The New Oil

Practical privacy and simple cybersecurity.
TheNewOil.org

Paranoid. Tin-foil hat. Crazy. Weird. Obsessive. Whatever you want to call me, I guarantee I’ve heard it before. And honestly I’ve called you things, too. Blind. Apathetic. In denial. Let me explain: one of the most common questions I see in the privacy community is something along the lines of “how do I get other people to care about their privacy?” The question usually goes something like “all my friends think I’m crazy because I don’t use Google and they don’t want to switch from WhatsApp to Signal. They think I’m being paranoid, like ‘why would anyone want to watch you? What are you hiding? What are you up to?’”

It’s a frustrating position for people on both sides of the fence. It’s frustrating to you, the person who doesn’t care about privacy, because your friend or loved one is asking you to do extra work just to chat or hang out. But it’s equally frustrating to us. So this is an open letter to all the folks who don’t care about privacy. I’m asking you to be patient with us privacy-minded folks. That doesn’t give us the right to bully you or be obnoxious, but respect is a two-way street. I want to try to explain why we’re so paranoid so you know where we’re coming from. This isn’t meant to sway you to our side, simply to consider things from our perspective and see if it might be worth taking some reasonable steps at the request of your loved ones.

It’s About Respect

Before I get into any concrete reasons for why we care about privacy, I think I should start with the most basic concept of all: respect. You are a sovereign person, meaning that you have the right to make decisions about yourself with zero justification whatsoever. You don’t have to justify to me why you want a tattoo, why you watch the shows you do, why you’re vegetarian, or why you go to church. That’s your right as a human being. Likewise, us privacy folks shouldn’t have to justify our choices either. If we ask you not to post pictures of us on the internet or not to gift our kids a Chromebook or something like that, you should respect it because that’s what decent human beings do. This doesn’t have anything to do with race, gender, politics, or age. It’s about being a good person. They’re called boundaries.

When it comes to two-way situations, such as encrypted messaging, I think it’s a decent human move to at least try it out or consider the request. Signal, for example, is insultingly easy to set up and use. It literally could not be any easier. I don’t think asking anyone to use Signal is an unrealistic request and those who take the five seconds to download and set it up will find it very reasonable and easy to use. Switching to PGP is a little more involved, and I understand if you say no to that one.

On that note, whatever happened to compromise? I made a deal with my mother that if I set up a ProtonMail account for her, she would use it when emailing me. She agreed, and she’s held up her end of that bargain. Setting up ProtonMail is not hard. It’s no harder than setting up any other email account. Yet I still made the offer. Likewise though, I respect her. If she uses her old email account to contact me, I don’t ignore it. I still respond. The point is, it’s mutual respect. I don’t hardline people and tell them “use encrypted messaging or I’ll never talk to you again.” I respect their wishes, and in turn they respect mine. That’s how human relationships work, and if you won’t at least consider your privacy-oriented friend’s request, honestly you’re being kind of a dick.

We’re Not Crazy (But We Are Abstract Thinkers)

Calling somebody a negative name is what’s known as a “thought-terminating cliché.” In other words, if I call you crazy, I have now discredited you. It doesn’t matter what you say, you’re crazy so there’s no point in listening to your argument, even if your argument is “the sky is blue.” You’re crazy, who cares what evidence you spout to support your claims?

Most of us are not crazy (though some of us are a little extreme). When we talk about things like how data collection can be abused, we’re not just being paranoid. We’ve seen it happen before dozens of times. The difference is that we realize it could happen here to us. Often when I talk about abuses of data in other countries, people go “yeah but that would never happen here.” You’d be amazed. China’s social credit system is on its way to America. Random strangers are routinely swatted or harassed for the smallest things. Even the federal government itself has doxxed dissidents. It can happen here, and it can happen to us.

We’re Not Crazy, We’re Playing a Numbers Game

“Okay,” you think, “fine. It can happen here, it can happen to me. But is it really likely?” Maybe not. But consider this: your odds of dying in a plane crash are 1 in 11 million, yet society doesn’t find a fear of flying odd or paranoid. Meanwhile the odds of being caught up in a data breach are 1 in 4, yet somehow I’m viewed as weird because I reduce my odds by giving up as little information as possible to those companies so that less of my information gets leaked? Why is it the more likely and valid fear gets shunned and mocked? Is it because these companies have built the most powerful and wealthy businesses on the planet by you giving up your data willingly? The CIA sure is jealous of how readily we hand stuff over to Facebook. It’s almost as if these companies have a financial interest in making privacy weird and socially unacceptable.

Everyone Lies

“Okay, but it’s not just that you don’t have Facebook,” you say again. “It’s the fact that you give fake names and numbers. You go out of your way to hide. Why?” Because, in the words of famous Dr Gregory House: “everyone lies.” Famous hacker Kevin Mitnick writes in his book about a proprietary encryption software that claimed to use 56-bits of encryption. When Mitnick hacked their system and examined the code himself, he found out they were really only using 30. For context, that’s the difference between 2 seconds and 25 days for the attacker to guess that password. In the HBO Documentary “Kill Chain” it was mentioned how companies who make electronic voting machines love to advertise how secure and “unhackable” their machines are, yet this is routinely proven to be untrue – not only are the machines easily hackable, but the companies refuse to let cybersecurity experts audit and fix their security. (By the way, nothing is “unhackable,” but that's a topic for another day.)

We’re Trying to Meet You Halfway

So yeah, in light of all this, you’ll have to be patient with us when we don’t trust Apple’s claim that they’re going to start respecting privacy more. Or Google’s claim that they delete our data. Or Facebook’s claim that they won’t abuse your data (which has already been proven a lie numerous times). These are all companies who refuse to let us see behind the curtain. These companies and others just like them routinely get proven to be liars, and we just don’t trust them. Would you trust your friend who says he missed your party because he was sick after he accidentally sent you a selfie from the bar? Of course not! So why do we get blamed for not trusting companies that routinely get caught lying? We’re scared. We’re scared of what these companies aren’t telling us. We’re scared of when these companies change hands and now that data – which has the potential to essentially mind control us – is in the hands of someone who will do anything to make another buck, or win another term in office. We’re scared of when this stuff gets breached and now our sensitive information (including financial and government records) is on the public web through no fault of our own.

If you’re reading this and you’re scared, I get it. If you’re not scared, you should go back and click on some of the links I posted. We know this stuff can be overwhelming. When you’ve been in a certain field long enough, you forget how to talk to outsiders. If I asked you to explain how to do your job, you might struggle. It’s second nature to you, but to me it would be completely foreign. Things like DNS, onion routing, and pseudo-anonymous accounts are child’s play to me, but I’ve been living and breathing this field for the past few years. You may not have understood any of those terms. We’re sorry that sometimes we forget to simplify it or we fail to explain it well or we just get really overzealous. It’s empowering and exciting to feel like you’re improving yourself. A lot of this stuff is scary and overwhelming, but there’s hope and light and sometimes we get a little too excited when trying to share that. We’re not trying to overwhelm you, we’re trying to help you. And we need to respect it if you don’t want our help. That’s your choice to make. But when it comes to us, you should also respect our choices to be more private even if you don’t agree with them. The world would be a much better place, I think, if everyone was just a little more considerate of each other.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

I’ve been writing a lot of posts about abstract topics lately, so this week I want to come back down to earth and write something practical and helpful. Chances are that if you’re reading this, you have a job or are looking for one, which means this should be pretty applicable to most everyone. So without further ado, let’s talk about how to enter the workplace while still respecting your privacy as much as possible.

Fields of Work

In an ideal world, the most privacy-respecting job would be some sort of self-employment where you can funnel all payment and legal activity (taxes, invoicing, etc) through an LLC. The job itself would be something that focuses on your work and not you. For example, being an actor or an artist puts the focus on you and your skills. Owning an electrical company or being a freelance technician of some kind allows you to hide behind a brand (ABC Electrical or Smith Designs, for example). But most of us don’t have the desire to be self employed for any number of legitimate reasons. I’ve done it at least part-time consistently since I was out of college and it’s hard work. So if you’re self-employed or want to be, my advice would be to set up an LLC and funnel all your work and assets through that. It protects your privacy but also protects you and your possessions legally. I’m not an expert on this, and laws vary from place to place, so I’m not going to go into detail but do your own research if you think this might be for you. For the rest of us, let’s start at the beginning.

Searching for a Job

Most of us have to go find a job. Whether you go the networking route or sign up for job-hunting sites, from a privacy perspective, I would approach it the same way: get a work email and a work phone number. Your work email should be professional without giving away too much about you, ex “jsmith@protonmail.com” or “john.smith@tutanota.com.” You can get a work phone number using Voice-over-IP (VoIP).

Using separate contact information will serve three purposes. First, you can compartmentalize your life. When searching for a job, you’re going to have to sign up for a lot of sites and make accounts to submit applications and put your contact information out there publicly, which means you’re going to get lots of spam and get your information sold and resold. Having separate contacts means less crap in your personal email and less chance of your personal email getting caught up in data breaches, thereby possibly compromising your other personal accounts. Second, it allows you to set healthy work/life boundaries and turn work off after hours. If you have a separate work email and work phone number, you can simply ignore them or disable them when you’re off the clock (if you work one of those jobs where you’re not on call). Finally, your email and phone number are as good as your social security number these days. Using your personal email – even if it looks professional – or your personal phone number makes it easier for your potential employer to look you up and find all your social media accounts and personal information. I’m not saying you should hide your Facebook from your employer so you can talk bad about them on a bad day. Personally I find that both immature and unprofessional. But I do believe that what you do off the clock is none of your employer’s business and so they shouldn’t be entitled to be able to find and track you off the clock. Using alternate contact information will help maintain that boundary.

Paperwork

Filling out any paperwork nowadays essentially comes down to one question: “Does this person need this piece of information?” When it comes to employment information, the general answer is “yes.” Most of the time, they do need your legal name and your social security number for tax purposes. They do need your bank account for direct deposit (feel free to opt for a check instead, it will be slower but it’s technically one less data breach you need to worry about). Do they need your home address? In my experience, no. I’m not a lawyer, so I can’t guarantee the legality of this, but in my experience I’ve always given my PO Box and that’s always sufficed. Notice that I’m not giving them a fake address. Anything they send me will still reach me. I’m not dodging anything. But it’s not my boss’s concern where I lay my head at night. I show up on time and sober, I do my job, and I do it well. That’s where our relationship ends.

In the Office

Once you actually start work, the main thing I recommend is to establish a fake name right off the bat. Go by a middle name, or a nickname version of your real name (ex “Bob” instead of “Robert” or “Bill” instead of “William”). Nobody will question it, and most of the time when you meet someone new they ask what you prefer to go by anyways. Obviously if you go by “Shadow” or “Big Z” you might get some weird looks, but your middle name won’t really raise any eyebrows. This might seem overkill, but if you use a different name it makes it harder for someone to search you. Your coworkers probably aren’t going to stalk you, workplace stalking is thankfully relatively rare, but personally I fall into the camp of proactivity: in other words, if something happens you can’t erase whatever your coworkers learn about you. It’s better to decide on a case by case basis who you want to invite over for the barbecue at your place rather than decide later that one of your coworkers is targeting you for some reason and trying to get them to back off.

My only other piece of advice would be try to keep your workspace clear of identifying information. It’s probably safe to change your computer wallpaper to an NFL logo if you really like that team, and maybe hang up that drawing your toddler drew. But maybe think carefully about putting up pictures of your family on that last vacation, or even having a physical calendar with appointments on it, and definitely don’t leave sticky notes lying around with your passwords.

Devices

Let’s take a moment to talk about devices. The general rule of thumb is that if they want you to use a certain program, the company should supply a device. It is unfortunately very common for people to add their work email to their phones’ mail app, or to download an app to clock in and out. At the time of this writing, employers are increasingly turning to spyware to ensure that employees are actually working and being productive during company time.

I’m going to admit right off the bat: I’m speaking from a place of privilege. I have a good resume and excellent work ethic. Finding a new job is not particularly difficult for me.

If your employer is asking you to download ANYTHING on your device, I first recommend checking what it does. It may just be to clock in and out, or to allow you to view company project files in the field. Those are probably not as worrisome as a screen-mirroring software. Next, check the privacy policy and permissions of the app or software. Most privacy policies are not worded too confusingly, although they are pretty vague. Either way, it should give you enough information to decide if you’re comfortable putting that program on your personal device.

If you find anything concerning, approach your boss respectfully. Point out your concerns and ask if there’s an alternative or if they can provide a company device. If they refuse, you now have a choice to make. You can try to get an alternate device – such as an old phone lying around in the closet – or you can straight up refuse. Generally speaking, it is illegal for an employer to force you to download company programs to your personal devices. However, keep in mind that finding a lawyer and taking the case to court can be costly and time consuming, and the company can find other excuses to fire you or make your life suck. Pick your battles. I recommend that a hard line in the sand be software designed to ensure your productivity – aka the screen-mirroring stuff I mentioned before that ensures you’re doing your work at home. I personally would quit before I’d agree to that. The company would have to provide me with a device. But as I said before, I also acknowledge that I’m coming from a place of privilege there and not everyone has that luxury. If your employer is drawing that line in the sand, see if you can find any lawyers who will take your case for cheap or pro bono. Most US states also have a legal aid society designed to help lower-income people get legal assistance for free or cheap. Check into that.

Personally, my recommendation is to keep your personal device as free of work stuff as possible. For example, don’t put work email on your phone. This goes back to the work/life balance thing. Try to keep your phone clear of apps as most of them do collect more information than they really need and apps can be a security risk anyways. If your employer asks you to use an app for legitimate purposes – again such as timekeeping – see if you can just use the mobile website instead.

Finally, if you are issued a company device, just assume that everything you do with it can be seen by your boss. Don’t use it for personal email or to check Facebook or any of that stuff. Use it for work only. Completely shut it down and store it safely when it’s not in use. Make sure to use the same security protocols on your work device as you do your personal one (VPN, strong passwords, privacy-respecting browser, etc).

Conclusion

The main ideas here can be summed up as “separate your work and personal lives.” A lot of this stuff may seem paranoid and overkill, and honestly it probably is. But you never know when you’ll have a disgruntled coworker, an unstable client who doxes you, or when the third-party service your HR department uses will have a data breach, or when your employer turns out to be crappy and tries to track your device without your consent. Additionally, as I said in the first point, compartmentalizing allows you to establish and, more importantly, enforce a healthy work/life balance. If you don’t have work email on your phone, you don’t check it on nights and weekends, and you turn off your work VoIP number after hours, people will have no choice but to respect that.


I mentioned last week that Signal has earned my skepticism and I’ve decided to move on to Riot as a replacement. There were a number of factors that went into this decision, and I spent weeks doing my research. Factors considered included user friendliness, multi-platform support, security features, and privacy. But one of the biggest concerns that went into that choice was decentralization. You see, I think decentralized communication is the way of the future in the sense that it’s the safest way forward.

The Problem of the Past

In the past, communication has been largely centralized. While the message itself may bounce around from server to server, all the servers are controlled exclusively by a single entity or set of entities. When you, a Verizon subscriber, text your friend, a Sprint subscriber, the text stays isolated in those two networks. Because of the proprietary and monopolistic nature of those networks, they are extremely vulnerable to government and social pressure. In other words, it’s real easy for your text messages to be intercepted, read, and even altered or blocked for any reason. Maybe the government doesn’t like your activism. Or maybe you were just born a way the government didn’t like. Maybe you just hold socially unpopular opinions that the providers don’t want to help propagate, even if you have a legal right to hold those opinions.

The Solutions of the Future

Decentralization, as the name suggests, works by making a network run on a variety of providers rather than a single centralized network. Take the Tor network, for example. As I type this, I have an old computer under my desk at my feet running a tor middle relay. Nobody authorized me to do that, I didn’t have to get a license or register with the government. I just needed the hardware and an internet connection. And this applies to anyone in the world, so if the state government came knocking down my door and carried off my relay, people in other states could still run them. And if the federal government outlawed them, people in other countries could still run them. In fact, Tor is a popular tool used in countries like China to help bypass censorship. Because of its decentralized nature, Tor is extremely hard to squash.

We are facing an increasingly hostile environment in the privacy world. The California Consumer Protection Act is often called “GDPR Lite” because it gave California residents so much protection from the sale of their personal data by data broker companies, but the state organizations like the post office and the Department of Motor Vehicles were explicitly exempted from the rules. The FBI and Interpol have both declared end-to-end encryption to be a menace. The US is explicitly working on a bill that would allow them to outlaw end-to-end encryption. Governments around the world are beefing up their surveillance each day, and personally I find these developments disturbing. Even if you genuinely believe they aren’t doing anything bad with those capabilities right now, having the framework in place is dangerous, especially in the modern world where leadership and agendas change every few years. All it takes is one bad leader to abuse the power, and the infrastructure is already in place.

I’m not here to tell everyone to get off Signal or Wire and switch to Session or Riot. Those solutions are still valid, and hopefully all these anti-encryption efforts and censorship trends die off and become nothing. However, I sadly personally find myself regularly disappointed by people and their astounding ability to remain passive and apathetic to clear assaults on their civil liberties that should’ve warranted resistance many times over. So personally, I’m placing emphasis on self-hosted and decentralized solutions in the future to try to prepare for this eventuality.


I have a lot of my friends on encrypted messengers. Some of them even have an encrypted email provider. But for a lot of them, I’m the only person they communicate with using those services and when I try to convince them to get their friends and family to join, they respond with something along the lines of “they just don’t care about privacy or security.” But it’s up to you to lead the charge into an era of privacy and security, and here’s why:

1. They Probably Won’t Do it on Their Own

Humans are creatures of habit, and it almost always takes some sort of external force to get us to change our ways. That could be as simple as stepping on the scale one day and going “holy crap, I didn’t realize I put on so much weight” or as serious as a near-death experience that forces us to quit drinking and find Jesus. It could also be as simple as your close friend or family member asking you to download a messenger app, or explaining to you why Facebook is bad. Chances are you, the person reading this, didn’t just wake up one day and go “I should care about my privacy.” You probably read an article, saw a documentary, had a chat with a friend, or were a victim of some sort of data abuse. Your friends won’t just wake up one day and start using Signal. You have to guide them into it.

2. You Have to Normalize It

Even right now, with headlines about privacy and data abuse at an all-time high, I still regularly run into the same resistant arguments: “I have nothing to hide,” “they already know everything about me anyways,” “I like Facebook,” etc. But when you insist on this stuff, it normalizes it. I talked in another blog post about the idea that if everybody used encryption, it wouldn’t seem suspicious or weird. I used clothes as an example: nobody ever looks at somebody in a coat and goes “oh, what are they hiding?” They think “oh, that person must be cold. Fair enough.” (Unless maybe you’re wearing a coat in Miami in the summer.) When you insist on using privacy-protecting services and practices, it normalizes it and people respect that. Once, at work, the marketing guy asked if it was okay to post a picture of me on the company’s Facebook page celebrating that I had achieved a major certification. I’m sure legally he had every right to do so, but he respected my privacy and knew I hate Facebook and wanted to be sure I was okay with the information he was planning to share. (And, actually, the post was fine by my standards. I gave the okay.) When you normalize privacy, people will respect it and not think of it as strange.

3. It’s a Moral Issue

At the height of the 2016 election, when I was sadly still a Facebook user, I saw a meme that still makes me chuckle and I wish I had a copy of it. A friend of mine was third-party and was vehemently opposed to the “two party system” that US politics has evolved into. He posted a meme once of Jesus teaching the masses saying “when confronted with two awful candidates, always pick the lesser of two evils because doing the right thing is a waste if nobody else is doing it.” Privacy is the same. Just because Facebook already has your data or because nobody else cares about their privacy or security doesn’t mean you should sacrifice your own. Don’t be afraid to take a moral stance. Of course, don’t be a self-righteous dick. One of the reasons our marketing guy at work respected my views on Facebook is because I’m not arrogant about privacy. I will definitely tell people why I don’t want to use a certain product. When we finally started working from home in the wake of the pandemic, I sent my boss an email politely requesting that we not use Zoom, citing my reasons why, but also explaining that I knew we had to do what was best for the company in the end. Originally he had planned to use Zoom, but decided at the last minute that Google Meet was better for us since we already used G-Suite products anyways. I don’t know if I had anything to do with that decision, but I’m certain I didn’t do any harm. Stand up for your convictions, but also balance it out with a healthy dose of respect for others and reality of the situation.

4. Most People Will Humor You

Today, I messaged my mom on Signal and told her that I’d like to switch to Matrix. I explained that lately Signal has been doing some stuff that I don’t fully approve of, and I feel like Matrix better fits my values. I also explained, however, that I will be holding onto Signal for those couple of people who won’t bother to switch. Despite its recent issues, Signal still has top-notch security and I would rather people use Signal than Facebook, WhatsApp, or regular SMS, so I’ll be keeping Signal to talk to them. I definitely expected my mother to be one of the people who would reply with “no thanks, I’ll stick to Signal” but to my surprise she asked me to send her a link to a Matrix client. I had to walk her through some steps over the phone but eventually we did get an encrypted room set up for us to communicate and now we’re on Matrix. The point is, most people will humor you. More often than not, your friends value you and respect your values even if they don’t share them. Your friends probably won’t humor you if you ask them to delete Facebook, but if you ask them to switch to a user-friendly app like Wire or ask them to use an encrypted email provider like Proton or Tutanota, they probably will when talking to you. (I made the deal with my mom that if I set up a Proton account for her, she would be willing to use it, and she has.) And while they may only use these apps with you, that’s better than nothing. And it opens the door for you to explain to them why you want to use these apps, how it benefits them, and why they should get their friends and family to use them as well. But it all starts with you.

But How?

Honestly, my best experiences have always come with approaching it from a place of transparency and humility. When I started using encrypted messengers, I asked my friends and family if they’d be willing to switch, explaining that I don’t want my cell carrier reading my messages. Only one person resisted the change, and that was cause he didn’t have room on his phone for another app. Eventually even he came around once he had a bigger phone. When I start dating someone, I tell them up front that I’m very interested in data privacy and that if things go well I’ll probably ask them to use some type of encrypted messenger. You’d be amazed how often that person asks which one and starts trying to set it up without me even officially asking them to switch. It’s shocking. The important thing is to be patient with people, to explain to them why it’s important to you, and realize they’re doing you a favor. In the end, it may grow on them. My mother asked my sister to start using Signal without me prompting her at all. My partner got all of her coworkers and some of her Facebook friends on Signal with no input from me. But it all starts with you taking the lead and being the example.


Today, I don't have a blog about a new app, a new concept, or a news article. But I do have a current event to share: I have completely redesigned The New Oil from the ground up. I have deleted some of the old, redundant blogs but kept some of the others that cover things the website doesn't.

As you'll learn from visiting the new site, I have decided to change the site to a more e-book style layout. There's already a lot of great websites out there that have lists of tools, and they are fantastic at what they do. The problem with those sites is none of them (that I've seen, at any rate) help you make a decision. They just go “here's five encrypted messengers” and it's up to you to understand which one is right for you, what the pros and cons are, and why certain messengers are or aren't listed on the site. That was one thing I aimed to fix when I made this site, and it existed in the original version: a table that lists the pros and cons of each service to help you decide what's right for you.

However, more and more I'm seeing people get introduced to the privacy community with questions and comments like “where do I even start?” or “what are some behaviors I should change?” or, sometimes, “how do I do X?” not realizing that X requires behavior changes and not just an app. So I decided the site was due for an overhaul.

For a while now I've been considering writing a book (as everyone does) about these very subjects, but I realized that a book will quickly become outdated. Plus, I think important information should be free, and I think surveillance defense counts as important information. So I decided instead to roll these two projects into one. I rewrote the site to be an e-book, complete with links and everything. This will allow me to go in-depth into various concepts, subjects, behaviors, and recommendations, but because it's also an active website, I can keep the content current and updated.

As I say in the site/book, any major changes will be noted here on the blog. In the meantime, I will probably continue to use the blog to talk about things that fall outside the scope of the site, and maybe even discuss major current events relating to data privacy. I welcome all discussion about the site itself and the content within, so please feel free to let me know if you see any room for improvement. Just remember: this site is built for the “average person.” It's not aimed at people who are willing to set up a home server, self-host their email, put Lineage on their Android device, or any of the other more advanced techniques. It's designed for the people who are willing to switch email providers, download Signal on their iOS device, or use a password manager. Don't get too caught up in the weeds.

Thank you for your support, and I hope this new design continues to serve my audience well.


If you are even slightly involved in the privacy community, you’ve probably heard by now about the EARN IT Act. If you’re relatively involved in the privacy community, you’re probably sick of hearing about it by now. But it’s important that we talk about it: what it is and what to do about it either way.

What is the EARN IT Act?

S. 3398, also called the EARN IT Act of 2020, is “A bill to establish a National Commission on Online Sexual Exploitation Prevention, and for other purposes.” Basically, Senator Lindsey Graham and the National Center for Missing and Exploited Children have decided that end-to-end encryption is bad because it allows the proliferation of things like child sexual abuse, human trafficking, and drug trafficking. Without side-tracking this post too much, the number of registered sex offenders in the US is less than a quarter of a percent of the population in 2018, and drug arrests account for only 1% of the US population (this post has more context, information, and my sources). So first of all, arguing that nobody should have encryption is a lot like saying nobody should have clothes because a few bad people use them to smuggle illegal items, or that nobody should have food because some people use silverware for murder. It’s ridiculous and blown out of proportion. But that’s exactly what the EARN IT Act asserts. It’s a law that would ban end-to-end encryption, the most secure form of encryption around, and force all encryption to have a “backdoor” for law enforcement. The problem is there’s no such thing as a backdoor that only the good guys can access. Just as your own house door can be broken into by a criminal, so can a technological door. The amount of personal liberty we’re giving up is not proportional to the amount of good it would do.

What to do about it

The bill was introduced earlier this month and is still in the very early phases of the legislative process. So that means there’s still tons of time left to fight it. The most effective way, of course, is to call your local politician and tell them you’re a voter in their district and you want them to vote against it. Don’t know who your politicians are? EFF has made this very handy site that will look them up and email them for you. But calls are more effective than emails, so use this site to find your representatives by zip code, and use this site to find your senators by state, then use DuckDuckGo or the direct links on the Senate and House websites to get the phone numbers of their offices nearest you. Then save them in your phone and set an alarm to call them every day and remind them you are against the EARN IT Act. Typically all they ask is name, zip code, and your comment. You can leave it at “I disapprove of it and want them to vote against it” or you can go on a whole diatribe about how it’s an assault on civil rights and statistically ridiculous. Just be polite. Finally, you can sign an official White House petition against the EARN IT Act here. This alone won’t be enough to repeal it, but the more signatures it gets the more it shows that Americans don’t want this bill.

What to do if it passes

If this bill passes, we face some trouble, so it’s best to get your ducks in a row now. One solution is the previously-mentioned Firechat app that I shared in my COVID-19 post last week. Since this app stays off cell networks, it’s undetectable and therefore uncensorable. I first learned of it myself because of the role it plays in the ongoing Hong Kong protests.

Another open-source solution I mention on my site is Matrix. Encryption is not enabled by default but is activated easily with the click of a button, and with a little extra work it can bridge to a variety of apps and services.

The Tor network is another valuable tool, but because it is easily recognizable it can also be easily blocked by internet service providers. So while that is a service to keep in our pockets, it’s important to have alternatives as well. VPNs are likely to not be affected as they are not end-to-end encrypted, but their no-logging policy may come under fire next.

Additionally, now is a good time to get comfortable with PGP encryption, as this is a local type of encryption where the keys are stored on your device and you don’t have to rely on anyone else for the security or effectiveness of it. It is most commonly used via email, but it can be used for other types of data-at-rest encryption as well.

Mesh networks are a more complicated solution, but they are a potential solution and hopefully we’ll see them become more user-friendly in the future as a result of this attack.

As I said, now is the time to look into these solutions and start planning as it may be much harder to access these services if the bill gets passed. Hopefully we won’t need them, but better safe than sorry and preparation is key. I plan to put up more posts and tutorials on these subjects in the coming weeks. Up until now I’ve been putting them off as I didn’t think they concerned the average user, but clearly this is no longer the case. In the meantime, the best course of action is to keep bugging your elected officials and hopefully this won’t be an issue in the near future.


I’m a little salty. The COVID-19 panic has finally hit my hometown late this week as three confirmed cases popped up in my relatively-large town of over 1 million people. Earlier this week I stopped by the grocery store and it was business as usual. Yesterday my partner gave me a play-by-play of all the people that almost ran her over and sent me pictures of the empty shelves. I’m frustrated because I personally fall into the camp of “the seasonal flu is statistically more dangerous at this point, this is just public panic over nothing.”

Over the past few months, I’ve been publishing a lot of articles on Mastodon about hospital data breaches. It’s a topic I’ve been mulling over, figuring out how to best address the situation. After all, you want to be honest with doctors to get the right treatment but you also don’t want your personal information posted on the dark web simply because you decided to be healthy.

So today I’ve decided to roll a number of topics together to talk about how to handle your privacy in times of a pandemic (or a media panic over nothing). This article is probably going to run a bit longer than my usual post, so bear with me.

How to Handle Hospitals

Even if you’re the type of person to “take an ibuprofen and tough it out,” chances are you will eventually have something serious enough to warrant visiting a hospital, even if just out of caution. So let’s start with how to handle those. Rule number one: don’t lie to your doctor. They became a doctor because they wanted to help people and you’re just wasting their time and risking your own life by lying. Having said that, not all information on a hospital form is mandatory. When they give you the paperwork to fill out, I would ask them what the absolutely essential parts are. I’d also ask if they have a form allowing you to opt out of any data-sharing agreements. They won’t advertise that stuff, but they usually have it. The questions might catch them off guard but ultimately as long as you’re polite and cooperative they don’t really care.

Get a PO Box

I’ve mentioned before some of the benefits of a PO Box. They’re cheap, and they put another layer of protection between your real home address and the public world. And at no additional cost (through USPS, private places may charge) you can sign up to use your PO Box as a street address, which means nobody will even notice that it’s not a real address. This is great for things like hospital forms or employer records as they give those people a legitimate way to get in touch with you without risking your home address showing up in a data breach.

Get a Voice-over-IP (VoIP) Number

This is a thing that deserves its own article and will get one someday. A VoIP number is, in short, a digital phone number that forwards to your real number. I recommend MySudo, but there are plenty of options out there. Keep in mind that no VoIP app is perfect for total privacy, but at least it removes your real number from potential data breaches and public records (I’ve got an article in the works about why that matters but for now just trust me that it does, it’s too much to get into in this already crowded article).

Freeze Your Credit

As is usual in times of chaos, scams are on the rise. So make sure to protect yourself and your dependents: freeze your credit and set fraud alerts. Thanks to the Equifax data breach, freezing your credit is now free by federal law in the US, and identity theft of minors is one of the leading cyber crimes. Freezing your credit will ensure that nobody can open an unauthorized account in your name. Even if you don't suspect yourself of being a target or you argue that your credit is too awful to be useful, rest assured that someone will always be able to open a high-interest account for you that a criminal has no intention of ever paying off and now the task falls to you to jump through a million legal hoops and prove it wasn’t you. Just avoid it. Set up a credit freeze, and furthermore set up fraud alerts. Lately people have been finding very easy loopholes to unfreeze credit without a PIN – which defeats the whole purpose. A fraud alert is a second layer of protection to help defend against that.

Pay in Cash

This is kind of one of the foundational principles of privacy and data security. While credit cards do come with a lot of convenience and a few legal protections, the transaction information can be and often is sold or shared from your bank to various third parties for advertising purposes. Paying with cash removes that tracking trail. I suspect – pardon my tin foil hat – that it’s only a matter of time before your shopping habits are used to determine things like approval and rates for loans, insurance, and other important aspects of daily life. While I realize that most people in the US can't afford to pay for a hospital visit in cash, you can probably at least buy things like your medication in cash, which helps.

Take Up a Passing Interest in Disaster Prepping and Personal Finance

Admittedly for some of us, this might be too little too late, and of course there's entire blogs, books, websites, and podcasts on both of these subjects so this isn't really going to be a detailed primer. But honestly, there’s a lot of overlap between the worlds of privacy, personal finance, and disaster prep. For example, disaster prep says “plan for the most likely scenarios first – emergency hospital visits, economic collapse, etc – before you plan for the zombie apocalypse.” Personal finance would agree with that logic 100%. Privacy says “use credit as little as possible because it tracks you,” and personal finance would agree that not relying on credit and staying out of small-time debt is a great idea (disaster prep agrees on that last one, too. If you have no debt, you have one less bill to worry about when the economy tanks). Disaster prep doesn’t mean building a doomsday bunker in the backyard with a thousand guns, it means having an emergency fund and a case of bottled water in the pantry just in case. Again, these are topics that are far too broad to get into in a single blog, and for the most part they are their own separate subjects that warrant pages and pages of discussion. Basically, these aren’t subjects I plan to get into too much ever because they simply fall outside the subject and scope of this site (maybe a few posts here and there in the future on relevant subjects). But they do offer some relevant advice on both the current situation and your privacy in general and I encourage you to look into the subjects.

The Aftermath

Okay, allow me to put on my tinfoil hat here, and if this section jumps the conspiracy-theory shark too much for you I completely understand and respect that and I hope you’ll still extract the meaningful advice in the rest of the article: I think we are going to see a suspension of civil liberties as a result of this epidemic. I think for the most part, it’s going to be well meant (and ineffective). However, just like the Patriot Act and the TSA, I think any such suspensions will be here to stay. In 2001, terrorists attacked the World Trade Center in New York and forever changed the course of history in both politics, war, surveillance, culture, and more. Many of our basic freedoms were suspended in the name of “The War on Terror” and to this day – nearly two decades later – we are still fighting to get many of them back. Already we have seen entire cities and regions quarantined, we’ve seen cities ban large gatherings (some as “large” as 500), we’ve seen the government demand more travel data from airlines to track the disease (many Asian countries have already ramped up their surveillance states to successfully combat the outbreak), and I wouldn’t be surprised to see curfews and other such things in the near future. Again, I’m certain that in most cases this is being done with the best intentions. But once Pandora’s Box has been opened, it is so damn hard to shut it again. So as the world scrambles to stop the spread of COVID-19, let’s be sure not to let our fear take us down that road again. Make sure that our civil rights continue to be respected, and make sure they are restored to us as the panic begins to wane. Hold your leaders accountable for that.

Conclusion

Again, I fall into the camp of “I think people are overreacting,” but whether I’m right or wrong we are facing some scary times ahead. Major events are being canceled worldwide, which will lead to economic implications (here in my town we’re already seeing the trickle down). Travel is being restricted, and whole areas are being quarantined. This is going to be a disruption to our daily lives, and it’s important to remember to protect our privacy as well as our health. Please, do visit a hospital if you think you need to. Buy some cold medicine to help with your symptoms. But remember to keep your privacy intact as we all push through this.

A Personal Note from the Author

I mentioned that in my hometown we are already seeing a trickle-down of economic impacts. Here in my home state, our capital Austin has already canceled the legendary, multi-million-dollar South By Southwest (SXSW), an international week-long music and technology festival that happens every spring in. It’s a huge deal for their economy. This is the first time in over 30 years that’s happened. In response, SXSW had to lay off 1/3 of its permanent staff. Elsewhere, all of our local major events centers have canceled all their events for the rest of the year, including sports, concerts, expos, and more – we’re talking arenas that seat tens of thousands. We've also canceled tons of other major economically-advantageous events like rodeos, cities are urging gatherings of more than 250 people to cancel, schools are canceled (or moved online wherever possible), the Austin racing track – which hosts F-1 and Indy and all other international events – is closed. I've heard the Austin City Limits festival is also cancelled, but that's not until October so I don't know if that's true.

My day job is audio/video. I currently work for a small audio/video installer – “less than ten people” small. Yesterday our owner (who is very transparent, which I appreciate) sent out an all-hands email letting us know that times are already getting tough. One of our clients – which was one of these ten-thousand-seat arenas – is having to push back working with us because of funds lost due to cancelled events. Another client that was set to start this month – a college – is also having to push back because of the scramble to move to online classes. Two other clients that were set to start this month – both tech companies – are pushing back because of the disruption of the epidemic. Our owner is doing everything in his power to keep us afloat and not cut any hours, but he is admittedly worried. We were already in a slow season as it is, and now almost all of our upcoming projects (and certainly all of our highest-paying ones) are pushed back indefinitely.

Without going into detail, I assure you that if hours are cut or people are laid off, I will be first on the chopping block. I don’t think it has anything to do with the quality of my work, my work ethic, or me as a person. It’s just a logical choice and one that I wouldn’t blame the owner for making. It’s the same choice I’d make. And I have no doubt that we are not an island – this disruption is happening industry-wide, so despite my impressive resume (I’m serious, I have a fantastic resume) I don’t think I would have an easy time hopping to another job simply because I suspect nobody is hiring right now.

I say all that to say this: I realize times are about to be tough for everyone if they’re not already right now, but I’m facing a pretty scary time ahead as my industry is not essential and neither is my position with my day job. As such, I will be leaning very heavily on side projects like this one and the generosity of its supporters. So, if you are in a position to give anything to help support this project and myself during these times of uncertainty, it would be extremely appreciated. And if you are not in such a position, I get it. Just try to stay healthy and weather through it. Thank you for reading.

https://liberapay.com/thenewoil

Author's Update, May of 2021

I've meant to add this addendum for quite some time but never got around to it before out of a combination of laziness and busyness. I just wanted to say that obviously when I posted this, COVID was still in its early stages. I don't believe in revisionism, so I don't want to simply delete the arrogant and incorrect views I had at the time (ex, thinking that people were overreacting or that COVID was not a big deal). Especially now, over a year later, my vaccination side effects F*CKED. MY. WORLD. UP. If that's just a fraction of what COVID is like, then I cannot express how wrong I was. At any rate, I also didn't want to leave these views up unchecked so that people think that I still hold those views. So I just wanted to add this quick note to say: I was wrong. I'm not too proud to admit it. COVID was a big deal – if not medically then economically. I was wrong to brush it off, but at the time I simply didn't know. After seeing the scope and the effects, I know now. I'm sorry if anyone thought I was a jerk, I wasn't trying to be, I was simply uninformed. My views have since changed.


There’s a problem prevalent in some of the more experienced members of the privacy community: the problem of assuming that privacy and security are binary, that one size fits all. As I peruse questions from new people freshly introduced to privacy, I see more experienced people throw out ridiculous solutions. For example, I often see the question in other forums “should I use ProtonMail or Tutanota?” and without fail there’s always one person who says “self-host your own email. It’s more private cause you own your own data, and more secure because you don’t have to rely on anyone else and you’re not a target for attackers the same way a big company like Proton would be.” These answers aren’t technically wrong, but I find them ridiculous for a number of reasons. For one, there’s the technical obstacles: I have my own Nextcloud server at home and I promise you that was not easy to set up. No average person has the time, energy, resources, or sometimes courage to do that. For another, security is relative. I personally would rather trust a major company rather than trust myself to create a “secure” email. I am far from a cybersecurity expert. I think even a big target like Tutanota would be more secure than my garbage server at home. And there’s that: most people don’t have a spare computer lying around, and they’re not willing to go buy one just to spend weeks starting over and agonizing over how to get it barely working like a Rube Goldberg machine made of tinker toys and duct tape. The thing that most makes these solutions “ridiculous” however, is the egotistical assumption that their offered solution is perfect for everyone.

Privacy is Not Binary

Privacy is a sliding scale. Privacy is not a matter of “delete your Facebook and use Signal and now you’re secure.” Deleting Facebook from your phone makes you MORE secure than keeping Facebook’s app on your phone. Using Signal makes you MORE secure than using regular SMS. Doing both makes you MORE secure than doing just one. However, doing one is still better than doing neither. Deleting Facebook altogether is a great idea for so many reasons, but only accessing Facebook from your browser is MORE private than using the phone app. There is a gray area in between “go live in a cabin in the woods purchased under a fake name” and “post your Social Security number on Twitter.”

Privacy is Not One-Size Fits All

More importantly, privacy and security are not a one-size-fits-all solution. That’s exactly why I’ve organized my site in a “pros/cons” format. Using instant messaging as an example, Signal is world-renowned for its security and its ease of use, but it requires a phone number. That can be an issue for someone trying to maintain a degree of anonymity. Some people aren’t worried about that. My mom doesn’t care about privacy. If I want her to respect my private communications wishes, I have to find a solution that’s easy for her to adopt, and it doesn’t get much easier than Signal. In the early days of my career, I worked a job where work schedules and announcements were disseminated via a private Facebook group. If I didn’t at least have an account to access the group, I didn’t get my schedule or important updates. And that early in my career, I was still very much in the “take any job you can get” phase (these days I have a more robust resume and I can afford to be picky).

There are many, many valid reasons that a person may choose to keep their Facebook account. Or WhatsApp. Or Gmail. Or Windows operating system. There are even more valid reasons that a person may choose to use a service someone else created and hosts like Firefox, Wire, Tutanota, Bitwarden, and more. Privacy and security are not black-and-white “either you are secure or you aren’t.” In running this site, I have made myself less secure by creating a public image, posting regularly, and engaging with others. If I wanted total privacy and security, I wouldn’t do any of that. I would stay off the internet. But I’ve also reduced my “attack surface” by doing things like using services that don’t require a real name, using the Tor network to post, and using services that don’t track me such as Write.As and Mastodon.

I will always encourage you, my reader, to be as secure and private as possible because digital rights are human rights. But don’t let the more elitist hipsters of the privacy community fool you: if you’re reading their opinion online, they could be doing better as well. There are circumstances that sometimes require you to take a less secure option: work requires you to use Apple products, or your family simply refuses to leave WhatsApp, or you need Twitter to stay updated on a local issue, etc. I will always suggest you opt out of those things as much as possible and find workarounds, but I will also respect that that’s not always possible. And while you should try to be as strict with your privacy and security as you reasonably can, don’t beat yourself up. The fact that you’re here means you’re going in the right direction, and sometimes it’s enough just to lock your doors and windows.


About once a week or so, I see a post in the privacy community that says something along the lines of “If Product X is open source, how do we know The-Company-Behind-Product-X hasn’t just modified the public code to look good while secretly running something else on their servers?” The short answer is: we don’t.

You Always Trust Someone Somewhere. Always. Period.

My dad is one of those “I walked uphill in the snow both ways to school” types. In his defense, this isn’t always a bad thing. His attitude taught me a lot about self-reliance, taking initiative and control of my own future, and self-improvement. That was a good thing. But I remember one time where I was completely broke through no fault of my own. I don’t believe in playing the victim. Almost always you got yourself into a situation and you should take responsibility for that. But sometimes things happen that are genuinely out of your control and you truly are the victim. It’s rare (on an individual level) but it happens. I had three sources of income at the time and all three failed to pay me for reasons that – in all three cases – were legitimately out of my hands. I’ll never forget my dad telling me that it was my fault, that I should never trust anyone for anything and there had to have been SOMETHING I could’ve or should’ve done differently. To this day, over a decade later, I insist my dad was full of crap about that particular situation.

The fact is, you ALWAYS put SOME measure of trust in SOMEONE SOMEWHERE. Always. Period. Without question. You trust that your boss is going to pay you when you show up for work. You trust the other drivers to stay in their lanes when you drive (for the most part). You trust the food you get at the grocery store to be safe. You trust the construction of your home. You are ALWAYS trusting SOMEONE at SOME POINT. Even if you demand to be paid up front, you’re trusting that the check won’t bounce. Or that the economy won’t suddenly spiral into a recession with hyper inflation. Or that your bank won’t spontaneously close your account. Or that they won’t give you counterfeit bills. You are ALWAYS trusting SOMEONE SOMEWHERE. End of story. Period.

Trust and Due Diligence

The privacy community is a paranoid one. Sometimes that’s good, and sometimes that’s bad. A little paranoia is a good thing in a world where data breaches aren’t disclosed, apps and services lie about what they’re really doing, and companies are aggressively going out of their way to track you. But too much paranoia is bad. Uncontrolled paranoia can lead to problems like anxiety, depression, suicidal thoughts, and other legitimate mental health concerns. (If you suspect you might be spiraling or have spiraled into that territory, please seek help. You are not alone.)

The point is that it’s about balance. Trust should not be blindly given in almost any context. You wouldn’t hire a random person off the street to babysit your kids, you wouldn’t pick a bank you’ve never heard of to manage your money, and you shouldn’t pick services you haven’t researched to safeguard your sensitive information, metadata, and communications. You should absolutely do your research. Is the company/app/service well respected? Do they have a track record of putting their money where their mouth is? They may be open source, but have they been audited? Has anyone expressed any legitimate concerns about their practices?

The key word there was “legitimate.” Lots of people dislike ProtonMail because it costs significantly more money than Tutanota, but their list of complaints ends there. While that may be a deciding factor for you, it doesn’t make ProtonMail any less trustworthy or reliable. As you research a product or service in the privacy community, you will find no shortage of people who have minor complaints about a product. “They’re based in the United States.” “They use X programming language instead of Y.” “They could be more secure if they did ABC.” It’s the privacy equivalent of someone who prefers vinyl over CD. They’re not technically wrong, but you risk getting lost in the weeds. If you’re so obsessed with finding the perfect turntable, cables, speakers, signal processing, and so forth you risk never actually listening to the music.

Instead, focus on legitimate complaints. Are they owned by an advertising company, or a company with a history of packaging malware? Has their code been audited? How do they make their money? If a product is free, you are the product, so if they don’t have a paid model of some kind they’re probably not very trustworthy. Are they using an encryption that’s known to be weak? Does their privacy policy state they log information that you find troubling? Are there credible whistle-blowers from inside the company that have made troubling claims or leaked documents that suggest troubling practices? These are all legitimate complaints. “They cost too much” or “I don’t like their mobile app” is not a legitimate complaint.

Trust Varies

There is something to be said for individual levels of trust and threat modeling. I use Signal as my primary messenger of choice. I do this because I have a VoIP number that I use only for Signal and nothing else. Anyone who searches my Signal number will find very little information about it or me. I can safely hand that phone number out like candy without fear of sacrificing my privacy. Not everyone has access to a VoIP number though, and thus they may only be able to use Signal by using their real phone number, and that may be a risk they don’t want to take. That’s not to say that Signal isn’t trustworthy. It has repeatedly stood up to scrutiny, auditing, data leaks, and has shown itself to be a reliable, secure messenger. But because of its limitations, it’s not right for everyone. Others may choose to use something like Wire or Wickr because they don’t rely on phone numbers. Your specific threat model determines what’s right for you, and picking one service over another doesn’t necessarily mean you don’t trust it.

At the end of the day, however, you have to trust something somewhere along the line. The goal of this site is not to remove trust. That’s impossible. The goal is to teach you how to evaluate things for yourself and decide the right level of trust. If your goal is simply to communicate securely (and cheaply) with family in another country, Signal is great. Even something like WhatsApp or Telegram is technically acceptable. But if your goal is to protect a whistle-blower who’s revealing top-secret information to you, a journalist, then you need a higher standard of trust.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

The other day I posted an article on my feed about how the US Immigration service is using cell phone location data to track immigrants. In light of this article, I feel it a good time to remind you that cell phones are not your friends.

The Problem

Cell phones are 24/7 GPS surveillance devices, constantly leaking data. At any given time, your phone is broadcasting your location. It’s also usually broadcasting a bunch of other information such as WiFi connection information and usage data. Recently, Privacy International found that some devices and apps even transmit personally identifying information such as name, date of birth, and gender without using any type of encryption or security measures. Even within the device itself, there’s a messy web of apps requesting information that they don’t really need and transferring that information to their own creators, leaking even more information about people who didn’t consent to having their information shared with people who don’t need it. (Source, just one of many.)

The Reminder

Phones have made life incredibly easy and convenient in so many ways, and as usual I’m not here to decry the rise of technology. Technology is fantastic and I love it. I have a phone. I have a smart TV. I use decentralized social media. But remember that our phones have been usurped as surveillance devices, constantly betraying us. Our messages, our locations – which are then correlated with other phone locations to create a network of who we know, further creating a startlingly accurate guess at our socio-economic status and a whole host of other things – even the games we play and shows we watch. It’s all being collected at all times for various ends. Some companies just want to sell things to us, some agencies want to catch the bad guys, and a small few powerful people want to control things. The more data they have, the easier it is to do that. If you need a reminder of how this power can be abused, just take a moment to browse through this page.

The Solution

It’s hard to recommend a course of action. I personally have taken to simply leaving my phone at home as much as possible. If I’m going out to dinner with my partner, I pay in cash and leave the phone at home. After all, my goal is to spend time with her. Leaving my phone not only ensures that “they” don’t know where I went, but also keeps me from getting an email or browsing memes when I should be spending time with her. I’ve also taken to doing as little as possible on my phone. I have Signal and Wire both loaded onto my computer, as well as my password manager. I try to keep my phone as clean as possible of apps, only keeping those that I absolutely need to do my job or be responsive as needed. Even though my phone still betrays my location, I try to replace my map app with something like OsmAnd, an open source navigator, to mitigate the amount of data reported. I believe I may have mentioned that I stopped sleeping with my phone in my room a few months ago and replaced it with an old-school digital alarm clock (not the smart kind, the $10 “just tells time and beeps real loud” kind).

As with most things, reasonably abandoning my phone hasn’t had any negative impacts and if anything has only made my life better. I sleep better, I focus more on where I’m at, and I tend to be more in-the-moment. Again, I’m the last person to decry technology, and obviously some of us can’t turn our phones off when we go home, but the goal of this post is not to tell you what to do. Just to give you a quick reminder that your phone, while undoubtedly having improved your life in many ways, is not your friend. Don’t forget that. Keep it on as short a leash as you reasonably can.
