A VPN is a service that creates an encrypted tunnel between your device and the provider's server, protecting all your traffic from prying eyes along the way like your ISP or whoever owns the router (think public Wi-Fi, for example). After reaching the provider's server, your traffic continues on to your desired destination like normal. Mullvad is one such service, very popular in the privacy community for their low price, lack of required data at signup, and other privacy-first policies which will be discussed in this review.
You may not, to be honest. I recommend you check out IVPN's page “Do I Need a VPN?” here. A lot of people really hype VPNs as one of those absolute, must-have, life-changing things that will solve all your problems. In all honesty, while I do believe that VPNs are an essential piece of your privacy strategy, there are many other free or low-cost strategies that will give you significantly more protection. A VPN these days pretty much only has two purposes: changing your IP address and protecting your traffic from local snoops. Changing your IP address is a valuable part of avoiding tracking, but it’s just one way, and a VPN won’t protect you against the others like browser fingerprinting, tracking pixels, cookies, and more. Likewise, while it can be great to protect your traffic from your Internet Service Provider or a local cybercriminal, from a security perspective you’re already pretty well covered so long as you enable your browser’s HTTPS-Only mode and make sure you’re using the correct sites and not spoofed or phishing sites. Having said all that, I do still consider a VPN to be a critical part of your privacy and security posture if you can afford one. It can bypass censorship, stop your ISP from selling your browsing data, help obscure your IP address from tracking and logging, and protect your traffic from local attackers.
Some people prefer Tor over VPNs. I am an ardent fan and supporter of Tor. Tor is definitely right in certain situations, but not all of them. For one, many essential services – like banks – block known Tor IP addresses to prevent fraud and abuse, making using those services nearly impossible. Second, Tor loses almost – if not – all of its anonymity once you log in to something. If you log in to your email and then your Reddit account in the same session, they’re now tied together and you’ve lost your anonymity benefit. For this reason, I recommend reputable VPNs for any services that are tied to your real identity (or that block Tor) and Tor for random searches, accounts that are not tied to your real identity, or pretty much anything else.
Mullvad has long had a lot of things to like about them, but this year they added even more. Let’s start from the beginning as if you were signing up for the first time: they require absolutely no identifying information to sign up. You are assigned a randomly-generated account number, you add however many months you want to your account, and you download the app for the device you wish to protect. That simple. When it comes to buying time, you can pay with several privacy-respecting options like Monero, privacy.com cards, or even cash, as well as Bitcoin, PayPal, and bank wire; the options are immense.
There are a couple of updates regarding this that are both good and bad. Mullvad no longer offers recurring subscriptions or refunds on cryptocurrency. You’ll have to top up your account every time it runs low. They’ve done this in an effort to avoid storing any unnecessary customer information. I’ll talk about this again in the “Bad” section, but for now the motives are – in my opinion – good, and this will come into play later in this section.
The price is probably the most popular selling point for many people (tied with or second only to the privacy record which I’ll get to). Most VPN providers offer tiers that give you different features for different prices – access to more servers, better speeds, or things like P2P servers for using Bittorrent and other services, for example. Mullvad doesn't do this. They offer only a single plan at a (in my opinion) very reasonable €5/month. Most people reading this have €5/month to burn, and the fact that Mullvad is committed to offering a full-service VPN at a consistent price point is admirable. They never do sales and they don't do any kind of advertising or affiliate programs. Five Euros, no matter what. I admire that level of consistency.
Mullvad is based in Sweden. In the past I’ve put a small amount of weight into a service’s country of origin – and I still do, but even less than before. On the good side, Sweden has gone out of its way to build in strong consumer privacy laws. In addition to being accountable to the GDPR, Sweden has also determined that VPNs do not count as telecommunications providers and therefore are not subject to the usual wiretapping and surveillance laws and practices. Mullvad has an entire page here outlining all the various legal protections in place that make Sweden a good place for VPNs. In fact, we saw this come into play just a few short months ago as I write this: Mullvad was searched for the first time in their history. However, due to Swedish law and their practices (which I’ll discuss shortly), Mullvad had nothing to turn over and insists that any seizure of hardware or data would’ve been illegal.
Mullvad offers servers in 43 countries (up from last year’s 38), and (as far as I can tell) uses very strong, state-of-the-art security measures (see “The technical stuff” here). Finally, Mullvad has a long track record of being early adopters of strong privacy and security technology. They were among the first commercial VPNs to offer WireGuard – a new protocol that’s supposed to be faster, lighter, and potentially more secure – as well as quantum-resistant tunnels, RAM-only servers, and more. Things like this increase user security and stay a step ahead of emerging trends and possible threats. Personally this is perhaps my favorite thing about Mullvad. From an end-user perspective, I’d say Mullvad doesn’t offer anything unique or groundbreaking. Sure, the price is good, the features are competitive, and the apps are modern and functional, but it’s all the behind-the-scenes work that they do that really sets them apart.
Finally, I’d be remiss if I didn’t at least mention the Mullvad Browser. This isn’t strictly VPN-related, but it does show Mullvad’s continuing dedication to the privacy movement. The Mullvad Browser is basically “The Tor Browser without Tor” and is designed to be used with any VPN to create a pool of users who are hard to fingerprint and look the same. Both Techlore and I created our own videos on the browser which I think complement each other quite nicely and offer additional information for those who’d like to know more. It’s definitely become one of my daily browsers on Windows – and sometimes Linux when I remember to open it (my workflow can be a bit rigid sometimes). It’s a powerful offering available even for those who don’t use Mullvad. (It’s also worth mentioning that their DNS is available for free to the public, too. So even if you don’t use any VPN, you can still have access to a trustworthy, private DNS resolver.)
Truthfully there's not much bad to say about Mullvad, but there are a few things. For starters, as I mentioned above, some of their hardcore privacy measures have resulted in a slight hit to user-friendliness. “Slight” is the key word here. I don’t think it’s huge, but it’s definitely there. Their desire to stop storing user data, for example, means that I have to manually top up my account each year (or month or whatever). While that’s not the worst thing in the world, I personally very much prefer to “set and forget” my payment options rather than log in one day and go “oops, I’m out of time and need to top up.” To be fair, it does give you a warning, but I’m already in a position where I could easily miss that warning. (For those who care: I use Qubes, and using Mullvad on Qubes doesn’t require the app, meaning I could easily run out of time and never get a notification since Mullvad doesn’t have my email address.) This also extends to their money-back guarantee: it doesn’t apply to cryptocurrency since honoring it would require them to store data about what addresses sent them how much money. While I realize that the price point is extremely low and for most people would not really present a worthwhile loss if they were dissatisfied with the service, it still presents a point of friction for potential users who may be on the fence.
In the past I expressed concern about Mullvad being based in Sweden because Sweden is part of the 14-Eyes surveillance network. I’m still concerned by this, but not as much as I used to be. My original logic went like this: Sweden is part of the 14-Eyes intelligence sharing agreement. Even if they do have good privacy laws in place, they as a country have – by entering into that agreement – expressed a level of comfort with secret surveillance intelligence sharing at the expense of the right to privacy for their citizens. In my opinion, it's that tone that makes it a bad thing when a country is part of a surveillance agreement. I’m no longer as concerned by this, for several reasons. The main crux comes down to “is the service really prioritizing user privacy and security?” I trust that Mullvad wants to protect the privacy of their users, and I hope that if Sweden ever took a more invasive turn, Mullvad would respond accordingly. The choice to stay in Sweden at this time should not be a dealbreaker for those considering Mullvad, but it does mean you should be keeping up-to-date on current events. Though personally, I think that's true of any service.
Mullvad is a company that grows on me more and more with each passing year. Each year I see posts from them about the new ways they’re working hard to innovate on protecting user privacy, even in niche areas one normally wouldn’t think to consider (such as auditing their payment processes or their search engine). They really do set a high bar for the privacy community. If you're looking for a VPN – or browser or DNS – you'd be remiss not to consider Mullvad. They offer a 30-day money-back guarantee (crypto not included), so you've got nothing to lose, and I suspect you’ll likely be impressed.
You can learn more and sign up for Mullvad VPN here. No affiliate link available.
You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.
Buckle up. This is going to be a very long post.
In the past week, I’ve had a number of people ask me the same question: namely, what are my thoughts on privacy and banking (with some variation and additional expansions). This is a topic I’ve covered before; however, with so many asking about it, it’s clear that it wouldn’t hurt to bring some updated thoughts to the discussion. So without further ado, let’s talk about financial privacy.
Let’s start at the top: banks are not your friend. Period. There’s a reason “banker’s hours” just so happen to coincide with the traditional 9-5 working hours, making it nearly impossible to do any in-person errands involving financial institutions: you’re not their primary customer. Prior to World War II, banks didn’t even offer many services to the general public. Banks originally existed to serve other businesses. They just so happened to decide “hey, we can make more money if we offer services to individuals, too,” so they did. I was unable to find an exact breakdown of how much money banks make off businesses versus how much they make off individuals, but I’d be shocked if the numbers aren’t vastly skewed toward the businesses.
The problem is further exacerbated by the manipulative and hostile actions banks sometimes take toward individuals and organizations. In the previously-linked blog post, I talked about how American Express lowered one man’s credit limit because he shopped at Walmart and aggregated data showed that most people who shopped there had poor credit or payment histories. The UK uses financial data to penalize welfare recipients they feel are abusing the system, even for things as small as buying name-brand products instead of generic alternatives. And of course, in 2022 people who donated to truckers that were on strike to protest vaccine mandates found their donations blocked, while PornHub was blocked from receiving payments from Visa and Mastercard. These are just a few of the ways that financial institutions can wield control of our own money and weaponize it against those they wish. And of course I’d be remiss if I didn’t mention that banks frequently – almost universally – sell your transaction data to data brokers who use your shopping habits to build a better profile on you, your personality, habits, values, and more for a variety of reasons, usually advertising, but who’s to say that it can’t and doesn’t get abused for other purposes? (Spoiler alert: it does.)
With so much rampant data collection and abuse going on, you’d think that I’d be a staunch hater of banks. But you’d be wrong. Don’t misunderstand me: I’m not here singing the praises of JP Morgan or Bank of America. The modern financial system is absolutely riddled with problems from inequality to systemic oppression to the potential for – and actualization of – political oppression and more. I’m talking specifically about banks as a place to store and invest your earnings because in today’s modern era, you basically have three options there: store it in cash/gold, store it in crypto, or use a bank.
Storing your money in cash or gold is absolute lunacy. You see, here in America we have this absolutely wonderful (note my sarcasm) legal doctrine called “civil asset forfeiture.” This is basically where the government has the legal right to say “we want your thing, so it’s ours now.” On paper, one way it could work is like so: you sold a ton of meth and bought a Lamborghini. The cops arrested you, your meth, your meth-making equipment, and anything else meth-related, including said Lambo you bought with illegal meth money. The cops then auction said sweet ride and pocket the money to bust more meth dealers. On paper, that’s semi-reasonable (depending on who you ask). You used illegal money to buy stuff, and the cops confiscated that illegal money. It’s the same principle as getting part of the proceeds if someone plagiarizes your work and sells it as theirs. In practice, however, what happens is that the cops say “I think you obtained this thing – potentially including cash – illegally, therefore I’m going to take it. Fight me if you want it back.” This is not rare (nor limited to cops, for the record, but let’s focus on the cops for now). It’s not even uncommon. In 2014, police stole more money from innocent civilians than burglars did. And 2014 was not an anomaly. They’ve been stealing so much money consistently that in 2019 the US Supreme Court attempted to intervene. If you want to read about a specifically poignant case of this, click here to read about how combat veteran Stephan Lara got robbed of his life savings, $87,000 USD, leaving him stranded on the side of the road.
This may read as an anti-cop post, but that’s not my intent. My intent is to point out that you are gambling by carrying your money around in a tangible format like cash, gold, silver, etc. All it takes is one bad cop to find it for any reason and go “mine now” and now you have to burn thousands of dollars fighting the local police department to get it back. You can decide how likely you think that is, but personally I think you’d be insane to take that gamble regardless of how pro- or anti-police you may be. That doesn’t even account for things like natural disasters, robberies, etc.
Your next thought may be “okay, what about the crypto route?” I also find this to be mind-blowingly insane in all but the most extreme cases. As I write this blog post, the price of Bitcoin has fluctuated 3.23% in the last 24 hours. That may not sound like much, but consider that for Bitcoin, that’s an $857.78 difference. I make pretty good money, but that’s still nearly one-half to one-third of my paycheck (depending on how much overtime I’ve worked that pay period). Furthermore, consider that last year, Bitcoin went from nearly $32,000 to just under $16,000 in just a few months. In fact, it went from just over $31,000 to just over $15,700 in less than two weeks (June 8-19, 2022). Imagine if your bank account got cut in half in a single pay period. Couple this with the fact that most places just don’t accept cryptocurrency. Sure, some niche places do, probably enough of them in different markets for you to scrape by if you’re okay with only being able to buy from a handful of vendors for each area of your life, but even in my town – which is a very techy area – I’d be hard pressed to walk into any store and find vendors still accepting Bitcoin – or any cryptocurrency for that matter. Now, for the record, there are ways around this. You can use cryptocurrency to buy gift cards from sites like Coincards, for example, but that’s gonna get real old real quick, and it only works for the gift cards they support. It’s not sustainable (or available outside of the US, Canada, and UK).
Now before I defend banks, let me note that I’m not at all opposed to cash or cryptocurrency. I believe you should use both whenever possible. I use cash for my day-to-day in-person purchases like coffee, groceries, and gas. I’m trying to get better about using cryptocurrency – Monero being my choice – for services that offer it like IVPN or Tutanota. I’m also a huge fan of diversification. I personally don’t believe the dollar will ever go to zero – at least not in our lifetimes (yes, I know, I’m a moron who’s brainwashed by the WEF or whatever, save your emails) – but I’ve personally lived through prolonged power outages where the ATMs are down and cash is the only way to get through the week, and while I don’t think the dollar will become worthless I certainly know that recessions and depressions are things and that crypto could potentially be resilient in those situations. There are plenty of valid reasons to diversify your money. That said, I think going all-in on any one of these strategies is careless, paranoid, and gambling. You’re even more likely to lose all or significant amounts of your money by avoiding a bank. Here’s why:
Banks are FDIC insured up to $250,000 USD. That’s it. That’s really it. If my house catches on fire, all that money under my mattress is gone and I’m screwed (assuming a crooked cop didn’t confiscate it first after my New Year’s party got too rowdy and they got called). If Bitcoin halves in value overnight, I better be pretty rich to be able to take that kind of hit and still pay my rent (spoiler alert: I’m not. I’m still waiting to get my first $100 check from YouTube ads). Meanwhile, you know how much the dollar has changed in value over the last 14 years since Bitcoin was invented? Forty-one percent. Bitcoin, meanwhile, has fluctuated from 9 cents upon launch to a peak value of just shy of $69,000 in November of 2021. That’s 76,566.6%. And you may think “but that’s an increase in value, Nate!” Until it’s not. The current price of Bitcoin is just over $27,000 USD. Let’s call it $27,400 to be generous. That’s a 60% decrease in value. Bitcoin has fluctuated multiple times by as much as 5 figures in the same amount of time the USD has steadily moved only double digits. The US dollar may be losing value, but I’m willing to bet money that I’m never going to wake up and discover that my bank account lost half of its value overnight short of a total national collapse – which I won’t rule out, for the record, but at that point all personal finance advice goes out the window and I strongly suspect your Bitcoin will be just as useless as your Tesla. If you make so much money and have so much in savings that you can go all-in on crypto, you do you. But most people aren’t in that kind of position and I wouldn’t recommend it even if they were. Diversify, but don’t go all-in.
Now finally, you may be thinking “but banks need so much data about me!” Yup. You’re not wrong. They sure do. These are what’s known as “Know Your Customer” or “KYC” laws, and they are one method the government takes to attempt to fight financial fraud, requiring banks to verify your true identity with things like full real name, date of birth, social security number, and more. This is not the banks being data-hungry (necessarily), this is a law. Accusing the banks of just being after your data because of the law is like accusing someone of being a wussy driver because the speed limit is 25 mph. Being a privacy advocate, I’m not a fan of KYC laws. Perhaps they work. Perhaps they don’t. I don’t know and frankly I don’t care. While I’m certain that these measures do stop a considerable amount of crime, the potential for abuse – intentional or not – still exists and thus I’d prefer we found other ways to fight that crime. Unfortunately, however, there’s not much we can do here. We’ve already discussed the absurdity of keeping bucks, bullion, or blockchain. And if you find a bank that’s willing to eschew KYC laws, well, to be frank, I wouldn’t trust it. There’s something shady going on there and they’re most certainly not FDIC insured, meaning that if they run off with all your money you’re sort of screwed.
So all this to say that basically, like it or not, your best choice for storing your money in a format that’s stable and secure at this point in time is with a bank. Those of you preparing to send me a YouTube link from Davos can leave now, thank you. Feel free to come back and be smug when your predictions come true and I look like a jackass.
This leads us to the main question I’ve been getting lately and have actually gotten many times before: “how do I pick a bank?” You may not like my answer: pick the one with the best financial incentives for your lifestyle and goals.
You see, a lot of people in the privacy community have become convinced that banks must be both a privacy and security nightmare because of KYC laws and weak customer-facing security measures. You are both right and wrong. You’re right that banks are a privacy nightmare, not only because of KYC laws but because of their side hustle of selling your transaction data to various data brokers (more on that soon). But you’re wrong about security. The main assumption of banks as having poor security arises from their customer-facing policies: mainly the fact that most banks have poor two-factor authentication options and some even enforce maximum character limits for passwords. However, these points overlook other, more salient defenses. Consider the fact that banks aggressively rate limit sign-on attempts. In fact, you likely saw this when you first got into privacy: suddenly everyone and their mother was asking you to solve a CAPTCHA or do additional verification because suddenly you weren’t acting like you anymore. Banks are also pretty aggressive about demanding a second form of authentication when signing in from a new location, even if you don’t have 2FA enabled. And while SMS can be easily SIM-swapped, most banks offer verification via email, which is more secure and can be locked down with a hardware token or TOTP (plus most banks allow VoIP numbers, which are significantly harder to SIM-swap). To put it frankly, if a bank suffers a breach of your credentials, there are three possible outcomes: 1) the attacker may not have accessed the funds, as those would be on different servers, 2) the attacker did access funds, in which case your credentials mean nothing and your money is FDIC insured anyway, or 3) the attacker only accessed your credentials, but the bank has still placed a significant number of hurdles in the way of logging in with them.
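The post’s point that leaked credentials alone rarely get an attacker into a bank account is easier to see in code. The toy login service below is an added example written for this page, not code from the post or from any bank. It models the two server-side defenses the paragraph describes: a sliding-window rate limit on failed sign-on attempts, and a mandatory one-time second factor whenever the correct password arrives from a device the account has never used, whether or not the customer opted into 2FA. The account name, device ids, attempt limit, window length and code length are all constructed assumptions.

```python
"""Toy model of the login defenses described above (added example, not the
post's or any bank's code). Account name, device ids and the policy numbers
below are constructed for illustration."""
from collections import deque
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5        # failed attempts tolerated per window (assumed policy)
WINDOW_SECONDS = 600    # sliding-window length in seconds (assumed policy)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential database is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, name: str, password: str, known_devices=()):
        self.name = name
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.known_devices = set(known_devices)   # devices that finished step-up before
        self.failures = deque()                   # timestamps of recent failed attempts
        self.pending_step_up = {}                 # device_id -> one-time code awaiting entry


class LoginService:
    def __init__(self):
        self.accounts = {}

    def register(self, name, password, known_devices=()):
        self.accounts[name] = Account(name, password, known_devices)

    def _rate_limited(self, acct: Account, now: float) -> bool:
        # Forget failures that fell out of the window, then compare the count.
        while acct.failures and now - acct.failures[0] > WINDOW_SECONDS:
            acct.failures.popleft()
        return len(acct.failures) >= MAX_ATTEMPTS

    def login(self, name, password, device_id, now):
        acct = self.accounts.get(name)
        if acct is None:
            return "denied"            # unknown user gets the same answer as a bad password
        if self._rate_limited(acct, now):
            return "rate_limited"      # checked before the password: guessing is cut off
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures.append(now)
            return "denied"
        if device_id in acct.known_devices:
            return "ok"
        # Correct password from an unrecognised device: issue a one-time code that
        # would be delivered out of band (email, app, token) and demand it.
        acct.pending_step_up[device_id] = secrets.token_hex(3)
        return "step_up_required"

    def complete_step_up(self, name, device_id, code):
        acct = self.accounts[name]
        expected = acct.pending_step_up.get(device_id)
        if expected is None or not hmac.compare_digest(expected, code):
            return "denied"
        del acct.pending_step_up[device_id]
        acct.known_devices.add(device_id)   # device is trusted from now on
        return "ok"


def demo():
    """Run the scenarios the post describes and return each outcome by name."""
    svc = LoginService()
    svc.register("alice", "correct horse battery staple", known_devices={"laptop"})
    results = {}
    # Password guessing: five wrong guesses trip the limit, and even the real
    # password is then refused until the window has rolled past the failures.
    for i in range(MAX_ATTEMPTS):
        svc.login("alice", f"guess{i}", "laptop", now=1000 + i)
    results["real_pw_while_limited"] = svc.login("alice", "correct horse battery staple", "laptop", now=1010)
    results["real_pw_after_window"] = svc.login("alice", "correct horse battery staple", "laptop", now=1000 + WINDOW_SECONDS + 1)
    # Leaked password used from an unfamiliar device: step-up, not access.
    results["new_device"] = svc.login("alice", "correct horse battery staple", "cafe-pc", now=2000)
    results["wrong_code"] = svc.complete_step_up("alice", "cafe-pc", "000000")
    code = svc.accounts["alice"].pending_step_up["cafe-pc"]   # what the real user would receive
    results["right_code"] = svc.complete_step_up("alice", "cafe-pc", code)
    results["new_device_again"] = svc.login("alice", "correct horse battery staple", "cafe-pc", now=2100)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Two design choices carry the paragraph’s argument: the rate-limit check runs before the password check, so a correct guess arriving mid-lockout is still refused, and the step-up decision depends on the device rather than on whether the customer enabled 2FA, so a leaked password by itself yields only a prompt for a code the attacker does not have.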
But really, the big thing here is that banking regulations are expansive. Like, really really complicated and expansive. In the US, banking regulations are so complicated that it actually warrants having a full-time lawyer on staff just to figure out what the actual f*ck is going on and what rules you need to be following to be in compliance. The Wikipedia page about US banking regulations suggests three different pages of additional reading just on “consumer protection” alone, which includes electronic funds transfers. In other words: banks have high standards to meet. On Surveillance Report, we have a weekly section where we share all the data breaches we heard about that week, and we almost never have banks. We regularly have SaaS companies, tech startups, game companies, crypto exchanges and hot wallets, even dating and porn sites, but we almost never have banks. In all the years I’ve been talking about data breaches, I can probably count all the bank breaches on one hand. That’s not to say they never happen. They absolutely do. But they pale in comparison (frequency-wise) to companies like T-Mobile, which has had at least 5 major data breaches in 4 years (with allegations of hundreds of compromises per year), or Amazon’s AWS web-hosting service, which was responsible for so many exposed databases that I successfully turned it into a drinking game among listeners. Banks face so many regulations regarding consumer security and privacy – plus the incentive to not lose all their customers’ money lest the angry customer take their business elsewhere – that they actually manage to have a much higher standard of security than – by comparison – unregulated industries.
So let’s go back to the original question: “how should I pick a bank?” Well, privacy is clearly already a non-starter since any trustworthy institution will absolutely abide by KYC laws and verify your identity. And security is also a relatively pointless metric because the same organizations will be abiding by the extensive patchwork of regulations and working tirelessly to defend your funds. So how should you pick a bank? By picking the one that fits your financial needs and goals best (and ensuring that they are FDIC insured to be certain that you’re actually getting the benefits of everything I’ve talked about thus far). At the end of the day, basically all FDIC-insured institutions are essentially the same. So instead pick based on your needs and goals. Are you trying to retire at age 65? Then you should pick a bank that has great retirement accounts. Are you trying to save up for next year’s vacation? Then you should be looking into banks with high-interest savings accounts or that offer credit cards with travel bonus points or similar offerings.
Now, to quickly touch on it, there are some small variations out there. Bank of America, for example, allows the use of a 2FA hardware token for login. And generally speaking, larger banks will have more money to ensure they’re staying current with regulations, technology, and other defenses, while smaller banks will make for smaller targets because they have less money and fewer customers (in theory). But at the end of the day, I strongly believe these differences to be negligible for the end-user. Like them or not, trust them or not (and rest assured, despite all my glowing words here, I do not trust banks; I’m certain the CEO of JP Morgan would personally throw me into a meat grinder for a dollar), banks really aren’t a security nightmare waiting to happen, and as long as your institution of choice is FDIC insured (and you stay within the $250k limit) you’re safe in all but the most extreme of circumstances. Again, that doesn’t mean don’t diversify. That doesn’t mean don’t take precautions and have backup plans in place. But it does mean you shouldn’t run from banks like the plague. For better or worse, they’re probably your best bet.
Banks are still a privacy nightmare. They may be a secure place to store your money and prevent wild fluctuations in value or sudden loss from any number of factors, but they won’t hesitate to sneak something into the Terms of Service about how they can “share your data with trusted third parties,” aka “sell your transaction data to data brokers.” So while I strongly believe a bank is a great place to store the majority of your money – especially savings and investments – I don’t for a moment recommend it as a place to spend directly from. As noted in my blog post from 2021, I strongly believe that it’s only a matter of time before your spending habits start to directly impact your life (as they already have for the person who got their credit limit lowered for saving money). I think in the future we’ll see where you shop or what you buy affect your health insurance premiums or other related fields. Thus, my recommendations from that blog post still stand.
Generally speaking, conventional privacy wisdom says to pay for everything in cash where possible. Where not, pay with masked payment options such as prepaid gift cards or virtual credit/debit cards like Privacy.com or Revolut. Overall, I agree with this strategy. But for those who are willing to deal with a little added complexity in exchange for some perks, I have additional advice I’d like to add onto that: strategic use of credit cards.
In a perfect world, it would be nice to simply swear off the credit system and ignore it. We never really agreed to it. But for most of us that’s simply not an option. I know I’ve already tripled my usual word count, but if I may share something quickly: over the past few years I’ve been working hard to get my financial life together – building up savings, fixing my credit score, and investing for retirement. In just those few short years, I’ve noticed something shocking: the better my credit score, the easier my life is. A few years ago, moving into an apartment meant first and last month’s rent plus security deposit up front. Starting utilities likewise meant a security deposit. Internet required a credit check with a deposit for the ISP’s router (mandatory). Five grand might be a good buffer to get all this stuff handled in most cases. This last time I moved – about a month ago as I write this – I didn’t pay a single deposit. For anything. We moved in with the five-grand savings we had set aside specifically for the move mostly untouched. And honestly my credit isn’t even that good yet. It’s better, but it’s not where I want to be. Life is just easier when you play the system. You get better terms, you save more money, and you meet less resistance.
I say that to say this: given that The New Oil is aimed at “average” people who want to find a good balance between convenience and privacy/security, and is not aimed at the extremists who wish to live in a cabin in the woods devoid of all prying eyes, I think that those who can be responsible with credit cards can use them to their advantage: both their personal finance and privacy advantage. Personal finance experts preach that you should use credit cards responsibly. They point out that – for example – most credit cards come with purchase protections, and if a credit card gets stolen you’re not out the money until it gets resolved like you would be with a debit card. They also like to note that using cards correctly can save you money and even earn you extra money. You can get cashback on things like gas or groceries or earn airline miles for your next vacation. Just be sure to pay the balance off in full every month to avoid incurring interest. In light of my earlier conspiracy theory about our purchases being used to calculate our premiums, I would like to encourage this strategy (again, if you can be responsible with a credit card) while adding another recommended layer: use credit cards to paint a positive picture of yourself. Buy your healthy groceries with the credit card that gives you 3% cashback on groceries, but put the sodas on a separate cash transaction. Put your gym membership on the card; pay for movie tickets and snacks with cash. Maybe I’m being overly paranoid and creating more work for myself, but I strongly suspect that in the near future approaching your finances like this creates a carefully constructed positive image of yourself as a healthy, responsible person and will earn you better rates and privileges from the industries who are increasingly turning to Big Data to solve their problems.
This brings us to a final topic one reader asked me to talk about: the use of data and AI. Truthfully, I don’t think there’s anything new here. ChatGPT may be the big story in the news, but financial institutions have been using aggregate data for years to make decisions. Cathy O’Neil covers this extensively in her book “Weapons of Math Destruction,” which I reviewed and recommended. I don’t see this getting any better any time soon, hence my recommendations about strategic use of credit cards, but whether it’s via aggregate data or a glorified Clippy, we’ve long been living in an age where machines are making these decisions more than individuals, usually with mixed results. Now of course, that raises the point that this is morally questionable stuff and we probably shouldn’t just be okay with it. I agree. But then this blog post would balloon by another 2,000 or so words. So pardon the rush but let me just summarize on that note: “I agree. Call your politicians. Demand oversight and regulation. Try to push back on companies who use it when you know and can.”
In the meantime, I know this is a record-setting blog post. There was so, so much to unpack and I hope it made sense and was helpful. Privacy is always complicated and nuanced, and mixing it with money makes it even more so. As always, at the end of the day, you have to do what’s best for you, but I hope this blog post gave you a peek inside my thought process and opinions. You’re welcome to take them or leave them, or adapt and evolve them to fit your needs, but hopefully it at least gave you some things to consider with your own finances. Good luck out there. This stuff is never easy, especially in today’s landscape, but I hope I made it at least a little easier to sort through.
You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.
Among the more hardcore privacy enthusiasts, the cloud is anathema. To be fair, this isn't a bad philosophy – the saying that the cloud is simply “someone else's computer” may not be entirely accurate, but it's also not totally wrong either. However, we live in a world where advising most people to simply avoid the cloud is on par with advising most people to avoid getting a job: it's just not realistic advice. Most of us have come to rely on the cloud to easily sync and share files, and on the website I acknowledge the cloud as the most feasible off-site backup solution for many people (though for the record, a regularly-updated non-cloud backup – such as a USB stick stored at your desk in the office – is preferred whenever possible).
Normally when I do reviews, I pick 1-2 services and highlight the good and the bad. In this review, however, I want to roll all the cloud options listed on the site into a single snapshot review, so in this blog post I will be listing each service (in alphabetical order, as always) and giving it a paragraph or two of a review. I hope this helps for those who have decided that a cloud service – for backups or for any other reason – is right for their threat model. In this review I have included affiliate links where I have them, but as always feel no pressure to use them if you don't want to. Also in this blog post I'll be talking a lot about encryption, not in a technical way, but if you're unfamiliar with encryption or some of the common phrases like “zero-knowledge” and “end-to-end,” you can get a quick rundown here.
Before we talk about actual encrypted cloud options, we should start by giving a special shout out to Cryptomator. Cryptomator isn't a cloud provider, but rather an open source application that manages encrypted files on the cloud for you. In other words: Cryptomator sets up the encrypted vault for you, then automatically handles the encryption and decryption on your devices. When you use Cryptomator, you can use any cloud storage solution you want – like Google Drive, iCloud, or Dropbox – and your files are encrypted locally on your device before being uploaded. You can use Cryptomator on multiple devices, including mobile devices, for a seamless experience just like any other cloud service, but with added protection. Cryptomator is so trusted that many privacy enthusiasts recommend using it with all clouds – even some of the ones listed below – for additional protection or insurance. The only drawback to Cryptomator is that it requires a one-time license fee for mobile devices (note: licenses are non-transferable between platforms, so if I understood the site correctly, if you buy a license for Android and then get a new Android phone, the license should still work, but if you switch from Android to iOS you'll need to buy a new license).
Although Cryptomator does allow you to use any cloud, I personally am still a fan of recommending more privacy-oriented services. One reason is because many of these mainstream services still collect metadata, such as location if you use the mobile app or information about what sort of files are stored in your cloud. That leads to reason two, which is that we don't know if someday these organizations may take an anti-encryption stance either by choice or by force (nearly all Big Tech terms of service state that terms are subject to change without warning, so you may not get a warning to remove your vault and go elsewhere). That said, sometimes these services offer vastly more storage space than other options (like Google Drive's 15 GB storage) or you may already be in their ecosystem (like iCloud). Either way, if you have any concerns or hesitation about the cloud, Cryptomator is a great tool to consider as another layer of protection regardless of which service you go with.
Filen is a somewhat popular option in the privacy community. Filen offers a seamless, modern user experience and look with apps for all operating systems and 10 GB of storage space for free. I personally like Filen and have used it on a few occasions to share files. That said, Filen does have a couple of dings against them. Their most serious blunder has been at least one accusation (I've heard there are others but have not seen any personally) claiming that Filen's security was poorly implemented and that while they did fix the issues when notified, they didn't communicate at all with the person who reported it, not even a “thanks for finding that, we'll fix it.” There was also a big kerfuffle a few months back when they blatantly ripped off the website of Vercel (a popular website for front-end developers). Filen blamed the web developers they had hired at the time, and they did eventually modify it a bit to be a little bit less obvious, but it was a pretty embarrassing blunder.
That said, I still think Filen is a good choice for low-risk stuff. I wouldn't upload my driver's license there, but I would definitely upload benign photos and documents to share with other people or have remote access to. The UI is clean, the storage space is fairly generous, and it functions well.
Mega is another privacy poster child who has suffered a bit of a hit. Mega has long been popular in the privacy community for having open source clients, end-to-end encryption, and a whopping 20 GB free plan. Impressive stuff! Mega also offers a number of other features that would be helpful for businesses like a built-in text and video chat with other users, and even the ability to schedule backups, making it probably one of the only true “backup” solutions on this list since it can handle automatic backups for you. That said, like Filen, Mega has also suffered from some pretty serious encryption vulnerabilities that shook user faith in their code, and raised questions about possible further vulnerabilities. For me, I think of Mega the same way I think of Filen: it's great for sharing non-sensitive data, and with double the storage space and additional features it may even be right for some low-risk organizations to collaborate and coordinate. Personally I'm not a huge fan of the UI (it feels a bit dated), but it's hard to argue with those extra features if you're running a team.
Okay, Nextcloud is a bit of a complicated entry here. In a perfect world, everyone would self-host a Nextcloud instance out of their own home for maximum privacy. Nextcloud is more than just file storage; Nextcloud is a full office suite. By default it comes with the ability to store your contacts, photos, files, and calendar, but you can add a ton of other plugins and extensions that add additional functionality like two-factor authentication (including hardware tokens), user management for organizations, messaging with other users, form submission, budgeting, recipes, health tracking, you name it. Seriously, if you can think of it, it probably exists. However, it's important to note that not all of these apps are official, maintained, or even well-made. Consider for example the “Files From Mail” app, one of the lowest-rated apps, published by Maxence Lange (whoever that is) and last updated 3 years ago.
Speaking of lowest-rated apps on the platform, end-to-end encryption is basically nonexistent on Nextcloud. Even the official app is quite convoluted in its execution (on the user end; I would expect difficulty for the admin but not the user), and many users have complained that it often encounters bugs that corrupt or lock folders and files and can cause them to be uneditable, undownloadable, or simply deleted altogether. Unfortunately it also seems that for whatever reason, Nextcloud hasn't really made it a priority to develop and fix this app either. This is why I called Nextcloud complicated and recommended that users self-host from home: if the server is located anywhere else, even a data center, you have very few meaningful options for encryption. You have to trust the data center to respect your privacy since there are no meaningful zero-knowledge protections to enable. Sure, you could couple it with the use of Cryptomator, mentioned above, but that won't do much for your calendar or contacts. I understand that making these legacy protocols encrypted is a massive undertaking in any situation, but it's still disappointing to see that one of the biggest names in this space – and one used by governments all over Europe – has put nearly zero effort into even trying. Nextcloud does come with an optional “server-side encryption” check mark, but it can be very easily bypassed.
Despite all this, I personally am a huge fan of Nextcloud and would recommend it if you have the resources (time, knowledge, skill, and hardware) to figure it out. I have a few friends and family who use at least some aspects of it, and since I host it from home I feel pretty confident in its security. It wouldn't really stand up to the NSA, but then that's not part of my threat model. I just want some privacy from data miners and to not have to worry about my account suddenly being cancelled. Nextcloud gives me calendar, notes, contacts, photos, file storage, and more with all that peace of mind. I get the convenience of putting all my eggs in one basket with very little risk, so long as I'm willing to put a little effort into the maintenance. A no-brainer for me, but I recognize that not everyone has those luxuries. That's why I have other entries on this list.
Proton Drive is still a bit rough around the edges, but has the potential to be a private cloud powerhouse in the future. Proton Drive is brought to you by Proton, the same company behind ProtonMail and ProtonVPN. Aside from a few unfounded and disproven conspiracy theories (and at least one unrealistic expectation), Proton is a widely trusted name in the privacy community with a slew of solid offerings. Their email service offers a free tier which is probably plenty for most users, and even their VPN has a free tier – one of the only free VPNs recommended in the privacy community. Proton is trying to be a Google/Apple replacement, with things like contacts, calendar, and now this. It's a pretty powerful offering for those who are willing to trust them. That said, Proton Drive still has some room for growth. For one, there's no desktop client yet. As such, all uploads and downloads must be done via web browser, and despite Proton's claims that your file size is limited only by your storage space, several users have found that there's actually a limit that varies based on your browser and file system. So in theory there's no limit, but until there's an actual desktop client that's not true in practice. It’s also worth noting that you share storage space with your email account, so if you’re the kind of person who never deletes emails, that might eat into your storage space after a while. Henry from Techlore – my podcast cohost – has also reported consistent issues when downloading videos I send him via Proton Drive. Granted, that was nearly a year ago when Proton Drive was still a much newer offering, so perhaps this is fixed now, but the point is simply to be aware that Proton Drive is still very young and you may encounter some issues. That said, if your files are reasonably small and you can afford the luxury of maybe needing to try again a few times, Proton Drive is one option for storage.
I personally use it to transfer TikTok videos to my Lineage device to upload from there, and it works pretty well most of the time.
Sync is the only proprietary offering on this list, but I've been using them for years without issue and thus am quite comfortable recommending them. Sync is more of a Dropbox-type experience, with a simple app (for all operating systems except Linux, unfortunately) that lets you upload and download files and folders in one space and share them with a link or email address. It doesn't have any fancy image viewing options or anything like that, but you can manage users, sharing, and more. I use Sync with my band to share songs, ideas, and pretty much anything we need to collaborate on. Even my singer has started using it for his own freelance work to share files with clients. If for some reason none of the other offerings on this list appeal to you, I recommend checking out Sync. It's a great product.
Okay, last but not least, I know that if I don't mention this one I will get emails asking about it: iCloud's Advanced Data Protection is end-to-end encryption for iCloud that rolled out late last year. It is disabled by default, but can very easily be enabled in the settings. Personally, I don't recommend the use of Apple if it can be avoided. In a perfect world, everyone would be using a Graphene or Calyx (or maybe Divest) phone. But that's not always an option for everyone. As I've noted in a past video, iPhones are available in more countries than Pixels are at the time of this writing, and some people may not be comfortable trying to flash a several-hundred-dollar phone. That's a lot of money if you screw it up (even though – I'm aware – some flashing processes are so dead simple it's virtually impossible to screw it up). Regardless, there are times when people may decide that an Apple device is right for them. In those situations, I'm still not a fan of iCloud. While ADP is a massive improvement, there are still things that aren't zero-knowledge, like contacts and emails, and at the end of the day you're still trusting Apple with your metadata and feeding their ecosystem, and Apple – like Google – is a company who has been proven to lie in the past about their data practices. I would strongly encourage users – even if you're already using an iPhone – to opt for a different cloud storage solution that has a better history of respecting user privacy. That said, if for whatever reason you're intent on staying in the iCloud ecosystem, then I certainly believe that using ADP is better than not using it. Just read the article linked in the subheader so you know what the limitations of this protection are.
I hope this blog post has been helpful for those of you who need to use cloud storage – whether as a backup or to share files – and are having trouble picking a provider. As I said at the top, ideally you wouldn't be using someone else's computer, but the point of The New Oil is not to teach you to forsake modern life and go live a life free of technology in the woods (though I'll be the first to admit that some days that does sound very appealing). Rather, it's to teach low-risk users how to mitigate those risks, improve their privacy (even if it's imperfect), and navigate being a functioning, productive, and successful member of modern society without handing over all of their data 24/7 to every company who tries to pry even the slightest bit. Remember that no cloud provider – even the ones listed here – is unhackable or without risk, but using one of these (along with appropriate threat modeling) should go a long way toward reducing risks and improving privacy and protection.