Being a Workaholic Nearly Killed Me. Here's What I'm Doing Differently

I’ve written about my heart attacks several times before, but bear with me, because I’m still in the long process of healing and understanding what it’s all about and how I need to change my life.

Quick recap: last July I had two heart attacks which led the discovery that I had major heart disease, serious enough to need a sextuple bypass. I was in the hospital for three weeks and even months later I’m still recovering, physically and emotionally.

When all that sh*t went down, I was astounded that I had heart disease because I lacked most of the warning signs: I wasn’t overweight, didn’t smoke, and had no history of heart disease in my family.

However, I was under enormous stress–partly because of family issues (one of my two children is high-needs) but mostly because I was constantly anxious about work and therefore stressed all the time.

What’s weird is that I was stressed even though: 1) I work my own hours, 2) I set my own workload, 3) I only work with people I like, 4) I make very good money, 5) I get to work from home and 6) I do work that I generally enjoy.

In other words, there was no objective reason for me to be stressed about work. In fact, I sorta fit the profile of the exact opposite of a workaholic. Or so I thought.

According to a recent article in the Harvard Business Review, you are still a workaholic if you allow work to intrude into your thoughts all the time and if your feelings about work are tied up with anxiety, regardless of how many hours you actually spend on the job.

So I was a workaholic and didn’t even know it. And it almost killed me.

And when I say it almost killed me, I’m not exaggerating. All but one of seven my heart arteries were blocked, some of them 100%. I was literally on the edge of death and it’s a miracle that I’m still alive.

In fact, due to the operation, I’m in better health than the heart attacks. That’s the good news.

But here’s the bad news: even with my new regimen of heart medicines, those blockages may return. And because I’m not overweight and don’t smoke, there’s really not much “ballast” to throw overboard to keep my ship afloat.

I eat heart-healthy, but I pretty much did that before the heart attack. I’ve also stopped drinking alcohol but I’ve always been a “two or three glasses of wine a week” kinda guy. So even with heart medicine, I’m high risk for more heart problems.

So you see, if I can’t lick my workaholism, it will literally kill me.

I have a feeling that I’m not the only one who’s facing the challenge of way too much stress at work. So, in the hopes that it might inspire, here’s specifically what I’m doing to prevent bot the workaholism and the heart disease it causes:

1. I’ve abandoned unrealistic goals.

The root of much of my work-related stress was a deep-seated feeling that I wasn’t living up to my potential because I hadn’t fulfilled two goals I’d set for myself about twenty years ago

  1. Write a NY Times non-fiction bestseller.
  2. Write a novel that would be made into a movie.

In setting these ambitious goals, I was “shooting for the horizon.” However, while that might work for some people, I made myself miserable every time I failed to achieve those goals. 

So, even though I wrote several well-received and successful business books, but never hit the NY Times bestseller list. And while the novel I wrote did garner some Hollywood interest, nothing came of it in the end.

So, even though most people would be probably be proud to have done so well, I felt like a failure because I didn’t reach the horizon for which I’d aimed.

So while “aim for the horizon” goals might work for some people, for me they’re toxic because I beat myself up when I think that way. So I’ve scaled down the goals, big time. I just can’t afford to think that way any longer because it will kill me.

2. I’ve redefined who I really am.

As you might have noticed, there was more than a little grandiosity behind those ambitious goals. Indeed, I had such a high opinion of my potential that I hated that I wasn’t fulfilling that potential. And that hate was a HUGE source of stress.

For example, (and this is really embarrassing and I’ve never told anyone this) I used to have a little mantra: “I’m a famous author.” I’d repeat this silently to myself hoping that if I convinced myself it was true, it would become true in the real world.

After the heart attack, I realized that I can’t think of myself that way, not if I want to stay alive. Rather than try to be somebody I’m not, I have to accept the fact that, at best, I’m a moderately talented writer. And a reasonably good father, husband and friend.

And that’s OK.

3. I’ve stopped doing work I don’t enjoy.

If there’s one thing that I KNOW I can do really, really well, it’s write compelling marketing messages, marketing copy, cold emails, email marketing chains, website copy, etc. I can usually double or triple the sales revenue of a typical client.

Needless to say, clients have been more than willing to pay me big money to rework their marketing message. 

However, while I’m really good at it, I just don’t enjoy this kind of work. It’s too simple and too repetitive, like fishing with dynamite.

Even when I make good money, I have to FORCE myself to hit deadlines. My desire to do a good job for my clients was in direct conflict with my desire to avoid doing this kind of work. That’s been a recipe for crazy stress.

So no can do no more.

4. I make health my #1 priority.

Prior to my heart attack, I went through periods when I’d work out regularly but in the past decade or so, I’d made working out a lower priority than “getting the job done.” As a result, I rarely worked out.

Needless to say, this wasn’t a smart move heart-wise.

Today, regardless of how much work I might have on my plate, or what’s going on in my sometimes crazy home environment, I work out every day… before I do anything else.

Just as important, I don’t get all frantic about working out because that would just create more stress, negating the purpose of working out. If I have to take a day off from working out because, say, I have an appointment, that’s OK.

5. I’m filling my life with gratitude.

As a workaholic, I was addicted to the ambitious goals, the grandiosity behind them and the stress that it caused. My addiction drove me to achieve more and more and more. And it was killing me.

So now I’m jettisoning all of that, which leaves a huge metaphorical and metaphysical hole inside me. If I’m not that workaholic guy, who am I?

I’m trying–really hard–to fill that hole with gratitude. I’m trying to use gratitude as a fuel that will keep me going, still writing and still creating. I’m not sure how to do that but, seriously, my life depends on it. 

I used to think it was me against the world and I was a self-made man. I now realize that I’ve been very, very lucky. Insanely fortunate. Hopefully I’ll be able to stick around long enough to enjoy my good fortune.

Anyway, if you stuck around long enough to finish this post, I’m open to any advice or suggestions as I go forward. Frankly, I’m sailing in what, to me, are uncharted waters. 

Wish me luck!

3 Things Lions, Tigers, and Bears Can Teach You About Productivity

You work longer days, often late into night and on the weekends, and still feel like you haven’t accomplished anything. Does this sound familiar?

We tend to embrace the idea that more time and effort equals greater results when the opposite is often true. Blame your brain. The human brain has evolved to focus more on past and future events and less on present ones. How can you stay focused on the here and now? You need to think like an animal.  

When wolves, tigers, and even hawks search for prey, they seem to focus all of their brain power and attention on making the kill. They don’t appear to think about the previous hunt or the next one. This may be due to the fact that their brains are hardwired to hunt. According to a study by the Yale School of Medicine, scientists identified a sub-region of the amygdala in the animal brain that is the epicenter for predatory hunting. Additionally, they determined that animals have two distinct neural pathways that are designed for hunting.

In comparison, many of us don’t need this level of focus to survive. Our human minds  wander back and forth from the past to the present to the future and back again. Of course, this comes in handy when solving problems and thinking creatively. But it also makes us vulnerable to letting our past failures or future fears affect our performance. It also makes us easily distracted by the ping of a text or e-mail, or the opportunity to partake in office banter.

If you have trouble staying present, you need to tap into your inner lion or hawk. Practicing mindfulness can help you do this in order to stay focused on the task at hand and avoid putting in extra hours with little result. Here are three ways to do this:

1. Close your eyes and follow your breath.

Meditating for a brief amount of time can reset your brain and sharpen your focus. As Deepak Chopra, a prominent author and public speaker on mindfulness and alternative medicine, has said, “Meditation is not a way of making your mind quiet. It’s a way of entering into the quiet that is already there, buried under the 50,000 thoughts the average person thinks every day.”

I incorporate meditation into my workday by setting reminders on my calendar. When my calendar says it’s time to meditate, I stop what I’m doing, close my eyes, and focus on my breathing for two minutes. Counting breaths–saying one with each inhale and two with each exhale–helps me stay present and keep my mind from wandering.

2. Listen to music to reset between meetings.

We tend to just dive into meetings or conference calls that require our full attention without giving our brains a chance to warm up. I always schedule two to five minutes before any meeting or phone call to just sit and be still and clear my head. Sometimes I listen to a soothing or energizing song — whatever will help me calm down or pump myself up, depending on what type of situation I’m going into next. This helps me to be completely present, attentive and have the right level of energy for the specific situation.

3. Play a game or take a walk for a short diversion.

A study by a social networking company, Draugiem Group, found that we can stay absorbed in work for up to 52 minutes, but then need a 17-minute diversion. You can use this time to take a walk, read, or play a game. Focus on activities that are fun and relaxing. The key is to provide separation from the energy intensive work, so you can allow your brain to relax before getting back to work. One way that I relax is by creating playlists on Spotify.

When I’m in my home office, I also pick up my bass guitar and practice a few songs before going back to work. If you work in an urban environment, think about taking a walk with a colleague to your local Starbucks to get a coffee with the agreement that you will not talk about work.

Training the brain to be more present can help you stay focused and attentive when it matters most.  So next time your mind starts to wander, visualize the focus of a lion or hawk to help you refocus and teach your brain to recognize that the most important task is always the one right in front of you.

Where Entrepreneurs Go Wrong When Hiring Big Executives

You’re scaling your company and need a few good people to help you excel in areas outside your realm of expertise. It may seem like finding an experienced executive to join your team is the hard part, but the reality is that successfully integrating them and getting the desired outcomes is the real challenge. 

If you’re a first-time CEO and you’re several years younger than this new professional, you may think, I hired this person and they are the expert–they’ll know what to do. Please, please, resist this temptation. I’ve known many CEOs who’ve practiced this management approach, and I have yet to see it yield great results.

Your job as a leader is to be inspiring, fair, and honest–and to hold people accountable to doing their best work. If you do that, you will not go wrong. Don’t become intimidated by years of experience, a good reputation, or simple bravado. You’re the boss, and while they may be the domain expert, you need to make sure that they (and your company) are successful.

That requires active discussion and engagement on all fronts. A winning recruiting and onboarding strategy entails a lot of dialogue for alignment around:

  • What does success look like?
  • What is expected of the new executive?
  • What authority level does the new executive have? (What authority do they have to hire? What input should they get before they fire anyone?)
  • What are the expected behaviors? What is the appropriate style for the culture?
  • What do the first ninety days look like?
  • What problems will they want to tackle right away? What should be put on hold?
  • What is the cadence for check-ins? How often will you be meeting?

I’m a fan of codifying the above in a document so that there’s something to reference and check against. People interpret goals and expectations differently, so this exercise is especially important. (I ask the new executive to take the lead and document what we’ve discussed, and then to let me edit it.) I recommend having weekly one on ones.

These meetings also offer an opportunity to provide advice and to solicit input on how you can help them become more successful. If something is bothering you, you are not doing anyone any favors by hiding your concerns. When you do articulate your worries, try to do so in a way that’s constructive and truth seeking, rather than blaming.

A couple of other points:

You hired this person for a reason. You therefore know that something needs to be done differently, so expect that there will be some changes. You just need to be aligned about what they are.

There’s a lot to be discussed and much to be imparted, but don’t forget that listening goes a long way. Any new executive should be reminded of the importance of listening to the team. I recommend soliciting input about what is going well and where improvement is needed.

As mentioned earlier, there is likely to be change, and the current team needs to be forewarned about and accepting of the fact that some things might be done differently under new leadership. If (or, more likely, when) people come to you to complain about the changes, you need to listen, but also route them back to have a transparent discussion with the new executive.

Don’t forget the basics. Do everything in your power to make the new hire feel welcome. Assign someone in their department to show them around the first day. Take them to lunch. If you can’t personally do it, be sure to have someone else on the team take them.

Remember, the reason you hired someone is that you needed a change. Now set up the conditions to implement that and to make them wildly successful. This takes active management. If you wait, it takes even more work. Never expect things to magically get better. The better you onboard and acclimate someone, the faster they will deliver impact and the faster you will all earn the results you are striving to achieve.

Loupedeck Review: This Keyboard Designed for Editing Photos Is All Thumbs

The humble keyboard. Its holy QWERTYness. The layout of its keys, designed to keep a typewriter’s hammers from colliding as they struck the page one after another, was forged in the mechanical era. Though considered by many to be an imperfect design, it stuck around long enough to make the leap to the digital domain.

Even with alternative solutions (touchscreen laptops) and augmentations (Apple’s Touch Bar) available, the QWERTY keyboard still reigns. Creative pros have dealt with it by learning esoteric keyboard shortcuts to hit up their most-used commands. Now, a new gadget promises to free those folks from their finger acrobatics. Loupedeck has made a unique input device just for digital photographers. It’s a keyboard designed specifically for use with Adobe Photoshop Lightroom.


This product was born of Indiegogo, and it has obvious appeal for anyone who has ever poked and prodded Adobe’s tiny adjustment sliders for any amount of time. Designed and built in Finland, the Loupedeck board features scroll wheels, buttons for commonly-used features, and even arrow keys and a jog dial for rotating and cropping images. This sounds like a photographer’s dream come true. But, unfortunately, it’s a product that let me down very quickly.

Pictures don’t do the Loupedeck justice, and, in fact, I think the photos may lead you to believe this’ll be a nice piece of kit. Even the nicely-designed packaging set me up for an Apple-like experience, with raised ink logos leading to high hopes.

But then, as I pulled it from its stylish black box and started to feel how chintzy this thing is, my heart sank. It’s terribly cheap. Plastic all around, with a flimsy bit of silver plastic trim, this keyboard feels like a sub-$50 product, certainly not a $260 one.

Instead of neatly integrating with Lightroom out of the box, it requires special software drivers, which are available for PC and Mac. After installing them and restarting Lightroom, I was off to the races.

At first, Loupedeck worked pretty well. The idea of directly manipulating controls with a dedicated device is appealing, and I loved making subtle corrections with the twist of a knob or dial. Once I got into the groove, I reached for Loupedeck’s right arrow key to advance to the next image in my edit queue. That’s the precise moment when the whole experience came apart at the seams. The arrow keys, essential to navigating Lightroom via keyboard, are a nightmare on this keyboard. They’re wobbly, mushy, and need to be pressed dead-center to work at all.

The dials on the Loupedeck work as expected, but the scroll wheels for controlling color channels are rough. I’ve used dollar-store computer mice—you know, with the roller ball in the bottom—that have nicer scroll wheels. These hardware shortcomings are all the more infuriating because at its core, the idea of the keyboard is friggin’ brilliant. It took me a bit to get accustomed to the layout, but there’s something really satisfying about having precise control over things like contrast and clarity without laying a finger on a mouse.

Especially at its $260 price, I can’t recommend the Loupedeck. Once the company sources some higher quality components, it might be worth a look. In its current incarnation, its potential is completely undercut by its execution. That said, if a greatly improved v2 Loupedeck comes along, it’s something I could see myself shelling out hard-earned cash for.

Federal services provider CSRA partners with Google Cloud

(Reuters) – CSRA Inc, the target of rival bids from General Dynamics and CACI International Inc, said on Thursday it had partnered with Alphabet Inc’s Google Cloud.

A man checks Google devices outside its booth at the Mobile World Congress in Barcelona, Spain, February 27, 2018. REUTERS/Sergio Perez

CSRA, a provider of IT services to the U.S. federal government, said the partnership will help expand its digital solutions and offerings. (

The company already has strategic alliances with Inc’s AWS cloud services, Cisco Systems Inc, Microsoft Corp and Oracle Corp, among others.

U.S. defense contractor General Dynamics on Tuesday raised its offer for CSRA to $9.7 billion, including $2.8 billion in debt, in an attempt to top an unsolicited bid from CACI.

Reporting by Laharee Chatterjee in Bengaluru; Editing by Sriraj Kalluvila

Data Sheet—After Thrashing the News Business, Google Seeks to Make Amends

We want our money back. In the aftermath of the controversy surrounding Cambridge Analytica, Facebook is being sued by investors over a share price slump that the plaintiffs claim is due to Facebook failing to responsibly safeguard user data. CEO Mark Zuckerberg is reportedly planning to address mounting criticism against his company during an all hands meeting on Friday, and possibly even before then.

Nixed. Cambridge Analytica has suspended its CEO, Alexander Nix, after undercover Channel 4 News reporters in the U.K. captured him on film making off-color remarks. The video shows Nix bragging about swaying the U.S. presidential election and suggesting that prospective clients entrap and extort political rivals.

Are you sure you want to delete… WhatsApp co-founder Brian Acton piled onto the Facebook hate train, tweeting, “It is time. #deletefacebook.” Acton sold his messaging app to the social network operator for billions of dollars in 2014. He recently poured $50 million into a non-profit organization, the Signal Foundation, that aims to develop privacy enhancing technologies.

Guess who’s back? Back again? Former Uber CEO Travis Kalanick is back in the captain’s chair, this time at a real estate firm. On Tuesday, Kalanick announced his purchase of a controlling stake in a distressed company, City Storage Systems, for $150 million as well as his installation as CEO. “There are over $10 trillion in these real estate assets that will need to be repurposed for the digital era,” the boss wrote in a tweet.

Around the world in 880,000 days. Orbitz disclosed Tuesday that it suffered a security breach that impacts 880,000 payment cards. Attackers may have gotten their hands on customer information, including names, street and email addresses, and birthdays, from the travel booking website operator owned by Expedia. The company said records from purchases made between Jan. 1, 2016 and Dec. 22, 2017 were at risk.

The tax man cometh. The European Commission released a proposal for a plan that would tax tech companies based on where their digital users are based, rather than merely where the companies are based. The plan proposes to take a 3% cut of turnover from the European operations of tech giants, such as Google, Facebook, and Amazon. Estimated proceeds: about $6 billion.

Kind of a big deal. Salesforce has agreed to pay $6.5 billion in cash and stock for the business software company Mulesoft. The deal is poised to be the biggest acquisition in Salesforce’s history, and it comes a year after Mulesoft went public. Mulesoft’s products, which link corporate apps and data into unified IT systems, seem to pair nicely with Salesforce’s cloud offerings.

This White Tech Guy Has an Idea to Make Tech Less White

Bjorn Freeman-Benson is a little embarrassed by his 200-person engineering team: It’s overwhelmingly white, and it’s overwhelmingly male. He says he wants a more diverse staff for his digital product design company, InVision, but doesn’t get the applicants. “If I just have a bunch of young white men from Stanford, I’m not going to get a good result for my customers.”

Next month, two Latina engineers from Portland, Oregon, will join his team as full-time apprentices making $15 an hour, plus benefits. After three months, if all goes well, they’ll be hired full-time at full pay, as junior engineers.

InVision is one of three employers, along with Nike Inc. and MailChimp, trying to foster and hire a more diverse tech workforce through TalentPath, a new initiative from the coding school Treehouse and the Boys & Girls Clubs of America, whose local chapters provide after-school programs to young people in diverse communities across the country. With the involvement of the clubs, its founders hope it can make more of a dent, albeit a small one, in tech’s diversity problem than their earlier efforts did.

Ryan Carson started Treehouse in 2011 believing, like many coding-school founders, that people don’t have to go to college to land high-paying tech jobs and that his school, by lowering the barrier to entry, could foster a meritocracy and bring diversity to tech. Seven years in, he realized he’d failed. Treehouse alone has trained over 80,000 people, but the tech world—including Treehouse itself, whose engineers are mostly white men—has remained stubbornly homogenous. “I had to admit that although we were helping tens of thousands of people get jobs, we weren’t helping change the equation for people that were black, Latinx or women,” Carson said.

TalentPath aims to bridge that gap by partnering with local Boys & Girls Clubs, which recruit members or alumni who might want tech jobs and also help them navigate the working world via financial literacy classes and weekly mentoring. A participating employer sponsors students to take nine-month, part-time, online coding courses—enabling people in school or working full time to participate—and guarantees those who graduate a three-month, full-time apprenticeship on its engineering team. It can then offer them jobs.

(Carson would not tell Bloomberg what companies pay per student, but he said it’s more than the $200 per month Treehouse charges for other boot camps. InVision said the program is about a third cheaper than using a recruiting firm.)

The first class of graduates started apprenticeships this month at InVision, Nike and Treehouse itself, which participated to diversify its own workforce. Mailchimp is sponsoring a class of 10 students in the program now.

“I didn’t think, because I was Hispanic, I could have a career in tech.”

Coding schools have made a number of prior efforts to get more people of color and women into tech, although it’s difficult to gauge their success. Many coding schools, including Treehouse, offer scholarships, some aimed at promoting diversity and some created in partnership with tech companies or sponsored by the likes of Aphabet Inc.’s Google. There are also a host of coding programs for women and people of color.

Yet diversity at tech companies hasn’t budged.

Employers bear much of the responsibility. Not all of them make the effort. Bias can cloud their hiring processes. Workplace discrimination can discourage applicants and push out qualified employees.

Tech executives often blame their companies’ overwhelming whiteness on what they call the pipeline problem—a lack of qualified engineers who aren’t white men. But they often overstate it. Black and Hispanic graduates with computer and mathematical science degrees, for instance, are much more likely than their white peers to be unemployed or working in unrelated jobs, according to 2013 data from the National Science Foundation.

Even the coding schools often touted as potential solutions haven’t generally managed to recruit or retain underrepresented talent effectively. They don’t always reach people who don’t know much about tech jobs; even when they do, they might not hold much appeal, said Colleen Showalter, the liaison between Treehouse and the Boys & Girls Clubs of Portland and previously the chapter’s director of development.

“It’s really difficult for the minority communities we serve to have trust with organizations that just come in and say, ‘You should do this,’” she said. “They don’t look like them, and they don’t have any affinity for them.” Better boot camps won’t suffice to get young black and Latino people into tech jobs, she added. “They need support, because the barriers in their lives are real.” Some don’t have computers at home; many don’t know anyone who works in tech.

“We weren’t helping change the equation for people that were black, Latinx or women.”

Coding boot camps still aren’t substitutes for college degrees, despite the ambitions of people such as Carson. Some coding schools have over-promised on jobs and skills; a number of graduates and employers alike told Bloomberg in 2016 that their training hadn’t sufficiently prepared them for the work they were seeking. Many companies, for all their talk of pipeline problems, remain reluctant to hire people without degrees or prior experience.

TalentPath aims at least to give this experience to young people of color via its apprenticeships. But its program is hard to stick with, and even that faces challenges when it comes to retention; only a third of the students who enrolled in the inaugural class completed the program. And ultimately, its success depends on employers—and whom they decide to hire.

When Carlos Salgado, 18, first heard about TalentPath from the Boys & Girls Club in Portland last year, he was skeptical. “I was a bit sketched out, because it seemed too good to be true. My parents were telling me it was fake,” he said. “I didn’t think, because I was Hispanic, I could have a career in tech.”

He graduated from the Javascript bootcamp this year, and he started an apprenticeship at Treehouse this month. Next he hopes to land a full-time job in tech.

Alphabet's 'Outline' Homebrew VPN Software Offers Open-Source, Easy Set-Up Privacy For the Masses

A virtual private network, that core privacy tool that encrypts your internet traffic and bounces it through a faraway server, has always presented a paradox: Sure, it helps you hide from some forms of surveillance, like your internet service provider’s snooping and eavesdroppers on your local network. But it leaves you vulnerable to a different, equally powerful spy: Whoever controls the VPN server you’re routing all your traffic through.

To help solve that quagmire, Jigsaw, the Alphabet-owned Google sibling that serves as a human rights-focused tech incubator, will now offer VPN software that you can easily set up on your own server—or at least, one you set up yourself, and control in the cloud. And unlike older homebrew VPN code, Jigsaw says it’s focused on making the setup and hosting of that server simple enough that even small, less savvy organizations or even individual users can do it in minutes.

Jigsaw says that the free DIY proxy software, called Outline, aims to provide an alternative to, on the one hand, stronger anonymity tools like Tor that slow down web browsing by bouncing connections through multiple encrypted hops around the world and, on the other hand, commercial VPNs that can be expensive, and also put users’ private information and internet history at risk.

“The core of the product is that people can run their own VPN,” says Santiago Andrigo, the Jigsaw product manager who led Outline’s development. “You get the reassurance that no one else has your data, and you can rest easier in that knowledge.”

Trust in Yourself

Any basic commercial VPN like Freedome, NordVPN or Private Internet Access encrypts all of your online traffic and routes it from your PC or smartphone through a server in a remote data center, and only then out to the open internet. The result is that any snoop or censor watching your local connection can only see your scrambled communications to that server, not the actual destinations of your browsing or the contents of your communications. But while most decent VPNs promise not to keep sensitive logs of users’ online histories, it’s hard for users to confirm that safeguard is actually in place. And many of the most proven privacy-conscious VPNs are too expensive for users in surveillance-heavy countries in the developing world. The result, for many, is that “your privacy is in someone else’s hands,” Andrigo says.

Outline’s setup integrates with cloud provider Digital Ocean to let the user choose which country their VPN server will be hosted in.

Outline, which will run on Windows and Android to start and Apple operating systems in the coming weeks, instead lets anyone set up their own VPN server on a virtual server either hosted on a cloud platform like Rackspace, Google Cloud Engine, or Amazon EC2, or on a physical server under their control. The program most seamlessly integrates with the cloud provider Digital Ocean, which Jigsaw recommends for the easiest setup experience. Choose that provider, which offers 500 gigabytes of traffic for $5 a month, and Outline integrates with its API to offer a menu of its available server locations from London to Bangalore.

Outline isn’t the only homebrew VPN available: Security researcher Dan Guido launched a similar project in late 2016. And Outline itself is based on the existing, open source VPN software ShadowSocks. But Outline has tried to distinguish itself with its simplicity: It lets users skip ShadowSocks’ normal technical setup that requires a series of complex server configurations and cryptographic key generation steps performed through command line instructions. Instead, Outline automates practically the entire installation: In a demo for WIRED, Andrigo set up a new VPN on a Digital Ocean server in Amsterdam in about half a dozen clicks and just a few minutes.

Once an Outline server is set up, the administrator of the VPN can generate secret keys for other users and share them via links. (Andrigo suggests sending those URLs via an encrypted messaging app like Signal to control who can access the server.) That account sharing should help make Outline an easy way to run a VPN for an entire organization, like a group of activists or journalists.

A Swedish NGO called Civil Rights Defenders, for instance, has been testing Outline since last fall with the group of sensitive internet users it works to protect, who include journalists, lawyers, and LGBT communities in 18 repressive regimes around the world. CRD program director Marcin Kaminski says he’s found it’s an easy way to set up a VPN that CRD itself controls. “We send a link to the user, and after three clicks they’re running it, and it’s more or less untraceable to their activities,” says Kaminski. But Outline is also designed to help even groups with much less technical know-how. Aside from its simple setup, it’s designed not to require much maintenance: A feature called Watchtower automatically checks for security updates and installs them.

Not Quite Anonymous

Even though it’s designed to be installed on a server the user controls, Jigsaw says that Outline is still set by default not to collect logs. And unlike other VPNs that make that promise, Outline’s code will be left open source on GitHub to allow anyone to check that assurance.

Outline’s management software, showing a VPN shared with two other users.


But like any VPN, Outline isn’t quite a privacy panacea. If Outline is set up on a cloud server, rather than in the user’s own data center or garage, a deceptive cloud provider might be able to log traffic coming from the server even without changing the code running on it, stripping away the user’s protection. It doesn’t provide the same degree of anonymity protections as Tor, which routes traffic through three hops rather than just one and also protects against attacks like browser fingerprinting. Jigsaw goes so far as to warn in its FAQ for Outline that the program is “not an anonymity tool”; it doesn’t prevent sites you visit from identifying you, so much as block surveillance on your network and provide a path to route around censorship filters.

Outline users also face the same risk that all VPNs face in countries like China and Iran: If local snoops are stymied by a VPN, they can simply track down the IP address of the server running it and block it. But Andrigo says Outline is designed so that its servers will at least be very difficult to detect and block en masse, even with a tool like China’s Great Firewall. It’s designed to connect with users from a randomized port on the server running it, and doesn’t respond to any scans or pings unless the user offers their unique key. Jigsaw says it’s committed to keeping up with the cat-and-mouse of evading the censors. “This is an ever-evolving game,” says Andrigo.

With any luck, though, Outline might just change the nature of that game. And instead of blocking a single commercial VPN and cutting off many thousands of users, censors may have to play whack-a-mole with thousands of servers set up to host just a few individuals’ traffic each. Make a custom path to the open internet easy enough for anyone to set up, in other words, and it could become far harder for the authorities to tear them all down.

VPN 101

Facebook Struggles to Respond to the Cambridge Analytica Scandal

Two weeks ago, Facebook learned that The New York Times, Guardian, and Observer were working on blockbuster stories based on interviews with a man named Christopher Wylie. The core of the tale was familiar but the details were new, and now the scandal was attached to a charismatic face with a top of pink hair. Four years ago, a slug of Facebook data on 50 million Americans was sucked down by a UK academic named Aleksandr Kogan, and wrongly sold to Cambridge Analytica. Wylie, who worked at the firm and has never talked publicly before, showed the newspapers a trove of emails and invoices to prove his allegations. Worse, Cambridge appears to have lied to Facebook about entirely deleting the data.

To Facebook, before the stories went live, the scandal appeared bad but manageable. The worst deeds had been done outside of Facebook and long ago. Plus like weather forecasters in the Caribbean, Facebook has been busy lately. Just in the past month, they’ve had to deal with scandals created by vacuous Friday tweets from an ad executive, porn, the darn Russian bots, angry politicians in Sri Lanka, and even the United Nations. All of those crises have passed with limited damage. And perhaps that’s why the company appears to have underestimated the power of the storm clouds moving in.

On Friday night, the company made its first move, jumping out in front of the news reports to publish its own blog post announcing that it was suspending Cambridge Analytica’s use of the platform. It also made one last stern appeal to ask The Guardian not to use the word “breach” in its story. The word, the company argued, was inaccurate. Data had been misused, but moats and walls had not been breached. The Guardian apparently did not find that argument sympathetic or persuasive. On Saturday its story appeared, “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach.”

The crisis was familiar in a way: Facebook has burned its fingers on issues of data privacy frequently in its 14 year history. But this time it was different. The data leakage hadn’t helped Unilever sell mayonnaise. It appeared to have helped Donald Trump sell a political vision of division and antipathy. The news made it look as if Facebook’s data controls were lax and that its executives were indifferent. Around the world lawmakers, regulators, and Facebook users began asking very publicly how they could support a platform that didn’t do more to protect them. Soon, powerful politicians were chiming in and demanding to hear from Zuckerberg.

As the storm built over the weekend, Facebook’s executives, including Mark Zuckerberg and Sheryl Sandberg, strategized and argued late into the night. They knew that the public was hammering them, but they also believed that the fault lay much more with Cambridge Analytica than with them. Still, there were four main questions that consumed them. How could they tighten up the system to make sure this didn’t happen again? What should they do about all the calls for Zuckerberg to testify? Should they sue Cambridge Analytica? And what could they do about psychologist Joseph Chancellor, who had helped found Kogan’s firm and who now worked, of all places, at Facebook?

By Monday, Facebook remained frozen, and Zuckerberg and Sandberg stayed silent. Then, late in the afternoon in Menlo Park, more bad news came. The New York Times reported that Alex Stamos, the company’s well-respected chief of security, had grown dissatisfied with the top of senior management and was planning to exit in a few months. Some people had known this for a while, but it was still a very bad look. You don’t want news about your head of data security bailing when you’re having a crisis about how to secure your data. And then news broke that Facebook had been denied in its efforts to get access to Cambridge Analytica’s servers. The United Kingdom’s Information Commissioner’s Office, which had started an investigation, would handle that.

An all-hands meeting was called for Tuesday but for some reason it would be led by Facebook’s legal counsel not its leaders, both of whom have remained deafeningly silent. Meanwhile, the stock had collapsed, chopping $36 billion off the company’s market value on Monday. By mid-Tuesday morning, it had fallen 10 percent since the scandal broke. What the company expected to be a tough summer storm had turned into a Category 5 hurricane.

Walking in the Front Door

The story of how Kogan ended up with data on 50 million American Facebook users sounds like it should involve secret handshakes and black hats. But Kogan actually got his Facebook data by just walking in Facebook’s front door and asking for it. Like all technology platforms, Facebook encourages outside software developers to build applications to run inside it, just like Google does with its Android operating system and Apple does with iOS. And so in November 2013 Kogan, a psychology professor at the University of Cambridge, created an application developer account on Facebook and explained why he wanted access to Facebook’s data for a research project. He started work soon thereafter.

Kogan had created the most anodyne of tools for electoral manipulation: an app based on personality quizzes. Users signed up and answered a series of questions. Then the app would take those answers, mush them together with that person’s Facebook likes and declared interests, and spit out a profile that was supposed to know the test-taker better than he knew himself.

About 270,000 Americans participated. However what they didn’t know was that by agreeing to take the quiz and giving Facebook access to their data, they also granted access to many of their Facebook friends’ likes and interests as well. Users could turn off this setting, but it’s hard to turn off something you don’t know exists and that you couldn’t find if you did. Kogan, quickly ended up with data on roughly 50 million people.

About five months after Kogan began his research, Facebook announced that it was tightening its app review policies. For one: Developers couldn’t mine data from your friends anymore. The barn door was shut, but Facebook told all the horses already in the pasture that they had another year to run around. Kogan, then, got a year and a half to do his business. And when the stricter policies went into effect, Facebook promptly rejected version two of his app.

By then Kogan had already mined the data and sold it to Cambridge Analytica, violating his agreement with Facebook and revealing one of the strange asymmetries of this story. Facebook knows everything about its users—but in some ways it knows nothing about its developers. And so Facebook didn’t start to suspect that Kogan had misused its data until it read a blaring headline in The Guardian in December 2015: “Ted Cruz using firm that harvested data on millions of unwitting Facebook users.”

That story passed out of the cycle quickly though, swept away by news about the Iowa caucuses. And so while Facebook’s legal team might have been sweating at the end of 2015, outwardly Zuckerberg projected an air of total calm. His first public statement after the Guardian story broke was a Christmas note about all the books he’d read: “Reading has given me more perspective on a number of topics – from science to religion, from poverty to prosperity, from health to energy to social justice, from political philosophy to foreign policy, and from history to futuristic fiction.”

An Incomplete Response

When the 2015 Guardian story broke, Facebook immediately secured written assertions from Cambridge Analytica, Kogan, and Christopher Wylie that the data had been deleted. Lawyers on all sides started talking and by the early summer of 2016, Facebook had more substantial legal agreements with Kogan and Wylie certifying that the data had been deleted. Cambridge Analytica signed similar documents, but their paperwork wasn’t submitted until 2017. Facebook’s lawyers describe the process as a tortured and intense legal process. Wylie describes it as a pinkie promise. “All they asked me to do was tick a box on a form and post it back,” he told the Guardian.

Facebook’s stronger option would have been to insist on an audit of all of Cambridge Analytica’s machines. Did the data still exist, and had it been used at all? And in fact, according to the standard rules that developers agree to, Facebook reserves that right. “We can audit your app to ensure it is safe and does not violate our Terms. If requested, you must provide us with proof that your app complies with our terms,” the policy currently states, as it did then.

Kogan, too, may have merited closer scrutiny regardless, especially in the context of the 2016 presidential campaign. In addition to his University of Cambridge appointment, Kkogan was also an associate professor at St. Petersburg State University, and had accepted research grants from the Russian government.

Why didn’t Facebook conduct an audit—a decision that may go down as Facebook’s most crucial mistake? Perhaps because no audit can ever be completely persuasive. Even if no trace of data exists on a server, it could still have been stuck on a hard-drive and shoved in a closet. Facebook’s legal team also insists that an audit would have been time-consuming, and despite the rights granted in a developer contract would have required a court order. A third possible explanation is fear of accusations of political bias. Most of the senior employees at Facebook are Democrats who blanche at allegations that they would let politics seep into the platform.

Whatever the reason, Facebook trusted the signed documents from Cambridge Analytica. That June, of 2016, Facebook staff even went down to San Antonio to sit side by side with Trump campaign officials and the Cambridge Analytica consultants by their side.

To Facebook, the story seemed to go away. In the year following Trump’s victory, public interest advocates hammered Cambridge Analytica over its data practices, and other publications, particularly The Intercept, dug into its practices. But Facebook, according to executives at the company, never thought to double check if the data was gone until reporters began to call this winter. And then it was only after the story broke that Facebook considered serious action including suing Cambridge Analytica. A lawyer for the company, Paul Grewal, told Wired on Monday evening that “all options are on the table.”

What Comes Next

Of Facebook’s many problems, one of the most confusing appears to be figuring out what to do with Chancellor, who currently works with the VR team. He may know about the fate of the user data, but this weekend the company was debating how forcefully it could ask him since it could be considered a violation of rules protecting employees from being forced to give up trade secrets from previous jobs.

A harder question is when, and how exactly, Zuckerberg and Sandberg should emerge from their bunkers. Sandberg, in particular, has passed through the crucible of the past two years relatively unscathed. Zuckerberg’s name now trends on Twitter when crises hit, and this magazine put his bruised face on the cover. Even Stamos has taken heat during the outcry over the Russia investigation. And a small bevy of brave employees have waded out into the rushing rivers of Twitter, where they have generally been sucked below the surface or swept over waterfalls.

The last most vexing question is what to do to make Facebook data safer. For much of the past year, Facebook has been besieged by critics saying that it should make its data more open. It should let outsiders audit its data and peer around inside with a flashlight. But it was an excess of openness with developers—and opaque privacy practices—that got the company in trouble here. Facebook tightened up third-party access in 2015, meaning an exact replay of the Cambridge Analytica fiasco couldn’t happen today. But if the company decides to close down even further, then what happens to the researchers doing genuinely important work using the platform? How well can you vet intentions? A possible solution would be for Facebook to change its data retention policies. But doing so could undermine how the service fundamentally works, and make it far more difficult to catch malevolent actors—like Russian propaganda teams—after the fact.

User data is now the foundation of the internet. Every time you download an app, you give the developer access to bits of your personal information. Every time you engage with any technology company—Facebook, Google, Amazon, and so on—you help build their giant database of information. In exchange, you trust that they won’t do bad things with that data, because you want the services they offer.

Responding to a thread about how to fix the problem, Stamos tweeted, “I don’t think a digital utopia where everybody has privacy, anonymity and choice, but the bad guys are magically kept out, can exist.”

At its core, according to a former Facebook executive, the problem is really an existential one. The company is very good at dealing with things that happen frequently and have very low stakes. When mistakes happen, they move on. According to the executive, the philosophy of the company has long been “We’re trying to do good things. We’ll make mistakes. But people are good and the world is forgiving.”

If Facebook doesn’t find a satisfactory solution, it faces the unsavory prospect of heavy regulation. Already in the UK, the General Data Protection Regulation rule will give people much more insight and control over what data companies like Facebook take, and how it’s used. In the US, senators like Ron Wyden, Mark Warner, Amy Klobuchar, and others may have the appetite for similar legislation in the US, if Facebook’s privacy woes continue.

Facebook will hold its all-hands today, and hope for that inevitable moment when something horrible happens elsewhere and everyone’s attention turns. But it also knows that things might get worse, much worse. The nightmare scenario will come if the Cambridge Analytica story fully converges with the story of Russian meddling in American democracy: if it turns out that the Facebook data harvested by Cambridge Analytica ended up in the hands of Putin’s trolls.

At that point, Facebook will have to deal with yet another devastating asymmetry: data from a silly quiz app, created under obsolete rules, fueling a national security crisis. But those asymmetries are just part of the nature of Facebook today. The company has immense power, and it’s only begun to grapple with its immense responsibility. And the world isn’t as forgiving of Silicon Valley as it used to be.

Facebook and Cambridge Analytica

Global regulators to work on test bed for fintechs

LONDON (Reuters) – Regulators from across the world start work this week on a blueprint for a global “sandbox” or testing bed for new financial technology applications, Britain’s Financial Conduct Authority said on Monday.

The logo of the new Financial Conduct Authority (FCA) is seen at the agency’s headquarters in the Canary Wharf business district of London April 1, 2013. REUTERS/Chris Helgren

Britain helped to spearhead sandboxes which allow fintech firms to test new apps on real customers, but under the close eye of regulators to avoid consumer harm.

Chris Woolard, the FCA’s executive director of strategy and competition, said the watchdog was now pushing ahead with trying to set up a global sandbox, given that many fintech firms and their business plans span borders.

“Later this week we start work with interested regulators, including colleagues across Europe, the U.S. and Far East, on a blueprint,” Woolard told the Innovate Finance conference in London.

“There’s real momentum behind this and we hope that before long the ambition of a global sandbox will be a reality.”

The FCA’s own sandbox, the first of its kind, has worked with 70 fintech firms, with 90 percent of firms in the first round of applications having gone to the market and finding it easier to raise money, Woolard said.

Britain wants to maintain its role as a major fintech center, but its planned departure from the European Union has spurred the EU with its vast single market to propose measures to attract fintech firms from London.

“Increasingly we’re hearing from firms a demand to operate globally, to grow at real scale and pace,” he said.

Although FCA has signed fintech cooperation agreements with regulators in eight jurisdictions, there is no joint sandbox program for firms to participate in.

“Such a project represents new territory. Breaking new ground requires an element of risk, not something, as I’ve said, that regulators are generally comfortable with,” Woolard said.

Regulators have to be realistic about what a global sandbox could look like, however.

“In some quarters, there could be an aspiration for global standards. The logic is clearly there, but my strong suspicion is that it would take 20 years to negotiate and in a fast-moving market would be 19 years and six months out of date when we got there,” Woolard said.

Reporting by Huw Jones; editing by Jason Neely