The New Oil

Privacy and security for everyone.
TheNewOil.org

The “best browser” is a never-ending and often very heated debate in the privacy community. When it comes to desktop, it’s generally agreed that either Brave or Firefox (with honorable mentions for Tor and Ungoogled Chromium) is best, depending on how you feel about the companies behind each and what you’re looking for. Once you take the debate to mobile, the argument changes considerably, particularly with iOS. One advantage that Android enjoys over iOS is a very relaxed environment. This can be problematic for security, but for privacy it means more access to various apps that typically offer more flexibility and freedom. For example, on Android you can run Firefox with all the same plugins as desktop (and I recommend that). With iOS, you can only run stock Firefox. Even I will admit that without my set of recommended plugins, I’m hesitant to label Firefox the best choice.

So what is the best browser for iOS for those of us who want privacy? Well, that’s been on my mind a lot lately and I decided to finally figure this out myself with empirical evidence. So this week, I downloaded Brave, DuckDuckGo, Firefox Focus, and Safari onto my iPhone 6S and put them through a series of objective tests. I will organize each section in alphabetical order (Brave, DDG, Firefox, then Safari); this is not an order of preference. Keep in mind that results may vary based on your own device and configuration.

Privacy Policy

I firmly believe that privacy policies are always the best first place to start when it comes to vetting a new app. They may not always be telling the truth, but if Company A has a privacy policy a mile long that basically says “we collect and share everything we can get our hands on” and Company B has one that says “we try to collect and share as little as possible unless ordered to by a court,” that’s a pretty good indicator of where to start. With that said, Apple recently gifted us non-lawyers with a pretty rad little tool called “Privacy Labels.” So let’s start there.

Brave

[Screenshot: Brave’s App Store privacy label]

Brave claims – according to their privacy label – to collect only two pieces of data: “Other Usage Data” and “User ID.” User ID isn’t a big deal as based on Apple’s explanation of the categories, this likely refers to information you voluntarily provide like a Brave account name, but “Other Usage Data” is very vague as Brave doesn’t overtly say in their complete privacy policy what information that details.

DuckDuckGo

[Screenshot: DuckDuckGo’s App Store privacy label]

DuckDuckGo says it collects “Product Interaction,” “Other Usage Data,” “Other Diagnostic Data,” “Crash Data” and “Performance Data.” The big one here that really bugs me is “Product Interaction” data. While it is useful for a developer to have this information, if one claims to be a privacy-respecting service you have to expect that you’re going to have to do without that data. Again, according to Apple, that includes “app launches, taps, clicks, scrolling information, music listening data, video views, saved place in a game, video, or song, or other information about how the user interacts with the app.” Not very privacy respecting. The crash analytics I don’t really mind – it’s important for a developer to be able to identify why a service isn’t working in order to fix it. “Other” data and “Performance” data are also vague and tip off a small red flag.

Firefox Focus

[Screenshot: Firefox Focus’s App Store privacy label]

Firefox Focus’s privacy label is more or less similar to DuckDuckGo’s, just in different categories. As with DDG, I don’t like that they collect “Product Interaction” data. I also don’t understand why they collect “Crash Data” as part of their analytics rather than app functionality. According to Apple, analytics are used to understand how users interact with the app and improve it, while functionality would include minimizing crashes, performing customer support, and other such uses that would be more acceptable in my opinion. Then again, maybe Mozilla just didn't know which category best fit and decided it made more sense in analytics. I guess the actual use matters more than the label. A rose by any other name is still a rose.

Safari

[Screenshots: Safari’s App Store privacy label, which needed two screenshots to capture]

The fact that I had to take two screenshots to capture all of Apple’s collected data should tell you everything you need to know right off the bat. Safari offers virtually no privacy, collecting “User Content,” “Device ID,” “product interaction,” “Browsing History,” and even “Coarse Location.” I’m not even gonna bother going into detail here. Safari is obviously out.

Winner: Brave

Loser: Safari

Brave is the clear winner by collecting so little data, and most of it being voluntary. While DuckDuckGo and Firefox Focus aren't as good, they're still miles ahead of Safari's invasive policies. And Apple is marketing themselves as a privacy-respecting company...

Browser Fingerprinting

But protecting your data from Apple is probably the lowest concern, honestly. Apple conceivably could already have access to everything on your device. How does your browser protect you from others? For this portion, I used EFF’s Cover Your Tracks to test the level of browser fingerprinting each browser revealed. I chose this tool because, unlike other tools, it doesn’t give you a result based on other visitors – which is obviously a biased result (the vast majority of people don't visit those sites, so you're getting a skewed sample right off the bat) – but rather based on commonly used and known tracking technologies, giving you an objective score based on how many points of data you leak. So in other words: the fewer points of data, the better.

There isn’t much to say about each section, and I didn’t want to go into detailed results, so instead I’ll just list them. Surprisingly, Safari comes out on top here with only 15.7 bits of information. An interesting thing worth noting: when I originally ran this test, I forgot to shut off my AdGuard DNS and tell Firefox Focus not to integrate with Safari, which resulted in a much higher number (16.02, if I remember correctly). So remember that sometimes doing too much makes you stand out more.

Brave: 18.03
DuckDuckGo: 16.03
Firefox Focus: 16.02
Safari: 15.7

Winner: Safari

Loser: Brave/DuckDuckGo

The reason I call the loser here a toss-up is because it turns out that Brave has a built-in fingerprint randomization feature. So while Brave technically leaks more bits of data, that data should – in theory – be different every time, making it effectively useless for tracking. Personally I would prefer my browser simply leak as little data as possible, and if you agree then Brave is the clear loser here. However, if you see the value in a randomized fingerprint – which I think is a clever solution to the problem – then DuckDuckGo is the loser here by a narrow margin.
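To make the “bits of information” numbers above concrete, here is an added Python example (my own illustration, not code from the post, from EFF or from Cover Your Tracks). It computes identifying bits the way fingerprint entropy is usually reasoned about: each attribute value is worth -log2(p) bits, where p is the share of visitors that share the value. The 16-visitor sample and the population figure are constructed assumptions; the tuple-level function also shows why per-attribute bits don’t simply add up when attributes are correlated, which is one reason the same browser can score differently from one run to the next.

```python
import math

# Constructed sample of what a fingerprinting endpoint might observe from 16 visitors.
# Each tuple is (browser, time zone, screen size). Invented data for the example,
# not measurements from Cover Your Tracks or from the post.
SAMPLE_VISITORS = [
    ("Safari", "UTC-5", "390x844"), ("Safari", "UTC-5", "390x844"),
    ("Safari", "UTC-5", "375x667"), ("Safari", "UTC-5", "412x915"),
    ("Safari", "UTC-8", "390x844"), ("Safari", "UTC-8", "390x844"),
    ("Safari", "UTC-8", "375x667"), ("Safari", "UTC-8", "412x915"),
    ("Chrome", "UTC-5", "412x915"), ("Chrome", "UTC-5", "390x844"),
    ("Chrome", "UTC-8", "412x915"), ("Chrome", "UTC-8", "390x844"),
    ("Brave", "UTC-5", "375x667"), ("Brave", "UTC-8", "390x844"),
    ("Firefox", "UTC-5", "375x667"), ("Firefox", "UTC-8", "390x844"),
]


def attribute_bits(sample, index, value):
    """Identifying information carried by one attribute value: -log2(P(value)).

    A value shared by half the visitors is worth 1 bit; one shared by 1 in 8
    is worth 3 bits. Rare values are what make a browser stand out.
    """
    count = sum(1 for row in sample if row[index] == value)
    if count == 0:
        raise ValueError(f"value {value!r} never observed in sample")
    return -math.log2(count / len(sample))


def naive_total_bits(sample, fingerprint):
    """Sum of per-attribute bits; this silently assumes the attributes are independent."""
    return sum(attribute_bits(sample, i, v) for i, v in enumerate(fingerprint))


def exact_bits(sample, fingerprint):
    """Bits from the whole tuple at once: -log2(share of visitors with this exact fingerprint)."""
    count = sample.count(fingerprint)
    if count == 0:
        raise ValueError("fingerprint never observed in sample")
    return -math.log2(count / len(sample))


def bits_to_single_out(population):
    """Bits needed to pick exactly one person out of a population of the given size."""
    return math.log2(population)


if __name__ == "__main__":
    # Assumed population figure, only for scale; not from the post.
    print(f"bits to single out one of 7.9 billion people: {bits_to_single_out(7_900_000_000):.2f}")
    for fp in [("Brave", "UTC-5", "375x667"), ("Safari", "UTC-5", "390x844")]:
        per_attr = [round(attribute_bits(SAMPLE_VISITORS, i, v), 2) for i, v in enumerate(fp)]
        print(f"{fp}: per-attribute {per_attr}, naive sum {naive_total_bits(SAMPLE_VISITORS, fp):.2f}, "
              f"exact {exact_bits(SAMPLE_VISITORS, fp):.2f}")
```

The naive sum for the Brave visitor (6 bits) exceeds the exact tuple figure (4 bits, since that combination is simply one of 16), while for the common Safari combination the two agree. That gap is why a single score such as “18.03 bits” is a useful ranking signal but not a precise count of how identifiable you are, and why randomizing a value each session (as Brave does) undermines the per-attribute surprisal even though the reported number looks worse.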

Browser Speed

For my last objective test, I decided I wanted to see what browser was fastest. For this, I used Speedometer 2.0, a general browser speed test developed by Apple that simulates a variety of user actions and measures the speed of various points like CSS, JavaScript, and DOM APIs. The results are measured in “runs per minute” with a margin of error. As with everything on this list, your exact speeds may vary with your hardware and internet connection (I used an iPhone 6S on a gigabit wifi network), but I tried my best to pick a service that would remove those variables as much as possible from the equation.

Brave: 49 (+/– 0.53)
DuckDuckGo: 54.4 (+/– 0.81)
Firefox Focus: 53.86 (+/– 0.5)
Safari: 51.8 (+/– 1.9)

Winner: Brave

Loser: DuckDuckGo

Features

Now let’s get down to some subjective features that are harder to quantify.

Brave

Brave has the unique feature of being built privacy-first. Brave ships by default with an ad-blocker and HTTPS Everywhere, meaning it will automatically upgrade all eligible sites to a secure connection, as well as some light script blocking. That’s definitely something most browsers can’t say. However, the ad-blocking can be easily replicated with the mobile DNS of your choice, and HTTPS Everywhere isn’t really necessary in today’s day and age where 95%+ of the average user’s time on the internet is encrypted. I do have a couple of deal-breaker issues with Brave, but based on my research I think these are bugs (possibly due to my having such an old device) rather than actual shortcomings. First is that I was unable to easily find a way to clear my entire history. I think it’s been removed in the newest mobile version for my device. Personally I view having web history in general to be a huge risk. Past malware – both desktop and mobile – and malicious apps have been able to scoop that up before. So for me I value having a browser that will clear my history without me thinking about it. One way to get around this – which brings us to my second issue – is to use Private Browsing; however, as soon as you close and reopen the app you end up back in regular browsing mode. Others have not reported this issue – either the history clearing or the private mode – but this ticket shows that I’m not the only one with this issue.

DuckDuckGo

DuckDuckGo has a few unique features that I actually like, and I don’t really have anything to knock it for. I’m skeptical of DDG as a company overall, if we’re being honest, but they seem to have built a really solid browser. First off, DDG, like Brave, is another company that built its browser with user privacy in mind. The browser comes prepackaged with tracker blocking software, as well as HTTPS Everywhere. In fact, DDG and EFF recently teamed up to use DDG’s web-crawling bot to make HTTPS Everywhere even more effective and comprehensive – constantly learning via AI rather than occasionally updating with crowdsourcing. And DDG has two ways to clear your browsing data: automatically (upon app exit, optionally with a time delay) or manually with the simple tap of a button. As a neat little UI feature, they also tell you everything they’ve blocked on each site (though Brave does also give you both a site total as well as an overall total when you first open the app).

Firefox Focus

Firefox Focus is a pretty standard browser with a couple of drawbacks that I could live with but would prefer not to. First the good side: it automatically clears data on close without any prompting, and it offers to integrate with Safari so that anything that opens in Safari will benefit from Mozilla’s tracking protection. The downsides: there are no tabs (you only get the single page you’re on), you can’t download images by holding them and saving them to the camera roll, and Mozilla has straight up said that Focus is a low priority for them, so even though it claims to be extra focused on privacy (no pun intended), it rarely gets updates, which includes the tracking protection lists. For example, the last four update versions at the time of writing were released as follows: April 13, 2021; November 13, 2020; September 1, 2020; and February 26, 2020. DuckDuckGo, by comparison, seems to push out updates at least once per month, usually two or three times. All this to say that while Firefox Focus is not a “hard pass” for me, I don’t think it’s the best choice.

Safari

As far as I’m concerned, Safari only has two things that make it worthwhile: it naturally integrates very well into the iOS platform, and the private mode stays active even when you leave the app. If I set Safari into private mode and close it, when I re-open it, it will stay in private mode (remember that for most users, Brave will do this, too, but if Brave doesn't for whatever reason, Safari should). I will still be responsible for manually closing out my tabs, and I will have to enable HTTPS Everywhere via the menu. Likewise, I will need to use an alternate DNS if I want to block any ads. As of iOS 14, Safari does block some third-party trackers, so there is a baseline level of privacy there. The only major ding I can think of on Safari is that the app integration doesn’t preserve Private Browsing. For example, if I peruse Mastodon and see a link I want to click on, the link will natively open in Mastodon but will not open in a private browsing window, meaning that link now goes in my browser history and the data gets preserved until I manually go in and clear my browsing data, at which point I also have to switch back to a private-browsing tab.

Winner: Brave/DuckDuckGo

Loser: Firefox Focus

Putting aside my personal bugs that I experienced with Brave, I think Brave and DDG both offer competitive results in terms of features. Tabs, ability to clear history automatically, built-in security and privacy features, etc. I think the only small edge DDG has is the one-click burner button that allows you to clear your current session instantly (and maybe the fact that it doesn't save your history by default, though I guess some people may want to save their history for whatever reason). With Brave you would have to close it out and re-open it to simulate the same effect. Firefox is clearly the loser here as it has almost no features or advantages and in fact has a few drawbacks (the lack of image saving and the single tab).

Final Verdict

Winner: Brave

Brave won the privacy policy section, but only by a thin margin (compared to DDG and Firefox Focus). Safari won the fingerprinting section by an impressive shot, but I think Brave’s low performance can be excused when you remember that the fingerprint is randomized every time, meaning that tracking is considerably more difficult and the bits shared may vary depending on the fingerprint used. For the speed portion, Brave blew everyone out of the water. However, I think the features section is where things start to get muddy. Due to the major issues I – and others – have with Brave’s functionality, I do want to list my suggested runner-up: DuckDuckGo. While DDG scored mediocre on most of the tests, I found the wide range of features and functionality made it superior to Firefox Focus, and compared to Safari you lose almost no features but gain a massive privacy improvement. If Brave works correctly for you (ex, clears your history and allows for always-private mode), I think Brave is the winner. But I think DDG makes a very close runner-up and is acceptable if Brave doesn't work for you for any number of reasons.

“But WebKit...”

There are two main arguments for why you should just use Safari on iOS as opposed to any of the other popular choices, and while I know this blog is getting long, I want to address them here and now.

1) “It’s all WebKit.” Basically, Apple has locked down their ecosystem so tightly – at least in part due to security – that all browsers are essentially just forks of Safari. This is true. But the logical assumption is that because it’s a fork of Safari, Apple can see anything you do on that browser as well. As far as my research can tell, this does not happen. I was unable to determine if that’s due to Apple’s policies or due to technical limitations, but at this point in time unless someone comes forward with an empirical, documented case and not just anecdotal evidence or hypothetical conjecture, I’m forced to conclude that this is a non-issue. I don't like to spend too much time on unsubstantiated “what-ifs.” It makes things paranoid and untrustworthy very quickly.

2) JavaScript. Once upon a time, Apple would hamstring competition by forcing them to use WebKit’s older version of JavaScript instead of the new JavaScript Nitro, which was reserved for Safari alone. This however stopped being true as of iOS 8. Therefore this is also a non-issue.

Conclusion

The entire idea of a mobile browser is that you use it in emergencies, limited situations, or as an alternative to an app. Ideally, you should use your mobile device as a whole, including the browser, as little as possible. Rather, you should browse on desktop where you have significantly more control over things like blocking JavaScript, using Containers, virtual machines (if necessary), and stronger anti-virus. I realize that for some people that’s not an option, but for those who do have that luxury, use it!

I realize that browsers are one of those areas where everybody’s going to have an opinion. It’s also important to remember that what matters to you remains a critical factor here. In my situation, Brave wasn’t the winner – despite objective superiority – due to bugs. In your situation, you may prefer Firefox because you don’t trust Brave or DuckDuckGo. Some people may be willing to give up some privacy for Safari so they can have the integration or sync across the Apple ecosystem for whatever reason. My goal with this site was never to tell you what to think, only to give you the tools you needed to make an educated decision. You now have some information. Good luck!

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Tomorrow is Mother’s Day here in the US. (That was your last reminder to buy a card.) Happy Mother’s Day to all the moms out there! As a general rule, most mothers care deeply about their children and want them to be safe, happy, and successful. And as a general rule, today we are faced with a myriad of threats that we never before faced online, some more likely, more dangerous, or harder to defend against than others. So this year, I’d like to offer all the moms out there some encouragement with a quick guide on how to help protect your kiddos online. This post assumes your kids are coming up on or around the preteen age – basically still at that age where you are heavily involved in their decision making but it's time to start teaching them to be independent.

Freeze Your Credit

This is something I harp on a lot but with good reason. Identity theft of minors is still on the rise and is a hugely lucrative market. Think about it: if your kid is five and I steal their identity, I can open up credit cards in their name that won’t be detected for at least ten years. Credit freezes are non-negotiable – and free – if you’re a US resident. Equifax and TransUnion will require you to create an account, but Experian still uses a PIN-based model. I recommend doing this for your child and holding onto this information until they’re old enough to start doing things like getting jobs and opening bank accounts. You can find more information about the process here.

Operational Security (aka OPSEC)

I’m sure this goes without saying but this really is the biggest and most obvious thing out there: make sure your kids know not to give any details to strangers. “Details” varies from person to person. For example, saying you’re from New York City is probably fairly safe – there are over 10 million people in the city. Saying you’re in Brooklyn or Mountain View, Idaho – probably less safe. Interests, I think, are probably less dangerous than personal information like real names (especially if the name is unique), dates of birth, schedules, and locations. Again, this is probably common sense for parents these days, but it’s worth saying.

Disinformation

In fact, I would argue that it’s valuable to actively encourage your child to engage in disinformation online. Say you’re from Los Angeles if you’re really from San Diego. Say your name is Jake when it’s really John. If there’s anything we’re learning it’s that disinformation is becoming vital to outsmarting people search sites and data aggregators these days. Not to mention the rampant data breaches which are becoming an almost daily occurrence. It’s only a matter of time before that forum your kid signed up for gets hacked. Train your kids young how to use disinformation effectively and when to use it. And on that topic…

Compartmentalize

This is more something you may want to do with your kids rather than just talking to them and leaving it up to them, but teach your kids the value and proper execution of compartmentalizing. They want to sign up for a new game? This is a good opportunity to teach them how to use AnonAddy or SimpleLogin and Bitwarden. Teach them how to randomly generate usernames that don’t reveal anything about them by using Bitwarden to generate a passphrase and then use two of the words. My recommendation is to have a unique forwarding email, unique password, and unique username on every site, all recorded in your password manager. This will make any potential stalker's job significantly harder – though not impossible.
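The username-from-passphrase-words trick above can be done by any password manager, but it is worth seeing what actually makes it safe. The following is an added Python example (my own, not code from the post, from Bitwarden, AnonAddy or SimpleLogin): it draws words with a cryptographically secure generator, computes the guessing entropy of the scheme from the wordlist size, and checks the result against a list of personal terms so a real name or birth year never leaks into the handle. The short wordlist is a constructed stand-in; real lists such as EFF’s long list have 7776 entries, which is the figure used in the entropy calculation.

```python
import math
import secrets

# Constructed stand-in for a password manager's passphrase wordlist. Real lists
# have thousands of entries; this one only exists so the example runs offline.
WORDLIST = [
    "anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def random_username(wordlist, word_count=2, separator=""):
    """Pick word_count words using the secrets module (a CSPRNG), never random.choice."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return separator.join(w.capitalize() for w in words)


def username_entropy_bits(wordlist_size, word_count=2):
    """Guessing entropy of the scheme: word_count * log2(wordlist_size).

    Two words from a 7776-word list give about 25.8 bits, enough that nobody can
    link the handle to you, which is the goal here (this is not a password).
    """
    return word_count * math.log2(wordlist_size)


def reveals_personal_info(username, personal_terms):
    """True if any real name, birth year, city, school, etc. appears inside the username."""
    lowered = username.lower()
    return any(term.lower() in lowered for term in personal_terms if term)


def build_username(wordlist, personal_terms, max_tries=100):
    """Generate a username that contains none of the caller's personal terms."""
    for _ in range(max_tries):
        candidate = random_username(wordlist)
        if not reveals_personal_info(candidate, personal_terms):
            return candidate
    raise RuntimeError("could not find a username free of personal terms")


if __name__ == "__main__":
    # Constructed personal terms for the check; use the child's real name, year, town.
    personal = ["Jake", "2010", "Springfield"]
    print("username:", build_username(WORDLIST, personal))
    print(f"entropy with a 7776-word list: {username_entropy_bits(7776):.1f} bits")
```

Pair the generated handle with a unique forwarding address and a generated password, and record all three in the password manager; the point of the personal-terms check is that a handle is only a good compartment if nothing in it can be joined back to the child’s other accounts.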

VPNs

Normally I say VPNs are a lower concern, but when we’re talking about keeping kids safe I think they’re a bit more important. Realistically, the odds that your kid is facing attention from a sophisticated predator are low, but technology is getting easier and more user-friendly by the day. Something like figuring out your IP address was a monumental task ten years ago. These days it’s as easy as getting your kid to click on a link – which is probably pretty easy. Kids are kids. Even if you educate them, they’ll make mistakes. Keeping your kids’ devices safely behind a VPN at all times will reduce the risk that if they slip up, a predator can grab their IP address and therefore their real location (sometimes accurate within a couple blocks).

Apps

Up until now, I’ve framed most of my recommendations in the context of protecting your kids from predators, but those same techniques can be used to help your kids defend against the ever-growing surveillance capitalist state. One super important thing you can do to help protect your kids is to teach them to be judicious with the apps they install. Kids are fickle and are not prone to thinking ahead. If all their friends are jumping on the TikTok bandwagon, they may want to as well without realizing how incredibly invasive social media and other such apps can be (and also how quickly these fads will blow over. Anyone remember Snapchat? Or Vero?). Create an environment where you talk about every app they want to download, and you can help them see that it may not be worth it, or how to mitigate the risks (ex, only using Facebook on desktop rather than the app).

Settings

Another major life skill you can teach them is to evaluate the settings on any new account. If your kid wants to sign up for something and you have talked to them and approved it, go through the account settings with them and help them figure out which settings they can safely disable (like public posts). The key there was to go through it with them, not for them. The goal is to teach your kids to be smart, critical-thinking, productive members of society who can look out for themselves. Don’t just make changes and hand the phone back to them. Talk to them about each setting, what are the benefits and risks of each, etc. You’re not always going to be there to make decisions for them. Teach them how to make their own decisions.

Schools

Schools are not immune to the data breach phenomenon. In fact, they’re a big target because they contain so much sensitive information. I don’t know exactly what information is required to register a child in school, but honestly I think you should lie on as much of it as possible. I personally think everyone should have a PO Box if possible, so use that for your home address. Or use the address of a relative who doesn’t have kids (with their consent). Or a local hotel. I realize that one is tricky because it may put your kid in a different school district, so plan ahead there. Put in a Voice-over-IP phone number instead of your SIM number. Recently several schools have suffered data breaches that resulted in information as sensitive as age, date of birth, and home address. That could make your child a perfect target for a predator and lead them literally right to your home. Make sure to obfuscate anything that might lead a predator back to your child. I also strongly encourage you to make specific email accounts and VOIP numbers for school-related business for this same reason.

School Devices

A big concern with schools these days has become technology and online learning. Schools have begun using Chromebooks as their de facto devices because Chromebooks are cheap, but there are many concerns that this has a “get ‘em while they’re young” effect, turning children into lifelong Google users with a long, ripe trail of data to be harvested. This has become a threat unto itself. There are a lot of questions and concerns about how to use a school-issued Chromebook right, which I addressed in this blog post late last year. If your situation allows, personally I wouldn’t even use the school-issued device. I’d create a virtual machine on your home computer, or use your backup browser (such as Brave or Firefox) for online meetings. Resist the urge to sign up for Zoom or download the app, even if it sounds convenient.

Conclusion

Personally I don’t believe in “the good old days.” I think society has always had problems, even if they were better hidden. We all look back at the past through rose-colored nostalgia glasses. Having said that, I really do think we live in times with a new set of threats to beware of. Not to be an alarmist, but I also think it’s worth noting that statistically, a person is most likely to be victimized by someone they know rather than a total stranger on the internet. It’s a common human fallacy to misjudge what the real threat is or how serious that threat is. But that's not to say your children today don't face a wide variety of threats from both corporations attempting to hook, track, and control them from the get-go and from posting something that could come back to harm them in the future, either at the hands of a predator or at the rejection of a potential job or school. As a parent, it is your responsibility to protect your children and teach them to be responsible, both online and off. I hope this post hasn’t been too alarmist and makes you feel more equipped to know what threats to look for and gives you some starting points on how to mitigate them.


Recently, I posted an article on Mastodon about how the US Postal Service is scanning Americans’ social media accounts looking for “inflammatory” posts, typically relating to plans to attend or organize protests, ostensibly under the pretense of “national security.” The article attracted a short discussion wherein one of my readers asserted that this story was not a privacy invasion – nor even a privacy issue – because the information was posted in a public place – a public social media profile. I do agree with this person to some extent, so this made me think: why does this feel like such an invasion of privacy even though it’s kind of technically not?

The “Expectation of Privacy” is a legal test that began in 1967 with the US case Katz v United States. Charles Katz had used a public phone booth near his Los Angeles apartment to submit gambling information across the country to bookies in both Boston and Miami. What he didn’t know was that the FBI had begun to investigate his illegal gambling and had wiretapped the phone booth without a warrant. This is where things got sticky. The FBI believed that since the phone booth was public, it therefore constituted a public place where you should have no expectation of privacy. However, Katz felt that the phone booth suggested a reasonable expectation of privacy – which makes sense, honestly. The doors close and stuff, who wouldn’t expect at least SOME privacy in that situation? You would certainly be annoyed and offended if some stranger stuck their ear to the door to try and eavesdrop, right?

The Expectation of Privacy test has two parts, and the second part is – I think – what really makes it work: “the expectation is one that society is prepared to recognize as reasonable.” I can drop my pants and start urinating in Times Square and expect privacy, but society doesn’t agree. Just as with debates about crime and legalization of various vices, there are obvious situations where we as a society can all generally agree that you have no expectation of privacy. We all may disagree on whether or not hard drugs should be legal, but we can all generally agree that murder should not be. We may all disagree on whether or not scraping public social media is a privacy violation or not, but we all generally agree that scraping texts without some kind of legal validation definitely is.

Let me back up: this blog post is not here to argue where the expectation of privacy begins and ends. Smarter people than me have spent decades fighting over that and likely will spend decades more. Rather, this post is to argue that what we experience today is not a violation of our expectation of privacy: it’s a violation of our expectation of not being stalked. And that is what bugs me about USPS – or any public (particularly government) entity – scraping public social media posts. It’s one thing for someone to stumble across a violent post and go “whoa, somebody needs to take a look at this.” It’s another thing for someone to look at every post with the intention of finding a problem.

About a year ago, a friend randomly texted me as I was leaving the grocery store to say that she had seen me. My first thought was “how did she recognize me? Everyone is wearing a mask!” Then I immediately remembered I have very unique, prominent, and often-visible arm tattoos. I don’t remember what my reply was, but obviously it wasn’t offense. I was at the grocery store in a T-shirt, I had no expectation of being anonymous or not-recognized. Just because I wasn’t going around wearing a name tag doesn’t mean I expected not to be seen or noticed. However, my friend didn’t follow me home from there. She didn’t write it down in a notebook and go “1:15 PM: saw Nate at the grocery store on the intersection of Main and 6th.” She didn’t ask me what I bought or why I was there. And this is what makes the abuse of our public use of technology so offensive to me.

In the above story, the USPS is actively scanning people’s public posts and looking for information. This is the issue that I personally have with surveillance, and I don’t think it’s a stretch to assume that most of my readers will agree with me on this. I have no issue with the public space being legally open to scrutiny. If I drive my car down a street, I fully expect that somebody will see it, and maybe even say that in court as part of a witness testimony about something. But imagine if every person I passed on the street posted to a Twitter account saying “Nate’s car was at this intersection at this time,” especially if there's nothing noteworthy happening. That’s different. There’s a huge difference between happening to notice or see something in a public space and actively stalking someone in a public space. And furthermore, there’s a huge difference between saying “I noticed that guy acting suspicious, let me follow up on that” and following up on every person you see even if they haven’t done anything suspicious. As most of us know, if you go looking for a specific problem, you can probably find it.

As I mentioned, I have tattoos. Let’s say someone sees my tattoos and goes “oh that guy’s a thug, he’s up to no good” and begins to follow me around. This may come as a shock to some of you, but I am not a perfect person. If you follow me for long enough, you’ll certainly find me doing something wrong – either an illegal turn, speeding a little over the speed limit, jaywalking to the convenience store across the street, etc. But actually, a stalker could very easily catch me planning arson on any given day at work. I regularly joke at my day job about just burning down the building when the project starts to get stressful or go wrong. I realize that may not be funny to everyone, I have a very dark sense of humor. My coworkers, however, have worked with me for almost two years. They know I’m not a pyromaniac, they know I have no interest in actually burning anything down, and they know I’m just venting, but imagine a total stranger who – again – just says “that guy is sus cause of his tattoos.” Aha! He said ‘let’s just burn the building down, no more problem!’ Clearly he’s planning arson! Context matters. Now granted, this is not a one-to-one comparison. The arson joke is one I only make when there’s nobody around – no clients, no other contractors from other companies, etc – and only to my coworkers. I expect that I have some privacy because I’m being careful where I make that joke. But the point is, if somebody wanted to find illegal behavior from me, they don’t have to look hard to make a case. Probably not one that would stand up in court, but still.

This is what companies do to us every day, and this is what USPS is doing, and I have a lot of issues with this (as you probably do, if you've read this far). I have no issues with someone seeing me do something wrong in public and reporting it. I have no expectation of privacy. But I do have an expectation to not be stalked, especially if I’m not doing anything wrong. The ever-annoying “nothing to hide” argument says that if you aren’t doing anything wrong, you have nothing to fear. However, I view it the other way around: if I’m not doing anything wrong, you have no reason to be looking at me. If I’m under suspicion, it should be – and is – very easy to get a warrant to do some digging. And if you come to my door with a warrant, I will begrudgingly let you in. However, I take great offense to somebody keeping tabs on me “just because.” Maybe someday I might maybe possibly do something wrong possibly in some way maybe. So let’s keep a permanent record of this person and watch them just in case. There's no way that can go wrong.

This is the opposite of freedom. This is a panopticon, and studies have shown that people who believe they are under surveillance act differently. They are more afraid to educate themselves, even on important issues, lest they be mistaken for a troublemaker. They’re more afraid to speak out because it might come back to haunt them. They’re more afraid to stand up for something unpopular that they believe is right. Just because nobody has put a physical gun to your head doesn’t make this any less coercive or threatening. When I step out my door or post something to a public forum, I have no expectation of privacy. I accept that I have no control over who will see me, what they’ll say, who they’ll tell, or any of that. But I think the moment that person decides to target me – to start following me, taking notes, trying to find all my accounts across various sites, and stalking me – for any reason, whether it’s “for my own safety” or “because I look a certain kind of suspicious” or whatever – now we have a problem. I have no expectation of privacy in public, but I do expect not to be stalked.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

I try to end most of my blogs on some kind of uplifting “call to action,” either to keep up the good fight, better your own privacy and security, or something similar. I don’t expect this post will end the same way.

I’ve never heard this term before but I’ve certainly experienced it and you probably have, too. Recently, a Reddit user posted about “the privacy paradox.” This user shared their story about how they were discussing user engagement in a Discord server with some friends, so they decided to download the chat history and analyze how much each user contributed to the conversation. Much to the surprise of the storyteller, the other members of the channel took extreme offense to this and viewed it as a violation of trust, expelling the person from the server and even losing some friendships. Yet, as the post points out, this was public information, and information Discord already had. What was the difference between a server member analyzing the data for fun and a random Discord employee reading it for marketing? It was total hypocrisy.

If you’ve been into privacy and security for any amount of time and tried to get somebody to switch to a better service, product, or solution, you’ve likely been met with this exact same type of behavior, though maybe with a less extreme reaction. Someone I know had their card number stolen from the PlayStation marketplace last year. When I tried to preach to them the value of privacy.com (referral link) in such a situation, I was met with unbelievable pushback about how this is rare, how normally that person is so good about not saving payment information on any websites, blah blah blah. I kept coming back to “and yet, a mistake was made and it happened.” Why so much pushback on something that’s free and could easily save you so much headache in the future? Why put up with having to cancel your card, get a new one sent to you a week later, and put in your card information again every time you pay the electric bill?

I have never understood the way some people fight me so hard on my attempts to make their lives easier. I’ve mentioned in the past that the way that I commonly push Bitwarden is by explaining how it makes your life more convenient: “tired of trying to remember your passwords? Use Bitwarden. And as an added bonus, you can make better, more secure passwords.” And yet, somehow I still get so much resistance to just trying it. “Eh, then I gotta import all my passwords and change them all and blah blah blah.” Dude, it’s free! Start by adding them one at a time, change them later. Nobody ever said you have to sit down and do them all in one sitting. And even then it somehow still takes them a month before they go “so I decided to try out Bitwarden… and I love it.”

Normally when I talk about these topics, I share the solutions I’ve found or heard others say worked. But this time I don’t have one. I mentioned in the past that my partner only began to aggressively use Signal and a VPN on her device after being told that the company monitored the WiFi. Despite the fact that I had told her this many times before, somehow hearing it directly from her boss made it real. It was amazing watching my brother attend a local Black Lives Matter protest last year (with his Android phone in his pocket, probably) while still posting on Facebook and shopping on Amazon. Granted, that last one is more about political views than privacy, but the point is that it’s just amazing to me how people are so resistant to change for any reason, whether that’s to make their own lives easier or even just to simply be more aligned with their own ethics.

I grew up Protestant Christian. (That means “not Catholic” for those who don’t know.) A major tenet of Christianity is to proselytize to others: to spread the “Good News.” I don’t really have any issues with this, but I decided real quick what my method of evangelism would be: setting the example, “walking the walk.” Matthew 5:16 says “let your light shine before others, so that they may see your good works and give glory to your Father who is in heaven.” (ESV) In other words, set a good example and others will notice. My style was not to pass out flyers on the street corner or yell at strangers with a megaphone – I hated that back then and I still hate it now – but my style was to live in such a way that people went “wow, you really believe this stuff, let’s talk about that.” Believe it or not, it was quite effective. I had many friends who would never set foot in a church or open a Bible come to me often and ask serious, genuine questions: “What does the Bible really say about X?” “What’s your opinion on Y?” “Why Z?” They knew that I wouldn’t judge them, that I wasn’t trying to force my beliefs on them, and that I was educated enough to give them not only my opinion but also any popular alternate interpretations.

I bring that up to say this: I think the best way to handle the privacy paradox is to be the light yourself. A lot of people suggest a good way to reach your friends and family is to do dumb sh*t like start recording them when you’re together, go through their phones, hack their Facebook, etc. That’s awful. The privacy paradox is very real, and it just proves that your friends – or soon-to-be ex-friends – will think you’re a colossal ass and stop hanging out with you while continuing to use Facebook or Google or Amazon. It’s infuriating, it really is, but it’s beyond your control. You can’t forcibly change somebody’s mind by beating them over the head with your opinions, even if they are right opinions. The best you can do is to let them know where you stand and work on yourself. Hopefully, in time, they’ll ask you about it and maybe you can even sway a few people. This is a topic that overlaps a number of other blogs I’ve written, such as Why Your Individual Privacy Matters for the Wider Population, Why You (Yes You, Reading This) Need to Take the Lead in Privacy & Security, and How I’ve Convinced People Around Me to Care About Privacy.

Ultimately, as I said up top, this blog is not a call to action; rather, it is to raise awareness. The privacy paradox – whatever name it goes by – is a real thing that you should be aware of. Your friends may be hemorrhaging data to Big Tech and living in hypocrisy – either out of ignorance or convenience – but that doesn’t mean you should take them up on that lifestyle, whether for a good purpose or to show them the error of their ways. It’s ultimately something you’ll just have to accept. Personally, I have a reputation for being kind of a jerk among my social circles: Nate is a guy who will tell you the truth without sugarcoating it. “Yeah, that dress does kind of make you look fat.” “Yeah, you are kind of in the wrong in this argument.” “Yeah, that was a really stupid thing to say/do and you should probably apologize.” I’m fortunate enough that me going “hey, just wanted to make sure you’re aware: Amazon is licensing racist facial recognition technology to cops, so if you’re gonna be all ‘defund the police’ that means you gotta stop using Amazon” is actually a pretty common thing for me to say, where my friends will typically roll their eyes and go “yeah, I know,” to which I say “okay, just making sure you were aware. You do you.” I don’t keep harping on it, I don’t go “but don’t you see the hypocrisy?” They know that whenever they want to make a change, I’ll be more than happy to recommend alternatives or help them mitigate the existing services. And sometimes they go “oh, actually I didn’t know that” and I can go “yeah, I can send you a few articles if you want.” And that opens the door for us to talk about alternatives to Amazon or ways to reduce their data collection.

I feel like this blog was a little all-over-the-place and I apologize, but when I read that Reddit post earlier it stuck with me because I, too, have seen that mentality in action. Like I said, this post is to call attention to it. It’s a real thing that we have to be aware of as we interact with non-privacy people. It doesn’t make sense and it’s frustrating, but humans are illogical creatures and that means we have to learn how to deal with that fact as we push for change and progress in the future. Live long and prosper, I guess.


Movie Review: Coded Bias

A new documentary about the intersection of technology and privacy has hit Netflix. “Coded Bias” released on April 5, 2021 on Netflix and immediately attracted buzz – it's currently high on the Top 10 (I think #4?) in the US as I write this. Even my partner noticed it and alerted me to check it out. Ironic that Netflix pushed a movie about the dangers of algorithms so hard, but here we are. So how does it stack up? Is it worth watching? Does it tackle the issues well? Is it a good resource for your non-privacy/non-techy friends and family? Here are my thoughts.

About the Director & the Film

The film was directed by Shalini Kantayya, an environmental activist “whose films explore human rights at the intersection of water, food, and renewable energy.” She has a master’s degree in Film Direction, and has received recognition from the Sundance Documentary Program, IFP Spotlight on Documentary, New York Women in Film and Television, John D. and Catherine T. MacArthur Foundation, and the Jerome Hill Centennial. She is a Sundance Fellow, TED Fellow, a finalist for the ABC | DGA Directing Fellowship, and a William D. Fulbright Scholar.

Coded Bias primarily follows Joy Buolamwini, a Ghanaian-American computer scientist and Ph.D. candidate at the MIT Media Lab. According to the opening minutes of the film, Buolamwini first discovered racial bias in facial recognition algorithms when she attempted to make a proof-of-concept art project that relied on the technology. The camera almost never detected her face no matter the lighting conditions – until she put on a plain white mask. This prompted her to dig deeper. The movie follows Buolamwini’s journey and features a number of interviews from experts in the field and real footage of real-life events as she goes.

The Good

I think perhaps the coolest thing to me is the real life, on-the-ground footage of certain events. For example, at several points in the movie, the filmmakers are in London alongside a civil rights group called Big Brother Watch. The group stands outside an area where the police are using facial recognition cameras – clearly marked with signs – and tries to hand out flyers and inform people of the flaws and risks of facial recognition. At one point, the crew gets firsthand footage of a man who pulled his shirt up over his face when he saw the signs as the police follow him and force him to identify himself. Later, a black teenager is pulled aside and ID’d because the cameras falsely identified him in a face match database. Seeing these situations happen firsthand – not through re-enactments or interviews – really got my blood boiling. And that’s good. Humans are emotional creatures. The 1976 film Network is about the media, its sensationalism, and its exploitative relationship with viewers. At the climax of the film, the star makes a legendary speech, at one point declaring “I don't know what to do about the depression and the inflation and the Russians and the crime in the street. All I know is that first, you've got to get mad. I want you to get up right now and go to the window, open it, and stick your head out and yell, ‘I'm as mad as hell, and I'm not going to take this anymore!’” Personally, I think this is where we are as a society. First, we’ve got to get mad. We’ve got to touch on that human emotion that spurs people into action where we say “enough is enough,” and I personally was blown away at the film’s ability to do that, to show firsthand, real-world, actual situations where algorithms have gone wrong. Sure, there’s plenty of “think of the bad things that might happen,” but none of that is as powerful as watching a slightly traumatized 14-year-old black kid get pulled over by three plain-clothes police officers who then come back and try to stop the representative from Big Brother Watch from giving the kid a flyer and explaining what the hell just happened. I’m getting mad just remembering it. Let’s move on.

Relating to that previous point, I think the film does a great job of presenting a variety of stories – real stories, not just hypotheticals. They show the two incidents in London I mentioned. They go to an apartment building in Brooklyn that tried to use facial recognition in lieu of keys and to maintain order among residents. They even visit China and ask one girl’s opinion on the Chinese use of social credit and the daily ubiquity of facial recognition. Surprisingly, this girl presents some very positive aspects – I admire a film that can present both sides of the argument. The film then moves to the protests in Hong Kong and shows the dark side that China has used this technology for. The film is obviously overwhelmingly in favor of reining in algorithms and putting some regulation on them, but I still appreciate that they took even a few minutes to show the other side of the argument rather than just painting a biased “doom and gloom” picture the entire time.

The film also makes a point of continuously reminding the viewers that algorithms aren’t just used by police and advertisers, algorithms are used everywhere. They’re used to determine your credit limit, your mortgage, your insurance rates, your employment, whether or not your resume gets seen by a person, and more. I’m glad they drove that point home. A lot of people think of privacy in terms of “well I’ve got nothing to hide,” but the continual reminder of how much algorithms have permeated our culture shows viewers that this does affect you, even if you’re not an activist or a government employee or you live in a good neighborhood.

The Bad

The film is obviously – and ironically – biased. Of course, every documentary is. If you’ve never realized that every documentary you’ve ever seen has been made with an agenda to make you think a certain way, consider this your wakeup call. Every documentary has a spin. Even Planet Earth’s goal is to make you realize how cool nature is and make you appreciate and want to protect it. I think if the film really wanted a more balanced approach, they could’ve spent a little more time explaining the good sides of algorithms. That’s not to say I think algorithms are good – the film very clearly and plainly lays out why they’re problematic with both rhetorical and empirical evidence – but they could’ve done a slightly better job of presenting a less-biased story.

I think my biggest complaint is the pacing. The clips in London that made my blood boil were few and far between. Much of the movie is spent watching Buolamwini stare at a MacBook screen while talking about how she slowly began to realize the amount of control that the algorithms have over us, even in our daily lives and even here in the “land of the free.” There’s a lot of distracting jumping around with camera angles during the interviews, as if attempting to make the film more exciting and feel more energetic. All it did for me was make me motion sick. (Not literally, but it was a bit disorienting.) The first 15 minutes of the film are also painfully slow; it’s not until they get to London that things start to become engaging with the man who hid from the camera with his shirt.

Final Verdict

Despite the pacing issues, I whole-heartedly recommend this film. Force yourself to watch the whole thing, even if you find it boring. The topics covered are incredibly relevant and – as mentioned – permeate every part of our daily lives. There is nobody not affected by this issue, and it’s only in the last couple years that major attention has come to the issues with algorithms – from facial recognition to resume software – and this documentary barely scratches the surface. This technology is being used to score future criminals, rate students, determine college admissions, etc. I sometimes catch heat in the privacy community because I’m not 100% against certain technologies. This technology is a perfect example. It has its uses – I don’t think all possible applications of it are good, but some can be – but it also has a long way to go before even those few good applications are ready. This stuff has some serious bugs that need to be worked out, and until we as a collective society can shine a light on those and have those discussions we’ll never be able to even get that far. This is a conversation that we as a society desperately need to have. For those who are unfamiliar with this subject, I think this documentary is an excellent starting point.

More on the Movie

You can visit Coded Bias’s official website here. It is currently viewable on Netflix.


This will be a short but important post. This past week, I was forced to use my credit for fiber internet. I’ll be moving to a new place shortly, and while we had two choices of internet provider (both terrible), only one offered fiber for this location and I’ve become rather spoiled by my current fiber speeds (my current ISP is not available at the new location). After a couple failed attempts at social engineering, I agreed to go ahead and submit to a credit check. My threat model is relatively low, and I take other measures to protect myself – such as freezing my credit and using a reputable VPN on my entire router – so while I didn’t want to hand over my information I was willing to in this case, knowing that my resulting exposure – even in a data breach – would be relatively low and my other options weren’t great. I was surprised to learn that there have been some changes to the credit freeze management process since the last time I did it, and I wanted to make other privacy-minded people aware of it.

How it Used to Work

If you're unfamiliar with what a credit freeze does or how it works, in short it makes it impossible to open a new account or even check your credit report without the freeze being lifted first. As many of my readers may know – especially if you’ve read my site – it used to be that all three major agencies (Equifax, Experian, and TransUnion) worked the same: you apply for a credit freeze, they send you a PIN, you guard that PIN with your life because I can speak from experience that replacing it is a long and painful process, and if you ever want/need to unfreeze your credit for any reason – like to open a new account or buy a house – you use that PIN to unfreeze it. I also strongly encourage my readers to institute a fraud alert every year as a second layer of protection, as some clever social engineers have found ways around the PIN requirement.

What’s New

Currently, Experian still works on the PIN-based method. You can go to their website and create or lift a freeze without ever creating an account or signing in. Equifax and TransUnion, however, now require you to make an account to manage your freezes with them. It’s an annoying but straightforward change.

What I Recommend

No doubt some will be asking if I think this is a change worth worrying about. Should we stop freezing our credit because we have to make an account? Should we resist making an account? First off, you should still absolutely freeze your credit. The 2017 Equifax data breach proved that these companies have garbage security, do not take your privacy or security seriously, will face absolutely no consequences when they screw up, and you will not receive any kind of compensation or have any recourse (I’m still waiting on my <$10 settlement payment that was agreed to in July of 2019). These companies don’t care about you, won’t protect you, and have no incentive to do so. Take the responsibility into your own hands.

Having said that, my advice is to make your accounts right now for two reasons. First is the fact that these companies already know everything about you and are tracking you. Whether you sign up for an account or not doesn’t change that. Just to clarify: there are ways to severely limit how effectively these companies can stalk you. I outline several on my website, and there are countless other great resources I recommend that expand on these principles and have even more advice. What I’m not saying is “they’re gonna track you and there’s nothing you can do about it,” what I am saying is that whether or not you create an account has no impact on the quantity or quality of their efforts to track you. You have nothing to lose by signing up for an account, but rather you have something to gain: control of that account. Even if you plan to never use your credit ever again, it’s best to plant your flag now. Security expert Brian Krebs describes “planting your flag” as basically making an account so that nobody else can pretend to be you later. This is a perfect example. If you feel that you never plan to use credit again and therefore you don’t need an account to manage a freeze, a criminal who finds your information on the dark web could still theoretically make that account on your behalf and now they can manage your freeze and disable it to open new accounts in your name – classic identity theft. It’s better for you to create that account with an email address you control and a strong password than to risk letting a criminal find enough information to pose as you and take control of that account. Thanks to the 2017 Equifax data breach and public record people search sites, it’s very conceivable that a criminal could find all the information they need to easily create that account and control your credit. Plant your flag even if you never plan to use credit again.

If you do plan to use your credit someday in the future but not right now, I still encourage you to go ahead and make those accounts now that you’ve read this. As I can promise you from my experience this past week, it sucks to want access to your credit right now and be unable to get it. Apparently I had already created an Equifax account and lost the login information, and both their automated systems and a human agent were unable to verify me, so I had to mail in documentation. At the time of writing I’m still waiting for that to resolve. All for some stupid fiber internet. Thank god this isn’t an emergency like needing to replace a car or find housing. Now that you’re aware of this, please make sure to take care of this now before you need it, or plant your flag before cybercriminals do. Also, I don’t normally ask this, but please share this blog around with your American friends and family. This is a change that completely flew below my radar, and while I don’t claim to be Mr Know-It-All, if I missed it I’m certain almost everyone else has, too. I’m sure that Equifax and TransUnion made zero effort to broadcast this change. Let’s let everyone know so they don’t get blindsided or caught unaware.

Click here to create a MyEquifax account and click here to create a TransUnion account, or alternately just search for them yourself on your preferred privacy-respecting search engine.


Before the pandemic started, I was a freelancer. And one day at work, my backpack vanished with my laptop in it. My laptop was around $1500 brand new. It has an i7 with 16 GB of RAM, a 500 GB SSD and at the time a 2 TB HDD (which has since been replaced with a 240 SSD that runs my daily-driver Linux). For those who don’t speak tech, all you have to know is that when this laptop came out it was almost as top-of-the-line as you could get without buying custom, and even to this day it’s still on the upper side of mid-range. As a freelancer, this laptop was not just my time killer for movies and games, but also a critical tool for my job. I had dozens of programs, video clips, slides, and other things that I regularly used to do my job with the level of excellence that allowed me to be a successful freelancer.

When I got home, I was understandably upset but not for the reasons you might think. I was upset that I would have to go to bed without any background noise (I often use my laptop as a sleeping aid because it automatically shuts down when the battery dies; probably not the best use of it, I’m aware). I was upset that I had to spend over a thousand dollars that I didn’t have to buy a new one – again, because that laptop was also a job tool. But there were other things I wasn’t even remotely upset about. I wasn’t worried about my sensitive emails with clients discussing upcoming gigs, payments, or contracts. I wasn’t worried about my passwords. You see – as I’m sure is no surprise to anyone reading this who’s familiar with me – my laptop was full disk encrypted with VeraCrypt. AES-256 with a randomly-generated six-word passphrase. NOBODY was getting into that computer. Not to mention that by this point in my life I was keeping regular backups, and when this happened I was only about a week out of date. In a half hour, I could’ve had 99% of my life back.

Much of the advice regarding privacy and security that I see on the internet is framed in the context of civil rights or government overreach. Most sites talk about how to protect yourself from corrupt (or ignorant) cops at a protest, how to prevent the NSA from spying on you, or how to stop Google and Facebook from stalking you. This is good, and I agree with all of these things. I firmly believe that privacy is owed to you as a human right, that governments often tend to overstep their responsibilities, and that you are responsible for your own protection. But I think that solely focusing on this aspect of privacy and security does a major disservice to the other practical aspects of it.

Quite frankly, people as a general rule suck at abstract thinking. In 2019 an app called FaceApp went viral. It’s a pretty straightforward app – it makes you look like an older version of yourself. How such a simple app went viral is beyond me, but for a few weeks everybody was sharing and posting photos of themselves fifty years from now. But this had an unexpected side effect: it made people start saving for retirement. Most people don’t think about their futures – not in any kind of real, tangible way – but when faced with a realistic age-progressed photo suddenly retirement became a real thing. It wasn’t just some foreign concept the way that a country you've never visited or “the cloud” is, but rather it was an actual upcoming event that could not be avoided and had to be dealt with. This is the same reason I’ve plastered my front page with links about real-world privacy abuses and the consequences of them, so people can see it and wrap their heads around it.

The funny thing is, people are also laughably bad at properly evaluating risk. For example, did you know that in most crimes the victim and perpetrator know each other? A 1987 study found that less than half of all violent crime was committed by total strangers. That’s why cops always look at the spouse/partner when someone goes missing or dies. The last person you texted is more likely to murder you than the stranger you passed on the street. Yet that doesn’t stop us from locking our doors, hiding our valuables in the car, and spending billions of dollars every year on security services, an industry that only continues to grow year after year. In fact, your odds of being murdered in any given year – murdered at all by anyone – are 0.005%. If we look at home robbery, the odds bump up dramatically to a staggering 2.8%. The average loss is a mere $2,661.

And yet, 25% of people are likely to be caught up in a data breach and have their personal information exposed – information which could be used to steal their identity, open bank accounts, and rack up fraudulent charges in the thousands or more. In fact, most cybertheft costs over $10,000. 1.4% of people are stalked every year in the US. And what’s our response? Posting more selfies on new platforms. More videos on TikTok. More views. More likes. More comments. “Send me an invite to Clubhouse if you’ve got it!” (Author’s note: don’t waste your time.)

It’s time for a shift in focus. Yes, protesting matters. Yes, freedoms matter. But if we ever want privacy and security to reach the mainstream, we need to start speaking the language of our target audience. I’ve successfully gotten a number of people around me to switch to Bitwarden and literally every one of them has thanked me for it and some have even pushed it to their friends without me having to say a word. How did I manage this miracle? “Forgot your password? Mind if I offer a solution?” That simple. Who hasn’t forgotten a password? Or struggled to come up with a “secure” password that meets the requirements? “With Bitwarden it only takes a few clicks to create and save a secure password and you never have to remember it again.” Boom.

This goes for everything. Sure, encryption will keep the cops out of your laptop. It will also stop the rando who steals it. Maybe they’ll still pawn it, but at least your bank details and porn collection are safe. Same for having a good password or PIN on your phone. It won’t stop a criminal from pawning it, but it will stop them from opening your bank app or messages. Remember how years ago people would post on Facebook that they were going on vacation and criminals would use that to target homes to rob? Being careful on social media isn’t just about privacy, it’s about preventing crime. Not having Instagram isn’t just a moral principle, it’s about not opening the door for cyberbullying or harassment. I don’t think we should ever back down from our moral message of privacy and security. Privacy is a human right, and things can change in the blink of an eye. Often when a dictatorship rises to power, people are punished for sins of the past – things they said or wrote years before the party came into office. But frankly, just that one sentence is hard for the average westerner to come to terms with. We need to start framing privacy in a practical way that makes people realize that it’s not ALL about avoiding the algorithms and thwarting corrupt officials. Sometimes it’s just about not having to remember my password or not having to panic when my computer gets stolen. Those are threats the average person can relate to.

Oh by the way, my computer didn’t get stolen. It got accidentally picked up by somebody who thought it was one of their bags. It was returned to security same night and they were very apologetic. I slept great with Futurama in the background.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

With tax season around the corner in the US, I wanted to do something related to taxes and privacy, but I quickly realized that this is a complex topic with very little wiggle room and I don’t feel comfortable giving people any advice on something that can easily land them in hot water legally. Plus, it’s an even more US-centric topic than I usually post about. So here’s my two-sentence summary on doing taxes privately in the US: use paper forms and do it yourself. If you need a professional AND maximum privacy, find a tax lawyer and make sure you arrange with them to hire them in such a way that you benefit from attorney-client privilege.

Instead, I decided that this week I’ll deep dive (somewhat) into financial privacy in general. This should be a much more widely-applicable topic to my non-US readers and it’s far less likely to land you in legal trouble. Now please note: this is a deep, nuanced topic. Just in the US alone I could probably write a small book on this topic, so there's no way this post is going to be comprehensive, but I hope I can cover most of the major pillars for most of my readers.

Do You Need a Bank Account?

Let’s start off at the top. Well, if we wanted to start at the very top, we’d have to begin with getting a job. I wrote about my opinions on privacy in the workplace in a previous blog, so feel free to check that out if you need. But let’s assume you’ve got a source of income and now you’re deciding how best to store and use that income. Should you get a bank account? My general opinion is yes. While any bank is going to involve surrendering some privacy – you’ll have to hand over a lot of personal information to help them detect and prevent fraud – a bank still offers the best security for your money. At least here in the US, we have what’s called FDIC Insurance, which means any liquid cash you put in an account with that bank is guaranteed up to $250,000. In other words, any cash you store at the bank is guaranteed to be yours no matter if the bank goes bankrupt, burns down, gets robbed, etc. Putting cash under your mattress offers you zero protection against damage or theft, and Bitcoin… just don’t use Bitcoin as your primary financial method. If you qualify for a bank account, ninety-nine times out of one hundred that’s going to be the best move for you. I have no doubt that most countries around the world offer some parallel to FDIC Insurance, so make sure yours does and go with that.

Big Banks or Small Banks?

Of course, not all banks are equal. Here in the US, we have big national chains like Chase, Wells Fargo, and Bank of America. We also have smaller, local chains. Here in my state, for example, we have chains like Frost Bank or Velocity Credit Union. On that note, we also have both banks and credit unions. There are a lot of choices. As far as big banks vs small banks go, I think that’s a personal choice. Assuming that both are FDIC Insured, typically small banks will value you more as a customer and treat you better. They also make for smaller targets for cybercriminals. On the other side, bigger banks invest more money into cybersecurity because they’re bigger targets, and there is the whole advantage of being a needle in a haystack if you’re being specifically targeted. If I bank with Frost, for example, there are a lot fewer customer records to wade through to find me than if I banked with Chase. Assuming you’re not being targeted by a technologically-advanced enemy, I would say that the biggest advantage to a national bank would be if you travel frequently. Frost doesn’t exist outside of my state – or at least not that I’m aware of – so if I have to make a deposit or handle some other in-person banking issue, I have to wait till I get home, and withdrawing money from an ATM will incur a charge. Not so with a bank like Chase, which exists practically next to every Starbucks.

Without being too US-centric, I also generally encourage credit unions over traditional banks. They typically have requirements to join – for example you have to work in a certain job field or area – but they offer numerous advantages. In addition to better customer service, they typically have better interest and savings rates and other perks like car insurance discounts with certain companies and stuff like that.

Paper or Plastic

Debit cards are generally regarded as a bad move by both privacy advocates and personal finance experts. Personal finance experts encourage the use of credit over debit – assuming that you’re able to control yourself and not spend too much – because they offer rewards and purchase protections. I’ll get to that in a moment. Privacy advocates discourage the use of both because financial institutions are increasingly tracking customer data for a variety of reasons, such as getting a more accurate credit score for borrowers, offering better services, and predicting consumer habits. These are valid, understandable uses. However, I firmly believe this has a dark side that is only beginning to emerge. In the realm of reality, banks have been known to penalize customers for shopping at “deadbeat” locations like Walmart. Financial information is also used in the UK to attempt to catch people defrauding the welfare system, which can be so extreme that it can disqualify people because they dared to take a vacation, buy name-brand foods instead of off-brand, or treat themselves to a nice dinner. I’m sure there are also other negative impacts of the privacy violation that I’m not currently aware of. In the realm of speculation, it is a well-known fact that your health insurance rates are higher if you’re a smoker. How long before banks start selling your purchase history to health insurance companies, who then use your purchases to determine if you’re a smoker or not? Or if you drink too much by their standards? Your purchases can be used to determine incredible amounts of information about you and your habits. I believe – though this is just conspiracy theory on my part for now – that someday the amount of alcohol or types of food you buy will help determine your health insurance coverage and/or rates, the brands you buy will help determine your credit score, and more. All this is to say that the best way to spend your money is in cash. Every payday, calculate how much you’ll need and go withdraw that from the ATM. Use that to pay for gas, groceries, and more.

Online & Non-Cash Payments

Sometimes you have no choice but to pay with a card. Some places don’t accept in-person or cash payments, or sometimes you have to buy something online that you just can’t get locally. There are a lot of options here. Popular options include digital card issuers like Privacy.com, MySudo, Abine Blur, Revolut, and others. I discuss all of these, how they work, and why you should use them on this page of my website. If you don’t qualify for or don’t trust one of these services, the next best option is a prepaid gift card. Visa and Mastercard both sell “Vanilla” gift cards that can be purchased in cash at almost any grocery store or gas station in the US. There are also gift cards if you plan to use the money toward a specific purchase, like Netflix, Amazon, or Steam. The only drawback to Vanilla cards is that I’ve heard you’re required to register them online before using them for online purchases. I haven’t attempted this myself, though I plan to in the future. This could tie the purchases back to you, but it’s still a good solution for protecting your actual debit card number and using compartmentalization as a security tactic.

Using Plastic Right

I have always aimed for The New Oil to be a site dedicated to “the average person.” The average person, in my experience, does not have an advanced stalker and is much more worried about identity theft than surveillance capitalism and exploitation. On a similar note, I am a mild personal finance nerd. I love thinking about how to best handle my money to provide the most value for my dollar as well as to create the life I want to live. For example, my partner wants to travel. That’s not cheap. All this is to say that I understand why some people may want to use credit cards. As I said before, personal finance experts recommend using credit cards generously because they offer purchase protection and many of them offer cashback or reward points. The system they recommend is to get several credit cards and use them based on what they offer. For example, if Card 1 offers 10% cashback on gas and Card 2 offers 5% on gas, use Card 1 for buying gas. If Card 2 offers reward points for buying groceries and Card 1 doesn’t, use Card 2 for buying groceries each week. There are of course caveats to this: pay attention to annual fees, reward terms, and what exactly the purchase protection plans cover; use the credit cards as if they were cash (don’t buy everything in the store when your budget is only $200); and pay them off in full each month to avoid interest. There’s more, but this isn’t a personal finance blog; I’m just pointing out some examples.

With this in mind, I think the average person can benefit from gaming the system and taking advantage of the recommended credit card system at the same time. For example, I mentioned that I believe in the near future we will see health insurance rates and eligibility affected by purchase patterns (among other things). So maybe divide your groceries up into two parts: healthy, generic-brand stuff and everything else. Use your grocery credit card to buy the healthy stuff and cash to buy the beer. This will create a pattern of transactions showing that you buy healthy food while leaving out the more indulgent parts of your purchases. Or perhaps divide your purchases up by location. For example, if you shop at Whole Foods – first, don’t, as Amazon is a garbage company – second, put that one on your credit card. Then go to the liquor store or Walmart to buy your beer where it’s cheaper and pay for that in cash. (I know I keep using beer as an example; it just seems easiest.) I think there are a lot of ways you can use this system to your advantage.

Of course, in a perfect world, companies would respect our privacy and not sell our financial information in the first place, which would leave us free to take advantage of credit cards and other financial hacks without risking our futures. But unfortunately part of life means playing the hand you’re dealt, good or bad. I think that for most people this half-truth approach of mindfully using credit cards to both gain points AND create a picture of a healthier, more responsible you is the way to go. This offers the best blend of privacy and functionality in today’s data-driven world. However, for those who want to go full-in on principle – or out of necessity – I hope this post has given you some ideas, approaches, and insight on how to make your money work for you instead of letting third party companies use it as a Trojan horse to steal your data.


When I set out to make The New Oil, one of my goals was to review various products and services in depth to help people make a decision about what tool is right for them. I haven’t done that in a very long while and I apologize. So to start fixing that, for the past month I have been using Mullvad VPN as my primary VPN provider to test it out. Here’s what I found.

The Good

Mullvad VPN is a popular name in the privacy community for a number of reasons. As I began to sign up for an account, several of those reasons immediately jumped out at me. They are based in Sweden, which is a 14-Eyes country, but that's certainly better than 5 or 9. Next, literally no information was required to sign up. Not even a username. They generate an account number for you, and that acts as your login. There’s no email, phone, or anything required. Next is payment. One thing that Mullvad did that I thought was super awesome was that they give the option to make a one-time payment, so if you want to just check it out for one month like I did and not run the risk of forgetting to cancel, no worries. They also accept Bitcoin and cash as payment options, as well as card, PayPal, bank wire, Swish, and vouchers. And of course, the price point is exceptionally reasonable for a VPN – $5/month. Period. No “Premium” plan or anything. $5 gets you everything.

Mullvad is incredibly easy to use. So much so that it actually kind of stressed me out. There are no options in the account settings except the options to make a payment, and the apps are incredibly minimalist. They pretty much only offer options like “launch app on start-up” and “notifications.” Apps are available for all operating systems – including Debian and Fedora-based Linux distros – and they even have instructions on how to set up the apps for Qubes and DD-WRT, which was fantastic for me as I use both daily.

Mullvad was also one of the first providers to support WireGuard – a new and highly celebrated VPN tunneling protocol that’s supposed to be faster, more efficient, and safer (because the code is smaller). But you can choose to go with OpenVPN if you prefer something more tried and true.

I didn’t run any kind of speed test, but I didn’t notice any sort of slower performance going from Proton (my usual VPN choice) to Mullvad; both seem to function just fine in that sense, over both internet and cell data. Torrenting seemed to work on any server.

The Bad

Let’s address the elephant in the room: Mullvad has a serious server problem. I went through every single WireGuard server in Dallas. Over half of them didn’t connect at all, and of those that did, a few claimed to be routing me through Utah (based on an IP check online). This is concerning, to say the least. When I brought this issue up to them, they admitted that they rent many of their servers (most VPN providers do, so this wasn’t worrisome to me) and as such they often have a hard time keeping their lists up to date.

On that note, Mullvad’s lack of connectivity options was a bit disappointing. You can easily select individual servers or servers based on city or country, but you can’t – for example – say “just connect me to the fastest server.”

On iOS, I also found that Mullvad competes with Lockdown – my firewall app of choice – on VPN levels. With Proton – my usual VPN provider – I was able to run both Lockdown and ProtonVPN at the same time for maximum protection. With Mullvad, I had to pick between one or the other. On that note, I didn’t have a choice of connection protocols either. I was forced to use WireGuard on mobile. If you’re not comfortable with WireGuard for any number of reasons, that’s not comforting.

I also dislike that split-tunneling was available on Android and Linux, but not Windows, Mac, or iOS (without some technical effort on the user end). Maybe this is a personal thing, but as a Qubes user I don’t worry about split tunneling. Perhaps the only thing easier in Qubes than any other OS is splitting up and configuring your routing any way you want. Rather, I wish I had that capability on Windows, which I use most often for things like Jitsi meetings or gaming.

For those who value streaming, Mullvad seemed to be just like Proton in the sense of how services handle them. In my experience, Netflix is usually pretty VPN friendly – if a bit slow – while Hulu almost never works from behind a VPN. This experience held up with all the Mullvad servers I tried – once again meaning that if I wanted to watch something while working or gaming on Windows, I had to disable the app entirely, as split tunneling is once again not available on Windows.

And while we’re looking for things to poke holes in, Mullvad’s subscription only accepts card and PayPal, meaning if you want to continue to use Bitcoin or Cash for privacy reasons, you can’t “set it and forget it.”

Final Verdict

Honestly, Mullvad’s server consistency issues were a huge turn-off to me. I live in Texas, and as such I like using Texas servers. In my experience, they tend to be faster because they’re closer, and I feel like it’s less suspicious if anyone – be it my bank or a troll – checks my IP. Maybe that’s just in my head, but still I like it. The fact that I can pick “Dallas” in the Mullvad app and still get an IP in Utah is unsettling to me. In their defense, it worked without issue and I have no reason to believe that my traffic was ever unprotected at any time, but it still wasn’t a fun feeling.

Having said all that, my final verdict is that Mullvad is a solid choice for the average person. The service is shockingly easy to set up and use, you can be rolling in minutes, and the price is outstandingly low. The support was fantastic and helpful – if a bit slow at times. And the important VPN features that I would look for in a VPN client for any given person – kill switch, auto-start, etc – are all there. As with most privacy tools, this is purely a matter of what you need it to do and what you prefer. Personally I would say Mullvad is ideal for people who want something that “just works” or for people who want as much anonymity from their VPN provider as possible.

Click here to check out Mullvad for yourself.


I live in Central Texas. While this is not something I parade around typically, I’m pretty sure this is something I’ve mentioned before. This week, in case you didn’t hear, my state got bombarded with days of below-freezing temperatures, which put unprecedented stress on our power grid. Between that and political ineptitude, long story short: I went 60+ hours with no power and another 73 (at the time of this editing) after that without heat. My apartment never peaked above 45 degrees Fahrenheit until today (it went to a whopping 48). Good times. Only emergency services had power for about four days. Fortunately someone close to me quickly regained power (as they shared a circuit with emergency services) and I was able to go stay with them and get warm and get internet. This is also why there was a two-day gap in my article sharing this week and why I’m currently playing catch-up. Sorry.

During the course of this week, I found many things I wish I had done differently, some of them privacy/security related and some not. I will, of course, be skipping the non-privacy related stuff because this is not a disaster-prep website/blog and it serves no purpose here. However, I did want to share the privacy-related stuff that I learned this week. The fact is that we will all almost certainly be faced with some kind of major disaster in our lives if we haven’t already. Whether that’s a winter storm that almost threatens to kill you while your politicians flee to Cancun, or whether that’s a more localized house fire, we will all face something that dramatically alters our lives and affects us, so it’s important to think now about how we can plan for those disasters and avoid or mitigate them while we still have time. During this snowstorm it was too late for me to buy chains for my tires, but some of the other steps I’ve taken did actually come in handy. So this week, I’m gonna walk through some of my experiences this week and discuss some of the privacy steps I took that helped me and some that I wish I had taken beforehand. My hope is that this helps you evaluate your own practices and decide which ones might cause problems and how to handle that or adjust accordingly.

SIM Data

It began for us at 2 am local time on Monday morning. We know this because we were woken by every fire alarm in the apartment going off in our pitch-black apartment. Our apartment literally gets zero light at night, so we have a few nightlights to help us navigate after dark for things like bathroom or kitchen. So based on the level of darkness, we deduced the power was out. We quickly took the batteries out of the smoke alarms, ensured there was no actual fire, and went back to bed. At the time we had been warned of possible rolling blackouts so we didn’t think much of it. Then we woke up in the morning and things got bad. Power was still out. We quickly piled blankets on the bed and began to trap all the heat we could in the room. We have a ball python, who we quickly moved into a shoebox and put under the covers so she could stay warm with us. As I write this story, I realize that this is where the first major lesson comes in: SIM data.

I long for a world where my phone doesn’t spy on me, and in many cases I’ve considered just not having a phone altogether. Well, after this week, that fantasy is out the window. When the power died, so did the internet, which meant that I would’ve had zero communication with the outside world to know what was happening, why I had no power, when to expect it, or eventually where to go for reprieve. So I guess my lesson here isn’t “you must have a cell phone,” but I do think you should have cell data handy if possible. Maybe have an emergency prepaid SIM card in your closet that you can quickly toss into your phone if the power goes down. It’s important to have a way to communicate with the world if the internet is not accessible.

Cash

The next thing we did right was cash. As the temperatures began to plummet, it quickly became obvious that our only choice was to lay in bed and be warm. As such we began to eat less, because our choices were “stay in bed and stay warm” or “freeze over and eat, then warm back up.” This resulted in us eating less both in volume and frequency. I visibly lost weight in just the couple days we didn’t eat. When the worst of the storm was over and the stores began to reopen, they didn’t have power and they were running cash only. Well, fortunately, one disaster-prep thing I have done is to have an envelope safely stashed in my apartment with emergency cash. This meant that when the stores reopened, I didn’t need an ATM. I had cash ready to go down and shop. I know this probably isn’t healthy, but due to the circumstances, when we did eat we wanted to eat things that were ready-to-eat, light, and easy to eat. This meant canned soups, protein bars, Pop Tarts, and pretty much anything else that was quick and easy. I often preach on my site to use cash. Well, this is a time when having cash on hand was king.

Self-hosting

The first thing that went wrong was Nextcloud. I self-host my own Nextcloud server in my home, which meant from the moment I woke up on Monday I was dead in the water. This is not a critical thing in my case, but I remember wanting to take notes about things that we should buy or do to help this situation in the future as it came to me and realizing that I didn’t have that option since my server was down.

Direct Communication

Around day 2 was the first time I heard rumors that the power grid might fail completely and that cell towers might be next on the chopping block. Fortunately these rumors turned out to be untrue, but this was when my next privacy failure came to light: I had failed to find a peer-to-peer messenger in case the cell towers ever went down. Unfortunately at this time I don’t have a solution for this. I’ve been told that Briar is P2P, but it’s Android and desktop only, so as an iOS user that doesn’t do me any freaking good. I experimented with another app called Jami, but it appears to require cell data. I’m currently on the prowl for a good solution there. I’m still not sure if this would serve any purpose. I suppose if my message can bounce far enough then maybe I could get an outsider to relay news to me, but really this doesn’t serve much purpose other than to make sure my partner safely got to the car to get warm. Either way, this is something that’s now on my radar more than before.

Knowing the Neighbors

Another personal weakness of mine that fell through the cracks was getting to know my neighbors. Personal networking coach Jordan Harbinger has a phrase: “dig your well before you’re thirsty.” Getting to know your neighbors is a double-edged sword. On the one hand, it provides great security and community. Neighbors who know you can be asked for favors, like “Hey we’re going out of town, can you keep an eye on our place for burglars?” or – potentially in our case – “hey do you have any firewood?” On the other hand, getting to know your neighbors can potentially be a privacy risk, and trying to make up an entirely fake persona or name with them can be very difficult for some. For me, I’m simply an introvert. As long as I had a computer and internet, I never saw a need to get to know my neighbors. I’m not sure knowing my neighbors would’ve actually helped in this case, but I don’t think it could’ve hurt and it’s something I’d like to experiment more with in the future.

Privacy Was Not Paramount

The most important thing that stuck out to me was that privacy didn’t matter. I didn’t have the VPN on my phone for days so that I could maximize battery life and get notifications in a timely manner. I used my SIM card number to make phone calls to – again – save battery and maximize efficiency. Not to be dramatic, but this was literally a life-or-death experience. At least a handful of people in our area did die from hypothermia, at least one of which was not homeless from what I understand. Several more died in house fires trying to keep their homes warm and others died from carbon monoxide poisoning. The last thing I gave a f*ck about was privacy at that moment.

This may seem anathema to some. There are some serious privacy extremists out there who treat privacy as the be-all and end-all, more important than gold or convenience or family or even job opportunities. In some cases and instances, that may not be a bad call. I’d rather give up a mediocre job opportunity that doesn’t respect my privacy so I can get another mediocre one that does. I’d also rather cut out a relatively crappy friend who won’t use Signal than keep them on SMS. However, there is a line. That line varies from person to person – which is a blog I plan to post another day – but there comes a point where you have to put privacy aside and be a functional, decent human being. I hope you never face a life-or-death situation that forces you to make that call, but you will probably be faced with choices in your privacy journey that make you pick between X and privacy. And sometimes, it’s worth it. Again, I’m not here to tell you where that line is. Privacy is a human right. But so are heat and food and water. Don’t get carried away with privacy to a toxic degree.

Conclusion

As I said before, this was a learning experience for me. I firmly believe that everything in life – or nearly everything – is a learning experience if you let it be. I hope you’ll learn from my experience and find ways to harden your own private life and prepare for the worst. One resource I recently added to my site that I found helpful in the area of preparing your digital life for redundancy is The Personal Digital Resilience Handbook. That might be a good place to start if this is new to you. Either way, take this time to examine what the shortcomings in your privacy and security strategies are and how you can patch those up now before the snowstorms hit.

