The New Oil

Data privacy & cybersecurity for normal people

What is 2FA and Why Do You Need It?

2FA is an abbreviation for “two-factor authentication,” which is basically what it sounds like. Usernames and passwords are a form of authentication; if you don’t know the username and/or password, you cannot be authenticated, or prove that you are authorized to access whatever it is you’re attempting to access. Of course, that’s not totally true. Data breaches expose usernames and passwords all the time. Hence the need for more than one method of authentication at the same time. When you combine more than one form of authentication, you get “multifactor authentication,” or MFA. All 2FA is MFA, but not all MFA is 2FA.
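To show what that second factor actually looks like under the hood, here is an added example (my own illustration, not code from The New Oil or from any authenticator app). It implements the time-based one-time codes (TOTP, RFC 6238) that authenticator apps generate, and a toy login that only succeeds when both a password and a current code are presented. The base32 secret is the RFC's published test-vector key, and the user record layout, the PBKDF2 parameters and the one-step clock-drift window are assumptions for the demo, not anything the post specifies.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the RFC 6238 test-vector key ("12345678901234567890") in base32,
# the form an authenticator app receives from an enrolment QR code. Not a real account secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second window."""
    return hotp(secret_b32, unix_time // TIME_STEP, digits)


def verify_second_factor(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check of the possession factor. Accepts the code for the current window
    plus or minus `window` steps to tolerate small clock drift (assumed policy), and
    compares in constant time so timing does not leak how many digits matched."""
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, unix_time // TIME_STEP + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def make_user_record(password: str, totp_secret_b32: str) -> dict:
    """What the server stores at sign-up (assumed layout): a salted password hash for the
    knowledge factor and the shared TOTP secret for the possession factor. Never the
    plaintext password."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret_b32}


def login(username: str, password: str, code: str, user_db: dict, unix_time: int) -> bool:
    """Both factors must pass. A password exposed in a data breach is useless on its own
    without the device that holds the TOTP secret, which is the point of 2FA."""
    record = user_db.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False
    return verify_second_factor(record["totp_secret"], code, unix_time)


if __name__ == "__main__":
    import time

    db = {"alice": make_user_record("correct horse battery staple", DEMO_SECRET_B32)}
    now = int(time.time())
    good_code = totp(DEMO_SECRET_B32, now)  # what alice's authenticator app would display
    print("password + current code :", login("alice", "correct horse battery staple", good_code, db, now))
    print("breached password, no code:", login("alice", "correct horse battery staple", "000000", db, now))
```

Run it as a script and the first line prints True while the second prints False: knowing the password alone is not enough. The drift window is the usual trade-off between tolerating a phone whose clock is a few seconds off and keeping the number of codes a guesser could hit per attempt small; a real service would also rate-limit code attempts.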


“What a year.” My annual catchphrase. I always say that this project has exploded in ways I never expected, and that never stops being true. So where are we now?


About the Author & the Book

Cathy O’Neil is an American mathematician and data scientist. She got a Ph.D in math from Harvard, and later taught at MIT. In 2007 she left academia to work in the finance industry, an experience she talks about in the book that left her disillusioned with the role of data collection and algorithms and the way that they can harm the outliers. This ultimately led to her publication of Weapons of Math Destruction in 2016.

The saying goes that if you want to cook an omelet, you have to break a few eggs. Weapons of Math Destruction focuses on those eggs who have become casualties on the way to algorithmically modernize the world, using big data to make decisions that are – on the surface – more objective, fair, and accurate. However, O’Neil explores how this is frequently not the case and the flaws with our current approaches to using Big Data to this end.


The following is an original piece of journalism from The New Oil

Twitter may be compromised, and nobody's covering it. This is the allegation from security researcher Lucky225.

In order to understand the context of this story, we have to briefly go back to 2010, where Army intelligence specialist Chelsea Manning was becoming disillusioned with – among other things – the actions she was helping to facilitate for the US incursions into Iraq and Afghanistan. This seems to be at least part of what led her to disclose hundreds of thousands of classified documents to whistleblower website WikiLeaks, which detailed everything from American war crimes in Iraq and Afghanistan to diplomatic cables showing China's frustrations with North Korea at the time.


Regardless of how you feel about capitalism, there is one aspect of it that – to some extent – I think we can all agree is nice: the free market. Exactly how “free” the market should be is up for debate, but I think it’s safe to assume that most of my readers are in favor of a world where someone can wake up one day and say “I hate my job, I’m gonna go find another one,” or “I don’t like that company (for whatever reason), I want to shop somewhere else,” or “I want to make a website teaching data privacy and cybersecurity to beginners. Oh look, I have a second job now.” I don’t believe it’s perfect by any stretch of the imagination, but I still choose to live my personal life largely by the free market hypothesis. I hate the way Walmart treats their employees, so I shop elsewhere. Earlier this year I left one job largely because I felt I was being underpaid (spoiler: I was). On the other hand, sometimes I choose to buy name brand because the better quality justifies the price increase. Free market in action: voting with your dollars.

This ties into privacy when it comes to the argument of “just don’t use X if you don’t like it.” I get that a lot. “Just don’t use Facebook if you don’t like it.” “I don’t see the problem, just don’t use Amazon if you hate them so much.” “I like Google, but you’re free to use something else.” In the free market, there’s the idea that every company is free to institute whatever rules, policies, and business strategies they feel are best. At The New Oil, for example, I have every right to list whatever tools I want for any reason I want. In theory, the market responds accordingly: if people agree with my reasoning – or the tools I list – then they reward me by visiting, recommending the site, maybe even buying merch, donating money, or using an affiliate link to help support the project. On the other hand, if people disagree with my reasoning or tools, they can choose to go support another project such as Privacy Guides or Privacy International the same way. But what if – hypothetically – all three of those organizations were under the same umbrella company?


About the Author & the Book

Shoshana Zuboff is no stranger to technology and the way it impacts our modern life. With a Ph.D. in psychology from Harvard (where she's tenured, by the way, in the Business School), she's written on such topics as the future of work in the digital age (In the Age of the Smart Machine) and somewhat predicted the current state of capitalism in her book The Support Economy (assuming I read the Wikipedia synopsis correctly, truthfully I haven't read any of her other works myself).

The Age of Surveillance Capitalism is arguably Zuboff's best-known book, and has certainly become one of the foundation “must-reads” in the world of privacy. It outlines a brief history of “how we got here” in terms of surveillance, notes the ways that Big Tech and the government often work together, explains how Big Tech encroaches on our privacy, and explains how all of this fits into a larger concept of our individual freedom of choice and a sort of “class struggle” between us as individuals and Big Tech companies as they seek to undermine our freedoms in exchange for profits.


Next week, gift-giving season officially begins in the United States (and in at least a few other places, I presume) with Black Friday. As such, I figured this would be a great time to discuss safe shopping tactics. In what is becoming my own yearly tradition here at The New Oil, below is my list of online shopping tips, updated to reflect any techniques or strategies I've picked up in the last year. (Note: some of the services I suggest offer affiliate programs which The New Oil has signed up for. Affiliate links are clearly marked and are totally optional.)

  • Pay with cash in person. There’s a large push for credit card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-paranoid, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.

  • Of course, online shopping has long been popular and even more so during Cyber Monday (not to mention some services are online-only). For online transactions, use pre-paid cards or card-masking services like, MySudo, or ViaBuy (if you live in Europe) to avoid having your real information stolen. If a scammer steals your info, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. So I definitely encourage you to use a masking service of some kind. Be aware that and MySudo essentially function as banks in this scenario, so they will ask for some personal information that some people may not be comfortable with. If that's the case, call your bank and ask if they offer virtual card services. Some banks do – including large ones – and it's becoming more popular. You won't have the privacy benefit of having your transactions shielded from the bank, but you'll get the security of not having your card number stolen. Personally I’m a fan of for a lot of reasons (I actually have an affiliate link you can use here if you're interested) but this isn’t the time or place. Feel free to check out all of the solutions suggested and see if any of them are right for you.

  • Use HTTPS. HTTPS is a powerful and effective encryption method for data-in-transit (aka web traffic) that helps protect your sensitive information as it shoots across the web. The vast majority of the internet is now securely encrypted so you’re probably covered, but be vigilant anyway. All four of the browsers I recommend on my site – Brave, Firefox, LibreWolf, and Tor Browser – offer some type of “HTTPS-Only Mode” that will automatically upgrade connections when possible and warn you when it's not. On Brave, go to Settings > Privacy and Security > Security and enable Always use secure connections. On Firefox, LibreWolf, and Tor Browser, go to Settings > Privacy & Security and scroll all the way down to HTTPS-Only Mode. Make sure you select Enable HTTPS-Only Mode in all windows.

  • Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the cybercriminal who hopefully didn’t steal your information because you already implemented the above bullet points.

  • Use alias email addresses. These are services such as SimpleLogin (affiliate link here) and AnonAddy that offer you email addresses that automatically forward to your inbox. The website you sign up for only ever sees your alias email address, but it all arrives in the same easy-to-manage place. The privacy protection here is that it keeps you from being cyberstalked (there are lots of ways I can find your various other accounts just from an email address) and makes it slightly harder for companies to track you. The security benefit is that it changes your login on each site and makes it harder for credentials caught up in data breaches to be weaponized against you (see credential stuffing). And as a practical benefit, once you've signed up for these sites, they usually spam you with offers, newsletters, and other marketing crap. Usually you can simply click “unsubscribe” but some of the scummier sites don't respect that request. With an alias email address, you simply turn it off and stop getting the spam. Imagine having a peaceful, organized inbox again. Wonderful.

  • On the topic of security benefits, be sure to use strong passwords with a good password manager and use two-factor authentication (2FA) on all accounts that offer it. I know the holidays are a hectic time for most people with travel and family and such, but it also usually means more paid time off for most people. Take advantage of some of that time off and set aside an hour or two to pick a good password manager, change your passwords and password habits, and enable 2FA. This is one of the single most effective things you can do to protect your online accounts, and on top of that it's free and easy, yet still few people do any of this stuff. Doing this step alone is one of the most powerful things you can do to protect yourself year-round. Speaking of year-round...

  • Don’t quit on December 26. The thing about these habits is that they’re great any time, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. HTTPS can protect your Facebook login from a random cybercriminal just as much as your card number. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. HTTPS is something that takes just a few seconds to ensure is enforced and you never have to think about it again. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work. Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!

You can find more recommended services and programs at, and you can find our other content across the web here or support our work in a variety of ways here.

What is Wire & Why Do You Need It?

Wire is an end-to-end encrypted (E2EE) messenger available on Linux, Mac, Windows, Android, and iOS. I have long touted the need for E2EE in your daily communications for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.

The Good

Wire has a lot of valuable features. In addition to the obvious things that make it recommended by this site such as being open source and audited, one major advantage of Wire is that it is username based. You can sign up entirely anonymously by signing up on desktop, using a VPN (or Tor), and using a throwaway email. Even without hardcore anonymous signup, you can still retain a great deal of privacy by using a forwarding email address and not submitting a phone number or real name. And because you pick a username, that means you can privately communicate with others without having to provide any personal information like a phone number to that person. You can also have up to three accounts on a single device, allowing you to easily compartmentalize work and personal life.

[Image: Wire on Android]

According to their privacy policy, Wire does not retain any encryption keys, and uses TLS to encrypt metadata when possible. They claim not to retain copies of encrypted data after it has been delivered, and to only keep technical logs for 72 hours for the purposes of troubleshooting and abuse-prevention. Analytics (sending crash reports on iOS and keeping troubleshooting logs on Android) were opt-in (not on by default) when I signed up for an account. Speaking of Android, Wire is available for F-Droid and seems to work just fine without MicroG or Play services, meaning it should work without issue on any degoogled device.

In my review last year, I noted that Wire was slow. This no longer seems to be an issue – or at least, not a Wire-specific one. When I first started testing it – admittedly during a slow stretch at the day job – I noticed right away that my Android device took a little longer to send and receive messages than my iPhone. But once I got home on a different network, they both worked just fine. I also noted last year that Wire was feature-deprived. Specifically I noted a lack of voice messaging and poor GIF support. This also seems to have been fixed. GIFs use GIPHY (probably not proxied like Signal, so use at your own risk), and voice messages have been added. They even have a little drawing board so you can hand-write notes and a “ping” feature to get someone’s attention (if you prefer not to simply say “hey man, you there?”).

Ultimately, I think Wire’s biggest features are the universal availability in terms of devices and the support of usernames. These two features alone make it a powerful choice worth considering.

The Bad

[Image: Wire on Windows 10]

However, Wire is not without its drawbacks, and there are quite a few worth considering. Let’s start with a recent development: who owns Wire? A few years back, Wire took a significant amount of investment from a venture capital firm (who hates VPNs, by the way) called Morpheus Ventures, whose other investments seem to be pretty heavy on the “privacy invasive” side of the spectrum, apps and companies who try to use data to tackle various “problems.” The nature of this relationship was never really fully explained, and it remains that way. Currently Wire is listed under the “Other investments made by Morpheus, our founders or funds previously managed by them.” Pretty vague. Is Wire “previously managed”? Or are they “other investments”? Additionally, around the same time as this investment, Wire moved their headquarters to the US so they could qualify for said investment (and others), but now their website states they are headquartered in Berlin, Germany. Where is Wire based? Who owns how much of it? These questions are unclear. I reached out to them for clarification a few weeks back, but never got an answer since I’m not a paying user. (You can read more about the initial investment and move here, but be aware that this article is from 2019.) It’s also important to know what got Wire booted from Privacy Guides in the first place: changing the privacy policy without announcing it. While this is common for many services, it’s troubling for privacy- and security-advocating services in particular.

Finally, it’s worth noting that Wire is centralized. A premium feature does allow it to be federated for enterprises, but for the average free user, the main centralized server is your only choice.


Wire is far from perfect, but to be honest there is no perfect messenger in the privacy space. The ones that are user-friendly usually have glaring flaws, and the ones that are almost perfect are usually nightmarish to implement and/or use. Wire is definitely not for everybody; however, I think it offers some powerful advantages – much of the metadata collection can be outsmarted with a simple VPN and a forwarding email address (and by using it on desktop only, if your threat model is that severe) – and the ability to have a username instead of a phone number is something that can’t be discredited. I think Wire might be a good trade-off between Matrix and Signal: a little more user-friendly than Matrix, but it doesn’t require a mobile device like Signal does. Ultimately, as always, it depends on your needs and threat model.

You can learn more and download Wire here.


Perhaps one of the most underrated and feared things in the quest to protect your privacy is the dreaded privacy policy. Many a question I see – namely the “what do you guys think of [insert service here]?” on Reddit – could be quickly and easily solved by simply taking a couple short minutes to peruse the privacy policy. So this week, I want to talk about how to read a privacy policy – or more accurately, how I read a privacy policy. While privacy policies don’t hold all the answers to your questions, I strongly believe they are an invaluable starting point when researching any new product or service.


What is Voice-Over-IP (VoIP) and Why Do You Need It?

Voice-over-IP – or VoIP – is basically phone calls over the internet or cell data rather than via traditional phone technologies. The technology is far from new – it’s been used in business for decades – but it’s also available for consumers for a relatively low cost.

While VoIP does come with a few drawbacks – primarily the fact that your call quality depends heavily on your internet strength (via mobile data, for example), the benefits, in my opinion, cannot be overstated. In no particular order, VoIP can be used to compartmentalize your life, set healthy work/life boundaries, protect yourself from spam calls and robotexts, and protect your overall privacy. For example: if you have a VoIP number you use for work, you can disable that number each night when you get off the clock. You can also use a VoIP number for dating or selling things online, which prevents you from being stalked or harassed if things go south. There is no reason I can think of not to use VoIP of some kind if it’s available in your country.

MySudo is a popular VoIP app in the privacy community for iOS and Android that offers up to nine digital identities. I say “identities” because to say “phone numbers” is to discredit MySudo’s other features: an inbox, a web browser, and virtual cards.

[Image: Photo courtesy of MySudo]

The Good

I think the most obvious advantage of MySudo is the number of identities you can have. Having so many different phone numbers at your disposal offers a lot of flexibility. I believe most people could get away with the MySudo Pro plan (three phone numbers with 200 messages and 200 minutes per month) depending on how many minutes you need. You could use these for work, personal, and other, and for most people that’s plenty. But as I said, the configurations are near infinite and can be whatever you need them to be. You could do a dedicated Signal number, shopping, burners, travel, really whatever your heart desires. Even if you can only afford the SudoGo plan (1 number, 100 messages & 30 minutes), that still reduces the odds of a SIM-swapping attack, so maybe you'd use that for all services that only offer SMS 2FA. It really largely depends on how many minutes you need and how much messaging you do, but there should be a plan that nearly anyone can make use of.

When contacting other MySudo users, you get the advantages of group messaging, end-to-end encryption, self-destructing messages, and even video chat. With non-users, you get SMS, MMS, and voice calling (no group chats or calls and no disappearing messages). You also have an email address for each identity that you can customize (ex, which are end-to-end encrypted for other MySudo users, and a web browser for each identity that claims to block third party ads and trackers. Each identity can also create masked virtual cards that you can use online to help prevent tracking and card theft. Unlike, these cards are not linked to a single merchant but can be reused as many times as you want. Finally, MySudo claims that all your data is stored in a zero-knowledge format and that they don’t log your incoming and outgoing messages. So while your messages may not be end-to-end encrypted coming and going, they are safely free of MySudo’s prying eyes once they’re in your inbox.

The Bad

I am biased toward MySudo. I personally use it in my daily life and depend on it very heavily. Having said that, it’s not without drawbacks.

For starters, MySudo is heavily dependent on stock operating systems like Android and iOS. In order to get a paid plan, you have to go through either the App or Play Stores, but once you’ve done that you can move to a new device as long as the billing plan stays active. However, the actual usability of MySudo with custom ROMs seems to be hit or miss. While MySudo does offer direct downloads for both Graphene and Calyx, I’m also told it doesn’t work on Graphene OS at all. I’m unsure about other custom ROMs. Either way, this presents a challenge for those who wish to take their privacy to the max and truly get as Big Tech-free as possible.

MySudo is also an inconvenience for those who prefer to be as phone-free as possible in general. There’s a web app you can use on desktop, but it has to be synced up manually each time you use it, so I can’t just turn my phone off at the end of the work day or get rid of my phone entirely. Sure, I have most of my most important contacts on Signal, Matrix, or some other desktop-ready communication platform but I’m one of those people lucky enough to work a job that generally respects work/life balance. That means that when I get a late-night text, it’s usually kind of important, so I’d like to be able to have a desktop app where I can get this information in real time without depending on my phone.

[Image: Photo courtesy of MySudo]

There’s also the issue of price, as always. There is a free tier, but it’s pretty useless since you can’t call or text non-Sudo users at all. As I said above, I think most people can do just fine with SudoPro, which is $5/month ($50/year) and gives you 300 messages per month and 200 minutes per month with non-Sudo users, as well as 3 virtual cards and 3 identities. However, I am a firm believer that privacy should not be a luxury and should be available to all. Obviously services like MySudo are not cheap to run and must be paid for somehow, but it still makes me sad that the free level is so restrictive. I always want to be considerate of people who truly are that tight on money. The virtual card feature costs money, too: 2.99% of the purchase price plus $0.31. Again, I understand that nothing is free, but I wonder why they can’t just take a cut off the back end like does.

Then there’s the concerns about the limitations of who can use MySudo: MySudo phone numbers are only available for US, UK, and Canadian phone numbers, and you can only sign up for a paid plan in the US, UK, or Canada (UK pricing is not listed on their site, which makes me wonder what other countries are available that we don't know about), while the virtual cards are only available for US users. The app is available for download in New Zealand, Singapore, and South Korea, though, but I guess at that point it would function like any other encrypted messenger, requiring both users to have the app, and at that point I would advocate for nearly any other encrypted messenger instead for that use case.

Finally, a word about MySudo's “other features” like email and web browsing: while they certainly are added value, I think they're pointless. Because MySudo lacks a strong desktop app, using the emails is clunky and annoying. The web browser claims to block ads and trackers, but has no publicly-visible list to check. There are other open-source browsers that do this just as easily, like Brave, Bromite, or Mull (or hardened Safari). MySudo's real use is compartmentalization; therefore I see no reason to put all your eggs in one basket. I would still recommend an open source, trusted encrypted email provider and an open source, privacy-focused browser over MySudo's offerings. Therefore – again – while they are nifty features, they mostly collect dust in my use case. Likewise, I use for virtual cards, which offers me significantly more options, better protections, and no fees. Given that virtual cards are only available in the US, I don't know why anyone would bother using MySudo over (unless you don't trust, and I'm not sure why you trust MySudo more in that case as they both require your personal information to comply with anti-money-laundering laws).


It’s important to remember that VoIP is not meant to be a replacement for an end-to-end encrypted messenger. A lot of people bash on MySudo because it’s not open source or zero-knowledge, but in my opinion that’s missing the point. What VoIP is meant to be is a way to compartmentalize your life, protect you against data breaches and stalkers, and set healthy boundaries in your own life. In that sense, I personally have found MySudo to meet and exceed my needs. Due to the price, location restrictions, and operating system restrictions it may not be for everyone, but I strongly encourage those who still use a stock iOS or Android and live in an area that MySudo services to look into it. It’s a powerful tool and it may come in extremely handy to have in your arsenal.

You can learn more and download MySudo here.

Updated on Oct 9, 2022 to reflect that a UK paid plan is available. Previously I was led to believe it was not.

