The New Oil

Review: Mullvad VPN 2021 – Insultingly Easy

February 27, 2021

When I set out to make The New Oil, one of my goals was to review various products and services in depth to help people make a decision about what tool is right for them. I haven’t done that in a very long while and I apologize. So to start fixing that, for the past month I have been using Mullvad VPN as my primary VPN provider to test it out. Here’s what I found.

The Good

Mullvad VPN is a popular name in the privacy community for a number of reasons. As I began to sign up for an account, several of those reasons immediately jumped out at me. They are based in Sweden, which is a 14-Eyes country, but that's certainly better than 5 or 9. Next, literally no information was required to sign up. Not even a username. They generate an account number for you, and that acts as your login. There’s no email, phone, or anything required. Next is payment. One thing that Mullvad did that I thought was super awesome was they give the option to make a one-time payment, so if you want to just check it out for one month like I did and not run the risk of forgetting to cancel, no worries. They also accept Bitcoin and Cash as payment options, as well as card, PayPal, bank wire, Swish, and vouchers. And of course, the price point is exceptionally reasonable for a VPN – $5/month. Period. No “Premium” plan or anything. $5 gets you everything.

Mullvad is incredibly easy to use. So much so it actually kind of stressed me out. There are no options in the account settings except the options to make a payment, and the apps are incredibly minimalist. They pretty much only offer options like “launch app on start-up” and “notifications.” Apps are available for all operating systems – including Debian and Fedora-based linux distros – and they even have instructions on how to set up the apps for Qubes and DD-WRT, which was fantastic for me as I use both daily.

Mullvad was also one of the first providers to support Wireguard – a new and highly celebrated VPN tunneling protocol that’s supposed to be faster, more efficient, and safer (because the code is smaller). But you can choose to go with OpenVPN if you prefer something more tested and true.

I didn’t run any kind of speed test, but I didn’t notice any sort of slower performance from Proton (my usual VPN choice) to Mullvad, both seem to function just fine in that sense both over internet and cell data. Torrenting seemed to work on any server.

The Bad

Let’s address the elephant in the room: Mullvad has a serious server problem. I went through every single Wireguard server in Dallas. Over half of them didn’t connect at all, of those that did a few claimed to be routing me through Utah (based on an IP check online). This is concerning, to say the least. When I brought this issue up to them, they admitted that they rent many of their servers (most VPN providers do so this wasn’t worrisome to me) and as such they often have a hard time keeping their lists up to date.

On that note, Mullvad’s lack of connectivity options was a bit disappointing. You can easily select individual servers or servers based on city or country, but you can’t – for example – say “just connect me to the fastest server.”

On iOS, I also found that Mullvad competes with Lockdown – my firewall app of choice – on VPN levels. With Proton – my usual VPN provider – I was able to run both Lockdown and ProtonVPN at the same time for maximum protection. With Mullvad, I had to pick between one or the other. On that note, I didn’t have a choice of connecting protocols either. I was forced to use Wireguard on mobile. If you’re not comfortable with Wireguard for any number of reasons, that’s not comforting.

I also dislike that split-tunneling was available on Android and Linux, but not Windows, Mac, or iOS (without some technical effort on the user end). Maybe this is a personal thing, but as a Qubes user I don’t worry about split tunneling. Perhaps the only thing easier in Qubes than any other OS is splitting up and configuring your routing any way you want. Rather, I wish I had that capability on Windows, which I use most often for things like Jitsi meetings or gaming.

For those value streaming, Mullvad seemed to be just like Proton in the sense of how services handle them. In my experience, Netflix is usually pretty VPN friendly – if a bit slow – while Hulu almost never works from behind a VPN. This experience held up with all the Mullvad servers I tried – once again meaning that if I wanted to watch something while working or gaming on Windows, I had to disable the app entirely as split tunneling is once again not available on Windows.

And while we’re looking for things to poke holes in, Mullvad’s subscription only accepts card and PayPal, meaning if you want to continue to use Bitcoin or Cash for privacy reasons, you can’t “set it and forget it.”

Final Verdict

Honestly, Mullvad’s server consistency issues was a huge turn off to me. I live in Texas, and as such I like using Texas servers. In my experience, they tend to be faster because they’re closer, and I feel like it’s less suspicious if anyone – be it my bank or a troll – checks my IP. Maybe that’s just in my head, but still I like it. The fact that I can pick “Dallas” in the Mullvad app and still get an IP in Utah, that’s unsettling to me. To their defense, it worked no issue and I have no reason to believe that my traffic was ever unprotected at any time, but it still wasn’t a fun feeling.

Having said all that, my final verdict is that Mullvad is a solid choice for the average person. The service is shockingly easy to set up and use, you can be rolling in minutes, and the price is outstandingly low. The support was fantastic and helpful – if a bit slow at times. And the important VPN features that I would look for in a VPN client for any given person – kill switch, auto-start, etc – are all there. As with most privacy tools, this is purely a matter of what you need it to do and what you prefer. Personally I would say Mullvad is ideal for people who want something that “just works” or for people who want as much anonymity from their VPN provider as possible.

Click here to check out Mullvad for yourself.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Lessons in Disasters and Redundancy

February 20, 2021

I live in Central Texas. While this is not something I parade around typically, I’m pretty sure this is something I’ve mentioned before. This week, in case you didn’t hear, my state got bombarded with days of below-freezing temperature which put unprecedented stress on our power grid. Between that and political ineptitude, long story short: I went 60+ hours with no power and another 73 (at the time of this editing) after that without heat. My apartment never peaked above 45 degrees Fahrenheit until today (it went to a whopping 48). Good times. Only emergency services had power for about four days. Fortunately someone close to me quickly regained power (as they shared a circuit with emergency services) and I was able to go stay with them and get warm and get internet. This is also why there was a two day gap in my article sharing this week and why I’m currently playing catch-up. Sorry.

During the course of this week, I found many things I wish I had done differently, some of them privacy/security related and some not. I will, of course, be skipping the non-privacy related stuff because this is not a disaster-prep website/blog and it serves no purpose here. However, I did want to share the privacy-related stuff that I learned this week. The fact is that we will all almost certainly be faced with some kind of major disaster in our lives if we haven’t already. Whether that’s a winter storm that almost threatens to kill you while your politicians flee to Cancun, or whether that’s a more localized house fire, we will all face something that dramatically alters our lives and affects us, so it’s important to think now about how we can plan for those disasters and avoid or mitigate them now while we still have time. During this snowstorm it was too late for me to buy chains for my tires, but some of the other steps I’ve taken did actually come in handy. So this week, I’m gonna walk through my some of my experiences this week and discuss some of the privacy steps I took that helped me and some that I wish I had taken beforehand. My hope is that this helps you evaluate your own practices and decide which ones might cause problems and how to handle that or adjust accordingly.

SIM Data

It began for us at 2 am local time on Monday morning. We know this because we were woken by every fire alarm in the apartment going off in our pitch-black apartment. Our apartment literally gets zero light at night, so we have a few nightlights to help us navigate after dark for things like bathroom or kitchen. So based on the level of darkness, we deduced the power was out. We quickly took the batteries out of the smoke alarms, ensured there was no actual fire, and went back to bed. At the time we had been warned of possible rolling blackouts so we didn’t think much of it. Then we woke up in the morning and things got bad. Power was still out. We quickly piled blankets on the bed and began to trap all the heat we could in the room. We have a ball python, who we quickly moved into a shoebox and put under the covers so she could stay warm with us. As I write this story, I realize that this is where the first major lesson comes in: SIM data.

I long for a world where my phone doesn’t spy on me, and in many cases I’ve considered just not having a phone altogether. Well, after this week, that fantasy is out the window. When the power died, so did the internet, which meant that I would’ve had zero communication with the outside world to know what was happening, why I had no power, when to expect it, or eventually where to go for reprieve. So I guess my lesson here isn’t “you must have a cell phone,” but I do think you should have cell data handy if possible. Maybe have an emergency prepaid SIM card in your closet that you can quickly toss into your phone if the power goes down. It’s important to have a way to communicate with the world if the internet is not accessible.

Cash

The next thing we did right was cash. As the temperatures began to plummet, it quickly became obvious that our only choice was to lay in bed and be warm. As such we began to eat less, because our choices were “stay in bed and stay warm” or “freeze over and eat then warm back up.” This resulted in us eating less both in volume and frequency. I visibly lost weight in just the couple days we didn’t eat. When the worst of the storm was over and the stores began to reopen, they didn’t have power and they were running cash only. Well fortunately, one disaster-prep thing I have done is to have an envelope safely stashed in my apartment with emergency cash. This meant that when the stores reopened, I didn’t need an ATM. I had cash ready to go down and shop. I know this probably isn’t healthy but due to the circumstances when we did eat, we wanted to eat things that were ready-to-eat, light, and easy to eat. This meant canned soups, protein bars, Pop Tarts, and pretty much anything else that was quick and easy. I often preach on my site to use cash. Well, this is a time when having cash on hand was king.

Self-hosting

The first thing that went wrong was Nextcloud. I self-host my own Nextcloud server in my home, which meant from the moment I woke up on Monday I was dead in the water. This is not a critical thing in my case, but I remember wanting to take notes about things that we should buy or do to help this situation in the future as it came to me and realizing that I didn’t have that option since my server was down.

Direct Communication

Around day 2 was when the first day I heard rumors that the power grid might fail completely and that cell towers might be next on the chopping block. Fortunately these rumors turned out to be untrue, but this was when my next privacy failure came to light: I had failed to find a peer-to-peer messenger in case the cell towers ever went down. Unfortunately at this time I don’t have a solution for this. I’ve been told that Briar is P2P, but it’s Android and Desktop only, so as an iOS user that doesn’t do me any freaking good. I experimented with another app called Jami but it appears to require cell data. I’m currently on the prowl for a good solution there. I’m still not sure if this would serve any purpose. I suppose if my message can bounce far enough then maybe I could get an outsider to relay news to me, but really this doesn’t serve much purpose other than to make sure my partner safely got to the car to get warm. Either way, this is something that’s now on my radar more than before.

Knowing the Neighbors

Another personal weakness of mine that fell through the cracks was getting to know my neighbors. Personal networking coach Jordan Harbinger has a phrase: “dig your well before you’re thirsty.” Getting to know your neighbors is a double-edged sword. On the one hand, it provides great security and community. Neighbors who know you can be asked for favors, like “Hey we’re going out of town, can you keep an eye on our place for burglars?” or – potentially in our case – “hey do you have any firewood?” On the other hand, getting to know your neighbors can potentially be a privacy risk, and trying to make up an entirely fake persona or name with them can be very difficult for some. For me, I’m simply an introvert. As long as I had a computer and internet, I never saw a need to get to know my neighbors. I’m not sure knowing my neighbors would’ve actually helped in this case, but I don’t think it could’ve hurt and it’s something I’d like to experiment more with in the future.

Privacy Was Not Paramount

The most important thing that stuck out to me was that privacy didn’t matter. I didn’t have the VPN on my phone for days so that I could maximize battery life and get notifications in a timely manner. I used my SIM card number to make phone calls to – again – save battery and maximize efficiency. Not to be dramatic, but this was literally a life-or-death experience. At least a handful of people in our area did die from hypothermia, at least one of which was not homeless from what I understand. Several more died in house fires trying to keep their homes warm and others died from carbon monoxide poisoning. The last thing I gave a f*ck about was privacy at that moment.

This may seem anathema to some. There are some serious privacy extremists out there who treat privacy as the end-all be-all, more important than gold or convenience or family or even job opportunities. In some cases and instances, that may not be a bad call. I’d rather give up a mediocre job opportunity that doesn’t respect my privacy so I can get another mediocre one that does. I’d also rather cut out a relatively crappy friend who won’t use Signal than keep them on SMS. However, there is a line. That line varies from person to person – which is a blog I plan to post another day – but there comes a point where you have to put privacy aside and be a functional, decent human being. I hope you never face a life-or-death situation that forces you to make that call, but you will probably be faced with choices in your privacy journey that make you pick between X and privacy. And sometimes, it’s worth it. Again, I’m not here to tell you where that line is. Privacy is a human right. But so is heat and food and water. Don’t get carried away with privacy to a toxic degree.

Conclusion

As I said before, this was a learning experience for me. I firmly believe that everything in life – or nearly everything – is a learning experience if you let it be. I hope you’ll learn from my experience and find ways to harden your own private life and prepare for the worst. One resource I recently added to my site that I found helpful in the area of preparing your digital life for redundancy is The Personal Digital Resilience Handbook. That might be a good place to start if this is new to you. Either way, take this time to examine what the shortcomings in your privacy and security strategies are and how you can patch those up now before the snowstorms hit.

How to Handle Old Accounts

February 13, 2021

If you’re like me, you probably lived a very long (in digital terms), very public life before getting into privacy and security. That means now that you’re into privacy and security, you’ve got a long trail of old, unused accounts either from old services you stopped using (raise your hand if you still have MySpace) or from services you tried out and never came back to. So this week, let’s talk about how to find those old accounts and what to do with them.

Why Does It Matter?

Before we dive in, let’s talk about why you should bother finding and neutralizing old accounts anyways. The short answer is because these accounts are a risk. If you created these accounts back before you were into privacy, they probably contain a lot of personal information about you like family members, friends, where you live/lived, your lifestyle and interests, pictures of you, and so on. This information can be abused for anything from stalking to social engineering and identity theft. Furthermore, social media scans are now considered a common part of employment background checks. I don't know about you, but I would hate to get passed over for a job for something dumb I posted five years ago that I might not even believe anymore.

As I often say, you should treat anything you post online as public record. Data breaches are a thing. 2020 saw an average of 7 million records exposed per day – a “record” being a data point such as a name, date of birth, or email address. This means that the longer you have those old accounts sitting out there, the more likely they are to get swept up in a data breach, exposing old messages, photos, email addresses, and passwords. And again, since those accounts were probably made before you were into privacy and security, that means they’re probably using a weak password that you’ve reused on other sites, opening the door for a domino effect of stolen data, phishing scams, and stalkers. So yes, you should attempt to find and close as many of your old accounts as you can.

Seek…

In order to close old accounts, you must first find them. You can probably remember many of them just by thinking back on your life and remembering the services you used to use. MySpace, LastFM, LiveJournal, Tumblr, Yahoo, these are just a few services that enjoyed a period of large popularity but have since declined. They may not be gone, but they’re not what they used to be. Going through your head and looking back on your past will probably remind you of some of the more prominent ones. But what about the ones you forgot?

There’s two main ways of finding old accounts. As much as I discourage the use of Google, I think they are probably the best search engine to use for this step. If you’re like me, you probably had a small number of usernames you used almost exclusively back in the day. Start by going to Google and searching those usernames in quotes, one at a time. The quotation marks are important, because that tells Google “only search for this exact thing and show me exact matches.” Once you’ve started running out of relevant search results, do the same thing but this time with your email address(es). This will likely turn up any other accounts that were not username based.

Often times, especially if this is the first time you’ve done this, this will probably bring up several of your accounts. Make sure to dig deep. Don’t stop at page 1, I recommend going to at least page 5 or 10 depending on how large your internet presence has been in the past. Just keep going until you go through a couple pages in a row of results that have nothing to do with you. This strategy will also likely bring up your personal information – like full name, address, and phone number – on a lot of people search websites. This is something I plan to talk about in the future, but for now this falls outside the scope of this post. If you're freaked out and feeling the urge to act immediately, I recommend this workbook from Michael Bazzell. It’s the same one I use every year to check for and erase my own data.

...and Destroy

Once you’ve found these old accounts, you’ll probably be able to easily log into them. After all, you probably used the same easy-to-remember weak password (or variation thereof) all over the place. Once you’re in, it should be fairly easy to navigate the account settings and find a “delete my account option.”

Should I Blank My Information First?

There’s a lot of debate in the privacy community about whether you should delete your old data first or if you should just go straight to the account deletion option. I think for most people, just immediately deleting the account is plenty fine. If you have a history of stalkers or a similarly higher threat model (or you simply want to go the extra mile), it may not be a bad idea to erase all the information or fill it with false information first and let it sit for 30 days before deleting it. I certainly don't think you're hurting yourself or exposing yourself to any extra risk by doing so.

What if I Can’t Delete My Account?

Some websites make it a nightmare to delete your account (coughAmazoncough) but if you’re positive you’ll never use the site again (or you can easily re-sign up if needed), I encourage you to go through this process. On the other hand, it’s rare but some websites won’t allow you to delete your account even after contacting customer service. If you live in Europe you can try to pull the GDPR card, but personally I think at that point there’s a better solution: paint the walls, lock the door, and never look back. If a service refuses to let you delete the account, empty it as much as you can. Delete names, bios, pictures, emails, everything you can. If something can’t be deleted, then replace it with fake information – a black box instead of a photo (or a photo of a dog, not your dog), a fake name, a forwarding email address, etc. Finally, change the password to the longest, most complex password the service allows, log out, clear your cookies, and forget they exist. It may not be a bad idea to hold onto that login information just in case. Regardless, the point is to make your account useless to anyone who looks. Stalkers won’t find any useful information about you. Cybercriminals won’t be able to get into the account. As time goes on, any real information they may have had about you will become more stale, so even if they suffer a data breach the exposure will be minimal. It should be noted that this is not good advice if you’re facing a highly advanced and dangerous adversary, such as being actively targeted by a government, but for 90% of my readers – the “average person” – this is a perfectly good solution.

When Not to Delete Accounts

Real quick, it would be remiss of me to note that there are times I don’t recommend deleting your accounts. I was a Google user for over ten years. I made the privacy switch several years ago and I still get the occasional email at my Gmail address that I want: an old account I found that needs to be deleted, an old client looking to reconnect, etc. I don’t ever recommend deleting any accounts you used for contact, two-factor authentication, professional or official purposes, or that you actively used for long periods of time. I do recommend changing the information in those accounts – removing names and such – using strong passwords and two-factor on them, and changing how you use them (ex: that Gmail account forwards to my new primary email account and then deletes the message in Gmail. I respond from my primary account, cutting Google out of the picture entirely). You run a serious risk when deleting such important accounts that you may need them for something important at a later date. Make sure not to burn any important bridges.

Moving Forward

I preach privacy and redundancy. That means having multiple accounts in case something goes wrong with one of them. I have both ProtonMail and Tutanota. I have several messenger apps and accounts, and multiple VPN services. This is in both my personal life AND my life as The New Oil, so I’m not necessarily preaching digital minimalism. As we move through life new, better services will pop up. Existing services will discontinue or become less desirable for any number of reasons. That means we will constantly be making new accounts and abandoning old ones. The trick is to move forward responsibly. If you make an account with a new service to test it out and end up not using it, be sure to erase it. If you move on to a new service and decide not to keep the old one for whatever reason, be sure to erase it. Stay on top of your stuff so that you can be future-proof. Don’t let past mistakes come to haunt present-you.

Love is in the Air (via WiFi and Dating Apps)

February 6, 2021

It’s February, and among other things worth celebrating, that means in some parts of the world it’s Valentine’s Day. Also it’s still fairly early on in the year, which means many people are making promises to themselves to find love as a new year’s resolution. And of course, with the ongoing global pandemic people are turning to dating sites and apps in unusually high numbers. So if you’re reading this, there’s a good chance you either already have or have considered using online dating in the form of something like Tinder, Match, eHarmony, or other. Let’s talk this week about how to use online dating safely.

Picking a Service

There’s no shortage of dating services these days, each with a different target demographic and set of features. My recommendation would be to first start with a service that offers a desktop website rather than strictly a mobile app. I’ve covered numerous times on my site how apps are dangerous – they have a lot of access, and they almost always track you in invasive ways that get sold to advertisers. They can also be a serious attack vector for malware or data leaks. So start off by picking a company that lets you opt out of the app. It also couldn’t hurt to check the privacy policies and attempt to find the companies who most respect you, but I think just avoiding apps – combined with some of the other general browser advice on my site – will keep you pretty safe from most of the basic privacy invasions. And if you really think you need the app, I just want to point out that it’s a bit of a red flag if the person you’re chatting with can’t wait a few hours for you to return when you’re away from a computer. (If you don’t have a desktop and you must use the app, remember just to give it as few permissions as possible or disable them after using them – ex: upload a photo then revoke photo/camera access.)

Signing Up

This goes for just about any website, but extra so for dating websites. So you’ve picked the service you want to use and you’re ready to sign up. Start by creating an account with AnonAddy or SimpleLogin and use that as your email address to sign up. Next, use a password manager to create a strong password for your account. Once you’re in, also be sure to turn on two-factor authentication. We’ll talk more about account settings in a moment.

Filling Out Your Profile

Next you’ll probably be prompted to put in some information about yourself. This is where you need to think critically. If it’s a site that requires a real name, I recommend using a common nickname. For example, Alex. If you’re a girl, that means your name could be Alexandria, Alexandra, Alex, or other. If your name is spelled uniquely, like Alyx or Alecz (yes, I’ve seen both), spell it wrong (“normal”) on purpose. If your first name is unique and can’t be shortened to something common, use your middle name. I’ll talk about coming clean later. If the site asks for a username, randomly generate one. Have your password manager generate a passphrase and pick the first two words it comes up with.

When it comes to information about yourself, be honest but cautious. I mean, you’re here to find someone you want to spend (presumably) the rest of your life with, right? Why would you sabotage yourself here? Talk about your favorite books, movies, TV shows, hobbies, etc. Privacy Pro-Tip: this is a great place to start laying the foundation for your potential partner to brace themselves for your privacy-focused lifestyle. I used to word it something along the lines of “I’m really into cybersecurity, so if we end up hitting it off I’ll probably want to use an encrypted messenger like Signal at some point.” There’s a million ways to word this. We’ll talk about that switch to encrypted messaging later, too. Here’s the important thing: do NOT list any super personal information. “Super personal information” in this context includes where you work, where you went to school, or even your exact neighborhood. WHAT you do and GENERAL information is totally cool. “I graduated 4-year university and majored in computer science” is acceptable. “I went to X University and got my BS in Computer Science” not so much. “I work in technology” or even if you want to get specific and say “I make security software for businesses,” also okay. “I work at XYZ Corporation,” not okay. Remember that you have to give this person SOMETHING to work with. I ignored all profiles that say stuff like “ask and find out” or are just plain blank or too vague. It's just too much work to try and find common ground when you have literally nothing to start with. There’s plenty of middle ground in between leaving your profile blank and oversharing.

Last but not least, your photo. For dating sites, personally I think makes sense to post an actual photo of yourself for numerous reasons. Here’s my advice for that: first, TAKE A UNIQUE PHOTO! Don’t reuse a photo you have lying around, especially if it’s been posted online before. Google claims they don’t use facial recognition in their image search, but they do look for other places that exact image has been posted before. Second, be aware of what’s in the picture. Don’t post pictures that have your work shirt with the logo visible, show off the skyline outside your apartment, have mail with your address or real name lying in the background, etc. And make sure that if it’s a photo with you and another person that the other person has consented to you using their image, otherwise use GIMP and blank out their face. (You don’t want to the person you’re talking to to accidentally think you’re them anyways.)

Using The Service

So now that we’ve made a profile and we have access to actually start using it, there’s some additional considerations. First off, check your account and profile settings. As I mentioned before, you’ll want to enable 2FA, but also there’s usually a ton of default settings you can change that make your profile more private (from the site, other users, and non-users alike), disable some of the more generic tracking features, and opt out of annoying “features” like email notifications. Go through each setting carefully, read and understand it, and respond accordingly.

Some of the more respected dating sites will require payment, like Match and eHarmony. If that’s the case, remember to use a payment masking service or prepaid debit card to make the payment. You should always view any digital information – especially dating sites – as data breaches waiting to happen. Don’t give these people your real card number.

Finally, related to the point above: treat any information you put on this site as public record. If you and your new date start hitting it off and getting steamy and you want to trade some pictures, first get consent. Second, assume that picture will be made public. Maybe you’ll get lucky and it won’t. But you never really know if the person on the other end is gonna screenshot it and share it around, if the site will suffer a data breach, or if a rogue employee (an increasingly common problem) will peruse messages looking for stuff exactly like that. That goes for anything from your Netflix password to your personal information and images. Be careful what you share! Even if the person you’re talking to is trustworthy, there may be other eyes who aren’t.

Meeting Up

I would be remiss if I didn’t include a short section about getting together in person. When it comes time to meet up, I would be more concerned for safety than privacy. You may be familiar with some of these tips, but here they are in case you aren’t: meet up somewhere public first – a bar, a restaurant, a movie theater, whatever. These days you could even go with a park, a store (window shopping is fun), a fast-food place, etc. Tell someone close to you where you’re going and when you expect to return. If you may not return, arrange a check-in time. “Hey, if you haven’t heard back from me by 9 am, get worried.” Tell them who you’re seeing and whatever contact info you have about them. I know this is dark, but you gotta think worst case scenario. If you don’t come back, having that information gives investigators an automatic lead to start with. And finally, as with everything in life, pay in cash. I once had someone overhear the server at a social function call my real name when trying to return my debit card. Fortunately that person kept my secret but it just reminded me how through no malicious intent or fault of anyone that information can easily get shared.

Coming Clean

Okay, let’s say you guys have been going out for some time and you’re really hitting it off and you think they might be the one. How do you handle telling them you’ve been lying all this time? Short answer: by not lying and laying the groundwork early on. Remember how I said “mention your privacy lifestyle in your profile?” When you do that, you’re already planting the seeds that you care about this stuff. So after a few successful dates, say something like “hey, remember how on my profile I said that thing about encrypted messengers? Well I think things are going really well and I was wondering if you’d be willing to download Signal/Matrix/XMPP/Session/whatever and use that when talking to me. I’d be more than happy to help you set it up next time we see each other.” In my experience, I have never been met with a no.

“Okay but Signal is one thing, what about when they find out I’ve been lying about my name?” Also easy: you haven’t. “Hey, just so you know, I’ve actually been using my middle name. My first name is X.” LOTS of people go by nicknames or middle names, either because they don’t like their real name or it’s too hard for people to remember or spell or whatever the case. I don’t recommend lying and making things up. If you’ve never had a stalker before, don’t say you have. But if you have, feel free to use that as an excuse (even if that’s not actually why you got into privacy). Again, in my experience, I’ve never had anyone feel betrayed or lied to. I promise you, 90% of people don’t care and if that’s enough to make this person dump you, they weren’t the right one anyways.

If your relationship becomes seriously long-term, living together and being married is a challenge to navigate. The most important thing is to communicate. My partner respects that I value my privacy, and while I’ve gotten her to be more privacy-conscious she’s certainly nowhere near on my level. Whenever I do ANYTHING privacy-related that might impact her – such as putting a VPN on the router – I always communicate with her. It usually goes something like this: I say “hey, I want to do this thing.” She goes “okay, why?” I explain the privacy or security benefit. She goes “okay, will that impact my ability to do X? (use TikTok, watch Hulu, etc.)” I respond with “from what my research tells me, it shouldn’t. But if it does I can make adjustments.” I work with her to find out when is the best time for me to implement this thing so that I’m not adding more stress to her during a stressful time or messing up her days off. Once it’s implemented, I ask her to test the apps or whatever she was worried about. If they break, I disable my change and do more research. If they work, I tell her to tell me if that changes and move on to the next thing. All that to say: communication. She respects that I value privacy and I respect that she values convenience. We’re open and up front with each other and we work together to find the best balance. (Even if it means I have to spend a week researching smart TVs when the last TV show I watched was ten years ago.)

Conclusion

I’m sorry this blog post ran long this week, but there was a lot of ground to cover. If I had to sum it up, I’d say this: use the same good internet habits like strong passwords and being careful what you post, don’t lie to people but learn to blend in, and if things work out be sure to communicate openly. Relationships require trust, and I’m not saying to give out your social security number on the first date but if you can’t grow to trust that person then you shouldn’t waste their time and risk yourself. As you grow with and closer to someone, you should grow to trust them, and that means adjusting your threat model and letting your walls down – to some extent – to let them in. A potential partner is no different than a potential privacy solution you’re considering: you have to vet them, but eventually you have to trust them. If you can’t trust them, move on. And good luck out there. The dating scene is frustrating, often disappointing, and takes time. Your privacy wasn’t achieved overnight, neither will your happily ever after. But I’m rooting for you!

Burnout

January 30, 2021

A couple weeks ago, I burned out pretty hard. I know this is a blog about privacy and security, but the fact is that burnout is something that is pretty common in today’s world no matter your socioeconomic status, lifestyle, interests, job, or whatever. And in fact, it seems to be that burnout is even more prevalent in the tech and privacy communities. There’s always more to do, and if we’re being honest privacy can sometimes seem impossible, which only exacerbates the burnout. So this week, I want to take a few minutes to address burnout.

What is Burnout?

Most of us instinctively know what burnout feels like. We feel tired, overwhelmed, beat down, like we just don’t want to do anything. My personal favorite, Merriam-Webster, defines burnout as “exhaustion of physical or emotional strength or motivation usually as a result of prolonged stress or frustration.” Most of us are used to dealing with bursts of stress: traffic, running late somewhere, the store being out of your favorite coffee, so forth. But long-term stress can really wear us down. A project at work that demands overtime, a prolonged illness of a loved one, or really any negative event that just drags on can wear you down and chip away at you. And before you know it, you’re burned out.

Burnout presents in many ways. Exhaustion, lack of motivation, frustration, irritability to name some of the more common and mild ones. It could also include slipping job performance, increased drinking or use of sleeping aids, and even declining health. It’s not fun. In my own case, it resulted in me being unable to focus on The New Oil work, snapping at my partner a lot, and just feeling emotionally numb and exhausted. Your exact combination of symptoms may vary.

How to Handle Burnout

I am an incredibly busy person and I like it that way. Maybe I’m a workaholic or maybe I’m brainwashed by capitalism, but I seriously do like to be productive and do stuff. My whole life I’ve always felt like if I slept in past 9 am I was wasting the day. One time in college, I had a class cancel and two social commitments cancel, freeing up a massive five-hour block in my afternoon. I almost had a panic attack at first. I don’t do “free time.” Even my free time is planned on what game I’ll be playing or movie I’ll be watching.

This past week, Techlore shut down their communities in honor of Data Privacy Day. They encouraged people to step away, unwind, take a holiday, and not to fall for the marketing of other companies were capitalizing on the day. And honestly, I think they’re really onto something. The best way to handle burnout is to not get it in the first place. One way I’m able to sustain my own lifestyle of constant sprinting is because I’ve learned how to pace it and how to relax. I’m very careful to schedule time each night to unwind and watch mindless TV with a drink, and I’m also very good at recognizing when I’ve pushed too hard and my brain just can’t take anymore. An important thing I do that I would recommend to anyone is that I’ve build margin into my schedule: if I push too hard today and I don’t get something done, I have time to do it tomorrow. It might stress me out and get in the way of some free time, but it can still get done if it’s an emergency. And if it’s not, it slides off to the next available time slot.

Of course, I don’t expect everyone to go as much as I do. I’m able to sustain my pace because I love what I do and I never get tired of doing it. Tired? Yes. Tired of what I’m doing? Rarely. We can’t all be so lucky and even when we are we don’t all have the same capacity for stress or activity. However I do think it’s important for everyone to learn themselves and what their rhythm is. Learn to recognize when you’re getting too stressed, and learn how to find a rhythm that lets you sustain your lifestyle rather than doing a bunch at once, getting burned out, and then needing to crash and recover. And for the record, that doesn’t mean “learn how to go every single day.” Some people need their weekends. Some people need their cheat days. I can get by with about one total day off every few weeks. Not everyone is like that. “Finding your rhythm” isn’t about working every single day, it’s about finding a way to get what you need to get done without going through cycles of burnout and recovery. If you’re constantly burning out and using time off to recover, you’re doing it wrong. It shouldn’t be a flood followed by a drought, it should be a cycle of moderate rain and sunshine.

Having said that, burnout still sometimes happens. Over the Christmas week, we had an emergency project that was too good to pass up for our small, struggling business at work. We put in almost 40 hours in three days to make this project happen and get paid. I spent the next three days playing video games. Sometimes you have no choice but to push and deal with what’s in front of you and burnout is inevitable. But it shouldn’t be the norm.

When burnout strikes, the methods of dealing with it are as numerous as there are people, but I think I can sum it up into four words: take care of yourself. For some people that means making time to go for a walk or exercise. For some people that means meditation or a quiet night at home reading. For others that means binging video games or The Office. The point is to identify what de-stresses you and makes you happy and helps you unwind. I’m not a meditation person. It’s great, but getting me to sit still and clear my mind for any amount of time is rough. Meditation is not a de-stress for me, it just makes me feel like I’m wasting time when I could be tackling whatever thing is stressing me out. Video games are one of my hobbies. I can do that. Podcasts. I can do that. Watching Futurama for the ten millionth time. Definitely can do that. These are things I do when I need to unwind. And communication. I tell my partner that I’m burned out and I need some space to unwind by myself.

I wish I had something more concrete. As a data privacy educator, I’m used to being able to say “these are objective things.” “This solution is better here and that one is better there.” “Here’s the strengths and weaknesses of something.” But people don’t always function as cleanly as apps. And just as threat models vary from person to person, burnout threshold and coping mechanisms also vary. But I hope that this post has at least given you something to think about and helped you recognize some patterns and potential solutions in your own life. Things are not hopeless. But the battle is very much uphill. Be sure to take it one step at a time and give yourself plenty of margin to handle it all. You’re of no use to anyone else if you can’t take care of yourself.

Today is Data Privacy Day. Here’s Another List

January 28, 2021

Today is Data Privacy Day – as the title says – so I thought it only appropriate that I make another list. This time, I want this list to focus solely on ways to protect your privacy. Normally on this site I try to take a balanced approach to both privacy and security, usually leaning more on the security side. Privacy and security are almost never at odds, and in fact usually go hand-in-hand. But in honor of today, here’s a list of simple tools and steps you can take to really up your privacy game specifically.

Switch to a Privacy-Respecting Search Engine

Are you using Google, Bing, Yahoo, or similar? Boo! Switch to a privacy respecting search engine such as DuckDuckGo or Startpage. Already using those? Great! But believe it or not, you can actually do even better! DDG is not without their fair share of controversy, and Startpage has a questionable relationship with an advertising company. Instead, try SearX, a fully open source and decentralized search engine; MetaGer, a fully open source search engine; or even YaCy, which is designed to be self-hosted and peer-to-peer. If you have the technical skill, you can even self-host your own instances of all three of those.

Switch to a Privacy-Respecting Browser

Using Chrome? Ditch it for Brave, which is a Chrome fork that comes pre-built with advanced privacy and security tools. However, just like with search engines, Brave is not the perfect choice. Admittedly, there are no perfect choices in this category. Personally I’m a fan of Firefox, but researchers have proven that Firefox is technically not as secure as Chromium. This is one of those rare times when privacy and security diverge somewhat. Since this blog post is focusing on privacy, I’ll focus on why I recommend Firefox: I believe that Firefox can be made more private than Chromium-based browsers. In addition to user-friendly privacy controls in the preferences such as anti-fingerprinting and tracking protection, Firefox also offers a powerful “about:config” section which can be configured in advanced and powerful ways. Firefox may not be the perfect choice, especially for security, but for privacy I think it has the most potential by far.

Disable Invasive Settings

Here’s a quick question: when was the last time your phone updated? Don’t know? Do you know if any of the settings got changed when it updated? What about your computer? What about your social media profiles? Whenever you set up any new profile or device, you should always go straight to the settings and enable two-factor authentication, as well as disable any privacy-invading settings. Instagram really doesn’t need to know your location, and honestly life is just fine without Siri. Disable as many settings as you can to preserve your privacy. You should also make time to periodically check your settings, especially after updates, just to make sure there’s nothing new or no changes were made or reverted. Want to take it a step further? Learn how to live without your phone. Going to a movie? You’re gonna turn it off anyways, just leave it at home. Running a few quick errands? People can live without having instant access to you, they can leave a message.

Ditch the Mainstream Providers

Using Google? They’ve been accused of reading your emails to scan for keywords for advertising. Don’t mind them reading emails from your bank so they know your budget? Maybe you’ll mind the Yahoo employee who illegally ]accessed user accounts](https://mashable.com/article/yahoo-employee-account-hacker/) looking for nudes. The fact is that numerous privacy abuses can be cited for all the major tech companies because privacy abuse isn’t just rampant among them: it’s their business model. Skype was part of PRISM, the NSA program attempting to collect all data for mass surveillance revealed by Edward Snowden in 2013. Facebook’s privacy abuses are too numerous to list. Apple has been accused of listening to Siri recordings even after agreeing to stop (so much for their privacy-friendly marketing). Amazon is in Facebook territory with privacy concerns that would take entire websites to list. So the solution? Ditch all of them. Get rid of Gmail, Yahoo, or Outlook for a privacy-respecting email provider. Ditch Skype, Zoom, and Teams for Jitsi. Avoid home assistants. Sometimes the biggest privacy moves you can make are the most obvious.

Encrypt Everything

You should encrypt your devices, but in this case I’m talking about a favorite of the privacy community: encrypted communication. Whether you go with Signal, Wire, XMPP, or something else, I highly encourage you to use encrypted messaging. Your texts and emails are not private. They can be read by your cellular or internet providers, and in the case of SMS they can often be read by the owner of the Wi-Fi, local analysts, and basically anyone with a computer and a little free time. Encrypted messaging is a simple, effective way to regain a major level of privacy.

Change Your Mindset

Privacy (and security) is not just a few apps you download or services you switch to. It’s a state of mind. Literally. Try this: next time you sign up for a website or an online purchase, enter literally nothing. Click “next” and see what fields pop up as mandatory. You might be surprised what’s considered optional. Or next time you’re filling out a form – doctor, DMV, reservation at Chili’s – ask the person behind the counter what information is actually mandatory. Again, you might be surprised what’s optional. The fact is that we are conditioned. Humans like to be helpful by nature, so when people ask us for information, our impulse is to give it to them to be helpful. But the problem is that once we let go of that information, we have no control over it anymore. The recipient might promise not to sell your phone number to marketing companies, but if they do you have no real recourse. Now it’s out there. And you have no real control over who they hand it over to. Maybe they won’t sell your information, but if they’re using a third-party service for their database management, who’s to say that company won’t? You have to think of every piece of data you disclose as potentially public record, either by being handed off to another party or by being caught up in a data breach. And ultimately, the best privacy is to not reveal that information in the first place. The best privacy practices are to have total control over your data, who has it, and how they use it.

I Locked Myself Out of My SIM Card This Weekend

January 23, 2021

Last summer, news abounded on how to protect your phone at a protest. These included things like using a PIN instead of biometric locks, using encrypted messaging, and using a SIM PIN. The basic idea behind a SIM PIN is that while regular phone encryption can protect most content, the SIM itself is where the keys for that data are stored. Think of the SIM as your password manager: your bank account numbers may not be in there, but the password to log in to your bank account and get the numbers is. So Sunday night I decided to take my own advice and set up my SIM PIN. Let me share my journey and the lessons learned.

Lesson 1: Your Carrier Knows Your PIN (AKA “Should I Even Set Up a SIM PIN?”)

On Sunday, when I attempted to set the PIN, I was instantly locked out of my SIM card for doing it wrong. This effectively turned my phone into an overpriced iPod Touch. For some people, that’s fine. For me, long story short: not something I’m willing or able to commit to at this time. I was immediately informed that I had to contact my provider to get the PIN to unlock the SIM, which begs the question “what’s the point if someone else knows my password?” I would still argue this is a worthwhile thing to do. I think a lot of privacy enthusiasts get so caught up on “zero knowledge” that they lose sight of the fact that “less knowledge” is still better than “open knowledge.” Let me unpack that:

“Zero knowledge” means the provider can’t see it. For example, if you use one of the encrypted email providers I recommend on my website, the provider can’t see your inbox (though they may be able to see messages coming in and out, depending on the service and how you use it, that falls outside the scope of this post but is addressed on the page I linked). That’s “zero knowledge.” When I say “open knowledge,” I’m talking about something like your public Facebook page with the default settings: everyone can see your posts, everyone can see your pictures, anybody can see your likes and check-ins. There is no restriction to the information, it’s “wide open.” And so, by that logic, “less knowledge” would land somewhere in the middle: it’s not “zero knowledge” where only you have the information, but it’s not wide open for everyone to see either. Only specific people have access.

Zero knowledge is always preferable, but as I’ve discussed in the past, “don’t let perfect be the enemy of good.” A SIM PIN may not be zero-knowledge, but it’s not wide open either. It won’t protect you from police with a warrant or rogue employees, but it will protect you from the jerk at the concert who steals your phone or the stalker ex (depending on their capabilities).

Lesson 2: You Probably Already Have a PIN

The fact that my SIM got locked right off the bat tells me that my SIM already had a PIN. So if you’re planning to use this feature – and I recommend it – you should start by contacting your carrier and confirming what the PIN is. It probably has a default of “1234” or something like that. Because my SIM was locked, that meant I was COMPLETELY unable to make or receive phone calls. (I assume emergency services would’ve been exempted but I wasn’t about to test that out for obvious reasons.) My carrier, by policy, was only allowed to text me my PIN, which meant that unlocking it was now an impossible Catch-22. Then, once you learn the PIN, you’ll probably learn that it’s not very secure. In my case, it was an old PIN that I used to reuse everywhere back in my pre-security days. So I quickly changed it to something randomly generated and stored everything I needed to know in my password manager.

Lesson 3: Don’t Depend on Your SIM

While this was a very frustrating adventure, it was more inconvenient than anything. Despite being – as I called it – an “overpriced iPod Touch,” my actual life went virtually unaffected. I don’t use my SIM for anything other than actual cell data when I’m not on WiFi. I use Signal as my daily communication app. I use MySudo for work and other Voice-over-IP needs. I mainly rely on an offline password manager that’s only on my desktop. I have the passphrases to login to my desktop memorized. The point is, there was only one way that this experience actually impacted me while I was waiting to contact customer support: I was unable to receive the Catch-22 text. Other than that, this really didn’t impact me. I had to pick up a package from a friend so I messaged them in advance to let them know my travel route (they were stop #2). I had to pre-download my music from Spotify (yes, not privacy-friendly, I know) for my commute to work. Absolutely nothing else mattered, and frankly the only reason I even was so determined to fix the issue was because I need my phone to work while I’m on a job site and we don’t always have access to WiFi on job sites. Maybe for February I’ll challenge myself to remove the SIM card outside of office hours…

Conclusion

So I did finally unlock the SIM after several frustrating hours talking to tech support. As I mentioned before, the PIN I was using was insecure, and it turns out the first agent I spoke to gave me the wrong PUK (Personal Unlock Key, a unique number linked to your SIM card) so my PIN didn’t work. Once I got connected to an agent who gave me the correct PUK, I was able to easily guess my PIN. Would I recommend using a SIM PIN? Despite my initial hiccup, yes. As is often my style, I kind of charged into that one totally blind like the infamous Leroy Jenkins, but had I proceeded with caution I think this experience wouldn’t have even been on my radar, and no doubt my phone is now even more secure than it already was. One of my strong philosophies behind this site is the idea that these are the changes that matter – the little changes that you don’t even notice once they’re in place, but they dramatically improve your privacy and security. So don’t miss out another chance to take up your game. Just learn from my mistakes.

Privacy & Security 101: Social Media

January 16, 2021

This blog was originally posted November 16, 2019. With the recent controversies surrounding social media, I thought this might be worth revisiting. The post has been edited to reflect my most current opinions, views, and knowledge.

Social media is a ubiquitous part of modern life. I am the last person here to decry the negative effects of it, though for the record there are some we should be aware of address outside of privacy and security. No, for an introvert and avowed hater-of-small-talk like myself, social media is a godsend. I hate calling or even texting someone to go “hey, I have no reason to be bugging you but what's new? Let's chat.” Instead I love the ability to peruse the timeline at my leisure and respond to whatever someone else felt was worth sharing, whether it's their latest meal, their child, or their trip to the brewery.

But we all know social media comes with wide-ranging risks, from cyber-stalking and cyber-bullying to full on identity theft. Many of us likely know someone who was or have been ourselves victims of someone pretending to be us on Facebook. This usually isn't a problem when you can just post “hey, that ain't me, don't give them money.” But what happens when you're a well-known, respected person and your social-media doppelganger is posting things you would never endorse in a million years? Well, it happens. And sometimes, it has nothing to do with you. Another common abuse of social media is to use the information one over-shares for “social engineering.” For example, I can check your Facebook page, see your banner picture is the Green Bay Packers, and if your website security question is “who is your favorite sports team?” I now have a pretty good guess. Or on a more complex level, I can assume that the Packers might be part of your password and I can use that for a dictionary or brute-force attack. And last but not least, let’s not forget how information you posted can come back to haunt you. Something dumb posted in high school can sour a potential employer doing some research on you, or messages sent can be used in court and taken out of context to make you look guilty. Yes, these things can and do happen, even if they sound crazy.

So am I here to tell you not to have social media? Well, sort of. Not to be “that guy” but the quality of my friendships has increased dramatically since I deleted Facebook. I find it much more meaningful when my friends personally invite me to hang out rather than send me a faceless, impersonal, mass event invite. We also put more intentionality into our talks, even our texts. It's more engaging than a casual like while lying in bed at night waiting to fall asleep. But having said that, even I have a personal Mastodon account I'm in no rush to delete.

At very least, I do encourage you to ditch traditional social medias like Facebook, Instagram, Twitter, TikTok, and Snapchat (and others) in favor of more privacy-respecting services like Mastodon, Friendica, Pleroma, PixelFed, and others. Traditional social media companies are terrifyingly abusive in both the ways and extents that they collect data about you and process it. But that's a post for another time. Instead, this post is about how to best-use your social media – be it Facebook or Mastodon – and how to be smart about it to enjoy the best aspects of it while avoiding some of the worst.

-Ditch mainstream. I know I already said that, but I assume some people are going to skim this post, and it bears repeating anyways. Seriously. Here's just one site full of good reasons why Facebook sucks, and there's plenty more where that came from from each major company.

-Think about your privacy settings. This one is pretty well-known these days so I'm not going to spend much time harping on it, but unless you're a public figure intentionally attempting to reach the masses, you may want to consider locking down your profile behind as much privacy as you can. Making your Twitter private may cost you some followers, but it will make you significantly safer and make your experience more enjoyable. While you’re at it, consider the parts of your profile that can’t be made private like your bio, header, and profile pic. Ultimately the goal is to expose as little information as possible.

-Think about what's really worth posting. Again, I'm not here to decry “the good old days” and make fun of people who post their lunch on Instagram all the time, but does it really make you happy? Does “vaguebooking” about your unhappiness really fix the problem? Does sharing that link (that you didn't even read or fact-check) actually change anyone's mind? Don't just impulsively dump things into your profile or feed. Take a few seconds to ask “do I really want to share this?”

-Think about what you're posting. Okay, so you've thought about it and you're REALLY feeling that selfie. Your hair has never looked so good. Great! But do you really need to angle the camera in such a way that the company logo is visible on your work shirt that you're wearing? Did you leave any mail or personally identifiable information in the background? Is everyone in the picture consenting to be in the picture? I don't care if my girlfriend posts a selfie to Facebook but I politely ask her to angle the camera in such a way that it leaves me out. Think about what information someone could potentially learn from that photo, such as where you live or work, and remember that people search websites are a tragically real thing. (I'll do a post about that someday too). Again though, it's not just you. When you post a picture of your child to Facebook, that picture stays on Facebook's servers forever. Someday your child will be grown, and they should have the right to decide if they want Facebook to have their facial recognition data on file. Carelessly posting even statuses or location check ins can sometimes reveal more information than you or the people you're with may be comfortable with. Be sure to think about what information you're revealing and be sure everyone involved is okay with it.

-Remember who your audience isn't. One big reason I dislike mainstream social media is the lack of privacy. If your profile isn't set to private, literally anyone can see your posts, pictures, likes, and more. “I don't care if my friends see where I work,” you say as you check-in with your latest tweet, but what about the stranger? The Guardian wrote an article reminding us how easily one can “stalk” someone – even by accident – with how much information social media reveals about us. But it actually goes so much deeper than that. Even if your information is set to private, it’s not private from the provider. Facebook can still see every single “Friends Only” photo you upload or status you post. They can read all your messages, and they will happily share everything if requested by law enforcement, or if someone finds a bug in their code and exploits it to download your non-public data.

-Remember who your audience might be. This story shows how even the best intentions can backfire when you overshare on social media. Even if you make a post privately or in a closed group, you can't guarantee that it won't be screenshotted, printed out, or otherwise shared with someone it was never intended to see. Always assume anything you put on the internet is wide open to the public, even if it isn't.

-The internet never forgets. So you had a little too much to drink last night, or maybe the anesthesia the dentist gave you was pretty strong, or maybe you just were real depressed and it felt cathartic to make some emo posts. You can just delete them later, or set your profile to private, right? Allow me to introduce you to the Wayback Machine. The Wayback Machine is a free service from Archive.org that automatically creates a copy of every page on the internet it can find at all times for the sake of history. It's not trying to make everyone remember that picture of you in 8th grade, it's trying to ensure that a hundred years from now we have a copy of the front-page news from major events in history and such. The problem is that it's a bot. It doesn't discriminate. Now obviously the bot can't be everywhere at once, and it can't possibly get everything all the time, but it tries hard. The longer you keep something online, the more likely it is to get swept up in archiving services, and the harder it will be to remove. And Wayback isn't the only service that does this. Anything you post, even briefly, has the potential to stay on the internet forever, if not on the social media provider's servers then on an archiving service. The odds of this increase as your social media presence grows – aka, if you're a notable figure of some kind (musician, actor, influencer, etc). Posting something online and then deciding later “nah, I don't really think I want to share that with the world after all” isn't really an option. It's there forever and whatever prompted you to remove it – such as personal information, non-consenting parties, or even just bad lighting – will be there forever to haunt that decision.

Once again, I'm not here to bash social media (completely). I'm not here to tell you to delete Facebook (though I do encourage it). But I do want you to take the time to think about what you're sharing and make sure you know what you're getting into. Be smart with your social media usage. As I said in my first ever blog post here, our goal is to reduce our “attack surface.” We want to make ourselves a less convenient target so that bad actors go after an easier target. Think twice about anything you post on any social media platform, and that alone will get you pretty far. And since I’m posting this at the beginning of the year, I challenge you: log out of social media for the rest of the month. Delete the app off your phone, log out in your browser, and just try to spend the rest of January without it. If you still miss it come February, go ahead and log back in. But I bet you’ll find you rather enjoy the time away. I hope the pointers above have been helpful in that regard and given you some factors to consider. Use wisely!

What’s the Buzz About Bitcoin?

January 9, 2021

You may have heard the news lately: Bitcoin is at an all-time high. Like REALLY all-time high. Previously, it peaked just under $20,000 USD toward the end of 2017. As I type this, it’s broken $40,000 USD. That means a single Bitcoin is worth more than most cars. So why is this, what is Bitcoin, and why do I still not talk about it much on my website?

What is Bitcoin?

Bitcoin is a decentralized digital currency. It’s not super complicated, but it’s complicated enough that I’m not going to dive into the details of how it works. The short version is that there is no country or bank responsible for issuing it. The value is entirely dependent on supply and demand, and it is entirely maintained by the users. Consider the following: You have a wallet in which you place cash. You can then freely trade that cash with other people for any number of reasons: you can donate it to a cause, you can buy a soda with it, or you can hold onto it. Now replace “cash” with “Bitcoin.” Congratulations, that’s exactly how Bitcoin works. A Bitcoin wallet can be an app, an online service, or a hardware USB-like device. Each has their advantages and disadvantages, and I’m not going to go into that here.

Why is Bitcoin Suddenly so Popular?

I’m not going to pretend to know. I’m sure there is an answer, but I don’t know it. I tried to do some research for this blog, but frankly nobody seems to have a good answer. One common answer is “it’s becoming more widely accepted” but nobody seems to explain why that is. Another answer is that “it’s fraud resistant.” I guess that makes sense, but so is a good old-fashioned bank transfer. Short version: I don’t know. And quite frankly, I’ve heard a lot of personal finances educators claim that nobody REALLY understands the market. Some people can make some educated guesses based on current events, previous trends, or whatever, but in the end it’s all just speculation. The market does what the market does, and I guess the market is favoring Bitcoin right now.

Is Bitcoin Really Private?

Short answer: no. Bitcoin is, by design, more private than almost any other form of electronic payment. However, as with anything electronic, there are other considerations for true “privacy.” For example, the most common way to get started with Bitcoin is to go sign up for an exchange, like Coinbase or Ledger. But these are US-based companies, which means that they are required to verify your real identity in order to prevent fraud. So while the person you’re trading with may not know you, your real-world identity is very much linked to your wallet. That’s not very private. Even if you self-host a wallet, it’s important to note that using the same address creates a web of activity and relationships. Think of it like a regular bank account: if I’m constantly getting gas at the same gas station once per week, you can safely assume that I live or work near that gas station. If I’m constantly sending Bitcoin to the same address – an address that belongs to the EFF, for example – you can safely assume that I’m interested in digital rights advocacy. That by itself won’t tell you much, but it is a piece of a puzzle, and combined with other pieces the picture begins to emerge. There are other steps you can take. I know some cryptocurrencies – I believe Bitcoin is one of them – allow you to create multiple wallet addresses with the intention of being able to break up this profile, but it requires a lot of work and it’s not included by default in most services like Coinbase. Furthermore, Bitcoin is a public ledger There are tons of tools out there to enter in any Bitcoin wallet address and see how much money it has. That was always the point of Bitcoin: transparency, security, and decentralization, not privacy or anonymity.

So Why Don’t You Talk About Bitcoin on Your Site?

A lot of people who are interested in Bitcoin attempt to use it in a “day trader” type format: that is, they buy low and sell high without ever using Bitcoin to actually buy any goods or services. Does this work? Sure, for some people. But not for most people. Warren Buffet famously made his fortune by investing and playing the stock market, yet even he is not convinced that “active management” – aka trading your stocks manually the way that day traders do – is a better route. I don’t believe Bitcoin is a good investment tool. After its all-time high in 2017, it crashed all the way back down to the mid thousands (around $6,000 USD) for quite some time. Granted, that was still significantly higher than the below $1000 it was at before that climb, but look at the trend: $700, $20,000, $6,000, $40,000. Those are highly volatile numbers, and it’s hard to know when to buy in and cash out. Most average people – my target audience – don’t have the time or expertise to watch the market so closely and try to guess when to pull out. And as I said above, I don’t think anyone does. Who knows exactly when the bubble will burst, and if it will be a temporary setback or a long-term one? Financial advisers are historically awful at outperforming the market, so the odds of an average person who isn’t closely watching and studying the market 40 hours per week being able to do better is slim to none. It’s just gambling, and I would hate to tell my readers “you should use some Bitcoin to improve your privacy” when A) it won’t really improve their privacy (especially since most readers will use an existing exchange with “Know Your Customer” laws) and B) they might lose hundreds or even thousands of dollars as the market fluctuates. It just feels irresponsible of me to do that to people who are uneducated on the matter and expecting me to give them good advice. Also not to brush past this one, but while Bitcoin certainly is becoming more acceptable and mainstream, there are still many places where it is not accepted. I dream of the day I can pay for my groceries with Bitcoin. I doubt I would, but man it’d be cool.

So is Bitcoin Bad?

Absolutely not! For starters, I love the idea of a secure, decentralized, and transparent currency with almost no barriers to entry. An associate of mine once shared that they live in an economically disadvantaged part of the world where Bitcoin has been a godsend. A major problem with today’s increasingly digital world is that many in poverty don’t have access to bank accounts, which leaves them out of many online transactions and other financial opportunities. But most people manage to access a smartphone. According to Statista, over 3.5 billion people worldwide have a smartphone in 2020. That’s over half the global population. And that’s total population, so if we removed minors from that number the percentage of adults who own a smartphone is probably pretty high. And yet, according to Gallup, only 62% of adults have a bank account. So the rise in available wallets means a rise in access to digital funds for anyone with access to a smartphone, which is most people. A digital wallet is arguably more secure than cash under a mattress, so the rise of cryptocurrency allows for a narrowing of economic opportunities between rich and poor, especially when we’re talking about something globally-recognized like Bitcoin. No exchange rates or international taxes to change from one currency to another. Having said that, I suspect that most of my readers and target audience do not have this problem. Many or most of them probably have access to a bank account or cash, and many probably live in areas where Bitcoin is not universally accepted. Finding places to spend that Bitcoin may be hard. I like the idea of Bitcoin as a currency, not as a traded stock.

Conclusion

So what if you’re reading this and you’re like “okay, I recognize the risks and practicalities of Bitcoin but I’m still really interested and I want to learn more and get involved? Can you write about it?” No. I still want to keep my website aimed at beginners and introductory stuff, and I just don’t think that Bitcoin falls into that category. Furthermore, because I have chosen not to invest my time into studying cryptocurrency, I don’t think I’m really qualified to give any advice on it aside from “be careful.” But I am fortunate enough to have fallen in with a crowd who seem really knowledgeable and passionate about the subject. So if all the current talk about the latest astronomical rise of Bitcoin has you curious and interested, I highly encourage you to head over to Decentralize Today and see what they have to say about Bitcoin and other cryptocurrencies, or check out Opt Out Podcast, which is hosted by the highly knowledgeable Seth For Privacy and many of his first season interviews discuss a variety of cryptocurrencies and technologies and how to best get started using them. These sources are far more knowledgeable than I am and I think they can probably help you get started with understanding how it works, what the advantages and disadvantages are, and maybe offer some educated speculation on what the future might hold.

Is it Bitcoin worth all the buzz? It depends. It certainly has its potential and its uses, but it’s not right for everyone, and while I personally don’t think it’s my place to get involved I didn’t want to just ignore this important and widely-discussed piece of the privacy puzzle. So I hope that this blog post has given my readers some information to make their own informed decisions with. Good luck, and move forward with caution! As always, there’s lots of bad people out there looking to make a quick buck off a buzzword. Make sure you’re armed with knowledge before you rush into anything.

2020 Recap/2021 Plans

January 2, 2021

What a year this has been, in more ways than one. But I’m not here to talk about the obvious, global stuff. In what I hope to make an annual tradition, I’m here to look back at my calendar year and see how well I met my goals, and set new ones for the upcoming here. I will be making these judgments based on my blog post from January of this year.

Looking Back: What Worked

One of my stated goals was to host quarterly cryptoparties in my area. Well, obviously that didn’t 100% pan out thanks to the pandemic and lockdown rules. I did, however, move those cryptoparties online to become webinars. I originally set my aim for 3 of them in 2020 beginning in Q2. I mostly met this goal. I missed my Q3 webinar due to lack of preparedness on my end (I have no excuse, it snuck up on me). I did, however, do both Q2 and Q4 and I have my next scheduled for Q1 2021. So even though I didn’t 100% nail it, I’m willing to call this a success for getting back up and sticking with it.

I said that I hoped to attract more financial support (I will have a financial breakdown at the end), and I did. At the time of publication, I have 4 patrons on Liberapay and make $3.95 USD per week. So also a win. (Also that's a bad goal cause that's not really something I can control, but c'est la vie.)

While I didn’t state these goals, these were some additional successes I had: I started a weekly current events podcast that I have thus far managed to maintain regularly, I continued to post blogs weekly, and I was invited to be a regular contributor on Decentralize Today which I am attempting to write for weekly on privacy topics in 2021.

In digital growth, I went from just over 100 followers in January to over 650 at the time of this post! That’s over 500% growth in a year! Holy cow! But it’s not just that. The blog has 16 fediverse followers and 15 email subscribers with over 21,000 views! The podcast has a combined total of almost 50 listeners and over 2,000 listens across the available platforms. And most incredibly, the site itself has steadily grown with 923 unique visitors in January and just shy of 5,000 last month! That’s a total of over 28,000 unique visitors this year! (Don’t panic, I asked my hosting provider what analytics they collect and it’s only IP address, so that’s all the information I have access to and frankly more than I want). This year has been mindbogglingly incredible. I know this is something everyone says and it sounds cliché but seriously, thank you SO MUCH! This is incredible and I’m so grateful for all of you!

What Didn’t Work

As I said, I missed one webinar totally, and even the ones I did run had a few technical mishaps getting up and running. Such is life when you run multiple operating systems and only stream a few times a year. Even so, I hope to smooth out that process and get it right as I move forward.

I had mentioned I was hoping to add a second Tor relay. I did not do that. I am still hoping to rent an offsite server and host an exit node. Sadly that has not come to fruition yet, mainly because I’m waiting for a server to open up in New York – I think we need more US-based servers (you can take or leave that opinion, that’s okay) and I think New York makes the most sense since it has the highest population in the US and therefore traffic coming from there would blend more easily, I hope. Either way, the provider has said they’re fine with me running an exit node so at least I don’t have to worry about that.

I also mentioned possibly adding to the list of federated services like Mastodon, Peertube, or more. Sadly I was also unable to do that. They are still very much goals of mine.

Financial Transparency

This year, I made $119.96 USD through Liberapay. I did not receive any other compensation related to this project.

I incur the following costs directly related to this project Web hosting: $52.82/year Write.As Pro: $45/year

All leftover income ($22.14) went towards covering my own personal, peripheral expenses such as internet, housing, food, time, and I pay for ProtonMail Plus which is connected to my TheNewOil@protonmail.com email address. In the future, if my income continues to grow, I will be more transparent with these costs but I trust at this time that you all are convinced that $22 did not cover any one of these expenses completely. (Fun side note: it wasn’t until I typed this out that I realized that technically this project is now solvent. I guess that means it’s time to expand.)

Goals for 2021

My goals for 2021 are basically the same as they were last year: continue to grow. Thanks to feedback from my wonderful readers like you, I have made dramatic improvements to the site both in content and design. I am also hoping to launch a new podcast series in late Q1 or Q2 in addition to my weekly segment. I am hoping to launch a series of video tutorials and in-depth blog posts to add more depth to my site. I am going to begin consulting services in 2021. I am also continuing to attempt to reach out into the real world and speak at conferences, organizations, and pretty much anyone who’s interested in hearing my message.

I am also working on ways to ethically monetize this project. I am currently seeking affiliation status with some of the services I offer, but I will continue to offer non-affiliate links for those who are uncomfortable using affiliate links. I’ve also been asked about possibly translating the site into other languages. This is something I would love to do. I think far too many privacy sites are western-focused, specifically in America. I need to check with my hosting provider about the best way to do this, but if you speak another language and are familiar with the various privacy practices that are legal there and the cultural norms, I would be very interested in having your help with this. And as, mentioned in last year’s report, I am still involved with my local EFF chapter. I hope to get us organized toward a facial recognition ban in my area, but I’ll help with whatever they need from me.

This past year has been incredible and humbling. The support I have experienced from all of you is just mind-boggling and I cannot express enough how sincerely, from-the-bottom-of-my-heart grateful I am to all of you. This growth would not have happened without all of you: without you sharing my site, sharing my blog posts, sharing my podcast, and of course contributing to my Liberapay. I am so eternally thankful. I don’t fully know what all the future holds, but I promise you that I am not planning to abandon this project any time soon, so I look forward to a successful 2021 filled with more growth, more security, more privacy, and more changing the world one person at a time. Thanks for being part of this with me. Cheers!

The Good

The Bad

Final Verdict

SIM Data

Cash

Self-hosting

Direct Communication

Knowing the Neighbors

Privacy Was Not Paramount

Conclusion

Why Does It Matter?

Seek…

...and Destroy

Should I Blank My Information First?

What if I Can’t Delete My Account?

When Not to Delete Accounts

Moving Forward

Picking a Service

Signing Up

Filling Out Your Profile

Using The Service

Meeting Up

Coming Clean

Conclusion

What is Burnout?

How to Handle Burnout

Switch to a Privacy-Respecting Search Engine

Switch to a Privacy-Respecting Browser

Disable Invasive Settings

Ditch the Mainstream Providers

Encrypt Everything

Change Your Mindset

Lesson 1: Your Carrier Knows Your PIN (AKA “Should I Even Set Up a SIM PIN?”)

Lesson 2: You Probably Already Have a PIN

Lesson 3: Don’t Depend on Your SIM

Conclusion

Limiting Social Media

What is Bitcoin?

Why is Bitcoin Suddenly so Popular?

Is Bitcoin Really Private?

So Why Don’t You Talk About Bitcoin on Your Site?

So is Bitcoin Bad?

Conclusion

Looking Back: What Worked

What Didn’t Work

Financial Transparency

Goals for 2021