Reminder: Beware the Little Guys

In the above-linked CTemplar blog post, I wrote that “in the privacy space, we are very skeptical of new services.” Since then, I’ve seen a shift away from that. I’m not a fan. On the one hand, I’ve written in the past about how no service or tool is perfect and how we should always be striving for better services that improve upon those shortcomings. In the CTemplar post, I also mentioned the value of supporting the little guy and how every major organization was once a “little guy.” However, I think that the privacy community has taken this mentality too far. Not a week goes by that I don’t see some new forum post, email, or Surveillance Report question about some new service I’ve never heard of before. It’s great that so many new people are recognizing the room for improvement and stepping up to the challenge, and that so many privacy enthusiasts stand ready to support these efforts. But in the CTemplar post, I also touched on the fact that starting a new service is really hard and riddled with uncertainty. It could be a Big Tech or government honeypot. Even if it’s not and the creators are genuine, it’s incredibly easy to accidentally screw up implementation and allow for bugs and vulnerabilities (if it happens to the big, well-funded giants on a regular basis, why would the small, cash-strapped startups be any safer?). And of course, any new company in any industry must compete, and that’s never a sure thing no matter how much money you throw at something or else there’d be no such thing as “box-office bombs” and venture capitalists would have a far higher success rate.

I know that advice is contradictory, but life is complicated, contradictory, and messy. Still, two things can be real – like how new services should be both supported but also treated cautiously. It’s okay to donate to a new service you believe in that you think is doing interesting things, but you probably shouldn’t immediately move everything over to be your primary service. Relationships have some pretty consistent rules and characteristics across the board, whether it’s with a potential romantic partner or a corporation. One such rule is to go slow. You wouldn’t propose marriage on the first date, so why on earth would you move all your most sensitive data into a brand new service you just discovered that’s less than two years old and just launched their first stable release six months ago and you can’t find any expert reviews of it? Explore, support, but temper your excitement. Wait to see what the experts say and if the service really is here to stand the test of time.

Reminder: Control Your Data

This is a topic I clearly need to discuss more: the tech space in general – but especially the privacy space – is rife with ephemeral projects, whether because they get sold, abandoned, or forced out of business. The single best way to defend against this is to control your data, and the best way to do that – I think – is to think in “standards.” The internet was never Netscape, Explorer, Firefox, or Chrome (or apps, for that matter). It was always HTTP, TCP/IP, the OSI model, and other such standards. These have been improved upon over time (such as HTTPS and DoH/DoT), but the core standards have never changed. And they're open! Accessing The New Oil today is no different than accessing Myspace in 2003 or the CERN website in 1991, except it’s probably a lot faster, easier, and better-looking (no offense, Proton/CERN alumni).

If you don’t know what any of that stuff means, don’t worry about it. Here’s the point: try to think about how to reduce your data to a standard – preferably an open one – and then preserve that. For the record, I don’t mean a literal web standard like the ones above, but I do mean the same ideas and principles. Bear with me and I’ll come back to that. Since this post was inspired by Skiff (and built off my CTemplar post), let’s take email for example. Like it or not, email isn’t going away any time soon. Nearly all websites require email to sign up for an account, for example, and lately there's been a big push for services to forgo a password logon entirely and instead email you a link every time you sign in. (Not a fan.) However, email is an interoperable standard. Whether you use Proton, Tuta, Mailbox, or Gmail, that login link is going to get sent to you. So regardless of whether you’re wanting to check out a new provider or simply improve your own data sovereignty, the question to ask here is “how can I think of email as a 'standard' to ensure that I retain control of my email no matter what?” The most extreme option here is to self-host your own email server, but that’s generally not recommended unless you’re an expert – there’s too many opportunities for things to go wrong and suddenly your emails will be blocked (possibly both sending and receiving) and you may not have any idea for a long while. Instead, the next-best option is to control the email address, because then you always control where the emails go. You’re not bound to a specific provider, which means you can migrate for any reason – shutdown, censorship, better options, etc. The good news is that this is incredibly easy to accomplish. You simply buy your own domain name from any reputable registrar for a few bucks a year, and most email providers have instructions on how to set it up. Then, if you decide you want to use a different provider, you just look up their instructions instead.

Now, of course, experienced readers will go “email isn’t a standard, Nate.” And you’re 100% right. As I said, I don’t mean to think in literal standards like HTTP or TCP/IP. What I do mean is think in terms of “universal” and “interoperable” – like a standard. As I said earlier, email is universal. Proton, Tuta, Gmail, Yahoo, every email provider is built on the exact same standards that make email function, such as SMTP, RFC 5322, and MX DNS records. Of course, Proton & Tuta offer different protections and technical features than Gmail and Yahoo (and even each other) but the core product is identical: an email is an email and will be delivered to or sent from anywhere (not including restrictions such as company or government censorship). As such, you can think of an email the same way you think of any standard: how can I ensure that I always receive my emails, send emails, and have my emails? As I said, the first two are easily accomplished via custom domains: if you ever have issues or find a better provider, simply migrate over with a few clicks and some help from the provider and you’re golden. The last one can be accomplished by exporting your emails, a feature that going forward I will consider a non-negotiable requirement to be listed on The New Oil because of situations exactly like this. Most providers also let you import emails, allowing you to transfer as if nothing ever happened. Backing up your emails via exporting on a regular basis and owning a custom domain essentially untethers you from any one given provider for email, making you independent, resilient, and in control of your own data.

Practical Application

This thought process can be applied to nearly anything. “How can I save this file in a format that’s compatible with other word processors or operating systems?” “How can I save my backups in a format that’s recoverable and usable?” “What would I do if this messenger shuts down tomorrow?” Not to victim blame, but perhaps the biggest failing with the Skiff fiasco – and CTemplar before it – was not asking these kinds of questions in advance and planning ahead. One should always have an exit strategy and backup plan in place, even with the most trusted and long-standing services, and one should always look for opportunities to reduce their dependence on these platforms as much as possible. (Note: I would like to recognize that some people are truly living paycheck to paycheck and cannot afford to pay for a custom domain or even a premium email aliasing service. This is valid, and I still encourage you to ask these questions and come up with solutions that are within your means, even if they’re less than ideal.)

It is, of course, worth noting that there’s only so much you can do. You can’t literally own your own domain registrar, and even if you could you couldn’t own the organization who makes the kinds of decisions that affect your specific domain. Therefore you can never 100% be certain of your domain name. But even as an everyday individual, you can rest assured that it would take a lot to get your domain name revoked or taken away, and for most of us that’s simply not something to even worry about. Likewise, for a lot of apps, you can export your data but it may only be readable by that same app. It’s important to be aware of these limitations and ask if you’re comfortable with them. I am a Qubes user, and I don’t expect that to change any time soon. My backups from Qubes can only be read by another Qubes device, and for me that’s okay. The purpose of these backups is to have them as literal backups – to be able to reload them on another Qubes device in the event of theft, loss, or damage of my Qubes laptop. On the other hand, I want my emails to be portable so that I can open them with another provider (or at very least, another program) so that I don’t lose all my past correspondence if I ever have to migrate services. These are two very different use cases that warrant consideration.

Whatever services you’re using today, there’s a near 100% chance you won’t be using most of them in 10 years. Whether they shut down or whether you simply migrate to something that better suits your needs, the software you’re using will almost certainly change in the future. The question is if you’ll be ready when that happens. Everyone who was depending on Skiff directly must now scramble to migrate and pray that they didn’t overlook anything when the dust settles. Don’t be caught in that situation when the service you depend on sheds this mortal coil and joins the choir invisible. If you’re lucky, you’ll decide that the time is right to move on to another project and have all the time you want to make the switch. We can’t always be so lucky. The best time to plant a tree is 20 years ago. The second best time is today. I’ll end with what I said when CTemplar shut down:

Controlling your data is important and powerful. It makes you independent, it makes you resilient, and it makes your life simpler by being prepared for when things change – and in tech, things are always changing. Part of threat modeling is planning for what could go wrong and then putting systems in place to mitigate it if it happens. Maybe you weren’t affected by this CTemplar situation. That doesn’t mean you won’t be affected by the next one. Be sure to review the products and services you use and plan ahead. There’s always room to improve. Take this time to learn some lessons and apply the necessary changes to your own posture.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

Picking a Service

If you’re considering online dating, that means you’ll have to pick a platform. It’s generally recommended to select from well-known, reputable choices. This serves you in both the safety and cybersecurity departments: a reputable outlet is more likely to have good moderation in place to weed out potential scammers and abusers, and also is more likely to have qualified security personnel on payroll to create a secure product. Of course, in many organizations security is more of an afterthought on a compliance checklist, so I’m not saying that the big platforms are scam-free or hackproof, but they’re still probably safer than some random site that just popped up yesterday who’s may already be selling your credit card on a cybercrime forum (which they might not even be doing on purpose, it might just be bad security allowing for Magecart skimming). On the other hand, larger sites make for more attractive targets given the larger amount of users and thus user data. There’s never a perfect solution.

On the privacy front, you should further consider things like which services allow for Progressive Web Apps or desktop sites instead of regular apps – which will function mostly the same as a regular app but have much less access to sensitive data on your device – and of course you should always peruse the privacy policy to get an idea of what you’re getting into. If the service you want to use doesn’t offer a PWA/desktop site or it doesn’t function well (I’m looking at you, Apple Music) then remember to carefully check the permissions in your device’s App Settings menu and remove any unnecessary permissions.

Sign Up & Profiles

Once you’ve settled on a service, you’ll have to make an account. As with any other website, I recommend you make use of an email aliasing service to create a unique email address for that account, a password manager to create a strong and unique password for said account, and enable two-factor authentication in the settings. This will make your account significantly harder to hack, make it harder for you to be traced across multiple other accounts, and allow you to more easily limit the damage from any sort of spam or compromise.

On that note, I strongly encourage using a unique username for every account, and this is no exception. Unless you’re trying to build a brand (for example, as a Twitch streamer), I don’t recommend being “nateb” on every account you have. One easy way to do this is by using your password manager’s passphrase generator option to generate random words and combine two or three of them to create random usernames. This, again, will make it harder (but not impossible) for a potential stalker to find you on other social media accounts. If the service you use requires a real name instead of a username, try to pick a nondescript or common name – such as “Nate B” instead of “Nate Bartram,” a middle name instead of a first name, or a nickname. This is especially important if you have a unique name or spelling that might make it easier to find you on other websites. In that case you may want to consider purposely spelling your name wrong to make it look more common; for example, “Alex” instead of “Alyx” or “Alecz.”

Finally, after you sign up for an account, be cautious what information you fill out on your profile. I do believe you should volunteer some information to get to know you – after all, you’re trying to find someone you have chemistry with, right? – but there’s no need to overshare. “I have a four-year degree and work in marketing” is plenty of information. There’s no need to list the school or company you work for, you can share that at a later time if you feel comfortable. This also extends to your settings: check your privacy settings in particular to see what options you have over who can see your profile, photos, and posts. Some sites may limit your profile to only people who are signed in, local, or you’ve friended. These are great ways to not only avoid people you’re not interested in (such as long-distance relationships) but also to limit your personal information and protect your privacy a little better.

Posting & Content

This may seem obvious but I’d be remiss if I didn’t mention it: always be careful what you share online. This goes not only for the dating site, but all your online presence. Even if you’re careful not to post obvious stuff online – like your full name or address – there are a plethora of tools online that can be used to parse through your posts, photos, and more to pull information you never realized you had let slip. Services like PimEyes, for example, make it easy for any would-be stalker to run a facial-recognition search on you and find any other pictures of you for a nominal fee, including you in the background of a concert or news article. This could reveal old posts that share information about your social network, your employment, or places you’ve lived (or currently live). Photos you upload may accidentally contain identifying landmarks or logos. In one case, a rapper uploaded a photo to Instagram that had his address on a piece of mail, allowing criminals to find and rob his home. He was sadly killed when the robbery went wrong. Be mindful and paranoid about what you share, both on and off the dating site. If you’re interested in purging old posts online, I recommend a service like Redact (non-affiliate link here).

Meeting Up

So you’ve created a profile with privacy in mind – you’ve used a different email address, a strong password, 2FA, and been careful what you post. You found someone you hit it off with and now you’re talking about meeting up for a first IRL date.

Even before you meet up, there are some steps you can take to help verify your safety. For example, many reputable dating sites offer profile verification where users can upload a government ID and a selfie (or similar verification process) to help prove they’re a real person and who they say they are. If the person you’re talking to has opted not to do this (maybe for privacy reasons) – or even if they have – you can also request a video call prior to meeting up. Considering you’re about to meet up in person, this doesn’t seem like an unreasonable request, and if they’re unwilling to do so then you can consider that a huge red flag. You should also be wary of people trying to take you off-site too fast, usually to platforms like Snapchat, WhatsApp, or even Signal. That said, many dating apps don’t yet offer real-time calling features, so you may need to find another service like the aforementioned to do a video verification call. Try to opt for username-based services here instead of ones that require a phone number – so for example, Signal may not be a good choice since at this time it doesn’t offer usernames (though using a VoIP number or a secondary Signal account – if you have access to that – could be a good way to go). iMessage allows you to use an email address instead of a phone number if you’re an Apple user, and there’s also choices like Session, Jitsi, and Wire. Of course, there’s always a high chance that the person you’re trying to verify isn’t super privacy-focused like you are, and they may get exhausted trying to jump through a million hoops. It may create a better first impression and keep things moving along if you compromise here and create an account with a more mainstream service like Snapchat or WhatsApp or Discord strictly for dating verification purposes. Of course, I’m not suggesting you completely throw your privacy to the wind. Try to isolate whatever service you choose as much as possible to preserve privacy (such as only downloading it for the verification phase or using a separate device). I’ll take more about this later.

Once the night of the meetup comes, there’s several things you can do to keep yourself safe. First, tell a trusted friend exactly where you’re going and when you expect to be home. Arrange a check-in time to have them contact you and make sure you’re okay. A few sitcoms – like How I Met Your Mother and Letterkenny – have presented the idea of having an excuse early on in the date to leave – a prearranged phone call where you can say an emergency came up, for example. I can’t imagine that would feel good for the other person, but if you’re detecting any red flags, better safe than sorry.

Be sure to meet up somewhere public – a restaurant, bar, concert, museum, theme park, mall, etc. If you’re especially concerned, you can share your location with a trusted friend. Apple and Google both have built in features that allow this, and there are dozens of third-party apps, too. Keep in mind that your privacy is basically out the window with these sort of apps while you’re using them, but it’s probably worth giving up your location privacy for one night in exchange for being physically safe. If you’re feeling especially cautious, you could consider taking an Uber, cab, or public transit to your date. This will prevent the person from being able to note your license plate or other identifying features about your car, but keep in mind it could also make a quick getaway harder if you feel especially threatened. It’s probably overkill in most situations, but it’s worth a mention.

Finally, listen to your gut. No matter how long you’ve been talking or how deep your online conversations may have been, you don’t owe your date anything. Period. End of story. No exceptions. Regardless of how expensive the meal was, how far they’ve traveled, or the genders. If you feel unsafe, if the person is giving off red flags, if anything feels off, better to play it safe. There are plenty of fish in the sea. Even if it turns out you’re just being paranoid, that just means the other person will – at worst – be disappointed, think you’re kind of weird/crazy, block you, and move on. If it turns out you were right, then you may have literally saved your life. Don’t take any chances.

A Final Note on Compromise

Earlier I suggested that when it comes to online dating, you may have to make some compromises. This is true of life in general, and is a topic I’ve addressed many times. In any relationship – professional, platonic, or romantic – it’s typically never a good idea to overwhelm someone with a bunch of demands, especially if this date may not even pan out. Don’t start out your communications by expecting the person you’re talking to to download XMPP and verify PGP keys. You may have to settle for using VoIP apps, or less-than-ideal apps to verify yourself. Not to sound calloused or harsh, but why should be people put in too much work for something that probably won’t go anywhere? On any given dating site, you may be one of several ongoing conversations. If you’re putting up all kinds of obstacles for the sake of privacy, there’s probably at least 2-3 other people (maybe more) who aren’t putting up any, and there’ll hit a point where it’s just not worth the amount of effort for the other person. Remember: your extreme interest in privacy – while commendable – isn’t the norm, and while most people may be willing to humor you to some extent (like using Signal instead of WhatsApp or accepting that you’re not ready to say where you work yet), there’s only so much they’re willing to do. Additionally, it takes time to build up that trust and rapport with a new person regardless of the nature of the potential relationship. If you’re into dark humor – and you have any degree of social skill – you know that you don’t just walk up to a stranger and start cracking the most messed up jokes you know. You take time to get to know the person and if that’s even their sense of humor or if they’re going to be offended. Dating is no different. You have to take time to get to know the person. If your first message is “hey let’s move to Signal,” you’ll probably get reported as a spammer pretty quick. All that said, that doesn’t mean don’t advocate for yourself. If someone says “hey I hate this app, let’s move to Discord” you don’t have to instantly say yes. Don’t be afraid to ask “I don’t have a Discord, would you be okay with Signal?” You might be surprised by their answer. (Also I’m sorry I keep shilling Signal, it’s just the most mainstream, user-friendly option that you’re likely to find other people using.) Look for opportunities to protect yourself and be aware of what risks you might be opening up by compromising (and if you’re willing to accept those risks) but also be willing to make reasonable concessions to “meet them halfway.” If things start getting serious, then you can start nudging them toward better options, but also remember that they’re an individual person who is free to do whatever they want, so if they’re not willing to use or try out the things you suggest, you’ll have to decide if that’s okay with you or not. You could also start planting the seeds of this stuff early on by, for example, putting things in your profile like “I’m really passionate about cybersecurity.”

Dating in general can be rough, online dating moreso, but it doesn’t mean you have to give up all your privacy or surrender to being alone forever. As with most things in privacy, this topic at its core comes down to “be intentional and thoughtful.” Be sure to think ahead, put proper protections in place, and be prepared for a lot of dead-end conversations and compromises with your communication. Threat modeling really helps a lot here. Good luck with your search, and stay safe out there.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

Despite all that problematic context, let’s be real for a moment: the internet can be a toxic wasteland (heavy emphasis on the “can be” part), and at face value I do agree with the overall (alleged) mission of this day. So regardless of who’s behind this day, I think it’s worth taking a moment to discuss the idea of a safer internet and some of the steps we can take to protect ourselves and create a better online experience. For some context, today I will be focusing on the threat model of “other users” as opposed to companies, governments, or even insider threats like sysadmins and employees. I’m talking about cyberbullies, trolls, and other common threats who make our online experience less enjoyable.

Security

Of course, staying safe online starts with all the usual privacy and security basics. Among the top-priority, “most-bang-for-your-buck” recommendations we have all the greatest hits: use strong passwords on all accounts, use two-factor authentication where available, keep good backups, turn on automatic updates, secure your home network, stay updated on the changing landscape, avoid phishing and malvertising, so on and so forth. This is the same information you can find on any given blog post, and all of it (and more) is covered in-depth on the website so I won’t rehash it all here, but of course I would be remiss if I didn’t at least give it a quick mention. Security is the way we enforce our wishes: if we can’t secure our accounts, settings, and data then we have no way to force people to respect our data or our online selves (and remember that the proliferation of free, legal online hacking tools and YouTube tutorials makes these a credible threat in the hands of even the most novice malicious actor) .

Usernames

One criminally underrated strategy starts at the beginning of using a website: your public username. Most people prefer to use the same “handle” online. This can be great if you’re building a brand like a website, YouTube channel, or other influencer persona but for personal accounts it can be an easy way for a troll or harasser to easily locate you on other platforms and attack you on multiple fronts. I strongly recommend that you use different usernames on each platform – and for the record, I mean really different. Don’t just be JohnSmith on Instagram and JSmith03 on Reddit. My recommended trick is to use your password manager’s passphrase generator to pick two random words (or Bitwarden’s username generator if you prefer), so you can be CrepeCity on Mastodon and Unbent4141 on Lemmy. This will make it way harder for a troll to find you, and your legitimate friends and associates should have no issue just reaching out to you to find you on other platforms if they’re interested (in the case of mainstream services like Instagram, they make this process automatic and even easier).

Privacy Settings

Next, you’ll want to block access to what people can see about you. It’s incredibly easy for someone to see a single post or comment out of context, and for some reason the internet’s favorite pastime seems to be assuming malicious intent. Few people rarely take the time to click on your profile or even the thread you’re replying to to get more a complete picture, they just assume you’re an awful person and respond accordingly. Hence, the classic “reply guy” problem prevalent on every platform. Most online platforms provide privacy settings that allow you to control who sees your information including posts, followers, and other information depending on what’s collected. Take the time to review and adjust these settings on social media platforms, email accounts, and other online services. Limit the amount of personal information you share publicly, and be mindful of the permissions you grant to apps and websites.

Be Generous With The Block Button

Believe it or not, I consider myself a free speech advocate (a real one, unlike some celebrities). For years, this manifested in a metaphorical allergic reaction to the “block” button. This was a mistake and one I encourage you to learn from me instead of by experience. “Freedom of speech does not mean freedom of reach.” Imagine someone standing on a street corner on the proverbial soapbox and yelling into a megaphone. Freedom of speech means that nobody comes by to turn off the megaphone, take away the box, or otherwise stop them from speaking. However, some “free speech” types seem to think that this also entitles them to have everyone stop what they’re doing and listen. This is incredibly wrong and narcissistic. Nobody is required to listen to you, just as these hypocrites never seem interested in hearing out other people. People are perfectly free to keep walking by or – believe it or not – to call you names, boo you, give you the finger, etc as they keep going. I believe in everyone’s right to (pardon my language) be an asshole, but I don’t think that gives you a right to an audience or protection from disagreement. If you can’t stand the heat, get out of the kitchen.

These days, I’ve learned to be liberal with both the “block” and “mute” buttons online. Saying something that isn’t technically problematic but I just don’t care? Mute. Got a literal swastika in your slur-riddled profile? Block. You have a right to be an asshole, but I don’t have to put up with your abuse. Don’t be scared of the block button. Abuse it. Trust me, it makes the internet a much more pleasant and experience. And again: no, you’re not infringing on their free speech. They still have a profile where they can complain about you (or whatever they’re complaining about), they’re still free to speak, and if they keep getting “censored” they can always go create their own website or instance. There's lots of places on the internet for even the worst of people. You are not obligated to listen to their garbage under any circumstance.

Minimalism

I’ve really been harping on this a lot lately but an underrated aspect of privacy, security, and digital well-being is simply not being there in the first place. I’ve been very open about my belief that X/Twitter has become a Nazi site in the last year or so. Perhaps you disagree. That’s fine. I don’t care. I know that X has become a place full of takes, people, and opinions that I find to be annoying, enraging, low quality, and full of disinformation. I’m not afraid of differing opinions, but I’d like to at least get them from someone who’s arguing in good faith with some degree of factual information and not a Photoshopped image from an unrelated event in 2019 who’s main goal is to get engagement and “own the libs.” Therefore, I choose not to hang out on X. I also choose not to follow or engage with accounts that annoy me on Mastodon (see the previous section) for the same reason. I strongly believe that you should keep your accounts to a minimum because an account that doesn’t exist can’t be hacked, but it also helps your mental health. If you don’t have an account on a platform you disagree with, you can’t be constantly exposed to things that annoy or stress you out. That goes for all sides of the political spectrum: I wouldn't encourage a hardcore conservative to go hang out on an extremely liberal social media platform. Again, I want to clarify that I’m not talking about living life in a bubble, but there’s a vast difference between a meme account and an actual journalistic outlet from the opposite side of the aisle. One will – if you’re willing to let it – challenge you in positive ways or at least keep you informed of opposing narratives and ideas. The other is probably half-true at best and only exists to confirm biases and paint the other side in bad faith. Quality content is the key. By extension, I believe this also means picking and choosing the aspects of any platform that work for you. One thing I always liked about Reddit was the ability to pick which subreddits to subscribe to. This meant I avoided the large, low-quality subreddits (like r/funny which, despite what the name implies, is rarely funny) in favor of subs that either catered closer to my specific sense of humor or simply weren’t aiming for mass appeal from bots. This also translated to smaller, friendlier communities and a much more pleasant overall experience compared to larger, more divisive subs. I recommend applying this to your minimalism strategy: have fewer accounts on fewer platforms, and seek out those that are high quality with a high signal-to-noise ratio in both the content and community.

Touch Grass

Last but not least, I want to encourage us all – as I did last week – to disconnect more often. Look, I’m not an “outdoorsy” kind of guy, okay? The most gardening I do is picking out a good-looking onion at the grocery store, and I’m pretty sure I would die if I was internet disconnected for more than an hour. I’ve literally got music streaming as I write this (“Carousel” by Flobots if anyone wants any music recommendations). That said, I find that the more I disconnect from the massively social aspects of the internet, the more I enjoy technology again. Going for a walk while listening to a podcast or music energizes me and makes me excited to get back to work. Playing video games is a great stress relief. Watching movies and TV shows is fun again. Even one-on-one or small group conversations are energizing. I can’t overstate the value in unplugging from the massively social sides of the web – getting off Reddit, Facebook, even Mastodon – and doing something more individually focused or intimate. When I quit Facebook, the most immediate benefit I noticed was that all my interactions were suddenly more meaningful. Even a thumbs-up reaction on Signal means more to me than a thumbs-up or heart on Facebook because I know that person took time out of their day to navigate to my message (even if it was just clicking on the notification itself) rather than just having it passively served up to them by the algorithm.

The internet has a long way to go in being safer – more secure, more private, and overall more pleasant. That last one, I think, is the trickiest one of all to achieve because it’s so subjective. Some people find dark humor abhorrent while others are fans. I find the vast majority of content on TikTok to be low quality and asinine but I’m sure plenty of people who find it hysterical would argue that Futurama – my favorite comfort show – is boring. Everyone has different standards for what’s fun, safe, and positive. I don’t foresee that part especially being resolved any time soon. So until then, it’s important to take matters into your own hands and craft your own experience. Secure your accounts, then focus on reducing the noise and boosting the quality of your online interactions.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

The most effective data privacy strategy is simply not to make data. Period. What doesn’t exist doesn’t need protection. Of course, in 2024 most of us can't “airgap” long-term like that. It simply isn’t sustainable to just not exist online (with a few exceptions, I'm sure). Even the most digitally disconnected people I’ve met still have an email address and a couple social media accounts they check once in a blue moon. Most of them even have a phone – usually a smart phone – and if not they typically use a tablet instead. But I think most of us – myself included – are online way more than we really need to be. To cite just one example from my own personal life, I have a plethora of audiobooks, movies, e-books, and even Duolingo on my phone but for some reason, when I’m sitting around bored, I choose to “lurk” on Reddit. I don’t even sign in and I don’t even have the app on my phone, I just open the browser and navigate there. It’s ridiculous when you think about it. I'm going out of my way to waste my time when I could do something productive more easily.

This isn’t a post about the value of self-improvement though I am a strong believer in that, but I think it’s extremely common for all of us to develop habits and then fall into them as a routine. James Clear in his seminal book Atomic Habits (which I strongly recommend to everyone) says that “You do not rise to the level of your goals, you fall the level of your systems.” In other words, your habits determine your future, good or bad. You can make plans and set goals and dreams and aspirations, but if you don't create new good, habits, you won't change. If you want to lose weight but you keep buying snacks, you’re going to keep snacking. For most of us, when we first get into privacy we make a lot of changes: we change email providers, browsers, messaging apps, operating systems, etc. And sometimes we make small changes after that – we may try out a new messenger or graduate to different operating systems as we get more comfortable and our lives change (I talked about that last week). But I suspect that overall it’s very easy for us to fall into our routines and never really stop to ask “why am I doing it this way?” until something comes along and forces us to. For the record, I suspect that because I’m like that: for all my emphasis on self-improvement and growth, it’s not always easy or obvious to me to question and change certain things in my life – both privacy-related and not.

I think tomorrow is one such opportunity to really shake that up for all of us. As I said earlier, I think many of the other Data Privacy Day blog posts I’ve read this week are great and valuable and have a reason to have been written. I don’t see a need to add to or contradict what was said. But I also haven't seen any of them address the value (both privacy-related and not) of simply not putting your data out there in the first place. So tomorrow, let’s do that. Many of my regular readers know that I love technology: I play video games, I have many long-distance friends and family that technology enables me to stay close to, and I love podcasts and music. This post is not me decrying the harms of modern technology (of which there are many, for the record). Technology can be great. But the internet can be a toxic and exhausting place, and even offline tech can be detrimental when we overuse it. It’s important for all of us – myself included – to unplug and go “touch grass” sometimes.

So that’s my Data Privacy Day tip for 2024: tomorrow, let’s all unplug for a little bit (as much as we can) and rethink our relationship to technology. Read a book. Go for a walk. Go out to eat (if that’s still affordable). For most of us, I think we’ll more or less come back to tech afterwards. I certainly have no intention to quit playing video games or throw away my phone. But maybe we’ll realize “you know what? The front page of Reddit is all low-quality garbage. I should read a book when I’m bored instead.” Even if all you can spare is thirty minutes or if you have to leave your phone on because you're on call, tomorrow let’s take some time to get away from it as much as we can for even a little while and rethink all our digital relationships: our accounts, our communities, our apps, our devices. What can we get rid of? What we can use less? What guard rails and restrictions can we put on those things to ensure they serve us and not the other way around? Again, this is not just about privacy (though that's always a consideration) but also about our mental health, our relationships, and ourselves. Privacy should be something that enhances our lives, not hinders it, but many of the same end-user problems of Big Tech – social media addiction, for example – can easily follow us into more privacy-respecting spaces if we’re not intentional and careful. This Data Privacy Day, be intentional. Don’t put out data you don’t need to, and then protect what you do.

Happy Data Privacy Day, y’all. Enjoy your time off (if you can).

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

Yet, for some reason, people in the privacy community have a hard time wrapping their minds around change. To some extent, I get that. I think at some level we’re all a bit resistant to change. Change can sometimes make us feel out of control, or sometimes it’s just the plain old “fear of the unknown.” Sometimes there’s a valid reason here; for example, I’ve successfully managed to get nearly everyone I know using Signal. If Signal turned out to be unsafe tomorrow for any reason, it would be a monumental nightmare to not only pick a service that’s as polished, stable, and feature-rich but also to convince everyone to move over. It’s also unwise to simply rush into the latest new service blindly because it’s new. It’s always a good idea to slow down and first see if these services even stand the test of time and second wait to see what the experts think (or to examine the project yourself if you are one such expert).

But other times, I think we just get stuck in our habits. When I got into privacy, iPhone was clearly superior to Android in the privacy/security front. At the time custom OS’s were nearly unusable for a normal person and Android’s security was a joke. But while I advanced in my personal privacy journey, the entire Android landscape matured and soon Android became an increasingly appealing option for me. Making that change represented a huge disruption for my existing day-to-day life. I mean sure, at the end of the day a phone is a phone and they all more or less function the same, but anyone who’s ever made the switch or even temporarily had to use the other OS that isn’t their daily driver knows that it’s a bit of a shock and it takes some time to get used to the differing menus, capabilities, or thought that went into the design. In the case of Android specifically, I also had new apps, features, and possibilities to explore.

It is vital that as a community we become accepting of change because it will come for all of us whether we like it or not. There are plenty of recent examples. Encrypted messenger WickrMe was fully retired this year, but even before it was shut down it was on a downward spiral. Michael Bazzell claimed he had detected it sending telemetry back to organizations such as Microsoft and shortly thereafter Wickr was sold to Amazon. Two more recent, salient examples include the sales of Raivo OTP (once recommended on The New Oil) and Simple Mobile Tools. In most cases, there is little or nothing standing in the way of negative changes, whether it’s as simple and (arguably) innocuous as introducing telemetry that you disagree with or full-on shutting down or selling out.

In the world of writing, aspiring writers are instructed to “kill your darlings.” That means no matter how attached you get to a work, you must be willing to set those feelings aside and do whatever it takes to make it the best possible version of itself. That might mean cutting a part you really like, rearranging some sections, or just throwing out the entire thing and starting over. (I did a large amount of that in writing this very post.) In privacy, we must have the same attitude.

Compromise and “enshittification” are extreme examples, but I would argue they’re probably the least common culprit forcing us into change. I’m willing to bet that by sheer numbers, simple life circumstances and growth are. As mentioned above, getting married changed a lot of things for me, privacy included. Prior to being married, I didn’t even own a TV. Now we have two smart TVs because my wife loves to consume streaming content. As such, we also use ProtonVPN on our router because they promise to work with streaming services (a promise that thus far has been kept). But if I were still single, I would probably be using IVPN or Mullvad on my router and I would also be far more aggressive with tracker blocking. A single woman dating may download one of those safety apps that shares her location with trusted individuals to stay safe on dates. A parent may decide that – at least while their children are younger – it’s worthwhile to enable location tracking their phones (or to give them phones at all) in case something bad happens. They may also decide to use certain mainstream, less-private services to better control their child’s content intake. I’m not condoning helicopter parenting, for the record, but the internet is a vast and dangerous space and it would be pretty reckless to just let your young children run wild on it without supervision.

Another example might be outdated devices. Perhaps you were quite happy with stock Android so long as it was still receiving security updates, but if you suddenly found yourself in possession of a device that has reached “End of Life” and you didn’t have the funds to upgrade, the math might change. You might decide that it’s worth it to flash a custom OS so you can still receive at least some updates.

And of course, there’s always growth. Many of us never stop to consider this, but for most of us we make a lot of changes when we first start our privacy journeys. We go from Windows/Mac to Linux, SMS to encrypted messaging, Gmail to encrypted email, Google search to private search, and more. Sometimes we even make multiple changes, testing out several messengers, email providers, Linux distributions, and more. Why then, once we settle into a suite that works for us, do we suddenly decide that this is it, finality, the end, there can be no room to improve after this – at least, not significant changes like the ones that got us here? This is ridiculous. It’s called the “End-of-History Illusion”: the belief that you have experienced substantial change or growth up til now but now things will just be the same forever from here on out.

Change can be scary, but it is vital. As we go through life, different services will come and go and in some cases services that are perfectly fine will no longer fit our needs. We shouldn’t be afraid of change. Change allows us to grow and improve, but it also allows us to live fulfilling, full lives. Privacy is a human right, but so is food, education, and shelter. Despite this, most of us don’t spend all of our free time learning about water quality, teaching, or construction and architecture. We appreciate these things and want to have a functional knowledge of them (how to spot bad water and buildings we should absolutely steer clear of) but most of us have other hobbies, interests, priorities, and desires. Privacy should be no different – it should protect us and our rights, but it shouldn’t prevent us from getting the most out of our lives the way we want to. I’ve written on this subject before, so I won’t rehash it here. I’ll just leave with the parting thought that time waits for no one, so it’s best to accept the impermanence of everything in life, especially technology and ourselves. Don’t be afraid to embrace evolution and change up your privacy strategy as needed. As the band Rush so famously put it well: “changes aren’t permanent, but change is.”

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

Strong Passwords

The foundation of your digital security starts with robust passwords. Create passwords that are complex and unique for each account. Incorporate a mix of uppercase and lowercase letters, numbers, and symbols. Avoid easily guessable information such as birthdays or names. According to experts, the single most important thing you can do to protect your online life is to use strong, unique passwords on each account. You can get more information on passwords, passphrases, and recommended password managers here. I also discuss Passkeys – the new passwordless login standard that launched last year and if you should use it.

Multi-Factor Authentication (MFA)

Enhance your security by enabling MFA wherever possible. According to Microsoft, MFA stops 99.9% of unauthorized account access. MFA adds an extra layer of protection by requiring you to verify your identity through a second method, such as a text message or authentication app. This ensures that even if your password is compromised, an additional step is needed for access. You can get more information on the different types of MFA and which apps I recommend here.

Regular Software Updates

Software updates often include patches for security vulnerabilities, making it crucial to stay current and protected against emerging threats. Back in the day, updates would frequently break things, so people would often wait a significant period before applying them. These days that’s pretty rare and with very few exceptions, you should always apply updates as quickly as possible. Thankfully, most devices nowadays have automatic updates enabled by default. Still, this is a great opportunity to take the time to check your various device settings to ensure automatic updates are enabled where offered.

Secure Your Wi-Fi Network

The internet brings us lots of great things, but also lots of risks. Therefore, it’s important to secure your home network. Yes, this is unfortunately a common risk you must be aware of. A compromised router can be used to mine cryptocurrency (spiking your power bill and reducing your performance), help attack other users and services via botnets, or worse. Some basic advice includes changing default passwords for both the router and WiFi itself, creating a separate guest network for IoT devices, and keeping your router updated. You can get more advice and tips on creating a secure home network here.

Be Cautious with Communications

When we think of phishing, we often think of the classic “Nigerian Prince” scam. But the truth is that online scams have come a long way. Even for the quick and simple ones, all it takes is one careless click to fall victim. Even I have almost fallen prey to a couple of well-crafted, very real-looking phishing attempts. These can come in the form of an Amazon receipt for something expensive, a text from your bank, or something even more specialized and convincing. Always exercise critical thinking and caution when examining these types of communication.

Review App Permissions

Apps ask for a lot of permissions, usually ones they don’t need. Thankfully, both Android and iOS are increasingly giving users more control over the apps on their phones and their permissions with each release. If you haven’t done so recently, this is a great time to check the various apps on your phone. First, check to see if there are any apps you don’t use very often or can live without and delete them. Each app you have is an “attack vector” – a security vulnerability an attacker could use to gain access to your device or a third-party company collecting and selling your data. For the apps you do decide to keep, check the permissions they have and disable any that you don’t actually use or aren’t needed for the app to function.

Review Your Account Settings

This one especially applies to social media accounts but can apply to all your accounts. Take some time next time you log into an account to go through all your settings – who can see your profile? Are you opting in to targeted ads? Have you enabled MFA?

Secure Browsing Habits

Thanks to a number of efforts, the vast majority of the internet is encrypted with HTTPS these days (not to say that all risk is removed, but it’s much safer than in years past). Still, there are steps to take to ensure you’re getting the most out of those protections. Make sure your browser is set to use HTTPS-Only mode, and I recommend clearing your browser data after each use. This will require you to log in each time you use a website, but personally, I find the added privacy and security to be more than worth the slight inconvenience. You can find more information on recommended browsers and settings here.

Device Security

It goes without saying that devices enable our digital lives – you can’t access the internet without some sort of phone, tablet, computer, etc. Therefore, it’s critical to secure those devices. Make sure that you’re locking them with strong passwords, configuring the settings accordingly, encrypting them, and making plans for loss or damage such as keeping good backups. You can find more information on recommended phone settings here, recommended computer settings here, encrypting your devices here, and backups here.

Review Financial Statements

Identity theft is a normal concern and a common crime. Thankfully, there are plenty of ways to help prevent it. In addition to general privacy practices like removing your data from people search sites, being careful about what you share online, and using fake answers to security questions, you can also freeze your credit, place a fraud alert, and regularly request and examine your credit report and bank statements. You can find more information on how to protect your identity here.

Educate Yourself

The privacy and security landscape is constantly shifting with new technologies, abuses of those technologies, and emerging threats. Staying up to date is critical. The New Oil offers a number of casual, easy ways to stay updated that don’t require a lot of time or energy from you: we offer a weekly podcast about current events related to privacy and security, long-form videos, short-form videos, a news feed, and of course, this blog (which you can subscribe to via email, or you can subscribe to most of those other offerings via RSS). But it’s not just me: on the website I recommend tons of other books, documentaries, podcasts, YouTube channels, and websites that contain great information about privacy and security. With so many great projects out there, you’re sure to find one that appeals to your preferred style and “vibe.”

Remember, this is a “basic/foundational” checklist. There’s so much more to privacy that I haven’t even touched on like encrypted messaging, encrypted email, aliasing, VoIP, disinformation, Linux, and more. Many of us hope to have new beginnings with the new year, and now is the perfect time to start making changes to your digital life that will improve and protect it. Privacy and security are about being proactive – it’s too late to start locking your door after a thief breaks in, and you can’t unleak data that was stolen. But remember that privacy doesn’t have to be overwhelming. Don’t try to do all this stuff at once if you’re new. Bookmark this blog post, come back to it every few days, pick a new topic, and go “I’m gonna work on this next.” Before you know it, you’ll be in the top 10% of the safest people online. Good luck!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

2023 Goals

Last year, I kept my goals small. I stated that my main goals were time management – namely to reclaim some free time – and general growth. I specifically cited a desire to do better with Open Collective, a commitment to use more cryptocurrency, and floated the idea of creating a companion workbook for the site, a Tor exit node, and a public Session group. I also mentioned being more consistent with blogging. Time management was hit or miss. I did manage to shave away some distractions and improve my workflow – a constant struggle – so I feel like I did have a bit more time in my day. There's still room for improvement, but overall I did an okay job. I also think I did much better with blogging consistency, though again things started to fall apart later in the year. Everything else pretty much failed. I did not start an exit node, Session group, or workbook. I don't have much else to add to that, I'm realizing now that I never really set any tangible, measurable goals so it's really hard to pin down exactly how well I did. But I think the fact that I've managed to reclaim some free time (and again, plan to continue to do so) really counts as a win. That's what really makes the project sustainable is my ability to manage stress and keep pushing forward with the limited time I have.

Growth

As you can see, a number of services are missing from the list this year, including Twitter, Odysee, Matrix, Discord, and Reddit. Twitter has been deleted. Due to changes in Twitter's management my reach on Twitter was severely hampered, making it virtually impossible to reach new audiences without paying (and I don't want to support to the new management). Furthermore, due to additional changes from said management, I am unable to crosspost from a single source anymore, meaning I would have to queue up posts twice each day – once for Mastodon, and once for Twitter. Due to these and other concerns, I have decided Twitter is no longer a platform I wish to be associated with and deleted my account. Likewise, I no longer have any interest in being active on Odysee. I will continue to crosspost videos there as it costs me literally zero effort or money, but I no longer actively maintain or engage with that space. You can see more details in this blog post. Bluesky is a new addition. At this time, this purely an experiment. I've found a service that lets me crosspost to both Bluesky and Mastodon – it's not as slick as I would like, but it does mean I don't have to schedule posts twice using two different services. Bluesky may not stand the test of time, but for now I'm willing to dip my toes in the water and see how it goes. Regarding Matrix, Discord, and Reddit, see the “2024 Goals” section below.

Overall, growth was steady and consistent this year. If I had to pick one area of note, I would say it's TikTok. I understand most people have very negative opinions (to put it nicely) of TikTok for a variety of reasons. For what it's worth, I'm with you. While I'm not one of those hardcore “ban TikTok, it brings no value to society” people I do agree that it's an extremely problematic platform (again, putting it nicely). That said, there is clearly a huge swath of people on there who are interested – at least somewhat – in hearing about privacy and security, as evidenced by the over 500 subscribers and the tens of thousands of views I've amassed in a single year. I know by TikTok standards that's not much, but it's something (especially given the fact that I've not been very active or consistent) and perhaps I can be the gateway person who helps introduce these people to privacy and get them started in their journey. One comment now forever burned into my memory on my video about the MOVEit breach (posted in August 2023) was from someone who said they were struggling to explain to their non-English-speaking immigrant parents how exactly their 16-year-old child's data ended up in the hands of a company they'd never heard of or done business with and then been stolen. I don't mean to sound dramatic, but my heart hurts for these kind of people. It's unlikely that they don't care about privacy, it's far more likely that they simply aren't aware of how bad the situation is, what the potential consequences are, or what they can do about it. I was once one of those people. Right now TikTok requires little effort from me and my messages seems to be received well enough, therefore until that changes I will continue to post. (Side note: it requires little effort from me thanks to the excellent video editing work from volunteer HestiaHacker. They sell privacy-respecting smart thermostats based on Raspberry Pis. If that sounds interesting to you, please check them out and support them to thank them for their work with us.)

Finances

Let's start with the elephant in the room: The New Oil is – on paper – nearly a thousand dollars in the red ($919.55, to be exact). Don't panic, I don't believe there's any reason to worry. This year we saw a significant amount of one-time investments that heavily skewed our typical spending patterns. For example, in the “production” category, I bought a new camera lens. That alone was over $800 (which accounts for nearly all of the deficit). But a camera lens is a one-time purchase. In fact, if I take care of it, the camera lens can easily last me decades, maybe even the rest of my life. And being that my only use for it is filming YouTube videos, I don't foresee myself ever needing to purchase another one or it suffering any significant damage. At very least I can't see myself outgrowing it any time in the next few years. We also bought a mic, lights, a camera tripod, and other similar expenses. Of course, that's not to say I'll never need to make any large purchases like that again, but this year the focus was improving the quality of videos – which has definitely been our weakest spot and had the most room for improvement. I feel confident that I have procured all the major necessary components to do that – lights, mic, lens, teleprompter – and any further tweaks from here on out should be incremental and less expensive.

Analyzing the income: as I have long said, Surveillance Report is by far my biggest source of funds. It is literally 70% of our gross income. This was also the first year The New Oil were eligible for YouTube ads, and honestly I'm kind of surprised we made as much as we did, partially because I've always heard “YouTube ads don't pay for crap” (which is relatively true, they were 3.4% of our income), and also because I fell off making videos pretty hard in the second half of the year and figured that would seriously hinder my growth and views. I'm certain it didn't help but the channel did seem to do okay regardless. I'm also including our affiliate income – despite only being $26.07 – for the sake of transparency. It's so small that GnuCash actually lumped it in with “others” category (at the bottom of the list) in the pie chart, but since affiliates are the most common conflicts of interest for content creators like myself, I figured it was worth listing. Finally, let's talk about sponsorships and contributions. Earlier in the year, we lost our only sponsorship on account of rising prices. While I believe this was the right choice (you can read more about that here), it also means we took a significant financial hit. We have yet to garner any interest from any sponsors that meet our standards, so at this time I expect that next year that category will likely hit zero and drop off entirely. I'm not sure when it'll come back, but I'm okay with that. While a sponsorship would indeed be a significant income boost, I think we'll be okay with out any for now.

That pretty much just leaves our final source of income for the future: contributions. Our main source of income after Surveillance Report is one-time or recurring contributions. Sadly these decreased this year, but I get it. It was a rough year all around. Inflation is really taking a crowbar to everyone's kneecaps (my household included), housing prices are really screwing over renters (like myself), and layoffs were constant (thankfully I've avoided that one). It sucks but I don't have anything to say here, I'm not gonna ask people who are struggling paycheck to paycheck to donate. If you do have some discretionary funds and would like to help us keep growing – or at least maintain – it's always appreciated, but of course if you're also struggling to figure out how to make the grocery budget work even after cutting out comfort foods and luxuries, I don't expect you to sacrifice for this project. My last note on this category is I was surprised to see where our contributions come from: Liberapay was by far our biggest contribution category at $295.90. Open Collective was $164.20 and the rest came from PayPal. As a final note about income, we have re-instituted a Patreon. This was not included because I had autopay disabled, but we only made about $12 this year anyways (because of my slow production schedule). I have Patreon set to only charge patrons when I release an early-access video (hopefully once-per-month this year, see Goals below). Lastly, the merch store finally turned a profit at $83.92 this year – which isn't much but it pays for a year of VPS hosting so I call that a win.

Now let's talk about expenses. By far our biggest expense category was “operations and infrastructure.” This is usually almost entirely hosting and domain costs, but also includes a few smaller expenses like Postmark (the service we use to send emails for our instances like password resets and such) and subscriptions for email and such. However, this year, this category also had a few large one-time expenses. For example, earlier in the year I spent $279 on thenewoil.com. I have no plans for this domain name, but I didn't want someone to buy it up and then try to impersonate or phish people in the future. That was a huge expense, but the renewal rate is astronomically cheaper, somewhere in the ballpark of $18/year, so it seemed worthwhile to snag it now before someone else did something malicious with it. I also have some plans to try and reduce the infrastructure cost a bit, which I'll discuss in the Goals section. Finally, I pay for the a Calyx hotspot. I consider this an operational expense because I use it frequently when I travel for both TNO (such as Monerotopia) and the day job. It's often faster and more stable than hotel Wi-Fi and it allows me to continue to post articles and work while I'm on the road. This year I'm hoping to get my day job to pitch in a little for this expense since I also use it quite generously at work: it's unlimited and we frequently work in places without any Wi-Fi, and the hotspot tends to be faster and more reliable than a phone hotspot (and doesn't cost people their data). I mention this expense specifically because for some reason I ended paying for that twice this fiscal year: once in January and again December. I'm not sure why it wasn't the same month both times, but that's how it shook out, and as a result it raised our expense in this category by an extra $500. I guess we'll see if it wants to me to pay next December or if it won't show up on 2024's finances.

Production was another high-expense category. As I discussed earlier, this includes a few considerable one-time expenses, like the camera lens, but also includes things I use to create the content like my Slate Digital audio plugins subscriptions (although Slate finally introduced cheaper annual plans, so this year was once again slightly more expensive because we had to purchase both the monthly subscription for most of the year before being able to switch to the much-larger-up-front annual subscription). As stated, I expect to see this category revert back to a significantly smaller number next year as the equipment we currently have is high quality, future-proofed, and should be everything we need to produce high-quality content for quite some time, at least until the channel experiences significantly more growth.

Next, content & reviews. Normally this refers to things that I do specifically with the intention of making a video or blog post about it: a subscription to test or review a service or product like the Nitrokey, SPN, or other similar things. This year, however, we had yet more one-time expenses in this category. When my wife and I moved into our new home, I immediately called dibs on a specific corner to film content in. Because this was a significantly bigger space than before, I needed to add some decor to fill it out more and make it more interesting to watch – similar to people like Naomi Brockwell or The Linux Experiment. As such, that meant procuring some new items like picture frames, shelves, book ends, and more. As with the other one-time expenses, I think I'm content with the background I currently have for now, and while I may add little things here and there going forward I don't foresee a need to invest significantly in things like that again. Even if the available space changes in another home I suspect it would be smaller, not larger. This is one of the larger spaces I've lived in and I don't foresee us being able to afford a bigger space any time soon.

Finally, a new category: charity. With the rise in income, I figured it would be appropriate for me to start giving back to some to some of the projects that help make TNO possible or that TNO benefits from. Right now I've mainly donated to Signal and Tor. In the coming year I want to add in projects like Mastodon, Matrix, and PeerTube. I am open to consideration of other projects, but as I said I want to start with projects we directly use or benefit from.

2024 Goals

Okay, let's start with a major announcement: TNO communities are going away. All of them. Immediately. That's why they're not included in the growth table above. By the end of Q1 2024 (that's March 31st), I will be closing down both Matrix and Discord. Reddit has already been invite-only for quite some time. There are a lot of reasons for this. The biggest one is that managing communities is simply no longer how I want to spend my limited time. Even with good moderators – which I have – managing a community is a considerable time commitment. Also the more I think about it, the less hosting TNO-specific communities makes sense in the context of my broader mission statement for TNO. There are already a plethora of great privacy-focused spaces on all of those platforms, as well as project-specific spaces where you can go get help and ask questions about specific services. But TNO has never been about getting people to become hardcore privacy zealots who join privacy forums and talk about privacy nonstop. It was always about helping “normies” feel empowered to protect their privacy and to integrate privacy into their existing lives in a way that's as non-intrusive as possible. Think of it as the difference between an accountant and someone with an emergency fund and a retirement account: the accountant has made finance their life, the other person has simply made smart decisions regarding finance that benefit their life (which isn't finance-centered). TNO has never been about making people accountants, rather about helping them integrate smart habits and choices that set them up for success as they go about their normal lives. To that end, it doesn't make sense to host a bunch of rooms where people can only talk about privacy. I would rather help people find other communities on privacy-respecting platforms like Matrix, Mastodon, and Lemmy that are already dedicated to their existing “normal,” everyday interests like video games, sports, and pop culture. Based on my experience and observations, I believe that this will be a more effective approach to helping privacy reach mainstream adoption.

Therefore, I will be shifting focus toward hosting instances as a way to help support this goal. Some of you may have noticed on Mastodon that I have already moved over to our own instance. And of course, we've have long had a PeerTube instance. I also just recently spun up a Matrix instance (matrix.thenewoil.org). You are all welcome at any of these places. All of our instances require moderator approval, but this is simply a formality to discourage spammers from abusing the platform. (For Matrix, I had to get a little creative on how to implement that, you can apply for an account here.) Consider this a soft launch for Matrix since it still needs a lot of features to be configured (such as Sliding Sync) but you can feel free to sign up and suggest any improvements you notice are needed on any of these platforms. You can also contact me if you want to be able to upload videos to PeerTube and we discuss that, too. That's only disabled by default because videos take up so much space and storage is expensive (see the previous section on Finances).

Just to be clear, I like the TNO community. I have valued every person who helped it grow and contributed. I have valued the jokes, the insight, the conversation, and the friendship. But the privacy community is a big space, and I trust that those same contributions can be replicated in other spaces to equal or greater effect. Right now this is the best path forward for me and the project at large. It will help me realign my values and focus on the original mission while also dedicating the resources needed to help TNO continue to serve both the privacy community at large and new audiences.

The other major plan for 2024 that should be visible to the public is that I'm going to attempt to be more consistent with videos again. A major reason for investing in a new lens and teleprompter was so that I could produce videos that both look more professional (because I can read a script while looking at the camera) but also make editing faster – because I can, ya know, read a script, which means less pausing to look at my notes, less rambling, less empty space while I collect my thoughts or struggle for the right words. This in turn means less stuff to cut, which means the video will be ready much sooner for effects and “b-roll” (like articles, stock footage, etc). That'll only save an hour or two per video, but with how tight my time constraints are those couple hours can be a week-long difference for me. I'm also going to once again reaffirm my commitment to trying to keep Crowdin updated (it often slips my mind, I'm so sorry but I appreciate all of who have been helping with site translation) and to document expenses in Open Collective better.

There's a lot more planned in 2024, but the vast majority of it will be behind the scenes. This relates heavily to what I discussed in the financial breakdown. For example, I want to switch from CPanel hosting to a VPS for the website. This will reduce the amount of data collected from visitors and make updating both the hidden service and the clearnet site easier and quicker. I'm also working with a developer to create more automation for things like backups and possible freemium features for some of the instances. Perhaps the biggest behind-the-scenes change is a planned migration from 1984 to Namecheap. This is a purely financial decision. Consider, for example, that a VPS #2 from 1984 (which I use for both PeerTube and Mastodon) is $12/month. By comparison, Namecheap's Pulsar VPS costs $6.88/month (if you buy yearly, but even monthly is only $9.88) and includes more CPU cores. 1984 offers more storage and bandwidth, but so far neither of those has been a concern for me. This is even more evident as you scale up. Namecheap's Quasar plan is 4/6/120/3TB for $12.88/15.88, compared to 1984's VPS #4 4/8/160/5TB at $48 or VPS #5 6/16/320/8TB for $96. If you don't know what that means, just leave it at “as my server demands grow, Namecheap will increasingly become the more affordable option.”

After consulting with other experts in the privacy space, we all agree that right now I'm throwing away money for “privacy theater” by using 1984. (Not that they aren't a great service, they're just not right for me in this situation.) The New Oil Media is an American company. Regardless of where the servers are located, we can access the data and we will have to comply with legal requests. (Two notes here: first, that doesn't mean we won't push back or consult with a lawyer ever, but it does mean that there's only so much we can do. Second, we have always been up front about this in the Privacy Policy.) As we continue to grow and offer more services, that premium price adds up and eventually it's just wasting money that could otherwise go toward better things. If you are concerned by this plan and you are a supporter of the project, feel free to reach out to me and express your concerns. If you are concerned by this plan and are not currently supporting the project, please direct your complaints to hello@example.com.

Thank you everyone who helped make The New Oil what it is today. Whether that was financial support, opening an issue, participating in the community, sending a story to Surveillance Report, sharing a video or page, whatever. Every little bit you do helps, and it is hugely appreciated. I think 2024 will be the year I finally really streamline things and really smooth out the process. Running this project has been a learning experience for me and I'm glad to have your support and have you along for that journey. I'm not expecting huge growth in 2024, but if I can follow through on my goals this year I think it'll really put us in a strong position to take advantage of future opportunities. Stay safe out there, and happy new year.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

• Use cash. Credit cards offer some personal finance benefits (such as cashback or rewards points and purchase protections) and the risk of skimming and other card-stealing techniques – while never fully eradicated – has been largely mitigated. However, credit cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-paranoid, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (such as a significant other) it can help shield your purchases and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget.

• For online shopping: Of course, sometimes online shopping is the only practical option. For those times, utilize pre-paid cards or alias payment services like Privacy.com (non-affiliate link here), MySudo, or ViaBuy (if you live in Europe) to safeguard your real data from theft. The effects of a data breach could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. Be aware that Privacy.com and MySudo essentially function as banks in this scenario, so they will ask for some personal information that some people may not be comfortable with. If that's the case, call your bank and ask if they offer virtual card services. Some banks do – including large ones – and it's becoming more popular. You won't have the privacy benefit of having your transactions shielded from the bank, but you'll get the security of not having your card number stolen.

• Use alias email addresses. These services forward emails to your inbox while hiding your real email address, providing both privacy and security with convenience. By using different email addresses for each site, you make it slightly harder to be tracked across sites, but all your emails arrive in one place. This also improves your security as it changes your login on each site and makes it harder for credential stuffing attacks if your email gets exposed. As a bonus, sites often spam you with offers, newsletters, and other marketing crap. Usually you can simply click “unsubscribe” but some of the scummier sites – or scammers if your email address was exposed – don't respect that request. With an alias email address, you simply turn it off and stop getting the spam. I recommend SimpleLogin (affiliate link here) and Addy.io as alias email providers.

• Use reputable websites. These days there are tons of websites and apps promising to help you score a great deal on something by taking you to some website you’ve probably never heard of. While some of these are legitimate, others aren’t. The last piece of stress you probably want to pile onto the chaos of the holidays is having your data stolen. It’s just not worth saving an extra $10 on shipping. That said, I'm also vehemently opposed to Amazon for a number of reasons, so when I say “stick to reputable sites” I’m not advocating for getting everything on Amazon to play it safe. I prefer to buy directly from the manufacturer when possible using alias cards and email addresses, but there’s also big box stores, department stores, and pretty much anyone else. Not to say that Target or Etsy aren’t evil, I’m simply trying to make it clear that this isn’t a call for readers to continue to feed the abusive Amazon monopoly, It’s also a warning to be wary of those “greatdeelz.com” sites that seem to be dime-a-dozen.

• Beware scammers. Scammers are always drawn to opportunities to make money and the holidays are a great opportunity for them to take advantage of the increased online financial activity and the surrounding chaos to try to sneak in phishing attacks like “there’s a problem with your Amazon order, click here to correct it” or “here’s your receipt for your order of an iPad Pro/Samsung Galaxy” or “low balance” alerts from your bank (all designed to get your login credentials or card numbers directly). The best way to avoid these scams is to slow down, take a deep breath, and think. Ask yourself “did I even use this site recently?” For example, if you don’t bank with Bank of America, then how would you be getting a low-balance alert? Even if you suspect the alert is legitimate, go directly to the website and log in. Do not click the link in the email no matter what. If there really is an issue, there will be a message waiting in your inbox or a pop-up as soon as you login asking you to correct the issue. As an extra measure, you can call customer service to verify – but again, make sure you get the customer service number from an official source like the retailer’s website or the back of your credit card. Be careful if you “Google” the site as a way to find their customer service number, there have been cases where scammers abuse ads to direct people to fake websites with fake customer service numbers.

• Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. To start, they can be pretty inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, instead sitting safely inside the building. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random seller on Etsy, the rogue employee at Amazon, or the cybercriminal who hopefully didn’t steal your information because you already implemented my other advice.

• Secure your accounts. Be sure to use strong passwords with a good password manager and use two-factor authentication (2FA) on all your accounts that offer it. I know the holidays are a hectic time for most people with travel and family and such, but it also usually means some paid time off. Take advantage of some of that down time and set aside an hour or two to pick a good password manager, change your passwords and password habits, and enable 2FA. This is one of the single most effective things you can do to protect your online accounts. On top of that it's free and easy, yet few people do any of this stuff. Doing this step alone will make you a harder target than most, and all but the most dedicated attackers won’t even bother with your data, they’ll simply move on to easier targets (of which there are plenty).

• Don’t quit on December 26. The thing about these habits is that they’re great any time, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store or when getting gas. You can use payment-masking services to pay for your subscription services or bills. Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work, or freelance and need somewhere to send checks or a return address for merchandise you sell.

I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

While hidden services are riding a fine line of potentially being “out of scope” given my target audience, the required costs (in time, maintenance, technical proficiency, and finances) are quite low, and given that TNO explicitly states that we are not an adequate resource for high-threat-model individuals, I feel like this is a service we can confidently offer to give our readers an extra layer of privacy – even from ourselves (trustworthy though I may feel we are). That said, I am certain there is room for improvement, and if any of the more experienced readers out there see ways that we can offer our readers even more protection, please open an issue on GitLab or GitHub.

To access our new Hidden Service, simply navigate to TheNewOil.org in the Tor Browser as we already have the automatic redirect set up, so your browser will either automatically redirect you or at very least offer to redirect you depending on your settings. If you'd rather go there directly, you can find us at vyrgfx4jz2lnejqduons56ph5xtsrtaoo7ovny53dd7okyzhfsgkzbad.onion. Thank you to everyone who made this possible and helps make The New Oil a little better everyday. I look forward to many more privacy-friendly moves like this in the future!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.

Brave

If you use Brave, click the Brave icon in your address bar. Toward the bottom, click “Filter lists.” When you're taken to the filter settings, click “Show full list,” find “Bypass Paywalls Clean Filters,” and enable it. Reload the page and it'll probably work now.

Firefox (et al)

If you're using a Firefox-based browser (including Librewolf or Mullvad), you should have uBlock Origin installed. (If you don't and refuse to, then skip to the next section). Click on uBlock Origin, click the gear icons to bring up the settings, and navigate to the “Filter lists” tab. Scroll all the way down to “Import” and enter https://gitlab.com/magnolia1234/bypass-paywalls-clean-filters/-/raw/main/bpc-paywall-filter.txt. Click “Apply changes.” “Bypass Paywalls Clean filter” should now appear under the “Custom” tab.

Paywall Unblock Sites

If you do not use Brave and refuse to use uBlock Origin for any reason, I really disagree with your choice but whatever. It's your life, you do you. You can try a paywall blocking site if you want, but in my experience they don't work for crap. At this time the only one I'm aware of is 12ft.io. I'll revise this blog post to add more if/when I hear of them.

If none of these solutions worked for you, then like I said, chances are that the post wasn't paywalled when I originally found and queued it up. I schedule posts every 30 minutes, 9-6 (Central Time), Monday through Saturday. Sometimes there's a considerable delay between when I first read a post and when it gets posted – at times I've been backlogged by up to 3 days. Sometimes outlets paywall articles at a later date for a variety of reasons. If that's what happened here, I'm really sorry. Try searching the headline in your privacy-respecting search engine of choice and see if you can find other news outlets talking about the same subject, or maybe try entering the link into the Wayback Machine and see if you can pull an earlier, non-paywalled version.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.