The New Oil

Information Security for normal people. https://www.TheNewOil.xyz

I love sharing stories like this because as much as I love privacy and security and view it as a fun challenge, at the end of the day it’s really all about practicality. This website is aimed at “the average person,” meaning that if this information doesn’t have any real-world applications then it’s no better than watching Mr Robot (great show, by the way, completely recommend it).

So I lost my debit card this past weekend, and I want to explain how the privacy lifestyle I live helped me save the day. Before I go into it, I want to make two things clear: first off, this subject sort of overlaps with personal finance, but personally I don’t find privacy and personal finance to be mutually exclusive. In fact, privacy and security habits will also often improve your financial standing if executed properly (in my opinion). Second, I am writing this from a place of privilege. Not everyone is fortunate enough to put money into savings, or even to have a bank account. I realize that this story involves privilege, and my goal is not to disparage anyone who reads this and goes “wow, must be nice,” but rather to encourage those who are fortunate enough to be in similar shoes to see how this stuff can have real world impacts.

So What Did I Do?

This past weekend my partner and I drove about two and a half hours out of town to visit her mother. It was a birthday visit more than a Fourth of July visit, we’re rather indifferent to the holiday ourselves. At any rate, in our hometown I stopped and used my card for gas (blasphemy to some privacy enthusiasts, I know) and when we arrived I realized my card was gone. So like any sane person in my shoes, as soon as I discovered it was missing I canceled it and ordered a new one through my bank’s automated system. I use MySudo, so I used the VoIP number that I have set aside specifically for important matters – banking, housing, etc – to place the call. Just to fully flesh out my privacy model.

How Did It Impact My Weekend?

It didn’t really. First off, I’m an introvert. I spent the whole week playing Fable (Steam summer sale baby!) and making fun of the movies we watched on TV. But we follow the Dave Ramsey ideology of personal finance. So we have a moderate sum of money in cash for emergencies. We took this savings with us just in case, and we were fortunate enough to be able to dip into this for any expenses like food. As soon as my card gets here, I’ll be replenishing the money. In the meantime I can continue to dip into the savings for things like groceries and gas until my card arrives (sent to my PO Box, of course).

How Will It Impact Me Online?

The real question most people are probably wondering is “how will this impact me online?” Really that’s the big thing. After all, think of all the subscriptions I have to replace now with a new card number, right? First off, not really. I’m a minimalist. I try to keep the subscriptions I actually use to a minimum. From a personal finance perspective, subscriptions are usually a rip-off. They make continuous money off you while providing very little future returns (such as new features and upgrades) and at the end of the day you don’t actually own anything. From a privacy perspective, these companies usually make even more money off of you by harvesting and selling personal information about you. The less accounts I have, the better.

More importantly, I do almost all of my purchases using either cash (such as in-store groceries) or online using prepaid gift cards and Privacy.com cards. I have nothing to update once my new card comes in. Other than not being able to take money out at an ATM, this really has almost no impact on my life.

The Lesson

The moral here is that this privacy stuff has real world impacts. It’s not just about some nebulous abstract like “stopping Google from profiting at my expense” or “what if America turns police state.” There are actual, practical threats that face us everyday: losing our debit cards, bank data breaches, random stalkers. Don’t just brush the information in this site off as “tin foil hat” or “paranoid” because it actually has value in your life.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

Dear Congresspeople,

I don’t even know where to begin writing this letter. I’m a very cynical person, especially when it comes to politics, and yet I’m no anarchist. I recognize the importance of having a representative government who dictates what is and isn’t allowed. I value individual freedom, and yet I realize that we need to draw lines in the sand and enforce them. And not to be too hard on you guys, but I think a lot of you don’t understand technology. You’re being lied to by people with an agenda who are making you think that the scary unknown is dangerous, a wild west of lawlessness, Silk Roads, and worse. But that’s not the case.

I am speaking, of course, about Senator Lindsey Graham’s latest assault on encryption. His so-titled “bill to improve the ability of law enforcement agencies to access encrypted data, and for other purposes” (what are those “other purposes” anyways?), which flat out says that he views end-to-end encryption as a tool for criminals to sell drugs and sexually abuse children. This is not true, and in this letter I hope to help you see why this is bill is at best a misguided effort to do the right thing and at worst a full on assault on the Constitutionally-guaranteed privacy of Americans.

Bad People Existed Before Encryption, Bad People Will Exist After Encryption

The primary crux of Sen. Graham’s argument against encryption is that it is used by very bad people, the kind of bad people we all universally agree are bad – specifically, drug dealers and pedophiles are often mentioned. And yet, child sexual abuse was recognized a specific type of child abuse by Congress in 1973. Some of the earliest writings on the subject date back to 1857 in a paper by a French forensic pathologist. This is not a new issue, it’s one that predates the internet, the automobile, and almost the widespread use of electricity. As for drugs, I don’t think I need to provide evidence that drugs are an ancient problem. Drug abuse is nothing new, and dates back as long as drugs have been discovered.

I won’t disagree that bad people sometimes hide behind end-to-end encryption, but if you ban it they’ll just find another method. You’re treating the symptom, not the root cause. And that matters because you’re also penalizing law-abiding citizens in the process.

We Don’t Ban Freedom Because Some People Abuse It

Lots of law abiding citizens use end-to-end encryption for lots of perfectly legal purposes. I use it to transfer sensitive login or financial data with my partner (as well as more benign content like memes and what our dinner plans are). The Clinton Campaign made extensive use of Signal to keep their conversations confidential. Trump and his lawyer used Signal to discuss their legal matters in private (as they are legally entitled to by attorney-client privilege). The EU Commission has ordered all its staff to switch to Signal. And that’s just one specific app. Lots of high-level people use end-to-end encryption to protect sensitive conversations. WhatsApp is one of the most popular apps in the world for people to communicate with family members in other (sometimes hostile) countries so they don’t have to pay for expensive international plans. Does that make it illegal? If you have a sensitive conversation with your spouse about finances, would you want to record that and air it on national news? Does that make it illegal if you answered “no?”

My favorite comparison is clothes. Here’s a YouTube video about how many guns you can hide in your clothes. Here’s another story about a teen hiding drugs in his underwear. And yet, where are the cries to ban clothes? Why aren’t we making them illegal? What do you have to hide? You’re not doing anything wrong, right? So why use the same items that criminals do? The argument sounds stupid because it is stupid, no matter whether you use it on clothes or messenger apps.

Criminals, By Definition, Don’t Obey Laws

One of the top arguments in the gun control debate is that criminals, by definition, don’t listen to laws. If you ban guns, all you’re doing is taking guns out of the hands of law-abiding citizens who would otherwise use those guns to defend themselves. The same is true for end-to-end encryption. If you ban end-to-end encryption, criminals will still use it. The Great Firewall hasn’t stopped tech-savvy Chinese citizens from finding ways around encryption. Activists in Hong Kong were using Animal Crossing to bypass censorship earlier this year. Additionally, those same protestors are using decentralized apps – meaning apps that don’t have a central service provider the way that Facebook or Twitter does – to communicate and organize, which makes censorship exponentially harder. You can ban encryption in America, but all that’s going to do is make criminals use different services that are harder to shut down and based overseas. You won’t stop them, you’ll just punish law-abiding citizens by stripping them of their ability to be safe and protect themselves. If you vote against gun control, you’d be a hypocrite to vote for this law instead. And if you vote for gun control, then remember that encryption is a violence-free way of providing individual protections and civil liberties.

There are bad people in the world, and there always will be. That doesn’t mean we shouldn’t try to stop them and protect the innocent, but what kind of dystopian authoritarian says that it’s okay to strip everyone of their freedoms in exchange for stopping a few bad guys? The United Nations recognized privacy as a human right in 1948 (Article 12). This isn’t just about Democrats and Republicans or some other arbitrary “chalk one up for my team” fight, this is about human rights (and whether you want to admit it or not, America does not have the best human rights record (Alternate Source)). In another blog post, I mentioned that violent criminals make up less than 1% of the US population. Not pedophiles and drug dealers specifically, ALL violent criminals, including murderers, domestic assaulters, violent rapists, violent burglars, and more. Less than one percent. Would you do anything if your odds of success were less than 1%? In almost all situations, no. So don’t punish 99% of law abiding citizens by stripping them of their freedoms because of a few bad apples.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

I promised on my site that I’d use this blog to announce any major updates to my website, so in that spirit: I’ve massively updated my site! Here’s some of the changes I’ve made:

  • Added an “advanced” section for those who want to go the extra mile and get extreme privacy and security
  • Added categories (privacy, data breach defense, cybersecurity, etc) to help readers more easily determine what sections are most relevant to their concerns
  • Added suggestions on how to start using these services and techniques in your own life, as well as tips and tricks I’ve picked up along my own journey that may benefit new readers
  • Added Mailbox.org as an encrypted email provider
  • Noted potential business practices that might alarm privacy extremists with Signal and DuckDuckGo
  • Removed several books from the Resources section on the grounds of being more than five years old and/or not containing enough educational content to justify
  • Removed ExpressVPN on the grounds of not being open source and there being enough open source alternatives to warrant this
  • Reorganized certain sections’ importance on the grounds of changing social landscapes

Feel free to provide any suggestions or constructive criticism. Thanks for your support!

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

I’m gonna start this off by saying my title is wrong. I wanted something short and snappy, and “Why a VPN Shouldn’t be a High Priority for Your Privacy Model” was too wordy. So before anyone jumps down my throat, don’t?

VPNs are kind of a staple of privacy and security. They are most people’s first introduction into this kind of stuff. Maybe they use for one work, or maybe – like me – they were alarmed by the US Government allowing ISPs to sell your browsing data and the many ways that would definitely be abused. Maybe they just wanted to watch something that wasn’t available in their area. At any rate, most people are familiar with the basics of VPNs. If you need more information, check my website.

You might be confused why I listed VPNs in the lowest section of concern on my site, but it’s actually not as confusing as you might think. The reason is because these days, most of the privacy and security features that a VPN offers can be replicated in other ways. Privacy and security technology has come a long way.

What Does a VPN Do?

A VPN provides an encrypted connection between your device and the VPN server, and from there it goes out to the website in question. This all traffic on your device is hidden from anyone in between your device and the VPN server, including your local router, your service provider, and anyone else who might be looking along the way. Additionally, your traffic essentially appears to be coming from that server. So rather than appearing to come from your IP address in Portland, Maine, you might appear to be living in Los Angeles, California. Or Geneva, Switzerland. Or anywhere else you choose.

How Is That Replaced?

Security

For starters, TLS/SSL, better known as “HTTPS.” TLS allows encryption between your device and the server you’re accessing, and this is the technology that allows you to securely transmit login information and credit cards over the internet. The days of sitting in a Starbucks with a laptop and stealing the logins of other customers are pretty much over. As long as a site is using HTTPS, you’re reasonably secure. Most apps also use TLS to communicate, meaning that almost all activity on your phone should be relatively encrypted (however it is hard to verify this so never assume that’s the case).

Privacy

Another powerful technique that helps is the resistance to tracking cookies and browser fingerprinting. Under the Most Important section of my website, I have a chapter called “Securing Your Browser,” and several chapters on phones called “Securing Mobile.” These chapters share steps on how to institute anti-tracking measures on your phone and your web browser, which in turn help to eliminate some of the tracking that a VPN would help to protect you from.

So Is a VPN Useless?

No, not at all. TLS hides everything after the slash, in essence. So for example, if you visited my blog, your internet service provider can see that you visited Write.As, a minimalist blogging website, but they can’t see exactly what blog you visited. A VPN tells them nothing, they can’t even see that much because all traffic is encrypted from your device to the server. Additionally, with a VPN, you’re encrypting everything on your device. With services like TLS and tracking protection you’re only protecting your web browser or specific app. With a VPN you’re protecting all the apps, telemetry, updates, and background stuff that may not be using TLS (or may be using an old, less effective version).

In short, I’d put it this way: if you’ve already done all the other more important stuff and you have the money, a VPN is a great addition to your privacy and security model. But focus on other, more effective and more important stuff first. VPNs are still an important layer of protection for privacy and security, and lately I’ve seen a lot of debate over whether or not they matter. I think everyone should still be using a reputable VPN provider these days, but I do think there’s more critical steps to be addressed first. Using a VPN with Google still doesn’t help much. But coupled with other privacy-respecting services and techniques, it’s a powerful link the chain.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

I know a guy. Let’s call him Ron because I’ve been reading a lot of Harry Potter lately. Ron swiped right on a dating app on a girl we’ll call Luna (because I haven’t finished the series yet so I don’t care about canon). He and Luna started talking. It soon moved to text, as most of these dating app conversations do. There was a lot of explicit flirting, and Luna even sent a few nudes (not at his request, she volunteered them). After a few weeks, the conversation died out and they stopped talking. Then, the other day, Ron got a call from Luna’s dad who furiously informed Ron that Ron had been sexting an underage girl. Floored, Ron checked his text messages and noticed one particularly long message that he had skimmed over before, but upon closer inspection he noticed that she had made a mention about her upcoming 17th birthday. Cue the panic.

Why Am I Telling You This?

It was Ron’s fault for not reading the text, right? Yeah, probably. But here’s the thing: we all make mistakes. Ron wasn’t being a creep. He was tired and distracted when she sent the original text and he didn’t notice it. Tell me about how you’ve never overlooked an important detail, missed an important email, or made a mistake. It happens to the best of us. Mistakes get made. And furthermore, we operate as a society on a basis of trust. Ron assumed that since Luna was on the dating app she was over 18. He can’t go around demanding everyone send him a copy of their ID and birth certificate. We have to place trust in people. He made an honest mistake. This case is a case study in why we need to be proactive about our privacy.

How Did it End?

Ron called me, panicked, knowing that I know a lot about privacy. As I began to investigate, cracks began to appear in the story. They’re not relevant, so I won’t bother sharing them, but I ended up reaching out to a close friend of mine who currently works in law enforcement at a relatively high level. Without even hesitating, my friend assured me that it was definitely a scam and that Ron should just block the number.

So How Should Ron Have Been Proactive?

For starters, use a Voice-over-IP number. I’m a big fan of MySudo, but there’s lots of other options out there, even Google Voice if you’re strapped for cash. I’m anti-Google for privacy reasons but I’d recommend a Google Voice number over your actual SIM card number any day. You should be compartmentalizing your life: you should have a VoIP number for work, another one for interacting with strangers (such as dating or selling stuff online), maybe even one for banking. The idea is to compartmentalize your life. Phone numbers are basically social security numbers these days. If I give my work a phone number that I only use for professional purposes, they can search that number but they’ll only find my professional life: my LinkedIn, my website, maybe a few other subscriptions related to my professional self. If I have a separate number for dating and I find out after a few dates that the person is a little mentally unstable, it becomes that much harder for them to stalk me when I cut it off. It also gives me the freedom to change the number without upending my entire life. I can change my dating number without my boss ever even knowing.

The second proactive step would’ve been for Ron to use a fake name. Ron used his real name on this app, and even though most apps only use a first name that’s still risky, especially combined with his real phone number. If I use a fake name and a fake phone number on Tinder, your odds of finding me get astronomically small without some advanced techniques. Remember: we’re not talking about hiding state secrets from the NSA, we’re talking about hiding from scammers, blackmailers, crazy exes, and similar threats.

A final step I would suggest is to take unique pictures. We all know that a professional site should feature a clear, well-lit head shot. Your dating profile probably doesn’t need to be so exact. I’m not saying you should use a fake picture, that’s asking for an awkward meetup. And of course there’s something to be said for actually getting a good look at the person you’re considering meeting up with, whether it’s for a one-night stand or a potential lifetime together. Personal opinion but I think physical attraction does matter in any intimate relationship, though the exact amount and definition of “attractive” varies from person to person and situation to situation. The point is, maybe don’t use the same picture you use on LinkedIn, because a reverse Google Image search will find that in a heartbeat and now the person you’re trying to escape has your real name, your place of work, and more. Also consider what’s in the pictures. Can I get a good look at your apartment? Any identifying landmarks? (A group shot with friends at a popular bar might be an exception here.) Can I see any work logos, addresses, mail, or sensitive information? Google claims they don’t use facial recognition in their reverse image search, but even if they don’t companies like Clearview and Facebook do. The idea is to make your dating pictures different enough from your professional ones that they can’t be super-easily linked with an image search.

By the time Ron called me, it was too late. If it had been a real situation and not a scam, it would not have been good. My law enforcement friend told me that in his experience, in this situation a lawyer wouldn’t even bother taking the case cause there’s so little evidence of criminal intent, it wouldn't be worth the trouble. But what’s to stop the dad from blasting Ron on Facebook? After all, he has Ron’s real name and number. And there’s nothing the internet loves more than to shame someone virally without hearing their side of the story or getting the facts right. And let’s be real: even hardened murderers will shank a pedophile in prison. This story had all the right bits to be a viral social media post. At that point, it’s too late. Even if he moved and changed his number, an employer doing a public background check (aka a Google search) would likely still find this story. This could’ve ruined Ron’s life. Don’t wait until crap hits the fan to decide that you need privacy cause then it’s too late. Take steps now to avoid a crisis later.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

Things are a little crazy here in the US right now – well, crazier than normal – so I thought now might be a good time to talk about protesting, surveillance, privacy and security. Now, before you roll your eyes and move on, I want to explain why I care: I fully support the right to a peaceful protest (peaceful being the key word). I absolutely despise the idea that you can be identified and tagged – 100% without human action – simply for exercising your constitutional rights and peacefully protesting. As the famous quote goes (roughly): “I disagree with what you say, but I will defend to the death your right to say it.” Without going into detail, I believe that attending a protest will absolutely get you put on a list automatically (if you can be identified), that being tagged for peacefully protesting chills free speech, that laws are not an indicator of morality, and that peaceful dissent is an absolutely valid way to demand change. So if being tagged discourages people from attending protests, then it’s a form of control and is immoral. (See my website for more detail and sources.) That’s why I want to cover protesting today: ways you might be tagged and how you can avoid it to protect your privacy and not end up on a list just for exercising your rights.

Finding and Attending the Protest

For most of us, social media will be our main avenue to learn about upcoming protests. That’s fine, but I recommend you don’t actually mark yourself as attending the protest. Several years ago during the Keystone XL protests, law enforcement was accused of using Facebook check-ins to target protesters. The veracity of this claim is debated, but why risk it? Feel free to keep checking the page before the protest to learn of any updates or changes, but don’t publicly mark yourself as attending. Police don’t need a warrant to look at a list of attendees on a Facebook event.

Getting to the protest can also present challenges. Protests often take place at locations that are politically relevant and heavily monitored such as capitol buildings or police station. If you’re in a large city (as the capitols usually are), you can pretty much guarantee that the city is using license-plate scanning technology to track your vehicle as you travel in real-time. Often times public transit is recommended. This of course, isn’t foolproof as many public transit services also have cameras and records, but we’ll come to that shortly. You could also order a cab and pay in cash, but even cabs are starting to include cameras.

Whatever method you take, I recommend arriving near but not at the location. If you drive or get a ride, park or get dropped off a few blocks away. In the unlikely event that public transit stops at the exact location, get off at the stop before or after. Same thing once you’re ready to leave. Move a few blocks away then get picked up. If you’re extra cautious, consider using a different location than you did before. Also if you have to pay for parking and can’t use cash, consider picking up a Vanilla gift card in cash so it can’t be easily connected to your debit or credit card.

Biometric Recognition

At the time of this writing, the COVID-19 pandemic is still a thing and therefore wearing face masks in public is not only acceptable but recommended. That’s great, but sadly most facial recognition actually focuses on the eyes. I have it on good authority that I trust that the least-suspicious-yet-most-effective way to beat facial recognition is aviator sunglasses and a baseball cap. Try to get your hands on a plain black hat. I bought one with a design on it then cut the design off. You could also try getting one that’s out of character for you, maybe with a sports team you’re indifferent to or a band you don’t really listen to. Either way, get these items far in advance. It’s easier to pull up purchases from a week ago or earlier that day and correlate them to you. If you made the purchase more than a month ago, that makes things trickier.

For tattoos, wear long sleeves or clothing that covers them. Think smart. If you’re protesting in the summer, wearing a coat is kind of suspicious. Wearing a long-sleeve shirt is less suspicious. I’ve posted articles in the past about how even your walk can give you away. I read once somewhere (I forget where) that the best defense against this is to wear baggy clothes. These will help obscure your gait, but keep in mind that if they’re too baggy it could interfere with your ability to get away quickly if violence breaks out (and I highly recommend that you bail as soon as the first rock or punch gets thrown even if you had nothing to do with it).

Cell Phones

Now for cell phones. Cell phones are a death sentence if you want to remain anonymous at a protest. Even if you turn off all cell data, wifi, bluetooth, and tracking technology your phone still has to ping cell phone towers continuously to check for regular SMS messages and phone calls. And those pings contain unique, identifying information about your device, which is likely already linked to you unless you keep a device just for this kind of occasion. If you really think you might need your phone, you could leave it in the car or turn it off on arrival, but both of those things run the risk of being suspicious (the location and/or the sudden turning off the phone, both of which are easily detectable by your provider and police). In my opinion, your safest bet is just to leave the phone on at home. If you must bring the phone, remember to make a backup before you go in case it gets lost, stolen, broken, or confiscated.

What if you do need a phone but you also need to be invisible? Burner phone. Here’s how it works: buy a phone in cash. If you desperately need secrecy, get someone else to do it for you to avoid the cameras (former hacker Kevin Mitnick suggests even paying a stranger to do it if your threat level is high enough). If you need a cheap phone, you can buy a dumb phone but I don’t recommend that for reasons I’ll get into in a moment. Instead, you can buy a slightly-more-expensive-but-still-cheap smartphone Android for about $100. Do not under any circumstance give the phone any real information about you. Use a fake name, don’t use any biometric information to unlock it, etc. I know this is hard, but it can be done. You may have to use something like the Tor Browser to create an anonymous email account for this purpose. That’s fine. Once you have the phone, make sure not to put service in your name, either. Get a prepaid card and use fake information. Make sure to never, ever, ever have this phone on except at the protest. Don’t leave it on at home. In fact, turn it off before you get home. Download any apps or updates you need right there in the parking lot, then turn it off. Don’t turn it on again until you arrive at the protest. Turn it off again as you leave. If your threat model is low, you can probably repeat this strategy for a few protests at a time. If your threat level is high, I recommend ditching the phone as soon as the protest is over. And as always, I recommend using encrypted messaging – even on a burner phone – and encrypting the device itself whenever possible.

I mentioned not getting a dumb phone. The reason is this: I’ve mentioned Stingray devices before. Quick refresher: Stingrays (technically called IMSI-catchers) are cell-phone tower emulators. They forcibly capture all cell signal in a certain area, copy the data (including the content), and then pass the data along like normal as if nothing ever happened. In fact, you have almost no way of knowing one was even used. Also, these devices are incredibly small – about the size of a desktop computer on the large end and they only get smaller from there. One or more could be easily connected inside a police car along the protest perimeter and you’d never even notice them. I have absolutely zero doubt (though no proof) that these devices are used generously during protests, and that means that every single signal your cell phone sends during that protest will be copied by the police. If you buy a dumb phone, you have zero protection. You cannot load encrypted messaging apps or VPNs onto that device. That means every text you send is readable, as well as who it went to. Even if you only text one person and speak in code, that dramatically increases your risk of being identified. However, if you use a burner smartphone, you can load encrypted messaging apps and VPN apps which will dramatically improve your privacy. The police will still capture your traffic, but it will be all encrypted.

If Detained or Arrested

After extensive research, here’s some things I think every American should know:

Arrest means you are in police custody. They can place you in handcuffs, move you around, and more. At this point, you have a variety of rights such as the right to remain silent and the right to have an attorney. If you cannot afford an attorney, you have the right to have one provided to you by the state. You may or may not be entitled to any phone calls. The call does not have to be to an attorney, but if it is the police are not permitted to record or otherwise monitor the call. If it is not to an attorney, assume the call is being recorded. Also at this time you are not entitled to refuse a search without a warrant. At this point, you may be ordered to unlock a device such as a phone or computer, but you are not required to tell them the password.

Detainment means you are not under arrest, but you are not free to leave. At this point in time, you are not entitled to an attorney provided by the state, but you are entitled to stay silent, to have an attorney present if you can afford one or have one, and to refuse a search without a warrant. Keep in mind that your devices are protected by warrants. Police are not allowed to unlock and search your devices without a warrant or consent from you. I recommend you use a PIN or password lock anyways because unfortunately not all cops know this or care. Don’t use facial ID or fingerprint because the officer might try to point the camera at you in an attempt to unlock the device without your consent and search through it.

In general you are never required to answer any questions without an attorney present, regardless of whether you’re arrested or not. You are never required to tell the police any passwords to unlock your phone, computer, tablet, or any device although – as noted before – you may be required to unlock the device if you’re under arrest. Keep in mind that police are allowed to confiscate your device and copy the data (hence why encryption is necessary). I have been detained at protests. In my experience, it is generally okay to answer some questions such as identifying yourself and saying why you were in attendance. If you feel uncomfortable or the questions start getting accusatory, definitely request a lawyer. One of my non-privacy related interests is true crime, and I can’t tell you how many cases I’ve studied where innocent people thought they were making themselves look good and doing themselves a favor by not requesting a lawyer (cause they had nothing to hide) and it ended up coming back to bite them.

I am not a lawyer. I do keep very up to date with my rights, but things change, laws vary from place to place, and I have no legal background whatsoever. I have written all of this with the best faith, but I encourage you to contact an actual lawyer if you have concerns and questions in this area. Do your own research. I highly recommend EFF’s Surveillance Self Defense portal, especially their article on attending protests. EFF is comprised of actual, experienced lawyers, so I trust their judgement and information. I actually got a lot of the information in this blog post from there.

If you choose to exercise your first amendment rights, please do so peacefully and keep yourself safe. You should never be tagged on a list for peacefully exercising your rights, and you should not be marked for further surveillance or future retribution either. Keep yourself protected, and good luck!

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

On my Mastodon bio I state that The New Oil is a website specializing in news, advice, and reviews for the average person, so in that spirit I figured this would be a good place to share my thoughts on my latest privacy-related read. Like many of you, I find myself with a lot of free time these days, so I’m setting aside some of that time to catch up on reading and other content. That includes working my way through some of the “recommended reading” of the privacy community. My local library had a digital copy of Kevin Mitnick’s classic readily available, so I decided to check it out.

About the Author & the Book

Kevin Mitnick is a famous hacker-turned-good-guy. He was arrested in 1995 for “various computer and communications-related crimes.” He now runs a security consulting company where he uses his skills for good, explaining how he performed his various crimes and how companies can defend against them.

The Art of Invisiblity is a non-fiction book that discusses various threats against privacy – mostly digital in nature, such as tracking cookies, surveillance cameras, and more – and how to defend against them.

The Good

The book was massively informative. In some ways it’s a great introduction to privacy for people who are totally new to this stuff. Mitnick does a fantastic job of explaining how encryption works, how cookies work, how your real-world identity gets correlated with your digital one, and more. Additionally, he lists real world case studies and research which were super helpful to me. It’s one thing to say “hypothetically, this thing could be used in a bad way” and a totally different thing to say “here’s a real-world example of this thing actually being used in a bad way, even if it was in a controlled environment to prove it could be done.” He also balances the realism of those threats as opposed to fear mongering. For example, in one section he goes in depth into how a smart thermostat could be hacked, but he did explicitly point out several times that every one of these techniques requires physical access to the device.

Because of the real-world examples Mitnick mentioned, I was able to share some of the concepts with my coworkers who have children (one example included Pearson monitoring Twitter for any mentions of their tests) and help them prepare for the world they’re raising their kids into. It also helped me tighten up some of the information in my website, such as how ad-blockers can save you from malware and how Microsoft One Drive doesn’t use any encryption on their product (don’t worry, I did research all of this to ensure the information was still current).

The Bad

Look, I’m gonna be honest: who am I to criticize a world-famous hacker? I can’t even get Kali to work half the time, let alone hack anything. My hacking skills end at being just charming enough to sometimes use social engineering. I readily admit on this website that I’m not an expert. Even if he did caught, I would argue that failure is sometimes the best teacher and therefore the author probably knows more than me. Having said that, I found some of Mitnick’s suggestions to be inconsistent. For example, early on in the book he gives several detailed suggestions on how to attain an anonymous phone, but then makes almost no mention of the fact that having that phone at home and turned on will quickly defeat your anonymity (because if it stays on at the same location every night, eventually it’s pretty obvious who the phone belongs to). He waits entirely too long (the final chapter, actually) to point out that invisibility is kind of a sliding scale and it’s a really question of how much you need. He also offers almost no advice on Internet of Things devices other than “change the default password and be careful how much they say about you.” He doesn’t offer any kind of advice on putting a VPN or firewall on your router, using a separate network for IoT devices, or anything like that. Maybe that’s coming in a future edition, but I found it kind of lacking. Obviously he took the approach that I do, that not everybody is willing to forgo owning an Alexa for one reason or another, but there's still a lot of reasonable solutions he could've discussed to help people protect their privacy more.

Final Verdict

Definitely worth a read. It’s an easy read, written in a very casual (but clear) tone as opposed to being written like an academic paper. He has a great knack for explaining things in a way that make sense, and backs things up with real-world examples and research wherever possible. If you’re new to privacy, consider the book an introduction to digital surveillance rather than actual how-to guide. If you’re a privacy veteran, consider it a “fundamentals check” to make sure you’re paying attention to the basics and you’ve assessed your threat level correctly.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

Paranoid. Tin-foil hat. Crazy. Weird. Obsessive. Whatever you want to call me, I guarantee I’ve heard it before. And honestly I’ve called you things, too. Blind. Apathetic. In denial. Let me explain: one of the most common questions I see in the privacy community is something along the lines of “how do I get other people to care about their privacy?” The question usually goes something like “all my friends think I’m crazy because I don’t use Google and they don’t want to switch from WhatsApp to Signal. They think I’m being paranoid, like ‘why would anyone want to watch you? What are you hiding? What are you up to?’”

It’s a frustrating position for people on both sides of the fence. It’s frustrating to you, the person who doesn’t care about privacy, because your friend or loved one is asking you to do extra work just to chat or hang out. But it’s equally frustrating to us. So this is an open letter to all the folks who don’t care about privacy. I’m asking you to be patient with us privacy-minded folks. That doesn’t give us the right to bully you or be obnoxious, but respect is a two-way street. I want to try to explain why we’re so paranoid so you know where we’re coming from. This isn’t meant to sway you to our side, simply to consider things from our perspective and see if it might be worth taking some reasonable steps at the request of your loved ones.

It’s About Respect

Before I get into any concrete reasons for why we care about privacy, I think I should start with the most basic concept of all: respect. You are a sovereign person, meaning that you have the right to make decisions about yourself with zero justification whatsoever. You don’t have to justify to me why you want a tattoo, why you watch the shows you do, why you’re vegetarian, or why you go to church. That’s your right as a human being. Likewise, us privacy folks shouldn’t have to justify our choices either. If we ask you not to post pictures of us on the internet or not to gift our kids a Chromebook or something like that, you should respect it because that’s what decent human beings do. This doesn’t have anything to do with race, gender, politics, or age. It’s about being a good person. They’re called boundaries.

When it comes to two-way situations, such as encrypted messaging, I think it’s a decent human move to at least try it out or consider the request. Signal, for example, is insultingly easy to set up and use. It literally could not be any easier. I don’t think asking anyone to use Signal is an unrealistic request and those who take the five seconds to download and set it up will find it very reasonable and easy to use. Switching to PGP is a little more involved, and I understand if you say no to that one.

On that note, whatever happened to compromise? I made a deal with my mother that if I set up a ProtonMail account for her, she would use it when emailing me. She agreed, and she’s held up her end of that bargain. Setting up ProtonMail is not hard. It’s no harder than setting up any other email account. Yet I still made the offer. Likewise though, I respect her. If she uses her old email account to contact me, I don’t ignore it. I still respond. The point is, it’s mutual respect. I don’t hardline people and tell them “use encrypted messaging or I’ll never talk to you again.” I respect their wishes, and in turn they respect mine. That’s how human relationships work, and if you won’t at least consider your privacy-oriented friend’s request, honestly you’re being kind of a dick.

We’re Not Crazy (But We Are Abstract Thinkers)

Calling somebody a negative name is what’s known as a “thought-terminating cliché.” In other words, if I call you crazy, I have now discredited you. It doesn’t matter what you say, you’re crazy so there’s no point in listening to your argument, even if your argument is “the sky is blue.” You’re crazy, who cares what evidence you spout to support your claims?

Most of us are not crazy (though some of us are a little extreme). When we talk about things like how data collection can be abused, we’re not just being paranoid. We’ve seen it happen before dozens of times. The difference is that we realize it could happen here to us. Often when I talk about abuses of data in other countries, people go “yeah but that would never happen here.” You’d be amazed. China’s social credit system is on it’s way to America. Random strangers are routinely swatted or harassed for the smallest things. Even the federal governent itself has doxxed dissidents. It can happen here, and it can happen to us.

We’re Not Crazy, We’re Playing a Numbers Game

“Okay,” you think, “fine. It can happen here, it can happen to me. But is it really likely?” Maybe not. But consider this: your odds of dying in a plane crash are 1 in 11 million, yet society doesn’t find a fear of flying odd or paranoid. Meanwhile the odds of being caught up in a data breach are 1 in 4, yet somehow I’m viewed as weird because I reduce my odds by giving up as little information as possible to those companies so that less of my information gets leaked? Why is it the more likely and valid fear gets shunned and mocked? Is it because these companies have built the most powerful and wealthy businesses on the planet by you giving up your data willingly? The CIA sure is jealous of how readily we hand stuff over to Facebook. It’s almost as if these companies have a financial interest in making privacy weird and socially unacceptable.

Everyone Lies

“Okay, but it’s not just that you don’t have Facebook,” you say again. “It’s the fact that you give fake names and numbers. You go out of your way to hide. Why?” Because, in the words of famous Dr Gregory House: “everyone lies.” Famous hacker Kevin Mitnick writes in his book about a proprietary encryption software that claimed to use 56-bits of encryption. When Mitnick hacked their system and examined the code himself, he found out they were really only using 30. For context, that’s the difference between 2 seconds and 25 days for the hacker to guess that password. In the HBO Documentary “Kill Chain” it was mentioned how companies who make electronic voting machines love to advertise how secure and unhackable their machines are, yet this is routinely proven to be untrue – not only are the machines easily hackable, but the companies refuse to let cybersecurity experts audit and fix their security.

We’re Trying to Meet You Halfway

So yeah, in light of all this, you’ll have to be patient with us when we don’t trust Apple’s claim that they’re going to start respecting privacy more. Or Google’s claim that they delete our data. Or Facebook’s claim that they won’t abuse your data (which has already been proven a lie numerous times). These are all companies who refuse to let us see behind the curtain. These companies and others just like them routinely get proven to be liars, and we just don’t trust them. Would you trust your friend who says he missed your party because he was sick after he accidentally sent you a selfie from the bar? Of course not! So why do we get blamed for not trusting companies that routinely get caught lying? We’re scared. We’re scared of what these companies aren’t telling us. We’re scared of when these companies change hands and now that data – which has the potential to essentially mind control us – is in the hands of someone who will do anything to make another buck, or win another term in office. We’re scared of when this stuff gets breached and now our sensitive information (including financial and government records) is on the public web through no fault of our own.

If you’re reading this and you’re scared, I get it. If you’re not scared, you should go back and click on some of the links I posted. We know this stuff can be overwhelming. When you’ve been in a certain field long enough, you forget how to talk to outsiders. If I asked you to explain how to do your job, you might struggle. It’s second nature to you, but to me it would be completely foreign. Things like DNS, onion routing, and psuedo-anonymous accounts are child’s play to me, but I’ve been living and breathing this field for the past few years. You may not have understood any of those terms. We’re sorry that sometimes we forget to simplify it or we fail to explain it well or we just get really overzealous. It’s empowering and exciting to feel like you’re improving yourself. A lot of this stuff is scary and overwhelming, but there’s hope and light and sometimes we get a little too excited when trying to share that. We’re not trying to overwhelm you, we’re trying to help you. And we need to respect it if you don’t want our help. That’s your choice to make. But when it comes to us, you should also respect our choices to be more private even if you don’t agree with them. The world would be a much better place, I think, if everyone was just a little more considerate of each other.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

I’ve been writing a lot of posts about abstract topics lately, so this week I want to come back down to earth and write something practical and helpful. Chances are that if you’re reading this, you have a job or are looking for one, which means this should be pretty applicable to most everyone. So without further ado, let’s talk about how to enter the workplace while still respecting your privacy as much as possible.

Fields of Work

In an ideal world, the most privacy-respecting job would be some sort of self-employment where you can funnel all payment and legal activity (taxes, invoicing, etc) through an LLC. The job itself would be something that focuses on your work and not you. For example, being an actor or an artist puts the focus on you and your skills. Owning an electrical company or being a freelance technician of some kind allows you to hide behind a brand (ABC Electrical or Smith Designs, for example). But most of us don’t have the desire to be self employed for any number of legitimate reasons. I’ve done it at least part-time consistently since I was out of college and it’s hard work. So if you’re self-employed or want to be, my advice would be to set up an LLC and funnel all your work and assets through that. It protects your privacy but also protects you and your possessions legally. I’m not an expert on this, and laws vary from place to place, so I’m not going to go into detail but do your own research if you think this might be for you. For the rest of us, let’s start at the beginning.

Searching for a Job

Most of us have to go find a job. Whether you go the networking route or sign up for job-hunting sites, from a privacy perspective, I would approach it the same way: get a work email and a work phone number. Your work email should be professional without giving away too much about you, ex “jsmith@protonmail.com” or “john.smith@tutanota.com.” You can get a work phone number using Voice-over-IP (VoIP). Google Voice is a common and reliable service, but I recommend something else if you can.

Using separate contact information will serve three purposes. First, you can compartmentalize your life. When searching for a job, you’re going to have to sign up for a lot of sites and make accounts to submit applications and put your contact information out there publicly, which means you’re going to get lots of spam and get your information sold and resold. Having separate contacts means less crap in your personal email and less chance of your personal email getting caught up in data breaches, thereby possibly compromising your other personal accounts. Second, it allows you to set healthy work/life boundaries and turn work off after hours. If you have a separate work email and work phone number, you can simply ignore them or disable them when you’re off the clock (if you work one of those jobs where you’re not on call). Finally, your email and phone number are as good as your social security number these days. Using your personal email – even if it looks professional – or your personal phone number makes it easier for your potential employer to look you up and find all your social media accounts and personal information. I’m not saying you should hide your Facebook from your employer so you can talk bad about them on a bad day. Personally I find that both immature and unprofessional. But I do believe that what you do off the clock is none of your employer’s business and so they shouldn’t be entitled to be able to find and track you off the clock. Using alternate contact information will help maintain that boundary.

Paperwork

Filling out any paperwork nowadays essentially comes down to one question: “Does this person need this piece of information?” When it comes to employment information, the general answer is “yes.” Most of the time, they do need your legal name and your social security number for tax purposes. They do need your bank account for direct deposit (feel free to opt for a check instead, it will be slower but it’s technically one less data breach you need to worry about). Do they need your home address? In my experience, no. I’m not a lawyer, so I can’t guarantee the legality of this, but in my experience I’ve always given my PO Box and that’s always sufficed. Notice that I’m not giving them a fake address. Anything they send me will still reach me. I’m not dodging anything. But it’s not my boss’s concern where I lay my head at night. I show up on time sober, I do my job, and I do it well. That’s where our relationship ends.

In the Office

Once you actually start work, the main thing I recommend is to establish a fake name right off the bat. Go by a middle name, or a nickname version of your real name (ex “Bob” instead of “Robert” or “Bill” instead of “William”). Nobody will question it, and most of the time when you meet someone new they ask what you prefer to go by anyways. Obviously if you go by “Shadow” or “Big Z” you might get some weird looks, but your middle name won’t really raise any eyebrows. This might seem overkill, but if you use a different name it makes it harder for someone to search you. Your coworkers probably aren’t going to stalk you, workplace stalking is thankfully relatively rare, but personally I fall into the camp of proactivity: in other words, if something happens you can’t erase whatever your coworkers learn about you. It’s better to decide on a case by case basis who you want to invite over for the July 4th barbecue at your place rather than decide later that one of your coworkers is targeting you for some reason and trying to get them to back off.

My only other piece of advice would be try to keep your workspace clear of identifying information. It’s probably safe to change your computer wallpaper to an NFL logo if you really like that team, and maybe hang up that drawing your toddler drew. But maybe think carefully about putting up pictures of your family on that last vacation out of country, or even having a physical calendar with appointments on it, and definitely don’t leave sticky notes lying around with your passwords.

Devices

Let’s take a moment to talk about devices. The general rule of thumb is that if they want you to use a certain program, the company should supply a device. It is unfortunately very common for people to add their work email to their phones’ mail app, or to download an app to clock in and out. At the time of this writing, employers are increasingly turning to spyware to ensure that employees are actually working and being productive during company time.

I’m going to admit right off the bat: I’m speaking from a place for privilege. I have a good resume and excellent work ethic. Finding a new job is not particularly difficult for me.

If your employer is asking you to download ANYTHING on your device, I first recommend checking what it does. It may just be to clock in and out, or to allow you to view company project files in the field. Those are probably not as worrisome as a screen-mirroring software. Next, check the privacy policy and permissions of the app or software. Most privacy policies are not worded too confusingly, although they are pretty vague. Either way, it should give you enough information to decide if you’re comfortable putting that program on your personal device.

If you find anything concerning, approach your boss respectfully. Point out your concerns and ask if there’s an alternative or if they can provide a company device. If they refuse, you now have a choice to make. You can try to get an alternate device – such as an old phone lying around in the closet – or you can straight up refuse. Generally speaking, it is illegal for an employer to force you to download company programs to your personal devices. However keep in mind that finding a lawyer and taking the case to court can be costly and time consuming, and the company can find other excuses to fire you or make your life suck. Pick your battles. I recommend that a hard line in the sand be software designed to ensure your productivity – aka the screen-mirroring stuff I mentioned before that ensures you’re doing your work at home. I personally would quit before I’d agree to that. The company would have to provide me with a device. But as I said before, I also acknowledge that I’m coming from a place of privilege there and not everyone has that luxury. If your employer is drawing that line in the sand, see if you can find any lawyers who will take your case for cheap or pro bono. Most states also have a legal aide society designed to help lower-income people get legal assistance for free or cheap. Check into that.

Personally, my recommendation is to keep your personal device as free of work stuff as possible. For example, don’t put work email on your phone. This goes back to the work/life balance thing. Try to keep your phone clear of apps as most of them do collect more information than they really need and apps can be a security risk anyways. If your employer asks you to use an app for legitimate purposes – again such as timekeeping – see if you can just use the mobile website instead.

Finally, if you are issued a company device, just assume that everything you do with it can be seen by your boss. Don’t use it for personal email or to check Facebook or any of that stuff. Use it for work only. Completely shut it down and store is safely when it’s not in use. Make sure to use the same security protocols on your work device as you do your personal one (VPN, strong passwords, Firefox browser, etc).

Conclusion

The main ideas here can be summed up as “separate your work and personal lives.” A lot of this stuff may seem paranoid and overkill, and honestly it probably is. But you never know when you’ll have a disgruntled coworker, an unstable client who doxes you, or when the third-party service your HR department uses will have a data breach, or when your employer turns out to be crappy and tries to track your device without your consent. Additionally, as I said in the first point, compartmentalizing allows you to establish and, more importantly, enforce a healthy work/life balance. If you don’t have work email on your phone, you don’t check it on nights and weekends, and you turn off your work VoIP number after hours, people will have no choice but to respect that.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

I mentioned last week that Signal has earned my skepticism and I’ve decided to move on to Riot as a replacement. There were a number of factors that went into this decision, and I spent weeks doing my research. Factors considered included user friendliness, multi-platform support, security features, and privacy. But one of the biggest concerns that went into that choice was decentralization. You see, I think decentralized communication is the way of the future in the sense that it’s the safest way forward.

The Problem of the Past

In the past, communication has been largely centralized. While the message itself may bounce around from server to server, all the servers are controlled exclusively by a single entity or set of entities. When you, a Verizon subscriber, text your friend, a Sprint subscriber, the text stays isolated in those two networks. Because of the proprietary and monopolistic nature of those networks, they are extremely vulnerable to government and social pressure. In other words, it’s real easy for your text messages to be intercepted, read, and even altered or blocked for any reason. Maybe the government doesn’t like your activism. Or maybe you were just born a way the government didn’t like. Maybe you just hold socially unpopular opinions that the providers don’t want to help propagate, even if you have a legal right to hold those opinions.

The Solutions of the Future

Decentralization, as the name suggests, works by making a network run on a variety of providers rather than a single centralized network. Take the Tor network, for example. As I type this, I have an old computer under my desk at my feet running a tor middle relay. Nobody authorized me to do that, I didn’t have to get a license or register with the government. I just needed the hardware and an internet connection. And this applies to anyone in the world, so if the state government came knocking down my door and carried off my relay, people in other states could still run them. And if the federal government outlawed them, people in other countries could still run them. In fact, Tor is a popular tool used in countries like China to help bypass censorship. Because of its decentralized nature, Tor is extremely hard to squash.

We are facing an increasingly hostile environment in the privacy world. The California Consumer Protection Act is often called “GDPR Lite” because it gave California residents so much protection from the sale of their personal data by data broker companies, but the state organizations like the post office and the Department of Motor Vehicles were explicitly exempted from the rules. The FBI and Interpol have both declared end-to-end encryption to be a menace. The US is explicitly working on a bill that would allow them to outlaw end-to-end encryption. Governments around the world are beefing up their surveillance each day, and personally I find these developments disturbing. Even if you genuinely believe they aren’t doing anything bad with those capabilities right now, having the framework in place is dangerous, especially in the modern world where leadership and agendas change every few years. All it takes is one bad leader to abuse the power, and the infrastructure is already in place.

I’m not here to tell everyone to get off Signal or Wire and switch to Session or Riot. Those solutions are still valid, and hopefully all these anti-encryption efforts and censorship trends die off and become nothing. However, I sadly personally find myself regularly disappointed by people and their astounding ability to remain passive and apathetic to clear assaults on their civil liberties that should’ve warranted resistance many times over. So personally, I’m placing emphasis on self-hosted and decentralized solutions in the future to try to prepare for this eventuality.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.

Enter your email to subscribe to updates.