Welcome to Pragmatic Pragmatic is a weekly discussion show contemplating the practical application of technology. Exploring the real-world trade-offs, we look at how great ideas are transformed into products and services that can change our lives. Nothing is as simple as it seems. This episode is sponsored by Hover. Hover is a domain registrar that stands apart from the rest. It is simple, easy to use and understand with a valet service for your domain transfer, making it simply the best way to buy and manage your domain names. Check out Hover at hover.com/pragmatic and find out just how easy it is to grab your own domain and transfer your existing domain to Hover using the coupon code pragmatic to get 10% off your first purchase. Let hover valet your domain stresses away today. This episode is also sponsored by ManyTricks, makers of helpful apps for the Mac. Visit ManyTricks or one word dot com slash pragmatic for more information about their apps. Butler, Kimo, Leech, Desktop Curtain, TimeSync, Usher, Moom, Name Mangler and Witch. If you visit that URL, you can use the code pragmatic 25. That's pragmatic the word and 25 the numbers in the shopping cart to save 25 percent on any ManyTricks product. We'll talk more about them during the show. I'm your host, John Chidjie, and I'm joined again, once again, by my friend Seth Clifford. How are you doing, Seth? I'm doing well, John. Thanks for having me back. Thanks for coming back on. Before we dive into the topic today, which is going to be privacy, I just want to mention once more that for a few more weeks available for sale, the first and quite likely only Pragmatic T-shirt. They're being sold through Teespring. a link in the show notes and this time it is in the show notes. I said it was last week but unfortunately it missed out on the initial cut but I later updated the website. So apologies if you're looking for it in the show notes and you didn't find it while it's there this week definitely I apologize again for that. I do realize with Teespring if you're in outside the US shipping can be a little bit pricey I do understand that but unfortunately there aren't very many good quality international options that I'm aware of. If you are aware of one, please let me know. I've also had a few requests for a coffee mug and for a stubby holder. Let's just see how this goes first before we get too excited. Yeah, so I'll get back to you on those. In any case, like I said, I'm really not planning on doing this again. I'm only really doing it because people have asked pretty much for the last nine months, when are you doing a shirt? And not just one, quite a few people. So at this point, the sales count is up to about 14. It's only been up for less just just about a week. And I think that's pretty good. So I only set the minimum at 10. So that it will be made. I don't have expect to sell huge numbers. But if you've ever wanted a shirt now's your chance. And I'll leave the nagging there. So go grab one while they're available. Okay, So, privacy. Now, this one, as topics go, this one came up out of episode 42, which was the e-readers episode. I think it was called, hopefully they don't burn it. Fatuous reference to burning books in the Second World War, but never mind that. Longtime listener of the show, Nick Radcliffe, and I had a very long email conversation back and forth, which I alluded to in the follow-up episode for episode 42 regarding privacy. And I realised that some of the points that he brought up were really enough fodder for an entirely independent episode about privacy, because privacy and online privacy is a big deal. And it's something that I guess I feel like in the last 20 years, we've gone from not trusting anything that we put online to getting to a level of trust, whereby people will even put credit card numbers online and buy stuff online, which, you know, 20 years ago, when it was just becoming a possibility, where people would say, "Oh, that's crazy." But it's like the trust has sort of been building. But then there have been a few incidents, like sites have been hacked recently, and I can see some of that being undone, and people are starting to think more about their privacy and what it's worth. So I guess there was a time, you know, if you go back far enough, before governments, before records were kept, like, you know, people were born, we live, we died off the grid. Well, not that there was a grid or a radar, actually, I was going to say off the radar, too, but there was no radar either. And there was no government. And perhaps maybe there was a basic government, but they had no idea that people existed, like exactly who, when and where and so on. And there's places in the world right now where that's still the case. But I guess governments sort of were put together to try and protect the people. All that you said was the idea. And they were formed to govern and to do that, they need to keep track of where people were, how many people were born and died, where they lived so they could plan access to amenities, figure out where to build roads, hospitals and all that sort of seemingly innocent stuff. But of course, time goes on, they want more money. Ultimately, they bring in things like income tax and then they start tracking people with social security numbers and tax file numbers Social insurance numbers. So those are like US, Australia and Canada numbers and all around the world So they can track your income so they can figure out how much to tax you And you know that way then they can fund government buffets and fact-finding missions to the Bahamas or something, but I don't know Yeah, what do they do with tax money anyway - Certainly not fixing the road. - That's an entirely different show. - You're right, actually it is. So yes, rather than go down that round hole, but nevermind. So I guess the thing about the internet that scares governments and scares a lot of people that wanna have that information and to track all this information so they have some level of control is that the internet is about sharing information freely and that it can be anonymously shared. And part of the problem with that that that's directly opposed to the other movement which is well I want to be able to conduct business online which therefore has to be has to have some level of privacy but at the same time has to be very secure. So I see privacy and security is sort of very intertwined you know if you've got good security then you can ensure a certain degree of privacy so I guess we kind of needed to cover a bit of both I think anyway. All right, so I guess the thing is that a lot of companies since the internet came about have tried to take control of aspects of it and in some cases even infect different components of it in order to snoop in on that information. And recently that Heartbleed exploitation for example, I think CIA knew about it for years before it became public knowledge and they were exploiting it for their own purposes of eavesdropping. And then, of course, there was this whole Prism thing. Has everyone forgotten about Prism already? I mean, it seems like old news, but I mean, that's a huge deal. So, yeah, I mean, when that- Again, an entirely different show on its own. Oh, yeah, I don't want to dive into exactly what Prism was, but I mean, go it was Snowden was the guy that broke that, if memory serves, right? - Yeah. - He's still in seclusion, isn't he? - Or has he been? - I believe so. Yeah. I mean, I don't know what to think. I think that's... I don't know what to think. I guess I suppose the end justifies, you know, to some extent. It's hard to know, but all I know is that Prism was wrong. It's just that, you know, it existed and there's a lot of eavesdropping going on. And I guess ultimately, no matter how you slice it, if you treat the Internet as you put something out there, it could be exploited by the wrong people. So it's best for us to just focus on what we have, where we have a choice and where we have some degree of control and how to exercise that control. Because beyond that, I mean, unless you want to pull the plug and completely go off the grid, which is the ultimate answer, in which case you probably won't be listening to this podcast, then oh well. So I guess it's about for me, I guess it's the pragmatic choices, which are I want to be able to take advantage of the digital age and be a part of the Internet and still enjoy all of those benefits. Like I want to be able to shop for some things online. I want to be able to download stuff. I want to be able to, you know, get music from Apple. But at the same time, I want to have a little bit of privacy. I don't want it to be. I don't want them to have everything about me. If that makes sense. And oh, no, it absolutely does. And for me, you know, I come at this more from, I guess, an end user perspective where I am very selective about the types of services that I choose to use, what I choose to share with them, because I understand now, you know, we started talking, we started this conversation talking about it from, you know, kind of a, a government perspective and infrastructure level, uh, me personally, I'm far more concerned with all of the different ways, like if we assume that we're being monitored, let's just say, I'm far more concerned with all of the ways that I don't know people are taking my data and using it for not even nefarious things, just things that I don't approve of, you know, selling the data, doing other things with it. And so that's the kind of thing that I think about on a daily basis. And when I hear security breaches and credit cards were hacked and this, you know, all passwords are stored in plain text, like all of these consumer level things that affect us, that's the stuff that drives me up a wall. Like things like Prism and, you know, things at that level, I guess I just assume that those things are happening and you have to kind of make peace with it on some level, even though it is not something that we would want as, you know, internet citizens. But I think the thing that rankles me more is the whole move to free services and giving all this stuff away without a notion of what the actual cost is. That's the thing that keeps coming back around for me. Yeah, one of the things that I always ask myself when I sign up for any service, free or paid, is what exactly do you need X, Y, and Z for? that particularly get me, and maybe we should sort of, before we go any further, just talk about what private data, what I'm talking about. Like, when we say privacy, what are we talking about? Just break it down real simple. And that is, yeah. So, let's start with obviously our name, but not just our name, our full name. So, you know, do they really need to know what my middle name is? Probably not. You know, do they even know, I have to know what my first name is? Is an initial good enough? Surely that's good enough. You know, so what about my date of birth? What are they going going to do, send me a birthday card? Well, no, they're probably not. Oh, well, yeah, so they need to know my age for age verification purposes. Well, I could just fudge that. So what's the point of a date of birth exactly? I don't, you know, and date of birth is often used for unlocking information on bank accounts as proof of identification. So date of birth is, you know, is a very, very dangerous thing to have leaked out there. I think. Physical address is another good one. Why do they need my physical address if they're never going to ship me anything. You know, it's like that comes up time and again. And a lot of the time when that comes up, it's because I'm signing up for an account that requires a credit card. So the credit card companies, a lot of them as verification will ask you to enter your physical address to verify that your credit card is in fact yours and valid. Which, yeah, your billing address, right? Yeah, exactly. Which I kind of get. But at the same time, if that's the only point, it seems a bit wrong that you know, shouldn't I give that to the bank and not to this third party website that God knows what they're going to do with that information? I don't understand why they need it. So, you know, sometimes if they ever ask for things like identification card numbers, things like a driver's license number, that's just wrong. Admittedly, I can't think of too many sites, although there's one I'll talk about later that did Health insurance numbers, anything official like that. I mean, that's nothing. None of the no online services I can think of unless they're government based could ever want anything like that. But yeah. Yeah. Phone numbers. That's another one. Although admittedly, phone numbers aren't necessarily, they're more of a nuisance thing. I think someone gets a hold of your number, they can text you stuff. But with things like iMessage and with push notifications and stuff like that, it's become a lot easier. You don't need a mobile phone number anymore to annoy people on their smartphones. Right. So, other ones that are a little bit less tangible are things like the company you work for, the company's address, different avenues to gather more information about you, that sort of thing. So, is there anything you'd add to that list? No, I think that pretty much covers it for the purposes of the discussion. The one thing I would add is that there are legitimate reasons for wanting to understand who your users are. If you want to build a better product, if you want to serve your user base better, it helps to know who's using it, where they are, what they're looking for. Maybe age demographics to a certain degree, but not the birth month and day and year. There are probably tons and tons and tons of companies who ask for bits of information like this because they really do want to just take it and use it anonymously and just apply it against what they're building. I fully believe that a lot of places want to do that and this is just the most straightforward way of doing it. But there are so many more that only want that information so that they can market to you, track you, watch other activities that they really have no business being in the loop for. And that's the thing that really gets under my skin. Yeah, you know, it's good you raised that because one of the things that I've... OK, I'm not... I'm an engineer, I'm not a marketing person. I get that if I tell you I'm in the age bracket 18 to 24, then I suppose that statistically, I might be more interested in certain kinds of products. But, you know, if it comes to things like, I don't know, like a crib, a cot or something for a baby, you know, and I guess I'm bringing that up because of your current situation. But I guess the thing is that that's not necessarily connected to my age, you know, because I could have a young family or I could wait till I was middle age or a little bit older before I have a family. I could have had one marriage and I'm on my second marriage and I'm I'm 50 years old and I want to have a start my second family. I mean, there's all sorts of variables in there You know, it's not age related. So it's like I don't know I guess You know how many children you have If you have any children, I guess that's all you know, interesting stuff But if you're signing up for an email address, it's like that's very survey data Like, you know, it's not yep. I don't know. I I guess I always wondered just how effective that information would be just an age, based on a date of birth, just how effective is that really at targeting advertising I think it can't be as... There's got to be some value to it, but I can't imagine it's a heck of a lot of value Things like Google have cornered this idea of gathering all this information every single search term that you put in a massive database of information about you to target ads, that's far more valuable than just a few scraps I would have thought. Yeah, I guess if you're asking someone to provide it kind of as a, as a means of fleshing out a profile and that's, you know, there's no other way for you to gather input or data from them, then you'd kind of take what you can get and assess, you know, whatever value you can from it. Obviously the stuff that Google does is far more detailed and far more sweeping, but it's also more accurate and that's, you know, Google is one of those things that I am very conflicted about because on one hand the technologist in me is like, this is, you know, this is amazing. This is, that this can happen, that a company can do this and learn about me and then bring me more relevant content and tailor my activities in such a way that it streamlines my day. But on the other hand, it's like I don't really think anybody needs to know that much about me and depending on the week, I'm either very bullish on it or I'm very bearish on it and I don't. It's a pendulum, it swings back and forth and it's dependent on a heck of a lot of factors. Yeah, no, that's true. I feel very cautiously... I don't know what the right way of putting it is. With respect to Google, I'm cautiously concerned, I suppose, and sometimes it does freak me out when I start typing in something and it's like it's reading my mind. And, you know, sometimes then I'll switch to Duck, duck, go or something else, because it freaks me out. Quite serious when I say that it does freak me out sometimes. And I've made a conscious effort to move away from from Google's, from Gmail. So I typically don't use Gmail anymore. But, you know, it's unfortunately it's one of those things that you can't really get away from, because technically, because, you know, the engineering, I think about this, it's like, well, what's stopping Apple or what's stopping Microsoft apart from them saying, oh, we wouldn't do that. What's actually stopping them from doing it? And the answer is nothing. If I put a search term into their service and their service spits back a result, can they cache what I've asked for? Of course they can, you know, and I can't, I have no guarantee that they won't. So does that mean I stop using search engines altogether? Well, no, not necessarily. And this is the thing about Google, though, is that, you know, they're smart enough to know that if you do nothing and you just, you know, get in your web browser of choice, go to google.com and type in a search term, you type in enough search terms from that IP address, that route, they're going to start to build a profile. And if they can attach your name to that profile, they'll flag it as you and it'll follow you around. You know, and it's one of those things that if you don't log in as yourself on a Gmail account, and I don't log in on Gmail or Google accounts, I should say these days they call it. I don't log into my Google account ever anymore. And if I go to a stranger's computer on a completely different place, I will get different search results because, of course, it's not, it can't follow my profile. And I've been using Google search long enough to tell the difference between, oh, yeah, OK, it knows it's me and oh, no, it has no idea that it's me in the search results. Yeah, we should probably, we should probably figure out what the the silos of this conversation are going to be. I think Google needs to be one of them. I think Facebook needs to be one of them. Yeah. I think probably something like Amazon needs to be one of them because they all collect data in different ways for different purposes. And I feel very, very different about each one of them. OK. But, you know, we don't have to limit it to those. Those are just three that come to mind. And, you know, those different kinds of trade-offs that we make, what they offer. Well, I guess the thing is that from a privacy point of view, if you are concerned about Google tracking the who you are rather than the what you search for. I mean, if you're going to call yourself, you know, Bob the Builder and, you know, create Bob the
[email protected], go for your life. I'm actually sure someone's already done that, but nevermind. Probably not the real Bob, but anyway. Yes. Anyway, too much kids TV. I'm going to blame that. Anyhow, it's on in the room. You can't avoid it. Okay. Anyway, I get sidetracked easily sometimes. So yeah, if you do create a false name and you do all your searching under that account to get sort of pseudo benefits and you don't mind saying to your friends, yeah, just email me at
[email protected] and that's perfectly okay, then that's fine. You know, but it'll still connect all that information with you so long as you never ever put in your actual name in any way to connect you to that profile. Although Google will build a profile, they think it's a profile of Bob the Builder and I'll have no idea to you personally. So maybe that's okay. Maybe that's the line that you draw and maybe that's perfectly fine. So, you know, in which case you can still enjoy all the benefits that Google has to offer. But all it really does take is a slip and Google will pounce on it. They'll have the information that they need to connect the dots if they're smart enough. And, you know, they've been doing it long enough. I'm sure they are. But the thing is that where it's different, I guess, and I'm not talking about Google Plus because does anyone use Google Plus? I don't know. I think plenty of people use it. I personally don't use it. It really isn't my kind of thing. I think that people use it because it's just a Google account thing. It's like, you know, you signed up for a Google account, so you get Google Plus. Oh, and then they push it in Gmail and they push it, you know, all that as much as they can get away with. But I guess I'm thinking now more of you mentioned Facebook. And of course, Twitter is also part of this, where you voluntarily post information about what you're doing, what's going on in your life. It's not a search thing. It's like having breakfast. Well, OK, I don't do that often, but I mean, sometimes maybe that's what Instagram's for. But here's a photo of my breakfast. I don't get that anyway. All right. So but yeah, so Facebook at least make some vague attempt to keep your posts private if you want to keep them private, but they keep messing with their privacy settings. So it's almost like they don't want your information to be private, but they want it to look like they want your information to be private. You said you had some thoughts about this. Yeah, well, you know, from a very high level, I feel like there's three different ways, you know, based on the three different companies that I mentioned that, you know, people are using data, right? Google is taking everything that you can possibly give it to build better search results and serve better ads and do and I'm using the word better because I'm kind of embodying that ideal for for these purposes that this is is what they want to do they want to make everything more relevant to you. I I have a Google account I don't really sign into it all that often because even though I've heard from friends that when you sign in your search results are better I don't know that I want better results. I want results. I want to do a search and run a query on a term and have returned to me what the internet thinks I'm looking for. Like, I don't care that Google knows I've searched for whatever, MacBook Pros, 150 times, and so they're going to surface MacBook Pro stuff more. If the thing I'm looking for is something else, That, to me, in my mind, could get in the way of what I'm looking for. And this is totally a personal thing. With Facebook, I feel like the more you put into Facebook, like, what are you getting out of it apart from the social interaction? Like, Google at least has a value if you look at it in that perspective. Facebook, if you look at your wall, and I left Facebook several months ago because it was rather unceremonious, but I just wasn't really using it and decided it didn't need to be in my life anymore. But if you look at your typical, you know, login, look at your wall, so much of it is just ads. And your content that you're looking for, your friends' content, photos, whatever it is that you're there to view, is just completely buried among all this other stuff. And Facebook's ads have never been relevant to me. And that could be because I never really put a lot into it, But it just never seemed to be-- I was not deriving any kind of value from it the way that I could see someone deriving value from Google services. So and like you said, Facebook changes their privacy settings. And they really want everything to be public. And they have this philosophy of, well, if everything is kind of public, then we can all communicate better and do these things better. But that seems kind of thin to me, just based on the stuff that the company does and just the way that they handle things. They've traditionally done a lot of backpedaling when it comes to privacy concerns and things like that. And that to me, you can look at it for a little while as hopeful naivete, like, well, they just want these things to be better. They want a better internet. They're a younger company. These are their goals. or their objective. So yeah, they're going to make mistakes and they'll, they'll kind of go back on them and everything will be fine. But I feel like at this point now, when there are things that seem weird about Facebook or, you know, the, the amount of data that you put into it, I feel like they ought to know better. And again, I'm not using it anymore, so I could be woefully out of the loop and they could be way better at privacy. But my My feeling is that it's not going to get a whole lot better because they benefit from that way more than you do. The trade-off is skewed in their favor. Yes. Totally agree. See, the thing is, I guess, with Facebook is it's all based around a reality. You are who you say you are. There's no real push on Facebook for anonymity. all about you connecting with your friends, which requires that you have your name, your face, your information. And that is inevitably is the premise. Now, you compare and contrast that with Twitter and Twitter, it reminds me a lot more of IRC of old. I mean, IRC is still around, but you know what I mean? Back when IRC was the way you would chat and communicate with people and so on. It's just that it's like a public IRC. that anyone can look at it. And they make no bones about it. You know, there is no privacy. There just isn't. You can enable a private option, but it severely limits a lot of the features. Like you can't retweet private accounts and you can't just become, like you can't just follow their account. You need to get their permission and everything. And you know, there's Twitter is very upfront about it. Whereas Facebook isn't. And either way you slice it, you're putting information into a third party server, which means you're trusting them. And I guess for me, the privacy angle to be had is more about, for this whole privacy discussion is about who gets access to your private data. I'm handing over my private data. There's an expectation as to how that data is going to be used, or better still, who I'm giving it to. The problem for me is not necessarily the who I'm giving it to, although sometimes with Google and Facebook and Twitter, I do wonder, more so Facebook and Google. I'm giving you this information. Do I trust that that's where it stops? You know, or is it gonna be used for something else that I'm not aware of? So I know that Google are gonna use my information to give me better more tailored search results. And maybe that's a good thing, maybe it's not, I don't know. It just, it's sometimes it's just creepy, like I said. But with Facebook, you know, honestly, I don't see much of an advantage to Facebook. I'm like you and if my wife and like two or three other of my friends that are only on Facebook that I want to see what's going on with or I want to, you know, participate with online, they're not on Twitter and there's no other social way of interacting. So beyond iMessage, you know, Facebook has become a method by which I stay in touch with a certain subset of my friends and family and it works for them. But honestly, if not for that, I wouldn't use it because the ads are terrible. But, you know, with Twitter, I made a decision when I joined up to use my real name. I didn't have to, but I made a choice because I used to go around calling myself Apple convert back in the forums on Australian Macworld many years ago. And then when I started Tech Distortion, I started out writing under the same same moniker for a while. But then I thought to myself, if I'm going to be, you know, if I ever want to go and build beyond just being a pseudonym. I need to present my real face and my real name. So I decided to do that. And along with doing that publicly comes a certain degree of risk. And I guess that's also an element of this privacy thing is if you're going to put your name out there, then you're going to get more attention and you're going to get become more of a target potentially. And I guess that's one of the trade-offs and one of the risks. When you're using Twitter, there's nothing stopping you. you can call yourself whatever you like. You know, like Counter Notions is a very popular example in our little tech bubble of someone Contra or whatever he calls himself. And no one knows who he is or rather, I think Guy English knows who he is, but I don't know. Do you know who he is? No, no, I don't. Anyway, well, not really the point, but I guess so. I mean, you would say that Mr. counter notions is in fact exercising his right to privacy. So if it's a he even actually come to think of it, I don't know. So anyway, all right. So to me, the privacy is about the trust aspect and Facebook has done so many things wrong to ruin that trust with their changes, their privacy policy. And like you said, they're there. Oh, yes. Sorry about that kind of attitude. We really didn't think about it. It's like, oh, it was just an accident. We accidentally just opened all your information up to everybody and you didn't have time to set it so that you couldn't be, you know, so it was private. It's like, well, so, but they do it too often. They've burned all of their goodwill. And this is the, this is the thing. So to me, it's breach of trust. Information I'm going to send from one person to another. I'm going to publish it on Facebook. I'm going to do whatever I'm going to do. Let's say it's Apple and I'm trying to, and I'm filling in credit card information or date of birth or any of that sort of stuff. It doesn't really matter so much as the exactly who, it's a matter of, I expect this information to stay with between us. But the problem with that is, of course, there's the breach of trust whereby the person hoarding the data, the person that runs the server that keeps your data, will they keep it safe? Can they keep it safe? And then, of course, there's the possibility of being intercepted in transit between your place and theirs. And of course, there's, you know, your end of it getting infected by, just say your computer, like intrusion at the source, like your computer, malware, viruses, whatever, you know, that sort of thing. And people say, "Oh, I've got a Mac, "don't have to worry about that." But well, I don't know, keeping your system up to date and every computer on your home network is always good advice. I know I'm jumping around a little bit here, but I'm just trying to get to this point where if you're going to put information about yourself out there onto the internet in any way, and you're concerned about it being intercepted, you know, start at home and make sure that you've got, you know, some degree of antivirus on your computer, if it's not a Mac, especially, but even if it is a Mac, it's worth considering and keep your system up to date. So if there's an update, just make sure you've got your security updates up to date, that's all. And on every computer on your home network. But the next thing is, who do you trust on the server side of things? And one of the things that's been going around just recently within our circles is whether or not you go SSL on everything. whether or not you encrypt on your website. That's something I thought you might be interested in just discussing briefly, your thoughts on that, whether you should or shouldn't. - Yeah, I mean, we certainly can. There was a pretty good discussion on ATP about it. I'm sure that's where a lot of us started to think about it in detail. - Sure. - And it's one of those things, I'm probably not even the right person ask about this in terms of technical aspects, but for reasons, for the obvious reasons, like if you do SSL, you can avoid ad injections and things like that. There's a lot of reasons why it makes sense. And I think if we as a culture are serious about maintaining a level of, you know, not personal protection, but personal awareness, I can see tremendous value in that. It's funny, my mind is jumping all over the place because I'm now thinking about the Verizon, you know, the wireless super cookie thing and how that's getting handled and we'll totally be getting ahead of ourselves because that's something also that I want to talk about because it's nauseating. Okay. In terms of just your SSL thing, I think it's probably one of those things that makes sense. Is it feasible to do in a short time frame? No, of course not. Is it the kind of thing that we should champion? I guess, because it is achievable and it probably ultimately benefits users the most. And I'm a big believer in being a user, being a person who lives in technology. I want the best for me and my family and the people that I know. So it's something that, admittedly, like I said, I really am not familiar with the full technical underpinnings and what it would take to do it. But yeah, at a surface level, it seems like the right thing to do. It seems like now is a good time to start talking about it and start that ball rolling given all of the things that are happening. Okay, cool. Well, look, before I do, I just want to do a brief discussion of the basics of SSL, what it is and why it matters. But before I do, I would like to talk about our first sponsor and new sponsor and have been a very big fan of these guys for a long time and they are Hover. Now, Hover is a domain registrar that stands apart from the rest. Owning and controlling your own domain is critical if you're developing an app, writing a blog, running a business, a project, wanting to keep the same email address for life even, or just having a presence on the web at all. A domain is a single best way for other people to find you and the best way to buy and manage domain names is with Hover. If you don't currently have a domain name, Hover can help you find find the perfect one. Hover supports a huge list of TLDs and their domain search is truly amazing. You type in your best idea and it'll tell you not only whether that domain is available but it'll suggest dozens of close matches that might be just as good or even better than your original suggestion. Sometimes people sign up for different hosting services and they offer a free domain name as part of the deal but read the fine print because sometimes they'll charge a mint to transfer that domain out when you want to leave for whatever reason and you could end up losing it. Keeping control of your domain using a service like Hover where that's their bread and butter it puts you in control and as little as five minutes you can be up and running with your own domain. Now Hover's tools are so easy to use and follow that most people won't need any help getting set up but if you do their support team is always available to help you out. They're famous for their no wait no hold no transfer phone service no kidding. A real living human being will help you. Now Hover they don't try to to upsell you on every little detail. Things like who is privacy that everyone should have. It's just included. There's no flashy ads, no pushy BS. In short, it's actually pleasant to use, which is for a domain registrar, in my experience anyway, is a rare thing. I know that that's all wonderful and everything, but Hover also offer bulk discounts for 10 domains and up. So the more domains you have with them, the cheaper it gets. That's a bonus. They also have a reliable email service and you can get a terabyte of storage space if you want it. They even offer email forwarding for as little as $5 a year. Now, finally, the thing that I think that brings so many people across to Hover that have existing domains, it's their valet transfer service and it's free. All you got to do is point Hover in the right direction with your existing domain and register information and they'll take care of everything. You don't have to worry about messing it up. They do it all the time. So it's going to go a lot more smoothly than if you've only done it once every few years. So, I mean, and that is one of many reasons why I moved my domains there years ago and why they're still at Hover and that's where they're staying. So anyway, check out Hover at hover.com/pragmatic and find out just how easy it is to grab your own domain or transfer your existing domain to Hover using the coupon code pragmatic to get 10% off your first purchase. Let Hover valet your domain stresses away today. Thank you so much to Hover for sponsoring Pragmatic. So SSL, I don't want to go into too much of the technical whys and so on, 'cause I think it's sort of beyond the scope of this, but just basically the idea is that it's the mechanism by which you can encrypt one of several methods by which one of the more popular methods you can encrypt data transactions between your computer and a server computer. It's based on a public key and a private key that are then combined to create a session key at the commencement of communications. To get these, you generate the public and private key on your own server, and then you pass that as a certificate signing request or CSR for short, and you can send that to a certificate authority. And they will then send you back a valid certificate based on that information. You serve up the public certificate, browse checks it against the trusted servers in the list, and says, yes, your certificate is valid, it's current, it belongs to the site it's being served from, and it's certified by this authority, and we know they aren't dodgy, or rather we think they aren't dodgy, they're probably not dodgy. So they're on the not dodgy list of CAs. Anyway, each direction of data is encrypted by its partner and it creates a session key for the duration of that communication. So it's all nicely encrypted. So in other words, you know, in one direction, it gets the, anyway, the point is that the keys are only set at the creation of the connection and then it goes based on the session keys at that point. So you really only get a very narrow window if you wanna sniff on it at the beginning of communications and that's one of the key things about it anyway. Everything, once it's encrypted is essentially is private and cracking that encryption on the duration of the data transaction is extremely difficult. Anyway, but the bottom line is that there's a choice quote, there's a choice quote about this with regards to phishing attacks. And phishing attacks of course, impersonating a server. So people think you're going to apple.com you're actually not, you're going to JohnsDodgyApple.com and you just don't know it. And the whole thing is that the whole certificate authority and the trusted certificate system, and it's all based on... Well, OK, there's a quote that I found through the Electronic Frontier Foundation, EFF, and it goes something like this, "The security of HTTPS is only as strong as the practices of the least trustworthy and competent certificate authority such that the market tends to drive people towards cheapest providers and therefore with reduced cost, usually you increase the likelihood that the certificate authorities themselves will be hacked Of course, if people get their hands on, like hackers get their hands on their private keys, they can generate their own certificates and they can start impersonating servers or, you know, it can all go wrong if that happens. Now, there is a link on the show notes actually about how someone was able to hack someone else's SSL connection at a local Wi-Fi hotspot or coffee shop, let's say. It makes a bunch of assumptions of like, you know, you can impersonate a router, the router has, your router has a stronger signal than the coffee shop's router and the server doesn't completely encrypt all of the traffic. Like there's a few pages that aren't encrypted. So, you know, it's, There's a bunch of assumptions, but essentially it can be done and has been done with a lot of caveats, even if you don't have the actual keys. This is actually sniffing and cracking it right there with no other information other than what they can sniff over the Wi-Fi. But bottom line is, it's difficult and there's a bunch of caveats and it works in a very limited subset of situations. I've got though is that you know SSL is still not completely perfect. It's the best but it's the best we've well it's one of the best that we've got. So the idea is that if you've got a site and you're storing any kind of data at all, logins, passwords, even if it's just that, you know you should really have SSL and that's one of the things that I looked into and I'm currently updating the website and so on and so forth. So the the logins for example on hold and And that's one of the things that I'm considering implementing in future as a result of some of the research for this actually, for this episode. So I think it matters because I mean, if people are going to give me their name and a password, I have no idea if the password they're using is unique. So I have to try and protect that information. And that means I need to make sure that it's not sniffed between their computer and the server that I operate. And of course, I need to make sure that the server that I'm operating has sufficient security measures in place and isn't an open book. All the passwords themselves are encrypted but you know you can still break that if you if you can hack in and get all of the all of the hashes you can always run them through because the thing is yeah have you seen these articles about how to build a hacking machine that runs software with parallel graphics cards that crunches through all of the combinations to break the encryption and takes days weeks whatever but if they get their hands on the even on the the hashed passwords they can still they can still eventually hack them through brute force? No no I have not. Well if they hack into the server and they actually get those passwords they can given the right hardware and enough time and patience just using lots and lots of graphics cards all stacked together I mean it's highly hacked but but you know, we call them hackers, that it is actually possible. That's why, you know, when I hack into a server, even though the passwords are encrypted, you know, they can still decrypt them because the decryption only works in the one direction. So if you run through enough possibilities, eventually you'll come out with something that isn't gibberish, as it goes to theory anyway. It's just, you gotta try every single possibility. And you can't go in through the front door and do it because they rate limit it. So they say, well, you can only have X number of requests to, for a login attempt or whatever, to test your attempts at the password. So going in through the front door is no good. But if you can hack the server and extract the data and run it on your own box, and you can run through all the possibilities, millions and millions and millions and millions and millions of possibilities, just sit there and, well, I was gonna say grab a cup of coffee, but you might be there for months, but you know. So it's protecting your server side is very important as well. So it's not just the SSL which protects the data transaction, it's protecting the server on the other end. And that comes back to trust, you know, hubba hubba hubba, who do you trust? I wonder if anyone gets that one, but anyway. Sorry. - Yeah, I get it, I get it. - Oh, yay. - I think the question is not should we apply SSL to anything that has logins and passwords. I think that's pretty obvious. I think the topic that was being discussed on that particular show and what I think is most relevant as we go forward is should SSL be applied to everything, right? Read-only pages and stuff like that. Wasn't that something that was that, uh, that came up? Yeah. The issue is that if you have, so if you've got a site that has a single page that has data that needs to be protected in transit, it would then make sense to simply force HTTPS on every single page. So every, everything on that site, just push it across to HTTPS and be done with it. So everything is protected. - Right. - Because some sites were doing a, well, I only have to protect this one page. So it'll have a special URL, special handling, special rules, the rest of the site will be served up normally. Well, the argument is, well, no, you should do the lot, one in, all in. And that protects against a myriad of issues. But honestly, from a privacy point of view, yes, it also does lock out a bunch of other things, like you said, advertising and so on. but from a privacy perspective, you can protect against the advertising and stuff through different means, through your browser directly, which we'll get to. But I don't know. I think that the reason that I bring it up is that if you're ever doing a putting secure data, well, sorry, hang on. If you're putting data out onto a website, signing up for something, and it's not SSL, and you're putting in your name, your date of birth, anything like that, You really should have, it really should be HTTPS. There should be a nice little lock certificate and all that stuff. And you and I, we know where to look for that stuff. The average person doesn't. But then again, I guess I'm betting that people that are listening to this show know what to look for. So I don't know. - I think that's a pretty safe bet. - Yeah, I think it's a pretty safe bet too. But you know, tell your friends and your family. Anyway, all right. I think we should probably keep moving. - Yeah, so before we go in a different direction, I just remembered that the other company I had mentioned was Amazon. - Yes. - And Amazon is, I mean, their whole use of data is very different, but at the same time, not so different, right? So they know a heck of a lot about you, and they, I think, so as irrational as it might be, I am right now today more okay with Amazon knowing the stuff that I've bought and the videos that I've watched and whatever else I've done with Amazon services. I don't know why. I feel like the value that I extract from them knowing more about me is higher than with something like Facebook. I feel like when I've purchased certain items and they say, "Here are some other things you might like," there have been times where I've looked at it and been like, "Yeah, I do want one of those actually." And that kind of a transaction, that kind of a mental jump for me is easier to make. If I watch videos and they say, "Oh, you watched Apocalypse Now, you might like this." I'm like, "Yeah, actually that is something "I'm curious about." Something about the way that Amazon brings recommendations to me and keeps a full record of all of the things that I've done within the Amazon ecosystem, again, I'll reiterate, I know it's irrational, but something about that feels better to me. I can't put my finger on why. Maybe it's because I can't recall a time where Amazon came under fire for using data differently or in an unexpected way, or anything like that. And there could have been instances, they're just, I don't know what they are. But I think the other thing is that I feel like Amazon has all this data and they want to keep it. Like it's for them. I feel like it's not in their best interests to sell that data because the more they have, the more they can buffer their own business against competitors. So again, I don't know why I feel this way. It's just one of those things where the convenience of Prime, the availability of certain products, the recommendations seem very relevant to my interests, although there's a hell of a lot of kid videos and diapers and crap that I don't need to see every time I log in. It's a different kind of system. I know they're gathering mountains of data about me, but I feel very different about that than I do about something like Facebook. - It's interesting, isn't it? Because Facebook, I wonder if the ads on Facebook, if they actually were better or more relevant that it might feel differently. I don't know, but to me, I just hate Facebook. That's just me. I can't actually rationalise my reason for hating Facebook much the same way that it's hard for you to rationalise why you trust Amazon more than you would say Google. But I guess the bottom line is that you just you get more value from Amazon and perhaps it's the same thing with Apple with their suggestions, because they do the same kind of thing, right? They know what you bought and presumably what you've watched. And, you know, the genius suggestions, the... Yeah, it is, isn't it? iTunes geniuses, iTunes, not my iTunes, my iTunes genius, isn't it? Was introduced a few years ago. I don't, I turn it off. Yeah. Yeah. Yeah. Genius recommendations and stuff like that, you know, so they suggest things you might like as well, but I don't know, I guess one of the things though, it comes up time and again, whenever, whenever I talk to someone about privacy is that what is the worst that could happen? It's like, well, is it really relevant to anyone that I watched Home Alone 2 or Home Alone 3? Even worse, potentially. No, the third one was terrible. Anyway, is it really useful information to someone, to anyone? And I guess I think to myself, well, not so much that, but things like my name, my date of birth, my home address, that sort of thing is perhaps more of an issue potentially. And it's not so much that even it's also, okay, right now, Amazon has that data. Or let's say that you're really, you're really a big fan of a certain company that's producing something that you really want to use like a male client or a, or a to-do app, to-do list app. That's a good one. I don't know. And it's got a web component that requires for some reason, your home address and your day and date of birth, who knows. And then they get bought out or they go out of business or the government serves them a subpoena for information or you know, they've signed up to Prism or to God knows what, you know, and that data that you thought was just with them and you trusted them with it and went to them, suddenly now someone else has got it. And sometimes these things go up to the highest bidder and what happens with the information after that? Who knows? So I guess the problem I've got is that previously when you have a paper copy of something, the paper copy says, here's my name, my date of birth, my home address. And that was filed in a cabinet somewhere that you physically had to access the physical security. It was difficult to copy because you needed a photocopier, I guess, or you had to write it down by hand. So that made it far more difficult to steal. You had to do the whole Mission Impossible thing, you know, with the fake face and the accent and pull the security guards badge and make a fake copy and get in and break in and, you know, stop doing the music. And you know, but that's a sign of, okay, maybe they didn't have to go that far, but that sort of thing, right? Whereas these days, once it's online, replicating it digitally is easy. And once that information is out there and it's released, then it's up for anyone that wants to pay for it in a lot of cases. Some companies may sell it, like you say, Amazon's not going to sell it because they really have no benefit in selling it. And that's a good thing, I think. But someone like Google, that's their business. So yeah, they're going to sell it. Yeah, they're going to sell you because that's their business. So I guess it's levels of paranoia, isn't it? How paranoid do you want to be? Yeah. And that's the thing. Apple and in the past, I would say one to two years, they've taken a very user-centric privacy heavy stance where, you know, Apple Pay has been introduced. And that is really to obfuscate your purchases and keep transactions as secure as possible. There's been a lot of credit card breaches and things like that in the past one to two years. Apple has gone on record with, you know, PR releases and things like that, saying what they do, what they don't do, how this, you know, this focus is for the user and protecting people. And as much as they know about, you know, us as users, this is something that they have made very public. I think partially because of the sensitivity of these things happening, certainly it's a great marketing message. And if they are going to stick to it, that to me carries a lot of weight. That makes me feel like, okay, well, I can put at least a little bit more trust in these services and these products, because this is something that I care even nominally about. Now, like you said, things change, data gets sold to the highest bidder, and suddenly the once great feeling you had about a company can go away. But the fact of the matter is, if you use a credit card, the data that you share with that credit card company or the issuing bank is sold time and time and time again. And that's a transaction that you just have to be OK with if you're using a credit card. I mean, half the reason you get voluminous amounts of junk mail is because your bank and your credit card and your ISP and your mortgage company, everybody sells your information to everybody else. It's just, it just happens. That's, that's how junk mail is born. And it's, it's crazy how rampant it is, but you know, we're talking a lot about things that happen online and protecting digital assets and stuff like that, but this has been happening for so long, just in the normal sphere of culture that I think it's different. It feels different because it's happening online. And we, as you said earlier in the show, we went from a point 20 years ago of, I don't know about this buying things online thing to all of this information being online and now we're kind of pulling back like, "Hey, wait a second. Like maybe this wasn't such a terrific idea. You know, maybe we shouldn't have put all this out there." But it's almost too late because your information, your home address, your, all that stuff is on paper, but it's not protected behind lock and key anymore. It's just, it's shared for profit every single day. That's it. Yeah, that junk mail. It's depressing. It's so bad. So bad. Yeah. You know, sometimes my wife says, "Hey, we didn't get a bill. We got junk mail." And I'm like, "Sometimes I wish it was a bill." But anyway, not that often. Anyway, so I want to tell you a story about a job hunting experience that I had that freaked me out. And this is sort of freaked me out on a level that I haven't been freaked out about privacy for a while. And it was just the one company and I will not say who it was. I was applying for a job and they had a secure website and the secure website said in order to apply for this job, you must provide the following. They asked for a scanned, full color scan copy, high-resolution scan copy of my driver's license, of my birth certificate. And it kind of occurred to me when I'm doing this, I'm like, I really need a job right now. 'Cause I was, you know, in a bad situation from an employment point of view at that point. And I needed a job. So I called them up and I said, can I supply you a hard copy? Can I drop off a hard copy to you? I'm not comfortable, A, transmitting this information across the internet. and B, I'm not sure I'm comfortable with you storing it in soft copy. And their response was twofold. First of all, she sounded like no one had ever asked this question before. - Of course. - Yeah, of course. Like, oh, really? It's a big deal? Well, actually, kind of was. So anyway, her first response was, well, you're welcome to drop in a scanned copy if you want. I mean, you're welcome to drop in a hard copy if you want, but we'll just scan it in ourselves anyway. And I'm like, okay, so I've eliminated the in-transit problem, but I haven't eliminated the storage of that information digitally problem. And I then said, okay, is there any way that if I'm successful for the role, then I can give that to you? 'Cause if I'm unsuccessful, what are you gonna do? Keep it on file, what's your policy? you're going to delete it. Why do you need it? And she said, well, it's a policy that, you know anyone that applies for this we need to confirm your country of birth and your current status within the country. Like they're trying to basically cut back on what do they call illegal aliens or something. That's the thing, you know, they call them North America. People are not legally allowed to work in the country because they're not an appropriate visa or whatever. Trying to crack down on that. And of course, because their human resources department was spread over multiple locations, having a single hard copy wouldn't cut it because they were farming out their work to multiple locations. So, not only was it a problem once it was in soft copy, but that soft copy was then distributed amongst different sites. So, it was really a big question of how much I trusted that company. And ultimately, as much as it pained me to do so, and as much as it went against everything that I thought was reasonable and sensible, I ended up doing it because I needed the job. But that, to me, illustrated how far we've come and how really dangerous, you know, some of this really is. Because if they have their server hacked, someone can now impersonate me. They have everything that they need right there to just take over my identity. You know, the two most precious pieces of information. So, yeah, and as we've seen repeatedly in recent memory, servers are not as secure as companies would have you think. And their entire infrastructure is not as secure because there's been all kinds of breaches. There's been memos that have been leaked. And the two that come to mind are the Target one here, I guess that was about a year ago, and the Home Depot one. And there were articles, I remember reading an article on Ars Technica about the person who was in charge of security for Home Depot, and it was laughable that that guy was the person who was supposed to be securing everything, and calling it an afterthought would be an overstatement. Yeah. And these, you trust these companies, you trust that, well, they have all this data, they have to be protecting it because you would think it would be crazy not to, they'd be so liable if they didn't, but they're not. So many of them aren't, or if they are, they're not doing it in the right ways. And they're basically, it's kind of a, you know, don't worry about it until something bad happens and then we'll apologize and offer everybody a year of credit monitoring. And that is the most offensive thing I can think of that our lives and livelihoods are constantly put at risk for no good reason, because it's cheaper to offer a year of credit monitoring and a letter of apology than it is to just secure the data correctly. Yeah, exactly. Another one that comes to mind recently was the, uh, the Sony hack, which had a lot of personal information for employees, um, that was leaked out onto, um, you know, onto the internet. It's just, it's crazy. And what bugs me is that people have become so comfortable with the convenience that they are, and they are not taking the security aspects of it seriously enough. And this is why I thought it was worth adding into this privacy discussion is that I think people have reached that point now where they're beginning to realise, "Oh dear, this is really not such a smart idea. you know, this is, you know, bad and I can't just trust. And it's about a breach of trust. So, I mean, you give over your driver's license number, your birth certificate to the government because, well, they're the government. Now, whether or not you want to trust the government, that's another story, I guess, again. But, you know, seriously, though, assuming you do trust the government more so than you trust a private corporation, at least, I don't know. I don't know. Damn me. All right. So I think we should probably keep moving. We've been we've been all over the place today, but it's it's one of those topics that you get flustered thinking about it, because even if we had done a big formal outline of all the things we wanted to talk about, it wouldn't it wouldn't cover it all. And we'd still be off on a tangent. So, yes, I agree. Let's let's keep moving. Okay. So, okay. The next subtopic area, I guess I'd want to talk about is the use of credit cards online specifically. But before I do go down that particular rat hole, I'd like to talk about our second sponsor. And that's ManyTricks. Now, ManyTricks, they're a great software development company and their apps do, well, you guessed it from their name, many tricks. Their apps include Butler, Kimo, Leech, Desktop Curtain, TimeSync, Moom, Usher, NameMangler and Witch. Now there's so much to talk about for each of those apps, I can't do it all at once. So what we're going to do is we're going to talk about four of them. We'll start off with Moom. Now I love Moom. It makes it so easy to move any of your windows to whatever positions you want on the screen. Halves, corners, edges, fractions of the screen, whatever you like. And then you can even save and recall your favorite window arrangements. And there's even a special auto arrangement feature when you connect or disconnect from an external display. It's awesome. I use it every day. Name mangler. Now let's say you've got a bunch of files that you need to rename quickly, efficiently, and in large numbers. Well, name mangler can extract things like the metadata from the files and use that to rename them. It's got search and replace, obviously, but you can also create staged renaming sequences. And if you mess it up, you just go back to when you started and have another go. Which, and you should think about which is a supercharger for your command tab App Switcher. Now which is great for and is very popular with X Windows users like myself, although it's becoming more of a fading memory with every week. Anyway, if you've got three or four documents open at once in any one app, then which is beautifully simple pop up lets you pick exactly which one you're looking for very quickly. It's great. Usher. Well, you can access any video stored in iTunes, Aperture, iPhoto, or any connected hard drives on your Mac, allowing you to easily group, sort, tag and organize them in the one application. If you install Perion or Flip4Mac, there's no need to convert anything to an iTunes format, just so you can watch it. So if you've got a video collection in different formats, scattered across different programs and drives, then Usher can help you straighten it all out. Now that's just four of their great apps. There's still five more of them you can check out on their site. And all of them have free trials. You can download them from many tricks, all one word.com/pragmatic and try them out before you buy them. They're available to buy from those, their respective pages on the site or through the Mac app store. However, if you visit that specific URL and yes, they've extended this offer again, you can take advantage of a special discount off of their very helpful apps exclusively for pragmatic listeners. Simply use the code pragmatic25, that's pragmatic the word and 25 the numbers in the discount code box in the shopping cart, and you'll receive 25% off. everything in that. So, the offer is only available to Pragmatic listeners for a limited time, so take advantage of it while you can if you haven't already. Thank you once again to ManyTricks for their continued support of Pragmatic. Okay, credit cards online. The thing is, when I was younger, this was unconscionable to me that I would ever put credit card information online and yet I've done it. And the convenience is what the is the attraction. It's so convenient to just go to Apple or Amazon or eBay, you know, and buy something and then have it show up on your doorstep either the next day, the next few days or next week, or in my case in Australia, the next month sometimes because we're in a little island. Well, it's actually not that little, but it's an island anyway. So, yeah. And you choose the ultra cheap, ultra slow Pigeon delivery service, which sometimes gets lost as it crosses the Pacific. So, you know, anyway, I choose to live here. We have beautiful beaches. That's what I keep telling myself. Yeah, but anyway. OK, right. Good focus. So, right. I always am wary of sites with homegrown looking checkouts. You know, I look for the sites that have got the actual Bigger shops, bigger sites, things like Shopify, even though they're sort of, yeah, 'cause you know Shopify, I've got all of the security, because each of the companies that host this information have to split the data between servers and it's a bunch of other regulations that they have to follow and everything. And you know, you get to know some of the brands behind it, but there's definitely a trust aspect to it. But people like Apple and Amazon have got this, and Barnes and Noble is like, they all, all examples of places that have got all of that well and truly taken care of. But even so, every time you transmit that information, even across SSL, there's always that possibility, no matter how remote that you can have your credit card details stolen. Or if someone hacks their servers, they could get that information as well. Although it's unlikely, of course, if they follow all of the regulations and that require separate servers. Technically, then if they hack one server, they only get half the information and that's not enough. So, there's a whole bunch of stuff by that. I don't wanna go into that in too much detail, but still. The way I think you can get around that, you can limit the damage is by not using a credit card online but if you still want to be able to buy things online, there is a one way around it and that is some, there's an episode of Dilbert that referred to it as an inferior form of cash and that's a gift card but the thing is, some sites will offer independently purchased gift cards because of course, there's gift cards that you buy online with a credit card which defeats the purpose of course, you need to be able to buy them independent of being online. In other words, you have to go to a shopping mall, shopping center, you know, wherever, 7-Eleven, I guess, and buy the gift card from there. And if you're really, really, really paranoid, you don't want to use your bank card so they can't trace your bank card transaction, then pay with cash and it'll be more or less untraceable. But the point is that, again, depending on your level of paranoia, just I'm an ideas guy. I'm not necessarily advocating it, but you can if you want to. You have the power. So there are a few places that do this where you can have a buy gift card in the real world that you can use to buy fully digital products without a physical delivery, perhaps even if you want to go down that road. So fully digital products like music or movies or apps. Yeah, so examples for that are e-books is a good example too. So a big, big name examples, Apple, Amazon, Barnes and Noble. Those are the big three that I could think of. Can you think of any others? No, that's Apple and Amazon are probably where I buy most of everything, so that they probably cover a lot. Barnes and Noble is another big one. I'm sure there's a half dozen I could rattle off if I thought about it for 30 seconds. Yeah, I mean, I guess I picked those because those are the cards that you can buy that are readily available in shops. I mean, okay, Barnes and Noble and Amazon, not so much here, but definitely Apple. You can't walk into a corner store down here without seeing an Apple gift card on the shelf. So, you know, you can walk into a store, buy them with cash, bring them home, punch in a number into an Apple account, and enter your Apple ID. And if you create it with, you know, quote unquote, fake or protected, if you want to think of it that way, information about yourself, You can theoretically still have that experience that you would have anonymously and you can still download apps and everything and charge it all to a gift card that's all been bought that way. If you are really, really concerned about your privacy, that is an option. But, you know, if you're concerned about a physical address, you're stuck. You know, if you want to buy things from Amazon that get shipped to you, well, you want them shipped to you. You're going to have a physical address to ship it to. So there are other ways around that. But of course, you can always ship it to a friend or a family member or a business address and then pick it up from there, I suppose. But you know, that starts to get to be more painful. And if you're going to do that, then if there's an option for shopping in a bricks and mortar store, then shop on a bricks and mortar store and buy it that way while you're even considering it. So I guess that's the point of what this privacy discussion is. It's an online thing. So obviously, go offline if you want to not get your information taken online because 'cause that's kind of obvious, isn't it? So you can go and live in a cave if you want to, that's your choice. Might be a bit cold and damp, but still. Right, so I don't have too much. - That's an interesting point though, I just wanna say it like, going offline is almost not an option if you wanna be a part of society. You know, like there are plenty of people who aren't really online and you know, just saying, "Oh, you have to be online," on one level sounds a little asinine. Like, no, you really don't. You can live your entire life offline. But there's so much interaction, social or otherwise, that occurs on the internet among totally normal everyday people. Just emailing your parents, emailing your grandparents, you know, sending stuff to friends back and forth, things that have become so standard, it's increasingly hard to just step back entirely, Even if you say, I'm not gonna buy things online, I'm only gonna buy things in person, I'm gonna buy things in cash, there's steps you can take, but it's so hard to detach and remain connected to the everyday people in your life. Not even the people that are miles away, just people in the same town as you. It's just a cultural difference now than from a decade or two ago. - Yeah, that's a good point. Emails become ubiquitous. It's like everyone who seems to have an email address. And the reason is that, you know, you buy an iPhone, you know, you get an email address when you create an Apple ID, right? You create a Google account for free, you get an email address. So, everyone seems to have an email address. So, to not have one seems very, very unusual. And certainly pretty much everyone that I know, with the exception of my mother, Just realise that my mum doesn't have any... My mum doesn't have internet at her house. She doesn't have an email address. She doesn't have a computer. She doesn't even have an iPad or any computing device whatsoever. That sounds like bliss. Well, I sometimes say to her, "Oh, did you see the photos we put on Facebook?" Oh, never mind that. No, you didn't. Of course you didn't. What am I thinking? Anyway, and every now and then we sort of say, "You should get yourself an iPad or we should get you an iPad. And we, my sister and I, we almost did, we almost bought her an iPad. And she's like, if you bought me an iPad, I would refuse to use it. And I'm like, but she'd be giving it to you. But my mum is this sort of beautiful person who says, well, you know what? You can't make me. So, it's like, OK, fine. Be that way. It's all good. I guess it's one less iPad that I have to maintain. Think of it that way. Yeah, look at that one. I've got my wife's iPhone, my kids iPads, it's like, and I've got enough stuff to maintain in my IT personal life. But yeah, so it's very hard, you're right, to go off the grid, especially in Western culture these days, especially for anyone, I think, under the age of about, I don't know, 50, I would say. It's just so hard. Anyway, I don't mean to be ageist when I say that, I just I was trying I think of a good age off the top of my head and maybe that's hard to put a number on but you know okay I didn't have too much else to say about credit cards to be perfectly honest but you know I just wanted to mention that so let's talk a little bit about browsers and a few little bits and bobs before we wrap it up but some things you can do is there's Chrome has this thing called incognito mode and Safari has this thing called private browsing and I thought it might just be interesting just to quickly talk about what that does and what that doesn't do. So I guess in terms of additional protection it's it's more about protecting your the data on your side on your own computer more than more so I think than anything else. You still type if you're in incognito mode and you type in a search into Google, Google's still gonna have a record of it you know but if you've got a browsing history that browsing history won't be maintained on your computer. Any cookies that have been transferred you know during your web sessions that ordinarily would would stick around potentially on your hard drive for a bit longer to track where you go next well they'll be expunged at the end of your session. Of course you can do that yourself manually if you want to there's settings in your browser to turn that off you can turn off your cookies and so on and so forth and so I don't get keep track of my history but the idea I think of incognito on private mode is that it's a one-click button that allows you to I just realized a one-click button as opposed to watch on a two-click button or a three-click button it's one button that you can press to take care of it all I suppose but you can go further than that if you want to and one of the things that I've come across is HTTPS everywhere and its friend SSL everywhere. Have you come across these ones? I think I've heard of them but I've never really looked into it. Yeah, I started looking into it a few weeks ago actually and it's their extensions or HTTPS Everywhere is an extension for Firefox, Chrome and Android and it forces HTTPS and SSL Everywhere is an option that does the same for Safari users. a few other different ones out there but those are the two that I was looking at. It forces HTTPS on every website whenever it is a possibility. So rather than if the website says default HTTP but there's an HTTPS option then the browser will force the HTTPS option. So it forces that encryption even if the site doesn't. You can also, as I said, set your cookies to expire whenever you exit the browser. You can turn off referral links. you can turn off, you can install an ad blocker. That's another one. I also came across an interesting site. I haven't used it, but it's called Disconnect Me. And it kind of looks interesting. There's a free version of it. It's a $5 a month version. It says it can give you a truly anonymous search, visualize tracking information and so on. I don't know, might be interesting just to investigate further. It's not necessarily a recommendation, but you know, there are other things that you can do. But honestly, the simple things with passwords and stuff as well. I know it's sort of a tangent on browsers, but when you're signing up for something on the web, just use a different password for every site you sign up to. That way, if one gets hacked, your password's not gonna get affected and the other logins won't be affected as well. And using a password management tool that can generate and remember all the unique passwords is very useful for this. And I use one password. I realize, again, that's a bit of a tangent, but it's still related, securing what you're doing and keeping it private. having one password for everything is insane. I'm assuming you use a password management tool, Seth. Oh yeah. I've been using one password for years. I swear by it. And I tell everybody I can about it. Yeah. Same here. And I've tried to get my wife to use it. And she says, I don't know what the pop-up means. So I just keep hitting cancel. And that's the sound of my head banging against the desk. Yeah. I finally got my wife using it and she's, she's on board now. She gets it. And that just, uh, it sounds small, but it helps me sleep better. - Yeah, exactly right. 'Cause my wife's Facebook got hacked a while ago, which was a brief but unpleasant experience. So yeah, and I think she's getting better, but I still need to do more training, I think, on the one password site. So anyway, do you have anything to add on things you can do with browsers to try and improve your privacy? - Yeah, a service that I like to use, especially when I'm traveling, is Cloak. It's a VPN service that you just pay a couple of bucks a month, and everything is basically routed through a private server that they maintain. And again, you're trusting them with that data. But I feel like it's a good trade-off if you're on public Wi-Fi, or in an airport, or traveling, or wherever. It's very, very fast. And whenever I sign up for a service like this, I try to dig as much as possible and see what they're all about. And I get a pretty good feeling from those guys. It's a very small company. They seem very serious about providing a good service. So that's one that I currently use and trust and also recommend to people. It's very inexpensive if it's something that you're interested in. Cool. And just for the listeners that don't know about the why VPN matters is that if you, what a VPN does is you dial into a, dial in, gosh, geez, I sound so old fashioned when I say that. When you connect to a VPN, hang on a sec while I slap myself. Anyway, when you connect to a VPN and it's an encrypted one, it's essentially a connection between your computer and a service somewhere out there. That data transfer is then essentially, is encrypted and no one else can sniff on it locally. and then all your data requests go via that VPN. So wherever that VPN comes out at the other end. So what you're essentially doing is, yeah, you're meeting anyone locally, like you said, on the free wifi around the place. They can't sniff any of that data 'cause it's encrypted between you and wherever the VPN is. So they can't get at it, which I think is a very good idea. And it also kills a lot of the ads and stuff and things that get inserted over the top on free wifi, I think. Yeah, I think so. VPN is traditionally more of a corporate thing for getting back into your business network. But I've seen kind of a small proliferation of consumer-level VPN services over the past few years. And Cloak is one that has always worked for me. It's very, very fast. And that's really it. I mean, you get sometimes a speed hit, a performance hit, when you do that, because you're bouncing your data requests through somewhere else. But it's very performant in my experience. And again, if it's the kind of thing that you think about at all, it's worth investigating. Our wireless services, LTE, stuff like that is pretty robust these days and getting better. But there are times when you just don't have service and you have to use public Wi-Fi. And just having that available to you is an extra level of security and a good feeling. Cool. Cool. Good tip. Should we even, should we even talk about the Verizon SuperCookie? That is actually what I was hoping you would say, because I've got a note here you mentioned it earlier. So let's, let, let, let's explore your front, your current frustration and angst with respect to the SuperCookie. I just, I actually only know bits and pieces about this. It sounds like you know more about than I do. So, um, yeah, take it away. Yeah. Admittedly, I'm not a security researcher and I will probably misspeak at least once in this diatribe, but the general notion is that, I believe it's AT&T and Verizon, but Verizon's is more unpleasant. I think they're both doing it. I don't think I heard of Sprint doing it. I know T-Mobile is not, because they've come out and said, "We don't do this." Anyway, I use Verizon as my carrier, so that's why it's relevant to me. The notion is that there are cookies that are placed on your wireless traffic that is not done over Wi-Fi, but over the LTE or 3G network, that even if you have opted out wherever possible through Verizon's services, which I have done, to limit ad tracking and stuff like that, this particular snippet will remain. And even if it is deleted, it can come back and their position is it's legal and you don't really have to worry about it 'cause nobody is going to use it. But third parties have investigated it and found that other companies are in fact using it and that even if it is deleted, those companies can still access it or replace it or something like that. The bottom line is that there is a flag on your wireless traffic if you're using those networks that basically reveals an awful lot about you, your behavior, your location, and your habits. And it's an extremely unsettling thing to learn, And it's the kind of thing where you say to yourself, "Okay, I can't switch carriers today because for me in my area, I've had every single carrier and Verizon is the best. My service is extremely good here, extremely good. And I'm very pleased with it. It's fast, it's reliable, it's ubiquitous in my area. but there is a part of me that is severely disturbed by this. And whether it's just on general principle that this shouldn't be happening, that's a part of it. But the other thing is, getting back to what I was saying earlier, the notion that companies have of, oh, don't worry about it, nothing bad's gonna happen. And that attitude incenses me to no end because even as a non-security researcher, I have a little bit of insight that says, yeah, something bad could easily, easily happen as a result of this. And whether you're selling it or it gets misappropriated in some other way, bad things can happen. So don't sit there and tell me, don't worry about it and it's fine. Like it's just, we're way past the point of just saying, oh, all right, well, no big deal then. You know, and I really hope it's the kind of thing that gets a lot more attention. it's getting a lot of attention. I hope it's the kind of thing that gets a lot more attention and that it continues to really keep this dialogue open of what we are accepting of and what we are allowing these companies to do with our data and with our identities to some degree. I'll tell you one thing that I do think is wonderful about Apple is, and there are lots of things to love about Apple, of course, but they're not perfect and they do do things wrong from time to time. But this whole push that they've got about privacy, if you want to be the cynic and say, "Yeah, it's just a marketing thing because they don't really mean it or whatever else." But you know what? If you take them at their word and people say, "Well, I feel safer with an iPhone because of all the malware that seems to get on Android versus that gets on an iPhone. And the fact that Apple Pay and Touch ID is all that information is all stored in a secure chip and you can't get the data out. It's a one-way transaction. Data goes in, it never gets out. You know, it's like, well, okay. So that's wonderful. If that becomes a strong differentiator, how long before that momentum starts to, I say infect, but I mean in a good way. but it starts to be a big influencer and all of the other companies that are out there start to realise we can't keep being so... It's almost patronising, isn't it? It's like, oh, it's no big deal. Don't worry about it. You know, you shouldn't be worried. It's like, well, actually, we are worried. Yes, it is a problem. And no, we don't trust you. And I'm going to now vote with my feet because I have an alternative. And these people over here care about my privacy. So I'm gone, you know? Yeah. And I think we're starting to see the beginning of that, but it hasn't gained enough momentum yet. And this whole discussion about privacy, the more I think about it, the more I think to myself that it's going to become a bigger and bigger issue and people are going to start demanding it. It's only a matter of time. And the more breaches that we have, the more exposure that there is, more information that people are trying to get out of us, the bigger a a problem it's going to become and the more visibility it's going to get. So I don't know. I'm not sure if turning point is the right expression, but certainly there have been enough incidents that it's starting to really change public opinion. So. Yeah, we're finally going to get chip and pin here after 15 years of people saying, don't worry about it. So things are changing. Yeah. Yeah. I'm really happy that America isn't finally going to embrace chip and pin. It's been... When I lived over there, it was always very odd to me that I would hand over my credit card. - Yeah, it is. - It's just weird. But you kind of get used to it because that's just the way it was done. And it's great to see. And honestly, it's going to make it a lot easier, especially for people traveling around the world, but also for everyone in the US. It's just better. And now with Apple Pay over the top of that, like I sort of, I talked about this in the last episode, it's, yeah, it really is the next step whereby the transaction is sort of, is more in control for the individual and it's more difficult to extract and it's going to really cripple the vast majority of credit card fraud. And I mean, we're talking about what, 200, oh, hang on, it's 200 billion is the overall loss in the US for merchants. I think on an individual level, it's about 5 billion US a year. Oh, that's individuals. So you add up everyone's individual losses. That's losses that cannot be recovered. So every individual's added all up, $5 billion of credit card fraud every year. So chip and PIN's gonna decimate that and Apple Pay will decimate it even further or systems like Apple Pay. So definitely steps in the right direction. All right, there's another thing just want to quickly talk about and that is getting back to Nick Radcliffe's feedback and that's specifically about ebooks and this is how this all started is that the problem is that if you want to be able to you know get music and do it anonymously or ebooks and get them anonymously the ability to sideload those books not via an app store is a handy feature and some devices allow it and some don't. But in any case, it's that the end of course a lack of DRM is also very helpful if you're going to do that. So there's an interesting book and article on a life hacker. There's lots of good stuff on lifehack and there's a link to it in the show notes. For people that feel that they're in too deep with their digital footprint, if you want to call it that, there's a book that was written by a professional skip tracer and their job is of course is to track people down and anyway it's called Disappear, Erase Your Digital Footprint and I haven't read it but I've read excerpts from it and it looks really, really good. And the idea is that the person that wrote this had 20 years of experience tracking people down and they decided that they should write a book about how you can actually make it hard for people like them to find you. So some of the interesting points for those people that feel like they're in too deep and they want to back out a little bit, and some of these are probably going to be obvious but I'll just quickly mention them anyway. Minimize social interactions on social networks. So stop posting things, like don't include your location, don't tell people exactly what you're doing, you know, gradually reduce the amount of interactions. do it suddenly that looks obvious. Just do it gradually and then ease out of it. You can create misinformation in all of your profiles online. So, you know, rather you change the spelling of your last name, change your date of birth. If you put your actual one in, change your address, just a couple of numbers here and there and so on and so forth. And then and that will then, of course, you know, throw people off if they're trying to find you. You know, stop using credit cards, debit cards, just move to cash. I was going to say stop using plastic, but in Australia, we have plastic money. So that's not going to help. But anyway, you know what I mean, right? Stop using the credit cards, stop using debit cards because it's a lot harder to track you if you're just using cash. And if you really, really, really want to go further, you can say, well, I'm going to set up a business entity to handle moving all my money around so they can pay bills on an apartment, they can pay electricity bills, whatever else, utilities and so on. And technically your name is a further layer or two removed. So anyway, that's pretty intense, though. I don't know if people really want to go to that level, but it still looks interesting for those people that want to get away from being too exposed online. I think that it's interesting. I personally am probably not going to do that, but you never know. Maybe you're considering it. So I don't know. So I guess if I had to wrap this up, and I know you're right, we have been a bit all over the place. So it hasn't been a typically, it hasn't been a typical pragmatic episode in that sense. But still, I guess people have been saying for years not to put so much information about yourself online. This is not a new thing. But maybe only recently are people starting to take it more seriously, because a lot of that trust that's been building is now being broken with all these server-side hacks. And as I said before, being out of the mass dumping of encrypt, what people thought were encrypted passwords and personal information and the Sony hack and target and all these things are happening and starting to erode that trust. There is really no encryption method that can't be hacked eventually. It's not possible. There is always going to be a method to to break encryption. Nothing is perfect. And, you know, it's just a matter of it's a cat and mouse game. So you move the piece of you, you move the goalposts, you set them higher and the technology catches up to let hackers hack it. And then you got to keep moving it up and moving it up. And it's you never quite you never out of the game. You always got to keep getting better encryption and better technologies for doing this stuff. But if you want to play online and take advantage of the Internet and what it's got to offer, you can still minimize your risks of your private data becoming exposed. But the key point is you can never fully eliminate it. You can't. Eventually, someone who is truly determined can find you. It's just how hard are they prepared to work? Tracing back your IP address to an ISP, hacking into the ISP to find out your home address or God knows what they would do. You can never truly, absolutely, completely get away from it if you're going to partake in it. Eventually, someone can find you. It's just a matter of how far you're prepared to go, how paranoid you feel and how much trouble you want to go to, to avoid, I suppose, that risk. What do you think? Yeah, that's about all you can say on that. Cool. Well, before we do go, though, there is something that you've been working on that I do want to talk about. I know it has nothing to do with privacy, but it is cool and it's an app. Actually, it's a cool app called Stringer. Do you want to spend a couple minutes just talking about that? Yeah, sure. Stringer is an app for shuffling your music. It's our first app at Derby that we released last November in the fall. So a bunch of you guys got together and started a little company on the site because I know that you're CIO of Nickelfish, but you sort of started this derby thing to specifically work on apps that you guys wanted to write. Is that right? Yeah, that's accurate. We've had ideas for years that we wanted to build ourselves, but Nickelfish is a client services business, and it's always hard to allocate the time to that stuff. So we found ourselves in a position to do that, I guess, at the beginning of last year. And we did. And it's been an interesting journey. It's been a lot of hard work, a different kind of hard work, but it's been extremely rewarding. And so Stringer was just the first idea that we wanted to kind of kick off. We needed some place to start and the team is very small, so we needed to build something that we could get out without taking too much time. So as I started to say, it's a pretty basic concept. If you have local music on your iPhone or you're using iTunes Match, what the app will do is it'll look at it and it'll shuffle all that stuff. And the trick is that when you use the regular music app, if you shuffle, as you go through songs if you hear something that you like, you want to hear more from that artist or from that album, you have to stop the shuffle and kind of step outside and go listen to more of it and then come back and reshuffle and do all that. Well, the thing about Stringer is you can-- where you are in your shuffle, kind of step over to the side and throw some songs in right after that. So you can hear more from that album or go the other way and hear more from that artist from their other albums that appear in your collection and continue on. So it's a customizable shuffle. There's some other stuff that's built into it. You can import your iTunes playlists. You can save strings if you've kind of tailored a string to your liking. If you have all this artists one albums and it's only the songs you like, you can save stuff within the app like that. It does a few other things. It's the kind of thing that now so many people use streaming services like Rdio and Spotify. And that's cool. I mean, they offer amazing things. The core group of us that had this idea, though, we have really big music collections, and we listen to a lot of our own music still. And I think there's still a pretty decent number of people who do fall into that group. And iTunes isn't selling as much music as they once were, but they are still selling a pretty decent amount of it. So if you are someone who does fall into that category and listens to a collection and likes to shuffle and often thinks, "I'd like to hear more of this", then it might be something for you to check out. It's pretty fun. We think it looks real nice and there's not too many bugs. - Okay, nice. That's always handy. Yeah, so people should forget shuffle and they should string it. And honestly, I play with it and I know this is little things like animations, but it looks very, very cool. The stringing effect is very cool. So yeah, I've played with it. I quite like it. I've actually been going through a phase where I'm listening to a lot of podcasts more than I am listening to music, but still I have to admit it is so much better than the built-in shuffle functionality. And as I said, I, I'm like you, I don't stream very much. I tend to, I have my own music collection, so it suits me perfectly. So if you haven't checked it out already, then I encourage you to check it out. It is, it is free on the app store, I believe. Yeah, it's free with an in-app purchase to unlock the advanced features, but you can definitely try it and figure out if it's for you. You can use it for free to your heart's content just as it is. Cool. Excellent. All righty. Well, thank you for that. I guess if we might leave it there then. I don't think there's anything else to talk about on privacy. We could go on forever about privacy. Yeah, exactly. We've got to draw a line somewhere. I think this was a good jumping off point. I think we touched on a lot of things at a very shallow level and maybe we'll revisit some of these in the future, but there's so much to talk about. We could go on and on. Yeah, that's it. Exactly. If you do want to talk more about this, you can reach me on Twitter @johnchidjie and my site techassortion.com is where the podcast is hosted, along with my writing and some other stuff that I've done. If you'd like to send any feedback, please use the feedback form on the website. where you'll also find the show notes for this episode and the podcast is Pragmatic. Don't forget about the T-shirts. There is a link in the show notes this time, promise, and grab them while you can. They're not going to be up forever and I'm probably not going to do shirts again. So this is your last chance. Get in while you can. You can follow Pragmatic Show on Twitter to see show announcements and other related stuff. I'd also really like to thank my guest host today, Seth, for coming on. And what's the best way for people to get in touch with you, Seth? You can find me on Twitter. I'm Seth Clifford there and if you like the things I say, you can read some stuff I write occasionally on my site at SethClifford.me. Yeah, and you had a good one about privacy I think. Yeah, it was kind of timely in retrospect. It's just comparing and contrasting some different approaches and it's really just feelings and not a lot of science but it's just you know stuff on my mind so yeah there it is. Cool, excellent. Oh and if you want to see the work we do, I should probably say that too. Nickelfish.com for the main company and heyderby.com for our products. Fantastic, excellent. Very good, excellent. Well, a final thank you to both of our sponsors for this episode. Firstly, I personally want to thank Hover for sponsoring the show. Hover is a domain registrar that's simple and easy to use with a valet service for your existing domain transfers, making it simply the best way to buy and keep full control of your domain names. Check out Hover at hover.com/pragmatic and find out just how easy it is to use. Use the coupon code "Pragmatic" to get 10% off your first purchase. Let Hover valet your domain stresses away today. I'd also like to thank ManyTricks for sponsoring Pragmatic. If you're looking for some Mac software that can do many tricks, remember specifically visit this URL, manytricks.com/pragmatic for more information about their amazingly useful apps and use the discount code pragmatic25, that's pragmatic the word and 25 the numbers for 25% off the total price of your order. Hurry, it's only for a limited time. I know they keep extending it but they won't extend it forever so get in while you can. Thanks again everybody for listening and of course, thanks again for coming back on Seth. Thanks man, it was fun. [MUSIC PLAYING] (upbeat music) [Music] (upbeat music) (upbeat music) (upbeat music) (upbeat music) (upbeat music) (upbeat music) (upbeat music) (upbeat music) (upbeat music) (upbeat music) (upbeat music) [Music] (dramatic music)
