The New Oil

Privacy and security for everyone.
TheNewOil.org

Today is Data Privacy Day – as the title says – so I thought it only appropriate that I make another list. This time, I want this list to focus solely on ways to protect your privacy. Normally on this site I try to take a balanced approach to both privacy and security, usually leaning more on the security side. Privacy and security are almost never at odds, and in fact usually go hand-in-hand. But in honor of today, here’s a list of simple tools and steps you can take to really up your privacy game specifically.

Switch to a Privacy-Respecting Search Engine

Are you using Google, Bing, Yahoo, or similar? Boo! Switch to a privacy-respecting search engine such as DuckDuckGo or Startpage. Already using those? Great! But believe it or not, you can actually do even better! DDG is not without their fair share of controversy, and Startpage has a questionable relationship with an advertising company. Instead, try SearX, a fully open source and decentralized search engine; MetaGer, a fully open source search engine; or even YaCy, which is designed to be self-hosted and peer-to-peer. If you have the technical skill, you can even self-host your own instances of all three of those.

Switch to a Privacy-Respecting Browser

Using Chrome? Ditch it for Brave, which is a Chrome fork that comes pre-built with advanced privacy and security tools. However, just like with search engines, Brave is not the perfect choice. Admittedly, there are no perfect choices in this category. Personally I’m a fan of Firefox, but researchers have proven that Firefox is technically not as secure as Chromium. This is one of those rare times when privacy and security diverge somewhat. Since this blog post is focusing on privacy, I’ll focus on why I recommend Firefox: I believe that Firefox can be made more private than Chromium-based browsers. In addition to user-friendly privacy controls in the preferences such as anti-fingerprinting and tracking protection, Firefox also offers a powerful “about:config” section which can be configured in advanced and powerful ways. Firefox may not be the perfect choice, especially for security, but for privacy I think it has the most potential by far.

Disable Invasive Settings

Here’s a quick question: when was the last time your phone updated? Don’t know? Do you know if any of the settings got changed when it updated? What about your computer? What about your social media profiles? Whenever you set up any new profile or device, you should always go straight to the settings and enable two-factor authentication, as well as disable any privacy-invading settings. Instagram really doesn’t need to know your location, and honestly life is just fine without Siri. Disable as many settings as you can to preserve your privacy. You should also make time to periodically check your settings, especially after updates, just to make sure there’s nothing new or no changes were made or reverted. Want to take it a step further? Learn how to live without your phone. Going to a movie? You’re gonna turn it off anyways, just leave it at home. Running a few quick errands? People can live without having instant access to you, they can leave a message.

Ditch the Mainstream Providers

Using Google? They’ve been accused of reading your emails to scan for keywords for advertising. Don’t mind them reading emails from your bank so they know your budget? Maybe you’ll mind the Yahoo employee who illegally [accessed user accounts](https://mashable.com/article/yahoo-employee-account-hacker/) looking for nudes. The fact is that numerous privacy abuses can be cited for all the major tech companies because privacy abuse isn’t just rampant among them: it’s their business model. Skype was part of PRISM, the NSA program attempting to collect all data for mass surveillance revealed by Edward Snowden in 2013. Facebook’s privacy abuses are too numerous to list. Apple has been accused of listening to Siri recordings even after agreeing to stop (so much for their privacy-friendly marketing). Amazon is in Facebook territory with privacy concerns that would take entire websites to list. So the solution? Ditch all of them. Get rid of Gmail, Yahoo, or Outlook for a privacy-respecting email provider. Ditch Skype, Zoom, and Teams for Jitsi. Avoid home assistants. Sometimes the biggest privacy moves you can make are the most obvious.

Encrypt Everything

You should encrypt your devices, but in this case I’m talking about a favorite of the privacy community: encrypted communication. Whether you go with Signal, Wire, XMPP, or something else, I highly encourage you to use encrypted messaging. Your texts and emails are not private. They can be read by your cellular or internet providers, and in the case of SMS they can often be read by the owner of the Wi-Fi, local analysts, and basically anyone with a computer and a little free time. Encrypted messaging is a simple, effective way to regain a major level of privacy.

Change Your Mindset

Privacy (and security) is not just a few apps you download or services you switch to. It’s a state of mind. Literally. Try this: next time you sign up for a website or an online purchase, enter literally nothing. Click “next” and see what fields pop up as mandatory. You might be surprised what’s considered optional. Or next time you’re filling out a form – doctor, DMV, reservation at Chili’s – ask the person behind the counter what information is actually mandatory. Again, you might be surprised what’s optional. The fact is that we are conditioned. Humans like to be helpful by nature, so when people ask us for information, our impulse is to give it to them to be helpful. But the problem is that once we let go of that information, we have no control over it anymore. The recipient might promise not to sell your phone number to marketing companies, but if they do you have no real recourse. Now it’s out there. And you have no real control over who they hand it over to. Maybe they won’t sell your information, but if they’re using a third-party service for their database management, who’s to say that company won’t? You have to think of every piece of data you disclose as potentially public record, either by being handed off to another party or by being caught up in a data breach. And ultimately, the best privacy is to not reveal that information in the first place. The best privacy practices are to have total control over your data, who has it, and how they use it.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Last summer, news abounded on how to protect your phone at a protest. These included things like using a PIN instead of biometric locks, using encrypted messaging, and using a SIM PIN. The basic idea behind a SIM PIN is that while regular phone encryption can protect most content, the SIM itself is where the keys for that data are stored. Think of the SIM as your password manager: your bank account numbers may not be in there, but the password to log in to your bank account and get the numbers is. So Sunday night I decided to take my own advice and set up my SIM PIN. Let me share my journey and the lessons learned.

Lesson 1: Your Carrier Knows Your PIN (AKA “Should I Even Set Up a SIM PIN?”)

On Sunday, when I attempted to set the PIN, I was instantly locked out of my SIM card for doing it wrong. This effectively turned my phone into an overpriced iPod Touch. For some people, that’s fine. For me, long story short: not something I’m willing or able to commit to at this time. I was immediately informed that I had to contact my provider to get the PIN to unlock the SIM, which begs the question “what’s the point if someone else knows my password?” I would still argue this is a worthwhile thing to do. I think a lot of privacy enthusiasts get so caught up on “zero knowledge” that they lose sight of the fact that “less knowledge” is still better than “open knowledge.” Let me unpack that:

“Zero knowledge” means the provider can’t see it. For example, if you use one of the encrypted email providers I recommend on my website, the provider can’t see your inbox (though they may be able to see messages coming in and out, depending on the service and how you use it, that falls outside the scope of this post but is addressed on the page I linked). That’s “zero knowledge.” When I say “open knowledge,” I’m talking about something like your public Facebook page with the default settings: everyone can see your posts, everyone can see your pictures, anybody can see your likes and check-ins. There is no restriction to the information, it’s “wide open.” And so, by that logic, “less knowledge” would land somewhere in the middle: it’s not “zero knowledge” where only you have the information, but it’s not wide open for everyone to see either. Only specific people have access.

Zero knowledge is always preferable, but as I’ve discussed in the past, “don’t let perfect be the enemy of good.” A SIM PIN may not be zero-knowledge, but it’s not wide open either. It won’t protect you from police with a warrant or rogue employees, but it will protect you from the jerk at the concert who steals your phone or the stalker ex (depending on their capabilities).

Lesson 2: You Probably Already Have a PIN

The fact that my SIM got locked right off the bat tells me that my SIM already had a PIN. So if you’re planning to use this feature – and I recommend it – you should start by contacting your carrier and confirming what the PIN is. It probably has a default of “1234” or something like that. Because my SIM was locked, that meant I was COMPLETELY unable to make or receive phone calls. (I assume emergency services would’ve been exempted but I wasn’t about to test that out for obvious reasons.) My carrier, by policy, was only allowed to text me my PIN, which meant that unlocking it was now an impossible Catch-22. Then, once you learn the PIN, you’ll probably learn that it’s not very secure. In my case, it was an old PIN that I used to reuse everywhere back in my pre-security days. So I quickly changed it to something randomly generated and stored everything I needed to know in my password manager.

Lesson 3: Don’t Depend on Your SIM

While this was a very frustrating adventure, it was more inconvenient than anything. Despite being – as I called it – an “overpriced iPod Touch,” my actual life went virtually unaffected. I don’t use my SIM for anything other than actual cell data when I’m not on WiFi. I use Signal as my daily communication app. I use MySudo for work and other Voice-over-IP needs. I mainly rely on an offline password manager that’s only on my desktop. I have the passphrases to login to my desktop memorized. The point is, there was only one way that this experience actually impacted me while I was waiting to contact customer support: I was unable to receive the Catch-22 text. Other than that, this really didn’t impact me. I had to pick up a package from a friend so I messaged them in advance to let them know my travel route (they were stop #2). I had to pre-download my music from Spotify (yes, not privacy-friendly, I know) for my commute to work. Absolutely nothing else mattered, and frankly the only reason I even was so determined to fix the issue was because I need my phone to work while I’m on a job site and we don’t always have access to WiFi on job sites. Maybe for February I’ll challenge myself to remove the SIM card outside of office hours…

Conclusion

So I did finally unlock the SIM after several frustrating hours talking to tech support. As I mentioned before, the PIN I was using was insecure, and it turns out the first agent I spoke to gave me the wrong PUK (Personal Unlock Key, a unique number linked to your SIM card) so my PIN didn’t work. Once I got connected to an agent who gave me the correct PUK, I was able to easily guess my PIN. Would I recommend using a SIM PIN? Despite my initial hiccup, yes. As is often my style, I kind of charged into that one totally blind like the infamous Leeroy Jenkins, but had I proceeded with caution I think this experience wouldn’t have even been on my radar, and no doubt my phone is now even more secure than it already was. One of my strong philosophies behind this site is the idea that these are the changes that matter – the little changes that you don’t even notice once they’re in place, but they dramatically improve your privacy and security. So don’t miss out on another chance to step up your game. Just learn from my mistakes.


This blog was originally posted November 16, 2019. With the recent controversies surrounding social media, I thought this might be worth revisiting. The post has been edited to reflect my most current opinions, views, and knowledge.

Limiting Social Media

Social media is a ubiquitous part of modern life. I am the last person here to decry the negative effects of it, though for the record there are some we should be aware of and address outside of privacy and security. No, for an introvert and avowed hater-of-small-talk like myself, social media is a godsend. I hate calling or even texting someone to go “hey, I have no reason to be bugging you but what's new? Let's chat.” Instead I love the ability to peruse the timeline at my leisure and respond to whatever someone else felt was worth sharing, whether it's their latest meal, their child, or their trip to the brewery.

But we all know social media comes with wide-ranging risks, from cyber-stalking and cyber-bullying to full on identity theft. Many of us likely know someone who was or have been ourselves victims of someone pretending to be us on Facebook. This usually isn't a problem when you can just post “hey, that ain't me, don't give them money.” But what happens when you're a well-known, respected person and your social-media doppelganger is posting things you would never endorse in a million years? Well, it happens. And sometimes, it has nothing to do with you. Another common abuse of social media is to use the information one over-shares for “social engineering.” For example, I can check your Facebook page, see your banner picture is the Green Bay Packers, and if your website security question is “who is your favorite sports team?” I now have a pretty good guess. Or on a more complex level, I can assume that the Packers might be part of your password and I can use that for a dictionary or brute-force attack. And last but not least, let’s not forget how information you posted can come back to haunt you. Something dumb posted in high school can sour a potential employer doing some research on you, or messages sent can be used in court and taken out of context to make you look guilty. Yes, these things can and do happen, even if they sound crazy.

So am I here to tell you not to have social media? Well, sort of. Not to be “that guy” but the quality of my friendships has increased dramatically since I deleted Facebook. I find it much more meaningful when my friends personally invite me to hang out rather than send me a faceless, impersonal, mass event invite. We also put more intentionality into our talks, even our texts. It's more engaging than a casual like while lying in bed at night waiting to fall asleep. But having said that, even I have a personal Mastodon account I'm in no rush to delete.

At the very least, I do encourage you to ditch traditional social media like Facebook, Instagram, Twitter, TikTok, and Snapchat (and others) in favor of more privacy-respecting services like Mastodon, Friendica, Pleroma, PixelFed, and others. Traditional social media companies are terrifyingly abusive in both the ways and extents that they collect data about you and process it. But that's a post for another time. Instead, this post is about how to best use your social media – be it Facebook or Mastodon – and how to be smart about it to enjoy the best aspects of it while avoiding some of the worst.

-Ditch mainstream. I know I already said that, but I assume some people are going to skim this post, and it bears repeating anyways. Seriously. Here's just one site full of good reasons why Facebook sucks, and there's plenty more where that came from for each major company.

-Think about your privacy settings. This one is pretty well-known these days so I'm not going to spend much time harping on it, but unless you're a public figure intentionally attempting to reach the masses, you may want to consider locking down your profile behind as much privacy as you can. Making your Twitter private may cost you some followers, but it will make you significantly safer and make your experience more enjoyable. While you’re at it, consider the parts of your profile that can’t be made private like your bio, header, and profile pic. Ultimately the goal is to expose as little information as possible.

-Think about what's really worth posting. Again, I'm not here to decry “the good old days” and make fun of people who post their lunch on Instagram all the time, but does it really make you happy? Does “vaguebooking” about your unhappiness really fix the problem? Does sharing that link (that you didn't even read or fact-check) actually change anyone's mind? Don't just impulsively dump things into your profile or feed. Take a few seconds to ask “do I really want to share this?”

-Think about what you're posting. Okay, so you've thought about it and you're REALLY feeling that selfie. Your hair has never looked so good. Great! But do you really need to angle the camera in such a way that the company logo is visible on your work shirt that you're wearing? Did you leave any mail or personally identifiable information in the background? Is everyone in the picture consenting to be in the picture? I don't care if my girlfriend posts a selfie to Facebook but I politely ask her to angle the camera in such a way that it leaves me out. Think about what information someone could potentially learn from that photo, such as where you live or work, and remember that people search websites are a tragically real thing. (I'll do a post about that someday too). Again though, it's not just you. When you post a picture of your child to Facebook, that picture stays on Facebook's servers forever. Someday your child will be grown, and they should have the right to decide if they want Facebook to have their facial recognition data on file. Carelessly posting even statuses or location check ins can sometimes reveal more information than you or the people you're with may be comfortable with. Be sure to think about what information you're revealing and be sure everyone involved is okay with it.

-Remember who your audience isn't. One big reason I dislike mainstream social media is the lack of privacy. If your profile isn't set to private, literally anyone can see your posts, pictures, likes, and more. “I don't care if my friends see where I work,” you say as you check-in with your latest tweet, but what about the stranger? The Guardian wrote an article reminding us how easily one can “stalk” someone – even by accident – with how much information social media reveals about us. But it actually goes so much deeper than that. Even if your information is set to private, it’s not private from the provider. Facebook can still see every single “Friends Only” photo you upload or status you post. They can read all your messages, and they will happily share everything if requested by law enforcement, or if someone finds a bug in their code and exploits it to download your non-public data.

-Remember who your audience might be. This story shows how even the best intentions can backfire when you overshare on social media. Even if you make a post privately or in a closed group, you can't guarantee that it won't be screenshotted, printed out, or otherwise shared with someone it was never intended to see. Always assume anything you put on the internet is wide open to the public, even if it isn't.

-The internet never forgets. So you had a little too much to drink last night, or maybe the anesthesia the dentist gave you was pretty strong, or maybe you just were real depressed and it felt cathartic to make some emo posts. You can just delete them later, or set your profile to private, right? Allow me to introduce you to the Wayback Machine. The Wayback Machine is a free service from Archive.org that automatically creates a copy of every page on the internet it can find at all times for the sake of history. It's not trying to make everyone remember that picture of you in 8th grade, it's trying to ensure that a hundred years from now we have a copy of the front-page news from major events in history and such. The problem is that it's a bot. It doesn't discriminate. Now obviously the bot can't be everywhere at once, and it can't possibly get everything all the time, but it tries hard. The longer you keep something online, the more likely it is to get swept up in archiving services, and the harder it will be to remove. And Wayback isn't the only service that does this. Anything you post, even briefly, has the potential to stay on the internet forever, if not on the social media provider's servers then on an archiving service. The odds of this increase as your social media presence grows – aka, if you're a notable figure of some kind (musician, actor, influencer, etc). Posting something online and then deciding later “nah, I don't really think I want to share that with the world after all” isn't really an option. It's there forever and whatever prompted you to remove it – such as personal information, non-consenting parties, or even just bad lighting – will be there forever to haunt that decision.

Once again, I'm not here to bash social media (completely). I'm not here to tell you to delete Facebook (though I do encourage it). But I do want you to take the time to think about what you're sharing and make sure you know what you're getting into. Be smart with your social media usage. As I said in my first ever blog post here, our goal is to reduce our “attack surface.” We want to make ourselves a less convenient target so that bad actors go after an easier target. Think twice about anything you post on any social media platform, and that alone will get you pretty far. And since I’m posting this at the beginning of the year, I challenge you: log out of social media for the rest of the month. Delete the app off your phone, log out in your browser, and just try to spend the rest of January without it. If you still miss it come February, go ahead and log back in. But I bet you’ll find you rather enjoy the time away. I hope the pointers above have been helpful in that regard and given you some factors to consider. Use wisely!


You may have heard the news lately: Bitcoin is at an all-time high. Like REALLY all-time high. Previously, it peaked just under $20,000 USD toward the end of 2017. As I type this, it’s broken $40,000 USD. That means a single Bitcoin is worth more than most cars. So why is this, what is Bitcoin, and why do I still not talk about it much on my website?

What is Bitcoin?

Bitcoin is a decentralized digital currency. It’s not super complicated, but it’s complicated enough that I’m not going to dive into the details of how it works. The short version is that there is no country or bank responsible for issuing it. The value is entirely dependent on supply and demand, and it is entirely maintained by the users. Consider the following: You have a wallet in which you place cash. You can then freely trade that cash with other people for any number of reasons: you can donate it to a cause, you can buy a soda with it, or you can hold onto it. Now replace “cash” with “Bitcoin.” Congratulations, that’s exactly how Bitcoin works. A Bitcoin wallet can be an app, an online service, or a hardware USB-like device. Each has their advantages and disadvantages, and I’m not going to go into that here.

I’m not going to pretend to know. I’m sure there is an answer, but I don’t know it. I tried to do some research for this blog, but frankly nobody seems to have a good answer. One common answer is “it’s becoming more widely accepted” but nobody seems to explain why that is. Another answer is that “it’s fraud resistant.” I guess that makes sense, but so is a good old-fashioned bank transfer. Short version: I don’t know. And quite frankly, I’ve heard a lot of personal finances educators claim that nobody REALLY understands the market. Some people can make some educated guesses based on current events, previous trends, or whatever, but in the end it’s all just speculation. The market does what the market does, and I guess the market is favoring Bitcoin right now.

Is Bitcoin Really Private?

Short answer: no. Bitcoin is, by design, more private than almost any other form of electronic payment. However, as with anything electronic, there are other considerations for true “privacy.” For example, the most common way to get started with Bitcoin is to go sign up for an exchange, like Coinbase or Ledger. But these are US-based companies, which means that they are required to verify your real identity in order to prevent fraud. So while the person you’re trading with may not know you, your real-world identity is very much linked to your wallet. That’s not very private. Even if you self-host a wallet, it’s important to note that using the same address creates a web of activity and relationships. Think of it like a regular bank account: if I’m constantly getting gas at the same gas station once per week, you can safely assume that I live or work near that gas station. If I’m constantly sending Bitcoin to the same address – an address that belongs to the EFF, for example – you can safely assume that I’m interested in digital rights advocacy. That by itself won’t tell you much, but it is a piece of a puzzle, and combined with other pieces the picture begins to emerge. There are other steps you can take. I know some cryptocurrencies – I believe Bitcoin is one of them – allow you to create multiple wallet addresses with the intention of being able to break up this profile, but it requires a lot of work and it’s not included by default in most services like Coinbase. Furthermore, Bitcoin is a public ledger. There are tons of tools out there to enter in any Bitcoin wallet address and see how much money it has. That was always the point of Bitcoin: transparency, security, and decentralization, not privacy or anonymity.

So Why Don’t You Talk About Bitcoin on Your Site?

A lot of people who are interested in Bitcoin attempt to use it in a “day trader” type format: that is, they buy low and sell high without ever using Bitcoin to actually buy any goods or services. Does this work? Sure, for some people. But not for most people. Warren Buffett famously made his fortune by investing and playing the stock market, yet even he is not convinced that “active management” – aka trading your stocks manually the way that day traders do – is a better route. I don’t believe Bitcoin is a good investment tool. After its all-time high in 2017, it crashed all the way back down to the mid thousands (around $6,000 USD) for quite some time. Granted, that was still significantly higher than the below $1000 it was at before that climb, but look at the trend: $700, $20,000, $6,000, $40,000. Those are highly volatile numbers, and it’s hard to know when to buy in and cash out. Most average people – my target audience – don’t have the time or expertise to watch the market so closely and try to guess when to pull out. And as I said above, I don’t think anyone does. Who knows exactly when the bubble will burst, and if it will be a temporary setback or a long-term one? Financial advisers are historically awful at outperforming the market, so the odds of an average person who isn’t closely watching and studying the market 40 hours per week being able to do better are slim to none. It’s just gambling, and I would hate to tell my readers “you should use some Bitcoin to improve your privacy” when A) it won’t really improve their privacy (especially since most readers will use an existing exchange with “Know Your Customer” laws) and B) they might lose hundreds or even thousands of dollars as the market fluctuates. It just feels irresponsible of me to do that to people who are uneducated on the matter and expecting me to give them good advice.

Also, not to brush past this one, but while Bitcoin certainly is becoming more acceptable and mainstream, there are still many places where it is not accepted. I dream of the day I can pay for my groceries with Bitcoin. I doubt I would, but man it’d be cool.

So is Bitcoin Bad?

Absolutely not! For starters, I love the idea of a secure, decentralized, and transparent currency with almost no barriers to entry. An associate of mine once shared that they live in an economically disadvantaged part of the world where Bitcoin has been a godsend. A major problem with today’s increasingly digital world is that many in poverty don’t have access to bank accounts, which leaves them out of many online transactions and other financial opportunities. But most people manage to access a smartphone. According to Statista, over 3.5 billion people worldwide have a smartphone in 2020. That’s over half the global population. And that’s total population, so if we removed minors from that number the percentage of adults who own a smartphone is probably pretty high. And yet, according to Gallup, only 62% of adults have a bank account. So the rise in available wallets means a rise in access to digital funds for anyone with access to a smartphone, which is most people. A digital wallet is arguably more secure than cash under a mattress, so the rise of cryptocurrency allows for a narrowing of economic opportunities between rich and poor, especially when we’re talking about something globally-recognized like Bitcoin. No exchange rates or international taxes to change from one currency to another. Having said that, I suspect that most of my readers and target audience do not have this problem. Many or most of them probably have access to a bank account or cash, and many probably live in areas where Bitcoin is not universally accepted. Finding places to spend that Bitcoin may be hard. I like the idea of Bitcoin as a currency, not as a traded stock.

Conclusion

So what if you’re reading this and you’re like “okay, I recognize the risks and practicalities of Bitcoin but I’m still really interested and I want to learn more and get involved? Can you write about it?” No. I still want to keep my website aimed at beginners and introductory stuff, and I just don’t think that Bitcoin falls into that category. Furthermore, because I have chosen not to invest my time into studying cryptocurrency, I don’t think I’m really qualified to give any advice on it aside from “be careful.” But I am fortunate enough to have fallen in with a crowd who seem really knowledgeable and passionate about the subject. So if all the current talk about the latest astronomical rise of Bitcoin has you curious and interested, I highly encourage you to head over to Decentralize Today and see what they have to say about Bitcoin and other cryptocurrencies, or check out Opt Out Podcast, which is hosted by the highly knowledgeable Seth For Privacy and many of his first season interviews discuss a variety of cryptocurrencies and technologies and how to best get started using them. These sources are far more knowledgeable than I am and I think they can probably help you get started with understanding how it works, what the advantages and disadvantages are, and maybe offer some educated speculation on what the future might hold.

Is Bitcoin worth all the buzz? It depends. It certainly has its potential and its uses, but it’s not right for everyone, and while I personally don’t think it’s my place to get involved I didn’t want to just ignore this important and widely-discussed piece of the privacy puzzle. So I hope that this blog post has given my readers some information to make their own informed decisions with. Good luck, and move forward with caution! As always, there’s lots of bad people out there looking to make a quick buck off a buzzword. Make sure you’re armed with knowledge before you rush into anything.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

What a year this has been, in more ways than one. But I’m not here to talk about the obvious, global stuff. In what I hope to make an annual tradition, I’m here to look back at my calendar year and see how well I met my goals, and set new ones for the upcoming year. I will be making these judgments based on my blog post from January of this year.

Looking Back: What Worked

One of my stated goals was to host quarterly cryptoparties in my area. Well, obviously that didn’t 100% pan out thanks to the pandemic and lockdown rules. I did, however, move those cryptoparties online to become webinars. I originally set my aim for 3 of them in 2020 beginning in Q2. I mostly met this goal. I missed my Q3 webinar due to lack of preparedness on my end (I have no excuse, it snuck up on me). I did, however, do both Q2 and Q4 and I have my next scheduled for Q1 2021. So even though I didn’t 100% nail it, I’m willing to call this a success for getting back up and sticking with it.

I said that I hoped to attract more financial support (I will have a financial breakdown at the end), and I did. At the time of publication, I have 4 patrons on Liberapay and make $3.95 USD per week. So also a win. (Also that's a bad goal cause that's not really something I can control, but c'est la vie.)

While I didn’t state these goals, these were some additional successes I had: I started a weekly current events podcast that I have thus far managed to maintain regularly, I continued to post blogs weekly, and I was invited to be a regular contributor on Decentralize Today which I am attempting to write for weekly on privacy topics in 2021.

In digital growth, I went from just over 100 followers in January to over 650 at the time of this post! That’s over 500% growth in a year! Holy cow! But it’s not just that. The blog has 16 fediverse followers and 15 email subscribers with over 21,000 views! The podcast has a combined total of almost 50 listeners and over 2,000 listens across the available platforms. And most incredibly, the site itself has steadily grown with 923 unique visitors in January and just shy of 5,000 last month! That’s a total of over 28,000 unique visitors this year! (Don’t panic, I asked my hosting provider what analytics they collect and it’s only IP address, so that’s all the information I have access to and frankly more than I want). This year has been mindbogglingly incredible. I know this is something everyone says and it sounds cliché but seriously, thank you SO MUCH! This is incredible and I’m so grateful for all of you!

What Didn’t Work

As I said, I missed one webinar totally, and even the ones I did run had a few technical mishaps getting up and running. Such is life when you run multiple operating systems and only stream a few times a year. Even so, I hope to smooth out that process and get it right as I move forward.

I had mentioned I was hoping to add a second Tor relay. I did not do that. I am still hoping to rent an offsite server and host an exit node. Sadly that has not come to fruition yet, mainly because I’m waiting for a server to open up in New York – I think we need more US-based servers (you can take or leave that opinion, that’s okay) and I think New York makes the most sense since it has the highest population in the US and therefore traffic coming from there would blend more easily, I hope. Either way, the provider has said they’re fine with me running an exit node so at least I don’t have to worry about that.

I also mentioned possibly adding to the list of federated services like Mastodon, Peertube, or more. Sadly I was also unable to do that. They are still very much goals of mine.

Financial Transparency

This year, I made $119.96 USD through Liberapay. I did not receive any other compensation related to this project.

I incur the following costs directly related to this project:

Web hosting: $52.82/year

Write.As Pro: $45/year

All leftover income ($22.14) went towards covering my own personal, peripheral expenses such as internet, housing, food, time, and I pay for ProtonMail Plus which is connected to my TheNewOil@protonmail.com email address. In the future, if my income continues to grow, I will be more transparent with these costs but I trust at this time that you all are convinced that $22 did not cover any one of these expenses completely. (Fun side note: it wasn’t until I typed this out that I realized that technically this project is now solvent. I guess that means it’s time to expand.)

Goals for 2021

My goals for 2021 are basically the same as they were last year: continue to grow. Thanks to feedback from my wonderful readers like you, I have made dramatic improvements to the site both in content and design. I am also hoping to launch a new podcast series in late Q1 or Q2 in addition to my weekly segment. I am hoping to launch a series of video tutorials and in-depth blog posts to add more depth to my site. I am going to begin consulting services in 2021. I am also continuing to attempt to reach out into the real world and speak at conferences, organizations, and pretty much anyone who’s interested in hearing my message.

I am also working on ways to ethically monetize this project. I am currently seeking affiliation status with some of the services I offer, but I will continue to offer non-affiliate links for those who are uncomfortable using affiliate links. I’ve also been asked about possibly translating the site into other languages. This is something I would love to do. I think far too many privacy sites are western-focused, specifically in America. I need to check with my hosting provider about the best way to do this, but if you speak another language and are familiar with the various privacy practices that are legal there and the cultural norms, I would be very interested in having your help with this. And, as mentioned in last year’s report, I am still involved with my local EFF chapter. I hope to get us organized toward a facial recognition ban in my area, but I’ll help with whatever they need from me.

This past year has been incredible and humbling. The support I have experienced from all of you is just mind-boggling and I cannot express enough how sincerely, from-the-bottom-of-my-heart grateful I am to all of you. This growth would not have happened without all of you: without you sharing my site, sharing my blog posts, sharing my podcast, and of course contributing to my Liberapay. I am so eternally thankful. I don’t fully know what all the future holds, but I promise you that I am not planning to abandon this project any time soon, so I look forward to a successful 2021 filled with more growth, more security, more privacy, and more changing the world one person at a time. Thanks for being part of this with me. Cheers!


Often times we look at success stories and go “this is what this person did right and why they succeeded.” This is great, and there’s a lot to be learned from that. However, I do believe there’s also a lot of benefit in examining failure and learning what went wrong. I’m a firm believer that a failure is only a failure if you fail to learn a lesson from it, even if that lesson is “don’t invade Russia in the winter.” So this week, let’s look at some of the top ways that you can fail in securing your own data and how to avoid them. As usual, this list is in no particular order.

Accepting the Default Settings

One of the easiest things you can do to take control of your own security and data is to browse the settings on your accounts. When was the last time you checked any of your app or account settings? Personally that’s usually the first place I go. In addition to doing things like enabling two-factor and dark mode, the settings are where you can often find really basic privacy settings like “make my profile private” or “don’t share my data with advertisers.” These settings alone will not make you as private as you can be, but they help a lot and they’re easy to change. Start small and stop the most obvious data streams you can find.

Never Making Requests

Most privacy and security products only work if both parties are using them. For example, end-to-end encrypted services like Signal or ProtonMail are only truly end-to-end encrypted if both parties are using Signal or ProtonMail (or another PGP-based email account). So if you never ask the people around you to switch to the same service as you, you’re not really getting the full benefit. There are definitely still benefits, but it never hurts to ask the people around you to respect your values and consider switching. Oftentimes – especially for people with social anxiety or low self-esteem – it can be hard to ask other people for favors because you think you’ll be inconveniencing them, but just asking is not a big deal. So don’t be afraid to make your privacy preferences known by asking people to respect them. “Hey, would you mind using Signal to text me from now on?” “Hey, can we try using Jitsi for the weekly staff meeting instead of Zoom?” “Would you mind unplugging Alexa when I come over to visit?” The worst you’ll get is a polite “no.” Often you’ll get a “what’s that/why?” and then you can explain what the service you’re suggesting is and why it would benefit the person you’re making the request of. More often than not, you’ll be surprised by the amount of “yes”es you receive. There is definitely a fine line between making a request and bugging someone. If you ask to use Jitsi instead of Zoom every week, your boss may get tired of hearing it. But bringing it up once or twice will rarely offend anyone, and if you don’t ask the answer will always be no.

Not Doing Your Research

My partner is a big consumer of media. Hulu, Netflix, CrunchyRoll, YouTube, she loves it all. I’m more discerning with my content, but out of love for her I agreed to acquiesce and get a smart TV when we began living together. We made a few compromises: no microphones, no cameras, and I get to pick the TV. Ultimately, after a lot of research, I settled on a Roku TCL. There’s a specific reason I chose this TV. First off, Samsung TVs were right out due to having known NSA backdoors. I don’t think I’m a target of the NSA, but there’s no such thing as a backdoor that only good guys have the keys for. If the weakness exists, bad guys can exploit it, too. Second, I wanted a TV that had a solid history of receiving manufacturer updates to the software. Of course, I also took responsibility for setting up the device, which meant putting it on a VLAN, creating an account using a masked email and strong password, never putting in any payment details, and disabling all the data-sharing options I could. This isn’t an ad for Roku, this is an explanation of my research process. Imagine if I hadn’t done my research and instead just looked for the best deal at my local store: I could’ve walked out with a TV that never gets updated. This isn’t just a security risk. Our TV has had its fair share of bugs: freezes, crashes, twice we’ve even had the mute get stuck on. But our experience is improving as time goes on and Roku keeps pushing out new updates. Very few other TVs get updates, so we’d still be living with those bugs if we had gotten a different TV. We also never have to look at our TV and go “man, I really hope nobody is on the other side of the camera taking snapshots of us in our underwear.” Finally, as I mentioned above, I took the time to disable many of the more invasive “features,” which means I also have less concern about the data being recorded. 
(For the record, I do still have some concern, but I sleep a little better knowing we’re spewing out less data than the default).

Now of course, this was a multi-hundred dollar investment. I expect that the research will be proportional to the cost and sensitivity of the tool. I spent less time investigating my XMPP server because I don’t really use it very much. I spent much more time investigating ProtonMail and Tutanota because I do use email a lot, and sometimes for very sensitive purposes like banking and medical. You don’t have to spend forever deep diving into every single tool out there: figure out what you want from it, determine how much trust you’re placing in it, then do the appropriate amount of research.

Not Making Time to Implement

My dad imparted one phenomenal piece of advice that has stuck with me for decades: “If something is important to you, you’ll make time for it. If it’s not, you won’t.” To my dad, there was no such thing as “I don’t have the time,” but rather “I don’t want to make the time.” And that’s totally fair if you don’t want to make the time for something. But if there’s something you actually really want to do and you don’t make time for it, then you’re just doing yourself a disservice. If you want to make your life more private and secure and you don’t make time to actually do this stuff, then you’re only cheating yourself. I totally understand that some of this stuff takes work. Signal can be downloaded and set up during a Hulu commercial break, so there’s really no excuse for that one. But signing up for a password manager or moving email accounts, that can take some work and that may not be something you want to do after a hard day of work. I totally respect that. But if you don’t put it on your calendar and say “okay, this weekend I’m gonna migrate to Tutanota/ProtonMail/whatever,” you’re failing yourself. Make time to make the changes you want to make. Don’t keep telling yourself “tomorrow.” Put it on the calendar and let your roommates know you’re busy that afternoon.

Failure is only failure if you don’t learn from it. Maybe you’ve been guilty of some of these things in your own life so far. Maybe you haven’t made time to implement, or you’ve only been using tools others recommend instead of researching it for yourself. But now you’re aware and you can use that awareness to break the cycle. Remember to always seek room for improvement, both in your own personal growth and in your security.


Hopefully the end is in sight for the COVID-19 pandemic. In my state, the vaccines arrived on Monday. I know it’s still going to be a months-long process, and I’m not even going to comment on how politics has shaped the issue. The point being, while the end may be near, it definitely won’t be here before Christmas and New Year’s. As such, many people will be spending this year alone, isolated away from family members who are elderly, immuno-compromised, or otherwise at risk just to play it safe. But that’s no excuse not to literally see your family. So this year, I explore some of the best privacy-respecting options for video chat that can help you and your family stay a little better connected this year, even from a distance. This list is presented in alphabetical order, not any sort of order of superiority.

Jitsi

Jitsi gained almost overnight popularity in the privacy community around the start of the pandemic as an open-source, privacy-respecting alternative to Zoom. Jitsi offers lobbies and password-protected rooms, as well as end-to-end encryption. You can self-host your own instance or use the default instance (or you can use any other publicly-available instance – shoutout to The Calyx Institute – but the default public instance is fine for most people). My favorite feature of Jitsi is that it offers the ability to share your screen with audio AND your camera and audio at the same time. So Jitsi offers a great way to stream a movie with family while still being able to communicate. Oh and the best part? No app or account needed. You can use it straight from your browser. I'm gonna be honest: for 90% of people, Jitsi is going to be your best, easiest, and most feature-rich option. However, other options do exist.

Honorable Mention: Brave Together

I’m still very much on the fence when it comes to Brave. On the one hand, the company is a for-profit that has done some things in the past that I personally find very intentionally malicious and unethical. On the other hand, they are really on the bleeding edge of privacy and security features for a browser, and they’re basically a “set it and forget it” tool. In recent weeks, I’ve come to compromise on this by saying “Brave is best for non-tech people who care about their privacy but REALLY don’t trust themselves with even the basics.” As such, it’s worth mentioning that Brave comes prepackaged with Jitsi built into the browser, able to host or join a Jitsi meeting with just a few short keystrokes. Personally I don’t think this counts as a reason to use Brave, given that Jitsi doesn’t require any sort of app or account to begin with, but if you already have a loved one using Brave, this might be an easy way to get them to the video call.

MySudo (iOS Only)

MySudo is one of those apps I personally can’t live without. It’s not open source, which is a huge bummer, but it allows you to create up to 9 phone numbers (with email addresses) that are capable of supporting both phone calls and text messages. This app is essential to me in my personal life, allowing me to compartmentalize banking, work, personal, online selling, etc. These features cost money, but fortunately there are other features that don’t cost money: contacting other users. If you’re an iOS user, MySudo is now allowing group video calling of up to 5 users. I expect the feature will roll out to Android in the future. Anonyome seems to focus on iOS then Android. Even if your entire family isn’t using iPhone, MySudo still offers unlimited, free, end-to-end encrypted calls and texts between MySudo users. It’s worth checking into.

Signal

Signal, one of the gold standards of secure communication in the privacy and security community, offers some of the best encryption the world has to offer. The app is regularly used by politicians and law enforcement in the US and by the entire EU Commission, and the encryption itself has been integrated into WhatsApp, Facebook Secret Messages, Skype Private Conversations, and Google’s new Android competitor to iMessage, as well as numerous other high-profile messengers. This year, Signal finally rolled out the ability to use video on desktop and just this month rolled out the ability to have group calls of up to five people. The downside to Signal is that it currently does require your phone number, but since the context of this blog post is talking to family members, I suspect that probably won’t be a huge problem for most of my readers.

Honorable Mention: Apple's FaceTime

Let's be 100% honest: Apple is not a privacy-friendly company. They claim they are, and they are definitely a step above Android. Apple has repeatedly fought back on creating encryption backdoors for the FBI, and many cybersecurity experts claim that Apple is more private because they sell hardware at a premium rather than selling your data. Having said that, Apple has repeatedly been caught in numerous privacy scandals, and they still record far more data than necessary. Point blank: I think literally any other suggestion in this blog post would be better than using an Apple app. Having said that, Apple's FaceTime communications are end-to-end encrypted. If you have a wide level of Apple usage in your family, I would recommend using FaceTime over Zoom, Skype, Facebook, Portal, or any of the other mainstream video chat apps out there. Once again, I still think you'll get better protection by using Jitsi or Signal, but if your family refuses to use those and does have Apple products, I think FaceTime is the lesser evil. (Although, personal opinion, if your family refuses to use Jitsi they're really not even trying and you should reconsider your relationship with them. But this is a data privacy site, not a family relationship site, so enough on that.)

Hopefully this post helps you find a way to keep in touch with your loved ones this year as the world continues to grapple with the pandemic. Hopefully next year things won't be so dire and we can all move back to in-person meetings. Until then, stay safe and stay connected – why not at the same time?


Security researchers at Check Point have warned that phishing attacks related to online shopping and shipping of goods have risen 440% in November, indicating a huge rise as people are shopping for the holidays – even more so online with the global pandemic this year. As such, this seems like a great time for all of us to take a moment to remember the basics of phishing and how to protect ourselves.

What is Phishing?

Phishing is a technique almost as old as the internet itself. Phishing is when a malicious actor attempts to get someone to click on a link for malicious reasons. A few common examples you may have seen include “there’s a problem with your PayPal account, login here to resolve it” and then it takes you to a login page that looks real but actually forwards your login credentials to the attacker, or an email that says “here’s those files you wanted” and then includes what appears to be a Word document but it’s actually a virus. Typically, the goal of phishing is to get access to a person’s account, but sometimes the goal can be to plant ransomware, make a botnet, or pretty much any nefarious purpose. Don't underestimate phishing: it may seem silly and hard to fall for, but it's been one of the top methods of “hacking” since forever. I forget where I read this so I won't quote it as fact, but I do remember reading once that a former NSA officer admitted that it was the NSA's primary method of gaining access to a targeted account, even over all the other fancy hacks and resources available to the agency.

So What are the Defenses?

The main defenses against phishing come down to three major principles:

1. Vet your emails. If you get an email from FedEx about a problem with your package, first off did you order a package? Second, did it get shipped FedEx? As a more year-round example, if you get an email from a coworker with an attachment, were you actually expecting that attachment? Don’t be afraid to ask questions. If you weren’t expecting that email, call them and ask to make sure it was them.

2. Don’t click the link. Instead, go directly to the website and log in. For example, if you get an email from Amazon saying there’s a problem, go directly to Amazon and log in there. If the email was legit and there really was a problem, you’ll be alerted to it as soon as you log in. If you click the link, it might take you to a page that looks exactly the same but isn’t and scammers have gotten real good at faking it. Don’t trust yourself to catch it. These guys get rich off scamming people smarter than both you and me. Don’t risk it. If it’s an attachment, I think most of the time it’s probably safe to open (assuming you verified you were expecting it), but if you’re fairly tech savvy it could be a good idea to set up a virtual machine that you use strictly for opening email attachments to ensure that they’re safe.

3. Keep your antivirus updated. New malware is being built and discovered constantly, and no matter what antivirus service you use, they are doing their best to keep their definitions updated. By keeping your antivirus software up to date, you ensure that it has the most recent definitions and the best chance of spotting a virus before it even gets in.
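The following added example, which is not part of the original post, shows why the text of a link tells you nothing about where it goes: it pulls every link out of an HTML email and flags the kinds of mismatch described in steps 1 and 2. The `KNOWN_SITES` list, the flag names, and the sample email are assumptions constructed for illustration.

```python
"""Added example: vet the links in an HTML email before trusting any of them.
All sample data is constructed; .example domains and 192.0.2.x are reserved."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: sites the reader really has accounts with.
KNOWN_SITES = ("amazon.com", "fedex.com", "paypal.com")

WHY = {
    "not-https": "link is not HTTPS",
    "ip-address": "link goes to a bare IP address instead of a named site",
    "punycode": "hostname is punycode, which can hide lookalike characters",
    "text-mismatch": "visible text names one site, the link goes to another",
    "brand-elsewhere": "a known brand name sits inside an unrelated domain",
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def within(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def shown_domain(text):
    """Return the domain the visible link text appears to name, or ''."""
    match = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text, re.I)
    if not match:
        return ""
    domain = match.group(0).lower()
    return domain[4:] if domain.startswith("www.") else domain


def check_link(href, text):
    """Return the WHY codes that apply to one link (empty list = none found)."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return []  # mailto:, tel:, relative links: out of scope here
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")
    shown = shown_domain(text)
    if shown and not within(host, shown):
        flags.append("text-mismatch")
    # "paypal.com.account-verify.example" contains the brand but is not PayPal.
    if any(s.split(".")[0] in host and not within(host, s) for s in KNOWN_SITES):
        flags.append("brand-elsewhere")
    return flags


def vet_email(html):
    """Return [(href, visible text, flags)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample message: one plausible link and three suspicious ones.
SAMPLE_EMAIL = """
<p>There is a problem with your order.</p>
<a href="https://www.amazon.com/your-orders">Your Orders</a>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
<a href="http://192.0.2.10/fedex/track">Track your package</a>
<a href="https://secure-login.example/amazon">amazon.com/account</a>
"""

if __name__ == "__main__":
    for href, text, flags in vet_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {urlsplit(href).hostname}")
        for code in flags or ["(nothing flagged)"]:
            print("   ", WHY.get(code, code))
```

An empty flag list only means none of these five checks fired, so going directly to the website and logging in there remains the safer habit.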

Advanced Defense

As with almost anything in privacy, there’s also a higher level of work you can do. For starters, using Linux greatly reduces the number of threats aimed at you. This is not a silver bullet. Malware targeting Linux does exist. However, since Windows has over 75% of the market share (and is most commonly used by governments, educators, and other industries), most attackers focus their attention there. This means that just by using Linux, you avoid a great deal of malware that simply isn’t compatible.

Another advanced technique would be to use Virtual Machines. You can create a Fedora virtual machine for free in minutes and it will not only provide you with the excellent security of the Fedora Linux distribution, but also the additional advanced security of having a virtual machine. Think of a virtual machine as a computer within a computer, totally isolated from the device that it’s actually running in. While breaking outside of a virtual machine is not impossible for malware, it is incredibly difficult. You can create a virtual machine that you use exclusively for opening suspicious emails and attachments and further enhance your security.

Of course, whether you stick to the basics or try some advanced techniques, you should be using strong passwords and two-factor authentication on all your accounts. That way, even with the virtual machine strategy, your email account is unlikely to be compromised or taken over by malware. Remember to be on guard this holiday season, and I hope all your packages arrive on time and unbroken.


On this website, and on many other privacy and security websites, you will find people espousing the gospel of open source technology. This is an important thing. This year, Switzerland suffered two separate scandals where the US Central Intelligence Agency was found to be operating shell corporations within the country who sold tech equipment to foreign governments and armies that were equipped with encryption backdoors, giving the American intelligence community easy, front-row access to the sensitive communications of other nations. Open source could’ve prevented this. Open source software would’ve allowed anyone to look at the programming and operating system on the device and say “hey, something’s not right here.” However, I think that sometimes the privacy community oversells open source.

I often see privacy newbies espousing open source without knowing why. I see people say things like “I heard [X Service] is bad because it’s not open source,” but they don’t actually know why that is. The answer is that open source – as a general rule – tends to respect your privacy more than the average person. Because the code is open, anyone can examine it to ensure that it does what it says. Additionally, because anyone can examine it, people are more likely to find bugs and offer fixes that can be quickly implemented. However, the operative word in there was “can.”

A recent study from GitHub found that on average, vulnerabilities exist in open source software for over four years before being patched. Now it’s important to understand the context of this study: GitHub examined 56 million developers and over 60 million repositories. Out of those 60 million repositories I'm certain that many of them are just hobbies, uploaded by the creator as a backup, abandoned, or even as a “I made this for myself but if anyone else wants it, here it is” thing. Those all probably came with “buyer beware” terms. But even that can only account for maybe a few tens of thousands, at the most. Most of these repositories were probably uploaded with the intention of being shared and spread around.

Here is where we run into an interesting issue. I believe in supporting the little guy. Everyone was once a little guy. Walmart, Starbucks, Microsoft, everyone. And you can believe that those big guys have since lost their way, and maybe that’s true, but the point is that they were once little guys. Even in the open source communities, the rockstars – Ubuntu, Bitwarden, Signal – they were all once nobodies. The little guys need our support to become sustainable and successful. I firmly believe and respect that. But the little guys come with risks that need to be recognized. Security researchers are people, too. They have day jobs (usually, some of them are lucky enough to be full time researchers), they have personal lives, and they only have so much time they can devote to examining code. The smaller the developer, the less popular the code, and that means the fewer eyes on it examining it for weaknesses. In a big, well-known project like Signal or Mastodon, there are thousands or even millions of people using it and laying eyes on it – not to mention many of them can afford to pay for proper security audits. But in smaller, less popular projects, not so much.

So no, open source doesn’t automatically mean privacy respecting or secure. Most malware is, by definition, open source. Once a piece of malware gets discovered, there are websites where researchers can share it so that other researchers can examine it, pick it apart, update their own virus definitions, and otherwise study it. Malware is literally “malicious software.” It’s a perfect example of how open source does not automatically mean private, secure, or safe. So does it still matter? Yes! All things being equal, open source is always better. The potential still exists for the code to be reviewed by someone who understands this stuff and to be improved upon. The potential also exists for someone else to come along and go “hey, this is a great project but this particular thing could be better, here’s my fork of it.” This is why there’s a billion web browsers out there, because someone saw something open source like Firefox and Chromium and said “could be better.”

Is it actually better? That’s a tough question. That’s where threat modeling comes in. But it’s important that you be educated when building your threat model. Open source is better, unarguably, but it doesn’t mean you should blindly trust it any more than the use of the word “encrypted.” It’s how the encryption is implemented that matters, and it’s how the open source nature of the software is used to better the software that determines if it can be trusted. You still need to consider what information you’re planning to entrust to that software, what could go wrong, as well as a host of other considerations like update frequency, reputation, and more. As a fellow little guy, I’m not saying don’t trust the little guys. But I am saying to exercise caution.


It’s the gift-giving season, and so this week I think I’ll stay on topic. Now of course, your mileage may vary. Not everyone will appreciate these or have the tech savvy to use them. It’s up to you to know what gifts are right for what person and what would actually make a good gift. But below are some items that I personally have dealt with or have my eye on that might also make good gifts for yourself, your home, or a tech-loving loved one around you. These gifts are not listed in any specific order.

iPhone SE: $400

I’m gonna piss off a lot of privacy people right off the bat with this one, so let me remind my readers that this site is aimed at normal, non-tech-savvy people. If you can convince your friend or family member to use CalyxOS or a Pinephone – or you yourself are willing to do so – please do. But chances are that if you’re reading this, you’re either not comfortable flashing a phone yourself or you have family members who wouldn’t be comfortable using a flashed phone. When it comes to stock operating systems, I personally preach iOS over Android every single time simply because iOS has better security. They’re both pretty abysmal for privacy, so iOS has the edge in the security department. As such, if someone you know is in the market for a new mobile device, the iPhone SE series is my recommendation. It’s inexpensive (for a smartphone), and unless your loved one is a heavy app user it’ll do the job perfectly.

Silent Pocket Products: $10-$400

Silent Pocket sells a wide variety of items that help keep your devices off the grid to various degrees. This could include wallets that resist RFID tracking and wireless credit card chip skimming all the way up to full-on Faraday bags for laptops that block ALL wireless signals. If you’re reading this, you probably don’t see the need for a Faraday bag and personally I think that’s outside my own threat level, too, but like I said they have a lot of other really amazing products like phone cases, wallets, passport card holders, backpacks, and a multitool that has spots for your keys. If you or someone you know is really into gifts that have a practical use, definitely check this site out.

A Better Router: $150-$515

The internet in our homes is something we typically don’t think about until it goes out. But it’s also one of the most critical things we have these days. Most people don’t think about their router or the settings, but you can do your family a huge favor by getting them a new router and securing it for them. They’ll probably never even notice, but you’ll rest easier knowing they’ve gained a new level of privacy and security. The routers I’ve linked here come pre-loaded with DD-WRT, an open-source firmware that allows you to do all kinds of powerful things like load a VPN or a firewall or VLANs onto the router itself, meaning that any device that connects to it will automatically be protected. This is probably the most technical suggestion on this list, but if you can figure out your own router settings you can definitely figure out these ones, too. All the hard work has already been done for you.

A Pinebook Pro: $200

Pine64 is a nonprofit that aims to make ethical, open source Linux machines accessible and affordable to the masses. To that end, they have released the Pinebook Pro, a $200 laptop that ships with Debian, which is an operating system I recommend anyways. Just like the routers above, this is a device that you don’t have to worry about installing or setting up yourself. Debian is incredibly user friendly and there’s a ton of support online if you have any questions about it. However, it should be noted that the specs on this computer are slightly below average (in my opinion). If you or your intended gift recipient only uses your laptop for browsing the net, checking your email, and streaming Netflix this is more than enough. But if you use it for any kind of photo editing, video editing, gaming, or highly specific and specialized software that can only run on a Mac or Windows, this may not be the best gift idea.

Books

If you or someone you know is a big reader, there’s a wide range of privacy and security related books, ranging from philosophical to “how-to” to fiction. In the nonfiction category, we have “Click Here to Kill Everybody” by Bruce Schneier and “The Age of Surveillance Capitalism” by Shoshana Zuboff. In the How-To books, try “Extreme Privacy” by Michael Bazzell or “The Personal Digital Resilience Handbook” by David Wild. And for fiction, popular recommendations in the privacy community include Cory Doctorow’s “Little Brother” series and “The Circle” by Dave Eggers.

Like I said, not all of these are great ideas. It’s up to you to know the people in your life. But even if you know people who aren’t crazy about privacy, some of these ideas might still work. You could buy your sister a phone case or a wallet from Silent Pocket. You could get your brother “Little Brother” from Cory Doctorow. You could get your mom a Pinebook or an iPhone. Granted, the Pinebook may require some getting used to, so first make sure they’re willing to learn a new operating system, but it’s not hard to get used to once you get over that initial learning curve. Hopefully this list has at least given you a few ideas. Good luck on your gift shopping, and remember to shop smart.
