The New Oil

How to Fail at Privacy & Security

December 26, 2020

Often times we look at success stories and go “this is what this person did right and why they succeeded.” This is great, and there’s a lot to be learned from that. However, I do believe there’s also a lot of benefit in examining failure and learning what went wrong. I’m a firm believer that a failure is only a failure if you fail to learn a lesson from it, even if that lesson is “don’t invade Russia in the winter.” So this week, let’s look at some of the top ways that you can fail in securing your own data and how to avoid them. As usual, this list is in no particular order.

Accepting the Default Settings

One of the easiest things you can do to take control of your own security and data is to browse the settings on your accounts. When was the last time you checked any of your app or account settings? Personally that’s usually the first place I go. In addition to doing things like enabling two-factor and dark mode, the settings are where you can often find really basic privacy settings like “make my profile private” or “don’t share my data with advertisers.” These settings alone will not make you as private as you can be, but they help a lot and they’re easy to change. Start small and stop the most obvious data streams you can find.

Never Making Requests

Most privacy and security products only work if both parties are using it. For example, end-to-end encrypted services like Signal or ProtonMail are only truly end-to-end encrypted if both parties are using Signal or ProtonMail (or another PGP-based email account). So if you never ask the people around you to switch to the same service as you, you’re not really getting the full benefit. There’s definitely still benefits, but it never hurts to ask the people around you to respect your values and consider switching. Often times – especially for people with social anxiety or low self esteem – it can be hard to ask other people for favors because you think you’ll be inconveniencing them, but just asking is not a big deal. So don’t be afraid to make your privacy preferences known by asking people to respect it. “Hey, would you mind using Signal to text me from now on?” “Hey, can we try using Jitsi for the weekly staff meeting instead of Zoom?” “Would you mind unplugging Alexa when I come over to visit?” The worst you’ll get is a polite “no.” Often you’ll get a “what’s that/why?” and then you can explain what the service you’re suggesting is and why it would benefit the person you’re making the request of. More often than not, you’ll be surprised by the amount of “yes”es you receive. There is definitely a fine line between making a request and bugging someone. If you ask to use Jitsi instead of Zoom every week, your boss may get tired of hearing it. But bringing it up once or twice will rarely offend anyone, and if you don’t ask the answer will always be no.

Not Doing Your Research

My partner is a big consumer of media. Hulu, Netflix, CrunchyRoll, YouTube, she loves it all. I’m more discerning with my content, but out of love for her I agreed to acquiesce and get a smart TV when we began living together. We made a few compromises: no microphones, no cameras, and I get to pick the TV. Ultimately, after a lot of research, I settled on a Roku TCL. There’s a specific reason I chose this TV. First off, Samsung TVs were right out due to having known NSA backdoors. I don’t think I’m a target of the NSA, but there’s no such thing as a backdoor that only good guys have the keys for. If the weakness exists, bad guys can exploit it, too. Second, I wanted a TV that had a solid history of receiving manufacturer updates to the software. Of course, I also took responsibility for setting up the device, which meant putting it on a VLAN, creating an account using a masked email and strong password, never putting in any payment details, and disabling all the data-sharing options I could. This isn’t an ad for Roku, this is an explanation of my research process. Imagine if I hadn’t done my research and instead just looked for the best deal at my local store: I could’ve walked out with a TV that never gets updated. This isn’t just a security risk. Our TV has had its fair share of bugs: freezes, crashes, twice we’ve even had the mute get stuck on. But our experience is improving as time goes on and Roku keeps pushing out new updates. Very few other TVs get updates, so we’d still be living with those bugs if we had gotten a different TV. We also never have to look at our TV and go “man, I really hope nobody is on the other side of the camera taking snapshots of us in our underwear.” Finally, as I mentioned above, I took the time to disable many of the more invasive “features,” which means I also have less concern about the data being recorded. (For the record, I do still have some concern, but I sleep a little better knowing we’re spewing out less data than the default).

Now of course, this was a multi-hundred dollar investment. I expect that the research will be proportional to the cost and sensitivity of the tool. I spent less time investigating my XMPP server because I don’t really use it very much. I spent much more time investigating ProtonMail and Tutanota because I do use email a lot, and sometimes for very sensitive purposes like banking and medical. You don’t have to spend forever deep diving into every single tool out there: figure out what you want from it, determine how much trust you’re placing in it, then do the appropriate amount of research.

Not Making Time to Implement

My dad imparted one phenomenal piece of advice that has stuck with me for decades: “If something is important to you, you’ll make time for it. If it’s not, you won’t.” To my dad, there was no such thing as “I don’t have the time,” but rather “I don’t want to make the time.” And that’s totally fair if you don’t want to make the time for something. But if there’s something you actually really want to do and you don’t make time for it, then you’re just doing yourself a disservice. If you want to make your life more private and secure and you don’t make time to actually do this stuff, then you’re only cheating yourself. I totally understand that some of this stuff takes work. Signal can be downloaded and set up during a Hulu commercial break, so there’s really no excuse for that one. But signing up for a password manager or moving email accounts, that can take some work and that may not be something you want to do after a hard day of work. I totally respect that. But if you don’t put it on your calendar and say “okay, this weekend I’m gonna migrate to Tutanota/ProtonMail/whatever,” you’re failing yourself. Make time to make the changes you want to make. Don’t keep telling yourself “tomorrow.” Put it on the calendar and let your roommates know you’re busy that afternoon.

Failure is only failure if you don’t learn from it. Maybe you’ve been guilty of some of these things in your own life so far. Maybe you haven’t made time to implement, or you’ve only been using tools others recommend instead of researching it for yourself. But now you’re aware and you can use that awareness to break the cycle. Remember to always seek room for improvement, both in your own personal growth and in your security.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Privacy-Respecting Video Chat Apps for the Holidays

December 19, 2020

Hopefully the end is in sight for the COVID-19 pandemic. In my state, the vaccines arrived on Monday. I know it’s still going to be a months-long process, and I’m not even going to comment on how politics has shaped the issue. The point being, while the end may be near, it definitely won’t be here before Christmas and New Years. As such, many people will be spending this year alone, isolated away from family members who are elderly, immuno-compromised, or otherwise at risk just to play it safe. But that’s no excuse not to literally see your family. So this year, I explore some of the best privacy-respecting options for video chat that can help you and your family stay a little better connected this year, even from a distance. This listed is presented in alphabetical order, not any sort of order of superiority.

Jitsi

Jitsi gained almost overnight popularity in the privacy community around the start of the pandemic as an open-source, privacy-respecting alternative to Zoom. Jitsi offers lobbies and password-protected rooms, as well as end-to-end encryption. You can self-host your own instance or use the default instance (or you can use any other publicly-available instance – shoutout to The Calyx Institute – but the default public instance is fine for most people). My favorite feature of Jitsi is that it offers the ability to share your screen with audio AND your camera and audio at the same time. So Jitsi offers a great way to stream a movie with family while still being able to communicate. Oh and the best part? No app or account needed. You can use it straight from your browser. I'm gonna be honest: for 90% of people, Jitsi is going to be your best, easiest, and most feature-rich option. However, other options do exist.

Honorable Mention: Brave Together

I’m still very much on the fence when it comes to Brave. On the one hand, the company is a for-profit that has done some things in the past that I personally find very intentionally malicious and unethical. On the other hand, they are really on the bleeding edge of privacy and security features for a browser, and they’re basically a “set it and forget it” tool. In recent weeks, I’ve come to compromise on this by saying “Brave is best for non-tech people who care about their privacy but REALLY don’t trust themselves with even the basics.” As such, it’s worth mentioning that Brave comes prepackaged with Jitsi built into the browser, able to host or join a Jitsi meeting with just a few short keystrokes. Personally I don’t think this counts as a reason to use Brave, given that Jitsi doesn’t require any sort of app or account to begin with, but if you already have a loved one using Brave, this might be an easy way to get them to the video call.

MySudo (iOS Only)

MySudo is one of those apps I personally can’t live without. It’s not open source, which is a huge bummer, but it allows you to create up to 9 phone numbers (with email addresses) that are capable of supporting both phone calls and text messages. This app is essential to me in my personal life, allowing me to compartmentalize banking, work, personal, online selling, etc. These features cost money, but fortunately there are other features that don’t cost money: contacting other users. If you’re an iOS user, MySudo is now allowing group video calling of up to 5 users. I expect the feature will roll out to Android in the future. Anonyome seems to focus on iOS then Android. Even if your entire family isn’t using iPhone, MySudo still offers unlimited, free, end-to-end encrypted calls and texts between MySudo users. It’s worth checking into.

Signal

Signal, one of the golden standards of secure communication in the privacy and security community, offers some of the best encryption the world has to offer. The app is regularly used by politicians and law enforcement in the US, the entire EU Commission, and the encryption itself has been integrated into WhatsApp, Facebook Secret Messages, Skype Private Conversations, and Google’s new Android competitor to iMessage, as well as numerous other high-profile messengers. This year, Signal finally rolled out the ability to use video on desktop and just this month rolled out the ability to have group calls of up to five people. The downside to Signal is that it currently does require your phone number, but since the context of this blog post is talking to family members, I suspect that probably won’t be a huge problem for most of my readers.

Honorable Mention: Apple's Facetime

Let's be 100% honest: Apple is not a privacy-friendly company. They claim they are, and they are definitely a step above Android. Apple has repeatedly fought back on creating encryption backdoors for the FBI, and many cybersecurity experts claim that Apple is more private because they sell hardware at a premium rather than selling your data. Having said that, Apple has repeatedly been caught in numerous privacy scandals, and they still record far more data than necessary. Point blank: I think literally any other suggestion in this blog post would be better than using an Apple app. Having said that, Apple's Facetime communications are end-to-end encrypted. If you have a wide level of Apple usage in your family, I would recommend using Facetime over Zoom, Skype, Facebook, Portal, or any of the other mainstream video chat apps out there. Once again, I still think you'll get better protection by using Jitsi or Signal, but if your family refuses to use those and does have Apple products, I think Facetime is the lesser evil. (Although, personal opinion, if your family refuses to use Jitsi they're really not even trying and you should reconsider your relationship with them. But this is a data privacy site, not a family relationship site, so enough on that.)

Hopefully this post helps you find a way to keep in touch with your loved ones this year as the world continues to grapple with the pandemic. Hopefully next year things won't be so dire and we can all move back to in-person meetings. Until then, stay safe and stay connected – why not at the same time?

“There’s A Problem With Your Package From Amazon”

December 12, 2020

Security researchers at Check Point have warned that phishing attacks related to online shopping and shipping of goods has risen 440% in November, indicating a huge rise as people are shopping for the holidays – even moreso online with the global pandemic this year. As such, this seems like a great time for all of us take a moment to remember the basics of phishing and how to protect ourselves.

What is Phishing?

Phishing is a technique almost as old as the internet itself. Phishing is when a malicious actor attempts to get someone to click on a link for malicious reasons. A few common examples you may have seen may include “there’s a problem with your PayPal account, login here to resolve it” and then it takes you a login page that looks real but actually forwards your login credentials to the attacker, or an email that says “here’s those files you wanted” and then includes what appears to be a Word document but it’s actually a virus. Typically, the goal of phishing is to get access to a person’s account, but sometimes the goal can be to plant ransomware, make a botnet, or pretty much any nefarious purpose. Don't underestimate phishing: it may seem silly and hard to fall for, but it's been one of the top methods of “hacking” since forever. I forget where I read this so I won't quote it as fact, but I do remember reading once that a former NSA officer admitted that it was the NSA's primary method of gaining access to a targeted account, even over all the other fancy hacks and resources available to the agency.

So What are the Defenses?

The main defenses against phishing come down to three major principles:

1. Vet your emails. If you get an email from FedEx about a problem with your package, first off did you order a package? Second, did it get shipped FedEx? As a more year-round example, if you get an email from a coworker with an attachment, were you actually expecting that attachment? Don’t be afraid to ask questions. If you weren’t expecting that email, call them and ask to make sure it was them.

2. Don’t click the link. Instead, go directly to the website and log in. For example, if you get an email from Amazon saying there’s a problem, go directly to Amazon and log in there. If the email was legit and there really was a problem, you’ll be alerted to it as soon as you log in. If you click the link, it might take you to a page that looks exactly the same but isn’t and scammers have gotten real good at faking it. Don’t trust yourself to catch it. These guys get rich off scamming people smarter than both you and me. Don’t risk it. If it’s an attachment, I think most of the time it’s probably safe to open (assuming you verified you were expecting it), but if you’re fairly tech savvy it could be a good idea to set up a virtual machine that you use strictly for opening email attachments to ensure that they’re safe.

3. Keep your antivirus updated. New malware is being built and discovered constantly, and no matter what antivirus service you use, they are doing their best to keep their definitions updated. By keeping your antivirus software up to date, you ensure it that it has the most recent definitions and it has the best chance of spotting a virus before it even gets in.

Advanced Defense

As with almost anything in privacy, there’s also a higher level of work you can do. For starters, using Linux greatly reduces the number of threats aimed at you. This is not a silver bullet. Malwares targeting Linux do exist. However, since Windows has over 75% of the market share (and is most commonly used by governments, educators, and other industries), most attackers focus their attention there. This means that just by using Linux, a great number of malware isn’t compatible.

Another advanced technique would be to use Virtual Machines. You can create a Fedora virtual machine for free in minutes and it will not only provide you with the excellent security of the Fedora Linux distribution, but also the additional advanced security of having a virtual machine. Think of a virtual machine as a computer within a computer, totally isolated from the device that it’s actually running in. While breaking outside of a virtual machine is not impossible for malware, it is incredibly difficult. You can create a virtual machine that you use exclusively for opening suspicious emails and attachments and further enhance your security.

Of course, whether you stick to the basics or try some advanced techniques, you should be using strong passwords and two-factor authentication on all your accounts. That way, even with the virtual machine strategy, your email account is unlikely to be compromised or taken over by malware. Remember to be on guard this holiday season, and I hope all your packages arrive on time and unbroken.

“Open Source” Does Not Always Equal “Safe”

December 5, 2020

On this website, and on many other privacy and security websites, you will find people espousing the gospel of open source technology. This is an important thing. This year, Switzerland suffered two separate scandals where the US Central Intelligence Agency was found to be operating shell corporations within the country who sold tech equipment to foreign governments and armies that were equipped with encryption backdoors, giving the American intelligence community easy, front-row access to the sensitive communications of other nations. Open source could’ve prevented this. Open source software would’ve allowed anyone to look at the programming and operating system on the device and say “hey, something’s not right here.” However, I think that sometimes the privacy community oversells open source.

I often see privacy newbies espousing open source without knowing why. I see people say things like “I heard [X Service] is bad because it’s not open source,” but they don’t actually know why that is. The answer is that open source – as a general rule – tends to respect your privacy more than the average person. Because the code is open, anyone can examine it to ensure that it does what it says. Additionally, because anyone can examine it, people are more likely to find bugs and offer fixes that can be quickly implemented. However, the operative word in there was “can.”

A recent study from GitHub found that on average, vulnerabilities exist in open source software for over four years before being patched. Now it’s important to understand the context of this study: GitHub examined 56 million developers and over 60 million repositories. Out of those 60 million codes I'm certain that many of them are just hobbies, uploaded by the creator as a backup, abandoned, or even as a “I made this for myself but if anyone else wants here, it is” thing. Those all probably came with “buyer beware” terms. But even that can only account for maybe a few ten thousand, at the most. Most of these codes were probably uploaded with the intention of being shared and spread around.

Here is where we run into an interesting issue. I believe in supporting the little guy. Everyone was once a little guy. Walmart, Starbucks, Microsoft, everyone. And you can believe that those big guys have since lost their way, and maybe that’s true, but the point is that they were once little guys. Even in the open source communities, the rockstars – Ubuntu, Bitwarden, Signal – they were all once nobodies. The little guys need our support to become sustainable and successful. I firmly believe and respect that. But the little guys come with risks that need to be recognized. Security researchers are people, too. They have day jobs (usually, some of them are lucky enough to be full time researchers), they have personal lives, and they only have so much time they can devote to examining code. The smaller the developer, the less popular the code, and that means the less eyes on it examining it for weaknesses. In a big, well known project like Signal and Mastodon, there’s thousands or even millions of people using it and laying eyes on it – not to mention many of them can afford to pay for proper security audits. But in smaller, lesser popular projects not so much.

So no, open source doesn’t automatically mean privacy respecting or secure. Most malware is, by definition, open source. Once a malware gets discovered, there’s websites where researches can share it so that other researchers can examine it, pick it apart, update their own virus definitions, and otherwise study it. Malware is literally “malicious software.” It’s a perfect example of how open source does not automatically mean private, secure, or safe. So does it still matter? Yes! All things being equal, open source is always better. The potential still exists for the code to be reviewed by someone who understands this stuff and to be improved upon. The potential also exists for someone else to come along and go “hey, this is a great project but this particular thing could be better, here’s my fork of it.” This is why there’s a billion web browsers out there, because someone saw something open source like Firefox and Chromium and said “could be better.”

Is it actually better? That’s a tough question. That’s where threat modeling comes in. But it’s important that you be educated when building your threat model. Open source is better, unarguably, but it doesn’t mean you should blindly trust it anymore than the use of the word “encrypted.” It’s how the encryption is implemented that matters, and it’s how the open source nature of the software is used to better the software that determines if it can be trusted. You still need to consider what information you’re planning to entrust to that software, what could go wrong, as well as a host of other considerations like update frequency, reputation, and more. As a fellow little guy, I’m not saying don’t trust the little guys. But I am saying to exercise caution.

Five Privacy Respecting Gift Ideas

November 28, 2020

It’s the gift-giving season, and so this week I think I’ll stay on topic. Now of course, your mileage may vary. Not everyone will appreciate these or have the tech savvy to use them. It’s up to you to know what gifts are right for what person and what would actually make a good gift. But below are some items that I personally have dealt with or have my eye on that might also make good gifts for yourself, your home, or a tech-loving loved one around you. These gifts are not listed in any specific order.

iPhone SE: $400

I’m gonna piss off a lot of privacy people right off the bat with this one, so let me remind my readers that this site is aimed at normal, not-tech savvy people. If you can convince your friend or family member to use CalyxOS or a Pinephone – or you yourself are willing to do so – please do. But chances are that if you’re reading this, you’re either not comfortable flashing a phone yourself or you have family members who wouldn’t be comfortable using a flashed phone. When it comes to stock operating systems, I personally preach iOS over Android every single time simply because iOS has better security. They’re both pretty abysmal for privacy, so iOS has the edge in the security department. As such, if someone you know is in the market for a new mobile device, the iPhone SE series is my recommendation. It’s inexpensive (for a smart phone), and unless your loved one is a heavy app user it’ll do the job perfectly.

Silent Pocket Products: $10-$400

Silent Pocket sells a wide variety of items that help keep your devices off the grid to various degrees. This could include wallets that resist RFID tracking and wireless credit card chip skimming all the way up to full-on Faraday bags for laptops that black ALL wireless signals. If you’re reading this, you probably don’t see the need for a Faraday bag and personally I think that’s outside my own threat level, too, but like I said they have a lot of other really amazing products like phone cases, wallets, passport card holders, backpacks, and a multitool that has spots for your keys. If you or someone know is really into gifts that have a practical use, definitely check this site out.

A Better Router: $150-$515

The internet in our homes is something we typically don’t think about until it goes out. But it’s also one of the most critical things we have these days. Most people don’t think about their router or the settings, but you can do your family a huge favor by getting them a new router and securing it for them. They’ll probably never even notice, but you’ll rest easier knowing they’ve gained a new level of privacy and security. The routers I’ve linked here come pre-loaded with DD-WRT, an open-source firmware that allows you to do all kinds of powerful things like a load a VPN or a firewall or VLANs onto the router itself, meaning that any device that connects to it will automatically be protected. This is probably the most technical suggestion on this list, but if you can figure out your own router settings you can definitely figure out these ones, too. All the hard work has already been done for you.

A Pinebook Pro: $200

Pine64 is a nonprofit that aims to make ethical, open source Linux machines accessible and affordable to the masses. To that end, they have released the Pinebook Pro, a $200 laptop that ships with Debian, which is an operating system I recommend anyways. Just like the routers above, this is a device that you don’t have to worry about installing or setting up yourself. Debian is incredibly user friendly and there’s a ton of support online if you have any questions about it. However, it should be noted that the specs on this computer are slightly below average (in my opinion). If you or your intended gift recipient only uses your laptop for browsing the net, checking your email, and streaming Netflix this is more than enough. But if you use it for any kind of photo editing, video editing, gaming, or highly specific and specialized software that can only run on a Mac or Windows, this may not be the best gift idea.

Books

If you or someone you know is a big reader, there’s a wide range of privacy and security related books, ranging from philosophical to “how-to” to fiction. In the nonfiction category, we have “Click Here to Kill Everybody” by Bruce Schneier and “The Age of Surveillance Capitalism” by Shoshana Zuboff. In the How-To books, try “Extreme Privacy” by Michael Bazzell or “The Personal Digital Resilience Handbook” by David Wild. And for fiction, popular recommendations in the privacy community include Cory Doctorow’s “Little Brother” series and “The Circle” by Dave Eggers.

Like I said, not all of these are great ideas. It’s up to you to know the people in your life. But even if you know people who aren’t crazy about privacy, some of these ideas might still work. You could buy your sister a phone case or a wallet from Silent Pocket. You could get your brother “Little Brother” from Cory Doctorow. You could get your mom a Pinebook or an iPhone. Granted, the Pinebook may require some getting used to, so first make sure they’re willing to learn a new operating system, but it’s not hard to get used to once you get over that initial learning curve. Hopefully this list has at least given you a few ideas. Good luck on your gift shopping, and remember to shop smart.

Does the Country a Service is Headquartered in Matter?

November 21, 2020

On my website, I list the country a service is located in as either a point for or against them. As a sort-of explanation, I also link to the Wikipedia page about the Five Eyes intelligence community. Likewise, you will often see people in the privacy community asking questions or debating about the location of a company and why it pertains to the privacy of a specific product. So this week I ask: does it really matter?

What is “Five Eyes”?

If you didn’t click the link above – or just didn’t understand it – the “Five Eyes” refers to an intelligence agreement between the US, UK, Australia, Canada, and New Zealand. It was originally born out of the cold war as a way for democratic countries to keep an eye on the spread of communism, but the agreement lives on to this day. The basic premise of Five Eyes is that those five countries share intelligence with each other generously. The agreement is primarily aimed at “signals intelligence,” which means basically any form of electronic or telephony communication, but they're known to share other intelligence as well.

The problem that pertains particularly to privacy is what Edward Snowden revealed about the Five Eyes agreement in 2013, which basically boils down to “the Five Eyes countries spy on each other’s citizens then share with each other as a loophole.” In the US, the US intelligence agencies aren’t supposed to spy on US citizens without a reason. Same thing in the UK. But the US is totally free to spy on UK citizens and then share that data with the UK, and vice versa. That’s a simplified version of how it works.

There are also other “Eyes,” such as Nine and Fourteen, as well as specific “Eyes” aimed at certain counties (ex: “Five Eyes Plus Three Against North Korea”). All this really means is how many countries are involved. Typically the wider the Eyes, the less comprehensive the data sharing. So the Five Eyes are the most invasive countries and share the most openly, while the Fourteen eyes are less invasive and share less (but still invasive).

How Does This Relate to Privacy and Services?

Country of origin determines the laws and practices a company is subject to. A company based in the United States will be subject to US law – taxes, worker rights, and even surveillance. A US-based company will be caught up in the Five Eyes dragnet, and a US company will have to turn over any data requested by a warrant from a US law enforcement agency such as the FBI. For example: I run a Nextcloud server out of my home. It’s small and it’s only for friends and family. If my city, county, or state police or the FBI came to my door with a warrant and said “we need you to clone your mom’s data and give us a copy,” legally I’d be forced to comply. But if I move to Canada, the situation changes. My mother – who still lives in the US – is under investigation. If it’s a local investigation, police aren’t going to bother with the international red tape of asking me to hand over her data. They might ask, but since it crosses international lines and their resources are limited, they probably won’t bother making it an official, legally-binding request (unless they suspect the data I possess is key to their case). Even the FBI will meet a few more roadblocks in the process. Not many. They have the resources, and Canada is a friendly country with the US, so they’d probably get the approval. But it’s not as easy as it was before when I lived in the US.

As such, a lot of people in the privacy community prefer to pick services that are run by companies that are based outside of the various Eyes communities. The further outside, the better. A company in Germany is superior to a company in America because Germany is part of the Fourteen Eyes, which is better than the Five Eyes. But a company based in Switzerland or Finland is even better because those companies aren’t part of any Eyes. The roadblocks required to get the data – from both a legal and a surveillance perspective – are much higher.

Is This Actually Effective?

The short answer, in my opinion, is no. This stuff doesn’t really matter. As my long-time readers know, I don’t encourage breaking the law. Ideally you shouldn’t be doing anything that gets you on the law-enforcement radar in the first place (I’ll come back to that in a moment). But first let’s talk about surveillance: the Five Eyes are spying on EVERYONE. The idea that your data is somehow magically safe because the server is in Finland is as ridiculous as saying that I’m somehow magically safe because I put my seatbelt on when I drive. Obviously I do, seatbelts dramatically increase my odds of survival in a traffic collision, but the seatbelts don’t do a thing to stop someone from hitting me. Likewise, putting my data in Switzerland helps, but it's not a magic bullet.

Before I go on, I need to explain how the internet works at the global level. At the very top of the network food chain are “Tier 1 networks,” which are basically the internet service providers of the internet service providers you and I know and use like Comcast or Time Warner. According to Wikipedia, most Tier 1 networks are headquartered in Western countries like France, Germany, the UK, and the US. A couple are in places like India and Hong Kong. If you remember the list of eyes from before, this means that virtually every single Tier 1 provider is based in an eyes country, over half of them in Five Eyes alone. Choosing a country that’s outside Eyes jurisdiction does make surveillance slightly harder, but considering that literally all network traffic needs to route through a Tier 1 network and 88% of them belong to the Eyes, it also makes that surveillance relatively trivial. The Eyes own the internet. Not to mention there's absolutely nothing to stop state actors from setting up totally legal shell corporations in foreign, non-Eyes countries and then using those to spy on the locals.

So does that mean you shouldn’t care at all? Of course not. As I said, picking a country outside the Eyes does make surveillance a little bit harder. While the traffic still passes through Eyes infrastructure and into Eyes territory on your device, if you're doing it right that traffic is encrypted and the data itself rests outside of Eyes jurisdiction. That does count for something. Earlier I mentioned not to get yourself caught in the crosshairs of law enforcement, but we all know that law enforcement is not perfect and mistakes happen. People get wrongfully targeted, arrested, and convicted all the time. Putting your potentially-incriminating data outside the hands of the law so that they can’t use it against you is a great consideration.

However, you should consider the location of a service a lot like the color of a car: ideally you’d like to have one color, but it shouldn’t be the deciding factor. The deciding factors should be the other things I discuss when I list services on my site: how strong is the encryption? Is the company transparent? How is the privacy policy? What information do they log? Can they access your data? Under what circumstances will they hand over their logs/data? I fully expect any legitimate company to comply with a lawful warrant or request, but I also take comfort in knowing that a company will push back on a request it considers unfair (Tutanota and ProtonMail both have a documented history of this, by the way). So rather than “where are they located?” you should ask “what kinds of requests will they push back on?” How is the company’s reputation? And then, once all factors have been weighed, that’s when you should give the country of origin a thought. One reason a lot of people prefer companies based in Germany and Switzerland is because those countries have privacy laws that are superior to the US (though also not perfect). But if you're using companies who are zero-knowledge, don't log data (or log as little as possible for as short a time as possible), and use strong encryption, then the country means almost nothing.

Safe Shopping: 2020 Edition

November 14, 2020

Last year, I posted the below blog. After “Black Friday.” Whoops. This year, I thought it worth posting again – this time beforehand! – since my audience has grown dramatically (thank you so much! Seriously, I am so humbled!), but updated to reflect both advances in technology and the global pandemic where necessary. So without further adieu, the 2020 guide to safe holiday shopping!

With gift-giving season officially beginning in the United States (and at least a few other places, I presume), I figured this would be a great time to discuss safe shopping tactics. I don’t feel like this needs any sort of real introduction, it’s pretty self-explanatory, so let’s begin.

Pay with cash in person. There’s a large push for card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-crazy, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.
Of course, online shopping has long been popular, and even moreso this year. For online transactions, use pre-paid cards (such as the Vanilla card) or card-masking services like Privacy.com, Blur, MySudo, or ViaBuy (if you live in Europe) to avoid having your real information stolen. If a scammer steals your info, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. So I definitely encourage you to use a masking service of some kind. Be aware that Privacy.com and MySudo essentially function as banks in this scenario, so they will ask for some personal information that some people may not be comfortable with. Blur is a little less invasive, but you’re basically just creating digital pre-paid cards. Personally I’m a fan of Privacy.com for a lot of reasons, but this isn’t the time or place. Feel free to check out all of the solutions suggested and see if any of them are right for you.
Use HTTPS. HTTPS is a powerful and effective encryption method for data-in-transit (aka web traffic) that helps protect your sensitive information as it shoots across the web. The vast majority of the internet is now securely encrypted so you’re probably covered, but be vigilant anyways. Just this month I tried to order some food for takeout and the webmaster had accidentally let the certificate lapse, so they didn’t have HTTPS. Thanks to the browser plugin HTTPS Everywhere, I was alerted and avoiding sending my card information on a potentially unsecured website. This plugin will automatically ensure an HTTPS connection wherever it’s offered, regardless of search engine or browser settings, and alert you if one isn’t found so you can decide if you still want to use the site or not.
Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the hacker who hopefully didn’t steal your information because you already implemented the above bullet points.
Don’t quit on December 26. The thing about these habits is that they’re great year-round, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. HTTPS can protect your Facebook login from a random hacker just as much as your card number. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. HTTPS is something that takes just a few minutes to set up and you never have to think about it again. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work (if you have a concern about stalkers, you may want to consider getting one in a nearby town instead). Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!

A Detour into Diet Apps

November 7, 2020

One thing I really envy Android users on is their access to alternate app stores, like F-Droid and Aurora. My partner approached me earlier this week and asked if I’d be willing to go on a diet with her as a show of solidarity. Not the same diet, just a diet. As I stepped on the scale to begin, I begrudgingly admitted that she was on to something and I’ve put on more weight than I realized. Ever the one to look for a silver lining though, I figured this might be a good time to dig through some of the most popular diet-tracking apps in the iOS app store and see which one was the least offensive. So this week, I’m sharing that with you.

I chose my apps based on a combination of “top” lists found on DuckDuckGo and which apps popped up first when I searched in the app store. I am rating them based on their privacy policies, specifically “information we collect.” I have organized them by alphabetical order. I also only highlighted things that stuck out to me specifically. I’m not really surprised with stuff like “cookies, things you willingly add to your profile, and IP address.” That’s all pretty standard. I was looking for anything out of the ordinary or alarming.

Calorie Counter +

Information collected: “first name, email address, encrypted password, personal profile (your age, sex, height, start weight, goal weight, activity levels and any other boxes you tick during sign up), Photo (if you upload this to the forum or Live Club weigh-in on the website), IP address, Mobile device ID, Your browsing behaviour (when using the Nutracheck App and website).” Uses Google Analytics. Shares information with Google and Facebook to advertise “as you browse around the internet.”

The alarming parts to me here were the fact that they shared with Google and Facebook so they could advertise to you off-site. No thanks. Other than that, pretty standard stuff although I did notice that a lot of sites require information like gender and age. I guess that’s medically relevant, but it still makes me a bit uneasy. Also what does “encrypted password” mean? Do they actually store my encrypted password, or are they dumbing down “hashed” for readers? Cause frankly, storing my actual password – even encrypted – is unacceptable.

FatSecret

Information collected: “age, gender, postal code, current and goal weight.” “IP, ISP, browser type, OS, language, profile information, profile info, food and exercise, and “general use.” “integration with other services such as Apple’s HealthKit…other services such as Apple’s HealthKit API’s and Google’s Fit APIs (all together “Health Data Services”). FatSecret will not use or disclose health data gained through Health Data Services to third parties for advertising, marketing or other use-based data mining purposes other than improving health or for the purpose of health research.”

I found a few things in particular problematic here. Let’s go in order. First, “postal code.” I realize than IP address is as good as a physical address, but why go out of your way to collect that? Next, “ISP, browser type,” and “OS.” Again, I realize that knowing my IP address is enough to correlate who my ISP is, but why go out of your way? I also know that browser type is helpful to know to make sure your site is working correctly with that browser, but why OS? And also, with the rise of CSS, I feel like “browser compatibility” isn’t really a thing as much as it used to be (but I could be wrong, I'm clearly not a web developer). “Integration with other services” combined with “FatSecret will not use that data...” means that not only will they submit the data to your HealthKit, but they’ll collect data from it, too. Finally, “for the purpose of health research.” Um, no thanks. Please don’t take my health data and then share it.

Lifesum

Information collected: “your email address, first and last name, height, weight, date of birth, and gender” upon registration. “Device identifiers (i.e. information on what device, IP-address, etc. you use to register and log on to the Services), and technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements) which is used to provide the Services and to allow Lifesum to market to you in accordance with this Privacy Policy.” You can opt out of marketing but not collection.

This is a pretty standard privacy policy, and if it seems like a lot, that’s because it is. Most privacy policies are this invasive at a base level. You’d be hard pressed to find a policy less invasive. Except for one part: “technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements).” So from what I understand, that means Lifesum is monitoring not just the app, but the device: my searches on Firefox, my location, what other apps I use, and other ads, just so they can advertise to me even more. Unacceptable.

Lose It!

Information Collected: “We may also use and allow third parties to track your browsing history profile.” “Personal Diet Data”, including, birthdate, height and weight, sex, and specific details of the foods and drinks that you consume and your exercise, and genetic results. Test results generated from a user’s genetic data. Email address and Lose It! Password. IP addresses, browser type and your operating system. Pages visited on the Websites referring and exit pages, and the dates and times of the visits. Financial information, such as your credit/debit card number or other billing information for purchases and product upgrades. Any additional information relating to you and your use of the Websites, Apps or Lose It! Services that you provide to use directly through the Websites, Apps or Lose It! Services. Location data and other information about devices used to access and interact with the Websites or App. Information that you make publicly available or publicly post using tools made available on the Websites or via the App. Information you may provide in user-to-user messages. Information collected from promotions with third party companies.”

So once again, nothing terribly bad here except that they specifically cover genetic data. If I get a genetic test, they collect the results (I assume the test has to be done through them or with one of the parties they work with). No thanks. They also collect Browser type and OS, yet again. And Location data, why? Why do dieting apps want to know my location? What are you gonna send me a push notification? “We noticed you just entered a Wendy’s. Don’t do it, bro!” C’mon.

Nutrients

Information collected: None

So this app claims that they don’t collect ANY information and furthermore than all information you enter stays on your device and never gets transmitted. But I was a little put-off by the fact that there’s no HTTPS on their website. It’s 2020. There’s no excuse for that. Also, personal opinion territory here, I noticed that in the app store the developer has another app called Donald J Trump, which seems to be just a hub for all his social media posts or something like that. I don’t know, I didn’t pay for it. Personally, I don’t support Trump, and since the Nutrients app is paid, I wanted to do a little digging and make sure that I’m okay giving my money to an organization that obviously does support him. Once I started digging on that front, I quickly noticed that there is zero mention of the Donald J Trump app on their website, which to me is kind of questionable. At the time of my research this week, the app had been updated less than two months ago, so clearly this isn’t something they just put out once and have since abandoned. This is an app they actively maintain. Why aren’t they owning up to it? Personally, I found that alone shady enough to not want to give over my money. I don’t mind if a company wants to publicly endorse a candidate, but the fact that they weren’t being fully forthcoming with it in a situation where they should’ve (in this case, not listing the app on their site alongside all the others), that personally didn’t sit right with me.

MyFitnessPal

Information collected: ? But it is collected through third party or “publicly available” sources.

So this is the one thing that bugs me more than a generic privacy policy. Their privacy policy doesn’t even exactly state what they collected. It’s already bad enough when you say “IP address, Device ID, and other information,” but when you just straight up say “we collect information that cannot be used to identify you” (first off, that’s a lie) “but is used to determine aggregate data such as usage, blah blah blah,” that’s even worse. Now you’re not even saying what’s collected. If it’s not a big deal then why won’t you say what it is? Furthermore, you collect additional data through third party and “publicly available” sources? Why are you going out of your way to collect more information about me outside the app? Just tell me how many calories my damn burger has.

MyNetDiary

Information collected: ?

This service was equally as opaque as MyFitnessPal. The only saving difference was this service didn’t claim to collect additional information from outside the app, and they also claim they never share it. Personally I find a blanket “we never share your info” claim to be suspect – especially if they do admit to collect information – because I fully expect any remotely not-shady organization to share my information with law enforcement with a warrant. So to just flat out say “we never share your information ever” already means that at best you’re telling a half-truth.

MyPlate

Information collected: device registration data (for example, the type of mobile device you use, your mobile device’s unique device or advertising ID, IP address, operating system and browser type), device settings (for example, your language preference), mobile carrier, information about how you use the Services (for example, how many times you use the Services each day), requested and referring URLs, location data collected through your device (including, for example, precise location data such as GPS and WiFi information), information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.”

So this is another one that’s not AWFUL but still not great. Let’s pick apart the more alarming parts. First, “OS and Browser, as well as mobile carrier.” Why? Does whether I use AT&T or Sprint or Verizon really affect how the app experience is for me as a user? “Requested and referring URLs,” so I admittedly am not an expert on this stuff and I have to do more learning in this area, but from what I understand this means that they can track where I came from and go to on the internet before and after their site. Why? “Location data, including GPS and WiFi information.” So in addition to my usual “why do you need my location” rant, this also suggests (or at least doesn’t rule out the possibility) that they might collect additional information about my WiFi network specifically, like SSID (aka “wifi name”), router info, and possibly even WiFi password and other devices on the network. Seems a bit unnecessary just to tell me I’m fat. Finally, “Traffic data, web logs, and other communication data.” Man that’s broad. Are you gonna access my browser history? What other traffic goes over the network? My text messages? This one is way overreaching.

SparkPeople

Information collected: We may collect your name, address, email address, telephone number and other contact information...” “We do not share your information with third parties except as set forth in this Privacy Policy.” You can opt out of direct marketing but not out of collection. “We may collect information automatically about the use of the Website, through, for example, “cookies” or “IP addresses” (as described below). SparkPeople also archives log files and uses non-personally identifying information in aggregate form to” blah blah blah, improve the website.

Sorry, but at this point in my research I was getting tired. The short version is, SparkPeople’s privacy policy is super generic. Nothing alarming, but nothing great either. Contact information, information you willingly fill out, cookies, IP address, etc.

Summary

So the moral of the story here is that everyone is tracking you. This could be an entire blog post in and of itself – and it is on many other great sites – but cookies alone were the first real way of tracking people across the web back in the early days and while new, more sophisticated ways exist, the old ones haven’t gone away. So even the most generic, inoffensive privacy policy still has a way to track you and pass that information along to data brokers, and quite frankly I’d be surprised if they didn’t. That’s easy money. I think what I found most alarming was not the generic tracking – I fully expected that – but rather how invasive some of the others get. Location data? Other device info? Network info? Why, man? Just why?

So what did I ultimately decide to go with? A spreadsheet made with LibreOffice. It’s not sexy. It doesn’t give me pie charts or histograms (I know, it could if I wanted to). It doesn’t automatically tabulate my weekly total. It doesn’t have a cute animal encouraging me or recommending tips to keep on track. That’s fine. I took it upon myself to go out and do research and use online calculators to see what my daily calorie intake is based on my goals and my body. I decided what metrics were important to me, then I went and found the daily recommendations. In fact, I got a few premium features that way. For example, one app I used in the past (which is on this list) charged extra to set goals (instead of simply counting) and to monitor my sodium and sugar. I have all those things now, plus more. It’s a little more work. I can’t just scan a barcode. But that’s okay. It works for me, and it forces me to be conscious and put in the work myself.

I hope someday that Apple will be more forgiving and allow us to include privacy-respecting apps or app stores. I know, I can dream at least. But I guess the main reason I wanted to share this – in addition to being relevant and interesting – was to remind you to read the privacy policy. You don’t have to take five hours and read the entire thing top to bottom along with the terms of service. But at least skim. What are the parts that matter to you? Look for those parts. Get a general idea of what they’re doing with your data. And not to end on a depressing note, but just remember that 99% of the time those – according to themselves – can change at any time without notice. So be on your guard.

Should You Use Biometric Locks on Your Devices?

October 31, 2020

I considered buying a fingerprint-based door lock the other week. It was not cloud-connected or “smart” or anything like that, and ultimately I decided $200 was a bit too much to spend on a whim, but I did stare at it and read the box for quite some time. When I told this to various friends and family, they all seemed floored that I even considered an electronic lock. Truthfully, I know how to pick locks so I’m painfully aware of how grossly insecure my traditional cylinder lock is. I’ve spent many hours pondering the better solution with the appropriate balance of risk and reward.

The fact is that just like cylinder locks, our common digital locks (aka passwords) suck. They’re hard to remember. If you can remember them, they're too weak. If you can't, you're placing your trust in a password manager to not get hacked or corrupted. Furthermore, they have no real guarantee of safety. My significant other can log into this account and post a blog just as easily as I can, provided she has my password and any multifactor devices. As such, many cybersecurity experts actually recommend biometric locks like fingerprint, face scan, or retina scan instead. There’s a reason they were so popular back in 90’s spy movies. And honestly, that's not wrong. But there’s also a myriad of studies and evidence out there to prove that they’re not without risk, either. So this week I thought this might be a good topic to tackle.

What’s A Biometric Lock?

For those who haven’t figured it out based on context clues, a biometric lock is a lock that only opens when it confirms your biological identity: fingerprint, face scan, and iris being some of the most common. Almost all modern phones come with the capability.

On its face (no pun intended), a biometric lock is unarguably more secure. A social engineer can guess my password or security questions (unless you’re using the techniques I recommend on my website) and similarly, an attacker can steal my password and decrypt it using rainbow tables and brute forcing. But the odds that a malicious hacker or social engineer can chop off my finger or somehow copy my fingerprint? Sure, it’s possible. Again, I reference the 90’s spy movies. But that’s relatively advanced stuff – even by today's standards – and honestly this comes down to threat model. I’ve said before that this website is not designed for the hardcore Snowden-level whistleblower who needs to disappear. It’s for the average person who just wants to regain some privacy and security. The odds that anyone is going to go through those kinds of hoops to get their hands on your biometric identity is almost nonexistant. Having said that, I encourage you to ask yourself what the odds of that are. Even if you’re not a journalist, you might have a really driven stalker who would go to some pretty extreme lengths.

Not All Biometrics Are Equal

Despite what I said just a moment ago, not all biometrics are equal when it comes to how well they can protect you. I’m not even talking about click-baity articles that talk about how the iPhone can be unlocked in less than two minutes (]by pointing it at the sleeping owner’s face](https://www.forbes.com/sites/daveywinder/2019/08/10/apples-iphone-faceid-hacked-in-less-than-120-seconds/)). It’s important to note that literally everything is hackable and finding out that any system can be hacked by using twelve Androids, a home-cooked app, and direct access to a user’s device is kind of a no-brainer. It’s a real-life version of the infinite monkey theorem (except much more likely). Anybody with sufficient time and resources can hack anything.

No, I’m not talking about theoretical hacks and advanced exploits. I’m talking about actual, legitimate threats that could be posed to the average user. Consider this story about a woman who unlocked her husband’s phone while he was sleeping via his fingerprint scan and discovered he was cheating. Or this clip from sitcom Brooklyn Nine-Nine where one character unlocks another’s phone simply by pointing the camera at her face. Now it should go without saying that I’m neither endorsing nor encouraging cheating or any kind of illegal or unethical activity. But suppose my partner unlocks my phone while I’m napping and sees what I’m getting her for Christmas? There’s plenty of valid, legal reasons for you to want to control who has access to your device. If you’re a parent and you have small children, do you want just anyone to be able to pick up your phone and look through it at pictures of your kids or texts with them? I understand that in an ideal world, you would maintain positive control of your device but that’s not always possible. People make mistakes, get wrapped up and leave things laying around on their desks while they run to the bathroom. I leave my phone plugged in to charge overnight in another room. Or even at work sometimes I'll leave it plugged in while I work in another spot far away from an outlet.

So Should You Use Biometrics?

This as a question I’ve wrestled with for a while now. The answer is I don’t know. First off, it depends on your threat model. I think my threat model is very low. I don’t think anyone will go out of their way to lift my fingerprint and make a rubber copy. On the other hand, I am politically active and I wouldn’t feel comfortable with face lock because I know that if I ever got detained a cop could simply flash the phone at my face to unlock it. So personally, I’m comfortable with fingerprint lock but facial ID. But then there’s the question of who has access to my biometrics and what are they doing with it? I use an iPhone. Apple claims they never have a copy of my fingerprint and that what they store is simply a digital signature – sort of like a password hash. However Apple has also claimed that they don’t have humans listen to Siri recordings, which turned out to be a lie, so I don’t know how much I trust them. Would I use biometrics like fingerprint on an air-gapped machine like the lock I mentioned earlier or a laptop I use for backups? Probably.

I wish I could give a more concrete answer. Usually I can at least say “here’s what I’d do, but you do you.” In this case, I don’t think that applies. There’s just too many variables. But so many people in the privacy community are opposed to biometrics (and often for good reason) that I wanted to discuss them in a more in-depth fashion. As with almost all technology, biometric identification isn’t bad. Who uses it, how, and what they do with the data can be. No matter what protection you go with for your devices – be it password, PIN, or biometric lock – make sure that you’ve done your research. Know the shortcomings both technologically, practically, and legally. Know what the risks and benefits are, know the company and how it’s supported, and most importantly make sure it’s secure. Fingerprint is unarguably more secure than a phone PIN of “0000.” But a 16-character alphanumeric passphrase might be more secure than a face print if you’re a celebrity. As with many things I discuss, there is no one size fits all, only education so you can decide what size you need.

How I’ve Convinced People Around Me to Care About Privacy

October 24, 2020

As many of my long-time readers know, I love to write about personal experiences as a way to give real-world context to many of the subjects I cover. This week, I want to talk about my successes in getting the people around me to care about privacy. In the past I’ve mentioned how one of the recurring questions I see in the privacy community is “how do I get my friends/family/significant other/etc to care about privacy?” My partner has gone from publicly posting everything online to using encrypted messengers, using a VPN on all her devices, almost completely eliminating Facebook (she still needs it to connect with one specific group), and slowly transitioning to ProtonMail. Just this week alone, both of my coworkers stated their intentions to start taking their privacy more seriously after Chrome’s move to give advertisers full access to your device files. And in a move I never thought I’d see, my own brother said he wants to move away from using GAFAM (Google, Amazon, Facebook, Apple, Microsoft) products so heavily. I doubt I’ll see him completely abandon said products, but he did ask me if ProtonMail has a free tier and said he was switching to DuckDuckGo and Firefox. So this week, I want to take a moment to report what I think worked on all of these success stories.

Disclaimer: Before I dive in, I want to say that you should never do anything expecting to change someone’s mind. That’s just asking for disappointment and hurt feelings. You should enter into these discussions with the mindset that you’re here to exchange and consider ideas and viewpoints. If you approach subjects attempting to change someone’s mind, they’ll often feel attacked, get defensive, and double down. But if you go into it going “we’re equals, whatever you believe is up to you, but here’s what I believe and why” they’re much more open to listen to you and what you have to say. That’s not guaranteeing success, but it does guarantee a much better time in my experience.

Respect

On that note, I respect people’s choices even if I disagree with them. I really got on my brother’s case. He claims to be an ally of minorities, the oppressed, and other such groups. So, I made it no secret that he was perpetuating that same oppression by using services like Amazon, Facebook, and Google. It’s not enough to vote Democrat when you’re perpetuating systems that allow right wing extremism to flourish and shopping at companies that oppress their workers. That’s an argument for another day that I’m currently working on, but the point is that while I made these opinions known to my brother I was always quick to follow it up with “I love you, you do what you want, these are just my views.” Same thing with my partner. I have never forced her to use a password manager, I simply presented her with password managers as a tool of convenience and security, explaining what they do and how they can improve your life, and left it up to her. Don’t get me wrong, there’s still a lot of things I wish the people around me would do differently. I wish my partner would stop using TikTok. I wish my mom would switch to Linux (there's nothing she does on Windows that Linux can't do). But I respect that everybody is at a different place and I can’t force them to do anything. I can only present them with the facts and let them make that decision (it’s almost like I made an entire website out of that philosophy).

Time: Mere Exposure

I think most often when people ask that question, what they’re asking for is the epiphany moment. Chances are that very few of us reading this were introduced to the concept of privacy the same day we started taking it seriously. Think hard. I know I can vaguely remember some conversations I had with a friend about how the founding fathers never could’ve successfully revolted if they were subjected to the same level of surveillance in 1775 that we are today. I also did some time in the military, meaning that I was very familiar with the concept of having my communications monitored at some level. The point is, privacy was not a new concept to me. I heard at least a few arguments about why it matters and as an avid sci-fi fan, I was well aware of some of the potential negative ramifications of not having it.

It can be frustrating repeating yourself over and over as it falls on deaf ears. I live with my partner, and therefore she hears me rant about privacy constantly. As she’s begun to care more in recent months, we frequently have conversations where I rant about something privacy-related that upsets me, she says she didn't know that, and I remind her that I've definitely mentioned this before. I don’t rant with the expectation of changing my partner’s mind, I just rant to get it off my chest and I’ve made that very clear to her. But it’s still frustrating to know that most of it doesn’t stick. I think that’s why most people ask the question. “How can I trigger that ‘a-ha!’ moment that finally makes my family care?” And the fact is you can’t. It’s impossible to tell.

So instead of viewing these discussion as “this might be the moment,” view them as just general discussion like I mentioned at the top. If I’m talking to someone who complains about passwords, I throw out password managers. Just the other day someone on a job site mentioned that they do a lot of online shopping, so I encouraged them to check out Privacy.com. The goal is to expose them to it repeatedly. It’s called “The Mere Exposure Effect.” Basically the idea is that just by being exposed to something, your opinions on it strengthen. If there’s someone you sort of like, working around them frequently will make them like you more. The idea is to expose them to the ideas of privacy more and more so it grows on them. I know it sounds kind of manipulative, but that’s not my intention. That’s just a fact. The fact is that Mere Exposure can go the other way: working around someone you sort of dislike can make you grow to hate them, so if someone is clearly pushing back on privacy stuff and gets vocally upset by it, drop it. You’re not gonna win them over with Stockholm Syndrome. You’re going to push them away.

Time: The Epiphany

You know what made my brother care? The same argument I’ve made a hundred times before. Maybe I worded it a little differently but there was nothing new in my argument. No new concepts, no new information. It was just timing. This happened to be the time that my brother was in the right headspace, the right frame of mind, with the right set of pressures, information, and circumstances to decide “you know what? Nate’s right. I can’t be part of this system anymore.” I mentioned before in a different blog that my partner made the full-time jump to Signal after her boss informed her that the company reads text messages. When she told me this, we had another “I told you this a long time ago” conversation which actually ended with her going “yeah but somehow it felt different being told by the company themselves.”

The fact is you can’t predict what’s going to finally get through to someone. There’s no use in trying to guess what that magic epiphany will be. When I told my coworkers about the new Chrome “feature,” I actually made a point of saying “I don’t even care about the privacy aspect, this is a serious security risk.” I then explained drive-by malvertising. The next day, one coworker mentioned his plans to switch to ProtonMail this weekend and the other said he had removed as many Google apps off his phone as he could (he still kept Drive and Gmail for work stuff, but he removed other stuff like Maps). I would’ve never guessed that would be the story that would’ve got through to them, although honestly it probably wasn’t.

Honestly, most epiphany moments are straws that break the camel’s back. I don’t know if my own was or what. But in all my time of winning people over, it usually comes down to them hearing enough stories (usually from me, guilty as charged) that they finally go “I’m over this, I’m willing to make some changes.” This could be another blog topic in itself but when you get that win, be sure not to push it too hard. I've learned that when somebody tells me they want to start taking their privacy more seriously, the best response is to go “I'm happy to hear that. Let me know if I can help.” (That's actually when my brother asked if Proton had a free tier.) Don't get excited and go “ohmygosh! Now you have to check out Wire and Mullvad and XMPP and this and that and switch to Linux and...” Just let them know you support them and you're happy to share whatever you know.

I want to reiterate that you should never go into this expecting people to change. Also, it’s healthy to have other topics. While I frequently return to the topic of surveillance and privacy, I’m also capable of talking about music, video games, movies, TV shows, politics, and sharing personal stories of my time living in various other places. It’s not like all I can talk about is surveillance. Basic people skills come into play here. The best way to get the people around you to care is to not force it on them and let them come to their own decisions. But hopefully my experience will help you see how that can happen.