How I replaced Dropbox

My main beef with Dropbox is that it's not secure, not adequately encrypted, and there's been a little too much indication that Dropbox is spying on user data.

Ever since I decided to lock down my cyber-life, I had Dropbox in my sights. It was going to be a pain to replace it, I thought, so it took a while before I got around to doing so. I finally did do so today.

The longest step of this process was deciding what I wanted to do. At first, I thought I'd set up my own lightweight cloud server using my desktop, which would sync files on all my devices, something like NextCloud. A great bonus is that this makes it particularly easy to sync things like your address book and passwords. This doesn't seem like a bad idea and is now my fallback. But I ultimately decided to pass because (a) setup might end up being very bothersome, (b) it might eat up desktop resources, and (c) I'd have to keep my computer on all the time, which seems suboptimal.

All of the problems with installing my own NextCloud—bothersome setup, resources constraints, and always-on system—are taken care of by getting my own server or, less ambitiously, what is called a NAS, or Network-Attached Storage system. I spent several hours yesterday researching all about NASes, and came close to getting either a QNAP or a Synology NAS, because they're so frickin' cool. I mean, jeez, it's actually a fully-functioning standalone web server with a zillion apps (especially Synology), and sure, you can use it to sync your files. But the more I thought about it, the more I thought, "This is a lot of work (and yet another giant attack surface for hackers), when all I really want is a Dropbox replacement." If I were just hacking and exploring, I would have gotten a NAS in a heartbeat, they're so cool. But I have other things to do, so...

I also semi-seriously considered getting a zero-knowledge encryption system, like SpiderOak. The premise seems solid: your files are all saved in the cloud, but 100% encrypted, and the key needed to decrypt them is only on your machine (or in your head). SpiderOak (and many other similar services) cannot scan your files because it lacks the keys to read them. I guess my experience with being hacked and seriously disaffected with storing data in the cloud generally turned me off even to this. If I don't have to trust a company (as I do if, e.g., I want to use a VPN), then I'd prefer not to.

So, how do you get cloud functionality without the cloud? With syncing apps. These use different technologies to sync your devices directly with each other, through the Internet, but not stored on the Internet, and without any one of them acting as a server to the others (so they're all peers of each other in your little device network). It turns out that there are several options available here, and I came close to going with Syncthing because it's open source (and therefore, more trustworthy) iPhone app. But the next best thing is Resilio Sync, which is also based on (the UPDATE: closed-source) Bittorrent Sync. Now, the fact that it uses Tor doesn't mean your data is stored in the dark web. It simply makes use of the Tor network, which is perfectly legal and legit, that is required for accessing the dark web (something I've never even tried to do, by the way). The beauty of the system is that in transit through cyberspace, your data is end-to-end encrypted through a decentralized network. It's hard to get more secure, or that's my understanding.

Resilio Sync is pretty easy to install if you're not using Linux. It was a bit of a pain (they could work harder on the setup, I mean really, guys) but still doable, if like me you're reasonably adept with vague Linux instructions. It didn't take longer than an hour to completely set up and test (my son did it in half the time), and then I started moving folders over, one by one, from Dropbox to my new Sync folder. This was quite satisfying, not unlike that satisfying feeling of changing my account email addresses from to And because Resilio updates via your LAN directly from device to device, it syncs much faster than Dropbox. Like Linux, the slightly geekier alternative turns out to be just better, all the way around.

I got the $100 one-time deal so my family could all use it. Since this is roughly what I've been paying to Dropbox yearly for the last decade or whatever it's been, I was very happy to pay this.

How does it work? Well, once it's set up, it's just like Dropbox. Create a new file in your work folder? It's practically instantly synced to any other devices that are on, as soon as you save it. (Of course, it does have to be on, in order to sync. And your phone won't sync the file and folder contents; it will only sync the index, and then, as with the Dropbox mobile app, you can download the item one-by-one.)

There is one very small change this might require to your routine. Since your files aren't in the cloud but only on other machines, before you leave one machine with files on it you might want to access elsewhere, you'll want to make sure either (a) that machine will stay on while you're away from it, or (b) you've synced before you leave while they're in close proximity (the LAN connection will make syncing faster, too).

Love it so far. Buh-bye Dropbox! Any regrets so far? Not really. While LAN syncing for me is significantly faster than Dropbox, it uses only 10% of my available LAN bandwidth, and I wasn't able to get it to go faster; I'm not sure what's up with that. I tried to fix it but didn't dare do too much, since it involved a lot of fiddly changes to settings that, it seems, need to be undone. Your mileage may vary.

Also, they didn't make Linux GUI other than a browser-based one, which is OK; it works well enough. They didn't even bother to create a tray icon, but they do have an API, so my 12-year-old son made one for them and I'm already using it. (Want the code, Resilio? I can set that up.)

Of course, if you haven't taken the Linux plunge, Resilio Sync is probably going to be a lot more usable for you—not that, at the end of the day, it isn't extremely usable for Linux users, too. And, as I've indicated, there are many, many other options available to you if you want to ditch Dropbox. You should consider them for yourself.

Another installment in my series on how I’m locking down my cyber-life.

How and why I got a VPN

As part of my ongoing efforts to lock down my cyber-life, I finally decided to investigate VPNs (virtual private networks) and subscribe to one, if it seemed to be a good idea.

Well, it is a good idea. So I got one, and it was pretty cheap.

What is a VPN, anyway?

A virtual private network, briefly, is subscription service (there are free ones, but don't use a free one) that you can connect to in order to mask your IP address, pretending (unsuccessfully if you're using a mobile connection) that you're connecting to the Internet from somewhere else, while encrypting the data that passes between you and your ISP (which can mean your data is encryped as it passes through wifi). It doesn't replace your ISP; you still need an ISP to connect to the Internet. More specifically, a VPN (typically, a for-profit company):

  1. Is runs a number of servers (computers), which ideally are located all around the world, each of which connects to the Internet on your behalf.
  2. Is a service you connect to, as a data "tunnel" to the Internet. You can set up your computer or phone so that it connects to the VPN whenever you get online (or whenever you like). All your requests to the Internet, and all the responses you receive from the Internet, are routed through one or another of the VPN's nodes.
  3. Encrypts the data exchanged between its servers and your device.
  4. Typically doesn't log your traffic (but there's no way to know this for sure) or intercept your data (unless they receive a specific court order to do so in your case).
  5. Is typically a paid service; there are free ones.

Why would I want a VPN?

So, what does a VPN do? What is it good for? What are the benefits? Why would you get one? Several things (cf. this useful intro):

  1. Foil the NSA, maybe. You connect to the Internet via your ISP at home, right? Well, since data you exchange with the VPN is encrypted, your ISP can't detect anything about what websites you're looking at or what information you're sending. Since mass surveillance (e.g., by the NSA) is typically done at the ISP level, this foils such surveillance. But maybe you trust all the fine, upstanding people who work for the government and don't care. Well, there are other reasons, as well:
  2. Make it harder for websites, hackers, and advertisers to spot you. When you connect to a website without a VPN, it typically logs the IP address that is accessing it, maybe info about your device, browser, etc. This can be used by the website to track you and for various nefarious purposes. When you connect with a VPN, websites log data from the VPN's server, which says nothing about you. This protects your information privacy and security (which you should care about!).
  3. Use airport, hotel, and restaurant connections securely. If you connect to the Internet via your airport's connection, hackers can pretty easily do nasty things with your data stream. But if your data stream is completely encrypted on its way through the airport's wifi to and from the VPN, those hackers can't touch you. Take that, hackers! This is a huge advantage to me, considering how much traveling I'm doing these days.
  4. See content as if you were elsewhere. If you want to access information that is accessible only by IP addresses from a given country (such as the U.K. or the U.S.), a VPN lets you do so. You can make it look like you're from there! E.g., I can watch Brits-only content from the BBC. That's just kind of cool.
  5. More safely do P2P file sharing. If you must, and are cheap, and refuse to pay the creators of your content, you bastard.

If you don't care about privacy or security or striking a blow against mass surveillance, then you should pass. If you do care about those things, consider getting a VPN.

WThere's one significant disadvantage about VPNs, which makes me sad, but I'll live with it: VPNs do slow down your Internet connection, but not necessarily by much. As you know (if you know how the Internet works at all), Internet traffic bounces from node to node as it makes its way from the website (or whatever) you're accessing to your device. The VPN adds one node to that trip. As long as you connect to a VPN server located near you, this trip isn't actually lengthed by much. says it slows down your connection speed by 10%, but the actual amount at any given time depends on many factors. I rarely notice much of a difference, for what it's worth.

Update: after using it for a couple days, my VPN (which is reputedly one of the faster ones) doesn't really noticeably slow down my connection, even at the hotel. Except when I was connected to the U.K., and then the only problem was that I had to buffer a video once or twice.

What VPN did I choose?

I'm not telling. I spent some hours doing research. A name emerged. You should do the same and use your own judgment. Be careful not to subscribe to any shady VPNs; they doubtless do exist and it might be hard to figure out whether yours is one. There can be problems with the software as well. Unfortunately, some amount of trust is involved if you're not a specialist. I bore these requirements in mind:

  • Don't just look for claims that they don't keep logs; check that the claims have been verified (by consultants, courts, or police).
  • Bear in mind that many reviews might be paid for and so can't be trusted. It might be hard to tell which reviews these are.
  • Speed.
  • Can one determine who owns the company? Do they look legit?
  • Support for Linux.

There are other features you might be interested in, of course.

How hard was it to buy and install?

I can speak only about the one I bought and installed: it was dead simple. It was no harder to buy than any other subscription service. As for installation, I had it downloaded, installed, and working in maybe two minutes. Of course, that's just the one I bought.

Note, you don't have to install special software to use a VPN, e.g., if you're using an OS or browser that has the software built in.

There's much more to know about VPNs, which you might want to know if you're going to get into it. You're just getting a rank beginner's explanation of why he got one, here.

This is part of the series on how I'm locking down my cyber-life.

A reply to Mark Zuckerberg's "Privacy-Focused Vision for Social Networking"

Yesterday (March 7), Facebook CEO Mark Zuckerberg outlined Facebook's new "vision and principles around building a privacy-focused messaging and social networking platform." The essential problem isn't that they need a new app; rather, they need to reform their existing one.

Rather than acknowledging the elephant in the room—that users are deeply incensed that their privacy continues to be systematically sold by Big Tech, that ongoing security issues stem from Facebook's inherent and business-critical data-collection and -sharing practices—Zuckerberg pretends that it's important that he solves, well, a different problem:

But people increasingly also want to connect privately in the digital equivalent of the living room. As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today's open platforms. Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks.

It is as if Zuckerberg had been reminded one too many times by his advisers that people really do care, after all, about this pesky privacy issue, which once upon a time he could say with impunity was no longer a "social norm." Yeah, so maybe he was wrong. Maybe the perennial demands for a right to privacy are not a changeable social norm, after all. Maybe people really do care about their information being controlled by themselves and not by giant corporations and authorities. Yes, Zuck, well spotted. People do care about privacy after all. But he interpreted the general sentiment in the most naive, simple-minded way, and decided that what people were missing were...private chat rooms.

Because people are really upset that they don't have private chat rooms, apparently. But never fear! Zuck is here to save the day! He'll make chat rooms, and he'll make them really, really private! (Well, not really. Not even that, as we'll see.)

Throughout the 3,200-word piece, there is no explicit acknowledgment that there might be a different way to do more open and public social networking. Nothing about standards and protocols. Nothing about interoperability between independent social media networks.

Zuckerberg also shows no awareness of the real reasons we should care about privacy. No, it's not just about people being free to have intimate conversations. There's much more to it than that. It is ultimately about freedom and autonomy. It's a fundamental right. Like free speech, people who don't understand it or who want to control us are only too happy to make it conditional on their ultimately arbitrary and power-driven decisions.

Zuck makes much of WhatsApp's end-to-end encryption. It is certainly true that private messaging services should have end-to-end encryption built in, and that, no, not even Facebook should be able to listen in on our private conversations: "End-to-end encryption prevents anyone—including us—from seeing what people share on our services." Well spotted, indeed! But as we'll see in a bit, he doesn't really mean it. Are you surprised?

Does Zuckerberg propose privacy improvements to Facebook itself, the public and semi-public service that Facebook has used to exploit us, to its enormous profit? No, not really. Perhaps this is an oblique and hopeful-sounding reference: "Over the next few years, we plan to rebuild more of our services around these ideas." Sure. Maybe you will, if you're still around. We'll believe it when we see it. But of course we shouldn't believe any such oblique promises from an arrogant frat boy who deems his users to be "dumb fucks."

Later in the piece, Zuckerberg tips his hat slightly toward those of us who want to decentralize social media: "End-to-end encryption is an important tool in developing a privacy-focused social network. Encryption is decentralizing—it limits services like ours from seeing the content flowing through them and makes it much harder for anyone else to access your information."

But soon after repeating this tantalizing offer of real end-to-end encryption, Zuckerberg takes it away:

At the same time, there are real safety concerns to address before we can implement end-to-end encryption across all of our messaging services. Encryption is a powerful tool for privacy, but that includes the privacy of people doing bad things. When billions of people use a service to connect, some of them are going to misuse it for truly terrible things like child exploitation, terrorism, and extortion. We have a responsibility to work with law enforcement and to help prevent these wherever we can. We are working to improve our ability to identify and stop bad actors across our apps by detecting patterns of activity or through other means, even when we can't see the content of the messages, and we will continue to invest in this work. But we face an inherent tradeoff because we will never find all of the potential harm we do today when our security systems can see the messages themselves.

People who actually know something about how privacy works and why it's important—you can be one of them, if you read The Art of Invisibility by Kevin Mitnick or Cybersecurity for Beginners by Raef Meeuwisse—will instantly spot a contradiction here. If there is truly end-to-end encryption, then it will be impossible for Facebook "to work with law enforcement and to help prevent these wherever we can." This is why some politicians and governments simply want to outlaw encryption, which would be a giant step toward totalitarianism, and absolutely insane to boot. Maybe we could make this a teachable moment for Zuck: "Look, dude, you can't have it both ways. Either you have end-to-end encryption that the authorities cannot (without superheroic efforts) crack, or you give authorities (and yourselves, and expert hackers) a back door that naturally undermines the real privacy (not to mention security) of your network. You can't have it both ways."

But no—he wants us to believe that we can. And that he believes that we can.

Truly risible.

The hard, cold fact is that, just as whispered conversations conducted far from prying ears and detection technology, in principle, cannot be monitored, so private conversations online, if they are successfully end-to-end encrypted, cannot be long as eavesdroppers don't have the private keys, and the private keys are strong enough not to be crackable, and...and...and...

Anyway, Zuckerberg has amply demonstrated that he's learned nothing. Move along, folks—nothing to see here.

The decentralization revolution will proceed as scheduled.

Please use #DecentralizeSocialMedia when you share this post!

My Facebook #DeletionDay goodbye message

Here's what I posted as my last long message to Facebook.

Folks, as previously announced, tomorrow will be my #DeletionDay for Facebook. It'll be the last day I'll post here, and I'll begin the process for the permanent removal of my account. (Among other things, I'll make a copy of my data and my friends list.) I'm sorry to those who want me to stay, but there are too many reasons to quit.

Let me explain again, more tersely, why I'm quitting.

You probably already know that I think this kind of social media, as fun as it undoubtedly can be, undermines relationships, wastes our time, and distracts us. I also agree, as one guy can be seen saying on virally-shared videos, that social media is particularly bad for kids. All I can say is, it's just sad that all that hasn't been enough for me (and most of us) to quit.

But in 2018, it became all too clear that Big Tech—which is now most definitely a thing—is cynically and strongly committed to using social media as a potent tool of political control, which it certainly is. They like having that power. For companies like Google, Facebook, and Apple, reining in wrongthink is a moral imperative. And they're doing the bidding of the Establishment when they do so. It's very scary, I think.

The only thing that gives them this awesome power over us and our free, voluntary conversations is that we have given them that power. But notice the thing that empowers them: we give them our data to manage. It's not really ours. They take it, sell it to advertisers, repackage it, and show it back to us in ways they control. And they can silence us if they like. That's because we have sold our privacy to them for convenience and fun. We're all what Nick Carr aptly called "digital sharecroppers." I now think it's a terrible deal. It's still voluntary, thank goodness; so I'm opting out.

Another thing is that I started reading a book called Cybersecurity for Beginners (no, I'm not too proud to read a book called that) by Raef Meeuwisse, after my phone (and Google account and Coinbase) were hacked. This finally opened my eyes to the very close connection between privacy and security. Meeuwisse explains that information security has become much more complex than it was in the past, what with multiple logins, multiple (interconnected) devices, multiple (interconnected) cloud services, and in short multiple potential points of failure in multiple layers.

[Adding now: Someone recommended, and I bought and started reading, another good privacy book called The Art of Invisibility by Kevin Mitnick. Mitnick is a famous hacker. Meeuwisse is a security professional as well. The Mitnick book is much more readable for savvy Internet users, while the Meeuwisse book is a bit drier and might be more of a good introduction to the field of information security for managers.]

The root cause of the increased security risks, as I see it (as Meeuwisse helped me to see), is our tendency to trust our data to more and more centralizing organizations (like Facebook, Microsoft, and Apple). This means we trust them not only to control our data to our benefit, but also to get security right. But they can't be expected to get security right precisely because social media and cloud services depend on their ability to access our data. If you want robust security, you must demand absolute privacy. That means that only you own and control your data.

If we were the gatekeepers of our own data (if it were delivered out of our own clouds, via decentralized feeds we control, as open source software and blockchains support), then we wouldn't have nearly so many problems.

Maybe even more fundamental is that there are significant risks—personal, social, and political—to letting corporations (or governments) collectivize us. But precisely that is what has been going on over the last ten years or so.

It's time for us to work a new technological revolution and decentralize, or decollectivize, ourselves. One reason I love working for a blockchain company is that we're philosophically committed to the idea of decentralization, of personal autonomy. But it's still early days for both open source software and blockchain. Much remains to be done to make this technology usable to grandma.

While we're waiting for viable (usable) new solutions, I think the first step is to lock down your cyber-life and help create demand by just getting rid of things like Facebook. You don't have to completely unplug from everything; you have to be hardcore or extreme about your privacy (although I think that's a good idea). You can do what you can, what you're able to do.

I won't blame or think ill of you if you stay on Facebook. I'm just trying to explain why I'm leaving. And I guess I am encouraging you to really start boning up on digital hygiene.

Below, I'm going to link to a series of relevant blog posts that you can explore if you want to follow me out, or just to start thinking more about this stuff.

Also, I hope you'll subscribe yourself to my personal mailing list, which I'll start using more regularly tomorrow. By the way, if you might be interested in some other, more specialized list that I might start based on my interests (such as Everipedia, education, libertarianism, or whatever), please join the big list.

Also note, especially if your email is from Gmail, you will have to check your spam folder for the confirmation mail, if you want to be added. Please move any mails from me and my list out of your spam (or junk) folder into your inbox so Google learns I'm actually not a spammer. :-)

There, that's me being "terse."

How deep should one go into this privacy stuff, anyway?

Probably deeper than you thought. Here's why.

If you are convinced that privacy actually matters, and you really want to lock down your cyber-life, as I am trying to do, there are easy options, like switching to Brave (or Firefox with plugins that harden it for privacy). I've done that. Then there are more challenging but doable options, like switching your email away from Gmail. I've done that. Then there are the hardcore options, like permanently quitting Facebook. I will be doing that later this month.

And then, finally, there are some extreme, weird, bizarre, and even self-destructive options, like completely unplugging—or, less extremely, plunking down significant sums of money on privacy hardware that may or may not work—or that works, but costs a lot. As an illustrative example, we can think about the wonderfully well-meaning company Purism and its charmingly privacy-obsessed products, the Librem 13 and 15 laptops as well as the Librem 5 phone, which is due in April "Q3".

I'm going to use this as an example of the hardcore level, then I'm going to go back to the more interesting broader questions. You can skip the next section if it totally bores you.

Should I take financial risks to support the cause of privacy?

If I sound a little skeptical, it's because I am. Purism is a good example because, on the one hand, it's totally devoted to privacy and 100% open source (OSS), concepts that I love. (By the way, I have absolutely no relationship with them. I haven't even purchased one of their products yet.) Privacy and open source go together like hand in glove, by the way, because developers of OSS avoid adding privacy-violating features. OSS developers tend to be privacy fiends, not least because free software projects offer few incentives to sell your data, while having many incentives to keep it secure. But, as much as I love open source software (like Linux, Ubuntu, Apache, and LibreOffice, to take a few examples) and open content (like Wikipedia and Everipedia), not to mention the promise of open hardware, the quality of such open and free projects can be uneven.

The well-known lack of polish on OSS is mainly because whether a coding or editorial problem is fixed depends on self-directed volunteers. It often helps when a for-profit enterprise gets involved to push things forward decisively (like Everipedia redesigning wiki software and putting Wikipedia's content on the blockchain). Similarly, to be sure, we wouldn't have a prayer of seeing a mass-produced Linux phone without companies like Purism. The company behind Ubuntu, Canonical, tried and failed to make an Ubuntu phone. If they had succeeded, I might own one now.

So there is an interesting dilemma here, I think. On the one hand, I want to support companies like Purism, because they're doing really important work. The world desperately needs a choice other than Apple and Android, and not just any other choice—a choice that respects our privacy and autonomy (or, as the OSS community likes to say, our freedom). On the other hand, if you want to use a Linux phone daily for mission-critical business stuff, then the Librem 5 phone isn't quite ready for you yet.

My point here isn't about the phone (but I do hope they succeed). My point is that our world in 2019 is not made for privacy. You have to change your habits significantly, switch vendors and accounts, accept new expenses, and maybe even take some risks, if you go beyond "hardcore" levels of privacy.

Is it worth it? Maybe you think being even just "hardcore" about privacy isn't worth it. How deep should one go into this privacy stuff, anyway? In the rest of this post, I'll explore this timely issue.

The four levels

I've already written in this blog about why privacy is important. But what I haven't explored is the question of how important it is. It's very important, to be sure, but you can make changes that are more or less difficult. What level of difficulty should you accept: easy, challenging, hardcore, or extreme?

Each of these levels of difficulty, I think, naturally goes with a certain attitude toward privacy. What level are you at now? Have a look:

  1. The easy level. You want to make it a bit harder for hackers to do damage to your devices, your data, your reputation, or your credit. The idea here is that just as it would be irresponsible to leave your door unlocked if you live in a crime-ridden neighborhood, it's irresponsible to use weak passwords and other such things. You'll install a firewall (or, rather, let commercial software do this for you) and virus protection software.—If you stop there, you really don't care if corporations or the government spies on you, at the end of the day. Targeted ads might be annoying, but they're tolerable, you think, and you have nothing to hide from the government. This level is better than nothing, but it's also quite irresponsible, in my opinion. Most people are at this level (at best). The fact that this attitude is so widespread is what has allowed corporations, governments, and criminals to get their claws into us.
  2. The challenging but doable level. You understand that hackers can actually ruin your life, and, in scary, unpredictable circumstances, a rogue corporation or a government could, as well. As unlikely as this might be, we are right to take extra precautions to avoid the worst. Corporate and government intrusions into privacy royally piss you off, and you're ready to do something reasonably dramatic (such as switch away from Gmail), to send a message and make yourself feel better. But you know you'll never wholly escape the clutches of your evil corporate and government overlords. You don't like this at all, but you're "realistic"; you can't escape the system, and you're mostly resigned to it. You just want the real abusers held to account. Maybe government regulation is the solution.—This level is better than nothing. This is the level of the Establishment types who want the government to "do something" about Facebooks abuses, but are only a little bothered by the NSA. I think this level is still irresponsible. If you're ultimately OK with sending your data to Google and Facebook, and you trust the NSA, you're still one of the sheeple who are allowing them to take over the world.
  3. The hardcore level. Now things get interesting. Your eyes have been opened. You know Google and Facebook aren't going to stop. Why would they? They like being social engineers. They want to control who you vote for. They're unapologetic about inserting you and your data into a vast corporate machine. Similarly, you know that governments will collect more of your data in the future, not less, and sooner or later, some of those governments will use the data for truly scary and oppressive social control, just as China is doing. If you're at this level, it's not just because you want to protect your data from criminals. It's because you firmly believe that technology has developed especially over the last 15 years without sufficient privacy controls built in. You demand that those controls be built in now, because otherwise, huge corporations and the largest, most powerful governments in history can monitor us 24/7, wherever we are. This can't end well. We need to completely change the Internet and how it operates.—The hardcore level is not just political, it's fundamentally opposed to the systems that have developed. This is why you won't just complain about Facebook, you'll quit Facebook, because you know that if you don't, you're participating in what what is, in the end, a simply evil system. In other ways, you're ready to lock down your cyber-life systematically. You know what a VPN is and you use one. You would laugh at the idea of using Dropbox. You know you'll have to work pretty hard at this. It's only a matter of how much you can accomplish.
  4. The extreme level. The hardcore level isn't hardcore enough. Of course corporations and governments are using your data to monitor and control you in a thousand big and small ways. This is one of the most important problems of our time. You will go out of your way, on principle and so that you can help advance the technology, to help lock down everybody's data. Of course you use Linux. Probably, you're a computer programmer or some other techie, so you can figure out how to make the bleeding edge privacy software and hardware work. Maybe you help develop it.—The extreme level is beyond merely political. It's not just one cause among many. You live with tech all the time and you demand that every bit of your tech respect your privacy and autonomy; that should be the default mode. You've tried and maybe use several VPNs. You run your own servers for privacy purposes. You use precious little proprietary software, which you find positively offensive. You're already doing everything you can to make that how you interact with technology.

In sum, privacy is can be viewed primarily as a matter of personal safety with no big demands on your time, as a political side-issue that demands only a little of your time, as an important political principle that places fairly serious demands on your time, or as a political principle that is so important that it guides all of your technical choices.

What should be your level of privacy commitment?

Let's get clear, now. I, for example, have made quite a few changes that show something like hardcore commitment. I switched to Linux, replaced Gmail, Chrome, and Google Search, and am mostly quitting privacy-invasive social media. I even use a VPN. The reason I'm making these changes isn't that I feel personally threatened by Microsoft, Apple, Google, and Facebook. It's not about me and my data; I'm not paranoid. It's about a much bigger, systemic threat. It's a threat to all of us, because we have given so much power to corporations and governments in the form of easily collectible data that they control. It really is true that knowledge is power, and that is why these organizations are learning as much about us as they can.

There's more to it than that. If you're not willing to go beyond moderately challenging changes, you're probably saying, "But Larry, why should I be so passionate Isn't that kind of, you know, wonky and weird? Seems like a waste of time."

Look. The digital giants in both the private and public sectors are not just collecting our data. By collecting our data, they're collectivizing us. If you want to understand the problem, think about that. Maybe you hate how stuff you talked about on Facebook or Gmail, or that you searched for on Google or Amazon, suddenly seem to be reflected by weirdly appropriate ads everywhere. Advertisers and Big Tech are, naturally, trying to influence you; they're able to do so because you've agreed to give your data to companies that aggregate it and sell it to advertisers. Maybe you think Russia was able to influence U.S. elections. How would that have been possible, if a huge percentage of the American public were not part of one centralized system, Facebook? Maybe you think Facebook, YouTube, Twitter, and others are outrageously biased and are censoring people for their politics. That's possible only because we've let those companies manage our data, and we must use their proprietary protocols if we want to use it. Maybe you're concerned about China hacking and crippling U.S. computers. A big part of the problem is that good security practices have been undermined by lax privacy practices.

In every case, the problem ultimately is we don't care enough about privacy. We've been far too willing to place control of our data in the hands of the tech giants who are only too happy to take it off our hands, in exchange for "services."

Oh, we're serviced, all right.

In these and many, many more cases, the root problem is that we don't hold the keys—they do. Our obligation, therefore, is to take back the keys.

Fortunately, we are still able to. We can create demand for better systems that respect our privacy. We don't have to use Facebook, for example. We can leave en masse, creating a demand for a decentralized system where we each own and control how our data is distributed, and the terms on which we see other people's data. We don't have to leave these important decisions in the hands of creeps like Mark Zuckerberg. We can use email, mailing lists, and newer, more privacy-respecting platforms.

To take another example, we don't have to use Microsoft or Apple to run our computers. While Apple is probably better, it's still bad; it still places many important decisions in the hands of one giant, powerful company, that will ultimately control (and pass along) our data under confusing terms that we must agree to if we are to use their products. Because their software is proprietary and closed-source, when we use their hardware and services, we simply have to trust that what happens to it after we submit it will be managed to our benefit.

Instead of these top-down, controlling systems, we could be using Linux, which is much, much better than it was 15 years ago.

By the way, here's something that ought to piss you off: smart phones are the one essential 21st-century technology where you have no free, privacy-respecting option. It's Apple or Google (or Microsoft, with its moribund Windows Phone). There still isn't a Linux phone. So wish Purism luck!

We all have different political principles and priorities, of course. I personally am not sure where privacy stacks up, precisely, against the many, many other principles there are.

One thing is very clear to me: privacy is surprisingly important, and more important than most people think it is. It isn't yet another special, narrow issue like euthanasia, gun control, or the national debt. It is broader than those. Its conceptual cousins are broad principles like freedom and justice. This is because privacy touches every aspect of information. Digital information has increasingly become, in the last 30 years, the very lifeblood of so much of our modern existence: commerce, socialization, politics, education, entertainment, and more. Whoever controls these things controls the world.

That, then, is the point. We should care about privacy a lot—we should be hardcore if not extreme about it—because we care about who controls us, and we want to retain control over ourselves. If you want to remain a democracy, if you don't want society itself to become an appendage of massive corporate and government mechanisms, by far the most powerful institutions in history, then you need to start caring about privacy. That's how important it is.

Privacy doesn't mainly have to do with hiding our dirty secrets from neighbors and the law. It mainly has to do with whether we must ask anyone's permission to communicate, publish, support, oppose, purchase, compensate, save, retrieve, and more. It also has to do with whether we control the conditions under which others can access our information, including information about us. Do we dictate the terms under which others can use all this information that makes up so much of life today, or does some central authority do that for us?

Whoever controls our information controls those parts of our lives that are touched by information. The more of our information is in their hands, the more control they have over us. It's not about secrecy; it's about autonomy.

Part of a series on how I'm locking down my cyber-life.

How and why I transitioned to Linux—how you can, too

Let me briefly tell my Linux story. If you're thinking about moving to Linux, and wondering how you'd do so, it might give you some pointers and inspiration.

The back story

My first introduction to the command line was in the 80s when I first started learning about computers and, like many geeky kids of the time, wrote my first BASIC computer programs. But it wasn't until my job starting Nupedia (and then Wikipedia) that I spent much time on the Bash command line.

(Let me explain. "Bash" means "Bourne-again shell," a rewrite of the class Unix shell "sh." A "shell" is a program for interacting with the computer by processing terse commands to do basic stuff like find and manipulate files; a terminal, or terminal emulator, is a program that runs a shell. The terminal is what shows you that command line, where you type your commands like "move this file there" and "download that file from this web address" and "inject this virus into that database". The default terminal used by Linux Ubuntu, for example, is called Gnome Terminal--which runs Bash, the standard Linux shell.)

Even then (and in the following years when I got into programming again), I didn't learn much beyond things like cd (switch directory) and ls (list directory contents).

It was then, around 2002, that I first decided to install Linux. Back then, maybe the biggest "distro" (flavor of Linux) was Red Hat Linux, so that's what I installed. I remember making a partition (dividing the hard disk into parts, basically) and dual-booting (installing and making it possible to use both) Linux and Windows. It was OK, but it was also rather clunky and much rougher and much less user-friendly than the Windows of the day. So I didn't use it much.

Linux on a virtual machine

When I decided in mid-2016 that I wanted to start learning to program, really really, more seriously this time, I knew I'd have to transition soon to Linux, especially if I was going to learn Ruby on Rails (which I was and am). There's less pressure to do this if you're a Mac user, since modern Macs make a Bash console easily available; OSX is based on Unix and so is a sibling of Linux. Anyway, if you don't want to plunge headfirst into Linux-only or dual-booting, then the Thing To Do, beginners are rightly told, is to install Linux on a virtual machine.

A "virtual machine" (VM) is a program that, generally, runs in Windows or Mac and allows you to run a completely distinct operating system within a window (or in my case, a couple windows, one for each monitor). When I turned on my computer (i.e., the physical machine with the on switch), I booted into Windows as usual. But when I wanted to start programming, I started the VM and, inside the windows that popped up, it looks like a separate Linux computer is running. It's easy to switch back and forth; you can do so with the click of a mouse.

One of the first things I had to decide was which distro (flavor of Linux) to use. Leading distros include Ubuntu, Mint, Debian, Fedora, and CentOS. I chose Ubuntu because it was (and is) popular, relatively stable, well-supported, and relatively easy for newbies to get into. I find Ubuntu running the Gnome desktop environment—I'm not going to bother explaining what that means, but different distros can run different desktop environments—to be a pleasure, as I'll explain later.

My precocious son H., then age 10, had already set up a VirtualBox VM, so I had his help installing Linux in one myself. Installing Ubuntu to a VirtualBox VM is not terribly easy if you've never done it before, but there are plenty of tutorials and free help to be found online. If you're moderately technical, you can do it. It's not that bad.

Why I decided to install Linux on a partition

I used Ubuntu in VirtualBox for a couple years. It was a great way to transition from Windows to Linux; I ran Linux on a VM when studying programming, and I ran Windows for everything else.

Then came 2018, with its stunning revelations and outrages by Facebook, Apple, Google, and others. With privacy and free speech—in short, digital autonomy—deeply under threat, I decided to lock down my cyber-life. (I encourage you to do the same.)

I'd wanted to run Linux on a partition for a long time (doing so is quite a bit faster and more seamless than a VM). But when all these giant, centralized corporations showed such contempt for our privacy (and thus our security) and free speech, I decided that I was going to do all I could to take my data out of their hands. Microsoft is and always has been terrible when it comes to security, but with Windows 10—though admittedly an improvement in UX—they jumped on the privacy-violating bandwagon. Windows 10 bothered me ever since it came out. Now finally I decided I'd have to do something about it.

See, I've always thought information privacy was important, but like many of us, I rationalized the increasingly jaw-dropping privacy violations and security failures by corporations (and government, for that matter) in the last ten years or so as the price we pay for awesome new technology. You know—awesome new tech like Facebook, Twitter, Google Search, Google Chrome, cloud storage, and a free but better-designed operating system like Windows 10 was (at launch). At first, all this seemed indeed worth the price. (Or enough to keep me from taking the privacy issues seriously.) But when these corporations (and government) over and over brazenly demonstrated just how much contempt they have for our information privacy and security, not to mention free speech rights, the bloom was off the rose. Something snapped, and I'm never going back to them.

Privacy matters. A lot. Facebook? Don't need it. I'll be switching back to good old-fashioned email groups soon. Twitter? OK, I might keep it around strictly for advertising purposes, but don't expect much in the way of personal sharing. Google Search? Meh, DuckDuckGo has come a long way and is as good as Google for most (still not all) purposes. Google Chrome is simply not better than privacy-respecting browsers like Brave (my preference) and Firefox. I'll be moving my data to a more secure solution than traditional cloud storage soon.

A few days ago, as I worked through my to do list, I finally decided it was time to ditch Windows and switch to Linux. I still have Windows available for things like Camtasia Studio (video production), but I really don't need it for most purposes.

The switch

There are five basic steps to the process of adding Linux to your Windows or Mac machine:

  1. Pick a distro.
  2. Put the distro on a thumb drive or DVD so you can boot to it from there.
  3. Create a partition big enough for the Linux distro.
  4. Install the Linux distro in the partition.
  5. Configure Linux so you can use it on a daily basis.

I won't explain how to do these things (there are lots of tutorials already available, like this), but here are a few notes. And for the non-techies out there who have bravely read this far, let me tell you: the hardest part of using Linux is installing it. Don't feel bad if you need to get help. Heck, I've installed it myself before my 12-year-old son was born, and I wasn't too proud to get a lot of help from him the second time around! If you don't have a family or friend who can help, and you have to pay a rent-a-geek, it'll be money well spent.

I discussed #1 above. Notes on #2 and #3: Creating a partition is a pretty simple process. But if you're going to use a Linux boot loader (i.e., the thing that tells your computer which operating system to load; I use Grub) then you'll first want to put Linux on a thumb drive, since it's typically quite small and easily fits, and boot to that. Then you'll probably use GParted (the Linux partition software) to actually do the partitioning. You'll want to make sure you actually know what you're doing (so, read up about potential pitfalls) before making any changes. It's also very important to make sure your must-have data is well backed up, because you might lose it. If you do it right, there's little chance you will; but there's always a chance. Also, make sure you allocate reasonable amounts of space to your respective partitions. You don't want to run out of space on either one.

As to #4, actually installing Linux, once the partition is ready, is the easy part. It takes a little while (i.e., waiting), then you set your time zone and a login (very important, as you'll use it a lot), then you're done!

The easiest part is #5, but you're not totally out of the woods yet. The Ubuntu Software app is like a free app store (it's not the only one, of course), and they've made it quite easy to install a lot of software. Especially if you're programming, though, you'll have to use the command line at least sometimes. The most important thing to remember here (and maybe for the whole process) is to do intelligent web searches for help whenever you need it.

There's nothing magical or particularly deep and difficult about any step of this process. It just requires a little bravery, lots of Internet searching, time, and patience, and you can definitely get it done. is it?

So far, I love using Linux (OS), Ubuntu (distro), Gnome (desktop environment) as my main workstation. I actually hate it when I have to boot up Windows. Not only does it feel clunkier (really) and more unnecessarily bloated, I can't stop thinking about how I don't know what data is being sent to Microsoft.

If you haven't tried Linux for a long time, let me tell you: it has changed a lot from the early days. It is not just more usable than it was, in some ways it is more usable than Windows or Mac, in my opinion, for day-to-day work. I mean, of course this applies if you can deal with a few technical challenges. But if you can, Linux is more usable not just because of the nicer UX available, but also because of how configurable Linux is. You can change almost anything on the system you want. You want a different look and feel? There are apps for that. You want a different sort of app store? There are alternatives. You want something simpler and leaner? Available. Something that looks and feels like Windows or Mac? Available, of course.

One big exception is in installing some technical software that, if you aren't a programmer, you probably won't need to install. If for whatever reason you want or need to start using the command line (for example, running Bash on a terminal like Gnome, as I said above), try this beautifully written tutorial. The command line isn't that difficult to learn, actually. The basics are rather simple once you get the hang of them.

Another big exception lies in the sometimes non-standard and quirky ways the software sometimes behaves. Again, this is much better than it was in days gone by, but quirkiness is still definitely a Linux thing. I guess I don't mind.

A final difficulty is that it has some occasional, and almost always very minor, operating system issues that simply would never crop up for Windows or Mac. This is probably one of the bigger problems and obstacles to wider adoption. I can give you an example from Ubuntu 18.04, which I installed: it has a "memory leak" problem that very slowly and progressively eats up your memory (over the course of days) until you have to reboot. This will be fixed in an update soon if it hasn't been already.

But enough of the negatives. One enormous positive that neither Windows or Mac is likely ever to be able to boast is that it's an operating system that respects your autonomy. You own your system, not Microsoft or Apple. You don't have to ask a giant corporation for permission to do anything. You don't have to worry about them invading your privacy, putting your data at risk of hacking, or censoring you. And you have all the tools you'll need to make the system just the way you like it. That might not sound like a big deal (and maybe it wouldn't be to you), but if you try it, you might find yourself delighted with all the options. I was.

In summary, here are the similarities and difference to a typical desktop (Windows and Mac--I have both) experience:

  • Browsing is exactly the same as in Windows (I use Brave).
  • My mail program is exactly the same (MailSpring).
  • Other apps, like Telegram, Slack, and more, are exactly the same.
  • My password manager is almost exactly the same (Enpass).
  • For the long tail of specialist software, most of it is free, and you don't have to worry nearly as much about downloading viruses. Linux is much harder to hack and hackers rarely try.
  • Finding and loading software is different. It's better in that most of the software is free and quite easy to find, and there's a lot more of it. It's worse, however, in that more technical software (at least, the stuff I use) requires comfort with the command line. This is a deal-breaker for some non-techies, I know. But I think most of the software non-techies use will be pretty easy to install. Ubuntu developers put a great deal of work into usability, and it shows.
  • A lot of the free/open source software for office work is "fine" but will strike experienced MS Office users as a little quirky and clunky in places. Office 360 doesn't run in some flavors of Linux except using Wine, which doesn't always work (my son uses Wine for some purposes). This is one reason I still have a Windows partition going.
  • Linux is generally lean and fast. Unless you install a particularly bloated distro, it's much faster than Windows or Mac on the same machine. This is a very nice benefit.
  • If you're a serious gamer, Linux won't satisfy you (yet).
  • It can be subject to weird but non-serious crashes and problems solved with updates.

Back in 2002 when I was using Linux the first time around, it wasn't really ready for prime time. But it is now. You kind of have to be able to search the Internet and read some technical help pages in order to learn how to use the thing, or get help from someone who can do this. It is, after all, another whole operating system. So, yes, there's still a learning curve. It's not a huge learning curve, though, and not nearly as big as it used to be.

Linux: it's not for just uber-geeks anymore. Admittedly, there is probably a minimum intelligence requirement. But in the not-too-distant future, we might well see a completely foolproof distro.

Why does information privacy matter, again?

It's not just because you are a criminal and the coppers might catch you. Or because you really, really hate big corporations who just want to sell you stuff more easily. Or because you're paranoid.

If that's as far as your thinking goes, when people start talking about "privacy" on the Internet, you really need to bone up on the subject.

You probably already knew that you don't have to be criminal, paranoid, or anti-capitalist to be very jealous of your Internet privacy rights. After all, plenty of law-abiding, merely sensibly cautious, capitalism-loving people are freaking out about the way FAANG (Facebook, Apple, Amazon, Netflix, Google) companies, and many more, are creepily tracking their every move. Then those same corporations are selling the information and making it available to governments (or, at least, not going out of their way to stop governments from getting it).

Are people right to freak out about these privacy violations?

Yes, they are, or so I will argue. The threats come under three heads: corporate, criminal, and government. And let's not forget that in the worst-case scenario, the three heads merge into one.

The corporate threat

Left unchecked, in ten years, some of the biggest, most influential corporations will know (or have ready access to) not just your name, email address, phone number, age, sex/gender, credit card numbers, family relationships, friends, mother's maiden name, first car, favorite food, various social media metrics, browsing history, purchase history, as well as a large collection of content authored and curated by you. That's already bad enough (for reasons I'll explain). But they might add to their dossiers on you such things as your social security number, credit score, criminal record, medical history, voting history, religion, political party, government benefits, and more.

But how? Well, you might have asked that about the first list twenty years ago. How indeed? They'll create must-have devices and services that become very popular. Everybody has to have the device, or the service. Then they'll talk a good game when it comes to your information privacy and security, but they'll get their hands on your medical history, your credit score, your government benefits--and that will be it.

Imagine, too, the possibilities that highly motivated project managers will dream up when they can mash up your growing dossier with data from facial recognition, AI/big data text analysis, and other new technologies.

In such a situation, what information isn't private?

"But I can make up my own mind about what to buy," you say.

Well. Top-flight marketing and product people are, naturally, very good at what they do. It's not an accident that, once everybody and his grandma got online, some of the wretched Mark Zuckerbergs of the world would stumble on some platform that would connect us by our personal relationships, not care one bit about privacy, and hire people who are and become very, very, very good at manipulating us in all sorts of ways. They'll keep us online, give us more reasons to share more information, watch ads, and yes, buy stuff.

But corporate control of your private life is much more insidious than that.

Do you feel quite yourself when you're reading and posting on Facebook and Twitter, shopping on Amazon, watching and commenting on YouTube and Netflix, etc.? I admit it: I don't. We become more irrational when we get on these social networks. Sure, we retain our free will. We can stop ourselves (but often won't). We are the authors of what we write (as influenced by our echo chambers), which reflects our real views (maybe). We could quit (fat chance).

We have become part of a machine, run by massively powerful corporations, with their clever executives at the levers. Only part of what is so offensive about this machine is that we are influenced to buy things we don't need. What about radicalization--being influenced to believe things we haven't thought sufficiently about? What about self-censorship, because the increasingly bold and shameless social media censors (no longer mere "moderators") increasingly require ideological purity? What about the failure to consider options (for shopping, entertainment, socialization, discussion, etc.) that are outside of our preferred, addictive networks?

More importantly perhaps than any of those, what about the opportunity cost of spending our lives coordinated by these networks, with less time for offline creativity, meaningful one-on-one interaction, exercise, focused hard work, self-awareness, and self-doubt?

The machine, in short, robs us of our autonomy. As soon as we started giving up every little bit of information that makes us unique individuals, we empowered executives and technologists to collectivize us. It is not too much of a stretch to call it the beginnings of an engine of totalitarianism.

The criminal threat: privacy means security

If you've never had your credit card charged for stuff you didn't buy, your phone hacked, precious files held hostage by ransomware, your computer made inoperable by a virus, or your identity stolen, then you might not care much about criminal hackers. Several of these things have happened to me, and since I started studying programming and information security, I've become increasingly aware of just how extensive the dangers are.

Here's the relevance to privacy: keeping your information private requires keeping it secure. Privacy and security go hand in hand. If your information isn't private, that means it's not secure, i.e., anybody can easily grab it. You have to think about security if you want to think about privacy.

So, even if you (wrongheadedly) trust the Internet giants not to abuse your information or rob you of your autonomy, you should still consider that you're trusting them with your information security. If a company has your credit card information, government ID number, medical history and health data, or candid opinions, you have to ask yourself: Am I really comfortable with these companies' confident guarantees that my information won't fall into the wrong hands?

If you are, you shouldn't be. Think of all the data hacking of systems that, you might have thought, were surely hacker-proof: giant retailers like Target, internet giants like Facebook, major political parties, and heck, the NSA itself (not just the hack by Snowden).

No, your credit card info is not guaranteed safe just because the corporation storing it makes billions a year.

If you want to keep your information safe from malevolent forces, you shouldn't trust big companies. There are all sorts of ways bad actors can get hold of your information for nefarious purposes. They don't even always have to hack it. Sometimes, they can just legally buy it, a problem that legislation can make better--or worse.

The government threat

Remember when Edward Snowden revealed that the NSA has a (once) secret spy program that actually empowers it to monitor all telephone calls, emails, browser and search histories, and social media use? Remember when we all were shocked to learn that Bush and Obama, Democrats and Republicans had together created a monster of a domestic surveillance program?

I do. I think about it fairly often, although one doesn't hear about it that much, and the programs Edward Snowden uncovered, like NSA's PRISM, have not been canceled. That means (a) everything you do and access online can be put in government hands, whenever they demand it, and (b) it's no more secure than the NSA's security.

Remember when everybody left social media in droves and started locking down their Internet use, because otherwise the NSA would have easy access to their every move?

No, I don't remember that either, because it didn't happen. Nor, sadly, was there a popular revolt to get these programs repealed. I think many of us couldn't really believe it was happening; it just didn't seem real, it seemed to be about terrorists and spies and criminals, without any impact on us.

One thing that bothers me quite a bit is that pretty much the whole Democratic Party thinks Donald Trump is a crypto-Nazi and is one step from instituting fascism—but still, puzzlingly, nobody thinks to observe worriedly that he's in control of the NSA and can find trumped-up excuses to spy on us if he wishes. In other words, if Trump were a fascist and he did turn out to want to start the Fourth Reich here in the good ol' U.S. of A., it doesn't seem to bother many Democrats that Trump holds handy tools to do just that.

Meanwhile, Republicans often think the Democratic Party is beholden to social justice warriors that want to institute socialism, thought policing, censorship, and general totalitarianism. You know--fascism. But they, too, seem strangely uninterested to dismantle government programs that systematically monitor everyone.

Both sides think the other side is just desperate to lord it over us, the innocent, good salt of the earth. But nobody seems to care that the very tools that make a police state worse than 1984 possible are already in place. And they're only too happy to keep building and rewarding a corporate system that feeds directly into the NSA.

Government surveillance isn't that bad! Fascism will never happen here! We can keep putting our entire lives in the hands of giant corporations! So say the people whose direst fear is that the other side will consolidate even more power and start executing their secret desires to institute fascist control.

What to do

But it can happen here. That's why we need to start demanding more privacy from government.

If you're really worried about fascism, then let's defang the monster. Complain more about government programs that systematically violate your privacy rights. After all, knowledge is power, so NSA's PRISM program, and similar surveillance programs in other countries, is really just an undemocratic power grab. With enough of a public uproar, Democrats and Republicans really could get together over what should be a bipartisan concern: shutting down these enormously powerful, secretive government programs.

In the meantime, we need to wake up about our personal privacy.

Look--everything you do online has multiple points of insecurity. If you can see that now, then what's your response? Hope for the best? Throw your hands up in despair? Do nothing? Figure that decent people will eventually "do something" about the problem for you?

Don't count on it. If you aren't ready to start acting on your own behalf, why think your neighbor or your representative will?

Stop giving boatloads of information to giant corporations, especially ones who think you are the product, and contribute to the market for genuinely privacy-respecting products and services. If you don't, you're opening up that information to hackers who will exploit those points of security, and making it easier for governments everywhere to control their people.

Do your personal, familial, and civic duty and start locking down your cyber-life. I am. It'll take some time. But I think it's worth it and, soon, I'll be finished getting everything set up.

What if you and all your family and friends did this? If there were a groundswell of demand for privacy, we might create tools, practices, education, and economies that support privacy properly.

Think of it as cyber-hygiene. You need to wash your data regularly. It's time to learn. Our swinish data habits are really starting to stink the place up, and it's making the executives, criminals, and tyrants think they can rule the sty.

"OK," you say, "I'm convinced. I guess I should start caring about privacy. But really, how deep do I need to go into this privacy stuff, anyway? Well, I've answered that one, too."

Part of a series on how I'm locking down my cyber-life.

Stop giving your information away carelessly!

27 tips for improving your cyber-hygiene

Who is most responsible for your online privacy being violated?

You are.

Privacy is one of the biggest concerns in tech news recently. The importance of personal privacy is something everybody seems to be able to agree on. But if you're concerned about privacy, then you need stop giving your information away willy-nilly. Because you probably are.

Well, maybe you are. See how many of the following best practices you already follow.

  1. Passwords. Install and learn how to use a password manager on all your devices. There are many fine ones on the market.
  2. Let your password manager generate your passwords for you. You never even need to know what your passwords are, once you've got the password managers set up.
  3. Make sure you make a secure password for the password manager!
  4. Stop letting your browser save passwords. Your password manager handles that.
  5. If ever you have reason to send a password to another person online, break it into two or more files (texts, emails, whatever) in different media, then totally delete those files. Also, some password managers help with this.
  6. Credit cards and other personal info. Stop letting your browser save your credit cards. Your password manager handles that.
  7. Stop letting web vendors save your credit card info on their servers, unless absolutely necessary (e.g., for subscriptions). Again, your password manager handles that. Maybe you should go delete them now. I'll wait.
  8. If you give your credit card info out online, always check that the website has the "lock" next to its address on the address bar. That means it uses the https protocol (i.e., uses encryption).
  9. Stop answering "additional security" questions with correct answers, especially correct answers that hackers might discover with research. Treat the answer fields as passwords, and record them in your password manager.
  10. Stop filling out the "optional" information on account registration forms. Give away only the required information.
  11. Americans, for chrissakes stop giving out your social security number and allowing others to use it as an ID, unless absolutely required.
  12. Stop giving your email address out when doing face-to-face purchases. Those companies don't actually need it.
  13. Stop trusting the Internet giants with your data. Consider moving away from Gmail. Google has admitted it reads your mail—all the better to market to you, my dear. Gmail isn't all that, really.
  14. Maintain your own calendar. When meeting, let others add your name, but don't let them add your email address, if you have a choice.
  15. Maintain your own contacts. No need to let one of the Internet giants take control of that for you. It's not that hard. Then have them delete their copies.
  16. If you're an Apple person, stop using iCloud to sync your devices. Use wi-fi instead.
  17. Browser and search engine hygiene. Use a privacy-respecting browser, such as Brave or Firefox. (This will stop your browsing activity from being needlessly shared with Google or Microsoft.)
  18. If you must use a browser without built-in tracking protection (like Chrome), then use a tracker-blocking extension (like Privacy Badger).
  19. Use a privacy-respecting search engine, such as DuckDuckGo or Qwant. (Ditto.)
  20. Social media, if you must. On social media, start learning and taking the privacy settings more seriously. There are many options that allow you to lock down your data to some degree.
  21. Make posts "private" on Facebook, especially if they have any personal details. If you didn't know the difference between "private" and "public" posts, learn this. And a friend says: "Stop playing Facebook quizzes."
  22. Stop digitally labeling your photos and other social posts with time and location. Make sure that data is removed before you post.
    (Putting it in the text description is better.)
  23. For crying out loud, stop posting totally public pictures of your vacation while you are vacation. Those pictures are very interesting to burglars. Wait until you get home, at least.
  24. Sorry, but stop sharing pictures of your children on social. (This is just my opinion. I know you might differ. But it makes me nervous.)
  25. Consider quitting social media altogether. Their business models are extremely hostile to privacy. You (and your private info) are the product, after all.
  26. A couple of obvious(?) last items. Make sure you're using a firewall and some sort of anti-virus software.
  27. Don't be the idiot who opens email attachments from strangers.

How many did you answer "I do that!" to? I scored 22, to be totally honest, but it'll be up to 27 soon. Answer below. Well, answer only if you have a high score, or if you use a pseudonym. I don't want hackers to know who they can hit up for an easy win!

Kick the tech giants out of your life

If you're like me, you feel a need to need to kick the tech giants out of your life. But how? Well, nobody said it would be easy, but I'm actually doing it!

Stop using Google Chrome. Google is contemptuous of your privacy and of free speech. I recommend Brave.

Stop using Google Search. And it tracks you after you search. I recommend DuckDuckGo, with results just as good as Google's 90+% of the time, in my experience.

Stop using Gmail. Look. Gmail is way overrated. And there are many, many other options out there which do not read your mail and extract marketable data.

Stop using Google Contacts and iCloud. Start managing your own contacts and data. There are lots of great tools to do this; it's not that hard.

Shields up on all the tech giants' websites and devices. Dive in to the innards of your settings (or options)—not just a few, all of them, because they like to hide things—and set your privacy settings to max.

Maybe quit social media. Facebook, Twitter, YouTube, and others have becoming increasingly censorious and contemptuous of your privacy. Make them less relevant by spending more time elsewhere, if you can't just quit for good.

Use a password manager. Stop letting your browser track your passwords.

And then, if you want to get serious:

Start learning Linux... Microsoft's problems with privacy and security are famous. Apple has its own too. Well, there are these things called "virtual machines" which make it easy (and free) to install and play with your very own Linux installation. Try it!

...then switch to Linux. If you know how to use Linux, why not make the switch to something more permanent? You can always dual-boot.

How I locked down my passwords

If you’re one of those people who uses the same password for everything, especially if it’s a simple password, you’re a fool and you need to stop. But if you’re going to maintain a zillion different passwords for a zillion different sites, how? Password management software. I’ve been using the free, open source KeePass, which is secure and it works, but it doesn’t integrate well with browsers, or let me save my password date securely in the cloud (or maybe better, on the blockchain). So I’m going to get a better password manager and set it up on all my devices. This is an essential to locking down my cyber-life. One of the ways Facebook, LinkedIn, et al. insinuate themselves in our cyber-lives is by giving us an easy way to log in to other sites. But that makes it easier for them to track us everywhere. Well, if you install a decent password manager, then you don’t have to depend on social login services. Just skip them and use the omnipresent “log in with email” option every time. Your password manager will make it even easier than social login systems did.

You need a password manager

Password management software securely holds your passwords and brings them out, also securely, when you're logging in to websites in your desktop and handheld browsers. Decent browsers (like Brave) make your passwords available for the same purposes, if you let them, but there are strong reasons you shouldn't rely on your browser to act as a password manager.

Instead, for many years I've been using KeyPass, a free (open source) password manager that's been around for quite a while. The problem with KeyPass, as with a lot of open source software, is that it's a bit clunky. I never did get it to play nicely with browsers, and your passwords are saved in a file on your computer and/or in the cloud. If you lose the file, you lose your passwords.

Password managers do, of course, automatically generate passwords and save them securely. They can also (but not all do) store your password database securely in the cloud, so you don't have to worry about losing it (you can export a copy if you like). You can use it on all your devices with equal ease. They'll let you log in with a fingerprint on your phone.

A very nice feature is that they'll securely store payment information, so your browser, websites, and operating system don't have to hold that information. That means you don't have to trust them to manage this information properly. You only need to trust the password manager...

But can you trust password managers?

"Ah," you say, "but can you trust password managers?" That's not a bad or naive question at all; it's an excellent question. Consumer Reports, of all things, weighs in:

By default, LastPass, 1Password, and Dashlane store your password vault on their servers, allowing you to easily sync your data across devices. As a second benefit, if your computer crashes you won’t lose your vault.

But some people just really hate the idea of storing all their passwords on one site in the cloud—no matter what the company promises about its security measures, there's probably a bulls-eye painted on its encrypted back. If that sounds like you, it's possible to store your passwords locally.

Dashlane lets you do this by disabling the “Sync” feature in Preferences. This will delete your vault and its contents from the company’s servers. Of course, any further changes you make to your vault on your computer won’t show up on your other devices.

So what's my take? There are layers upon layers of security protecting your password repository, not least of which is the (hopefully well-chosen) master password to your password database. While you do have to choose the professionalism and honesty of a cloud-based password manager, I think that's their business, so I'm inclined to trust them. But, but!

I ask myself: what is more likely, that they become compromised (for whatever reason—let your imagination run wild) or instead that I lose my master password or all copies of my password database or somehow allow myself to be hacked? I think both are fairly unlikely, first of all. I am certainly inclined to distrust myself, especially over the long haul. And frankly, the idea that a security business is compromised seems unlikely, since security is their business. But could a password manager server be hacked? That is, again, a really good question, and you wouldn't be the first to ask it. Password manager company OneLogin was actually hacked, and the hackers could actually "decrypt encrypted data," the company said. Holy crap!

Also, which is most disastrous? Losing my password file would not be a disaster; I can easily generate new passwords; that's just a pain, not a disaster. But a hacker getting hold of my passwords in the cloud (no matter how unlikely)? That could be pretty damn bad.

After all, especially as password manager companies grow in size (as successful companies are wont to do), they naturally can be expected to become a honeypot for hackers. Another example of a hacked password management company was LastPass, which was hacked in 2015, although without exposing their users' passwords.

If you're like me, you have libertarian concerns about having to trust external entities (and especially, giant corporations) with your entire digital lives. You might also not want to trust (future?) dangerous governments with the power to force those corporations to give access to your entire digital life, then we're no longer talking about anti-crime cybersecurity. Then it looks like you shouldn'tsensibly put your password files in a corporate-managed cloud. Then you're having to trust people a little too much for my comfort. So you should manage their location yourself.

Then there are two further problems. First, can you be sure that it is impossible for anyone at the password management software company to crack your password database, even if you host it yourself? (Do they have a copy? Can they get access to a copy? If they have access, are there any back doors?)

Second, there's the practical issue: Without the cloud, how do you sync your passwords between all your devices? That feature is the main advantage of hosting your passwords in the cloud. So how can you do it automatically, quickly, and easily?

What self-hosted password manager is really secure?

Several password managers use the cloud, but what is stored in the cloud is only the encrypted data. All the login and decryption happens on your local device. This is called zero-knowledge security, and it might be a suitable compromise for many. I have one main issue with this: Especially if the software is proprietary, we must simply trust the company that that is, in fact, how it works. But that's a lot to ask. So I'll pass on these. I'll manage the hosting of my own passwords, thanks very much.

Here are my notes on various password managers:

  1. These all feature zero-knowledge security but seem not to allow the user to turn off cloud sync (maybe they do, I just couldn't find evidence that they do): 1Password, Keeper Password Manager, LastPass, LogMeOnce, Password Boss, Zoho Vault.
  2. Sticky Password Premium: Allows home wifi sync of passwords, which is just fine. Fills out forms, works on all your devices...except Linux devices. Linux does not seem to be supported. Next!
  3. RoboForm: Doesn't have a sync feature without using their cloud service, but hey! It has a Linux version! Might work on Brave, since Brave is built on Chromium and there is a Chrome extension. This was enough for me to install it (and it worked!), but it seems to be rather clunky and there were a few different things that didn't inspire confidence.
  4. Dashlane: This has zero-knowledge security, which isn't a bad thing, but in addition, it allows you disable sync. Whenever you turn it off, the password data is wiped from their servers (so they say). You can turn it on again and sync your devices, then turn it off again. This is within my tolerance. Also, Dashlane has a Linux version. In other respects, Dashlane seems very good. I installed it and input a password. The UX is very inviting—even the Linux version. It's expensive, though: it's a subscription, and it's $40 for the first year (if you use an affiliate link, I guess), and $60 if you buy it direct, which I'm guessing will be the yearly price going forward. That's pretty steep for a password manager.
  5. EnPass: Here's something unusual—a password manager that goes out of its way to support all platforms, including Linux and even Chromebook (not that I'd ever own one of those). Rather than an expensive subscription, like Dashlane, EnPass's desktop app is free, while the mobile version costs $10, and that's a one-time fee. They don't store passwords in the cloud; passwords are stored locally, but EnPass has some built-in ways to sync the passwords (including by wi-fi, like Sticky Password). The autofill apparently doesn't work too well, while more expensive options like Dashlane do this well, and lacks two-factor authentication, which would be nice, and other "luxury" features.

Installation and next steps

Dear reader, I went with EnPass.

So how did I get started? Well, the to do list was fairly substantial. I...

  1. Made a new master password. I read up on the strategy for making a password that is both strong, easy to remember, and easy to type. I ended up inventing my own strategy. (Do that! Be creative!) So my master password ended up being a bit of a compromise. While it's very strong, it's a bit of a pain to type; but it's pretty easy to remember. Whatever master password you chose, just make sure you don't forget it, or you'll lose access to your password database.
  2. Installed EnPass on Windows and Linux and tested it to see if it worked well in both. It does (so far).
  3. Used EnPass to sync the two installations using a cloud service. (I'll be replacing this with Resilio Sync soon enough, so it'll be 100% cloudless.) I confirmed that if I change a password in one, it is synced in the other.
  4. Imported all my Keepass passwords, then tested a bit more on both platforms to make sure nothing surprising is happening. So far, so good. My only misgiving about EnPass so far is that there doesn't seem to be a keyboard shortcut to automatically choose the login info. I actually have to double-click on the item I want, apparently.
  5. Deleted all passwords from all browsers, and ensure that the browser doesn't offer to save new passwords. Let the password manager handle that from now on. (No need for the redundancy; that's a bit of extra and unnecessary risk.)
  6. Installed on my cell phone, synced (without issue), and tested. (Annoyingly, the Enpass iOS app doesn't do autofill, but I gather that's in the plans.)
  7. Installed app and browser plugin on my (Mac) laptop. No issues there either.
  8. Deleted Keepass data in all locations. That's now redundant and a needless risk as well.

I'm now enjoying the new, secure, and easy access to my passwords on all my devices. I'm also happy to be free of browser password managers.

This was installment four in my series on how I'm locking down my cyber-life.