The New Oil

Information Security for normal people. https://www.TheNewOil.xyz

The choice of web browser seems like a silly thing for me to talk about. As I’ve mentioned countless times before, when I run this site I strive to find a balance between throwing too much at my readers but also serving them with good, useful information. But honestly, a web browser is one of those things that on the end-user level makes almost no difference and on the backend makes a huge difference, so I figure it’s worth discussing. In other words: once you get used to it, the browser you use has almost no impact on your daily life, but it can have huge implications behind the scene.

What is a Web Browser and Why Does it Matter?

In the off chance you’ve somehow gotten very lost in your quest for cat videos and have no idea where you are or what I’m talking about, congratulations! You’re almost certainly reading this on a web browser! (Unless someone screenshotted this or copied it to a text file or something like that.) A web browser is simply a program you use to access and explore the internet. Sure apps and things of that nature also access the internet, but they do so in a very specific way. Your web browser allows you to do so openly and flexibly. Common examples of well-known Web Browsers include Chrome, Internet Explorer, Edge, Firefox, Opera, and Safari (in no particular order).

Why does it matter? Because frankly, there’s a lot more going on behind the curtain of your web browser than meets the eye. At eye level, you type in “buzzfeed.com” and you go to buzzfeed to watch reaction gifs and read clickbait articles. But behind the scenes where you can’t see it, so much more is happening.

I’ll try to make this as not-confusing as possible but I want to give you a rough idea of some common things that happen on the backend of any given web browser. You type in “buzzfeed.com.” Your browser contacts a Domain Name Server (DNS) and says “what’s a ‘buzzefeed.com’?” The DNS checks it’s records and goes “oh, that’s IP address 127.0.0.1” (that’s not it, for the record) and your computer goes “oh! I understand that!” and contacts that IP address. Once they’ve established that connection, your computer temporarily downloads the website to view on your computer, running all the HTML, CSS, Javascript, and more that the site has to offer. Likely it will even download cookies, which are small text files containing information about your visit to the site. In return, your computer will transmit – upon request (and most sites request it) – information such as existing cookies it already has stored and information about the device visiting the site, such as operating system (Windows, Mac, Android phone, etc), the web browser, your location, and more. Some of this information is used to make sure you see the site appropriately (for example, a desktop site rarely looks good on mobile) and some of it is just to help the site owner know more about their audience (“it seems my site is really popular in Canada”). But some of it, such as cookies and details about your device, are just invasive and unnecessary. And all the while, your Internet Service Provider (ISP) is watching all that traffic.

So What Browser is Best?

With most things on this website, I’m very hesitant to give a straight answer because there’s so many variables and options. But here I feel pretty confident giving a blanket statement: use Firefox. Let me go into detail.

Far starters, the worst possible browsers you can use include Edge, Internet Explorer, Safari, and Chrome. Chrome is very fast, very well supported, and very secure, but all of these browsers share one common dealbreaker, and that’s that they report detailed usage information back to their creators. They’re essentially spyware. All of them. So by using something like Chrome, not only are you sharing all your browsing with your ISP, you’re also sharing it with Google. Why would you willingly invite a spy into the mix?

Firefox is open source and privacy-minded. That’s not to say they’re perfect. They’ve had their fair share of “oops” moments, bad judgment calls, and unnecessary information collection, but compared to the other mainstreams browsers I mentioned above it’s practically not even worth considering. Additionally, while Chrome is fast and secure, it’s barely any faster than Firefox (the average person won’t even notice it), and for the average person your biggest security concerns should be things like data breaches, not obscure DNS injection attacks. Mainstream threats like breaches, bad passwords, and phishing are significantly more threatening to the average person than behind-the-scenes code vulnerabilities.

Now for the disclaimer: that’s a blanket statement for the average person reading this. For 90% of my readers, Firefox is a perfectly good browser. For those other 10%, you have plenty of options. I personally support “upstream” distributions because they’re so quick to get security updates and features. Because it’s open source, Firefox has a ton of “forks” – modified versions, basically – that focus on everything from improved privacy to lighter processing requirements to open source alternatives and more, but these all require updates and features to be added by the person or team who modified them, which means they could be slower to receive critical security updates. If you’re in a situation where something like that might of more concern to you, then I recommend you do your research and see if they’re right for you. But in my opinion, Firefox plus the add-ons I recommend on my own site would be more than enough for the average person. If you need additional privacy or security, consider the Firefox configuration tweaks recommended by PrivacyTools.io.

Mobile

For Android there’s no contest. Firefox is fully available on Android, including all the plugins mentioned here. You can easily replicate the same browsing experience. For iOS, things get a little trickier. The two main contenders I support are Firefox Focus and DuckDuckGo. To be honest, they are essentially the same. Both block ads, both block trackers, DDG offers multiple tabs while Focus instantly erases everything once you close it out. It’s really a matter of which you prefer. I’ve tried both and found both to be acceptable personally. DDG is a company with a great reputation in the privacy community, as is Firefox, so I feel comfortable saying “whichever floats your boat.”

Honorable Mentions

Brave is a very popular browser these days. It’s based on Chrome so it’s lightning fast, but it comes built in with ad-blockers and the “HTTPS Everywhere” plugin. I would recommend Brave before Chrome if you absolutely refuse to leave Chrome for whatever reason, but I think it’s not as good Firefox for two reasons. First, since Brave is based on Chrome, it still uses the Chrome DNS, which means you’re still inviting Google to spy on all your traffic without reason. Second, Chrome might do away with ad-blockers, so I can’t imagine that functionality will remain in Brave.

TOR is another browser quick to be touted by privacy enthusiasts. TOR (which stands for “The Onion Router”) works as an entire network protocol by bouncing your encrypted traffic around a few different relays before releasing it into the wild, in effect providing you with anonymity and security. (As usual, that was a really basic overview, it’s a little more complex than that.) TOR does work, and it’s fantastic. In fact, I access the internet in relation this project exclusively through TOR. But for the average user, it can be a bit unwieldy. For one, it’s quite slow. For another, because TOR is so often abused, many websites block known TOR addresses to prevent said abuse. You’ll drive yourself crazy trying to check your bank account via the TOR Browser. You may even run into the occasional issue where a website thinks you’re in a foreign country so they translate the site into a language you don’t understand. Most importantly is that insecure websites present an even greater risk on the TOR network as now you have to trust that the person at the end of the chain who can see your traffic isn’t stealing your information. I love TOR, and I use it for many things, but again, for the average individual, it’s probably a bit too clunky.

Closing Thoughts

As I said at the beginning, web browsers don’t mean much to the person using them. My girlfriend, a die-hard Chrome user, adapted instantly to Brave, then again later to Firefox. Once she settled in, she noticed no difference in her online experience. But the things happening behind the scenes are another story, and something as small as how you browse the internet can make a massive difference.

I'm amused – and slightly sad – that as I began to do my research for this blog post, every result for a search of “tracking links” or “tracking URLs” returned the same thing: web-hosting and analytics companies giving a very benign overview of what they are and then explaining why everyone who owns a website should be using them. I shouldn't be surprised. Like most surveillance technologies, the proliferation of tracking links is aided by two main concepts: the first is that they provide a very useful trade off, and the second is that people don't really understand or consider the danger of the capabilities.

Tracking links or tracking URLs are hyperlinks that not only direct you to a website, but also record information about you when you click on them. These can appear in the form of shortened links, such as the common “bit.ly” service, or it can appear in the full link, usually beginning with a question mark or a slash then followed by a bunch of other information, such as in the example I chose to use on my website (click to enlarge):

Image

This is not to say that every shortened link contains tracking, although it's hard to tell without seeing the full link. Likewise, not every question mark or slash signals the beginning of tracking information. But they are the most common indicators.

What do they do?

Tracking links, as the name suggests, track information when you click on them. As a business owner, I understand the value of certain metrics. It's useful to know if the majority of your website visitors are coming from mobile or desktop so you know how much focus you need to give to making your site responsive. It could even be useful to know if they're specifically coming from Apple or Android devices in case you were developing an app and needed to know which to prioritize. Even what sites they come from lets you know where your most engaged audience is.

However, as with most good technologies gone wrong, tracking links get so much more invasive than simple, useful metrics require. It's not uncommon for tracking links to be able to trace unique, personal information like IP address, MAC address, operating system down to which specific version or upgrade has been installed (ex: iOS 13.2). Some of them can even be used to track who sent the link, what time it was opened, other apps that are installed on the device, or websites that have been visited (this, I would imagine, involves the use of cookies stored on your device and therefore this becomes a coordinated effort from the tracking link). This is significantly more information than any website would need to know for metrics' sake, and it runs the high risk of identifying you personally in what's supposed to be anonymous data designed to help improve the site or service. Why does a recipe website need to know what other websites you've visited? What use does a clickbait article site have knowing the apps on the phone of the friend you shared the article with? It's a massive invasion of privacy.

The easiest way on desktop is to install a plugin such as NeatURL. However one should never rely on technology and should always know how to take matters into their own hands if necessary. (Also this solution isn't valid for many mobile users.) The key giveaway is to look for the aforementioned questions marks and gibberish. A link that goes “https://www.website.com/article-title/gfm-feed-12456" probably doesn't need that last bit (“gfm-feed-12456”). I've found the most effective solution is to erase it and see if the link still works. If it does, congratulations! You've erased the tracking link and helped protect the privacy of both yourself and your friends! Same thing applies with question marks. “https://www.website.com/article-title.html?=feed-123456." Delete everything from the question mark on, and check the link. This does require you to learn how to read a link, but honestly it's not that hard. Usually key words from the title will appear in the link, and it's a safe bet that anything you don't recognize beyond “.html” is probably not required. It's also a good idea to check the link before sharing it. I've found as I post news links to The New Oil's Mastodon account that some websites have gibberish-looking parts of their URL that are actually necessary (Forbes comes to mind, their links tend to look something like “forbes.com/article-title/12356” but deleting the gibberish actually brings up a 404 error page).

Stripping tracking links will not negatively impact the necessary metrics of a website, and frankly it won't stop invasive data collection. Any owner interested in the analytics will still be able to tell who visits their site, what device, how long they stay, and a ton of other invasive information that quite frankly they don't need. But it will help to protect both your privacy and the privacy of those around you by removing small parts of the puzzle – the fact that you sent your friend to that site, for example, or other invasive information that helps corporations and governments create a more complete but unnecessary picture of you that can and usually does get abused. And the more we take conscious stands against this kind of stuff and show that we as consumers will no longer tolerate it, the less common it will become (hopefully).

I personally am indifferent to New Year’s demarcations. I can often be found on any given NYE at midnight sleeping soundly in my bed. That’s not to say I don’t care for them, I just don’t care about them. Having said that, I do think it’s important to set goals for one’s self, and the arbitrary (if necessary) line in the sand of “new year” seems like a good time to revisit that for anyone. As 2019 draws to a close, I am assessing the past year both personally and professionally – what worked, what didn’t, etc – and am planning what’s to come in the next twelve months. Once a month, I post asking for financial support on Liberapay for this project, and so in the interest of transparency I wanted to take just a moment to outline what my goals are for this project. I want those who do support me to know what I’m doing with their hard-earned money, and possibly entice those who are on the fence about supporting me. And as always, if you are unable to support financially, I am totally okay with that and appreciate simply interacting with my posts, sharing them, and similar free shows of support.

If I had to define 2019 for The New Oil in one word, I’d call it “successful.” I hate when people say things like “this project has gone beyond my wildest dreams” because we all know that’s not true. Even bands who keep their hopes in check have dreams of playing the Superbowl (or similar large-scale successes) and even I myself have similar dreams for the scope of this project. But I will say I am pleasantly surprised how fast I’ve grown, as well as the overwhelming outpouring of positive feedback and interaction I’ve received.

When I started this project, I had one goal in mind: I wanted to take privacy and security – particularly against digital surveillance of all kinds – and make it accessible to “normal” people – that is, people who aren’t programmers, system admins, tech enthusiasts, etc and make them realize that it’s not as hard as they think to take some basic-level protections. There’s tons of great resources out there, but it’s not accessible to people like my mom, my girlfriend, or my best friend. They don’t understand it, and they need a translator to explain it to them in terms they get. That’s what my goal was with this site.

When I started the project, I had the same dreams as anyone else, but I tempered them with realistic expectations: I expected a few followers, the occasional hater, and overall I assumed this would become a passion project with no real effect. Instead I was greeted with tons of positive feedback, from “great article” to “everyone check this guy out.” Just last month I got my first financial supporter on Liberapay and broke 100 followers on Mastodon. I’ve even got people asking me questions about my thoughts on things or how I recommend tackling certain issues.

I have to remember that I am still a small fish in a small pond. There are people who are much more knowledgeable about this stuff than I am. Honestly, I like it that way. Snowden once said that his biggest challenge in presenting mass surveillance to the public was how to take complex issues and explain them in a way that everyday people could grasp. By keeping myself out of the higher levels of technical skill, I force myself to understand things at a general-public level, which I think (or hope at least) helps me present these things to the general public in an understandable format.

In 2019, I think I successfully found a sustainable foundation for the site going forward. I formed a working solution for selecting and posting articles based on a criteria that keeps them mostly relevant to the site. I created a solution for posting blog posts weekly, thought that one really comes down to just being disciplined. I think I showed both myself and my supporters that I’m serious about this project.

In 2020, I want to expand. In the closing weeks of 2019, I took a leap and started my own home server. Right now I mainly use it for things like RocketChat and Nextcloud, but I also run a TOR bridge. This is something I’ve wanted to do for years, to do my part to support digital freedom. In the coming weeks I plan to add a second relay for regular TOR users. In the future, I’d like to run a PeerTube instance and maybe even a Mastodon instance, as Eugen has indicated that Mastodon is growing rapidly and needs more servers. I’m currently torn between buying my own server and renting a VPS through a provider. There are pros and cons to both, feel free to message me your thoughts that might help me make a decision. This is still some time off, for now I’ll stick to running to small, personal services on the old desktop tower under my desk. But I do hope to have a professional-grade server running more advanced services before the end of the year.

In addition, I hope to start hosting regular cryptoparties in my area. Cryptoparties are basically classes where you explain encryption and surveillance to folks and help them get set up with things like 2FA, encrypted messaging, VPNs, and other simple such services and concepts. There are a startling lack of them in my area, despite being a major tech town, and I want to remedy that. Ideally I’d like to do them once a month, but I think I may aim for once per quarter so I don't overload myself.

In 2020, I also hope to attract more financial support for this project. This will help me cover the obvious things like hosting costs, VPS services (if I go that route), hardware maintenance (if I go that route) and other related expenses. Any excess support would go to helping me cover my own bills like housing, transportation, and groceries. I’m not a materialistic person, I actually identify as a minimalist, so rest assured that any “excess support” is not going to paying for a new Lexus or an expensive house. It’s going towards a moderate apartment and a used Toyota, and maybe some frugally-executed vacations in the future. And also two cats. They’re not very expensive though.

In the long term, I hope to be able to travel and speak and more on this project, lending my help wherever possible. I’ve got a few EFF links I need to look into this weekend about signing petitions against facial recognition and such. I work closely with my local EFF chapter to help bring these subjects to the general public in my area. I would love to be more closely involved in these types of organizations wherever I can. I would love to educate wherever I can. I would love to offer services and solutions of my own, hence my desire to invest in servers.

The purpose of this post was partially to put my own thoughts in order, but also to express transparency and let you guys know what to expect from me in the coming year. Two goals are actually not much for me, as someone who’s constantly on the go. Today is supposed to be my day off, but in the four hours since I woke up I changed a small part on my car, rescheduled a doctor’s appointment, made an appointment for the cats to get their annual shots, wrote this blog, and checked into some payroll stuff at my day job, so I’m not really much of “day off” kind of person. I wish I had more goals for this project in 2020, so if you see room for improvement please don’t hesitate to message me and let me know. And also feel free to keep suggesting services and products for me to review and add to the site, I want visitors to have as many options as possible.

For those who supported me in 2019, thank you so much. You honestly do inspire me to keep going on days when it feels hopeless or meaningless. For those who are new to the site, thank you for joining and I hope it lives up to your expectations. For those considering supporting me financially, I hope this post has helped you make the choice either way by explaining what I hope to accomplish in the future. And for those who can’t do so, I hope you can support me by sharing the site, the articles, the blogs, or whatever else you find worthy of sharing, and I hope it helps make this important subject more accessible to the general public.

The other day I found myself talking with some friends about privacy and security. I was sharing that my girlfriend recently jumped on board the privacy train with me. That may surprise some readers to know that I chose to involve myself so closely with someone who didn’t share my views, but I think that’s pretty in-keeping with the message of this site: you don’t have to draw lines in the sand all the time, sometimes you can make compromises, and it's all about making educated decisions. Until recently, my girlfriend respected my use of Signal for daily communication and my use of a VPN on the home network. She would even let me do stuff like set up her Firefox browser for her and disable a lot of the telemetry on her computer. Basically as long as it didn’t inconvenience her too much, she didn’t mind. But then her boss casually informed her that corporate is able to read all communications sent over the company WiFi. I’m not sure how the subject came up, and needless to say this wasn’t exactly a new thing, but something about being told to her face by the company itself (more or less) really rattled her. That night, without any prodding from me, she downloaded a VPN on her phone, switched to ProtonMail, and invited all her coworkers to use Signal.

As I was regaling my friends with this story, one friend spouted his usual response that privacy enthusiasts the world over have become allergic to: “I don’t really care about that stuff, my work can read my texts, I have nothing to hide.” He wasn’t dismissing my girlfriend’s choices or criticizing her, just stating that he personally couldn’t care less. I explained to him that while he may not care, “arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.” (Edward Snowden, 2015). Basically while he may not care, he should care for others. My friend, for example, is bisexual, and is very open about it. He makes no effort to hide it. And I told him that while he should absolutely have the right to not care if his sexuality is a secret, someone else should have the right to care and hide it for any reason so they so choose, including but not limited to “it’s nobody’s damn business.”

My friend immediately agreed with me and respected that. “But,” he countered, “I don’t understand what I can do. How does my using Signal or a VPN help them?”

“Three ways,” I offered. “Herd Immunity, economics, and normalization.” (Originally I tried to divide these into bullet points in this post, but I found them to be too closely intertwined to do so meaningfully.)

Let’s take an example community of 100 people. Let’s pretend all of these people use encrypted messaging of one kind or another. Lately, in real life, the FBI and Interpol have both been making the claim that End-to-End Encryption allows for the proliferation of illegal activities such as drug dealing and pedophilia.

According to The Hamilton Project, which claims to offer statistics to help lawmakers make better-informed decisions regarding policy in the United States, drug arrests accounted for only 1% of the population on average in 2015. A WorldAtlas article from 2018 lists the total number of sex offenders (not just pedophiles) in the United States as 747,408. If the population in the US in 2018 was estimated at about 327.876 million, then that means sex offenders account for less than a quarter of a percent of the population.

So let’s be generous with our imaginary community of 100 people. Let’s pretend that a whopping 5 percent of them are criminals – not just sex offenders and drug dealers, but all violent criminals (in the United States, violent criminals account for less than 1% of the population). That means there’s still 95 people – 95% of the population – who are perfectly normal, law-biding citizens who use encryption for any number of completely legal, valid reasons, like trading sensitive information (in the aforementioned blog post, I talked about how I can send my girlfriend the credit card number safely in case of an emergency), avoiding unwanted surveillance capitalism, or any other of millions of perfectly okay things. If only the criminals were using that encryption, then it would validate what those agencies are saying. So if everyone were to use encryption, it invalidates those claims. It goes from looking suspicious that you use encryption to it just being something everyone does. Everyone wears clothes in public, too, does that mean everyone who wears clothes is hiding a weapon? Or drugs? Of course not. No agency would ever publicly state that we need to ban clothes because criminals use them to smuggle illegal goods, even though such a claim is rooted in a fact. Nobody ever says we need to ban airplane luggage because criminals sometimes sneak bombs in on them. We all know that privacy comes with risks, but we also know that as a general rule, criminals are a minority and just because some people are doing bad things doesn’t mean everyone else gets stripped of their rights. So why should you care about your privacy even if you have nothing to hide? Because it normalizes it. When everyone is using encryption, nobody looks weird for doing so. It goes from “what are you hiding?” to “of course you are.” Nobody ever looks at me suspiciously in public for locking my phone when I’m not using it, and nobody should be looked at suspiciously for digitally securing their public lives. This is normalization. When we all take basic, effective measures to protect our privacy, we stop looking crazy or suspicious. We normalize it.

Most of you reading this are likely familiar with the “anti-vax movement,” the belief that children shouldn’t be vaccinated for diseases like measles and mumps for a variety of reasons. This is a controversial opinion for many reasons, and I’m not going to get into it on this site so don’t bother contacting me about it. But I mention it because of one specific argument that medical experts cite, called “herd immunity.” Basically, there are some people who cannot be vaccinated for safety reasons, such as a severe allergic reaction or complication to the ingredients in the shots, particularly among children and elderly. So the experts argue that the more people who get vaccinated who are able to, the less likely those diseases are to spread, and it protects the unvaccinated just as effectively. Basically, the whole herd is immune, so the one person who isn’t has such a low chance of encountering the disease that they’re essentially safe as well.

A threat on par with government surveillance in the US is corporate surveillance (partially because the government has access to that information, and partially because it’s actually more invasive and effective than government surveillance, as is usually the case with these types of things). This surveillance is fueled not by the desire for control but for money. Corporations are trying to build the most accurate picture of you so they can sell you things. They don’t want to waste the money showing you fifty ads that may or may not convince you to buy a product or service, they want to spend money once to show an ad that will definitely make you buy a product or service. In order to do that, they need to know as much about you as possible. They need to know your hobbies, interests, which devices you’re watching on, what times you watch, what motivates you to spend money on something, and more. The biggest threat with this, as I said, is that it can be abused by anyone from state agencies to Facebook. So that’s another layer of reasoning to protect yourself from “surveillance capitalism,” as it’s called.

In the previous section, I argued that everyone should use encryption because it protects the people who actually need it. In this section, it protects the people who can’t. A popular notion in the privacy community is to delete Facebook. Really all social media, but Facebook especially. They are, by far, the most egregious offender in this realm. But for some people, that’s not always an option. Early in my career I worked a job where work was conducted via a secret Facebook group – schedules posted, bulletins to other technicians, etc. Not using Facebook wasn’t an option if I wanted that job, and since I was early in my career I needed any job I could get.

Going back to our 100-person community, let’s say 5 people can’t use encryption for whatever reason. Their phones are old and don’t support the option, the people they do business with can’t support the protocols for it, whatever one of a million valid reasons. If 95 people are using encryption, it stops making financial sense for corporations to keep sucking up all that data. The data – previously unencrypted, revealing, and useful – has become encrypted, unreadable, and useless. After a while, it becomes a financial loss to keep pouring so much funding into projects to scoop up all this data and get almost nothing from it, so they stop. And after a while, that means even unprotected people are now protected because nobody is watching. This is both herd immunity and the economic angle. Herd immunity has protected the few who can’t participate, and the proliferation of security has made surveillance uneconomical.

Maybe you have nothing to hide (first off, that’s a blatant lie, we all have things to hide whether it’s our bank accounts or access to our homes or cars or whatever). Even if you don’t, it’s selfish to assume that nobody else does, and while it may not seem as effective as going to a protest or becoming a hacker, even simple things like the products, services, and techniques shared on this site can add up and create a larger change, often at little or no expense to your own convenience or lifestyle. So I recommend you implement as much of this as you can, if not for yourself than for others.

In my time in the privacy community, I’ve noticed a prevailing myth. Sometimes this myth is brought in by newbies who have a preconceived notion. Sometimes it is inadvertently (or intentionally) perpetuated by hardcore privacy enthusiasts. But in short, the myth is the idea that privacy is a binary thing. An all-or-nothing game. Go big or go home. Start building your cabin in the woods or don’t even bother using 2FA. Quite frankly, this is a crock of garbage.

Privacy and security are often sliding scales. It’s rarely a binary yes or no, but rather a spectrum. Very few people are 100% secure or 0% secure. If you use a password – any type of password, even “password” or “admin” – that’s a level of security above just having an open account or document. But obviously that’s a poor level of security against a password such as “(z”a8j#;uU$>s!;–;6!G”. That’s a far better password with far better security. But even that’s only 20 characters, and can be improved. It’s almost always a spectrum.

Most of us, by default and the way we were raised, tend to fall on the “less secure” end of the spectrum. We use easily remembered – and therefore easily guessed or hacked – passwords. We don’t use 2FA. We use Google search and Google Calendar and Gmail.

The goal of this website, as I’ve said before, is to nudge you to the “more secure” side of the spectrum. It actually doesn’t take much to get there. Using 2FA, password managers, and similar techniques discussed on this site will actually move you considerably far on the spectrum. Because the thing is, the spectrum is relative. If we have a group of 100 people and 90 of them aren’t using 2FA and you do, that automatically puts you in the top 10% of the “most secure” spectrum. If the other 90 people add 2FA, the bar has been raised. Sadly a lot of the techniques I share on this site aren’t being used by the majority of people, so just doing these basic things dramatically moves you along the spectrum.

Now I do want it to be noted that where you need to be on that spectrum depends heavily on your threat model, as I’ve discussed before. So while Person A’s threat model may be as simple as 2FA and a VPN, Person B might have need of secure messaging and even extra protection against location tracking. Person C might opt to not even have a phone and live in an apartment rented in cash or a shell corporation (totally legal, I assure you). It’s different for each person.

I encourage you to go as far as you can and do as much as you can for the sake of herd immunity. If everyone uses encrypted messaging or a VPN, then it doesn’t stand out and look suspicious, and it makes reading the traffic uneconomical for the companies who do it. But at the end of the day, you’re still doing something even if you only do a little bit. Some people – including your own doubts – might lead you to believe that if you aren’t going whole-hog – deleting Facebook, deleting Google, and hosting your own email server – then you aren’t doing enough. Those are certainly great things to do if you can, but honestly don’t listen to them. If you eat two dozen donuts every day for breakfast and suddenly decide to cut down to one dozen, you’ve still made a difference. It may not be enough to run a marathon and you'll probably still have some health problems, but it’s certainly better than eating two dozen and it may even be the first step towards a healthier lifestyle in the long run. Don’t let anyone make you feel bad for not going as hardcore as them. It’s a journey, and there is no one-size-fits-all solution. Do what you can and go from there.

It’s hard to figure out where to begin a blog post about encryption. It’s like explaining air, or the sun. It’s sort of a given starting point that everything unravels without. Encryption, for those who have somehow stumbled on this blog by accident or may have forgotten my previous overviews of it, is basically using a code to hide your data. For example, when you were young, you may have used a hidden language to pass notes to your friends in class. Maybe A=1, B=2, etc. Or maybe you even drew your own unique symbols. Those are, technically, a type of encryption. Weak encryption, but still encryption nonetheless. More modern encryption protocols, like Signal and AES are significantly more advanced but at it’s root, the concept is the same: we’re replacing easily understood words with complex substitutes and – in a perfect world – you can only figure out how to turn them back into the easily understood words with a “key,” which explains the code. In the grade school example I gave earlier, the “key” is knowing that A=1, B=2, and so forth. In more advanced software encryption, the key is your password or passphrase. This is, of course, a tremendously high-level overview that dramatically oversimplifies things, but it gets the basic point across.

Encryption is a concept that I harp on with every service I recommend, specifically what’s called “End-to-End Encryption” or “E2EE.” I’ve mentioned in other blog posts that technically a majority of the internet is encrypted when using HTTPS. Additionally, most services and websites offer at least a basic level of encryption when it comes to things like saving passwords, credit card information, and even sending messages. The thing is, those types of encryption only work against outsiders. Facebook messages, for example, are encrypted to anyone outside of Facebook. Google can’t read them, the random hacker can’t read them (technically), but Facebook employees can read them as if you sent it to them. E2EE defeats this. E2EE messages can ONLY be read by you and the recipient, provided you used the service correctly. Even the provider can’t read them. For example, if both you and the recipient are using ProtonMail to email each other, Proton can’t read your emails. (Note: that’s an example of “using the service correctly.” It is outside the scope of this specific blog post to talk about how to use various services correctly, so make sure you understand what that means before assuming your privacy and security.)

Encryption, however, is not limited simply to your communications. Encryption can be used on your various devices to protect them when not in use. And I recommend this, especially for devices that are prone to being lost or stolen, such as phones, laptops, and tablets. Encrypting these devices ensures that even if your device is lost or stolen, your sensitive personal information is safe from whoever finds it.

Apple recently released a commercial that announces (accurately) that there is a ton of private information on your phone. Contacts, health information, diet information, communications, a history of where you've been, and more. Even if backed up to the cloud, think about what all that information reveals about you. Pictures, some of which may be very personal. Apps that are always logged in to your accounts. Bank information. Maybe your map program even has your home or office saved in it. And now imagine any random stranger downtown having that information to peruse freely.

For that reason alone, I highly encourage everyone to encrypt their devices. According to Statista, the number of lost or stolen devices ranges from 45% to 20%, depending on age range. This number is from 2012, and is the most recent, credible source I could find. One article from the Daily Texan in 2014 claims that number is on the rise. Digital Trends reported over 1 million devices stolen in 2014 (not including lost devices). I expect the numbers continue this trend into the current year. The math is not in your favor.

Encrypting devices varies from operating system to operating system, and it changes quickly. At the time of this writing, my research indicates that iPhones are encrypted automatically by adding any kind of login security (passcode, fingerprint, etc). Android devices, on the other hand, must be encrypted via the “Security” options under “Settings.” Be sure to backup your device first and keep it plugged in while it encrypts, as it has been known to take some time and can sometimes go wrong.

For desktop operating systems, Macbooks have their own built-in encryption software called “File Vault” located under “Security and Privacy” in the “System Settings” menu. Windows 10 devices come in several flavors, technically, and some of the more advanced-level flavors (Pro and Education, for example) come with a program called BitLocker, which is basically Microsoft’s answer to File Vault. Since most of us reading this are likely using Windows 10 Home, there’s a solution that doesn’t cost $100+: a free, open source program called VeraCrypt. It can be a little bit intimidating, but it’s not as scary as it seems. Here’s a guide on exactly how to encrypt your Windows computer using it.

Enabling encryption on all your devices is a good idea, especially – again – on devices that you are likely to leave the house with or are easily stolen such as phones, tablets, and laptops. At very least, encrypting these devices will ensure that your personal data gets erased rather than accessed and abused by any would-be thieves. The negatives of encryption are minimal, almost to the point of being nonexistent in my opinion, with one major exception: be sure not to lose or forget your password, or else you’ll be locked out for good. Most of these encryption features are powerful and effective, meaning that without the key, you’re in trouble. Keep that password somewhere safe and secure, and hopefully you’ll be one of the lucky ones who never has to worry about this stuff.

In my last blog, I cited a statistic that the majority of the web is encrypted. This means that when you visit, say Facebook, that your Internet Service Provider (ISP) can see that you visited and logged in, but they can’t see your login credentials (username and password). Similarly, using Amazon means they (and whoever owns the router of the network you’re using) can see what you bought but not your card number. This is done with the use of HTTPS, a powerful and increasingly popular encryption protocol used online. It’s quite effective and difficult to break.

So in effect even the average person has – generally speaking – a basic level of powerful security in their online lives. Which begs the question that privacy enthusiasts everywhere have come to despise like nails on a chalkboard: “why should I care?” If your sensitive details such as password and credit card number are safely encrypted, who cares if your ISP can see what websites you visit? Or if your network administrator can see what you bought? Or if Google remembers what you searched last week? (Spoiler alert: the front page of my website has a curated list of reasons why you should care, but let’s ignore that for now.)

This information in question is called “metadata,” sometimes described as “data about the data.” Maybe I can’t see exactly what you said in your email, but I can see who you emailed, what time, and the size of the email. And on the surface it doesn’t seem so bad. Who cares if you know that I emailed my mom at 7pm and the email was 7KB?

As is the case with most privacy and security concerns in the modern era, the problem isn’t so much what’s collected but rather how it has the potential to be used. Take this excellent article from the Electronic Frontier Foundation, for example. A couple examples they list of metadata that has the potential to be too revealing include:

  • They know you rang a phone sex line at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.

  • They know you got an email from an HIV testing service, then called your doctor, then visited an HIV support group website in the same hour. But they don't know what was in the email or what you talked about on the phone.

As you can see, metadata has the potential to be just as revealing as content itself, and therefore should be protected just as much as the actual data. “You keep saying potential,” you might say to yourself. “Do you think that’s likely?” The answer is yes. China is already notorious for their incredibly invasive, 1984-like “Social Credit System.” The United States is starting to implement the use of your social network in insurance industries. Oh, and the United States is working on their own “Social Credit System” too. So yeah, metadata is an important part of your attack surface that you need to consider as you protect your privacy and security.

Certain metadata is impossible to avoid. Most of us probably aren’t willing to leave our phones at home and go without, so location-based metadata is inevitable. Most websites also collect information about what type of operating system and therefore device you’re using when you visit. Even connecting to a VPN service or sending encrypted email requires a certain amount of metadata to communicate. I wish this blog post ended with a list of suggested services to help reduce or eliminate the amount of metadata you leak in your daily life, but the fact is no such thing yet exists (easily). Instead, the goal of this post is to make you aware of metadata, how it exists and is collected, and what it says about you. As you pick services to help keep you safe and private in the digital world, it’s important to consider who those services are talking to and what they’re saying. Wire messenger, for example, collects metadata about your initial sign-up so they can create your unique account. This data isn’t shared outside the company without a warrant, but it is a good reminder that Wire is not 100% anonymous from the company itself if that’s your goal. On the other hand, Mullvad VPN allows you to pay with Bitcoin without surrendering any personal information at all, so in theory – if done carefully and correctly – Mullvad can make you 100% anonymous on the internet (disclaimer: there’s a lot more that goes into that than just buying a VPN with Bitcoin, so don’t get any ideas, it’s just an example that is possible in theory).

Most of us probably don’t need to be 100% anonymous for any reason, but it is a good idea for us to protect our metadata just as much as our actual communications. Again, I wish I had some concrete advice, but instead it simply comes down to asking yourself “what metadata am I giving up and to who?” Using a VPN means you’re transferring a considerable amount of your metadata away from your ISP and over to your VPN provider. Assuming you use a reputable, trustworthy VPN provider, that’s a good strategy. Encrypted emails are the same thing. Many of these companies will surrender what they can if given a warrant, but these same companies rarely have much to turn over aside from a few login locations and times (which can again be defeated with a VPN). It’s a multi-layered approach but it’s one worth considering until technology can catch up to protect our metadata by default.

With gift-giving season officially in full swing in the United States (and at least a few other places, I presume), I figured this would be a great time to discuss safe shopping tactics. I don’t feel like this needs any sort of real introduction, it’s pretty self-explanatory, so let’s begin.

  • Pay with cash in person. In general using your card is a bad idea for both security and privacy. In addition to the risk of having your card number stolen, there’s also the privacy invasion of having banks selling your shopping habits. Both of these risks can be eliminated completely by simply paying cash wherever possible. This also helps if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc). They can’t see how much you spent or where.

  • For online transactions, use pre-paid cards or card-masking services like Privacy.com and Blur to avoid having your real information stolen. Be aware that Privacy.com essentially functions as a bank, so they will ask for some personal information that some people may not be comfortable with. Blur is a little less invasive, but you’re basically just creating digital pre-paid cards. Personally I’m a fan of Privacy.com for a lot of reasons, but this isn’t the time or place. Feel free to check out their site and see if it’s right for you.

  • Use HTTPS. HTTPS is a powerful and effective encryption method for data-in-transit (aka web traffic) that helps protect your sensitive information as it shoots across the web. The vast majority of the internet is now securely encrypted but why take any unnecessary risks? The web browser plugin HTTPS Everywhere will automatically ensure an HTTPS connection wherever it’s offered, regardless of search engine or browser settings.

  • Use a VPN. VPNs are popular for people looking to change their location online to do things like get around country restrictions on YouTube or Netflix, but they can also serve a number of other purposes, such as providing additional encryption and security, especially if you're a fan of using public wifi such as the library or coffee shops.

  • Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the hacker who hopefully didn’t steal your information because you already implemented the above bullet points.

  • Don’t quit on December 26. The thing about these habits is that they’re great year-round, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. HTTPS and VPN encryption can protect your Facebook login just as much as your card number. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. HTTPS and VPNs are things that take just a few minutes to set up and you never have to think about them again. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work (if you have a concern about stalkers, you may want to consider getting one in a nearby town instead). Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!

Social media is a ubiquitous part of modern life. I am the last person here to decry the negative effects of it, though for the record there are some we should be aware of address outside of privacy and security. No, for an introvert and avowed hater-of-small-talk like myself, social media is a godsend. I hate calling or even texting someone to go “hey, I have no reason to be bugging you but what's new? Let's chat.” Instead I love the ability to peruse the timeline at my leisure and respond to whatever someone else felt was worth sharing, whether it's their latest meal, their child, or their trip to the brewery.

But we all know social media comes with wide-ranging risks, from cyber-stalking and cyber-bullying to full on identity theft. Many of us likely know someone who was or have been ourselves victims of someone pretending to be us on Facebook. This usually isn't a problem when you can just post “hey, that ain't me, don't give them money.” But what happens when you're a well-known, respected person and your social-media doppelganger is posting things you would never endorse in a million years? Well, it happens. And sometimes, it has nothing to do with you. Another common abuse of social media is to use the information one over-shares for “social engineering.” For example, I can check your Facebook page, see your banner picture is the Green Bay Packers, and if your website security question is “who is your favorite sports team?” I now have a pretty good guess. Or on a more complex level, I can assume that the Packers might be part of your password and I can use that for a dictionary or brute-force attack.

So am I here to tell you not to have social media? Well, sort of. Not to be “that guy” but the quality of my friendships has increased dramatically since I deleted Facebook. I find it much more meaningful when my friends personally invite me to hang out rather than send me a faceless, impersonal, mass event invite. We also put more intentionality into our talks, even our texts. It's more engaging than a casual like while lying in bed at night waiting to fall asleep. But having said that, even I have a personal Mastodon account I'm in no rush to delete.

At very least, I do encourage you to ditch traditional social medias like Facebook, Instagram, Twitter, TikTok, and Snapchat (and others) in favor of more privacy-respecting services like Mastodon, Diaspora, Pleroma, PixelFed, Riot, and others. Traditional social media companies are terrifyingly abusive in both the ways and extents that they collect data about you and process it. But that's a post for another time. Instead, this post is about how to best-use your social media – be it Facebook or Mastodon – and how to be smart about it to enjoy the best aspects of it while avoiding some of the worst.

-Ditch mainstream. I know I already said that, but I assume some people are going to skim this post, and it bears repeating anyways. Seriously. Here's just one site full of good reasons why Facebook sucks, and there's plenty more where that came from from each major company.

-Think about your privacy settings. This one is pretty well-known these days so I'm not going to spend much time harping on it, but unless you're a public figure intentionally attempting to reach the masses, you may want to consider locking down your profile behind as much privacy as you can. Making your Twitter private may cost you some followers, but it will make you significantly safer and make your experience more enjoyable.

-Think about what's really worth posting. Again, I'm not here to decry “the good old days” and make fun of people who post their lunch on Instagram all the time, but does it really make you happy? Does “vaguebooking” about your unhappiness really fix the problem? Does sharing that link (that you didn't even read or fact-check) actually change anyone's mind? Don't just impulsively dump things into your profile or feed. Take a few seconds to ask “do I really want to share this?”

-Think about what you're posting. Okay, so you've thought about it and you're REALLY feeling that selfie. Your hair has never looked so good. Great! But do you really need to angle the camera in such a way that the company logo is visible on your work shirt that you're wearing? Did you leave any mail or personally identifiable information in the background? Is everyone in the picture consenting to be in the picture? I don't care if my girlfriend posts a selfie to Facebook but I politely ask her to angle the camera in such a way that it leaves me out. Think about what information someone could potentially learn from that photo, such as where you live or work, and remember that people search websites are a tragically real thing. (I'll do a post about that someday too). Again though, it's not just you. When you post a picture of your child to Facebook, that picture stays on Facebook's servers forever. Someday your child will be grown, and they should have the right to decide if they want Facebook to have their facial recognition data on file. Carelessly posting even statuses or location check ins can sometimes reveal more information than you or the people you're with may be comfortable with. Be sure to think about what information you're revealing and be sure everyone involved is okay with it.

-Remember who your audience isn't. One big reason I dislike mainstream social media is the lack of privacy. If your profile isn't set to private, literally anyone can see your posts, pictures, likes, and more. “I don't care if my friends see where I work,” you say as you check-in with your latest tweet, but what about the stranger? The Guardian wrote an article reminding us how easily one can “stalk” someone – even by accident – with how much information social media reveals about us.

-Remember who your audience might be. This story shows how even the best intentions can backfire when you overshare on social media. Even if you make a post privately or in a closed group, you can't guarantee that it won't be screenshotted, printed out, or otherwise shared with someone it was never intended to see. Always assume anything you put on the internet is wide open to the public, even if it isn't.

-The internet never forgets. So you had a little too much to drink last night, or maybe the anesthesia the dentist gave you was pretty strong, or maybe you just were real depressed and it felt cathartic to make some emo posts. You can just delete them later, or set your profile to private, right? Allow me to introduce you to the Wayback Machine. The Wayback Machine is a free service from Archive.org that automatically creates a copy of every page on the internet it can find at all times for the sake of history. It's not trying to make everyone remember that picture of you in 8th grade, it's trying to ensure that a hundred years from now we have a copy of the front-page news from major events in history and such. The problem is that it's a bot. It doesn't discriminate. Now obviously the bot can't be everywhere at once, and it can't possibly get everything all the time, but it tries hard. The longer you keep something online, the more likely it is to get swept up in archiving services, and the harder it will be to remove. And Wayback isn't the only service that does this. Anything you post, even briefly, has the potential to stay on the internet forever, if not on the social media provider's servers then on an archiving service. The odds of this increase as your social media presence grows – aka, if you're a notable figure of some kind (musician, actor, influencer, etc). Posting something online and then deciding later “nah, I don't really think I want to share that with the world after all” isn't really an option. It's there forever and whatever prompted you to remove it – such as personal information, non-consenting parties, or even just bad lighting – will be there forever to haunt that decision.

Once again, I'm not here to bash social media (this time). I'm not here to tell you to delete Facebook (though I do encourage it). But I do want you to take the time to think about what you're sharing and make sure you know what you're getting into. Be smart with your social media usage. As I said in my first ever blog post here, our goal is to reduce our “attack surface.” We want to make ourselves a less convenient target so that bad actors go after an easier target. Think twice about anything you post on any social media platform, and that alone will get you pretty far. I hope the pointers above have been helpful in that regard and given you some factors to consider. Use wisely!

If you've been online for any time at all, you've probably at least heard mention of Linux or Unix. What is it exactly? And is it worth your time?

Linux, put simply, is an operating system, just like Windows or Mac. Linux, however, is open-source and as such there's dozens of variations of it. Some require more technical knowledge than others. Some versions are run by an official team, such as Fedora, and others are purely made on a volunteer basis, like Debian. Some are specialized towards a specific job or purpose, like AVLinux, and others are designed to be used by anyone and everyone.

So first off, why should you consider switching to Linux? For starters, security. Linux has very few viruses and malware for a variety of reasons. For one, it's not very widely used. Second, those who do use it tend to be personal users and not high-level governments or celebrities. Third, the users who do use it tend to be tech saavy, which means any sort of malicious actor would have put considerable work into their malware to get past the users' general knowledge and caution. Finally, there's so many version of Linux it makes it difficult to make a virus that would work across all of them. And of course, because Linux isn't owned by a corporation, there's no telemetry, which it makes it virtually impossible to get a solid number on exactly how many Linux users there are.

Another advantage to Linux is privacy and customization. As I said above, Linux has no central owner, so there's nowhere to “call home” to. Windows 10, on the other hand, has been caught with a keylogger on even their most miniscule softwares like calculator and Office. (Source) That's an incredible jump in privacy right off the bat. Also, because Linux is open source, there's a million ways to customize it if you feel comfortable messing with that. And if you don't, there's so many flavors that you're likely to find one that feels right for you. There's versions designed to look like MacOS or Windows XP. Even the same version of Linux could have up to four different desktop environments for you to pick from, completely changing the feel of the system.

In light of all that, should you switch to Linux? The short answer I would recommend is “if you can.” Unfortunately some of us have specific hobbies or jobs that require Windows/Mac only software. Hardcore or professional gamers, for example, will be hard pressed to find a Linux distro that can support some of the popular titles or use the same stability as a conventional OS. Other people, such as graphic designers and musicians, may find that the softwares they rely on that most benefit their workflow are not available on Linux. And of course, there are tons of other jobs that rely on proprietary softwares that are only available for Windows or Mac. So before I give a hard “yes, everyone should switch,” it's important to note that sadly that's not an option for everyone. Of course, there's nothing to stop you from having a work computer and a personal computer that runs Linux (except perhaps finances). You could try dual-booting if you feel comfortable with that and insist on having your personal life on Linux.

How hard is it to use Linux? Again, it depends. Distributions such as Qubes require a high degree of technical knowledge and comfort. Other versions like Mint and Ubuntu are very straightforward and come with a high level of support online through the communities who use them.

Which version do you want? If you're a Mac user, ElementaryOS is probably the place to start. It looks a lot like MacOS and is gorgeous. It will probably feel most at home as an introduction to Linux. If you're a Windows user, Mint looks like Windows XP and will probably be your best introduction. If you're tech savvy and feel comfortable diving right into a different operating system altogether, Ubuntu is by far the most popular Linux distribution. If you feel more comfortable and want even better security or transparency, then I would recommend Fedora or Debian (respectively). Really at this point it's a personal question of what you want out of your computer and how comfortable you are with tinkering with software. Just about any distribution – except perhaps the highly specialized ones – will give you the same basic ability to check your email, watch Netflix, listen to music, browse the web, and create text documents. If you need anything more than that, it's a personal preference that only you can answer.

If you're interested and curious about switching, in addition to just searching “getting started with Linux,” I recommend this site I found that quizzes you about what's important to you and recommends different distributions based on that.

Enter your email to subscribe to updates.