The New Oil

Data privacy & cybersecurity for normal people
TheNewOil.org

What is Wire & Why Do You Need It?

Wire is an end-to-end encrypted (E2EE) messenger available on Linux, Mac, Windows, Android, and iOS. I have long touted the need for E2EE in your daily communications for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.

The Good

Wire has a lot of valuable features. In addition to the obvious things that make it recommended by this site such as being open source and audited, one major advantage of Wire is that it is username based. You can sign up entirely anonymously by signing up on desktop, using a VPN (or Tor), and using a throwaway email. Even without hardcore anonymous signup, you can still retain a great deal of privacy by using a forwarding email address and not submitting a phone number or real name. And because you pick a username, that means you can privately communicate with others without having to provide any personal information like a phone number to that person. You can also have up to three accounts on a single device, allowing you to easily compartmentalize work and personal life.

[Image: Wire on Android]

According to their privacy policy, Wire does not retain any encryption keys, and uses TLS to encrypt metadata when possible. They claim not to retain copies of encrypted data after it has been delivered, and to only keep technical logs for 72 hours for the purposes of troubleshooting and abuse-prevention. Analytics (sending crash reports on iOS and keeping troubleshooting logs on Android) were opt-in (not on by default) when I signed up for an account. Speaking of Android, Wire is available for F-Droid and seems to work just fine without MicroG or Play services, meaning it should work without issue on any degoogled device.

In my review last year, I noted that Wire was slow. This no longer seems to be an issue – or at least, not a Wire-specific one. When I first started testing it – admittedly during a slow stretch at the day job – I noticed right away that my Android device took a little longer to send and receive messages than my iPhone. But once I got home on a different network, they both worked just fine. I also noted last year that Wire was feature-deprived. Specifically I noted a lack of voice messaging and poor GIF support. This also seems to have been fixed. GIFs use GIPHY (probably not proxied like Signal, so use at your own risk), and voice messages have been added. They even have a little drawing board so you can hand-write notes and a “ping” feature to get someone’s attention (if you prefer not to simply say “hey man, you there?”).

Ultimately, I think Wire’s biggest features are the universal availability in terms of devices and the support of usernames. These two features alone make it a powerful choice worth considering.

The Bad

[Image: Wire on Windows 10]

However, Wire is not without its drawbacks, and there are quite a few worth considering. Let’s start with a recent development: who owns Wire? A few years back, Wire took a significant amount of investment from a venture capital firm (who hates VPNs, by the way) called Morpheus Ventures, whose other investments seem to be pretty heavy on the “privacy invasive” side of the spectrum: apps and companies who try to use data to tackle various “problems.” The nature of this relationship was never really fully explained, and it remains that way. Currently Wire is listed under the “Other investments made by Morpheus, our founders or funds previously managed by them.” Pretty vague. Is Wire “previously managed”? Or are they “other investments”? Additionally, around the same time as this investment, Wire moved their headquarters to the US so they could qualify for said investment (and others), but now their website states they are headquartered in Berlin, Germany. Where is Wire based? Who owns how much of it? These questions are unclear. I reached out to them for clarification a few weeks back, but never got an answer since I’m not a paying user. (You can read more about the initial investment and move here, but be aware that this article is from 2019.) It’s also important to know what got Wire booted from Privacy Guides in the first place: changing the privacy policy without announcing it. While this is common for many services, it’s troubling for privacy- and security-advocating services in particular.

Finally, it’s worth noting that Wire is centralized. A premium feature does allow it to be federated for enterprises, but for the average free user, the main centralized server is your only choice.

Conclusion

Wire is far from perfect, but to be honest there is no perfect messenger in the privacy space. The ones that are user-friendly usually have glaring flaws, and the ones that are almost perfect are usually nightmarish to implement and/or use. Wire is definitely not for everybody; however, I think it offers some powerful advantages – much of the metadata collection can be outsmarted with a simple VPN and a forwarding email address (and by using it on desktop only, if your threat model is that severe) – and the ability to have a username instead of a phone number is something that can’t be discredited. Ultimately I think Wire might be a good trade-off between Matrix and Signal: a little more user-friendly than Matrix, but it doesn’t require a mobile device like Signal does. As always, it depends on your needs and threat model.

You can learn more and download Wire here.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates on Mastodon or support my work in a variety of ways here.

Perhaps one of the most underrated and feared things in the quest to protect your privacy is the dreaded privacy policy. Many a question I see – namely the “what do you guys think of [insert service here]?” on Reddit – could be quickly and easily solved by simply taking a couple short minutes to peruse the privacy policy. So this week, I want to talk about how to read a privacy policy – or more accurately, how I read a privacy policy. While privacy policies don’t hold all the answers to your questions, I strongly believe they are an invaluable starting point when researching any new product or service.

What is Voice-Over-IP (VoIP) and Why Do You Need It?

Voice-over-IP – or VoIP – is basically phone calls over the internet or cell data rather than via traditional phone technologies. The technology is far from new – it’s been used in business for decades – but it’s also available for consumers for a relatively low cost.

While VoIP does come with a few drawbacks – primarily the fact that your call quality depends heavily on the strength of your internet connection (via mobile data, for example) – the benefits, in my opinion, cannot be overstated. In no particular order, VoIP can be used to compartmentalize your life, set healthy work/life boundaries, protect yourself from spam calls and robotexts, and protect your overall privacy. For example: if you have a VoIP number you use for work, you can disable that number each night when you get off the clock. You can also use a VoIP number for dating or selling things online, which prevents you from being stalked or harassed if things go south. There is no reason I can think of not to use VoIP of some kind if it’s available in your country.

MySudo is a popular VoIP app in the privacy community for iOS and Android that offers up to nine digital identities. I say “identities” because to say “phone numbers” is to discredit MySudo’s other features: an inbox, a web browser, and virtual cards.

[Image: Photo courtesy of MySudo]

The Good

I think the most obvious advantage of MySudo is the number of identities you can have. Having so many different phone numbers at your disposal offers a lot of flexibility. I believe most people could get away with the MySudo Pro plan (three phone numbers with 200 messages and 200 minutes per month) depending on how many minutes you need. You could use these for work, personal, and other, and for most people that’s plenty. But as I said, the configurations are near infinite and can be whatever you need them to be. You could do a dedicated Signal number, shopping, burners, travel, really whatever your heart desires. Even if you can only afford the SudoGo plan (1 number, 100 messages & 30 minutes), that still reduces the odds of a SIM-swapping attack, so maybe you'd use that for all services that only offer SMS 2FA. It really largely depends on how many minutes you need and how much messaging you do, but there should be a plan that nearly anyone can make use of.

When contacting other MySudo users, you get the advantages of group messaging, end-to-end encryption, self-destructing messages, and even video chat. With non-users, you get SMS, MMS, and voice calling (no group chats or calls and no disappearing messages). You also have an email address for each identity that you can customize (e.g. nbartram@sudomail.com), which is end-to-end encrypted for other MySudo users, and a web browser for each identity that claims to block third party ads and trackers. Each identity can also create masked virtual cards that you can use online to help prevent tracking and card theft. Unlike privacy.com, these cards are not linked to a single merchant but can be reused as many times as you want. Finally, MySudo claims that all your data is stored in a zero-knowledge format and that they don’t log your incoming and outgoing messages. So while your messages may not be end-to-end encrypted coming and going, they are safely free of MySudo’s prying eyes once they’re in your inbox.

The Bad

I am biased toward MySudo. I personally use it in my daily life and depend on it very heavily. Having said that, it’s not without drawbacks.

For starters, MySudo is heavily dependent on stock operating systems like Android and iOS. In order to get a paid plan, you have to go through either the App or Play Stores, but once you’ve done that you can move to a new device as long as the billing plan stays active. However, the actual usability of MySudo with custom ROMs seems to be hit or miss. While MySudo does offer direct downloads for both Graphene and Calyx, I’m also told it doesn’t work on Graphene OS at all. I’m unsure about other custom ROMs. Either way, this presents a challenge for those who wish to take their privacy to the max and truly get as Big Tech-free as possible.

MySudo is also an inconvenience for those who prefer to be as phone-free as possible in general. There’s a web app you can use on desktop, but it has to be synced up manually each time you use it, so I can’t just turn my phone off at the end of the work day or get rid of my phone entirely. Sure, I have most of my most important contacts on Signal, Matrix, or some other desktop-ready communication platform but I’m one of those people lucky enough to work a job that generally respects work/life balance. That means that when I get a late-night text, it’s usually kind of important, so I’d like to be able to have a desktop app where I can get this information in real time without depending on my phone.

[Image: Photo courtesy of MySudo]

There’s also the issue of price, as always. There is a free tier, but it’s pretty useless since you can’t call or text non-Sudo users at all. As I said above, I think most people can do just fine with SudoPro, which is $5/month ($50/year) and gives you 300 messages per month and 200 minutes per month with non-Sudo users, as well as 3 virtual cards and 3 identities. However, I am a firm believer that privacy should not be a luxury and should be available to all. Obviously services like MySudo are not cheap to run and must be paid for somehow, but it still makes me sad that the free level is so restrictive. I always want to be considerate of people who truly are that tight on money. The virtual card feature costs money, too: 2.99% of the purchase price plus $0.31. Again, I understand that nothing is free, but I wonder why they can’t just take a cut off the back end like Privacy.com does.

Then there are the concerns about the limitations of who can use MySudo: MySudo only offers US, UK, and Canadian phone numbers, and you can only sign up for a paid plan in the US, UK, or Canada (UK pricing is not listed on their site, which makes me wonder what other countries are available that we don't know about), while the virtual cards are only available for US users. The app is also available for download in New Zealand, Singapore, and South Korea, but I guess at that point it would function like any other encrypted messenger, requiring both users to have the app, and at that point I would advocate for nearly any other encrypted messenger instead for that use case.

Finally, a word about MySudo's “other features” like email and web browsing: while they certainly are added value, I think they're pointless. Because MySudo lacks a strong desktop app, using the emails is clunky and annoying. The web browser claims to block ads and trackers, but has no publicly-visible list to check. There are other open-source browsers that do this just as easily like Brave, Bromite, or Mull (or hardened Safari). MySudo's real use is compartmentalization, therefore I see no reason to put all your eggs in one basket. I would still recommend an open source, trusted encrypted email provider and an open source, privacy-focused browser over MySudo's offerings. Therefore – again – while they are nifty features, they mostly collect dust in my use case. Likewise, I use privacy.com for virtual cards, which offers me significantly more options, better protections, and no fees. Given that virtual cards are only available in the US, I don't know why anyone would bother using MySudo over privacy.com (unless you don't trust privacy.com, and I'm not sure why you trust MySudo more in that case as they both require your personal information to comply with anti-money-laundering laws).

Conclusion

It’s important to remember that VoIP is not meant to be a replacement for an end-to-end encrypted messenger. A lot of people bash on MySudo because it’s not open source or zero-knowledge, but in my opinion that’s missing the point. What VoIP is meant to be is a way to compartmentalize your life, protect you against data breaches and stalkers, and set healthy boundaries in your own life. In that sense, I personally have found MySudo to meet and exceed my needs. Due to the price, location restrictions, and operating system restrictions it may not be for everyone, but I strongly encourage those who still use a stock iOS or Android and live in an area that MySudo services to look into it. It’s a powerful tool and it may come in extremely handy to have in your arsenal.

You can learn more and download MySudo here.

Updated on Oct 9, 2022 to reflect that a UK paid plan is available. Previously I was led to believe it was not.

Times change. If you're reading this, well, you can read. And I'm willing to bet so can almost everyone else you know and work and associate with, and probably nearly every person you've ever met. In fact, for most people reading this, you've probably never met someone who can't read – excluding small children – and if you did, they were probably the only person you met in such a situation (exceptions, of course, for those who've traveled extensively in less privileged parts of the world). According to Wikipedia, the global literacy rate for all persons aged 15 and above is 86.3% as of 2015.

As most of us know, this wasn’t always the case. According to Our World in Data, the global literacy rate was only 12% in 1820. There were a lot of factors that contributed to the rise of literacy, but a driving force was the Industrial Revolution (1760-1840). Paper production technology improved and mass production of books became cheaper. At the same time, machines made work faster and easier, requiring fewer hands. Children could be sent off to school – where they would learn to read and write – while adults put out of work by machines (or who simply wanted better opportunities) had to learn new skills to compete for better jobs – skills like reading and writing. Fast forward two hundred years or so and here we are.

Times change, and they've changed again. These days, everything is digital. Not just our day-to-day lives, but our economy, our infrastructure, our pay, everything. Everything is digital. If the internet suddenly disappeared for any reason, it would be absolute global chaos on par with a nuclear holocaust. And thus, I argue, the bar has been raised.

[Image: Photo by Thomas Jensen on Unsplash]

In the past, I’ve been “the family IT guy,” but also the work IT guy. I’ve shown coworkers how to organize their Excel spreadsheet entries alphabetically or numerically, I’ve gotten Bitwarden adopted into the workplace at a former day job where we were using abysmal passwords on all of our accounts, and I’ve helped friends and family recover data off old hard drives or remove malware from their computers. And maybe ten or twenty years ago, that was fine. But not anymore. It’s not okay anymore to not know that you can use a search engine to understand and resolve most error codes, to just accept the default settings on your device without verifying them, or to not know terms like “DNS” or understand the basics of encryption such as what a “key” is or what “hashing” is.

Before I get too far on my soapbox, let me state that I’m a reasonable person. I doubt that the wave of new readers in the 1800s were lining up to read and debate the finer philosophical themes of The Divine Comedy, Shakespeare, or The Odyssey. I suspect (though I have not done my research) that the first mass-waves of the literate probably had only a functional level of literacy – enough to read public notices, warning signs at work, and the Bible. And likewise, I’m not for a second saying that it’s time for all of our grandparents and parents to rush out and learn how to self-host their own servers, learn to code and read cryptography, or learn how to compile a kernel from scratch. (It may surprise most of my readers that I only know how to do one of those things with any degree of confidence or competency, and even then I need heavy hand-holding.)

What I am saying, however, is that it’s time to level up as a collective society. The bar has risen. When computers were new – a novelty, a toy that only a few nerds played with – it didn’t matter so much. It was about as important as where Captain Kirk was born or the context of why Chewbacca was part of the Rebellion. But that’s not the case anymore. Computers are no longer just hobbies or reserved for the wealthy corporations. You’re almost certainly reading this on one. Your economy depends on one, as does your job, your recreation, and your social network. In some way, the internet touches nearly every part of nearly everyone’s lives.

[Image: Captain James Tiberius Kirk was born in Riverside, Iowa. Image courtesy of Wikipedia.]

This is why it’s critical that our tech literacy rate go up collectively. We all wish for the good old days – even if it’s a misguided, nostalgia-fueled myth that we’ve blinded ourselves with via rose-colored glasses – but they’re not coming back. Pandora’s box has been opened, for good or bad. Re-using garbage passwords was fine twenty years ago. It’s not anymore. New threats come for all of us, whether it’s as benign as annoying spam or as serious as phishing, ransomware, and identity theft. They’re not going away any time soon, if ever. It’s no longer acceptable to flap your arms in frustration and go “I’m just not good with computers! Someone needs to help me!” Most of us, if we screwed up a set of instructions, wouldn’t cower behind the defense of “I’m just not good with words! Why didn’t the English guys come help me?” (Except maybe those with actual disabilities such as dyslexia.) Such an excuse would get you a look of “are you serious?” and possibly a prompt dismissal depending on how bad the screw up was.

Again, I’m not saying we all need to become cybersecurity experts, and I’m not suggesting it needs to happen overnight. I have no expectation that my mom will wake up tomorrow and know how to outfox the Equation Group. But I do expect that sometime soon, she’ll know what makes a good password and use strong, unique passwords across all her accounts with the help of a password manager. There are certain basic criteria for all areas of life: you don’t hit people, you don’t tell that dark joke at work, you know how to politely excuse yourself to use the restroom. It’s time that all of us accepted that the basic criteria for functioning in a digital world have been raised. It may be uncomfortable, maybe even difficult for some. But the bar is not going to lower any time soon. We can no longer cower behind fear of the unknown and intimidation of new things as an excuse to continue letting ourselves and those around us be unprotected. Times have changed, the bar has risen. We must all rise to meet it, and help those around us as needed.

Disclosure: I have an affiliate link with ProtonVPN that gives me a small financial incentive if you sign up for a paid plan using it. You do not have to use this link, I provide a non-affiliate link at the end, and I tried my best to be unbiased in this review.

What is Proton VPN?

A VPN is a service that creates an encrypted tunnel between the device and the provider's server, protecting all your traffic from prying eyes along the way like your Internet Service Provider (ISP) or whoever owns the router (think public Wi-Fi, for example). After reaching the provider's server, your traffic continues on to your desired destination like normal. Proton is one such service, very popular in the privacy community because they offer a number of features as well as an entire ecosystem (which will, of course, be touched on here).

Why Do You Need a VPN?

You may not, to be honest. I recommend you check out IVPN's site “Do I Need a VPN?” here. A lot of people really hype VPNs as one of those absolutely, must-have, life-changing things that will solve all your problems. Some mainstream providers even make ridiculous, outright false claims like “it'll make you anonymous” or “it'll protect you from viruses.” In all honesty, while I do believe that VPNs are an essential piece of your privacy strategy, there are many other free or low-cost strategies that will give you significantly more protection. A VPN these days pretty much only has two purposes: changing your IP address and protecting your traffic from local snoops. Changing your IP address is a valuable part of avoiding tracking, but it’s just one way and a VPN won’t protect you against those other methods like browser fingerprinting, tracking pixels, cookies, and more. Likewise, while it can be great to protect your traffic from your ISP or a local cybercriminal, from a security perspective you’re already pretty well covered so long as you enable your browser’s HTTPS-Only mode and make sure you’re using the correct sites instead of spoofed/phishing sites. Having said all that, I do still consider a VPN to be a useful and recommended part of your privacy and security posture if you can afford one. It can bypass censorship, stop your ISP from selling your browsing data, help obscure your IP address from tracking and logging, and protect your traffic from certain attacks.

Why Not Tor?

Some people prefer Tor over VPNs. Tor is a great service, but it also has some issues that make it the wrong tool for certain situations. For example, many essential services – like banks – block known Tor IP addresses to prevent fraud and abuse, making those services nearly impossible to use with Tor. Second, Tor loses almost – if not – all of its anonymity once you log in to something. If you log in to your email and then your Reddit account in the same session, they’re now tied together and you’ve lost your anonymity benefit. For this reason, I recommend reputable VPNs for any services that are tied to your real identity or sensitive, and Tor for random searches or accounts that are not tied to your real identity.

The Good

There's a reason Proton is a titan in the privacy community. Lots of them, actually. ProtonVPN is based in Switzerland – a country renowned for having strong privacy laws. They offer over 1,700 servers in 64 countries – including India, which they recently announced a workaround for so they could still serve Indian users without violating privacy or Indian law. Their apps are available on all operating systems and feature a very clean, modern look. They even offer a free tier to let you try out the service and see if you like it. All their apps are open source and they regularly do third-party audits.

ProtonVPN offers NetShield, a DNS-based ad/malware/tracker blocker. They offer tons of documentation for things like putting a VPN on your router or making use of various features. They offer unlimited bandwidth and even offer a “VPN Accelerator” tool that claims to ensure you're always getting the best speed possible. Proton offers tools like P2P servers, Tor-over-VPN, kill switches, I mean honestly, if you want it out of a VPN, Proton likely offers it. In fact, Proton is the only VPN we recommend at The New Oil who proudly guarantees that you can still stream services like Netflix and Hulu. (I can attest that this works very well.) They also allow you to use the IKEv2 protocol on their iOS app, meaning you can use ProtonVPN alongside a content blocker such as Lockdown or Blokada.

Proton goes a step further by offering a total ecosystem. Your Proton account doesn't just get you a VPN, it gets you email, calendar, and a cloud storage system. As I've mentioned in previous blog posts, sometimes the presence of apps on various operating systems can be inconsistent – for example, at the time of writing Drive is available as an Android app but not desktop or iOS – but still. The whole ecosystem is available and growing, and in the privacy community that's no small thing. Proton is increasingly becoming the all-in-one privacy alternative to services like Google and Apple that the average person wants – simple, elegant, and user friendly.

The Bad

Don't get me wrong though, Proton is not a perfect service. Nothing is. For starters, right out the gate, their Linux app sucked. When I tried to download their VPN app, it simply didn't work. At first I thought this was my fault (I use Qubes as my Linux distribution of choice, so I'm used to running into extra challenges that most people don't), but when I tweeted them for help other users quickly confirmed this is not new or unique. Bummer. I appreciate Proton making privacy more accessible, but they seem to be only operating on a small window of skill. Once you advance past their target audience, time to move on.

I'm also incredibly disappointed that they don't support hardware tokens for two-factor authentication. They do support TOTP, which is fantastic, but I'd like to see them offer more advanced security for those who need (or want) it. On the note of offering their users maximum privacy/security, their signup could be better. They don't accept Monero (but they do accept Bitcoin and cash) and new accounts require verification, either via a phone number, recovery email, or payment. That makes creating a truly anonymous account difficult – impossible, in practice, for the average user they seem to be targeting.

Finally, there are drawbacks to being the big guy. As I type this, I tried to do a Brave Search but was met with one of those “drag the slider to confirm you're not a robot” captchas. I gave up after ten and went to SearXNG. This unfortunately happens frequently, especially on mobile, but I never notice any such captchas with other VPN providers like Mullvad and IVPN. I can only assume that because they are the big guys with free servers they get abused a lot more, necessitating such measures.

Conclusion

Proton is a common VPN choice in the privacy community, with good reason. Between open source apps, great jurisdiction, and a mountain of features I really have few bad things to say about them (other than what I already noted above). They're a great choice if you're still looking for a VPN provider – especially if you're a big streamer – and the included ecosystem really cements why they're one of the top dogs in the privacy community. If you're in the market for a good VPN, you'd be remiss not to at least give Proton a glance. They're one of the more expensive options we recommend, but they're worth every penny in my opinion.

You can learn more and sign up for ProtonVPN here. If you want to support us when signing up, we have an affiliate link available here.

In this review, I’ve decided to lump both Bitwarden and KeePass into the same review because of their vast similarities. However, there are some key differences that I will outline below. I don’t think of this blog as “Bitwarden vs KeePass.” In fact, I use both myself for different purposes. I hope that discussing this below will help you decide which is right for you, or if both are – like in my case – how to use them to their maximum potential.

A quick note, in this review I am using “KeePass” as a general term to refer to any KeePass client. Personally I use KeePassXC and therefore will base all my information on that experience, but the same general trends should hold true for other forks as well.

The Products

Bitwarden and KeePass are both password managers. A password manager is a critical piece of technology that I would argue is mandatory in today’s world, as it gives you a secure place to store your login (and other) information. This serves several purposes. The first and most obvious is account security. Modern cybersecurity advice says that passwords should be at least 8 characters (more, depending on whose advice you listen to); contain a mix of uppercase and lowercase letters, numbers, and special characters; and should not be reused anywhere. This makes the idea of remembering your passwords laughable – even those with the best memory would struggle after a few accounts, and less-used accounts would be quickly forgotten. A good password manager will help you adhere to best password practices and keep track of all your accounts with zero effort on your end. It is a commonly held piece of wisdom that if you know your passwords, they aren’t strong enough (with the exception of passphrases used to log into your password manager and devices). Password managers can also serve numerous other purposes, like helping prevent phishing and keeping track of other critical information like 2FA seeds, security answers, and more.
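To make the rules above concrete, here is an added example (my own illustration, not code from Bitwarden or KeePass) that audits a small vault against exactly that policy and generates replacements that satisfy it. The vault contents, the `SPECIALS` set and the field names are constructed for the example; the one thing worth copying is the use of the operating system's CSPRNG via `secrets` rather than `random`, and comparing passwords for reuse by digest so the report never holds plaintext.

```python
# Added example (not Bitwarden or KeePass code): a small vault audit that encodes
# the password rules stated above and a generator that meets them.
import hashlib
import secrets
import string

MIN_LENGTH = 8  # the minimum the text cites; raise it if your advice is stricter
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"  # constructed set of "special" characters
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def policy_violations(password: str) -> list[str]:
    """Return the rules this password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG (the secrets module, never random)
    and retry until every rule is met. Rejection sampling keeps the result
    uniform over all passing strings of that length."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def find_reuse(vault: dict[str, str]) -> list[list[str]]:
    """Group accounts that share a password. Comparison is done on SHA-256
    digests so the report itself never holds plaintext passwords."""
    groups: dict[str, list[str]] = {}
    for account, password in vault.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups.setdefault(digest, []).append(account)
    return sorted(sorted(accounts) for accounts in groups.values() if len(accounts) > 1)


def audit_vault(vault: dict[str, str]) -> dict[str, list[str]]:
    """Per-account findings: policy violations plus any reuse. Accounts with
    no findings are left out of the report."""
    report = {account: policy_violations(pw) for account, pw in vault.items()}
    for group in find_reuse(vault):
        for account in group:
            others = ", ".join(a for a in group if a != account)
            report[account].append(f"reused on {others}")
    return {account: findings for account, findings in report.items() if findings}


# Constructed sample vault (not real credentials) so the example runs offline.
SAMPLE_VAULT = {
    "email": "Summer2024!",
    "bank": "Summer2024!",
    "forum": "password",
    "shop": "Tr0ub4dor&3",
}

if __name__ == "__main__":
    for account, findings in audit_vault(SAMPLE_VAULT).items():
        print(f"{account}: {'; '.join(findings)}")
    print("replacement:", generate_password())
```

Run as-is it reports the shared password on "email" and "bank" and the three rules "forum" breaks, then prints a fresh 20-character password; "shop" passes every rule and so does not appear in the report.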

The Good

Bitwarden and KeePass both start off with a lot of positives in common, like being open source and free. Bitwarden has a premium tier we’ll get to later, but even their free tier should offer all the functionality an average user would need. Both allow unlimited entries, multiple devices, folders, and much more. Both also feature browser plugins, which can help prevent you from falling prey to a phishing attack. (This works because if you click a link that lands on a site whose address doesn’t match the one saved in your vault, the plugin won’t offer to auto-fill your login details, tipping you off that something’s not right.) Bitwarden can also be self-hosted if you like the product itself but want a little more control over your data.
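The phishing protection just described comes down to one decision: does the page you are on belong to the same site as the saved entry? The following is an added example of my own (not code from the Bitwarden or KeePassXC projects) showing a simplified version of that decision. The vault entries, the hostnames and the short suffix list are constructed placeholders; a real extension uses the full Public Suffix List and offers several match modes, but the core idea is the same.

```python
# Added example (not code from Bitwarden or KeePassXC): a simplified version of
# the "offer saved logins only on the site they were saved for" check.
from urllib.parse import urlsplit

# Constructed, deliberately short list of two-label public suffixes. A real
# extension consults the full Public Suffix List so that "example.co.uk" and
# "other.co.uk" are recognised as different sites.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Reduce a URL to the domain someone had to register to control it.
    urlsplit().hostname ignores userinfo, so 'https://bank.example@evil.example/'
    resolves to evil.example rather than the bank."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def entries_for_page(vault: list[dict], page_url: str) -> list[str]:
    """Names of vault entries that may be auto-filled on page_url.

    Two rules: the registrable domains must match, and a login saved for an
    https site is never offered to a plain-http page (a design choice for this
    example, so a downgraded look-alike page gets nothing)."""
    page = urlsplit(page_url)
    page_domain = registrable_domain(page_url)
    offered = []
    for entry in vault:
        saved = urlsplit(entry["uri"])
        if registrable_domain(entry["uri"]) != page_domain:
            continue
        if saved.scheme == "https" and page.scheme != "https":
            continue
        offered.append(entry["name"])
    return offered


# Constructed sample vault; names and domains are placeholders.
SAMPLE_VAULT = [
    {"name": "Example Bank", "username": "nbartram", "uri": "https://login.examplebank.com/"},
    {"name": "UK Forum", "username": "nb", "uri": "https://forum.example.co.uk/"},
]

if __name__ == "__main__":
    for url in (
        "https://www.examplebank.com/account",
        "https://examplebank.com.secure-login.example/",  # look-alike host
        "https://examplebank.com@evil.example/",           # userinfo trick
        "http://www.examplebank.com/",                     # downgraded scheme
    ):
        print(url, "->", entries_for_page(SAMPLE_VAULT, url))
```

Only the first URL gets an offer. The look-alike host is registered under `secure-login.example`, the `@` form hides a different host entirely, and the plain-http page is refused even though the domain matches. That silence is the "tip-off" the paragraph above refers to: the manager is not detecting phishing as such, it is simply declining to fill anywhere but the site the login was saved for.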

In terms of functionality, KeePass is the clear winner. Because KeePass is fully free in every sense of the word, there is no functionality hidden behind a paywall. You can add your 2FA seeds, unlock your password vault with a hardware token, and more.

In terms of look, Bitwarden outdoes KeePass by a long shot. KeePass works, but it’s not the prettiest program ever. Bitwarden, meanwhile, looks much more modern and sleek, and even has different entry types so you can easily store common information like names, credit cards, and notes. KeePass can technically be made to do all this stuff, but you’re really using a password entry while Bitwarden has these entries already modified to look right. For example, I store my emergency credit card information in Bitwarden in case I ever need it while I’m not home. In KeePass, this would require me to enter the credit card number in a field normally used for logins, like “Password,” “Username,” or maybe the “Notes” field if I want. While there’s no real issue with this, it does bug my perfectionist nature a little bit. In Bitwarden, there’s an actual credit card entry that has fields like “Cardholder Name” and “Number” and “Expiration.” Same with Notes, and Identity. (Pro Tip: you can use the “Identity” entries to keep track of your various disinformation identities, like how Nathan Bartram lives at 350 West Wolf Point Plaza in Chicago.) Bitwarden also automatically pulls login icons for websites, while KeePass must be made to do this. Admittedly, this is either a pro or a con depending on your threat model and preferences, which brings me to my next point.

Let’s get to the elephant in the room: cloud syncing. Depending on your threat model and/or level of caution, cloud syncing is either a pro or a con for you. If you have a low threat model and value convenience, Bitwarden is the clear winner here. They are cloud based, with apps on Android and iOS, as well as Mac, Windows, Linux, and the aforementioned browser extension. Bitwarden is password security on easy mode. If you don’t trust the cloud – or you don’t trust Bitwarden for whatever reason – KeePass is going to be the best choice for you. You can manually sync your vault between devices by either plugging them in and uploading them, or by using a cloud service like Nextcloud or Filen.

The Bad

Let’s start with KeePass’s drawbacks because I think there are fewer of them. The most obvious, I already noted, is the UI. However, there’s also the cloud sync and plethora of forks. Because KeePass is not cloud-based, it’s up to you to make sure that you’re keeping good backups in case your device ever dies, becomes corrupted, gets stolen, etc. I discuss this on the site, but it can never be overstated. Losing your passwords is hard to bounce back from. It can also be tedious syncing your database, even if you have a good system in place. At one point, I was keeping my database in a cloud folder so it would always sync up automatically, then using Strongbox/KeePassDX on my mobile devices. Even with this near-realtime cloud setup, I would still have to routinely import the newest version of my vault into the mobile apps to ensure I had the latest entries, and I would also have to be careful not to save over them. And on that note, KeePass is mostly a community-driven project in the sense that there is no universal KeePass client that works everywhere. KeePassXC is the closest you’ll get, as it works on Linux, Mac, and Windows, but for mobile you’ll need to find another client such as Strongbox for iOS or KeePassDX for Android. It’s definitely not as smooth and seamless of an experience. KeePass also doesn’t come with any sort of automatic sharing features like Bitwarden. If I wanted to share a login with someone, I’d have to export it somehow and send it to them over a secure channel.

Now let’s talk about Bitwarden. I’ll start by addressing the cloud part, since that’s a double-edged sword. Bitwarden is cloud-based. If you value convenience, this is great. But it also comes with some risks. For example, since Bitwarden is centralized, that means if they ever suffer a data breach, your vault could be at risk since they store it for you. Now just to be clear, if Bitwarden is encrypting your vault properly – and I personally believe they are – then you have nothing to fear in the event of this happening. Still, it’s a very unsettling thought. Your vault has the keys to your entire digital life – which could include things like bank logins, logins for sensitive accounts and communications, and more. Even if it is practically unhackable, I still wouldn’t exactly be comfortable handing out a copy of that to just anyone. And of course, again, this is predicated on the assumption that they’ve implemented their encryption correctly. Bitwarden is very popular, meaning a lot of experts have no doubt laid eyes on the code, and they’ve even been audited, but all it takes is one slip up to create a vulnerability. It’s a lot of trust you’re placing in someone.
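To make the “if they encrypt properly, a breach is survivable” argument concrete, and to tie it back to the password-strength advice earlier in the review: this added example (a simplified scheme for illustration, not Bitwarden’s actual construction) shows what a stolen server-side copy gives an attacker and why the outcome comes down to the master password’s entropy and the key-derivation work factor. `DEMO_ITERATIONS`, the wordlist and the `auth_verifier` construction are assumptions for the demo, and the sample passwords are constructed.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Iterable, Optional

# Reduced work factor so the demo runs in milliseconds. Real vaults use
# hundreds of thousands of PBKDF2 rounds (or Argon2id); that cost is what
# makes every attacker guess expensive. Assumption for this example only.
DEMO_ITERATIONS = 2_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_key(master_password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key; the key never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def auth_verifier(key: bytes) -> bytes:
    """What a server could hold to check a login: a MAC under the key, not the key itself."""
    return hmac.new(key, b"vault-auth", hashlib.sha256).digest()


def offline_attack(salt: bytes, verifier: bytes, candidates: Iterable[str],
                   iterations: int = DEMO_ITERATIONS) -> Optional[str]:
    """Simulate an attacker who stole (salt, verifier) in a breach and guesses offline.

    Nothing rate-limits this: each guess costs one KDF run, so the only
    defences are the KDF cost and how many guesses the password survives.
    """
    for guess in candidates:
        if hmac.compare_digest(auth_verifier(derive_key(guess, salt, iterations)), verifier):
            return guess
    return None


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace at the given rate."""
    return (2 ** (bits - 1)) / guesses_per_second / (3600 * 24 * 365)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """What a manager generates for you: uniform random, no memorability required."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    # Constructed wordlist standing in for a real cracking dictionary.
    wordlist = ["password", "letmein", "Summer2023!", "Summer2024!"]

    stolen = auth_verifier(derive_key("Summer2024!", salt))
    print("human-chosen master password cracked with:", offline_attack(salt, stolen, wordlist))

    stolen = auth_verifier(derive_key(generate_password(20), salt))
    print("generated master password cracked with:", offline_attack(salt, stolen, wordlist))

    print(f"8 random chars: {entropy_bits(8, len(ALPHABET)):.1f} bits; "
          f"20 random chars: {entropy_bits(20, len(ALPHABET)):.1f} bits")
    # Even at a billion guesses per second with no KDF cost at all, 20 random
    # characters are out of reach; a dictionary word is not, at any iteration count.
    years = expected_crack_years(entropy_bits(20, len(ALPHABET)), 1e9)
    print(f"expected years to crack 20 random chars at 1e9 guesses/s: {years:.3g}")
```

The takeaway for the Bitwarden-versus-KeePass question is that a breach of the server turns the vault into exactly this offline problem; a KeePass database stolen from a cloud folder is the same problem. The thing you control in both cases is the master passphrase.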

On that note, let me address a complaint I’ve seen float around a few times: there are allegations that Bitwarden’s web vault is not properly protected against malicious JavaScript being injected into the page, which could allow an attacker to steal your login credentials. This is concerning, for sure, because as the end user you’d really have no way of knowing. However, in my experience, people love apps. I suspect that most people who use Bitwarden won’t be using the website except to make serious changes to their account like buying a premium plan or changing their password. I know that’s my use case. This seriously reduces the risk of this attack, and between that fact and my belief that the gains from using a password manager outweigh the risks in this usage model, I would still strongly encourage people who are considering Bitwarden to go ahead and use it. I preach Bitwarden to everyone I know without reservation, and as far as I know nobody I’ve convinced to use it uses the website. They all download the app and the browser plugin. Having said that, if you’re reading this and you work for Bitwarden, I strongly urge you to consider addressing this attack. It’s only a matter of time before it gets abused, and when it does you guys are gonna look pretty stupid for brushing it off all these years. Surely you can afford it now.

Finally, I should address that some of Bitwarden’s features are premium only. As I said earlier, the core functionality of Bitwarden is free – unlimited entries, unlimited devices, etc – and there’s really no reason that this shouldn’t work just fine for the vast majority of people. However, there are some paid features that would either increase user security or make life a lot easier for users. For example, being able to lock your vault with a hardware token is a paid feature. Such a feature substantially increases your vault security. Another paid feature is the ability to store your 2FA seeds in your password vault. While this is potentially risky as it creates a single point of failure, it also makes using 2FA nearly effortless, and it’s something I would encourage if it’ll make the user more likely to use 2FA (assuming they also have a strong vault passphrase and 2FA enabled on the vault, too, for maximum protection). It’s a bummer to see such powerful features locked behind a paywall, but I suppose it’s somewhat fair. TOTP 2FA (the kind where you get a new code every thirty seconds) is still supported on the free account, and Bitwarden has to make money somehow, and also you could always just self-host it if you really want those features for “free” (in quotations because we’re not counting the cost of the server/VPS, time spent, etc). Again, the important functionalities are free, and that’s what matters.
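A worked example of what a “2FA seed” in a vault actually is, added here as illustration (not Bitwarden’s or KeePassXC’s code): the seed plus the current time is everything needed to produce the code, which is why an entry holding both password and seed collapses two factors into one. The vault entry is constructed; the seed is the RFC 4226/6238 test key rather than any real account’s secret, and the `window` drift tolerance in `verify_totp` is an assumption about how the verifying server behaves.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed vault entry. Whoever can read this one record has both the
# "something you know" and the "something you have" for the account.
VAULT_ENTRY = {
    "name": "Example account",
    "username": "alice@example.com",
    "password": "correct horse battery staple",
    "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # base32 of "12345678901234567890"
}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_seed: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current `step`-second window."""
    seed = base32_seed.strip().replace(" ", "").upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))  # restore stripped padding
    return hotp(key, at_time // step, digits)


def verify_totp(base32_seed: str, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check tolerating `window` steps of clock drift, with a constant-time compare."""
    for drift in range(-window, window + 1):
        expected = totp(base32_seed, at_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def current_code(entry: dict) -> str:
    """What the manager displays next to the password when the seed lives in the vault."""
    return totp(entry["totp_seed"], int(time.time()))


if __name__ == "__main__":
    print("password:", VAULT_ENTRY["password"])
    print("current TOTP:", current_code(VAULT_ENTRY))
```

The drift `window` is the usual trade-off: a larger window tolerates worse clocks but lets an intercepted code stay valid longer, so keep it small and reject reuse of a code that already succeeded.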

Lastly, Bitwarden offers an emergency access feature. I can set another Bitwarden user – like my spouse – to be the emergency contact. If she requests access and I don’t respond within a certain time frame (I think it’s 7 days), she’ll automatically be given access to my vault. This is to ensure that if anything happens to me, she’ll be able to log in to stuff like the bank, my email, and whatever other accounts she needs to handle our affairs. KeePass, being offline, does not offer such a feature. In either case, I encourage you to think about this kind of stuff and have a plan in place should the worst happen. I discussed this more in my blog post here.

Final Verdict

As I said above, I use both password managers. For those curious, here’s a quick explanation of how I do it (quick piece of context: I dual-boot both Linux and Windows. I use Windows for gaming and for producing videos and music): I use KeePassXC for all of my passwords, even the ones I also have in Bitwarden. This is the vault I export regularly as part of my routine backup schedule. Anything that I need to access on a different device – like Windows or mobile – or anything that I need to share with my wife, I put in Bitwarden. So for example, my Discord and Matrix logins are saved in both KeePassXC and Bitwarden, because I like being logged into my communities on Windows so that I can keep an eye on them and respond if necessary even when I’m doing stuff on Windows. I also have things like Proton in there so I can access Drive or my email when on Windows to transfer files between my two OSes easily. Then there’s the stuff I share with my wife, like the electric company login, the emergency credit card, and Netflix. Bitwarden makes it easy to sync logins between operating systems and to share them, but for the extra sensitive stuff like bank logins or accounts I don’t need immediate 24/7 access to, there’s always KeePass, where I can ensure more control over my vault and more easily integrate the backups into my workflow (for the record, Bitwarden does backups just as easily as KeePass, KeePass just works better for my personal workflow). I trust Bitwarden, but personally I also err on the side of “why take unnecessary risks?” If I don’t need regular, sudden access to the account, then I prefer to keep it offline just in case. But that’s just me.

In the end, I believe that both password managers are excellent choices, and really the deciding factor is your preferences. If you prefer not to trust the cloud, you have good backup procedures in place, and you don’t mind some inconvenience when it comes to syncing your passwords across devices or sharing them with others, KeePass is the clear winner for you. If you want something easy that looks sharp and syncs across devices with no effort on your end but also has a strong reputation and good security, Bitwarden is the right choice. Regardless of which one you pick, I hope I’ve helped lay out the differences of each and helped make the choice a little bit easier for you. Remember to keep your vault secure. Password managers are game changers in making your digital life safer and more convenient, but they’re also putting all your eggs in one basket if you don’t take securing them seriously. With that said, be sure to check out these two password managers if you still haven’t adopted one yet.

You can check out Bitwarden here and KeePass here.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates on Mastodon or support my work in a variety of ways here.

Privacy can be overwhelming. It seems like every company out there is intent on collecting as much data as possible. For example, this morning I noticed that GasBuddy – the app that helps you find the cheapest gas for your car – wants permissions to access your Apple Health fitness data. Because apparently I plan to run to the gas station and carry the fuel back to my car, I guess? On top of that, we’re routinely subject to companies flat-out lying about their data collection and use policies – like when Twitter claimed they’ll only use your phone number for 2FA (spoiler alert: they used it for advertising) or when TikTok claimed they don’t send user data to China (spoiler alert: that was also a lie). And it’s only getting worse.

It’s for that reason (that privacy can be overwhelming at times) that I strongly emphasize a focus on mental health. The surveillance state wasn’t built in a day, and odds are that the mistakes you made in feeding data into it didn’t happen all at once either. It’s going to take time to climb back out of that hole, to erase any data you want to and find the right tools and techniques to protect yourself going forward. One technique I strongly preach to help manage the deluge of options and rabbit holes to study is to take it step by step. I also strongly encourage people to focus on themselves. I’m not sure I’ve ever publicly issued this statement before except in response to forum posts and the like – such as the infamous “I can’t get my family to switch to Signal” (I’ve addressed that specific one before) – but this is one of those “more art than science” delicate balances we each have to find in our own lives. There’s nothing wrong with asking friends and family to use things like Signal or ProtonMail to contact you – maybe even offer to help get them set up with it – but at the end of the day we can’t force them to do anything. You may have heard the popular “Serenity Prayer”: “Grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference.” Good words to live by in almost any area of life.

Unfortunately, accepting that we are not in control of the actions of others (unless you’re in some sort of BDSM power dynamic) means that we are frequently faced with a choice: to accept it, or to walk away. (Technically “fighting it” is also an option, but I’m assuming you already did that in the form of asking people to make a certain privacy-oriented change, and if you push the issue too hard you end up pushing people away, ultimately resulting in the “walk away” option being chosen for you.) The real friction arises here when we realize that nothing happens in a vacuum. I strongly believe that everything is intersectional and causal. In other words: I don’t believe anyone just wakes up and does anything without reason, and in nearly every situation, whatever they do impacts someone else. Those impacts may be positive or they may be negative, but they’re still impacting someone somewhere to some degree.

And this brings us to privacy: when the people around you refuse to use encrypted messaging, or choose to use social media, or make pretty much any other privacy-adjacent choice, this impacts you. Here’s an easy example: if someone you know downloads TrueCaller (or a similar robocaller-blocking app), your name and number will get caught up in that database without your consent. If my mom refuses to use Signal, I have two choices: I can accept that and text her anyway using insecure SMS, or I can simply stop talking to her. Now for the record, I am a huge believer that “family” is an overrated concept – the fact that you share some DNA with a group of people due to complete coincidence that was beyond your control or choice does not give those people the right to take advantage of you. If someone’s a toxic person who doesn’t belong in your life, you should cut them out like the malignant tumor they are, regardless of whether they’re family, a coworker, or anyone else. But that’s not privacy related, that’s just called self-respect and knowing your worth. In my case, my mom is not a toxic person. She’s supportive, caring, and enriches my life by being part of it. So I don’t want to stop talking to her. But her choices are impacting my privacy. Her refusal to use Signal is leaving some of my communications exposed.

For the record, my mother is actually a consistent Signal user; she even got some of my other family members on it without me being involved. This was just a thought experiment. But these are the kinds of real choices we will all face as we try to protect our privacy in this world. And the extent of these risks varies. Most of the privacy enthusiasts I meet – likely including you reading this – generally have pretty good practices. We use strong passwords, we 2FA everything we can, we encrypt every text and email we can as well as our devices, we’re mindful of what we post and what we put online. Most of the people I talk to are either in a good spot or are on the way to getting where they want to be. Which is great! But you’re only as strong as your weakest link, and for many of us that means our family members. In some cases, this weakness may be trivial: maybe your boss doesn’t use Signal, but you guys pretty much only ever text to say “hey the meeting tomorrow got rescheduled for Friday” and other non-sensitive stuff like that. In more extreme cases, maybe your parents are posting pictures of your kids on Facebook despite you expressing your wishes that they wouldn’t. That’s a lot bigger of a problem, in my opinion.

This is one of my more “philosophical” posts in that I won’t be leaving you with any specific recommendations. That’s because the exact nature of your threat varies, as well as your threat model. I’m very fortunate. Last time my mother visited, she didn’t just visit me, she visited a lot of other family and friends in the state. Later when she sent the pics to the rest of the family, she explicitly wrote in her email “please don’t upload any pictures with Nate to Facebook or any other sites.” I didn’t even ask, I had no idea she was going to send photos to people. I’m lucky to have people in my life who respect my craziness, even if they don’t understand it or don’t care as much as I do. But I’m the exception. I’ve heard lots of people say things like “my parents uploaded pictures of my kids even though I explicitly asked them not to.” That’s rough. On the one hand, that’s a blatant disrespect for your wishes. But on the other hand, maybe they’re not actually “toxic” people and you don’t want to cut them off from their grandkids. These are choices you have to weigh. First off, what is your threat model? A lot of people – in my experience – don’t start there often enough. They seem to go straight to “this is a problem, how can I fix it?” Is it though? Maybe it is. Maybe you don’t want your kid’s face on Meta’s servers for the rest of eternity. That’s fair. If I had kids, I wouldn’t either. But as with any privacy hiccup, the threat model is a good place to start: “is this really an actual problem?” If it is, maybe you have to do the hard thing and say “you can’t take pictures of the kids at all anymore.” If it’s not that big of a deal – more of a preference – maybe a serious talk is in order. Or maybe some sort of compromise, like “you can upload pics but only if their face is obscured.”

This is all a hypothetical scenario for me, but I’m sure it’s not for many of the parents reading this. I’m sure you’ve all at one point or another had to sit down and explain to your family why you don’t want to post pictures of the kids on FB, or why you’ll only send pics via Signal or Proton or something like that (sorry I’m shilling those two so hard today, just using them as shorthand for “secure services”). There are no easy answers here. Again, if someone’s toxic and only bringing negativity into your life, just cut them out. That’s a pretty straightforward, easy answer in my opinion. It may cause a drama storm, but eventually the storm will pass and your life will be better off for it. But if it’s someone you love who’s causing these vulnerabilities out of ignorance rather than malice, it’s a tough line to walk. Maybe you’ll need to be firm. “If you don’t start using Signal, I won’t reply to your texts.” Maybe you need to frame the problem in a way they’ll understand. “Hey, you know how the internet is a dangerous place and we want to keep the kids safe, right? That’s why I want you to keep pictures of the kids off social media.” There are no easy answers here. But my goal was not to provide answers; instead it was to bring to your attention a weakness in our defenses that frequently doesn’t get properly addressed. These may not be pleasant conversations to have, but if you want to put yourself in the best privacy and security position possible, they need to happen.

Before I go, I want to reiterate two things. First off, your mental health matters. Do not cut off loving, supportive, well-meaning family members if your threat model doesn’t call for it. Second, and related, be sure to threat model. One mistake doesn’t mean you need to go nuclear, burn down the house, and move the family into witness protection (not for most of us, at any rate). Be patient with your loved ones if they’re trying, but be firm with your boundaries. Boundaries are really important, and people should respect them. Make them clear. I hope this has helped spark some thoughts.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates on Mastodon or support my work in a variety of ways here.

What is Threema & Why Do You Need It?

Threema is an end-to-end encrypted messenger available on Android and iOS. Linux, Mac, Windows, and web clients also exist, but you’ll have to create an account on mobile first before connecting them (like Signal). I have long touted the need for E2EE in your daily communications for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.


The Good

Threema has a lot of strong attributes to like. Starting at the top, the company is based in Switzerland, which is well known for having strong consumer data privacy laws. They follow this up by having been audited by Cure53 – a well-reputed security company with a history of audits like this. Finally, Threema offers a lot to their users in the way of privacy and anonymity. You can sign up without ever entering any personal information, like a phone number or username. Instead, they assign you a randomly generated ID – a short, easy-to-share one (unlike some other messengers), which can just as easily be shared as a QR code. You can also pay for a license via the website, using a masked payment option (such as a privacy.com card or a prepaid gift card) and an alias or masked email address for near total anonymity.

The online payment option is particularly valuable for people with De-Googled devices, and on that topic Threema has been a champion of open source and free software ever since they open sourced their code in late 2020. Some of their recent privacy-first moves include things like trying to raise awareness for data privacy week, running an ice cream truck where they asked people to pay with their data to point out how invasive and ridiculous it is, and moving away from Google services for push notifications on Android, which later evolved into Threema Libre, a fully open-source version that does not have any proprietary dependencies and can be downloaded via F-Droid (or a similar front-end like Neo Store). It should be noted, this is the version I tested for this review.

On that note, from an end-user perspective, Threema worked very well. Signing up – even with a key purchased from the site – was a pretty straightforward process. Certainly not as “insultingly easy” as something like Signal or Session, but also nothing out of the ordinary that would be confusing to anyone who’s ever signed up for another service like email or social media. Adding people was pretty straightforward: just go to “Start a Chat” then click “New contact” and either paste their ID or scan the QR code. Syncing to the desktop was similar to Signal in that you scan a QR code, except that you also have to enter your password for persistence, and every time you start the desktop app you have to enable the session on your mobile device, so that’s a little annoying. Messages sent and arrived quickly with no issues, and voice messages were received with perfect, impressive clarity. I unfortunately didn’t make any time for voice or video calls, but based on my other experiences I assume they would’ve worked with perfect clarity and reliability.


The Bad

As with every service, Threema is not without flaws. The most prominent of these is that Threema is not financially free. The fee to use the service is one time, and it is only about $5, but not everyone has $5 to spare and some people aren’t willing to pay for a messenger even if they do have it, thanks to years of getting things for free (as well as the availability of options like Signal, which are more secure – more on that next – and still free). Threema accurately argues that you’re always paying somewhere – if not with cash then with data – but this can still be a hard pill to swallow for some.

More importantly, Threema’s security is not on par with Signal’s. Now regarding this particular post I just shared, I want to make two notes. First, it’s nearly a year old. I would hope Threema has fixed any serious issues by now. I did reach out to them asking them about this post and they dismissed the criticisms as “valid but well-known and non-essential,” saying they were “based on misconception or not relevant in regards to Threema’s practical use case.” In other words: the people at Threema disagree that these are security vulnerabilities at all on the grounds that it’s either a misunderstanding of how Threema works, or it’s not within the scope of problems Threema is aimed at solving. That brings me to my second point: I want it to be noted that I personally have some issues with this post. I really don’t want to get into it too much and derail the review, but the short version is “I think it’s obvious the author went into this research with some kind of bias.” That’s not me trying to attack them, for the record. I know nothing about this author or the work they do. I just wanted to say that in case anyone else reads that post and notices the same things I did. Having said that, I have no reason to suspect that the conclusions and findings were fabricated or invalid. Does this make Threema not worth using? Not in my opinion. But I do think it’s worth knowing the shortcomings of a messenger. Between the article itself and Threema’s rebuttal, I personally land on the belief that Threema’s security is probably fine for general, day-to-day talk with family and friends. Would I trust it if I were Edward Snowden fleeing the CIA? Probably not. Asking my wife if she needs me to grab anything from the grocery store? Sure.

There are some other downsides beyond questionable cryptographic choices, some of which may be more impactful for daily users. For one, Threema is centralized. We’ve seen this become a problem in the past with other messengers like WhatsApp and Signal, both of which have had outages. The risk of an outage for one reason or another is really the main concern with centralized messengers, in my opinion. But theoretically there can also be risks of censorship and compromise, depending on the app in question.

The aforementioned audit is also getting pretty old, having last been done in October 2020. At the time of publication, that’s nearly two years old. A lot can change in the digital landscape in just two years. Finally, Threema offers no form of multifactor authentication. The only thing standing between your account and an attacker who wishes to take over your account and pose as you is your password. We can only hope all their users are using good password practices and that Threema is storing those passwords with a strong hashing algorithm.

Conclusion

There are lots of options out there for encrypted messaging these days. Threema has long been a popular option, and it’s got some features worth considering: usernames, audits, strong jurisdiction, and a responsive and pleasant user experience. Getting your friends and family to fork over the $5 may be a challenge, but if they are willing to do so, Threema certainly doesn’t seem like the worst choice you can make when it comes to picking a private messenger. If some of the other popular recommendations – like Signal, Session, or Matrix – aren’t right for you, Threema would be worth checking out.

You can check out Threema here.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates on Mastodon or support my work in a variety of ways here.

The New Oil now has a merch store. If you have no interest in such things, feel free to ignore this. But if you’re interested in possibly helping support The New Oil and picking up some swag in return (we do ship globally), I’d like to take some time to talk about this newest support method, because quite frankly, it’s not perfect and some of you are not going to be happy about it, but I think if I explain it you’ll find that it’s actually not too bad.

Why a Merch Store?

When I started The New Oil, I never actually expected it to take off. It was really more of a “getting it off my chest” or “being the change I wanted to see” kind of thing, but I truthfully didn’t expect a lot of people to care. I figured it would get a few hundred hits, attract a few fans, and maybe get a small handful of die-hard donors. I was very wrong. In just a few years, The New Oil has had just shy of 10,000 visitors per month (we actually broke 10,000 for the first time last month) and last year made over $2,000 USD in donations, not including things like affiliate links where I get a credit on my account, and we’re on track to make significantly more this year. Once I realized the project was growing so much, I began to look for ways to ethically monetize it. I like my day job, but truthfully I like working on The New Oil a whole lot more, so if possible I’d love to make enough money off of it to do this full time. I decided to aim for this with things like affiliate links, sponsorships, and donations. But of course, money is not the goal here, so we have very strict guidelines about sponsorships that you can view here, and we only implement affiliate links from projects we have vetted and trust and we deploy them in a transparent and optional way. Adding a merch store is merely the latest step in this side goal of ethical income. Donations are appreciated, but I hate asking for handouts and free money. I much prefer to give people something in return. (One could argue that I’m already giving you content, but still.)

Why This Particular Setup?

Let’s talk about how the store itself works. The best way would’ve been to order merch upfront and then sell it via an open-source, self-hosted platform such as OpenCart or WooCommerce. It would’ve meant fewer parties involved, more control over the content of the store (like third party trackers), the trust of open source, and more profit in my pocket (buying merch in bulk up front results in a lower per-item cost). However, there are several reasons I chose not to go this route. The first and foremost is time. Running a store this way requires me to sink a considerable amount of time into ordering merch, monitoring inventory, restocking, and – most importantly – taking items to the post office and mailing them. I have a full time day job, The New Oil (which is basically a part time job at this point; I easily sink double digit hours into it every week and that’s just to maintain stuff like running the communities, posting articles, and correcting errors on the website), Surveillance Report, a wife, a band, and friends and other family all asking for my time. I can’t afford to put more workload on myself. The idea of putting more work onto my already crowded plate was – quite frankly – ludicrous and I don’t think anyone in my life, supportive as they are, would’ve appreciated me cutting into my precious free time any more than I already do.

Additionally, I am not comfortable hosting your payment data. Running a self-hosted store would’ve meant that I was responsible for securing your data, and storing it for four years in compliance with the laws in my state. That meant four years of having your name, address, and possibly card details in my possession. This coming from the guy who can’t even spell in his own native language most days: are you sure you want to trust me to have that database set up correctly? To have all the security features enabled? To have all the vulnerabilities patched? I’d like to take this second to remind you that I have absolutely no formal training in this stuff at all. I am not a sysadmin, and I was not any kind of comms guy in the military. Everything I know about hosting and cybersecurity has been self-taught. That’s fine when it comes to stuff like “use a password manager” and “keep apps off your phone when possible,” but it’s begging for trouble when it comes to stuff like securing your payment data.

How Does it Work?

Instead, I opted to use BigCartel with Printful. Here’s where things start to get sticky. BigCartel is an ecommerce platform with a freemium business model: the free plan (which I’m currently using) allows me to post up to 5 items with a single image to display. Printful is a back-end “on demand” manufacturing platform. In other words, here’s what happens: you buy the item, BigCartel pays me, BigCartel sends your order to Printful, Printful charges me, Printful manufactures the item, and then finally Printful ships the item to you. (Remember that sequence, it’ll come up again shortly.) This does have several drawbacks. For one, the prices are significantly higher. I only make a few dollars from each purchase (I set the profit margin to 15%, well below the retail clothing industry average of 36-43%), whereas with pre-printed and self-shipped products I’d make about $10 or more, easily. I also have very little control over the content of these websites, including things like tracking scripts. But the plus side is that this service is entirely, 100% automated. I don’t have to lift a finger. See my earlier rant about not wanting to add more work to myself.

That said, I stated earlier that making money was not the primary goal of The New Oil. It’s a secondary bonus. Therefore it was imperative to me that I ensure that whatever platform I use is at least “not god-awful” for privacy. And I think I’ve accomplished that. The following information was gathered over several weeks of studying the privacy policies of both BigCartel and Printful, as well as numerous back-and-forth conversations with both asking for clarifications. First, the easy one: Printful never sees any information about you except what you ordered and your shipping address to fulfill the order. They never see any payment information, and they never get any kind of data that typically gets collected when you visit a website directly, like cookies, tracking beacons, and other fingerprinting techniques. Remember earlier I said “BigCartel pays me, BigCartel sends the order information to Printful, and Printful charges me”? That’s how Printful charges for orders. If you pay $20 for a shirt and the cost for them to print it is $15, then upon receiving that order they charge me $15, leaving me with $5 left over from the order. Your payment info is never involved in that equation.

BigCartel is a little less great. They collect a lot of information like browser type, IP address, “the page you visited before navigating to our services,” device information like hardware model, operating system and version, mobile network information, etc. (You can view their privacy policy here.) Now, I do want to clarify something: a lot of websites these days have this trend of writing a privacy policy for users and not visitors. In other words: not everything in this privacy policy applies to you as the shopper. Some of it I have no doubt they do to you, like reading cookies and device information. But you’ll notice some other, more worrying stuff in that privacy policy, such as aggregating data from identity verification services. It’s much more likely that this only applies to me, because I have to give them legal information for tax reasons. So don’t read that privacy policy and instantly go into panic mode. This actually leads into my next section about recommendations.

How Can I Use it Safely?

So BigCartel is a little invasive. But as I said earlier, I think it’s pretty reasonable to use it despite that because, frankly, defending against BigCartel’s tracking means using the exact same stuff I recommend on the website anyway. For starters, you should be visiting with a browser that respects and defends your privacy, such as Brave, Firefox, LibreWolf, or Tor Browser if they’ll allow it. You should be using plugins like uBlock Origin that block trackers. I also encourage using a VPN (or Tor Browser if you can’t/prefer not to use a VPN for whatever reason) to hide your IP address. That takes care of almost all the automated stuff like fingerprinting and cookie tracking. For payment and shipping, I’ve long advocated for the use of payment masking strategies such as privacy.com and the use of PO Boxes to mail things to instead of your real home. And finally, use a masked email address to protect yourself from both data breaches and tracking when placing the order, and a Voice-over-IP phone number if they require a number. Between all of these strategies, you run virtually no risk in using BigCartel’s service to order merchandise.

Having said that, there is one use-case in which I am willing to put in a little extra work (assuming it doesn’t become overwhelmingly popular). BigCartel does not support cryptocurrency, and even if they did it would probably not include privacy coins like Monero. If you’d like to place an order in cryptocurrency, contact us directly at thenewoil@protomail.com (or thenewoil@tutanota.com) and we’ll either send you an invoice or make a new one-time address you can use for the transaction. Then we’ll order the product on your behalf and ship it to the address you provide. (If you have a better suggestion on how to handle crypto transactions, feel free to let me know. I’m not a crypto expert; I’m just trying to ensure a way for us to verify that you have paid the amount while still respecting your privacy.)

Where is the Store?

Hopefully this covers everything and has made a decent case for why this particular setup is not as evil as it first seems and explains why I went this route as opposed to other routes. If you know of a better way to accomplish a merch store that doesn’t add more work to my plate but also better respects user privacy and doesn’t rely on my incompetence to protect user payment data, don’t hesitate to let me know. But at this time, I think this is going to be the best compromise. If you’ve read all this and you’re interested in supporting The New Oil and getting some merch in return, you can check out the store here. If the store does well and there’s a high demand, I’ll invest in a paid plan so I can add more items.

Thank you guys for your continued support. I look forward to bringing you more helpful content as The New Oil continues to grow.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates on Mastodon or support my work in a variety of ways here.

Disclaimer/Disclosure of Interest: The New Oil has a ProtonMail affiliate link. If you sign up for a paid plan using this link, we get a small financial payment. As always, a non-affiliate link will also be shared.

What is Zero-Knowledge/End-to-End Encrypted Email & Why Do You Need It?

Encrypted email is a bit of a misnomer. Technically all emails are “encrypted” in transit using technologies such as TLS, but in this context I'm specifically referring to “end-to-end” encrypted (sometimes called “zero knowledge”) email providers. This means that the provider can’t read your inbox, which is – in my opinion – a must-have for any person who values their privacy and security. Many people argue that zero-knowledge email providers are overhyped – or worse – because you’re only securing half of the chain. If I’m emailing someone at a Gmail address, the contents are still exposed on Google’s servers. However, in my opinion, that’s still cutting your attack surface in half. If we’re both using Gmail – or if one of us is using another provider like Yahoo – that’s just twice the opportunity for a data breach, warrants, or an insider threat. Sure, you may not get the full benefit without both parties using encryption, but it still counts for something. See my past post about how privacy is a spectrum for more on that logic. With that said, let's look at one of the most popular encrypted email providers out there: ProtonMail.

The Good

Proton has a lot to like. The company is based in Switzerland, a land notorious for having pretty strong user data privacy laws. Signup starts off strong by offering an Onion site (we’ll get to the downsides of this later) which allows you to access the site anonymously via the Tor network, and offering anonymous payment options like cash and Bitcoin (which can be made anonymous with the right work). So far, so good.

On the technical side, Proton has been repeatedly audited and repeatedly found to be secure and sound. They are also based on PGP, which in my opinion is great because it allows non-Proton users to initiate encrypted communications with you (otherwise you would have to email them first with a password-protected email). To be clear, PGP itself is not without drawbacks, but again – privacy is a spectrum, and it's better than not using encryption at all.

Finally, Proton is an ecosystem. With your account you get access to their VPN service, encrypted calendar, and encrypted cloud. Now of course, this is optional. Some users may not want to put all their eggs in one basket, and others may simply find another solution superior for their needs. However, I know I personally have met resistance in the past when trying to get people to care about privacy, with responses like “Google just makes it so easy, they have email, calendar, Drive, etc.” Well, now we’ve got something that can compete with Google: an all-in-one solution that those who want such an ecosystem-type experience may find is just what they needed.

The Bad

Proton is not without flaws, and unfortunately in this case they are few but significant. For example, Proton’s Onion link sign-up is broken. Originally it simply redirected you to the “clearnet” version of the site. They fixed this, except now you may be asked to provide additional verification when you try to sign up. They say that this data is not linked to you, but personally this still makes me uncomfortable for people who are actually trying to be anonymous. Most people probably don’t need anonymity, but some do. I hope to see Proton find a better solution for this sooner rather than later.

Speaking of sooner and later, Proton’s app experience is incredibly inconsistent. For example, there’s a Calendar app for Android but not iOS. For the VPN, my iOS and Windows apps updated within a few days of Proton’s branding update, but the Android app took several weeks to follow suit. Proton Drive doesn’t even have an app, requiring the web browser exclusively for use. This can be maddening, especially for customers of a company attempting to create an all-in-one ecosystem. How can I be part of your ecosystem when it’s only accessible under specific conditions? What good does a Drive do me that’s only accessible via the browser? What if I want to use Calendar but I’m an iOS user? This all stems from Proton’s philosophy of “if a feature is ready to roll out, why wait?”, which makes sense but creates a hodgepodge of inconsistent experiences for users.

Conclusion

Email is not secure. I think that’s always worth pointing out. Email was never designed to be 100% secure. You never know who might print it or forward it, and there are also a bunch of super-technical issues with both email itself and PGP that literally cannot be fixed. Society would have to adopt an entirely new protocol to fix them. You should never trust your life to email (which is one reason why Snowden didn’t just email his documents to people). Yet email is still a widely used tool that permeates almost every service we use in some way, shape, or form. For that reason alone, it’s worth trying to get a secure email provider to mitigate the risks as much as possible. ProtonMail is a solid choice of email provider with multiple layers of data protection (both legal and technical), PGP-based encryption for interoperability, a free tier that should work for most users, and some great bonuses like green energy, the above-mentioned VPN/Calendar/Drive, and a number of other features that set them apart from even established, mainstream competition like Gmail. I strongly encourage you to check them out, maybe sign up for a free tier, and see how you like it.

You can learn more and sign up for ProtonMail here. If you do decide to sign up, consider using our affiliate link to help support us in the process at no extra cost to you.
