The New Oil

Privacy and security for everyone.
TheNewOil.org

On my website, I list the country a service is located in as either a point for or against them. As a sort-of explanation, I also link to the Wikipedia page about the Five Eyes intelligence community. Likewise, you will often see people in the privacy community asking questions or debating about the location of a company and why it pertains to the privacy of a specific product. So this week I ask: does it really matter?

What is “Five Eyes”?

If you didn’t click the link above – or just didn’t understand it – the “Five Eyes” refers to an intelligence agreement between the US, UK, Australia, Canada, and New Zealand. It was originally born out of the Cold War as a way for democratic countries to keep an eye on the spread of communism, but the agreement lives on to this day. The basic premise of Five Eyes is that those five countries share intelligence with each other generously. The agreement is primarily aimed at “signals intelligence,” which means basically any form of electronic or telephony communication, but they're known to share other intelligence as well.

The problem that pertains particularly to privacy is what Edward Snowden revealed about the Five Eyes agreement in 2013, which basically boils down to “the Five Eyes countries spy on each other’s citizens then share with each other as a loophole.” In the US, the US intelligence agencies aren’t supposed to spy on US citizens without a reason. Same thing in the UK. But the US is totally free to spy on UK citizens and then share that data with the UK, and vice versa. That’s a simplified version of how it works.

There are also other “Eyes,” such as Nine and Fourteen, as well as specific “Eyes” aimed at certain countries (ex: “Five Eyes Plus Three Against North Korea”). All this really means is how many countries are involved. Typically the wider the Eyes, the less comprehensive the data sharing. So the Five Eyes are the most invasive countries and share the most openly, while the Fourteen Eyes are less invasive and share less (but still invasive).

How Does This Relate to Privacy and Services?

Country of origin determines the laws and practices a company is subject to. A company based in the United States will be subject to US law – taxes, worker rights, and even surveillance. A US-based company will be caught up in the Five Eyes dragnet, and a US company will have to turn over any data requested by a warrant from a US law enforcement agency such as the FBI. For example: I run a Nextcloud server out of my home. It’s small and it’s only for friends and family. If my city, county, or state police or the FBI came to my door with a warrant and said “we need you to clone your mom’s data and give us a copy,” legally I’d be forced to comply. But if I move to Canada, the situation changes. My mother – who still lives in the US – is under investigation. If it’s a local investigation, police aren’t going to bother with the international red tape of asking me to hand over her data. They might ask, but since it crosses international lines and their resources are limited, they probably won’t bother making it an official, legally-binding request (unless they suspect the data I possess is key to their case). Even the FBI will meet a few more roadblocks in the process. Not many. They have the resources, and Canada is a friendly country with the US, so they’d probably get the approval. But it’s not as easy as it was before when I lived in the US.

As such, a lot of people in the privacy community prefer to pick services that are run by companies that are based outside of the various Eyes communities. The further outside, the better. A company in Germany is superior to a company in America because Germany is part of the Fourteen Eyes, which is better than the Five Eyes. But a company based in Switzerland or Finland is even better because those countries aren’t part of any Eyes. The roadblocks required to get the data – from both a legal and a surveillance perspective – are much higher.

Is This Actually Effective?

The short answer, in my opinion, is no. This stuff doesn’t really matter. As my long-time readers know, I don’t encourage breaking the law. Ideally you shouldn’t be doing anything that gets you on the law-enforcement radar in the first place (I’ll come back to that in a moment). But first let’s talk about surveillance: the Five Eyes are spying on EVERYONE. The idea that your data is somehow magically safe because the server is in Finland is as ridiculous as saying that I’m somehow magically safe because I put my seatbelt on when I drive. Obviously I do, seatbelts dramatically increase my odds of survival in a traffic collision, but the seatbelts don’t do a thing to stop someone from hitting me. Likewise, putting my data in Switzerland helps, but it's not a magic bullet.

Before I go on, I need to explain how the internet works at the global level. At the very top of the network food chain are “Tier 1 networks,” which are basically the internet service providers of the internet service providers you and I know and use like Comcast or Time Warner. According to Wikipedia, most Tier 1 networks are headquartered in Western countries like France, Germany, the UK, and the US. A couple are in places like India and Hong Kong. If you remember the list of Eyes from before, this means that virtually every single Tier 1 provider is based in an Eyes country, over half of them in Five Eyes alone. Choosing a country that’s outside Eyes jurisdiction does make surveillance slightly harder, but considering that literally all network traffic needs to route through a Tier 1 network and 88% of them belong to the Eyes, it also makes that surveillance relatively trivial. The Eyes own the internet. Not to mention there's absolutely nothing to stop state actors from setting up totally legal shell corporations in foreign, non-Eyes countries and then using those to spy on the locals.

So does that mean you shouldn’t care at all? Of course not. As I said, picking a country outside the Eyes does make surveillance a little bit harder. While the traffic still passes through Eyes infrastructure and into Eyes territory on your device, if you're doing it right that traffic is encrypted and the data itself rests outside of Eyes jurisdiction. That does count for something. Earlier I mentioned not to get yourself caught in the crosshairs of law enforcement, but we all know that law enforcement is not perfect and mistakes happen. People get wrongfully targeted, arrested, and convicted all the time. Putting your potentially-incriminating data outside the hands of the law so that they can’t use it against you is a great consideration.

However, you should consider the location of a service a lot like the color of a car: ideally you’d like to have one color, but it shouldn’t be the deciding factor. The deciding factors should be the other things I discuss when I list services on my site: how strong is the encryption? Is the company transparent? How is the privacy policy? What information do they log? Can they access your data? Under what circumstances will they hand over their logs/data? I fully expect any legitimate company to comply with a lawful warrant or request, but I also take comfort in knowing that a company will push back on a request it considers unfair (Tutanota and ProtonMail both have a documented history of this, by the way). So rather than “where are they located?” you should ask “what kinds of requests will they push back on?” How is the company’s reputation? And then, once all factors have been weighed, that’s when you should give the country of origin a thought. One reason a lot of people prefer companies based in Germany and Switzerland is because those countries have privacy laws that are superior to the US (though also not perfect). But if you're using companies who are zero-knowledge, don't log data (or log as little as possible for as short a time as possible), and use strong encryption, then the country means almost nothing.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Last year, I posted the below blog. After “Black Friday.” Whoops. This year, I thought it worth posting again – this time beforehand! – since my audience has grown dramatically (thank you so much! Seriously, I am so humbled!), but updated to reflect both advances in technology and the global pandemic where necessary. So without further ado, the 2020 guide to safe holiday shopping!

With gift-giving season officially beginning in the United States (and at least a few other places, I presume), I figured this would be a great time to discuss safe shopping tactics. I don’t feel like this needs any sort of real introduction, it’s pretty self-explanatory, so let’s begin.

  • Pay with cash in person. There’s a large push for card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-crazy, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.

  • Of course, online shopping has long been popular, and even more so this year. For online transactions, use pre-paid cards (such as the Vanilla card) or card-masking services like Privacy.com, Blur, MySudo, or ViaBuy (if you live in Europe) to avoid having your real information stolen. If a scammer steals your info, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. So I definitely encourage you to use a masking service of some kind. Be aware that Privacy.com and MySudo essentially function as banks in this scenario, so they will ask for some personal information that some people may not be comfortable with. Blur is a little less invasive, but you’re basically just creating digital pre-paid cards. Personally I’m a fan of Privacy.com for a lot of reasons, but this isn’t the time or place. Feel free to check out all of the solutions suggested and see if any of them are right for you.

  • Use HTTPS. HTTPS is a powerful and effective encryption method for data-in-transit (aka web traffic) that helps protect your sensitive information as it shoots across the web. The vast majority of the internet is now securely encrypted so you’re probably covered, but be vigilant anyways. Just this month I tried to order some food for takeout and the webmaster had accidentally let the certificate lapse, so they didn’t have HTTPS. Thanks to the browser plugin HTTPS Everywhere, I was alerted and avoided sending my card information on a potentially unsecured website. This plugin will automatically ensure an HTTPS connection wherever it’s offered, regardless of search engine or browser settings, and alert you if one isn’t found so you can decide if you still want to use the site or not.

  • Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the hacker who hopefully didn’t steal your information because you already implemented the above bullet points.

  • Don’t quit on December 26. The thing about these habits is that they’re great year-round, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. HTTPS can protect your Facebook login from a random hacker just as much as your card number. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. HTTPS is something that takes just a few minutes to set up and you never have to think about it again. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work (if you have a concern about stalkers, you may want to consider getting one in a nearby town instead). Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!

One thing I really envy Android users on is their access to alternate app stores, like F-Droid and Aurora. My partner approached me earlier this week and asked if I’d be willing to go on a diet with her as a show of solidarity. Not the same diet, just a diet. As I stepped on the scale to begin, I begrudgingly admitted that she was on to something and I’ve put on more weight than I realized. Ever the one to look for a silver lining though, I figured this might be a good time to dig through some of the most popular diet-tracking apps in the iOS app store and see which one was the least offensive. So this week, I’m sharing that with you.

I chose my apps based on a combination of “top” lists found on DuckDuckGo and which apps popped up first when I searched in the app store. I am rating them based on their privacy policies, specifically “information we collect.” I have organized them by alphabetical order. I also only highlighted things that stuck out to me specifically. I’m not really surprised with stuff like “cookies, things you willingly add to your profile, and IP address.” That’s all pretty standard. I was looking for anything out of the ordinary or alarming.

Calorie Counter +

Information collected: “first name, email address, encrypted password, personal profile (your age, sex, height, start weight, goal weight, activity levels and any other boxes you tick during sign up), Photo (if you upload this to the forum or Live Club weigh-in on the website), IP address, Mobile device ID, Your browsing behaviour (when using the Nutracheck App and website).” Uses Google Analytics. Shares information with Google and Facebook to advertise “as you browse around the internet.”

The alarming parts to me here were the fact that they shared with Google and Facebook so they could advertise to you off-site. No thanks. Other than that, pretty standard stuff although I did notice that a lot of sites require information like gender and age. I guess that’s medically relevant, but it still makes me a bit uneasy. Also what does “encrypted password” mean? Do they actually store my encrypted password, or are they dumbing down “hashed” for readers? Cause frankly, storing my actual password – even encrypted – is unacceptable.
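The difference between an “encrypted” and a “hashed” password, as an added example (not part of the original post and not any app's actual code): the function names are hypothetical, and the reversible cipher is a constructed stand-in for a real one such as AES, used only so the example runs with the Python standard library.

```python
import hashlib
import hmac
import os

SALT_LEN = 16
# scrypt cost parameters (an assumption for this example; tune for real hardware)
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in keystream (SHA-256 in counter mode). Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(key: bytes, password: str) -> bytes:
    """What 'storing an encrypted password' means: a reversible record."""
    nonce = os.urandom(16)
    data = password.encode()
    stream = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def decrypt_password(key: bytes, record: bytes) -> str:
    """Anyone holding the key (the service, an insider, a thief who also
    takes the key) gets the original password back."""
    nonce, ciphertext = record[:16], record[16:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


def hash_password(password: str) -> bytes:
    """What 'hashed' should mean: a random salt plus a slow one-way digest.
    There is no key and no function that turns the record back into the password."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt + digest


def verify_password(record: bytes, attempt: str) -> bool:
    """Log-in check: re-hash the attempt with the stored salt and compare
    in constant time. The service never needs the stored password itself."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.scrypt(attempt.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


def unsalted_digest(password: str) -> str:
    """The weak form of hashing: fast and unsalted, so two users with the same
    password share a digest and precomputed tables apply to every account."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    password = "correct horse battery staple"   # constructed sample value
    service_key = os.urandom(32)                # key the service would hold

    encrypted = encrypt_password(service_key, password)
    print("encrypted record reversed by key holder:",
          decrypt_password(service_key, encrypted))

    hashed = hash_password(password)
    print("hashed record verifies correct password:",
          verify_password(hashed, password))
    print("hashed record rejects wrong password:",
          not verify_password(hashed, "guess"))
    print("same password, two salted records differ:",
          hash_password(password) != hash_password(password))
    print("same password, unsalted digests match:",
          unsalted_digest(password) == unsalted_digest(password))
```
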

FatSecret

Information collected: “age, gender, postal code, current and goal weight.” “IP, ISP, browser type, OS, language, profile information, profile info, food and exercise, and “general use.” “integration with other services such as Apple’s HealthKit…other services such as Apple’s HealthKit API’s and Google’s Fit APIs (all together “Health Data Services”). FatSecret will not use or disclose health data gained through Health Data Services to third parties for advertising, marketing or other use-based data mining purposes other than improving health or for the purpose of health research.”

I found a few things in particular problematic here. Let’s go in order. First, “postal code.” I realize that an IP address is as good as a physical address, but why go out of your way to collect that? Next, “ISP, browser type,” and “OS.” Again, I realize that knowing my IP address is enough to correlate who my ISP is, but why go out of your way? I also know that browser type is helpful to know to make sure your site is working correctly with that browser, but why OS? And also, with the rise of CSS, I feel like “browser compatibility” isn’t really a thing as much as it used to be (but I could be wrong, I'm clearly not a web developer). “Integration with other services” combined with “FatSecret will not use that data...” means that not only will they submit the data to your HealthKit, but they’ll collect data from it, too. Finally, “for the purpose of health research.” Um, no thanks. Please don’t take my health data and then share it.

Lifesum

Information collected: “your email address, first and last name, height, weight, date of birth, and gender” upon registration. “Device identifiers (i.e. information on what device, IP-address, etc. you use to register and log on to the Services), and technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements) which is used to provide the Services and to allow Lifesum to market to you in accordance with this Privacy Policy.” You can opt out of marketing but not collection.

This is a pretty standard privacy policy, and if it seems like a lot, that’s because it is. Most privacy policies are this invasive at a base level. You’d be hard pressed to find a policy less invasive. Except for one part: “technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements).” So from what I understand, that means Lifesum is monitoring not just the app, but the device: my searches on Firefox, my location, what other apps I use, and other ads, just so they can advertise to me even more. Unacceptable.

Lose It!

Information Collected: “We may also use and allow third parties to track your browsing history profile.” “Personal Diet Data”, including, birthdate, height and weight, sex, and specific details of the foods and drinks that you consume and your exercise, and genetic results. Test results generated from a user’s genetic data. Email address and Lose It! Password. IP addresses, browser type and your operating system. Pages visited on the Websites referring and exit pages, and the dates and times of the visits. Financial information, such as your credit/debit card number or other billing information for purchases and product upgrades. Any additional information relating to you and your use of the Websites, Apps or Lose It! Services that you provide to use directly through the Websites, Apps or Lose It! Services. Location data and other information about devices used to access and interact with the Websites or App. Information that you make publicly available or publicly post using tools made available on the Websites or via the App. Information you may provide in user-to-user messages. Information collected from promotions with third party companies.”

So once again, nothing terribly bad here except that they specifically cover genetic data. If I get a genetic test, they collect the results (I assume the test has to be done through them or with one of the parties they work with). No thanks. They also collect browser type and OS, yet again. And location data, why? Why do dieting apps want to know my location? What, are you gonna send me a push notification? “We noticed you just entered a Wendy’s. Don’t do it, bro!” C’mon.

Nutrients

Information collected: None

So this app claims that they don’t collect ANY information and furthermore that all information you enter stays on your device and never gets transmitted. But I was a little put-off by the fact that there’s no HTTPS on their website. It’s 2020. There’s no excuse for that. Also, personal opinion territory here, I noticed that in the app store the developer has another app called Donald J Trump, which seems to be just a hub for all his social media posts or something like that. I don’t know, I didn’t pay for it. Personally, I don’t support Trump, and since the Nutrients app is paid, I wanted to do a little digging and make sure that I’m okay giving my money to an organization that obviously does support him. Once I started digging on that front, I quickly noticed that there is zero mention of the Donald J Trump app on their website, which to me is kind of questionable. At the time of my research this week, the app had been updated less than two months ago, so clearly this isn’t something they just put out once and have since abandoned. This is an app they actively maintain. Why aren’t they owning up to it? Personally, I found that alone shady enough to not want to give over my money. I don’t mind if a company wants to publicly endorse a candidate, but the fact that they weren’t being fully forthcoming with it in a situation where they should’ve (in this case, not listing the app on their site alongside all the others), that personally didn’t sit right with me.

MyFitnessPal

Information collected: ? But it is collected through third party or “publicly available” sources.

So this is the one thing that bugs me more than a generic privacy policy. Their privacy policy doesn’t even exactly state what they collected. It’s already bad enough when you say “IP address, Device ID, and other information,” but when you just straight up say “we collect information that cannot be used to identify you” (first off, that’s a lie) “but is used to determine aggregate data such as usage, blah blah blah,” that’s even worse. Now you’re not even saying what’s collected. If it’s not a big deal then why won’t you say what it is? Furthermore, you collect additional data through third party and “publicly available” sources? Why are you going out of your way to collect more information about me outside the app? Just tell me how many calories my damn burger has.

MyNetDiary

Information collected: ?

This service was equally as opaque as MyFitnessPal. The only saving difference was this service didn’t claim to collect additional information from outside the app, and they also claim they never share it. Personally I find a blanket “we never share your info” claim to be suspect – especially if they do admit to collect information – because I fully expect any remotely not-shady organization to share my information with law enforcement with a warrant. So to just flat out say “we never share your information ever” already means that at best you’re telling a half-truth.

MyPlate

Information collected: “device registration data (for example, the type of mobile device you use, your mobile device’s unique device or advertising ID, IP address, operating system and browser type), device settings (for example, your language preference), mobile carrier, information about how you use the Services (for example, how many times you use the Services each day), requested and referring URLs, location data collected through your device (including, for example, precise location data such as GPS and WiFi information), information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.”

So this is another one that’s not AWFUL but still not great. Let’s pick apart the more alarming parts. First, “OS and Browser, as well as mobile carrier.” Why? Does whether I use AT&T or Sprint or Verizon really affect how the app experience is for me as a user? “Requested and referring URLs,” so I admittedly am not an expert on this stuff and I have to do more learning in this area, but from what I understand this means that they can track where I came from and go to on the internet before and after their site. Why? “Location data, including GPS and WiFi information.” So in addition to my usual “why do you need my location” rant, this also suggests (or at least doesn’t rule out the possibility) that they might collect additional information about my WiFi network specifically, like SSID (aka “wifi name”), router info, and possibly even WiFi password and other devices on the network. Seems a bit unnecessary just to tell me I’m fat. Finally, “Traffic data, web logs, and other communication data.” Man that’s broad. Are you gonna access my browser history? What other traffic goes over the network? My text messages? This one is way overreaching.

SparkPeople

Information collected: “We may collect your name, address, email address, telephone number and other contact information...” “We do not share your information with third parties except as set forth in this Privacy Policy.” You can opt out of direct marketing but not out of collection. “We may collect information automatically about the use of the Website, through, for example, “cookies” or “IP addresses” (as described below). SparkPeople also archives log files and uses non-personally identifying information in aggregate form to” blah blah blah, improve the website.

Sorry, but at this point in my research I was getting tired. The short version is, SparkPeople’s privacy policy is super generic. Nothing alarming, but nothing great either. Contact information, information you willingly fill out, cookies, IP address, etc.

Summary

So the moral of the story here is that everyone is tracking you. This could be an entire blog post in and of itself – and it is on many other great sites – but cookies alone were the first real way of tracking people across the web back in the early days and while new, more sophisticated ways exist, the old ones haven’t gone away. So even the most generic, inoffensive privacy policy still has a way to track you and pass that information along to data brokers, and quite frankly I’d be surprised if they didn’t. That’s easy money. I think what I found most alarming was not the generic tracking – I fully expected that – but rather how invasive some of the others get. Location data? Other device info? Network info? Why, man? Just why?

So what did I ultimately decide to go with? A spreadsheet made with LibreOffice. It’s not sexy. It doesn’t give me pie charts or histograms (I know, it could if I wanted to). It doesn’t automatically tabulate my weekly total. It doesn’t have a cute animal encouraging me or recommending tips to keep on track. That’s fine. I took it upon myself to go out and do research and use online calculators to see what my daily calorie intake is based on my goals and my body. I decided what metrics were important to me, then I went and found the daily recommendations. In fact, I got a few premium features that way. For example, one app I used in the past (which is on this list) charged extra to set goals (instead of simply counting) and to monitor my sodium and sugar. I have all those things now, plus more. It’s a little more work. I can’t just scan a barcode. But that’s okay. It works for me, and it forces me to be conscious and put in the work myself.

I hope someday that Apple will be more forgiving and allow us to include privacy-respecting apps or app stores. I know, I can dream at least. But I guess the main reason I wanted to share this – in addition to being relevant and interesting – was to remind you to read the privacy policy. You don’t have to take five hours and read the entire thing top to bottom along with the terms of service. But at least skim. What are the parts that matter to you? Look for those parts. Get a general idea of what they’re doing with your data. And not to end on a depressing note, but just remember that 99% of the time those – according to themselves – can change at any time without notice. So be on your guard.

I considered buying a fingerprint-based door lock the other week. It was not cloud-connected or “smart” or anything like that, and ultimately I decided $200 was a bit too much to spend on a whim, but I did stare at it and read the box for quite some time. When I told this to various friends and family, they all seemed floored that I even considered an electronic lock. Truthfully, I know how to pick locks so I’m painfully aware of how grossly insecure my traditional cylinder lock is. I’ve spent many hours pondering the better solution with the appropriate balance of risk and reward.

The fact is that just like cylinder locks, our common digital locks (aka passwords) suck. They’re hard to remember. If you can remember them, they're too weak. If you can't, you're placing your trust in a password manager to not get hacked or corrupted. Furthermore, they have no real guarantee of safety. My significant other can log into this account and post a blog just as easily as I can, provided she has my password and any multifactor devices. As such, many cybersecurity experts actually recommend biometric locks like fingerprint, face scan, or retina scan instead. There’s a reason they were so popular back in 90’s spy movies. And honestly, that's not wrong. But there’s also a myriad of studies and evidence out there to prove that they’re not without risk, either. So this week I thought this might be a good topic to tackle.

What’s A Biometric Lock?

For those who haven’t figured it out based on context clues, a biometric lock is a lock that only opens when it confirms your biological identity: fingerprint, face scan, and iris being some of the most common. Almost all modern phones come with the capability.

On its face (no pun intended), a biometric lock is unarguably more secure. A social engineer can guess my password or security questions (unless you’re using the techniques I recommend on my website) and similarly, an attacker can steal my password and decrypt it using rainbow tables and brute forcing. But the odds that a malicious hacker or social engineer can chop off my finger or somehow copy my fingerprint? Sure, it’s possible. Again, I reference the 90’s spy movies. But that’s relatively advanced stuff – even by today's standards – and honestly this comes down to threat model. I’ve said before that this website is not designed for the hardcore Snowden-level whistleblower who needs to disappear. It’s for the average person who just wants to regain some privacy and security. The odds that anyone is going to go through those kinds of hoops to get their hands on your biometric identity are almost nonexistent. Having said that, I encourage you to ask yourself what the odds of that are. Even if you’re not a journalist, you might have a really driven stalker who would go to some pretty extreme lengths.

Not All Biometrics Are Equal

Despite what I said just a moment ago, not all biometrics are equal when it comes to how well they can protect you. I’m not even talking about click-baity articles that talk about how the iPhone can be unlocked in less than two minutes ([by pointing it at the sleeping owner’s face](https://www.forbes.com/sites/daveywinder/2019/08/10/apples-iphone-faceid-hacked-in-less-than-120-seconds/)). It’s important to note that literally everything is hackable and finding out that any system can be hacked by using twelve Androids, a home-cooked app, and direct access to a user’s device is kind of a no-brainer. It’s a real-life version of the infinite monkey theorem (except much more likely). Anybody with sufficient time and resources can hack anything.

No, I’m not talking about theoretical hacks and advanced exploits. I’m talking about actual, legitimate threats that could be posed to the average user. Consider this story about a woman who unlocked her husband’s phone while he was sleeping via his fingerprint scan and discovered he was cheating. Or this clip from sitcom Brooklyn Nine-Nine where one character unlocks another’s phone simply by pointing the camera at her face. Now it should go without saying that I’m neither endorsing nor encouraging cheating or any kind of illegal or unethical activity. But suppose my partner unlocks my phone while I’m napping and sees what I’m getting her for Christmas? There’s plenty of valid, legal reasons for you to want to control who has access to your device. If you’re a parent and you have small children, do you want just anyone to be able to pick up your phone and look through it at pictures of your kids or texts with them? I understand that in an ideal world, you would maintain positive control of your device but that’s not always possible. People make mistakes, get wrapped up and leave things laying around on their desks while they run to the bathroom. I leave my phone plugged in to charge overnight in another room. Or even at work sometimes I'll leave it plugged in while I work in another spot far away from an outlet.

So Should You Use Biometrics?

This is a question I’ve wrestled with for a while now. The answer is I don’t know. First off, it depends on your threat model. I think my threat model is very low. I don’t think anyone will go out of their way to lift my fingerprint and make a rubber copy. On the other hand, I am politically active and I wouldn’t feel comfortable with face lock because I know that if I ever got detained a cop could simply flash the phone at my face to unlock it. So personally, I’m comfortable with fingerprint lock but not facial ID. But then there’s the question of who has access to my biometrics and what are they doing with it? I use an iPhone. Apple claims they never have a copy of my fingerprint and that what they store is simply a digital signature – sort of like a password hash. However, Apple has also claimed that they don’t have humans listen to Siri recordings, which turned out to be a lie, so I don’t know how much I trust them. Would I use biometrics like fingerprint on an air-gapped machine like the lock I mentioned earlier or a laptop I use for backups? Probably.

I wish I could give a more concrete answer. Usually I can at least say “here’s what I’d do, but you do you.” In this case, I don’t think that applies. There’s just too many variables. But so many people in the privacy community are opposed to biometrics (and often for good reason) that I wanted to discuss them in a more in-depth fashion. As with almost all technology, biometric identification isn’t bad. Who uses it, how, and what they do with the data can be. No matter what protection you go with for your devices – be it password, PIN, or biometric lock – make sure that you’ve done your research. Know the shortcomings both technologically, practically, and legally. Know what the risks and benefits are, know the company and how it’s supported, and most importantly make sure it’s secure. Fingerprint is unarguably more secure than a phone PIN of “0000.” But a 16-character alphanumeric passphrase might be more secure than a face print if you’re a celebrity. As with many things I discuss, there is no one size fits all, only education so you can decide what size you need.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

As many of my long-time readers know, I love to write about personal experiences as a way to give real-world context to many of the subjects I cover. This week, I want to talk about my successes in getting the people around me to care about privacy. In the past I’ve mentioned how one of the recurring questions I see in the privacy community is “how do I get my friends/family/significant other/etc to care about privacy?” My partner has gone from publicly posting everything online to using encrypted messengers, using a VPN on all her devices, almost completely eliminating Facebook (she still needs it to connect with one specific group), and slowly transitioning to ProtonMail. Just this week alone, both of my coworkers stated their intentions to start taking their privacy more seriously after Chrome’s move to give advertisers full access to your device files. And in a move I never thought I’d see, my own brother said he wants to move away from using GAFAM (Google, Amazon, Facebook, Apple, Microsoft) products so heavily. I doubt I’ll see him completely abandon said products, but he did ask me if ProtonMail has a free tier and said he was switching to DuckDuckGo and Firefox. So this week, I want to take a moment to report what I think worked on all of these success stories.

Disclaimer: Before I dive in, I want to say that you should never do anything expecting to change someone’s mind. That’s just asking for disappointment and hurt feelings. You should enter into these discussions with the mindset that you’re here to exchange and consider ideas and viewpoints. If you approach subjects attempting to change someone’s mind, they’ll often feel attacked, get defensive, and double down. But if you go into it going “we’re equals, whatever you believe is up to you, but here’s what I believe and why” they’re much more open to listen to you and what you have to say. That’s not guaranteeing success, but it does guarantee a much better time in my experience.

Respect

On that note, I respect people’s choices even if I disagree with them. I really got on my brother’s case. He claims to be an ally of minorities, the oppressed, and other such groups. So, I made it no secret that he was perpetuating that same oppression by using services like Amazon, Facebook, and Google. It’s not enough to vote Democrat when you’re perpetuating systems that allow right wing extremism to flourish and shopping at companies that oppress their workers. That’s an argument for another day that I’m currently working on, but the point is that while I made these opinions known to my brother I was always quick to follow it up with “I love you, you do what you want, these are just my views.” Same thing with my partner. I have never forced her to use a password manager, I simply presented her with password managers as a tool of convenience and security, explaining what they do and how they can improve your life, and left it up to her. Don’t get me wrong, there’s still a lot of things I wish the people around me would do differently. I wish my partner would stop using TikTok. I wish my mom would switch to Linux (there's nothing she does on Windows that Linux can't do). But I respect that everybody is at a different place and I can’t force them to do anything. I can only present them with the facts and let them make that decision (it’s almost like I made an entire website out of that philosophy).

Time: Mere Exposure

I think most often when people ask that question, what they’re asking for is the epiphany moment. Chances are that very few of us reading this were introduced to the concept of privacy the same day we started taking it seriously. Think hard. I know I can vaguely remember some conversations I had with a friend about how the founding fathers never could’ve successfully revolted if they were subjected to the same level of surveillance in 1775 that we are today. I also did some time in the military, meaning that I was very familiar with the concept of having my communications monitored at some level. The point is, privacy was not a new concept to me. I heard at least a few arguments about why it matters and as an avid sci-fi fan, I was well aware of some of the potential negative ramifications of not having it.

It can be frustrating repeating yourself over and over as it falls on deaf ears. I live with my partner, and therefore she hears me rant about privacy constantly. As she’s begun to care more in recent months, we frequently have conversations where I rant about something privacy-related that upsets me, she says she didn't know that, and I remind her that I've definitely mentioned this before. I don’t rant with the expectation of changing my partner’s mind, I just rant to get it off my chest and I’ve made that very clear to her. But it’s still frustrating to know that most of it doesn’t stick. I think that’s why most people ask the question. “How can I trigger that ‘a-ha!’ moment that finally makes my family care?” And the fact is you can’t. It’s impossible to tell.

So instead of viewing these discussions as “this might be the moment,” view them as just general discussion like I mentioned at the top. If I’m talking to someone who complains about passwords, I throw out password managers. Just the other day someone on a job site mentioned that they do a lot of online shopping, so I encouraged them to check out Privacy.com. The goal is to expose them to it repeatedly. It’s called “The Mere Exposure Effect.” Basically the idea is that just by being exposed to something, your opinions on it strengthen. If there’s someone you sort of like, working around them frequently will make you like them more. The idea is to expose them to the ideas of privacy more and more so it grows on them. I know it sounds kind of manipulative, but that’s not my intention. That’s just a fact. The fact is that Mere Exposure can go the other way: working around someone you sort of dislike can make you grow to hate them, so if someone is clearly pushing back on privacy stuff and gets vocally upset by it, drop it. You’re not gonna win them over with Stockholm Syndrome. You’re going to push them away.

Time: The Epiphany

You know what made my brother care? The same argument I’ve made a hundred times before. Maybe I worded it a little differently but there was nothing new in my argument. No new concepts, no new information. It was just timing. This happened to be the time that my brother was in the right headspace, the right frame of mind, with the right set of pressures, information, and circumstances to decide “you know what? Nate’s right. I can’t be part of this system anymore.” I mentioned before in a different blog that my partner made the full-time jump to Signal after her boss informed her that the company reads text messages. When she told me this, we had another “I told you this a long time ago” conversation which actually ended with her going “yeah but somehow it felt different being told by the company themselves.”

The fact is you can’t predict what’s going to finally get through to someone. There’s no use in trying to guess what that magic epiphany will be. When I told my coworkers about the new Chrome “feature,” I actually made a point of saying “I don’t even care about the privacy aspect, this is a serious security risk.” I then explained drive-by malvertising. The next day, one coworker mentioned his plans to switch to ProtonMail this weekend and the other said he had removed as many Google apps off his phone as he could (he still kept Drive and Gmail for work stuff, but he removed other stuff like Maps). I would’ve never guessed that would be the story that would’ve got through to them, although honestly it probably wasn’t.

Honestly, most epiphany moments are straws that break the camel’s back. I don’t know if my own was or what. But in all my time of winning people over, it usually comes down to them hearing enough stories (usually from me, guilty as charged) that they finally go “I’m over this, I’m willing to make some changes.” This could be another blog topic in itself but when you get that win, be sure not to push it too hard. I've learned that when somebody tells me they want to start taking their privacy more seriously, the best response is to go “I'm happy to hear that. Let me know if I can help.” (That's actually when my brother asked if Proton had a free tier.) Don't get excited and go “ohmygosh! Now you have to check out Wire and Mullvad and XMPP and this and that and switch to Linux and...” Just let them know you support them and you're happy to share whatever you know.

I want to reiterate that you should never go into this expecting people to change. Also, it’s healthy to have other topics. While I frequently return to the topic of surveillance and privacy, I’m also capable of talking about music, video games, movies, TV shows, politics, and sharing personal stories of my time living in various other places. It’s not like all I can talk about is surveillance. Basic people skills come into play here. The best way to get the people around you to care is to not force it on them and let them come to their own decisions. But hopefully my experience will help you see how that can happen.

For some people, like myself, jumping into something new is exhilarating and you sink yourself into it 100%. This is where I found myself a few years ago when I first got into privacy, and where you might find yourself. In time, I eventually dialed back a bit and relaxed as I got more comfortable with this stuff, figured out what did and didn’t work, and made convenience adjustments as my threat model allowed. Regardless of where you end up settling on the privacy spectrum, it can sometimes be difficult interacting with people who aren’t privacy-minded. It can be hard to explain why you don’t have a Facebook, why you don’t want them posting your picture online, or asking loved ones to use an encrypted messenger. So this week I wanted to talk about how to interact with non-privacy-minded people. Specifically, I want to talk about how to decide where to draw the line and demand who does or doesn’t need to be using privacy techniques.

Preaching Privacy

Let’s go ahead and start with the hard truth. You can’t evangelize privacy to people like a pastor on the street. Most people just don’t care and beating them over the head with it repeatedly isn’t going to give them Stockholm Syndrome for your message. Furthermore, people aren’t logical. I’ve seen ridiculous suggestions like to hack your friends, start browsing their phone without asking, or start recording them. Nobody is going to go “wow, you’re right, I’m being a hypocrite and I do value my privacy.” They’re going to call you an asshole and stop talking to you. I’ve personally found that the best strategy is just to live your life, make your opinions known respectfully, and let people come to you. A few months ago I wrote a blog post about Ron and his dating conundrum. Ron wasn’t actually my friend, he was a friend of my partner. He had a problem, and my partner knew that I was the most qualified person she knew to solve it. When your friends have problems, they’ll know to come to you to ask. That’s when you can offer solutions. And it doesn’t hurt to ask your friends “hey, are you familiar with password managers?” and offer some advice, but don’t repeatedly bash them with it. They’ll move at their own pace, and quite frankly their security isn’t your problem.

Levels of Closeness

It’s important to remember that not everyone in your life has the same level of closeness with you. Your significant other is closer to you than your coworkers. Your family is closer than your friends (for most people). And your friends are closer than your barber. This should be an important factor when you decide how to deal with people who aren’t privacy-minded. Do you need your significant other using an encrypted messenger as you text throughout the day? Yes. Especially if they like to send you risque stuff and you use company WiFi. Do you need your favorite barber to use encrypted messaging? Probably not. They probably don’t even need your phone number. It’s important to pick your battles.

Context of Power

Do your coworkers need to use encrypted messengers? This becomes a gray area. I mentioned once that when the pandemic started in the US, I asked my boss if we could not use Zoom but I also realized that we have to do what’s best for the company. My coworkers – and my boss – are used to me being tin-foil hat crazy. They don’t mind me suggesting things like Privacy.com, Bitwarden, or Signal. But I also realize that I have no power there. I’m not the IT guy. I’m not the VP or COO. I’m at the bottom of the ladder, and I keep that in check whenever I suggest anything. My coworkers and I chat fairly frequently outside of work – we send each other memes or articles we found interesting and stuff like that – so I don’t think there would be any issue if I said “hey, could we move this conversation to Signal” or “Can we set up PGP keys for stuff like this that isn’t company-related?” I don’t even think anyone would really complain if I suggested setting up PGP keys for inter-office email and opened that option to the outside world (though, for the record, I highly doubt anyone would be on board). But the point is, I realize that when it comes to company policy I have no power, and while I am free to voice my opinion I have to realize that it is not my way or the highway.

Additional Context

I think those two things are the biggest deciding factors when deciding where to draw your privacy line, but there is additional context. When dealing with medical or financial professionals, I don’t see anything wrong in seeking a person who is willing to use encrypted email. I also think age and tech-savvy play a factor. I mentioned in a prior blog that I was able to switch my mother to ProtonMail by offering to set it up for her and let her take over, and she has been using it ever since. My grandmother, on the other hand, is in her 90s. I love her and I mean no disrespect, but she has one foot in the grave. We also speak about twice a year. I see absolutely no value in fighting with her over using ProtonMail, Signal, or anything else. Think about that: I just said you should get your doctor – who you probably see once or twice a year if you’re healthy – to use encryption but not your grandma. Obviously this varies from person to person. For some people, their grandparents raised them as if they were the actual parents, and those same grandparents are fairly tech competent and can be trained to use encryption reasonably. The point is to measure things with context. It’s impossible to draw a universal line in the sand and say “family MUST use encryption while strangers you only talk to once a month don’t have to.” What you’re communicating, frequency, and audience all matter.

I often see people ask “how do I get my family/friends/significant other/coworkers/etc to care about privacy,” but I rarely see anyone ask “should you get them to care at all?” It’s an important question. Before you ask how to convince them, you should start by asking if you even need to. Now obviously, I would prefer a world where everyone defaults to encryption whenever possible, but that’s not the world we live in right now and I have to pick my battles. It’s just like threat modeling: obviously it’d be nice if we could protect against all threats, but first you have to ask what threats are actually pressing and need to be addressed first and which ones can wait (if they need to be dealt with at all).

I’m sorry this blog was a little scattered, I try to keep my blogs somewhere between 1,000 and 1,500 words and this topic is huge and complex. As I said, I can’t simply say “here’s when you should and shouldn’t demand privacy from others.” It’s almost all one big gray area that varies from person to person. But I hope I’ve at least given you some thoughts and tools to figure out where the gray area ends and the black and white lie for you.

Lately students have been returning to school, but as I’m sure I don’t need to tell my readers, things are a little different this year. Many schools are looking to online or hybrid classes as a way to protect students and staff from the still-ongoing pandemic. Unfortunately, schools are often underfunded. Unfortunately, Google has stepped in and offered Chromebooks at low prices to schools to offset this problem. Personally, I don’t blame the schools. Teaching is a difficult thing, and the US federal government certainly isn’t making that problem any easier. Schools are doing their best. But I am pretty upset at Google. We all know that Google is one of the largest and most aggressive privacy offenders, which means that there is no doubt in my mind that Google has an ulterior motive with their charitable donation: they want to get kids rooted in the Google ecosystem early so they stay there. Income stream for life. Sadly this isn’t much of a conspiracy theory, it’s basically a given in the tech community (source, source, source, source). As students have begun to return to school, I’ve seen a lot of questions – and even had a few directed at me – regarding the privacy implications of these devices, including what’s possible and how to use them as privately as possible. So this week, I’m going to discuss that.

What Can It See?

The most common question I get/see regarding Chromebooks and privacy is what else they can see on the network. If I get issued a Chromebook and use it at home, can the school/Google see other devices and network traffic? The short answer is no. Technically it is possible, but once again schools are highly underfunded and they really have no motivation and nothing to gain from such intrusive programs. I have no doubt that the school can see almost everything you do on the device itself, but that’s probably where the school’s eyes end.

Google, on the other hand, is a bit more invasive but not as invasive as some might think. Without having any sources to back me up, but based on what I know about how surveillance capitalism currently works, Google can see everything the school can, as well as network information. For example, Google can probably see your SSID, information about your network (such as password encryption protocol, router info, IP address, and more), and I wouldn’t be surprised if Google can also see what other devices are on that network, such as a Roku TV, a Windows 10 machine, an iPhone, etc. However, as for the actual traffic, I would be surprised if Google sees the traffic from those other devices. The technical ability exists, but I suspect Google’s tentacles on every type of device are already so deep that they gain nothing from that kind of spying. It’s easier just to have each device report individually and connect the dots on Google’s end. After all, if you have two devices reporting from the same IP, then obviously they’re on the same network, and you can be much more invasive tracking the device locally than spying from the router.

Best Practices

In a moment, I’m going to list a bunch of settings I recommend changing, but first let’s talk about how to use your Chromebook in the most privacy-respecting and secure way possible. It should go without saying that you should consider everything you do on the device compromised. Google’s Chrome OS is proprietary, so we don’t fully know what goes on behind the scenes. You should assume anything you do on the device can be seen by Google, just to be safe. Of course, I want us all to have a sanity check: I highly doubt Google is waiting for you to log into your bank on their device so they can screenshot your balance or steal your account numbers. Don’t get overly paranoid about using the device and run yourself ragged. But at the same time, be aware that you’re giving up some privacy by using it. If you are truly concerned about the traffic issue I talked about above, then you can put the device on a separate subnet or VLAN, but again I personally don’t think that’s much of an issue.

I also encourage you to use a dedicated account on the machine. If the device was issued by a school and you have an account with the school, I think it’s safe to use that account. The school already knows the device was issued to you, and as mentioned before I don’t think they have any interest in making sure the IP address you used matches the records on your paperwork (though I would use a VPN in case of data breach). If the school did not issue you a Google account, I would make a new one.

I want it to be noted that Google has some of the best security out there. The privacy is virtually nonexistent, but the security is top notch. However, we should never get complacent. It should go without saying that all of my usual advice applies here. Strong passwords, two-factor authentication, VPNs, all are still useful here.

There are additional challenges and considerations for people attempting to lead a “Google-free” lifestyle. At that point, it’s really an individual question. I’ve heard people consider only using the device on public networks (such as libraries and coffee shops) or using a phone hotspot. I don’t think those are bad ideas, but they can still create a pattern that Google can make use of. Of course, a pattern of using the public library every day at 2 pm is far less revealing than an IP address and what other devices are on the network in my opinion. You’ll have to make the decision for yourself on the lesser evil.

Settings

Google Chrome OS: Version 76.0.3809.136

Bluetooth: Off

Connected Devices: None

People: Don't sign in if possible, use a unique or school account if you must

Screen lock: Show lock screen when waking from sleep

Screen lock: Screen lock options: either

Autofill: All off

Device: Storage Management: Browsing Data: Advanced: Clear All

Search and Assistant: Search Engine: DuckDuckGo, Searx, or MetaGer

Search and Assistant: Google Assistant: Disabled

Privacy & Security: Disable all settings

Privacy and Security: Manage Security Key: Create PIN

Privacy and Security: Site Settings: Cookies: Keep local data only until you quit your browser: enabled

Privacy and Security: Site Settings: Cookies: Block third party cookies: enabled

Privacy and Security: Site Settings: Location: Off

Privacy and Security: Site Settings: Camera: Ask before accessing

Privacy and Security: Site Settings: Microphone: Ask before accessing

Privacy and Security: Site Settings: Motion sensors: Off

Privacy and Security: Site Settings: Notifications: Off

Privacy and Security: Site Settings: Flash: Off

Privacy and Security: Site Settings: Pop-ups and redirects: Off

Privacy and Security: Site Settings: Ads: Off

Privacy and Security: Site Settings: Unsandboxed plugin access: Off

Privacy and Security: Site Settings: Handlers: Off

Privacy and Security: Site Settings: MIDI devices: Off

Privacy and Security: Site Settings: Payment handlers: Off

Language and input: Spell check: Off

Downloads: Ask where to save each file before downloading

Downloads: Disconnect Google Drive account: enable

When returning it, Powerwash it under the “About Chrome OS” page.

This week, nothing particularly explosive happened in the privacy or cybersecurity world. Governments and major service providers continued to be hit with malware, data brokers continued to swoop up people’s personal information without so much as a blink from the law, and people continued to feel as if they have no choice but to submit to the abuses of surveillance medias like Facebook and Twitter (news flash: humanity existed just fine before Facebook, you can go back to not having it. But that’s a rant for another day).

So I’ve decided this week is a great opportunity to take advantage of the calm and remind ourselves of some basic habits. In the military, troops are continually trained on basic stuff like how to handle and shoot a weapon, how to build and guard a temporary encampment, how to conduct patrols, and more. This is because any skill – when left unpracticed – gets forgotten and rusty. It’s never enough to say “oh, I learned this basic, day-one, 101-type skill, I’m good.” You have to keep coming back to it and keep it sharp, make it habit. So this week, let’s go back to some of the basic stuff and make sure we’ve got our fundamentals tight.

Security

As some of my readers probably noticed, I tend to take a more security-focused approach on my website. I view privacy as an important part of your security model, as well as a fundamental human right, but while some resources say “it’s most important that you use encrypted messaging to prevent your cell carrier from reading your messages,” I say “it’s most important to prevent identity or account theft.” So with that focus in mind, I’ll start our refresher with best security practices.

First off, any American reading this should freeze your credit. In my time promoting this to people (especially parents with children), I’ve learned that a “credit freeze” is actually a misnomer. Many people assume based on the name that freezing your credit means that nobody, not even you, can access your credit. This would be disastrous for people who are trying to get out of debt, build their wealth, boost their credit scores, or are otherwise still in the process of actually using their credit. However, that’s not the case. Rather, a credit freeze is like adding two-factor authentication to your credit file. Nobody can open any new accounts without the PIN they issue you upon freezing your credit, but changes can still be made such as updates to accounts, debts paid off, or changed addresses or scores. (Friendly reminder from personal experience: don’t lose the PIN they send you. It can be replaced but it’s a nightmare process.)

On the topic of two-factor authentication, literally every online account you use that offers two-factor authentication should be using it. Fortunately, in recent years, 2FA has become more widely accepted and many places offer some form of it (even if it’s only a weak, privacy-violating form such as email or SMS). Honestly, if you use two-factor correctly, you can get away with having a weak password. I don’t think you should, but you can. That’s how important it is.

Privacy

For privacy, I would argue that the most basic, important thing you can do is to look at the settings on your phone and pay attention to them. While phones are virtually impossible to make private by nature of what they do and how they work, you can dramatically reduce the amount of data that it leaks and that the apps themselves collect. You can change a variety of settings to restrict apps to only having access to the things they actually need and to collect less data by default. Additionally, you should remove any apps you don’t actually need or use regularly. Apps are the biggest attack vector for malware and other security and privacy breaches on mobile devices. My general rule is if you can wait and do it on a desktop where you have better security and more control, you should. On that note, be sure to examine the settings on your desktop machine as well.

Habits

It’s important to know that privacy and security aren’t just a bunch of apps or products you buy, they’re also habits you develop. In the classic TV show “Seinfeld,” there’s an episode where the titular character’s apartment gets robbed while he’s away because his friend Kramer had failed to close the door. When Kramer asks Seinfeld if he has insurance to cover the losses, Seinfeld’s incredulous retort to Kramer has stuck with me since childhood: “I spent my money on the Clapgo D. 29, it's the most impenetrable lock on the market today...it has only one design flaw: the door...[shuts the door] must be CLOSED.”

You can invest in all the best tools, hardware, and services but if you don’t use them correctly it’s all for naught. In the studio audio world, there’s a saying that a good recording is the result of a hundred tiny good decisions. Good privacy and security are the continual result of a bunch of tiny decisions. Just as with dieting, it’s not about running ten miles every day and eating salads. It’s about switching to diet sodas instead of regular, or passing on the fries with the burger. With privacy and security fundamentals, it’s important to make habits. Fortunately all of the stuff I listed here is pretty passive – you uninstall an app and you never think about it, or you enable 2FA and it works. But there are other effective basics, like considering metadata or using good internet practices. There is general agreement among the cybersecurity community that the NSA – elite, well funded, and advanced as they are – probably uses common tactics like credential stuffing or phishing more often than not to access a target’s accounts. It makes sense. Even as we near 2021, people are still falling for this stuff. So while you’re taking the time to examine your basic steps, don’t forget to check your habits and make sure that you’re not undoing all your hard work with bad habits that make the good steps you took meaningless.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

I have one of those day jobs where the rules regarding phone use are pretty relaxed. As long as the work gets done and you’re not overdoing it, nobody really minds if you send a text or step out to take a call for a moment. As such, at least a few times a week I’m treated to the following from one or both of my coworkers: “Hold on a second,” (answers phone), “hello?” (hangs up a moment later) “Robocall.” I, on the other hand, rarely get unwanted texts or calls. It seems everyone I know is really struggling with unwanted, annoying phone calls and texts, especially as the election looms closer here in the US (let me tell you how many times your unwarranted, North Korea-esque political texts have changed my mind about who to vote for). So in this blog post, I want to share what I’ve personally done that I think has brought my robocall/robotext amount down to near zero. Keep in mind, I said “near zero.” I still get one here and there, but it’s almost nonexistent compared to others I know.

What Not To Do

Let’s start with what not to do: please, please, please for the love of god do not download one of those stupid “caller verifier” apps. You know the ones I’m talking about: RoboKiller, Truecaller, Call Filter, etc. Do these apps work? I suppose. But they work using the network effect. In other words, these apps read your contacts list and add it to their database. They’re aiming to make a database of every phone number out there and who it belongs to so they know which ones are legit and which ones aren’t. I’ve said on my website that your carrier-issued cell number is essentially as good as a social security number these days and I stand by that statement. As such, some of the more privacy-minded people in your contacts list may not appreciate having their phone number shared to an unknown (and probably unsecured) database without their consent. I could make a lot of arguments here about metadata and relationship mapping, but it basically goes back to “don’t be a dick.” Assume that your contacts consider this information personal and don’t share it without their consent.

What To Do

If you’re like I was, you’ve probably been using the same phone number generously for years, maybe even decades. In this case, your number is already out there and while there are still good defenses (just cause you didn’t notice the leak before doesn’t mean you don’t patch it when you find it), it probably won’t do much for you. My SIM phone number that I’ve had since 2009 still gets a couple robocalls a week and a few texts per month. So you’ll need to get a new phone number if you want to truly get rid of robocalls and texts to the extent that I have. I strongly encourage the use of Voice-over-IP numbers, such as MySudo or Hushed, and I explain more about that reasoning on this page. The important thing, whether you go with VoIP or ask your carrier for a new number, is that you follow good habits regarding your new number. I’ll talk about that in a second.

One reason I like the VoIP method, and the reason it’s been so effective for me, is because Apple offers a way to shut off incoming calls to your SIM number. Go to Settings > Phone > “Notifications: Off” & “Silence Unknown Callers: On.” For Android I haven’t yet found a perfect solution. The most effective method that will probably work for most readers is to turn on “Do Not Disturb.”

Next, depending on how serious your problem is, there are a few higher-level solutions you can try. These might be a little privacy invasive to some people so they may not be ideal for the hardcore privacy enthusiast, but for the average person they’re probably acceptable solutions. The first one is to register for the National Do Not Call Registry if you live in the US. This is actually much more effective than you would think. It won’t stop scammers who are outside US legal jurisdiction, but it does stop many of the more legitimate (but still unwanted) callers. This list does need your email address, so as always I encourage the use of masked email addresses if you go this route. Second, many cell carriers are now offering programs where they help block known or suspected spam numbers. You can call your carrier and ask if they can activate this feature for you.

Privacy Isn’t Products and Services, It’s a Lifestyle

Between all these steps, you should have seriously reduced the number of robocalls coming in and bugging you throughout the day. But unless you make some behavioral changes, it won’t take long for them to come back. You can keep playing whack-a-mole with new VoIP numbers, or you can retrain yourself and never have to think about it again. As I said before, most of us are conditioned to hand out our phone numbers like candy, but this is dangerous and it quickly puts your phone number back in robocall and scam databases. I mentioned also that your phone number is basically a social security number these days, and you should start thinking of it and treating it as such.

In its purest form, protecting your phone number is simply a matter of asking “does this person really need my phone number?” A lot of places ask for your phone number, and almost none of them actually need it. For example, if you go out to eat at a restaurant and there’s a wait, they ask for your phone number so they can text you when your table is ready. You can opt out of this and ask them to just call your name instead. When you place an order online for food, they ask for your phone number in case there are any questions or issues with the order. They never call or have questions. Give them a fake number. Your area code plus 867-5309 is always a safe bet (it’s an 80’s pop song). If the phone number is optional, don’t give them anything. Even when ordering a package online, unless it’s a vitally important package that you can’t afford to lose (such as medicine), you can safely put a fake number in the order form. Other important areas where you should use a legitimate number are things like banking, healthcare providers, and work. By being judicious about who you give your phone number to and having a backup fake number ready to go, you’ll do an excellent job of keeping your new number from populating into databases where it will be abused and used to annoy you.


If you’re remotely plugged into any kind of culture at all, you’ve probably heard about the new documentary The Social Dilemma. At the time of this writing, the show has broken into the Top 10 trending in the US (I know it hit at least Number 4 but was unable to confirm its peak position), and holds a 90% on Rotten Tomatoes, receiving rave reviews from many critics. There’s already a variety of reviews online from top-notch sites like The New York Times, The Wall Street Journal, and even legendary film critic Roger Ebert. Even so, I felt that I could offer a unique opinion on it as someone who both lives and breathes privacy but also strives to make those topics accessible to “the average person.”

About the Director & the Film

Jeff Orlowski is an experienced documentary filmmaker. Some of his more well-known works include Chasing Ice and Chasing Coral, both films about the impact of climate change on the natural world. He has done work for big companies like Apple, National Geographic, and Stanford and founded his own production company aimed at producing “socially relevant” films.

The Social Dilemma premiered on Netflix on September 9, 2020. The documentary features interviews with some of the most influential names in Silicon Valley, like the creator of the Facebook “Like” button, the founder of Pinterest, and the former “Design Ethicist” at Google. These are some of the very people who worked to make social media as addictive as it currently is. The documentary mainly focuses on Facebook and Instagram, though it does briefly mention other social media platforms, and discusses the addictive nature of social media, how it got to be that way, how it works currently, and the impact that addiction and algorithmic nature has on the real world ranging from rising depression rates in teens to social and political division and violence.

The Good

Before I saw the film, the thing that most piqued my interest was the people interviewed. While the film does bring in a few privacy proponents such as Shoshana Zuboff and Jaron Lanier, it primarily focuses on the former Silicon Valley executives. I personally think it carries a lot of weight when the very creator of something publicly says “this is not what I intended and it needs to change.” That’s very different from a completely removed person saying the same thing.

I also really like that the documentary doesn’t focus on privacy or security at all. I find frequently in my discussions with non-privacy people that such subjects aren’t very interesting to them. They feel intangible, nebulous, and unconnected. The average person doesn’t feel like they are at risk of being doxxed, stalked, or targeted. But things like political division, depression, and screen addiction: these are things that many people struggle with, and in the off chance that you don’t struggle with one of these issues personally you probably know someone close to you who does. These issues hit home for almost everyone, and I think this was a fantastic approach for the documentary to take.

The Bad

Let’s start off with something everyone can agree with: the re-enactments were a bad idea. I suspect the goal of the re-enactments was to create context for the interviews, give concrete examples and visualizations of how this stuff works, and to create something that the viewers could relate to rather than a bunch of white men talking about how this wasn’t what they meant to create. Instead, I found them very “after-school PSA” in their feel, their oversimplification, and their hyperbole. I’m not sure if the issue was the writing or the re-enactments themselves, but they didn’t really help the movie.

Despite the effort to create watchable content, two of the three people I personally know who watched the movie didn’t make it through. I want to caution against using anecdotal evidence – the movie hit #4 so clearly many people did finish it – but I think that says something. Out of those three people, the one who did finish watching it was thoroughly freaked out by it and is now very concerned about her privacy and use of social media. Of the two who didn’t finish, one said that it was boring and the other said it felt like the film was repeating itself. Both made it about halfway through the film. While I realize you can’t please everyone – and while I personally disagree with both of the negative reviews I was given by the two people – if you’re losing your very target audience, it is worth examining why. I constantly seek feedback on my site from people because I want to know where I’m failing to communicate what I feel are important issues and reach as many people as possible and convince them.

Final Verdict

I personally greatly enjoyed the documentary and I recommend it. For people within the privacy community, there isn’t much new to learn here. For people who aren’t, some of it will be obvious, the kind of stuff we’ve suspected all along but never confirmed. But for some people, some or much of the information will be eye-opening and brand new. A lot of what is said in the movie would sound like tin-foil hat conspiracy theories coming from someone like me, but it’s not coming from me; it’s coming from the people who built the system. Are they also being paranoid? It gives the claims a new level of weight and authority. I think that alone makes it worth watching.

More on the Movie

You can visit The Social Dilemma’s official website here. It is currently viewable on Netflix.
