Encrypt all the things, leak nothing

This site is a principled sort of operation. I have strong opinions about encryption, privacy, and internet freedom. This is a place where I can publicly live up to my own expectations. If you're not super into this kind of stuff, I do have some tips at the bottom that are accessible and useful for regular non-computer-nerd people to help protect themselves online.

Invisible mandatory encryption

I'm opinionated and principled -- borderline weird -- about digital security. You may notice that your browser has a little green lock indicator of some sort next to the URL of this page. That's because I've gone out of my way to set this site up to not just allow, but to require encrypted SSL connections. I recently migrated to my very own dedicated virtual machine, which I have complete and total control over, and the first thing I did was get myself some certificates from Let's Encrypt.

The certificate I'm using doesn't rigorously assure you that this website is, in fact owned by Joby Elliott, of Albuquerque. I didn't have to fill out any paperwork, or even give anyone my name. You wouldn't want to see a bank using one of these. What it will do is assure you that this site is still controlled tomorrow by the same person it is controlled by today, and that nobody between your computer and my server has tampered with what you're seeing. It also means that your ISP can't see what you're reading or doing -- all they can see is that you made some connections to byjoby.com.

Now in the case of this site that isn't really a big deal, but for a lot of sites it's important that they protect the privacy of what their visitors are reading. You probably don't want every search you do on WebMD visible to any schmuck at CenturyLink, for example. I'm also of the mind that for encryption to be genuinely useful as a tool against authoritarianism it must be ubiquitous. It must be everywhere, and on every possible connection. The use of encryption cannot be interpreted as an implicit signifier of any kind of guilt -- so this is me doing my part on that front.

Leaking nothing to third parties

This site no longer contains any third-party tracking code. No ad networks, no analytics networks. None of your browsing here is known to Google, Facebook, or anyone but me. I'll always have to keep some logs, because I need to be able to respond to security concerns and collect some analytics for seeing how well the user experience is working. I run it out of my own pocket for my own reasons. I can afford it as a hobby, and if you really want to pitch in I would happily take a tip at the Bitcoin address listed on my Keybase profile (on the note of encryption, that site can be used to cryptographically verify that the bitcoin address it lists and this domain name belong to the same person). You know, if you read something you liked here, just buy me a cup of coffee over the internet to say thanks. I promise I'll never have ads though. That's not why I do this.

I've completely abandoned Google Analytics, and now run my own free (as in speech) analytics software on my own server. If you look at the resources this page loads, you'll see it as connections to analytics.byjoby.com. I named it "analytics" so that it will easily get caught by automatic privacy filters. If you want to run something like Privacy Badger (you should) to prevent detailed tracking of your online activity that's your right and I'm not going to try to defeat the software you choose to view my site with.

I can't prove it to you, but at least now you can take my personal word for it that my logs get scrubbed of IP addresses regularly, and only anonymous aggregate data is preserved for any significant amount of time.

Take your own action!

Regular people

If you don't have your own website, there's still a lot you can do to protect yourself online. The following browser extensions will go a long way toward keeping you safe and private on the web:

I also highly recommend installing Firefox on your Android phone if you have one. It will let you install uBlock Origin and get ad blocking on your phone. Not only will that make your life enormously better, but it will help keep hackers and ne'er-do-wells out of the enormously sensitive trove of private information that is your phone.

You should also really, really be using a password manager. This is a discussion for another day, but suffice to say that using a password manager is vital to good internet security. I've personally been using LastPass for several years, and have nothing but praise for them. Their free option is perfectly good for almost anyone.

Another discussion that's too deep of a dive for this post is two-factor authentication. Just look for it in every site you use frequently, and turn it on if they have it. Google and Facebook both have it. It's probably the single most important thing you can do to secure yourself online.

Webmasters

If you run a website, you can do these things I've done. SSL certificates are free from Let's Encrypt. It just takes a little knowhow to get them set up if you have command-line access to your server. If you have command line access it's also really easy to set up automated renewals, which makes the whole thing pretty much a set-and-forget kind of setup.

For installing your own analytics software, I recommend Piwik. It's free/libre, and has both a great UI and solid analytics tools. It's also built in PHP, and the world runneth over with LAMP servers. It shouldn't be hard for you to find one to run your own analytics on.

And finally, just care. Take your own privacy seriously, and then try to take the privacy of others just as seriously (if not more so).