My Quixotic Quest for Digital Security

It’s no secret the internet has gotten a lot scarier in recent years. When crime in your area goes up noticeably, it’s rational to invest in a new security system. So why not do the same with our digital lives? This impulse began my attempts at hardening my digital security.

The first step I took back in 2018 was to transition away from Gmail toward a private, end-to-end encrypted email solution at Protonmail. I also decided to buy their bundled VPN service and began using it constantly on all of my devices. The ProtonVPN app is decent enough 99% of the time, but it has a lot of problems, mainly when it has to reconnect. This is an especially salient problem for mobile devices, which are constantly connecting and unconnecting to different WiFi networks or falling back to 4G as you move them around. But even for home WiFi connections, the ProtonVPN app is just not that great, even though some major stability improvements have been made in the last few years like the ‘kill switch’ feature that terminates your connection if the VPN disconnects – which is unfortunately common.

This led me to seek out a custom firewall for my home network that could route all my home network traffic through the VPN. I landed on pfSense, a FreeBSD based OS for firewalls. It purports to offer “enterprise”-grade security. Now the question of what to run it on. A blog I follow recommended a little firewall device from Protectli would be more than sufficient for a home network.

I picked out my Protectli device for about $300 and began setting it up. I managed to get pfSense installed and seeing some packets come through the firewall. I then installed an OpenVPN client with my ProtonVPN credentials and verified everything was getting routed through the VPN tunnel. Looking good so far! I then went out and bought a new WiFi router to put behind the firewall (replacing my ISPs router, lord knows what what thing’s running) and voilá – I now had my own secured home network with no need to run the ProtonVPN app on my device. Everything behind that network would be VPN’d to another IP, and the WiFi router itself was protected by pfSense running on the firewall.

All was well and good until I had to restart the firewall. I was moving some equipment around my living room and had to unplug it. When I started it up again, I couldn’t get it to route traffic through the firewall, even after making a fresh pfSense install!

Right now I’m stuck trying to figure out this issue. I don’t know if it’s a hardware failure or some issue with how I’ve got it setup. The Protectli guys have been nice in communicating via email to see if we can figure out the problem. For now I’m going to have to keep the dream alive in my heart.

Visa To Acquire Plaid

If you use any third-party finance tools (such as Mint, Personal Capital, You Need A Budget, etc.), the tool very likely uses Plaid. Plaid is an API service for securely accessing bank transactions, balances, and so on. It does so by using token authentication to your bank(s). This data then passes through Plaid’s systems decrypted, so if you use these tools, Plaid knows every financial transaction across all of your connected accounts, including balances. The app developers (such as Intuit, who also owns TurboTax and Quicken) also have a copy of this data.

Visa now wants to buy Plaid. This will grant Visa visibility into every transaction you make, across every connected account.

Why is this data valuable to them? It can be used to assess credit-worthiness for Visa’s own products. Furthermore, Visa already has loads of data on consumers since so many of us have Visa cards. Every transaction that goes through Visa’s systems is recorded and part of your permanent record. Adding Plaid will only enhance their data set. That data set can then be repackaged and sold to marketing firms, advertisers, and law enforcement.

The only way to opt-out of this system is to a) abstain from using tools like Mint which use Plaid to access your financial data, and b) use cash where possible.

Covid-19 is now being used to promote a cashless society. I’ve already had several businesses tell me they “strongly prefer” I pay electronically. Today businesses are still legally required to accept cash, but that could change.

Unless you can pay with cash, there is no way to opt of out this system wherein your financial transactions are being recorded, packaged, and sold. We should expect to see more mergers of this sort in the future.

I use Mint myself, but I am looking to transition to an open source solution in the future. Unfortunately, all of the ones I have seen require Plaid accounts. It may not currently be possible to recreate the software features of Mint without running afoul of the surveillance system.


Why You Should Not Have A Public Profile Photo

As of this writing, there are zero available public photos of me. You cannot google my name and come up with an accurate image of my likeness. The only ones that appear are not of me. You might instead find a Hong Kong investor, for example, or any of several others around the world who happen to share my name. None of them look anything like me, nor are they related to me in any way.

I am quite gloatingly proud of this fact. Being unknowable in the information age is difficult, and it took some work to achieve my status as the invisible man.

Why in the era of social media am I so protective of my visage? In 2020 it is common to meticulously document your life on platforms like Instagram and Tik-Tok. I used to have accounts on some of these platforms, but no longer. I am blissfully invisible to the internet, and I love it. It is all part of my privacy philosophy.

My philosophy is this: I want to have as much control over my public information as possible. I am aware that every bit of information about me is a potential tool for someone to do me harm, and the single most dangerous bit of information is my location and what I look like.

As a basic first requirements for privacy, you never want to make the following information public*:

  • Your home address.
  • Your likeness.

With these two pieces of information, anyone in the world can find you, stalk you, and do whatever they’d like to you. So called “people search” sites scrape public records such as voter registrations to compile databases of addresses, so it is often trivial to find the home address of anyone you want, even celebrities and politicians. I have gone to great lengths to remove my information from these sites.

It may seem paranoid to worry about this – after all, I’m a law abiding citizen, aren’t I? – but sadly this is a very real threat in today’s fracturing society. Online bullying and harassment are increasingly common. We must take a defensive stance.

That said, there are some downsides to being unfindable online. Namely, you may end up looking more suspicious for your lack of public information. It’s become common for someone to “stalk” a date or a job applicant before meeting them in person, and if nothing turns up on that search, it may well be assumed that you’re not a real person, or even that you’re hiding something. In fact, this problem is the very reason I originally created this website – to prove my existence in the absence of any other digital presence.

I feel much safer knowing that someone I do not know cannot locate me. And with my own personal site, I can control what information is available about me, showcase my professional accomplishments, some of my interests, and also control the context in which it appears.

*: The only people I would exempt from this rule are those whose profession requires them to be in the public eye. Public speakers or C-suite business leaders, for example, can’t very well hide their likeness from search engines, since they are likely to appear blurbed in articles or prominently displayed on a corporate website. Until I decide to run for office or take a CTO job, I’ll happily remain faceless.

Want a decentralized web? Start a blog

There is a lot of talk about the decentralized web now. I’m very interested to see where IPFS takes us, and I’m even working on my own little IPFS backed project in my spare time.

So what is decentralization? It’s a fancy way of talking about peer-to-peer networks. P2P (a common shortening of “peer-to-peer”) represents the potential future of a distributed, decentralized internet.

But to understand the difference between that and the “normal” internet, you have to understand a bit about networking. When I load up Facebook’s homepage, I am essentially plugging into Facebook’s servers via my browser software. These are thousands upon thousands of computer wired together in a data center somewhere. When you enter your profile information, or post a snarky quip, it gets stored on Facebook’s servers. And Facebook owns that information. They can harvest your data however they want, with some limits in Europe thanks to GDPR and the soon-to-come CCPA in California. Unless you’re in one of those jurisdiction, your data is owned by Facebook. And Facebook can profit from it however they choose.

If you were to upload the same data to IPFS, the situation would be different. IPFS stores data across multiple computers around the world called peers. Unfortunately, to access something like a whole webpage in such a system can be slow, because we have to stick together data from across the network. It’s not all within a single data center controlled by one company. IPFS also uses something called a block chain to keep tabs on that data, making it tricky to “search” for your data unless you know its precise location in this vast network.

If you are at all politically minded, you can see why the decentralized model is getting so much traction in certain circles. It offers an alternative to the world that emerged in the last 2000s where a handful of private entities control vast swaths of the world’s data.

Eventually, so the theory goes, people would come up with a decentralized version of sites like Facebook. It would be powered by something like IPFS. In fact, Diaspora (which predates IPFS by quite a lot) and Mastodon have achieved exactly this.

That said, technology like IPFS has a few glaring practical challenges. For one thing, storing all of that data will take up a ton of space and processing power. Ordinary citizens would have to decide to host an IPFS instance (called a node), pay the electric bill, keep a high speed internet connection running to it, and so on. Some probably would do so out of passion for the project. But it’s almost inevitable that eventually IPFS nodes will be largely running on Amazon or Google hosted cloud servers. Perhaps even one of these big companies would offer “free” IPFS hosting in exchange for an opportunity to packet-sniff everything coming in and out. So the big companies might end up effectively re-centralizing this system in practice if not in principle. Sure, the block chain* aspect prevents tampering with the actual data, but it does kind of beg the question of why we are running this complex peer-to-peer system if it tends to become centralized anyway.

So what is a boy to do? I am a fan of simple solutions. And IPFS, though intriguing, is far from simple. A simple solution for owning your own information online?

Host a blog.

At this blog, I have an opportunity to present myself to the world exactly as I choose. I run WordPress and manage it myself. WordPress isn’t trying to monetize my content or manipulate my audience with algorithms to increase conversion rate on ads. I can post my own profile online here with as much or as little information about me as I want to share with the world.

If you want to see the internet do better than Facebook and Twitter, give blogging a try! All you need is an AWS account, a little bit of technical know-how, and something you want to say.

*I hope to write a more thorough article about blockchain at a later date. It’s a complicated enough idea to warrant its own article.

The risks and rewards of public blogging

I have had an internal debate about whether or not to have a public blog. I enjoyed writing in blogs since long before Facebook and Twitter came to replace them. I enjoy having the space to express myself and share some of my interests in a way that is discoverable for others who may be interested in what I have to say. To me this has always been the magic of the internet.

In the early days, blogs had the flavor of a missive. Each post was a well-considered personal essay on a subject of the author’s interest. Microblogging changed that culture by introducing the short-form post which encouraged quips, jabs, and memes. With only 140 characters, there are severe limitations on discourse. And so today platforms like Twitter have become battlegrounds of thoughtless name calling, self promotion, and knee-jerk politics. Journalists and activists are harassed from one extreme or another. Online armies of deranged Twitter users swarm to defend perceived slights against celebrities. William Gibson himself could not have predicted our dystopian present.

Therein lies the biggest benefit of public blogging. I can control the context in which my writing is interpreted, preventing unwanted context collapse. I know that my writing will be read only on this website. It won’t be shared and pass around on Facebook or Twitter. I can write as pithily or as long-winded as I need to, depending on what subject I’m covering. And I can include all the details needed to make myself understood.

Ideas require nuance, and some things are worth saying publicly. Nuanced subjects require a nuanced approach. And nuance just does not work in a micro-blogging format. It does not work as a Facebook post. Ideas are better expressed in person, but if that is not possible, then in long-form prose.

So I will continue to write here. I will document some of my thoughts about my various interests with the hopes that somebody will find them useful or enlightening.