The New Oil

What’s the Buzz About Bitcoin?

January 9, 2021

You may have heard the news lately: Bitcoin is at an all-time high. Like REALLY all-time high. Previously, it peaked just under $20,000 USD toward the end of 2017. As I type this, it’s broken $40,000 USD. That means a single Bitcoin is worth more than most cars. So why is this, what is Bitcoin, and why do I still not talk about it much on my website?

What is Bitcoin?

Bitcoin is a decentralized digital currency. It’s not super complicated, but it’s complicated enough that I’m not going to dive into the details of how it works. The short version is that there is no country or bank responsible for issuing it. The value is entirely dependent on supply and demand, and it is entirely maintained by the users. Consider the following: You have a wallet in which you place cash. You can then freely trade that cash with other people for any number of reasons: you can donate it to a cause, you can buy a soda with it, or you can hold onto it. Now replace “cash” with “Bitcoin.” Congratulations, that’s exactly how Bitcoin works. A Bitcoin wallet can be an app, an online service, or a hardware USB-like device. Each has their advantages and disadvantages, and I’m not going to go into that here.

Why is Bitcoin Suddenly so Popular?

I’m not going to pretend to know. I’m sure there is an answer, but I don’t know it. I tried to do some research for this blog, but frankly nobody seems to have a good answer. One common answer is “it’s becoming more widely accepted” but nobody seems to explain why that is. Another answer is that “it’s fraud resistant.” I guess that makes sense, but so is a good old-fashioned bank transfer. Short version: I don’t know. And quite frankly, I’ve heard a lot of personal finances educators claim that nobody REALLY understands the market. Some people can make some educated guesses based on current events, previous trends, or whatever, but in the end it’s all just speculation. The market does what the market does, and I guess the market is favoring Bitcoin right now.

Is Bitcoin Really Private?

Short answer: no. Bitcoin is, by design, more private than almost any other form of electronic payment. However, as with anything electronic, there are other considerations for true “privacy.” For example, the most common way to get started with Bitcoin is to go sign up for an exchange, like Coinbase or Ledger. But these are US-based companies, which means that they are required to verify your real identity in order to prevent fraud. So while the person you’re trading with may not know you, your real-world identity is very much linked to your wallet. That’s not very private. Even if you self-host a wallet, it’s important to note that using the same address creates a web of activity and relationships. Think of it like a regular bank account: if I’m constantly getting gas at the same gas station once per week, you can safely assume that I live or work near that gas station. If I’m constantly sending Bitcoin to the same address – an address that belongs to the EFF, for example – you can safely assume that I’m interested in digital rights advocacy. That by itself won’t tell you much, but it is a piece of a puzzle, and combined with other pieces the picture begins to emerge. There are other steps you can take. I know some cryptocurrencies – I believe Bitcoin is one of them – allow you to create multiple wallet addresses with the intention of being able to break up this profile, but it requires a lot of work and it’s not included by default in most services like Coinbase. Furthermore, Bitcoin is a public ledger There are tons of tools out there to enter in any Bitcoin wallet address and see how much money it has. That was always the point of Bitcoin: transparency, security, and decentralization, not privacy or anonymity.

So Why Don’t You Talk About Bitcoin on Your Site?

A lot of people who are interested in Bitcoin attempt to use it in a “day trader” type format: that is, they buy low and sell high without ever using Bitcoin to actually buy any goods or services. Does this work? Sure, for some people. But not for most people. Warren Buffet famously made his fortune by investing and playing the stock market, yet even he is not convinced that “active management” – aka trading your stocks manually the way that day traders do – is a better route. I don’t believe Bitcoin is a good investment tool. After its all-time high in 2017, it crashed all the way back down to the mid thousands (around $6,000 USD) for quite some time. Granted, that was still significantly higher than the below $1000 it was at before that climb, but look at the trend: $700, $20,000, $6,000, $40,000. Those are highly volatile numbers, and it’s hard to know when to buy in and cash out. Most average people – my target audience – don’t have the time or expertise to watch the market so closely and try to guess when to pull out. And as I said above, I don’t think anyone does. Who knows exactly when the bubble will burst, and if it will be a temporary setback or a long-term one? Financial advisers are historically awful at outperforming the market, so the odds of an average person who isn’t closely watching and studying the market 40 hours per week being able to do better is slim to none. It’s just gambling, and I would hate to tell my readers “you should use some Bitcoin to improve your privacy” when A) it won’t really improve their privacy (especially since most readers will use an existing exchange with “Know Your Customer” laws) and B) they might lose hundreds or even thousands of dollars as the market fluctuates. It just feels irresponsible of me to do that to people who are uneducated on the matter and expecting me to give them good advice. Also not to brush past this one, but while Bitcoin certainly is becoming more acceptable and mainstream, there are still many places where it is not accepted. I dream of the day I can pay for my groceries with Bitcoin. I doubt I would, but man it’d be cool.

So is Bitcoin Bad?

Absolutely not! For starters, I love the idea of a secure, decentralized, and transparent currency with almost no barriers to entry. An associate of mine once shared that they live in an economically disadvantaged part of the world where Bitcoin has been a godsend. A major problem with today’s increasingly digital world is that many in poverty don’t have access to bank accounts, which leaves them out of many online transactions and other financial opportunities. But most people manage to access a smartphone. According to Statista, over 3.5 billion people worldwide have a smartphone in 2020. That’s over half the global population. And that’s total population, so if we removed minors from that number the percentage of adults who own a smartphone is probably pretty high. And yet, according to Gallup, only 62% of adults have a bank account. So the rise in available wallets means a rise in access to digital funds for anyone with access to a smartphone, which is most people. A digital wallet is arguably more secure than cash under a mattress, so the rise of cryptocurrency allows for a narrowing of economic opportunities between rich and poor, especially when we’re talking about something globally-recognized like Bitcoin. No exchange rates or international taxes to change from one currency to another. Having said that, I suspect that most of my readers and target audience do not have this problem. Many or most of them probably have access to a bank account or cash, and many probably live in areas where Bitcoin is not universally accepted. Finding places to spend that Bitcoin may be hard. I like the idea of Bitcoin as a currency, not as a traded stock.

Conclusion

So what if you’re reading this and you’re like “okay, I recognize the risks and practicalities of Bitcoin but I’m still really interested and I want to learn more and get involved? Can you write about it?” No. I still want to keep my website aimed at beginners and introductory stuff, and I just don’t think that Bitcoin falls into that category. Furthermore, because I have chosen not to invest my time into studying cryptocurrency, I don’t think I’m really qualified to give any advice on it aside from “be careful.” But I am fortunate enough to have fallen in with a crowd who seem really knowledgeable and passionate about the subject. So if all the current talk about the latest astronomical rise of Bitcoin has you curious and interested, I highly encourage you to head over to Decentralize Today and see what they have to say about Bitcoin and other cryptocurrencies, or check out Opt Out Podcast, which is hosted by the highly knowledgeable Seth For Privacy and many of his first season interviews discuss a variety of cryptocurrencies and technologies and how to best get started using them. These sources are far more knowledgeable than I am and I think they can probably help you get started with understanding how it works, what the advantages and disadvantages are, and maybe offer some educated speculation on what the future might hold.

Is it Bitcoin worth all the buzz? It depends. It certainly has its potential and its uses, but it’s not right for everyone, and while I personally don’t think it’s my place to get involved I didn’t want to just ignore this important and widely-discussed piece of the privacy puzzle. So I hope that this blog post has given my readers some information to make their own informed decisions with. Good luck, and move forward with caution! As always, there’s lots of bad people out there looking to make a quick buck off a buzzword. Make sure you’re armed with knowledge before you rush into anything.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

2020 Recap/2021 Plans

January 2, 2021

What a year this has been, in more ways than one. But I’m not here to talk about the obvious, global stuff. In what I hope to make an annual tradition, I’m here to look back at my calendar year and see how well I met my goals, and set new ones for the upcoming here. I will be making these judgments based on my blog post from January of this year.

Looking Back: What Worked

One of my stated goals was to host quarterly cryptoparties in my area. Well, obviously that didn’t 100% pan out thanks to the pandemic and lockdown rules. I did, however, move those cryptoparties online to become webinars. I originally set my aim for 3 of them in 2020 beginning in Q2. I mostly met this goal. I missed my Q3 webinar due to lack of preparedness on my end (I have no excuse, it snuck up on me). I did, however, do both Q2 and Q4 and I have my next scheduled for Q1 2021. So even though I didn’t 100% nail it, I’m willing to call this a success for getting back up and sticking with it.

I said that I hoped to attract more financial support (I will have a financial breakdown at the end), and I did. At the time of publication, I have 4 patrons on Liberapay and make $3.95 USD per week. So also a win. (Also that's a bad goal cause that's not really something I can control, but c'est la vie.)

While I didn’t state these goals, these were some additional successes I had: I started a weekly current events podcast that I have thus far managed to maintain regularly, I continued to post blogs weekly, and I was invited to be a regular contributor on Decentralize Today which I am attempting to write for weekly on privacy topics in 2021.

In digital growth, I went from just over 100 followers in January to over 650 at the time of this post! That’s over 500% growth in a year! Holy cow! But it’s not just that. The blog has 16 fediverse followers and 15 email subscribers with over 21,000 views! The podcast has a combined total of almost 50 listeners and over 2,000 listens across the available platforms. And most incredibly, the site itself has steadily grown with 923 unique visitors in January and just shy of 5,000 last month! That’s a total of over 28,000 unique visitors this year! (Don’t panic, I asked my hosting provider what analytics they collect and it’s only IP address, so that’s all the information I have access to and frankly more than I want). This year has been mindbogglingly incredible. I know this is something everyone says and it sounds cliché but seriously, thank you SO MUCH! This is incredible and I’m so grateful for all of you!

What Didn’t Work

As I said, I missed one webinar totally, and even the ones I did run had a few technical mishaps getting up and running. Such is life when you run multiple operating systems and only stream a few times a year. Even so, I hope to smooth out that process and get it right as I move forward.

I had mentioned I was hoping to add a second Tor relay. I did not do that. I am still hoping to rent an offsite server and host an exit node. Sadly that has not come to fruition yet, mainly because I’m waiting for a server to open up in New York – I think we need more US-based servers (you can take or leave that opinion, that’s okay) and I think New York makes the most sense since it has the highest population in the US and therefore traffic coming from there would blend more easily, I hope. Either way, the provider has said they’re fine with me running an exit node so at least I don’t have to worry about that.

I also mentioned possibly adding to the list of federated services like Mastodon, Peertube, or more. Sadly I was also unable to do that. They are still very much goals of mine.

Financial Transparency

This year, I made $119.96 USD through Liberapay. I did not receive any other compensation related to this project.

I incur the following costs directly related to this project Web hosting: $52.82/year Write.As Pro: $45/year

All leftover income ($22.14) went towards covering my own personal, peripheral expenses such as internet, housing, food, time, and I pay for ProtonMail Plus which is connected to my TheNewOil@protonmail.com email address. In the future, if my income continues to grow, I will be more transparent with these costs but I trust at this time that you all are convinced that $22 did not cover any one of these expenses completely. (Fun side note: it wasn’t until I typed this out that I realized that technically this project is now solvent. I guess that means it’s time to expand.)

Goals for 2021

My goals for 2021 are basically the same as they were last year: continue to grow. Thanks to feedback from my wonderful readers like you, I have made dramatic improvements to the site both in content and design. I am also hoping to launch a new podcast series in late Q1 or Q2 in addition to my weekly segment. I am hoping to launch a series of video tutorials and in-depth blog posts to add more depth to my site. I am going to begin consulting services in 2021. I am also continuing to attempt to reach out into the real world and speak at conferences, organizations, and pretty much anyone who’s interested in hearing my message.

I am also working on ways to ethically monetize this project. I am currently seeking affiliation status with some of the services I offer, but I will continue to offer non-affiliate links for those who are uncomfortable using affiliate links. I’ve also been asked about possibly translating the site into other languages. This is something I would love to do. I think far too many privacy sites are western-focused, specifically in America. I need to check with my hosting provider about the best way to do this, but if you speak another language and are familiar with the various privacy practices that are legal there and the cultural norms, I would be very interested in having your help with this. And as, mentioned in last year’s report, I am still involved with my local EFF chapter. I hope to get us organized toward a facial recognition ban in my area, but I’ll help with whatever they need from me.

This past year has been incredible and humbling. The support I have experienced from all of you is just mind-boggling and I cannot express enough how sincerely, from-the-bottom-of-my-heart grateful I am to all of you. This growth would not have happened without all of you: without you sharing my site, sharing my blog posts, sharing my podcast, and of course contributing to my Liberapay. I am so eternally thankful. I don’t fully know what all the future holds, but I promise you that I am not planning to abandon this project any time soon, so I look forward to a successful 2021 filled with more growth, more security, more privacy, and more changing the world one person at a time. Thanks for being part of this with me. Cheers!

How to Fail at Privacy & Security

December 26, 2020

Often times we look at success stories and go “this is what this person did right and why they succeeded.” This is great, and there’s a lot to be learned from that. However, I do believe there’s also a lot of benefit in examining failure and learning what went wrong. I’m a firm believer that a failure is only a failure if you fail to learn a lesson from it, even if that lesson is “don’t invade Russia in the winter.” So this week, let’s look at some of the top ways that you can fail in securing your own data and how to avoid them. As usual, this list is in no particular order.

Accepting the Default Settings

One of the easiest things you can do to take control of your own security and data is to browse the settings on your accounts. When was the last time you checked any of your app or account settings? Personally that’s usually the first place I go. In addition to doing things like enabling two-factor and dark mode, the settings are where you can often find really basic privacy settings like “make my profile private” or “don’t share my data with advertisers.” These settings alone will not make you as private as you can be, but they help a lot and they’re easy to change. Start small and stop the most obvious data streams you can find.

Never Making Requests

Most privacy and security products only work if both parties are using it. For example, end-to-end encrypted services like Signal or ProtonMail are only truly end-to-end encrypted if both parties are using Signal or ProtonMail (or another PGP-based email account). So if you never ask the people around you to switch to the same service as you, you’re not really getting the full benefit. There’s definitely still benefits, but it never hurts to ask the people around you to respect your values and consider switching. Often times – especially for people with social anxiety or low self esteem – it can be hard to ask other people for favors because you think you’ll be inconveniencing them, but just asking is not a big deal. So don’t be afraid to make your privacy preferences known by asking people to respect it. “Hey, would you mind using Signal to text me from now on?” “Hey, can we try using Jitsi for the weekly staff meeting instead of Zoom?” “Would you mind unplugging Alexa when I come over to visit?” The worst you’ll get is a polite “no.” Often you’ll get a “what’s that/why?” and then you can explain what the service you’re suggesting is and why it would benefit the person you’re making the request of. More often than not, you’ll be surprised by the amount of “yes”es you receive. There is definitely a fine line between making a request and bugging someone. If you ask to use Jitsi instead of Zoom every week, your boss may get tired of hearing it. But bringing it up once or twice will rarely offend anyone, and if you don’t ask the answer will always be no.

Not Doing Your Research

My partner is a big consumer of media. Hulu, Netflix, CrunchyRoll, YouTube, she loves it all. I’m more discerning with my content, but out of love for her I agreed to acquiesce and get a smart TV when we began living together. We made a few compromises: no microphones, no cameras, and I get to pick the TV. Ultimately, after a lot of research, I settled on a Roku TCL. There’s a specific reason I chose this TV. First off, Samsung TVs were right out due to having known NSA backdoors. I don’t think I’m a target of the NSA, but there’s no such thing as a backdoor that only good guys have the keys for. If the weakness exists, bad guys can exploit it, too. Second, I wanted a TV that had a solid history of receiving manufacturer updates to the software. Of course, I also took responsibility for setting up the device, which meant putting it on a VLAN, creating an account using a masked email and strong password, never putting in any payment details, and disabling all the data-sharing options I could. This isn’t an ad for Roku, this is an explanation of my research process. Imagine if I hadn’t done my research and instead just looked for the best deal at my local store: I could’ve walked out with a TV that never gets updated. This isn’t just a security risk. Our TV has had its fair share of bugs: freezes, crashes, twice we’ve even had the mute get stuck on. But our experience is improving as time goes on and Roku keeps pushing out new updates. Very few other TVs get updates, so we’d still be living with those bugs if we had gotten a different TV. We also never have to look at our TV and go “man, I really hope nobody is on the other side of the camera taking snapshots of us in our underwear.” Finally, as I mentioned above, I took the time to disable many of the more invasive “features,” which means I also have less concern about the data being recorded. (For the record, I do still have some concern, but I sleep a little better knowing we’re spewing out less data than the default).

Now of course, this was a multi-hundred dollar investment. I expect that the research will be proportional to the cost and sensitivity of the tool. I spent less time investigating my XMPP server because I don’t really use it very much. I spent much more time investigating ProtonMail and Tutanota because I do use email a lot, and sometimes for very sensitive purposes like banking and medical. You don’t have to spend forever deep diving into every single tool out there: figure out what you want from it, determine how much trust you’re placing in it, then do the appropriate amount of research.

Not Making Time to Implement

My dad imparted one phenomenal piece of advice that has stuck with me for decades: “If something is important to you, you’ll make time for it. If it’s not, you won’t.” To my dad, there was no such thing as “I don’t have the time,” but rather “I don’t want to make the time.” And that’s totally fair if you don’t want to make the time for something. But if there’s something you actually really want to do and you don’t make time for it, then you’re just doing yourself a disservice. If you want to make your life more private and secure and you don’t make time to actually do this stuff, then you’re only cheating yourself. I totally understand that some of this stuff takes work. Signal can be downloaded and set up during a Hulu commercial break, so there’s really no excuse for that one. But signing up for a password manager or moving email accounts, that can take some work and that may not be something you want to do after a hard day of work. I totally respect that. But if you don’t put it on your calendar and say “okay, this weekend I’m gonna migrate to Tutanota/ProtonMail/whatever,” you’re failing yourself. Make time to make the changes you want to make. Don’t keep telling yourself “tomorrow.” Put it on the calendar and let your roommates know you’re busy that afternoon.

Failure is only failure if you don’t learn from it. Maybe you’ve been guilty of some of these things in your own life so far. Maybe you haven’t made time to implement, or you’ve only been using tools others recommend instead of researching it for yourself. But now you’re aware and you can use that awareness to break the cycle. Remember to always seek room for improvement, both in your own personal growth and in your security.

Privacy-Respecting Video Chat Apps for the Holidays

December 19, 2020

Hopefully the end is in sight for the COVID-19 pandemic. In my state, the vaccines arrived on Monday. I know it’s still going to be a months-long process, and I’m not even going to comment on how politics has shaped the issue. The point being, while the end may be near, it definitely won’t be here before Christmas and New Years. As such, many people will be spending this year alone, isolated away from family members who are elderly, immuno-compromised, or otherwise at risk just to play it safe. But that’s no excuse not to literally see your family. So this year, I explore some of the best privacy-respecting options for video chat that can help you and your family stay a little better connected this year, even from a distance. This listed is presented in alphabetical order, not any sort of order of superiority.

Jitsi

Jitsi gained almost overnight popularity in the privacy community around the start of the pandemic as an open-source, privacy-respecting alternative to Zoom. Jitsi offers lobbies and password-protected rooms, as well as end-to-end encryption. You can self-host your own instance or use the default instance (or you can use any other publicly-available instance – shoutout to The Calyx Institute – but the default public instance is fine for most people). My favorite feature of Jitsi is that it offers the ability to share your screen with audio AND your camera and audio at the same time. So Jitsi offers a great way to stream a movie with family while still being able to communicate. Oh and the best part? No app or account needed. You can use it straight from your browser. I'm gonna be honest: for 90% of people, Jitsi is going to be your best, easiest, and most feature-rich option. However, other options do exist.

Honorable Mention: Brave Together

I’m still very much on the fence when it comes to Brave. On the one hand, the company is a for-profit that has done some things in the past that I personally find very intentionally malicious and unethical. On the other hand, they are really on the bleeding edge of privacy and security features for a browser, and they’re basically a “set it and forget it” tool. In recent weeks, I’ve come to compromise on this by saying “Brave is best for non-tech people who care about their privacy but REALLY don’t trust themselves with even the basics.” As such, it’s worth mentioning that Brave comes prepackaged with Jitsi built into the browser, able to host or join a Jitsi meeting with just a few short keystrokes. Personally I don’t think this counts as a reason to use Brave, given that Jitsi doesn’t require any sort of app or account to begin with, but if you already have a loved one using Brave, this might be an easy way to get them to the video call.

MySudo (iOS Only)

MySudo is one of those apps I personally can’t live without. It’s not open source, which is a huge bummer, but it allows you to create up to 9 phone numbers (with email addresses) that are capable of supporting both phone calls and text messages. This app is essential to me in my personal life, allowing me to compartmentalize banking, work, personal, online selling, etc. These features cost money, but fortunately there are other features that don’t cost money: contacting other users. If you’re an iOS user, MySudo is now allowing group video calling of up to 5 users. I expect the feature will roll out to Android in the future. Anonyome seems to focus on iOS then Android. Even if your entire family isn’t using iPhone, MySudo still offers unlimited, free, end-to-end encrypted calls and texts between MySudo users. It’s worth checking into.

Signal

Signal, one of the golden standards of secure communication in the privacy and security community, offers some of the best encryption the world has to offer. The app is regularly used by politicians and law enforcement in the US, the entire EU Commission, and the encryption itself has been integrated into WhatsApp, Facebook Secret Messages, Skype Private Conversations, and Google’s new Android competitor to iMessage, as well as numerous other high-profile messengers. This year, Signal finally rolled out the ability to use video on desktop and just this month rolled out the ability to have group calls of up to five people. The downside to Signal is that it currently does require your phone number, but since the context of this blog post is talking to family members, I suspect that probably won’t be a huge problem for most of my readers.

Honorable Mention: Apple's Facetime

Let's be 100% honest: Apple is not a privacy-friendly company. They claim they are, and they are definitely a step above Android. Apple has repeatedly fought back on creating encryption backdoors for the FBI, and many cybersecurity experts claim that Apple is more private because they sell hardware at a premium rather than selling your data. Having said that, Apple has repeatedly been caught in numerous privacy scandals, and they still record far more data than necessary. Point blank: I think literally any other suggestion in this blog post would be better than using an Apple app. Having said that, Apple's Facetime communications are end-to-end encrypted. If you have a wide level of Apple usage in your family, I would recommend using Facetime over Zoom, Skype, Facebook, Portal, or any of the other mainstream video chat apps out there. Once again, I still think you'll get better protection by using Jitsi or Signal, but if your family refuses to use those and does have Apple products, I think Facetime is the lesser evil. (Although, personal opinion, if your family refuses to use Jitsi they're really not even trying and you should reconsider your relationship with them. But this is a data privacy site, not a family relationship site, so enough on that.)

Hopefully this post helps you find a way to keep in touch with your loved ones this year as the world continues to grapple with the pandemic. Hopefully next year things won't be so dire and we can all move back to in-person meetings. Until then, stay safe and stay connected – why not at the same time?

“There’s A Problem With Your Package From Amazon”

December 12, 2020

Security researchers at Check Point have warned that phishing attacks related to online shopping and shipping of goods has risen 440% in November, indicating a huge rise as people are shopping for the holidays – even moreso online with the global pandemic this year. As such, this seems like a great time for all of us take a moment to remember the basics of phishing and how to protect ourselves.

What is Phishing?

Phishing is a technique almost as old as the internet itself. Phishing is when a malicious actor attempts to get someone to click on a link for malicious reasons. A few common examples you may have seen may include “there’s a problem with your PayPal account, login here to resolve it” and then it takes you a login page that looks real but actually forwards your login credentials to the attacker, or an email that says “here’s those files you wanted” and then includes what appears to be a Word document but it’s actually a virus. Typically, the goal of phishing is to get access to a person’s account, but sometimes the goal can be to plant ransomware, make a botnet, or pretty much any nefarious purpose. Don't underestimate phishing: it may seem silly and hard to fall for, but it's been one of the top methods of “hacking” since forever. I forget where I read this so I won't quote it as fact, but I do remember reading once that a former NSA officer admitted that it was the NSA's primary method of gaining access to a targeted account, even over all the other fancy hacks and resources available to the agency.

So What are the Defenses?

The main defenses against phishing come down to three major principles:

1. Vet your emails. If you get an email from FedEx about a problem with your package, first off did you order a package? Second, did it get shipped FedEx? As a more year-round example, if you get an email from a coworker with an attachment, were you actually expecting that attachment? Don’t be afraid to ask questions. If you weren’t expecting that email, call them and ask to make sure it was them.

2. Don’t click the link. Instead, go directly to the website and log in. For example, if you get an email from Amazon saying there’s a problem, go directly to Amazon and log in there. If the email was legit and there really was a problem, you’ll be alerted to it as soon as you log in. If you click the link, it might take you to a page that looks exactly the same but isn’t and scammers have gotten real good at faking it. Don’t trust yourself to catch it. These guys get rich off scamming people smarter than both you and me. Don’t risk it. If it’s an attachment, I think most of the time it’s probably safe to open (assuming you verified you were expecting it), but if you’re fairly tech savvy it could be a good idea to set up a virtual machine that you use strictly for opening email attachments to ensure that they’re safe.

3. Keep your antivirus updated. New malware is being built and discovered constantly, and no matter what antivirus service you use, they are doing their best to keep their definitions updated. By keeping your antivirus software up to date, you ensure it that it has the most recent definitions and it has the best chance of spotting a virus before it even gets in.

Advanced Defense

As with almost anything in privacy, there’s also a higher level of work you can do. For starters, using Linux greatly reduces the number of threats aimed at you. This is not a silver bullet. Malwares targeting Linux do exist. However, since Windows has over 75% of the market share (and is most commonly used by governments, educators, and other industries), most attackers focus their attention there. This means that just by using Linux, a great number of malware isn’t compatible.

Another advanced technique would be to use Virtual Machines. You can create a Fedora virtual machine for free in minutes and it will not only provide you with the excellent security of the Fedora Linux distribution, but also the additional advanced security of having a virtual machine. Think of a virtual machine as a computer within a computer, totally isolated from the device that it’s actually running in. While breaking outside of a virtual machine is not impossible for malware, it is incredibly difficult. You can create a virtual machine that you use exclusively for opening suspicious emails and attachments and further enhance your security.

Of course, whether you stick to the basics or try some advanced techniques, you should be using strong passwords and two-factor authentication on all your accounts. That way, even with the virtual machine strategy, your email account is unlikely to be compromised or taken over by malware. Remember to be on guard this holiday season, and I hope all your packages arrive on time and unbroken.

“Open Source” Does Not Always Equal “Safe”

December 5, 2020

On this website, and on many other privacy and security websites, you will find people espousing the gospel of open source technology. This is an important thing. This year, Switzerland suffered two separate scandals where the US Central Intelligence Agency was found to be operating shell corporations within the country who sold tech equipment to foreign governments and armies that were equipped with encryption backdoors, giving the American intelligence community easy, front-row access to the sensitive communications of other nations. Open source could’ve prevented this. Open source software would’ve allowed anyone to look at the programming and operating system on the device and say “hey, something’s not right here.” However, I think that sometimes the privacy community oversells open source.

I often see privacy newbies espousing open source without knowing why. I see people say things like “I heard [X Service] is bad because it’s not open source,” but they don’t actually know why that is. The answer is that open source – as a general rule – tends to respect your privacy more than the average person. Because the code is open, anyone can examine it to ensure that it does what it says. Additionally, because anyone can examine it, people are more likely to find bugs and offer fixes that can be quickly implemented. However, the operative word in there was “can.”

A recent study from GitHub found that on average, vulnerabilities exist in open source software for over four years before being patched. Now it’s important to understand the context of this study: GitHub examined 56 million developers and over 60 million repositories. Out of those 60 million codes I'm certain that many of them are just hobbies, uploaded by the creator as a backup, abandoned, or even as a “I made this for myself but if anyone else wants here, it is” thing. Those all probably came with “buyer beware” terms. But even that can only account for maybe a few ten thousand, at the most. Most of these codes were probably uploaded with the intention of being shared and spread around.

Here is where we run into an interesting issue. I believe in supporting the little guy. Everyone was once a little guy. Walmart, Starbucks, Microsoft, everyone. And you can believe that those big guys have since lost their way, and maybe that’s true, but the point is that they were once little guys. Even in the open source communities, the rockstars – Ubuntu, Bitwarden, Signal – they were all once nobodies. The little guys need our support to become sustainable and successful. I firmly believe and respect that. But the little guys come with risks that need to be recognized. Security researchers are people, too. They have day jobs (usually, some of them are lucky enough to be full time researchers), they have personal lives, and they only have so much time they can devote to examining code. The smaller the developer, the less popular the code, and that means the less eyes on it examining it for weaknesses. In a big, well known project like Signal and Mastodon, there’s thousands or even millions of people using it and laying eyes on it – not to mention many of them can afford to pay for proper security audits. But in smaller, lesser popular projects not so much.

So no, open source doesn’t automatically mean privacy respecting or secure. Most malware is, by definition, open source. Once a malware gets discovered, there’s websites where researches can share it so that other researchers can examine it, pick it apart, update their own virus definitions, and otherwise study it. Malware is literally “malicious software.” It’s a perfect example of how open source does not automatically mean private, secure, or safe. So does it still matter? Yes! All things being equal, open source is always better. The potential still exists for the code to be reviewed by someone who understands this stuff and to be improved upon. The potential also exists for someone else to come along and go “hey, this is a great project but this particular thing could be better, here’s my fork of it.” This is why there’s a billion web browsers out there, because someone saw something open source like Firefox and Chromium and said “could be better.”

Is it actually better? That’s a tough question. That’s where threat modeling comes in. But it’s important that you be educated when building your threat model. Open source is better, unarguably, but it doesn’t mean you should blindly trust it anymore than the use of the word “encrypted.” It’s how the encryption is implemented that matters, and it’s how the open source nature of the software is used to better the software that determines if it can be trusted. You still need to consider what information you’re planning to entrust to that software, what could go wrong, as well as a host of other considerations like update frequency, reputation, and more. As a fellow little guy, I’m not saying don’t trust the little guys. But I am saying to exercise caution.

Five Privacy Respecting Gift Ideas

November 28, 2020

It’s the gift-giving season, and so this week I think I’ll stay on topic. Now of course, your mileage may vary. Not everyone will appreciate these or have the tech savvy to use them. It’s up to you to know what gifts are right for what person and what would actually make a good gift. But below are some items that I personally have dealt with or have my eye on that might also make good gifts for yourself, your home, or a tech-loving loved one around you. These gifts are not listed in any specific order.

iPhone SE: $400

I’m gonna piss off a lot of privacy people right off the bat with this one, so let me remind my readers that this site is aimed at normal, not-tech savvy people. If you can convince your friend or family member to use CalyxOS or a Pinephone – or you yourself are willing to do so – please do. But chances are that if you’re reading this, you’re either not comfortable flashing a phone yourself or you have family members who wouldn’t be comfortable using a flashed phone. When it comes to stock operating systems, I personally preach iOS over Android every single time simply because iOS has better security. They’re both pretty abysmal for privacy, so iOS has the edge in the security department. As such, if someone you know is in the market for a new mobile device, the iPhone SE series is my recommendation. It’s inexpensive (for a smart phone), and unless your loved one is a heavy app user it’ll do the job perfectly.

Silent Pocket Products: $10-$400

Silent Pocket sells a wide variety of items that help keep your devices off the grid to various degrees. This could include wallets that resist RFID tracking and wireless credit card chip skimming all the way up to full-on Faraday bags for laptops that black ALL wireless signals. If you’re reading this, you probably don’t see the need for a Faraday bag and personally I think that’s outside my own threat level, too, but like I said they have a lot of other really amazing products like phone cases, wallets, passport card holders, backpacks, and a multitool that has spots for your keys. If you or someone know is really into gifts that have a practical use, definitely check this site out.

A Better Router: $150-$515

The internet in our homes is something we typically don’t think about until it goes out. But it’s also one of the most critical things we have these days. Most people don’t think about their router or the settings, but you can do your family a huge favor by getting them a new router and securing it for them. They’ll probably never even notice, but you’ll rest easier knowing they’ve gained a new level of privacy and security. The routers I’ve linked here come pre-loaded with DD-WRT, an open-source firmware that allows you to do all kinds of powerful things like a load a VPN or a firewall or VLANs onto the router itself, meaning that any device that connects to it will automatically be protected. This is probably the most technical suggestion on this list, but if you can figure out your own router settings you can definitely figure out these ones, too. All the hard work has already been done for you.

A Pinebook Pro: $200

Pine64 is a nonprofit that aims to make ethical, open source Linux machines accessible and affordable to the masses. To that end, they have released the Pinebook Pro, a $200 laptop that ships with Debian, which is an operating system I recommend anyways. Just like the routers above, this is a device that you don’t have to worry about installing or setting up yourself. Debian is incredibly user friendly and there’s a ton of support online if you have any questions about it. However, it should be noted that the specs on this computer are slightly below average (in my opinion). If you or your intended gift recipient only uses your laptop for browsing the net, checking your email, and streaming Netflix this is more than enough. But if you use it for any kind of photo editing, video editing, gaming, or highly specific and specialized software that can only run on a Mac or Windows, this may not be the best gift idea.

Books

If you or someone you know is a big reader, there’s a wide range of privacy and security related books, ranging from philosophical to “how-to” to fiction. In the nonfiction category, we have “Click Here to Kill Everybody” by Bruce Schneier and “The Age of Surveillance Capitalism” by Shoshana Zuboff. In the How-To books, try “Extreme Privacy” by Michael Bazzell or “The Personal Digital Resilience Handbook” by David Wild. And for fiction, popular recommendations in the privacy community include Cory Doctorow’s “Little Brother” series and “The Circle” by Dave Eggers.

Like I said, not all of these are great ideas. It’s up to you to know the people in your life. But even if you know people who aren’t crazy about privacy, some of these ideas might still work. You could buy your sister a phone case or a wallet from Silent Pocket. You could get your brother “Little Brother” from Cory Doctorow. You could get your mom a Pinebook or an iPhone. Granted, the Pinebook may require some getting used to, so first make sure they’re willing to learn a new operating system, but it’s not hard to get used to once you get over that initial learning curve. Hopefully this list has at least given you a few ideas. Good luck on your gift shopping, and remember to shop smart.

Does the Country a Service is Headquartered in Matter?

November 21, 2020

On my website, I list the country a service is located in as either a point for or against them. As a sort-of explanation, I also link to the Wikipedia page about the Five Eyes intelligence community. Likewise, you will often see people in the privacy community asking questions or debating about the location of a company and why it pertains to the privacy of a specific product. So this week I ask: does it really matter?

What is “Five Eyes”?

If you didn’t click the link above – or just didn’t understand it – the “Five Eyes” refers to an intelligence agreement between the US, UK, Australia, Canada, and New Zealand. It was originally born out of the cold war as a way for democratic countries to keep an eye on the spread of communism, but the agreement lives on to this day. The basic premise of Five Eyes is that those five countries share intelligence with each other generously. The agreement is primarily aimed at “signals intelligence,” which means basically any form of electronic or telephony communication, but they're known to share other intelligence as well.

The problem that pertains particularly to privacy is what Edward Snowden revealed about the Five Eyes agreement in 2013, which basically boils down to “the Five Eyes countries spy on each other’s citizens then share with each other as a loophole.” In the US, the US intelligence agencies aren’t supposed to spy on US citizens without a reason. Same thing in the UK. But the US is totally free to spy on UK citizens and then share that data with the UK, and vice versa. That’s a simplified version of how it works.

There are also other “Eyes,” such as Nine and Fourteen, as well as specific “Eyes” aimed at certain counties (ex: “Five Eyes Plus Three Against North Korea”). All this really means is how many countries are involved. Typically the wider the Eyes, the less comprehensive the data sharing. So the Five Eyes are the most invasive countries and share the most openly, while the Fourteen eyes are less invasive and share less (but still invasive).

How Does This Relate to Privacy and Services?

Country of origin determines the laws and practices a company is subject to. A company based in the United States will be subject to US law – taxes, worker rights, and even surveillance. A US-based company will be caught up in the Five Eyes dragnet, and a US company will have to turn over any data requested by a warrant from a US law enforcement agency such as the FBI. For example: I run a Nextcloud server out of my home. It’s small and it’s only for friends and family. If my city, county, or state police or the FBI came to my door with a warrant and said “we need you to clone your mom’s data and give us a copy,” legally I’d be forced to comply. But if I move to Canada, the situation changes. My mother – who still lives in the US – is under investigation. If it’s a local investigation, police aren’t going to bother with the international red tape of asking me to hand over her data. They might ask, but since it crosses international lines and their resources are limited, they probably won’t bother making it an official, legally-binding request (unless they suspect the data I possess is key to their case). Even the FBI will meet a few more roadblocks in the process. Not many. They have the resources, and Canada is a friendly country with the US, so they’d probably get the approval. But it’s not as easy as it was before when I lived in the US.

As such, a lot of people in the privacy community prefer to pick services that are run by companies that are based outside of the various Eyes communities. The further outside, the better. A company in Germany is superior to a company in America because Germany is part of the Fourteen Eyes, which is better than the Five Eyes. But a company based in Switzerland or Finland is even better because those companies aren’t part of any Eyes. The roadblocks required to get the data – from both a legal and a surveillance perspective – are much higher.

Is This Actually Effective?

The short answer, in my opinion, is no. This stuff doesn’t really matter. As my long-time readers know, I don’t encourage breaking the law. Ideally you shouldn’t be doing anything that gets you on the law-enforcement radar in the first place (I’ll come back to that in a moment). But first let’s talk about surveillance: the Five Eyes are spying on EVERYONE. The idea that your data is somehow magically safe because the server is in Finland is as ridiculous as saying that I’m somehow magically safe because I put my seatbelt on when I drive. Obviously I do, seatbelts dramatically increase my odds of survival in a traffic collision, but the seatbelts don’t do a thing to stop someone from hitting me. Likewise, putting my data in Switzerland helps, but it's not a magic bullet.

Before I go on, I need to explain how the internet works at the global level. At the very top of the network food chain are “Tier 1 networks,” which are basically the internet service providers of the internet service providers you and I know and use like Comcast or Time Warner. According to Wikipedia, most Tier 1 networks are headquartered in Western countries like France, Germany, the UK, and the US. A couple are in places like India and Hong Kong. If you remember the list of eyes from before, this means that virtually every single Tier 1 provider is based in an eyes country, over half of them in Five Eyes alone. Choosing a country that’s outside Eyes jurisdiction does make surveillance slightly harder, but considering that literally all network traffic needs to route through a Tier 1 network and 88% of them belong to the Eyes, it also makes that surveillance relatively trivial. The Eyes own the internet. Not to mention there's absolutely nothing to stop state actors from setting up totally legal shell corporations in foreign, non-Eyes countries and then using those to spy on the locals.

So does that mean you shouldn’t care at all? Of course not. As I said, picking a country outside the Eyes does make surveillance a little bit harder. While the traffic still passes through Eyes infrastructure and into Eyes territory on your device, if you're doing it right that traffic is encrypted and the data itself rests outside of Eyes jurisdiction. That does count for something. Earlier I mentioned not to get yourself caught in the crosshairs of law enforcement, but we all know that law enforcement is not perfect and mistakes happen. People get wrongfully targeted, arrested, and convicted all the time. Putting your potentially-incriminating data outside the hands of the law so that they can’t use it against you is a great consideration.

However, you should consider the location of a service a lot like the color of a car: ideally you’d like to have one color, but it shouldn’t be the deciding factor. The deciding factors should be the other things I discuss when I list services on my site: how strong is the encryption? Is the company transparent? How is the privacy policy? What information do they log? Can they access your data? Under what circumstances will they hand over their logs/data? I fully expect any legitimate company to comply with a lawful warrant or request, but I also take comfort in knowing that a company will push back on a request it considers unfair (Tutanota and ProtonMail both have a documented history of this, by the way). So rather than “where are they located?” you should ask “what kinds of requests will they push back on?” How is the company’s reputation? And then, once all factors have been weighed, that’s when you should give the country of origin a thought. One reason a lot of people prefer companies based in Germany and Switzerland is because those countries have privacy laws that are superior to the US (though also not perfect). But if you're using companies who are zero-knowledge, don't log data (or log as little as possible for as short a time as possible), and use strong encryption, then the country means almost nothing.

Safe Shopping: 2020 Edition

November 14, 2020

Last year, I posted the below blog. After “Black Friday.” Whoops. This year, I thought it worth posting again – this time beforehand! – since my audience has grown dramatically (thank you so much! Seriously, I am so humbled!), but updated to reflect both advances in technology and the global pandemic where necessary. So without further adieu, the 2020 guide to safe holiday shopping!

With gift-giving season officially beginning in the United States (and at least a few other places, I presume), I figured this would be a great time to discuss safe shopping tactics. I don’t feel like this needs any sort of real introduction, it’s pretty self-explanatory, so let’s begin.

Pay with cash in person. There’s a large push for card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-crazy, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.
Of course, online shopping has long been popular, and even moreso this year. For online transactions, use pre-paid cards (such as the Vanilla card) or card-masking services like Privacy.com, Blur, MySudo, or ViaBuy (if you live in Europe) to avoid having your real information stolen. If a scammer steals your info, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. So I definitely encourage you to use a masking service of some kind. Be aware that Privacy.com and MySudo essentially function as banks in this scenario, so they will ask for some personal information that some people may not be comfortable with. Blur is a little less invasive, but you’re basically just creating digital pre-paid cards. Personally I’m a fan of Privacy.com for a lot of reasons, but this isn’t the time or place. Feel free to check out all of the solutions suggested and see if any of them are right for you.
Use HTTPS. HTTPS is a powerful and effective encryption method for data-in-transit (aka web traffic) that helps protect your sensitive information as it shoots across the web. The vast majority of the internet is now securely encrypted so you’re probably covered, but be vigilant anyways. Just this month I tried to order some food for takeout and the webmaster had accidentally let the certificate lapse, so they didn’t have HTTPS. Thanks to the browser plugin HTTPS Everywhere, I was alerted and avoiding sending my card information on a potentially unsecured website. This plugin will automatically ensure an HTTPS connection wherever it’s offered, regardless of search engine or browser settings, and alert you if one isn’t found so you can decide if you still want to use the site or not.
Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the hacker who hopefully didn’t steal your information because you already implemented the above bullet points.
Don’t quit on December 26. The thing about these habits is that they’re great year-round, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. HTTPS can protect your Facebook login from a random hacker just as much as your card number. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. HTTPS is something that takes just a few minutes to set up and you never have to think about it again. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work (if you have a concern about stalkers, you may want to consider getting one in a nearby town instead). Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!

A Detour into Diet Apps

November 7, 2020

One thing I really envy Android users on is their access to alternate app stores, like F-Droid and Aurora. My partner approached me earlier this week and asked if I’d be willing to go on a diet with her as a show of solidarity. Not the same diet, just a diet. As I stepped on the scale to begin, I begrudgingly admitted that she was on to something and I’ve put on more weight than I realized. Ever the one to look for a silver lining though, I figured this might be a good time to dig through some of the most popular diet-tracking apps in the iOS app store and see which one was the least offensive. So this week, I’m sharing that with you.

I chose my apps based on a combination of “top” lists found on DuckDuckGo and which apps popped up first when I searched in the app store. I am rating them based on their privacy policies, specifically “information we collect.” I have organized them by alphabetical order. I also only highlighted things that stuck out to me specifically. I’m not really surprised with stuff like “cookies, things you willingly add to your profile, and IP address.” That’s all pretty standard. I was looking for anything out of the ordinary or alarming.

Calorie Counter +

Information collected: “first name, email address, encrypted password, personal profile (your age, sex, height, start weight, goal weight, activity levels and any other boxes you tick during sign up), Photo (if you upload this to the forum or Live Club weigh-in on the website), IP address, Mobile device ID, Your browsing behaviour (when using the Nutracheck App and website).” Uses Google Analytics. Shares information with Google and Facebook to advertise “as you browse around the internet.”

The alarming parts to me here were the fact that they shared with Google and Facebook so they could advertise to you off-site. No thanks. Other than that, pretty standard stuff although I did notice that a lot of sites require information like gender and age. I guess that’s medically relevant, but it still makes me a bit uneasy. Also what does “encrypted password” mean? Do they actually store my encrypted password, or are they dumbing down “hashed” for readers? Cause frankly, storing my actual password – even encrypted – is unacceptable.

FatSecret

Information collected: “age, gender, postal code, current and goal weight.” “IP, ISP, browser type, OS, language, profile information, profile info, food and exercise, and “general use.” “integration with other services such as Apple’s HealthKit…other services such as Apple’s HealthKit API’s and Google’s Fit APIs (all together “Health Data Services”). FatSecret will not use or disclose health data gained through Health Data Services to third parties for advertising, marketing or other use-based data mining purposes other than improving health or for the purpose of health research.”

I found a few things in particular problematic here. Let’s go in order. First, “postal code.” I realize than IP address is as good as a physical address, but why go out of your way to collect that? Next, “ISP, browser type,” and “OS.” Again, I realize that knowing my IP address is enough to correlate who my ISP is, but why go out of your way? I also know that browser type is helpful to know to make sure your site is working correctly with that browser, but why OS? And also, with the rise of CSS, I feel like “browser compatibility” isn’t really a thing as much as it used to be (but I could be wrong, I'm clearly not a web developer). “Integration with other services” combined with “FatSecret will not use that data...” means that not only will they submit the data to your HealthKit, but they’ll collect data from it, too. Finally, “for the purpose of health research.” Um, no thanks. Please don’t take my health data and then share it.

Lifesum

Information collected: “your email address, first and last name, height, weight, date of birth, and gender” upon registration. “Device identifiers (i.e. information on what device, IP-address, etc. you use to register and log on to the Services), and technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements) which is used to provide the Services and to allow Lifesum to market to you in accordance with this Privacy Policy.” You can opt out of marketing but not collection.

This is a pretty standard privacy policy, and if it seems like a lot, that’s because it is. Most privacy policies are this invasive at a base level. You’d be hard pressed to find a policy less invasive. Except for one part: “technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements).” So from what I understand, that means Lifesum is monitoring not just the app, but the device: my searches on Firefox, my location, what other apps I use, and other ads, just so they can advertise to me even more. Unacceptable.

Lose It!

Information Collected: “We may also use and allow third parties to track your browsing history profile.” “Personal Diet Data”, including, birthdate, height and weight, sex, and specific details of the foods and drinks that you consume and your exercise, and genetic results. Test results generated from a user’s genetic data. Email address and Lose It! Password. IP addresses, browser type and your operating system. Pages visited on the Websites referring and exit pages, and the dates and times of the visits. Financial information, such as your credit/debit card number or other billing information for purchases and product upgrades. Any additional information relating to you and your use of the Websites, Apps or Lose It! Services that you provide to use directly through the Websites, Apps or Lose It! Services. Location data and other information about devices used to access and interact with the Websites or App. Information that you make publicly available or publicly post using tools made available on the Websites or via the App. Information you may provide in user-to-user messages. Information collected from promotions with third party companies.”

So once again, nothing terribly bad here except that they specifically cover genetic data. If I get a genetic test, they collect the results (I assume the test has to be done through them or with one of the parties they work with). No thanks. They also collect Browser type and OS, yet again. And Location data, why? Why do dieting apps want to know my location? What are you gonna send me a push notification? “We noticed you just entered a Wendy’s. Don’t do it, bro!” C’mon.

Nutrients

Information collected: None

So this app claims that they don’t collect ANY information and furthermore than all information you enter stays on your device and never gets transmitted. But I was a little put-off by the fact that there’s no HTTPS on their website. It’s 2020. There’s no excuse for that. Also, personal opinion territory here, I noticed that in the app store the developer has another app called Donald J Trump, which seems to be just a hub for all his social media posts or something like that. I don’t know, I didn’t pay for it. Personally, I don’t support Trump, and since the Nutrients app is paid, I wanted to do a little digging and make sure that I’m okay giving my money to an organization that obviously does support him. Once I started digging on that front, I quickly noticed that there is zero mention of the Donald J Trump app on their website, which to me is kind of questionable. At the time of my research this week, the app had been updated less than two months ago, so clearly this isn’t something they just put out once and have since abandoned. This is an app they actively maintain. Why aren’t they owning up to it? Personally, I found that alone shady enough to not want to give over my money. I don’t mind if a company wants to publicly endorse a candidate, but the fact that they weren’t being fully forthcoming with it in a situation where they should’ve (in this case, not listing the app on their site alongside all the others), that personally didn’t sit right with me.

MyFitnessPal

Information collected: ? But it is collected through third party or “publicly available” sources.

So this is the one thing that bugs me more than a generic privacy policy. Their privacy policy doesn’t even exactly state what they collected. It’s already bad enough when you say “IP address, Device ID, and other information,” but when you just straight up say “we collect information that cannot be used to identify you” (first off, that’s a lie) “but is used to determine aggregate data such as usage, blah blah blah,” that’s even worse. Now you’re not even saying what’s collected. If it’s not a big deal then why won’t you say what it is? Furthermore, you collect additional data through third party and “publicly available” sources? Why are you going out of your way to collect more information about me outside the app? Just tell me how many calories my damn burger has.

MyNetDiary

Information collected: ?

This service was equally as opaque as MyFitnessPal. The only saving difference was this service didn’t claim to collect additional information from outside the app, and they also claim they never share it. Personally I find a blanket “we never share your info” claim to be suspect – especially if they do admit to collect information – because I fully expect any remotely not-shady organization to share my information with law enforcement with a warrant. So to just flat out say “we never share your information ever” already means that at best you’re telling a half-truth.

MyPlate

Information collected: device registration data (for example, the type of mobile device you use, your mobile device’s unique device or advertising ID, IP address, operating system and browser type), device settings (for example, your language preference), mobile carrier, information about how you use the Services (for example, how many times you use the Services each day), requested and referring URLs, location data collected through your device (including, for example, precise location data such as GPS and WiFi information), information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.”

So this is another one that’s not AWFUL but still not great. Let’s pick apart the more alarming parts. First, “OS and Browser, as well as mobile carrier.” Why? Does whether I use AT&T or Sprint or Verizon really affect how the app experience is for me as a user? “Requested and referring URLs,” so I admittedly am not an expert on this stuff and I have to do more learning in this area, but from what I understand this means that they can track where I came from and go to on the internet before and after their site. Why? “Location data, including GPS and WiFi information.” So in addition to my usual “why do you need my location” rant, this also suggests (or at least doesn’t rule out the possibility) that they might collect additional information about my WiFi network specifically, like SSID (aka “wifi name”), router info, and possibly even WiFi password and other devices on the network. Seems a bit unnecessary just to tell me I’m fat. Finally, “Traffic data, web logs, and other communication data.” Man that’s broad. Are you gonna access my browser history? What other traffic goes over the network? My text messages? This one is way overreaching.

SparkPeople

Information collected: We may collect your name, address, email address, telephone number and other contact information...” “We do not share your information with third parties except as set forth in this Privacy Policy.” You can opt out of direct marketing but not out of collection. “We may collect information automatically about the use of the Website, through, for example, “cookies” or “IP addresses” (as described below). SparkPeople also archives log files and uses non-personally identifying information in aggregate form to” blah blah blah, improve the website.

Sorry, but at this point in my research I was getting tired. The short version is, SparkPeople’s privacy policy is super generic. Nothing alarming, but nothing great either. Contact information, information you willingly fill out, cookies, IP address, etc.

Summary

So the moral of the story here is that everyone is tracking you. This could be an entire blog post in and of itself – and it is on many other great sites – but cookies alone were the first real way of tracking people across the web back in the early days and while new, more sophisticated ways exist, the old ones haven’t gone away. So even the most generic, inoffensive privacy policy still has a way to track you and pass that information along to data brokers, and quite frankly I’d be surprised if they didn’t. That’s easy money. I think what I found most alarming was not the generic tracking – I fully expected that – but rather how invasive some of the others get. Location data? Other device info? Network info? Why, man? Just why?

So what did I ultimately decide to go with? A spreadsheet made with LibreOffice. It’s not sexy. It doesn’t give me pie charts or histograms (I know, it could if I wanted to). It doesn’t automatically tabulate my weekly total. It doesn’t have a cute animal encouraging me or recommending tips to keep on track. That’s fine. I took it upon myself to go out and do research and use online calculators to see what my daily calorie intake is based on my goals and my body. I decided what metrics were important to me, then I went and found the daily recommendations. In fact, I got a few premium features that way. For example, one app I used in the past (which is on this list) charged extra to set goals (instead of simply counting) and to monitor my sodium and sugar. I have all those things now, plus more. It’s a little more work. I can’t just scan a barcode. But that’s okay. It works for me, and it forces me to be conscious and put in the work myself.

I hope someday that Apple will be more forgiving and allow us to include privacy-respecting apps or app stores. I know, I can dream at least. But I guess the main reason I wanted to share this – in addition to being relevant and interesting – was to remind you to read the privacy policy. You don’t have to take five hours and read the entire thing top to bottom along with the terms of service. But at least skim. What are the parts that matter to you? Look for those parts. Get a general idea of what they’re doing with your data. And not to end on a depressing note, but just remember that 99% of the time those – according to themselves – can change at any time without notice. So be on your guard.