are the most feature rich and seem to be rejected less often on most of the sites I use). The practical reason is that for most of us, email is the central hub of our lives. Everything is managed from that one inbox, from newsletters and Netflix marketing emails to doctor’s appointments, job offers, and important correspondence. The compromise of an email account is the digital equivalent of getting kicked out of your own house. If your email address gets exposed in a data breach – which it certainly will if it hasn’t already – that’s half of the required login exposed, leaving only the password to be guessed for access. This can be mitigated by using strong, unique passwords and two-factor authentication, but the exposure of an email address can still be used in other ways, such as tracking you across the various accounts and websites, leading to stalking by both individuals and companies.

The Good

Both services offer a free tier with premium, paid features. AnonAddy offers Lite ($12/year or $1/month) and Pro ($48/year or $4/month) paid plans, while SimpleLogin offers only a single Premium paid plan for $30/year (or $4/month). In addition, both offer F-Droid apps, as well as Play Store and App Store apps, allowing you to create masked addresses on the go. Both allow you to import your public PGP key, both support the use of custom domains, and both allow catch-all email addresses (meaning if I make up an email address on the spot, that email address will be created and forwarded to me as soon as the first email is sent without any interaction from me). AnonAddy offers you the option to replace email subjects (so that the true subject isn’t visible, a shortcoming of PGP). SimpleLogin supports hardware security keys (like YubiKey) and offers browser extensions for Chrome, Firefox, and Safari. SimpleLogin also offers enterprise solutions if you happen to be responsible for a company.

The Bad

AnonAddy’s apps are fan-made and not officially supported. AnonAddy also has a limited number of custom domains, a limited amount of bandwidth (except for the Pro plan), and a limited number of email addresses you can receive to. The bandwidth thing is probably not an issue for most people, but keep in mind that if your bandwidth is exceeded that means they won’t forward any emails for you for the rest of the month. The bigger issue to me is the limited number of emails you can send and receive – 20/50. While most people probably don’t send 50 or even 20 emails in a single month, it’s something to be aware of if you’re a power user. The drawbacks of SimpleLogin are that it is less feature-rich than AnonAddy (can’t change the email subject, can’t disable catch-all). SimpleLogin’s free tier is also much more restrictive than AnonAddy’s (can’t use PGP, 1 recipient to AnonAddy’s 2). But they do make up for it by offering unlimited bandwidth and unlimited reply/send even on the free tier.

Final Verdict

I use both of these services, and honestly I find them almost identical. Being that I consider a custom domain to be a valuable part of a privacy strategy, I think the average user could get away with AnonAddy’s Lite tier ($12/year, $1/month), but SimpleLogin’s Premium will be the better bang for the buck for power users with all the unlimited features. Neither service is bad and they really come down to what you want or need out of them and the price you’re willing to pay for those features you want. I’ve found both to be extremely user friendly and affordable, and I use them pretty interchangeably myself. I encourage you to explore their pricing options for yourself, and maybe even sign up for a free account for both to decide which is best for you.

You can check out AnonAddy’s Pricing here and SimpleLogin’s Pricing here and sign up for each service at their respective websites. If you decide to sign up with SimpleLogin, please consider using my affiliate link. I will not see any information about you, but I will get a few bucks added to my SimpleLogin account if you purchase a paid plan, which means more money I can put toward other The New Oil-related projects. Of course, I understand that not everyone is a fan of affiliate links, so no hard feelings if you choose not to use it. The important thing is that you use one of these services and start protecting yourself.

The “best browser” is a never-ending and often very heated debate that occurs often in the privacy community. When it comes to desktop, it’s generally agreed upon that either Brave or Firefox (with honorable mentions for Tor and Ungoogled Chromium) is best, depending on how you feel about the companies behind each and what you’re looking for. Once you take the debate to mobile, the argument changes considerably, particularly with iOS. One advantage that Android enjoys over iOS is a very relaxed environment. This can be problematic for security, but for privacy it means more access to various apps that typically offer more flexibility and freedom. For example, in Android you can run Firefox with all the same plugins as desktop (and I recommend that). With iOS, you can only run stock Firefox. Even I will admit that without my set of recommended plugins, I’m hesitant to label Firefox the best choice.

So what is the best browser for iOS for those of us who want privacy? Well, that’s been on my mind a lot lately and I decided to finally figure this out myself with empirical evidence. So this week, I downloaded Brave, DuckDuckGo, Firefox Focus, and Safari onto my iPhone 6S and put them through a series of objective tests. I will be organizing each section by alphabetical order (Brave, DDG, Firefox, then Safari). This is not order of preference. Keep in mind that results may vary based on your own device and configuration.

Privacy Policy

I firmly believe that privacy policies are always the best first place to start when it comes to vetting a new app. They may not always be telling the truth, but if Company A has a privacy policy a mile long that basically says “we collect and share everything we can get our hands on” and Company B has one that says “we try to collect and share as little as possible unless ordered to by a court,” that’s a pretty good indicator of where to start. With that said, Apple recently gifted us non-lawyers with a pretty rad little tool called “Privacy Labels.” So let’s start there.

Brave

Brave claims – according to their privacy label – to collect only two pieces of data: “Other Usage Data” and “User ID.” User ID isn’t a big deal as based on Apple’s explanation of the categories, this likely refers to information you voluntarily provide like a Brave account name, but “Other Usage Data” is very vague as Brave doesn’t overtly say in their complete privacy policy what information that details.

DuckDuckGo

DuckDuckGo says it collects “Product Interaction” and “Other Usage Data,” “Other Diagnostic Data,” “Crash Data” and “Performance Data.” The big one here that really bugs me is “Product Interaction” data. While it is useful for a developer to have this information, if one claims to be a privacy-respecting service you have to expect that you’re going to have to do without that data. Again, according to Apple, that includes “app launches, taps, clicks, scrolling information, music listening data, video views, saved place in a game, video, or song, or other information about how the user interacts with the app.” Not very privacy respecting. The crash analytics I don’t really mind – it’s important for a developer to be able to identify why a service isn’t working to fix it. “Other” data and “Performance” data are also vague and tip off a small red flag.

Firefox Focus

Firefox Focus’s privacy label is more or less similar to DuckDuckGo’s, just in different categories. As with DDG, I don’t like that they collect “Product Interaction” data. I also don’t understand why they collect “Crash Data” as part of their analytics rather than app functionality. According to Apple, analytics are used to understand how users interact with the app and improve it; functionality would include minimizing crashes, performing customer support, and other such uses that would be more acceptable in my opinion. Then again, maybe Mozilla just didn't know which category best fit and decided it made more sense in analytics. I guess the actual use matters more than the label. A rose by any other name is still a rose.

Safari

The fact that I had to take two screenshots to capture all of Apple’s collected data should tell you everything you need to know right off the bat. Safari offers virtually no privacy, collecting “User Content,” “Device ID,” “product interaction,” “Browsing History,” and even “Coarse Location.” I’m not even gonna bother going into detail here. Safari is obviously out.

Winner: Brave

Loser: Safari

Brave is the clear winner by collecting so little data, and most of it being voluntary. While DuckDuckGo and Firefox Focus aren't as good, they're still miles ahead of Safari's invasive policies. And Apple is marketing themselves as a privacy-respecting company...

Browser Fingerprinting

But protecting your data from Apple is probably the lowest concern, honestly. Apple conceivably could already have access to everything on your device. How does your browser protect you from others? For this portion, I used EFF’s Cover Your Tracks to test the level of browser fingerprinting each browser revealed. I chose this tool because unlike other tools, it doesn’t give you a result based on other visitors – which is obviously a biased result (the vast majority of people don't visit those sites, so you're getting a skewed sample right off the bat) – but rather based on commonly used and known tracking technologies to give you an objective score based on how many points of data you leak. So in other words: the fewer points of data, the better.

There isn’t much to say about each section, I didn’t want to go into detailed results, so instead I’ll just list them. Surprisingly, Safari comes out on top here with only 15.7 bits of information. An interesting thing worth noting: when I originally ran this test, I forgot to shut off my AdGuard DNS and tell Firefox Focus not to integrate with Safari, which resulted in a much higher number (16.02, if I remember correctly). So remember that sometimes doing too much makes you stand out more.

Brave: 18.03

DuckDuckGo: 16.03

Firefox Focus: 16.02

Safari: 15.7

Winner: Safari

Loser: Brave/DuckDuckGo

The reason I call the loser here a toss-up is because it turns out that Brave has a built-in fingerprint randomization feature. So while Brave technically leaks more bits of data, that data should – in theory – be different every time, making it effectively useless for tracking. Personally I would prefer my browser simply leak as little data as possible, and if you agree then Brave is the clear loser here. However, if you see the value in a randomized fingerprint – which I think is a clever solution to the problem – then DuckDuckGo is the loser here by a narrow margin.
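
A simplified model of the reasoning above, added here as an example (it is not Brave's code and not part of the original post): a fingerprint is a hash over what the browser reports, so per-session noise in some attributes changes the hash on every visit. The device values, the noise model and all function names are constructed for the illustration.

```javascript
// Added illustration: a simplified model of fingerprint linking.
// Not Brave's implementation; every value below is constructed.

// 32-bit FNV-1a: stands in for whatever stable hash a tracker might use.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// mulberry32: small seeded PRNG so the "random" sessions are reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed device: what one phone would report with no protection.
const DEVICE = {
  userAgent: "ExampleBrowser/1.0 (constructed)",
  screen: "375x667",
  timezone: "America/Chicago",
  language: "en-US",
  canvas: [12, 200, 34, 90, 155, 7, 61, 240], // stand-in for canvas pixel readback
  audio: 124.04347, // stand-in for an audio-stack measurement
};

// What a site reads in one session. sessionSeed === null models a browser
// that reports raw values; a number models per-session randomization of the
// rendered outputs (canvas, audio) only. This noise model is an assumption.
function observe(device, sessionSeed) {
  if (sessionSeed === null) return { ...device, canvas: [...device.canvas] };
  const rand = mulberry32(sessionSeed);
  return {
    ...device,
    canvas: device.canvas.map((px) => px ^ (rand() < 0.5 ? 1 : 0)), // flip low bits
    audio: device.audio + (rand() - 0.5) * 1e-3, // tiny per-session offset
  };
}

// Fingerprint = hash over every observed attribute, in a fixed key order.
function fingerprint(observed) {
  const keys = Object.keys(observed).sort();
  return fnv1a(keys.map((k) => k + "=" + JSON.stringify(observed[k])).join("|"));
}

// How many different "users" a tracker would count across these visits.
function countDistinct(visits) {
  return new Set(visits.map((v) => fingerprint(v))).size;
}

// Attributes whose value never changed between visits: these still tie the
// sessions together even when the full fingerprint differs every time.
function stableAttributes(visits) {
  return Object.keys(visits[0]).sort().filter((k) =>
    visits.every((v) => JSON.stringify(v[k]) === JSON.stringify(visits[0][k])));
}

// Five visits from the same device, without and with randomization.
const seeds = [1, 2, 3, 4, 5];
const plainVisits = seeds.map(() => observe(DEVICE, null));
const randomizedVisits = seeds.map((s) => observe(DEVICE, s));

console.log("raw values:", countDistinct(plainVisits), "distinct fingerprint(s)");
console.log("randomized:", countDistinct(randomizedVisits), "distinct fingerprint(s)");
console.log("unchanged under randomization:", stableAttributes(randomizedVisits).join(", "));
```

The last line is the reason for the “in theory”: in this model only the randomized attributes change, and whatever the browser leaves untouched stays identical from session to session.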

Browser Speed

For my last objective test, I decided I wanted to see what browser was fastest. For this, I used Speedometer 2.0, a general browser speed test developed by Apple that simulates a variety of user actions and measures the speed of various points like CSS, JavaScript, and DOM APIs. The results are measured in “runs per minute” with a margin of error. As with everything on this list, your exact speeds may vary with your hardware and internet connection (I used an iPhone 6S on a gigabit wifi network), but I tried my best to pick a service that would remove those variables as much as possible from the equation.

Brave: 49 (+/–.53)

DuckDuckGo: 54.4 (+/– .81)

Firefox Focus: 53.86 (+/– .5)

Safari: 51.8 (+/– 1.9)

Winner: Brave

Loser: DuckDuckGo

Features

Now let’s get down to some subjective features that are harder to quantify.

Brave

Brave has the unique feature of being built privacy-first. Brave ships by default with an ad-blocker and HTTPS Everywhere, meaning it will automatically upgrade all sites eligible to a secure connection, as well as some light script blocking. That’s definitely something most browsers can’t say. However, the ad-blocking can be easily replicated with the mobile DNS of your choice, and HTTPS Everywhere isn’t really necessary in today’s day and age where 95%+ of the average user’s time on the internet is encrypted. I do have a couple of deal-breaker issues with Brave, but based on my research I think these are bugs (possibly based on my having such an older device) rather than actual shortcomings. First is that I was unable to easily find a way to clear my entire history. I think it’s been removed in the newest mobile version for my device. Personally I view having web history in general to be a huge risk. Past malware – both desktop and mobile – and malicious apps have been able to scoop that up before. So for me I value having a browser that will clear my history without me thinking about it. One way to get around this – which brings us to my second issue – is to use Private Browsing, however as soon as you close and reopen the app you end up back in regular browsing mode. Others have not reported this issue – either the history clearing or the private mode – but this ticket shows that I’m not the only one with this issue.

DuckDuckGo

DuckDuckGo has a few unique features that I actually like, and I don’t really have anything to knock it for. I’m sketchy of DDG as a company overall, if we’re being honest, but they seem to have built a really solid browser. First off, DDG is another company that like Brave was built with user privacy in mind. The browser comes prepackaged with tracker blocking software, as well as HTTPS Everywhere. In fact, DDG and EFF recently teamed up to use DDG’s web-crawling bot to make HTTPS Everywhere even more effective and comprehensive – constantly learning via AI rather than occasionally updating with crowdsourcing. And DDG has two ways to clear your browsing data: automatically (upon app exit, optionally with a time delay) or manually with the simple tap of a button. As a neat little UI feature, they also tell you everything they’ve blocked on each site (though Brave does also give you both a site total as well as an overall total when you first open the app).

Firefox Focus

Firefox Focus is a pretty standard browser with a couple of drawbacks that I could live with but would prefer not to. First the good side: it automatically clears data on close without any prompting, and it offers to integrate with Safari so that anything that opens in Safari will benefit from Mozilla’s tracking protection. The downsides: there are no tabs (you only get the single page you’re on), you can’t download images by holding them and saving them to the camera roll, and Mozilla has straight up said that Focus is a low priority for them, so even though it claims to be extra focused on privacy (no pun intended), it rarely gets updates, which includes the tracking protection lists. For example, the last four update versions at the time of writing were released as follows: April 13, 2021; November 13, 2020; September 1, 2020; and February 26, 2020. DuckDuckGo, by comparison, seems to push out updates at least once per month, usually two or three times. All this to say that while Firefox Focus is not a “hard pass” for me, I don’t think it’s the best choice.

Safari

As far as I’m concerned, Safari only has two things that make it worthwhile: it naturally integrates very well into the iOS platform, and the private mode stays active even when you leave the app. If I set Safari into private mode and close it, when I re-open it it will stay in private mode (remember that for most users, Brave will do this, too, but if Brave doesn't for whatever reason Safari should). I will still be responsible for manually closing out my tabs, and I will have to enable HTTPS Everywhere via the menu. Likewise, I will need to use an alternate DNS if I want to block any ads. As of iOS 14, Safari does block some third party trackers so there is a baseline level of privacy there. The only major ding I can think of on Safari is that the app integration doesn’t preserve Private Browsing. For example, if I peruse Mastodon and see a link I want to click on, the link will natively open in Mastodon but will not open in a private browsing window, meaning that link now goes on my browser history and the data gets preserved until I manually go in and clear my browsing data, at which point I have to also set back to a private-browsing tab.

Winner: Brave/DuckDuckGo

Loser: Firefox Focus

Putting aside my personal bugs that I experienced with Brave, I think Brave and DDG both offer competitive results in terms of features. Tabs, ability to clear history automatically, built-in security and privacy features, etc. I think the only small edge DDG has is the one-click burner button that allows you to clear your current session instantly (and maybe the fact that it doesn't save your history by default, though I guess some people may want to save their history for whatever reason). With Brave you would have to close it out and re-open it to simulate the same effect. Firefox is clearly the loser here as it has almost no features or advantages and in fact has a few drawbacks (the lack of image saving and the single tab).

Final Verdict

Winner: Brave

Brave won the privacy policy section, but only by a thin margin (compared to DDG and Firefox Focus). Safari won the fingerprinting section by an impressive shot, but I think Brave’s low performance can be excused when you remember that the fingerprint is randomized every time, meaning that tracking is considerably more difficult and the bits shared may vary depending on the fingerprint used. For the speed portion, Brave blew everyone out of the water. However, I think the features section is where things start to get muddy. Due to the major issues I – and others – have with Brave’s functionality, I do want to list my suggested runner-up: DuckDuckGo. While DDG scored mediocre on most of the tests, I found the wide range of features and functionality made it superior to Firefox Focus, and compared to Safari you lose almost no features but gain a massive privacy improvement. If Brave works correctly for you (ex, clears your history and allows for always-private mode), I think Brave is the winner. But I think DDG makes a very close runner-up and is acceptable if Brave doesn't work for you for any number of reasons.

“But WebKit...”

There are two main arguments for why you should just use Safari on iOS as opposed to any of the other popular choices, and while I know this blog is getting long, I want to address them here and now.

1) “It’s all WebKit.” Basically, Apple has locked down their ecosystem so tightly – at least in part due to security – that all browsers are essentially just forks of Safari. This is true. But the logical assumption is that because it’s a fork of Safari, Apple can see anything you do on that browser as well. As far as my research can tell, this does not happen. I was unable to determine if that’s due to Apple’s policies or due to technical limitations, but at this point in time unless someone comes forward with an empirical, documented case and not just anecdotal evidence or hypothetical conjecture, I’m forced to conclude that this is a non-issue. I don't like to spend too much time on unsubstantiated “what-ifs.” It makes things paranoid and untrustworthy very quickly.

2) JavaScript. Once upon a time, Apple would hamstring competition by forcing them to use WebKit’s older version of JavaScript instead of the new JavaScript Nitro, which was reserved for Safari alone. This however stopped being true as of iOS 8. Therefore this is also a non-issue.

Conclusion

The entire idea of a mobile browser is that you use it in emergencies, limited situations, or as an alternative to an app. Ideally, you should use your mobile device as a whole, including the browser, as little as possible. Rather, you should browse on desktop where you have significantly more control over things like blocking JavaScript, using Containers, virtual machines (if necessary), and stronger anti-virus. I realize that for some people that’s not an option, but for those who do have that luxury, use it!

I realize that browsers are one of those areas where everybody’s going to have an opinion. It’s also important to remember that what matters to you remains a critical factor here. In my situation, Brave wasn’t the winner – despite objective superiority – due to bugs. In your situation, you may prefer Firefox because you don’t trust Brave or DuckDuckGo. Some people may be willing to give up some privacy for Safari so they can have the integration or sync across the Apple ecosystem for whatever reason. My goal with this site was never to tell you what to think, only to give you the tools you needed to make an educated decision. You now have some information. Good luck!

Tomorrow is Mother’s Day here in the US. (That was your last reminder to buy a card.) Happy Mother’s Day to all the moms out there! As a general rule, most mothers care deeply about their children and want them to be safe, happy, and successful. And as a general rule, today we are faced with a myriad of threats that we never before faced online, some more likely, more dangerous, or harder to defend against than others. So this year, I’d like to offer all the moms out there some encouragement with a quick guide on how to help protect your kiddos online. This post assumes your kids are coming up on or around the preteen age – basically still at that age where you are heavily involved in their decision making but it's time to start teaching them to be independent.

Freeze Your Credit

This is something I harp on a lot but with good reason. Identity theft of minors is still on the rise and is a hugely lucrative market. Think about it: if your kid is five and I steal their identity, I can open up credit cards in their name that won’t be detected for at least ten years. Credit freezes are non-negotiable – and free – if you’re a US resident. Equifax and TransUnion will require you to create an account, but Experian still uses a PIN-based model. I recommend doing this for your child and holding onto this information until they’re old enough to start doing things like getting jobs and opening bank accounts. You can find more information about the process here.

Operational Security (aka OPSEC)

I’m sure this goes without saying but this really is the biggest and most obvious thing out there: make sure your kids know not to give any details to strangers. “Details” varies from person to person. For example, saying you’re from New York City is probably fairly safe – there’s over 10 million people in the city. Saying you’re in Brooklyn or Mountain View, Idaho – probably less safe. Interests, I think, are probably less dangerous than personal information like real names (especially if the name is unique), dates of birth, schedules, and locations. Again, this is probably common sense for parents these days, but it’s worth saying.

Disinformation

In fact, I would argue that it’s valuable to actively encourage your child to engage in disinformation online. Say you’re from Los Angeles if you’re really from San Diego. Say your name is Jake when it’s really John. If there’s anything we’re learning it’s that disinformation is becoming vital to outsmarting people search sites and data aggregators these days. Not to mention the rampant data breaches which are becoming an almost daily occurrence. It’s only a matter of time before that forum your kid signed up for gets hacked. Train your kids young how to use disinformation effectively and when to use it. And on that topic…

Compartmentalize

This is more something you may want to do with your kids rather than just talking to them and leaving it up to them, but teach your kids the value and proper execution of compartmentalizing. They want to sign up for a new game? This is a good opportunity to teach them how to use AnonAddy or SimpleLogin and Bitwarden. Teach them how to randomly generate usernames that don’t reveal anything about them by using Bitwarden to generate a passphrase and then use two of the words. My recommendation is to have a unique forwarding email, unique password, and unique username on every site, all recorded in your password manager. This will make any potential stalker's job significantly harder – though not impossible.

VPNs

Normally I say VPNs are a lower concern, but when we’re talking about keeping kids safe I think they’re a bit more important. Realistically, the odds that your kid is facing attention from a sophisticated predator are low, but technology is getting easier and more user-friendly by the day. Something like figuring out your IP address was a monumental task ten years ago. These days it’s as easy as getting your kid to click on a link – which is probably pretty easy. Kids are kids. Even if you educate them, they’ll make mistakes. Keeping your kids’ devices safely behind a VPN at all times will reduce the risk that if they slip up, a predator can grab their IP address and therefore their real location (sometimes accurate within a couple blocks).

Apps

Up till now, I’ve framed most of my recommendations in the context of protecting your kids from predators, but those same techniques can be used to help your kids defend against the ever-growing surveillance capitalist state. One super important thing you can do to help protect your kids is to teach them to be judicious with the apps they install. Kids are fickle and are not prone to thinking ahead. If their friends are all jumping on the TikTok bandwagon, they may want to as well without realizing how incredibly invasive social media and other such apps can be (and also how quickly these fads will blow over. Anyone remember Snapchat? Or Vero?). Create an environment where you talk about every app they want to download and you can help them see that it may not be worth it, or how to mitigate the risks (e.g., only using Facebook on desktop rather than the app).

Settings

Another major life skill you can teach them is to evaluate the settings on any new account. If your kid wants to sign up for something and you have talked to them and approved it, go through the account settings with them and help them figure out which settings they can safely disable (like public posts). The key there was to go through it with them, not for them. The goal is to teach your kids to be smart, critical-thinking, productive members of society who can look out for themselves. Don’t just make changes and hand the phone back to them. Talk to them about each setting, what are the benefits and risks of each, etc. You’re not always going to be there to make decisions for them. Teach them how to make their own decisions.

Schools

Schools are not immune to the data breach phenomenon. In fact, they’re a big target because they contain so much sensitive information. I don’t know exactly what information is required to register a child in school, but honestly I think you should lie on as much of it as possible. I personally think everyone should have a PO Box if possible, so use that for your home address. Or use the address of a relative who doesn’t have kids (with their consent). Or a local hotel. I realize that one is tricky cause it may put your kid in a different school district, so plan ahead there. Put in a Voice-over-IP phone number instead of your SIM number. Recently several schools have suffered data breaches that resulted in information as sensitive as age, date of birth, and home address. That could make your child a perfect target for a predator and lead them literally right to your home. Make sure to obfuscate anything that might lead a predator back to your child. I also strongly encourage you to make specific email accounts and VOIP numbers for school-related business for this same reason.

School Devices

A big concern with schools these days has become technology and online learning. Schools have begun using Chromebooks as their de facto devices because Chromebooks are cheap, but there are many concerns that this has a “get ‘em while they’re young” effect, turning children into lifelong Google users with a long, ripe trail of data to be harvested. This has become a threat unto itself. There are a lot of questions and concerns about how to use a school-issued Chromebook right, which I addressed in this blog post late last year. If your situation allows, personally I wouldn’t even use the school-issued device. I’d create a virtual machine on your home computer, or use your backup browser (such as Brave or Firefox) for online meetings. Resist the urge to sign up for Zoom or download the app, even if it sounds convenient.

Conclusion

Personally I don’t believe in “the good old days.” I think society has always had problems, even if they were better hidden. We all look back at the past through rose-colored nostalgia glasses. Having said that, I really do think we live in times with a new set of threats to beware of. Not to be an alarmist, but I also think it’s worth noting that statistically, a person is most likely to be victimized by someone they know rather than a total stranger on the internet. It’s a common human fallacy to misjudge what the real threat is or how serious that threat is. But that's not to say your children today don't face a wide variety of threats from both corporations attempting to hook, track, and control them from the get-go and from posting something that could come back to harm them in the future, either at the hands of a predator or at the rejection of a potential job or school. As a parent, it is your responsibility to protect your children and teach them to be responsible, both online and off. I hope this post hasn’t been too alarmist and makes you feel more equipped to know what threats to look for and gives you some starting points on how to mitigate them.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Recently, I posted an article on Mastodon about how the US Postal Service is scanning Americans’ social media accounts looking for “inflammatory” posts, typically relating to plans to attend or organize protests, ostensibly under the pretense of “national security.” The article attracted this short discussion wherein one of my readers asserted that this story was not a privacy invasion – nor even a privacy issue – because the information was posted in a public place – a public social media profile. I do agree with this person to some extent, so this made me think: why does this feel like such an invasion of privacy even though it’s kind of technically not?

The “Expectation of Privacy” is a legal test that began in 1967 with the US case Katz v United States. Charles Katz had used a public phone booth near his Los Angeles apartment to submit gambling information across the country to bookies in both Boston and Miami. What he didn’t know was that the FBI had begun to investigate his illegal gambling and had wiretapped the phone booth without a warrant. This is where things got sticky. The FBI believed that since the phone booth was public, it therefore constituted a public place where you should have no expectation of privacy. However, Katz felt that the phone booth suggested a reasonable expectation of privacy – which makes sense, honestly. The doors close and stuff, who wouldn’t expect at least SOME privacy in that situation? You would certainly be annoyed and offended if some stranger stuck their ear to the door to try and eavesdrop, right?

The Expectation of Privacy test has two parts, and the second part is – I think – what really makes it work: “the expectation is one that society is prepared to recognize as reasonable.” I can drop my pants and start urinating in Times Square and expect privacy, but society doesn’t agree. Just as with debates about crime and legalization of various vices, there are obvious situations where we as a society can all generally agree that you have no expectation of privacy. We all may disagree on whether or not hard drugs should be legal, but we can all generally agree that murder should not be. We may all disagree on whether or not scraping public social media is a privacy violation or not, but we all generally agree that scraping texts without some kind of legal validation definitely is.

Let me back up: this blog post is not here to argue where the expectation of privacy begins and ends. Smarter people than me have spent decades fighting over that and likely will spend decades more. Rather, this post is to argue that what we experience today is not a violation of our expectation of privacy: it’s a violation of our expectation of not being stalked. And that is what bugs me about USPS – or any public (particularly government) entity – scraping public social media posts. It’s one thing for someone to stumble across a violent post and go “whoa, somebody needs to take a look at this.” It’s another thing for someone to look at every post with the intention of finding a problem.

About a year ago, a friend randomly texted me as I was leaving the grocery store to say that she had seen me. My first thought was “how did she recognize me? Everyone is wearing a mask!” Then I immediately remembered I have very unique, prominent, and often-visible arm tattoos. I don’t remember what my reply was, but obviously it wasn’t offense. I was at the grocery store in a T-shirt, I had no expectation of being anonymous or not-recognized. Just because I wasn’t going around wearing a name tag doesn’t mean I expected not to be seen or noticed. However, my friend didn’t follow me home from there. She didn’t write it down in a notebook and go “1:15 PM: saw Nate at the grocery store on the intersection of Main and 6th.” She didn’t ask me what I bought or why I was there. And this is what makes the abuse of our public use of technology so offensive to me.

In the above story, the USPS is actively scanning people’s public posts and looking for information. This is the issue that I personally have with surveillance, and I don’t think it’s a stretch to assume that most of my readers will agree with me on this. I have no issue with the public space being legally open to scrutiny. If I drive my car down a street, I fully expect that somebody will see it, and maybe even say that in court as part of a witness testimony about something. But imagine if every person I passed on the street posted to a Twitter account saying “Nate’s car was at this intersection at this time,” especially if there's nothing noteworthy happening. That’s different. There’s a huge difference between happening to notice or see something in a public space and actively stalking someone in a public space. And furthermore, there’s a huge difference between saying “I noticed that guy acting suspicious, let me follow up on that” and following up on every person you see even if they haven’t done anything suspicious. As most of us know, if you go looking for a specific problem, you can probably find it.

As I mentioned, I have tattoos. Let’s say someone sees my tattoos and goes “oh that guy’s a thug, he’s up to no good” and begins to follow me around. This may come as a shock to some of you, but I am not a perfect person. If you follow me for long enough, you’ll certainly find me doing something wrong – either an illegal turn, speeding a little over the speed limit, jaywalking to the convenience store across the street, etc. But actually, a stalker could very easily catch me planning arson on any given day at work. I regularly joke at my day job about just burning down the building when the project starts to get stressful or go wrong. I realize that may not be funny to everyone, I have a very dark sense of humor. My coworkers, however, have worked with me for almost two years. They know I’m not a pyromaniac, they know I have no interest in actually burning anything down, and they know I’m just venting, but imagine a total stranger who – again – just says “that guy is sus cause of his tattoos.” Aha! He said ‘let’s just burn the building down, no more problem!’ Clearly he’s planning arson! Context matters. Now granted, this is not a one-to-one comparison. The arson joke is one I only make when there’s nobody around – no clients, no other contractors from other companies, etc – and only to my coworkers. I expect that I have some privacy because I’m being careful where I make that joke. But the point is, if somebody wanted to find illegal behavior from me, they don’t have to look hard to make a case. Probably not one that would stand up in court, but still.

This is what companies do to us every day, and this is what USPS is doing and I have a lot of issues with this (as you probably do, if you've read this far). I have no issues with someone seeing me do something wrong in public and reporting it. I have no expectation of privacy. But I do have an expectation to not be stalked, especially if I’m not doing anything wrong. The ever-annoying “nothing to hide” argument says that if you aren’t doing anything wrong, you have nothing to fear. However, I view it the other way around: if I’m not doing anything wrong, you have no reason to be looking at me. If I’m under suspicion, it should be – and is – very easy to get a warrant to do some digging. And if you come to my door with a warrant, I will begrudgingly let you in. However, I take great offense to somebody keeping tabs on me “just because.” Maybe someday I might maybe possible do something wrong possibly in some way maybe. So let’s keep a permanent record of this person and watch them just in case. There's no way that can go wrong.

This is the opposite of freedom. This is a panopticon, and studies have shown that people who believe they are under surveillance act differently. They are more afraid to educate themselves, even on important issues, lest they be mistaken for a troublemaker. They’re more afraid to speak out because it might come back to haunt them. They’re more afraid to stand up for something unpopular that they believe is right. Just because nobody has put a physical gun to your head doesn’t make this any less coercion or threat. When I step out my door or post something to a public forum, I have no expectation of privacy. I accept that I have no control over who will see me, what they’ll say, who they’ll tell, or any of that. But I think the moment that person decides to target me – to start following me, taking notes, trying to find all my accounts across various sites, and stalking me – for any reason, whether it’s “for my own safety” or “because I look a certain suspicious” or whatever – now we have a problem. I have no expectation of privacy in public, but I do expect not to be stalked.


I try to end most of my blogs on some kind of uplifting “call to action,” either to keep up the good fight, better your own privacy and security, or something similar. I don’t expect this post will end the same way.

I’ve never heard this term before but I’ve certainly experienced it and you probably have, too. Recently, a Reddit user posted about “the privacy paradox.” This user shared their story about how they were discussing user engagement in a Discord server with some friends, so they decided to download the chat history and analyze how much each user contributed to the conversation. Much to the surprise of the storyteller, the other members of the channel took extreme offense to this and viewed it as a violation of trust, expelling the person from the server and even losing some friendships. Yet, as the post points out, this was public information, and information Discord already had. What was the difference between a server member analyzing the data for fun and a random Discord employee reading it for marketing? It was total hypocrisy.

If you’ve been into privacy and security for any amount of time and tried to get somebody to switch to a better service, product, or solution, you’ve likely been met with this exact same type of behavior, though maybe to a lesser reaction. Someone I know had their card number stolen from the PlayStation marketplace last year. When I tried to preach to them the value of privacy.com (referral link) in such a situation, I was met with unbelievable pushback about how this is rare, how normally that person is so good about not saving payment information on any websites, blah blah blah. I kept coming back to “and yet, a mistake was made and it happened.” Why so much pushback on something that’s free and could easily save you so much headache in the future? Rather than having to cancel your card and get a new one sent to you a week later and having to put in your card information every time you pay the electric bill, why?

I have never understood the way some people fight me so hard on my attempts to make their lives easier. I’ve mentioned in the past that the way that I commonly push Bitwarden is by explaining how it makes your life more convenient: “tired of trying to remember your passwords? Use Bitwarden. And as an added bonus, you can make better, more secure passwords.” And yet, somehow I still get so much resistance to just trying it. “Eh, then I gotta import all my passwords and change them all and blah blah blah.” Dude, it’s free! Start by adding them one at a time, change them later. Nobody ever said you have to sit down and do them all in one sitting. And even then it somehow still takes them a month before they go “so I decided to try out Bitwarden… and I love it.”

Normally when I talk about these topics, I share the solutions I’ve found or heard others say worked. But this time I don’t have one. I mentioned in the past that my partner only began to aggressively use Signal and a VPN on her device after being told that the company monitored the WiFi. Despite the fact that I had told her this many times before, somehow hearing it directly from her boss made it real. It was amazing watching my brother attend a local Black Lives Matter protest last year (with his Android phone in his pocket, probably) while still posting on Facebook and shopping on Amazon. Granted, that last one is more about political views than privacy, but the point is that it’s just amazing to me how people are so resistant to change for any reason, whether that’s to make their own lives easier or even just to simply be more aligned with their own ethics.

I grew up Protestant Christian. (That means “not Catholic” for those who don’t know.) A major tenet of Christianity is to proselytize to others: to spread the “Good News.” I don’t really have any issues with this, but I decided real quick what my method of evangelism would be: setting the example, “walking the walk.” Matthew 5:16 says “let your light shine before others, so that they may see your good works and give glory to your Father who is in heaven.” (ESV) In other words, set a good example and others will notice. My style was not to pass out flyers on the street corner or yell at strangers with a megaphone – I hated that back then and I still hate it now – but my style was to live in such a way that people went “wow, you really believe this stuff, let’s talk about that.” Believe it or not, it was quite effective. I had many friends who would never step foot in a church or open a Bible come to me often and ask serious, genuine questions: “What does the Bible really say about X?” “What’s your opinion on Y?” “Why Z?” They knew that I wouldn’t judge them, that I wasn’t trying to force my beliefs on them, and that I was educated enough to give them not only my opinion but also any popular alternate interpretations.

I bring that up to say this: I think the best way to handle the privacy paradox is to be the light yourself. A lot of people suggest a good way to reach your friends and family is to do dumb sh*t like start recording them when you’re together, go through their phones, hack their Facebook, etc. That’s awful. The privacy paradox is very real, and it just proves that your friends – or soon-to-be ex-friends – will think you’re a colossal ass and stop hanging out with you while continuing to use Facebook or Google or Amazon. It’s infuriating, it really is, but it’s beyond your control. You can’t forcibly change somebody’s mind by beating them over the head with your opinions, even if they are right opinions. The best you can do is to let them know where you stand and work on yourself. Hopefully, in time, they’ll ask you about it and maybe you can even sway a few people. This is a topic that overlaps a number of other blogs I’ve written, such as Why Your Individual Privacy Matters for the Wider Population, Why You (Yes You, Reading This) Need to Take the Lead in Privacy & Security, and How I’ve Convinced People Around Me to Care About Privacy.

Ultimately, as I said up top, this blog is not a call to action; rather, it is to raise awareness. The privacy paradox – whatever name it goes by – is a real thing that you should be aware of. Your friends may be hemorrhaging data to Big Tech and living in hypocrisy – either out of ignorance or convenience – but that doesn’t mean you should take them up on that lifestyle, whether for a good purpose or to show them the error of their ways. It’s ultimately something you’ll just have to accept. Personally I have a reputation for being kind of a jerk among my social circles: Nate is a guy who will tell you the truth without sugarcoating it. “Yeah, that dress does kind of make you look fat.” “Yeah, you are kind of in the wrong in this argument.” “Yeah, that was a really stupid thing to say/do and you should probably apologize.” I’m fortunate enough that me going “hey, just wanted to make sure you’re aware: Amazon is licensing racist facial recognition technology to cops, so if you’re gonna be all ‘defund the police’ that means you gotta stop using Amazon” is actually a pretty common thing for me to say where my friends will typically roll their eyes and go “yeah, I know” to which I say “okay, just making sure you were aware. You do you.” I don’t keep harping on it, I don’t go “but don’t you see the hypocrisy?” They know that whenever they want to make a change, I’ll be more than happy to recommend alternatives or help them mitigate the existing services. And sometimes they go “oh, actually I didn’t know that” and I can go “yeah, I can send you a few articles if you want.” And that opens the door for us to talk about alternatives to Amazon or ways to reduce their data collection.

I feel like this blog was a little all-over-the-place and I apologize, but when I read that Reddit post earlier it stuck with me because I, too, have seen that mentality in action. Like I said, this post is to call attention to it. It’s a real thing that we have to be aware of as we interact with non-privacy people. It doesn’t make sense and it’s frustrating, but humans are illogical creatures and that means we have to learn how to deal with that fact as we push for change and progress in the future. Live long and prosper, I guess.


Movie Review: Coded Bias

A new documentary about the intersection of technology and privacy has hit Netflix. “Coded Bias” released on April 5, 2021 on Netflix and immediately attracted buzz – it's currently high on the Top 10 (I think #4?) in the US as I write this. Even my partner noticed it and alerted me to check it out. Ironic that Netflix pushed a movie about the dangers of algorithms so hard, but here we are. So how does it stack up? Is it worth watching? Does it tackle the issues well? Is it a good resource for your non-privacy/non-techy friends and family? Here's my thoughts.

About the Director & the Film

The film was directed by Shalini Kantayya, an environmental activist “whose films explore human rights at the intersection of water, food, and renewable energy.” She has a master’s degree in Film Direction, and has received recognition from the Sundance Documentary Program, IFP Spotlight on Documentary, New York Women in Film and Television, John D. and Catherine T. MacArthur Foundation, and the Jerome Hill Centennial. She is a Sundance Fellow, TED Fellow, a finalist for the ABC | DGA Directing Fellowship, and a William D. Fulbright Scholar.

Coded Bias primarily follows Joy Buolamwini, a Ghanaian-American computer scientist and Ph.D candidate at the MIT Media Lab. According to the opening minutes of the film, Buolamwini first discovered racial bias in facial recognition algorithms when she attempted to make a proof-of-concept art project that relied on the technology. The camera almost never detected her face no matter the lighting conditions – until she put on a plain white mask. This prompted her to dig deeper. The movie follows Buolamwini’s journey and features a number of interviews from experts in the field and real footage of real-life events as she goes.

The Good

I think perhaps the coolest thing to me is the real-life, on-the-ground footage of certain events. For example, at several points in the movie, the filmmakers are in London alongside a civil rights group called Big Brother Watch. The group stands outside an area where the police are using facial recognition cameras – clearly marked with signs – and tries to hand out flyers and inform people of the flaws and risks of facial recognition. At one point, the crew gets firsthand footage of a man who pulled his shirt up over his face when he saw the signs as the police follow him and force him to identify himself. Later, a black teenager is pulled aside and ID’d because the cameras falsely identified him in a face match database. Seeing these situations happen firsthand – not through re-enactments or interviews – really got my blood boiling. And that’s good. Humans are emotional creatures. The 1976 film Network is about the media, its sensationalism, and its exploitative relationship with viewers. At the climax of the film, the star makes a legendary speech, at one point declaring “I don't know what to do about the depression and the inflation and the Russians and the crime in the street. All I know is that first, you've got to get mad. I want you to get up right now and go to the window, open it, and stick your head out and yell, ‘I'm as mad as hell, and I'm not going to take this anymore!!’” Personally, I think this is where we are as a society. First, we’ve got to get mad. We’ve got to touch on that human emotion that spurs people into action where we say “enough is enough,” and I personally was blown away at the film’s ability to do that, to show firsthand, real-world, actual situations where algorithms have gone wrong. Sure, there’s plenty of “think of the bad things that might happen,” but none of that is as powerful as watching a slightly traumatized 14-year-old black kid get pulled over by three plain-clothed police officers who then come back and try to stop the representative from Big Brother Watch from giving the kid a flyer and explaining what the hell just happened. I’m getting mad just remembering it. Let’s move on.

Relating to that previous point, I think the film does a great job of presenting a variety of stories – real stories, not just hypotheticals. They show the two incidents in London I mentioned. They go to an apartment building in Brooklyn that tried to use facial recognition in lieu of keys and to maintain order among residents. They even visit China and ask one girl’s opinion on the Chinese use of social credit and the daily ubiquity of facial recognition. Surprisingly, this girl presents some very positive aspects – I admire a film that can present both sides of the argument. The film then moves to the protests in Hong Kong and shows the dark side that China has used this technology for. The film is obviously overwhelmingly in favor of reining in algorithms and putting some regulation on it, but I still appreciate that they took even a few minutes to show the other side of the argument rather than just painting a biased “doom and gloom” picture the entire time.

The film also makes a point of continuously reminding the viewers that algorithms aren’t just used by police and advertisers, algorithms are used everywhere. They’re used to determine your credit limit, your mortgage, your insurance rates, your employment, whether or not your resume gets seen by a person, and more. I’m glad they drove that point home. A lot of people think of privacy in terms of “well I’ve got nothing to hide,” but the continual reminder of how much algorithms have permeated our culture shows viewers that this does affect you, even if you’re not an activist or a government employee or you live in a good neighborhood.

The Bad

The film is obviously – and ironically – biased. Of course, every documentary is. If you’ve never realized that every documentary you’ve ever seen has been made with an agenda to make you think a certain way, consider this your wakeup call. Every documentary has a spin. Even Planet Earth’s goal is to make you realize how cool nature is and make you appreciate and want to protect it. I think if the film really wanted a more balanced approach, they could’ve spent a little more time explaining the good sides of algorithms. That’s not to say I think algorithms are good – the film very clearly and plainly lays out why they’re problematic with both rhetorical and empirical evidence – but they could’ve done a slightly better job of presenting a less-biased story.

I think my biggest complaint is the pacing. The clips in London that made my blood boil were few and far between. Much of the movie is spent watching Buolamwini stare at a MacBook screen while talking about how she slowly began to realize the amount of control that the algorithms have over us, even in our daily lives and even here in the “land of the free.” There’s a lot of distracting jumping around with camera angles during the interviews, as if attempting to make the film more exciting and feel more energetic. All it did for me was make me motion sick. (Not literally, but it was a bit disorienting.) The first 15 minutes of the film are also painfully slow; it’s not until they get to London that things start to become engaging with the man who hid from the camera with his shirt.

Final Verdict

Despite the pacing issues, I whole-heartedly recommend this film. Force yourself to watch the whole thing, even if you find it boring. The topics covered are incredibly relevant and – as mentioned – permeate every part of our daily lives. There is nobody not affected by this issue, and it’s only in the last couple years that major attention has come to the issues with algorithms – from facial recognition to resume software, and this documentary barely scratches the surface. This technology is being used to score future criminals, rate students, determine college admissions, etc. I sometimes catch heat in the privacy community because I’m not 100% against certain technologies. This technology is a perfect example. It has its uses – I don’t think all possible applications of it are good, but some can be – but it also has a long way to go before even those few good applications are ready. This stuff has some serious bugs that need to be worked out, and until we as a collective society can shine a light on those and have those discussions we’ll never be able to even get that far. This is a conversation that we as a society desperately need to have. For those who are unfamiliar with this subject, I think this documentary is an excellent starting point.

More on the Movie

You can visit Coded Bias’s official website here. It is currently viewable on Netflix.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

This will be a short but important post. This past week, I was forced to use my credit for fiber internet. I’ll be moving to a new place shortly, and while we had two choices of internet provider (both terrible), only one offered fiber for this location and I’ve become rather spoiled by my current fiber speeds (my current ISP is not available at the new location). After a couple failed attempts at social engineering, I agreed to go ahead and submit to a credit check. My threat model is relatively low, and I take other measures to protect myself – such as freezing my credit and using a reputable VPN on my entire router – so while I didn’t want to hand over my information I was willing to in this case knowing that my resulting exposure – even in a data breach – would be relatively low and my other options weren’t great. I was surprised to learn that there have been some changes to the credit freeze management process since the last time I did it, and I wanted to make other privacy-minded people aware of it.

How it Used to Work

If you're unfamiliar with what a credit freeze does or how it works, in short it makes it impossible to open a new account or even check your credit report without being unlocked first. As many of my readers may know – especially if you’ve read my site – it used to be that all three major agencies (Equifax, Experian, and TransUnion) worked the same: you apply for a credit freeze, they send you the PIN, you guard that PIN with your life because I can speak from experience that replacing it is a long and painful process, and if you ever want/need to unfreeze your credit for any reason – like to open a new account or buy a house – you use that PIN to unfreeze it. I also strongly encourage my readers to institute a fraud alert every year as a second layer of protection as some clever social engineers have found ways around the PIN requirement.

What’s New

Currently, Experian still works on the PIN-based method. You can go to their website and create or lift a freeze without ever creating an account or signing in. Equifax and TransUnion, however, now require you to make an account to manage your freezes with them. It’s an annoying but straightforward change.

What I Recommend

No doubt some will be asking if I think this is a change worth worrying about. Should we stop freezing our credit because we have to make an account? Should we resist making an account? First off, you should still absolutely freeze your credit. The 2017 Equifax data breach proved that these companies have garbage security, do not take your privacy or security seriously, will face absolutely no consequences when they screw up, and you will not receive any kind of compensation or have any recourse (I’m still waiting on my <$10 settlement payment that was agreed to in July of 2019). These companies don’t care about you, won’t protect you, and have no incentive to do so. Take the responsibility into your own hands.

Having said that, my advice is to make your accounts right now for two reasons. First is the fact that these companies already know everything about you and are tracking you. Whether you sign up for an account or not doesn’t change that. Just to clarify: there are ways to severely limit how effectively these companies can stalk you. I outline several on my website, and there are countless other great resources I recommend that expand on these principles and have even more advice. What I’m not saying is “they’re gonna track you and there’s nothing you can do about it,” what I am saying is that whether or not you create an account has no impact on the quantity or quality of their efforts to track you. You have nothing to lose by signing up for an account, but rather you have something to gain: control of that account. Even if you plan to never use your credit ever again, it’s best to plant your flag now. Security expert Brian Krebs describes “planting your flag” as basically making an account so that nobody else can pretend to be you later. This is a perfect example. If you feel that you never plan to use credit again and therefore you don’t need an account to manage a freeze, a criminal who finds your information on the dark web could still theoretically make that account on your behalf and now they can manage your freeze and disable it to open new accounts in your name – classic identity theft. It’s better for you to create that account with an email address you control and a strong password than to risk letting a criminal find enough information to pose as you and take control of that account. Thanks to the 2017 Equifax data breach and public record people search sites, it’s very conceivable that a criminal could find all the information they need to easily create that account and control your credit. Plant your flag even if you never plan to use credit again.

If you do plan to use your credit someday in the future but not right now, I still encourage you to go ahead and make those accounts now that you’ve read this. As I can promise you from my experience this past week, it sucks to want access to your credit right now and be unable to do so. Apparently I had already created an Equifax account and lost the login information, and both their automated systems and humans were unable to verify me so I had to mail in documentation. At the time of writing I’m still waiting for that to resolve. All for some stupid fiber internet. Thank god this isn’t an emergency like needing to replace a car or find housing. Now that you’re aware of this, please make sure to take care of this now before you need it, or plant your flag before cybercriminals do. Also, I don’t normally ask this, but please share this blog around with your American friends and family. This is a change that completely flew below my radar and while I don’t claim to be Mr Know-It-All, if I missed it I’m certain almost everyone else has, too. I’m sure that Equifax and TransUnion made zero effort to broadcast this change. Let’s let everyone know so they don’t get blindsided or caught unaware.

Click here to create a MyEquifax account and click here to create a TransUnion account, or alternately just search for them yourself on your preferred privacy-respecting search engine.

Before the pandemic started, I was a freelancer. And one day at work, my backpack vanished with my laptop in it. My laptop was around $1500 brand new. It has an i7 with 16 GB of RAM, a 500 GB SSD and at the time a 2 TB HDD (which has since been replaced with a 240 SSD that runs my daily Linux driver). For those who don’t speak tech, all you have to know is that when this laptop came out it was almost as top-of-the-line as you could get without buying custom, and even to this day it’s still on the upper side of mid-range. As a freelancer, this laptop was not just my time killer for movies and games, but also a critical tool for my job. I had dozens of programs, video clips, slides, and other things that I regularly used to do my job with the level of excellence that allowed me to be a successful freelancer.

When I got home, I was understandably upset but not for the reasons you might think. I was upset that I would have to go to bed without any background noise (I often use my laptop as a sleeping aid because it automatically shuts down when the battery dies, probably not the best use of it, I’m aware). I was upset that I had to spend over a thousand dollars that I didn’t have to buy a new one – again, because that laptop was also a job tool. But there were other things I wasn’t even remotely upset about. I wasn’t worried about my sensitive emails with clients discussing upcoming gigs, payments, or contracts. I wasn’t worried about my passwords. You see – as I’m sure is no surprise to anyone reading this who’s familiar with me – my laptop was full disk encrypted with VeraCrypt. AES-256 with a randomly-generated six-word passphrase. NOBODY was getting into that computer. Not to mention that by this point in my life I was keeping regular backups and when this happened I was only about a week out of date. In a half hour, I could’ve had 99% of my life back.

Much of the advice regarding privacy and security that I see on the internet is framed in the context of civil rights or government overreach. Most sites talk about how to protect yourself from corrupt (or ignorant) cops at a protest, how to prevent the NSA from spying on you, or how to stop Google and Facebook from stalking you. This is good, and I agree with all of these things. I firmly believe that privacy is owed to you as a human right, that governments often tend to overstep their responsibilities, and that you are responsible for your own protection. But I think that solely focusing on this aspect of privacy and security does a major disservice to the other practical aspects of it.

Quite frankly, people as a general rule suck at abstract thinking. In 2019 an app called FaceApp went viral. It’s a pretty straightforward app – it makes you look like an older version of yourself. How such a simple app went viral is beyond me, but for a few weeks everybody was sharing and posting photos of themselves fifty years from now. But this had an unexpected side effect: it made people start saving for retirement. Most people don’t think about their futures – not in any kind of real, tangible way – but when faced with a realistic age-progressed photo suddenly retirement became a real thing. It wasn’t just some foreign concept the way that a country you've never visited or “the cloud” is, but rather it was an actual upcoming event that could not be avoided and had to be dealt with. This is the same reason I’ve plastered my front page with links about real-world privacy abuses and the consequences of them, so people can see it and wrap their heads around it.

The funny thing is, people are also laughably bad at properly evaluating risk. For example, did you know that in most crimes the victim and perpetrator know each other? A 1987 study found that less than half of all violent crime was committed by total strangers. That’s why cops always look at the spouse/partner when someone goes missing or dies. The last person you texted is more likely to murder you than the stranger you passed on the street. Yet that doesn’t stop us from locking our doors, hiding our valuables in the car, and spending billions of dollars every year in security services, an industry that only continues to grow year after year. In fact, your odds of being murdered in any given year – murdered at all by anyone – are .005%. If we look at home robbery, the odds bump up dramatically to a staggering 2.8%. The average loss is a mere $2661.

But yet, 25% of people are likely to be caught up in a data breach and have their personal information exposed – which could be used to steal their identity and open bank accounts and rack up fraudulent charges in the thousands or more. In fact, most cybertheft costs over $10,000. 1.4% of people are stalked every year in the US. And what’s our response? Posting more selfies on new platforms. More videos on TikTok. More views. More likes. More comments. “Send me an invite to Clubhouse if you’ve got it!” (Author’s note: don’t waste your time.)

It’s time for a shift in focus. Yes, protesting matters. Yes, freedoms matter. But if we ever want privacy and security to reach the mainstream, we need to start speaking the language of our target audience. I’ve successfully gotten a number of people around me to switch to Bitwarden and literally every one of them has thanked me for it and some have even pushed it to their friends without me having to say a word. How did I manage this miracle? “Forgot your password? Mind if I offer a solution?” That simple. Who hasn’t forgotten a password? Or struggled to come up with a “secure” password that meets the requirements? “With Bitwarden it only takes a few clicks to create and save a secure password and you never have to remember it again.” Boom.

This goes for everything. Sure, encryption will keep the cops out of your laptop. It will also stop the rando who steals it. Maybe they’ll still pawn it, but at least your bank details and porn collection are safe. Same for having a good password or PIN on your phone. It won’t stop a criminal from pawning it, but it will stop them from opening your bank app or messages. Remember how years ago people would post on Facebook that they were going on vacation and criminals would use that to target homes to rob? Being careful on social media isn’t just about privacy, it’s about preventing crime. Not having Instagram isn’t just a moral principle, it’s about not opening the door for cyberbullying or harassment. I don’t think we should ever back down from our moral message of privacy and security. Privacy is a human right, and things can change in the blink of an eye. Often when a dictatorship rises to power, people are punished for sins of the past – things they said or wrote years before the party came into office. But frankly, just that one sentence is hard for the average westerner to come to terms with. We need to start framing privacy in a practical way that makes people realize that it’s not ALL about avoiding the algorithms and thwarting corrupt officials. Sometimes it’s just about not having to remember my password or not having to panic when my computer gets stolen. Those are threats the average person can relate to.

Oh by the way, my computer didn’t get stolen. It got accidentally picked up by somebody who thought it was one of their bags. It was returned to security the same night and they were very apologetic. I slept great with Futurama in the background.

With tax season around the corner in the US, I wanted to do something related to taxes and privacy, but I quickly realized that this is a complex topic with very little wiggle room and I don’t feel comfortable giving people any advice on something that can easily land them in hot water legally. Plus, it’s an even more US-centric topic than I usually post. So here’s my two sentence summary on doing taxes privately in the US: use paper forms and do it yourself. If you need a professional AND maximum privacy, find a tax lawyer and make sure you arrange with them to hire them in such a way that you benefit from attorney-client privilege.

Instead, I decided that this week I’ll deep dive (somewhat) into financial privacy in general. This should be a much more widely-applicable topic to my non-US readers and it’s far less likely to land you in legal trouble. Now please note: this is a deep, nuanced topic. Just in the US alone I could probably write a small book on this topic, so there's no way this post is going to be comprehensive, but I hope I can cover most of the major pillars for most of my readers.

Do You Need a Bank Account?

Let’s start off at the top. Well, if we wanted to start at the very top, we’d have to begin with getting a job. I wrote about my opinions on privacy in the workplace in a previous blog, so feel free to check that out if you need. But let’s assume you’ve got a source of income and now you’re deciding how best to store and use that income. Should you get a bank? My general opinion is yes. While any bank is going to involve surrendering some privacy – you’ll have to hand over a lot of personal information to help them detect and prevent fraud – a bank still offers the best security for your money. At least here in the US, we have what’s called FDIC Insurance, which means any liquid cash you put in an account with that bank is guaranteed up to $250,000. In other words, any cash you store at the bank is guaranteed to be yours no matter if the bank goes bankrupt, burns down, gets robbed, etc. Putting cash under your mattress offers you zero protection against damage or theft and Bitcoin… just don’t use Bitcoin as your primary financial method. If you qualify for a bank account, ninety-nine times out of one hundred that’s going to be the best move for you. I have no doubt that most countries around the world offer some parallel to FDIC Insurance so make sure yours does and go with that.

Big Banks or Small Banks?

Of course, not all banks are equal. Here in the US, we have big national chains like Chase, Wells Fargo, and Bank of America. We also have smaller, local chains. Here in my state, for example, we have chains like Frost Bank or Velocity Credit Union. On that note, we also have banks and credit unions. There’s a lot of choices. As far as big banks vs small banks go, I think that’s a personal choice. Assuming that both are FDIC Insured, typically small banks will value you more as a customer and treat you better. They also make for smaller targets by cybercriminals. On the other side, bigger banks invest more money into cybersecurity because they’re bigger targets, and there is the whole advantage of being a needle in a haystack if you’re being specifically targeted. If I bank with Frost, for example, there’s a lot less customer records to wade through to find me than if I banked with Chase. Assuming you’re not being targeted by a technologically-advanced enemy, I would say that the biggest advantage to a national bank would be if you travel frequently. Frost doesn’t exist outside of my state – or at least not that I’m aware of – so if I have to make a deposit or some other in-person banking issue, I have to wait til I get home and withdrawing money from an ATM will incur a charge. Not so with a bank like Chase which exists practically next to every Starbucks.

Without being too US-centric, I also generally encourage credit unions over traditional banks. They typically have requirements to join – for example you have to work in a certain job field or area – but they offer numerous advantages. In addition to better customer service, they typically have better interest and savings rates and other perks like car insurance discounts with certain companies and stuff like that.

Paper or Plastic

Debit cards are generally regarded as a bad move by both privacy advocates and personal finance experts. Personal finance experts encourage the use of credit over debit – assuming that you’re able to control yourself and not spend too much – because they offer rewards and purchase protections. I’ll get to that in a moment. Privacy advocates discourage the use of both because financial institutions are increasingly tracking customer data for a variety of reasons, such as getting a more accurate credit score for borrowers, offering better services, and predicting consumer habits. These are valid, understandable uses. However, I firmly believe this has a dark side that is only beginning to emerge. In the realm of reality, banks have been known to penalize customers for shopping at “deadbeat” locations like Walmart. Financial information is also used in the UK to attempt to catch people defrauding the welfare system, which can be so extreme that it can disqualify people because they dared to take a vacation, buy name-brand foods instead of off-brand, or treat themselves to a nice dinner. I’m sure there’s also other negative impacts of the privacy violation that I’m not currently aware of. In the realm of speculation, it is a well-known fact that your health insurance rates are higher if you’re a smoker. How long before banks start selling your purchase history to health insurance companies, who then use your purchases to determine if you’re a smoker or not? Or if you drink too much by their standards? Your purchases can be used to determine incredible amounts of information about you, and your habits. I believe – though this is just conspiracy theory on my part for now – that someday the amount of alcohol or types of food you buy will help determine your health insurance coverage and/or rates, the brands you buy will help determine your credit score, and more. All this is to say that the best way to spend your money is in cash. 
Every payday, calculate how much you’ll need and go withdraw that from the ATM. Use that to pay for gas, groceries, and more.

Online & Non-Cash Payments

Sometimes you have no choice but to pay with a card. Some places don’t accept in-person or cash payments, or sometimes you have to buy something online that you just can’t get locally. There’s a lot of options here. Popular options include digital card issuers like Privacy.com, MySudo, Abine Blur, Revolut, and others. I discuss all of these, how they work, and why you should use them on this page of my website. If you don’t qualify for or don’t trust one of these services, the next best option is a prepaid gift card. Visa and Mastercard both sell “Vanilla” gift cards that can be purchased in cash at almost any grocery store or gas station in the US. There’s also gift cards if you plan to use the money toward a specific purchase, like Netflix, Amazon, or Steam. The only drawback to Vanilla cards is that I’ve heard that you’re required to register them online before using them for online purchases. I haven’t attempted this myself, though I plan to in the future. This could tie the purchases back to you, but it’s still a good solution for protecting your actual debit card number and using compartmentalization as a security tactic.

Using Plastic Right

I have always aimed for The New Oil to be a site dedicated to “the average person.” The average person, in my experience, does not have an advanced stalker and is much more worried about identity theft than surveillance capitalism and exploitation. On a similar note, I am a mild personal finance nerd. I love thinking about how to best handle my money to provide the most value for my dollar as well as to create the life I want to live. For example, my partner wants to travel. That’s not cheap. All this is to say that I understand why some people may want to use credit cards. As I said before, personal finance experts recommend using credit cards generously because they offer purchase protection and many of them offer cashback or reward points. The system they recommend is to get several credit cards and use them based on what they offer. For example, if Card 1 offers 10% cashback on gas and Card 2 offers 5% on gas, use Card 1 for buying gas. If Card 2 offers rewards points for buying groceries and Card 1 doesn’t, use Card 2 for buying groceries each week. There are of course caveats to this: pay attention to annual fees, reward terms, and what exactly the purchase protection plans cover; use the credit cards as if they were cash (don’t buy everything in the store when your budget is only $200); and pay them off in full each month to avoid interest. There’s more, but this isn’t a personal finance blog, I’m just pointing out some examples.

With this in mind, I think the average person can benefit from gaming the system and taking advantage of the recommended credit card system at the same time. For example, I mentioned that I believe in the near future we will see health insurance rates and eligibility affected by purchase patterns (among other things). So maybe divide your groceries up into two parts: healthy, generic-brand stuff and others. Use your grocery credit card to buy the healthy stuff and cash to buy the beer. This will create a pattern of transactions showing that you buy healthy food while leaving out the more indulgent parts of your purchases. Or perhaps divide your purchases up by location. For example, if you shop at Whole Foods – first don’t as Amazon is a garbage company – second, put that one on your credit card. Then go to the liquor store or Walmart to buy your beer where it’s cheaper and pay that in cash. (I know I keep using beer a lot as an example, it just seems easiest.) I think there’s a lot of ways you can use this system to your advantage.

Of course, in a perfect world, companies would respect our privacy and not sell our financial information in the first place, which would leave us free to take advantage of credit cards and other financial hacks without risking our futures. But unfortunately part of life means playing the hand you’re dealt, good or bad. I think that for most people this half-truth approach of mindfully using credit cards to both gain points AND create a picture of a healthier, more responsible you is the way to go. This offers the best blend of privacy and functionality in today’s data-driven world. However, for those who want to go full-in on principle – or out of necessity – I hope this post has given you some ideas, approaches, and insight on how to make your money work for you instead of letting third party companies use it as a Trojan horse to steal your data.
