Practical privacy and simple cybersecurity.
TheNewOil.org

The New Oil Has a Merch Store Now

The New Oil now has a merch store. If you have no interest in such things, feel free to ignore this. But if you’re interested in possibly helping support The New Oil and picking up some swag in return (we do ship globally), I’d like to take some time talk about this newest support method, because quite frankly, it’s not perfect and some of you are not going to be happy about it, but I think if I explain it you’ll find that it’s actually not too bad.

Why a Merch Store?

When I started The New Oil, I never actually expected it to take off. It was really more of a “getting it off my chest” or “being the change I wanted to see” kind of thing, but I truthfully didn’t expect a lot of people to care. I figured it would get a few hundred hits, attract a few fans, and maybe get a small handful of die-hard donors. I was very wrong. In just a few years, The New Oil has just had shy of 10,000 visitors per month (we actually broke 10,000 for the first time last month) and last year made over $2,000 USD in donations, not including things like affiliate links where I get a credit on my account, and we're on track to make significantly more this year. Once I realized the project was growing so much, I began to look for ways to ethically monetize it. I like my day job, but truthfully I like working on The New Oil a whole lot more, so if possible I’d love to make enough money off of it do do this full time. I decided to aim for this with things like affiliate links, sponsorships, and donations. But of course, money is not the goal here, so we have very strict guidelines about sponsorships that you can view here, and we only implement affiliate links from projects we have vetted and trust and we deploy them in a transparent and optional way. Adding a merch store is merely the latest step in this side goal of ethical income. Donations are appreciated, but I hate asking for handouts and free money. I much prefer to give people something in return. (One could argue that I’m already giving you content, but still.)

Why This Particular Setup?

Let’s talk about how the store itself works. The best way would’ve been to order merch upfront and then sell it via an open-source, self-hosted platform such as OpenCart or WooCommerce. It would’ve meant less parties involved, more control over the content of the store (like third party trackers), the trust of open source, and more profit in my pocket (buying merch in bulk up front results in a lower per-item cost). However, there are several reasons I chose not to go this route. The first and foremost is time. Running a store this way requires me to sink a considerable amount of time into ordering merch, monitoring inventory, restocking, and – most importantly – taking items to the post office and mailing them. I have a full time day job, The New Oil (which is basically a part time job at this point, I easily sink double digit hours into it every week and that’s just to maintain stuff like running the communities, posting articles, and correcting errors on the website), Surveillance Report, a wife, a band, and friends and other family all asking for my time. I can’t afford to put more workload on myself. The idea of putting more work onto my already crowded plate was – quite frankly – ludicrous and I don’t think anyone in my life, supportive as they are, would’ve appreciated me cutting into my precious free time anymore than I already do.

Additionally, I am not comfortable hosting your payment data. Running a self-hosted store would’ve meant that I was responsible for securing your data, and storing it for four years in compliance with the laws in my state. That meant four years of having your name, address, and possibly card details in my possession. This coming from the guy who can’t even spell in his own native language most days, are you sure you want to trust me to have that database set up correctly? To have all the security features enabled? To have all the vulnerabilities patched? I’d like to take this second to remind you that I have absolutely no formal training in this stuff at all. I am not a sysadmin, I was not any kind of comms guy in the military. Everything I know about hosting and cybersecurity has been self taught. That’s fine when it comes to stuff like “use a password manager” and “keep apps off your phone when possible,” but it’s begging for trouble when it comes to stuff like securing your payment data.

How Does it Work?

Instead, I opted to use BigCartel with Printful. Here’s where things start to get sticky. BigCartel is an ecommerce plaftorm with a freemium business model: the free plan (which I’m currently using) allows me to post up to 5 items with a single image to display. Printful is a back-end “on demand” manufacturing platform. In other words, here’s what happens: you buy the item, BigCartel pays me, BigCartel sends your order to Printful, Printful charges me, Printful manufactures the item, and then finally Printful ships the item to you. (Remember that sequence, it’ll come up again shortly.) This does have several drawbacks. For one, the prices are significantly higher. I only make a few dollars from each purchase (I set the profit margin to 15%, well below the retail clothing industry average of 36-43%), whereas with pre-printed and self-shipped products I’d make about $10 or more, easily. I also have very little control over the content of these websites, including things like tracking scripts. But the plus side is that this service is entirely, 100% automated. I don’t have to lift a finger. See my earlier rant about not wanting to add more work to myself.

That said, I stated earlier that making money was not the primary goal of The New Oil. It’s a secondary bonus. Therefore it was imperative to me that I ensure I that whatever platform I use is at least “not god-awful” for privacy. And I think I’ve accomplished that. The following information was gathered over several weeks of studying the privacy polices of both BigCartel and Printful, as well as numerous back-and-forth conversations with both asking for clarifications. First, the easy one: Printful never sees any information about you except what you ordered and your shipping address to fulfill the order. They never see any payment information, and they never get any kind of data that typically gets collected when you visit a website directly, like cookies, tracking beacons, and other fingerprinting techniques. Remember earlier I said “BigCartel pays me, BigCartel sends the order information to Printful, and Printful charges me”? That’s how Printful charges for orders. If you pay $20 for a shirt and the cost for them to print it is $15, then upon receiving that order they charge me $15, leaving me with $5 left over from the order. Your payment info is never involved in that equation.

BigCartel is a little less great. They collect a lot of information like browser type, IP address, “the page you visited before navigating to our services,” device information like hardware model, operating system and version, mobile network information, etc. (You can view their privacy policy here). Now, I do want to clarify something: a lot of websites these days have this trend of writing a privacy policy for users and not visitors. In other words: not everything in this privacy policy applies to you as the shopper. Some of it I have no doubt they do to you, like reading cookies and device information. But you’ll notice some other, more worrying stuff in that privacy policy such as aggregating data from identity verification services. It’s much more likely that this only applies to me, because I have to give them legal information for tax reasons. So don’t read that privacy policy and instantly go into panic mode. This actually leads into my next section about recommendations.

How Can I Use it Safely?

So BigCartel is a little invasive. But as I said earlier, I think it’s pretty reasonable to use it despite that because frankly, to defend against BigCartel’s tracking is to use the exact same stuff I recommend on the website anyways. For starters, you should be visiting with a browser that respects and defends your privacy, such as Brave, Firefox, LibreWolf, or Tor browser if they’ll allow it. You should be using plugins like uBlock Origin that block trackers. I also encourage using a VPN (or Tor browser if you can’t/prefer not to use a VPN for whatever reason) to hide your IP address. That takes care of almost all the automated stuff like fingerprinting and cookie tracking. For payment and shipping, I’ve long advocated for the use of payment masking strategies such as privacy.com and the use of PO Boxes to mail things to instead of your real home. And finally, use a masked email address to protect yourself from both data breaches and tracking when placing the order and a Voice-over-IP phone number if they require a number. Between all of these strategies, you run virtually no risk in using BigCartel’s service to order merchandise.

Having said that, there is one use-case in which I am willing to put in a little extra work (assuming it doesn’t become overwhelmingly popular). BigCartel does not support cryptocurrency, and even if they did it would probably not include privacycoins like Monero. If you’d like to place an order in cryptocurrency, contact us directly at thenewoil@protomail.com (or thenewoil@tutanota.com) and we’ll either send you an invoice or make a new one-time address you can use for the transaction. Then we’ll order the product on your behalf and ship it to the address you provide. (If you have a better suggestions on how to handle crypto transactions, feel free to let me know. I’m not a crypto expert, I’m just trying to ensure a way for us to verify that you have paid the amount while still respecting your privacy).

Where is the Store?

Hopefully this covers everything and has made a decent case for why this particular setup is not as evil as it first seems and explains why I went this route as opposed to other routes. If you know of a better way to accomplish a merch store that doesn’t add more work to my plate but also better respects user privacy and doesn’t rely on my incompetence to protect user payment data, don’t hesitate to let me know. But at this time, I think this is going to be the best compromise. If you’ve read all this and you’re interested in supporting The New Oil and getting some merch in return, you can check out the store here. If the store does well and there’s a high demand, I’ll invest in a paid plan so I can add more items.

Thank you guys for your continued support. I look forward to bringing you more helpful content as The New Oil continues to grow.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...