# Consult Colin - Full Site Content > Colin O'Brien - Independent technology consultant helping European organisations and businesses choose software, maintain data sovereignty, and avoid vendor lock-in. Based in Belgium, working continent-wide in English and French. --- ## Home Source: https://consultcolin.eu/ ### What Colin Does Colin O'Brien is an independent technology consultant offering software and SaaS selection advice for small-to-midsized European organisations that care about how they operate, not just what they do. If you worry about lock-in, data jurisdiction, or simply tools that don't fit how your team actually works, this is the right place. ### The Problem: Ritual Mimicry Many software decisions aren't really decisions. Someone set up the website and a default analytics tool just showed up. Email goes through Gmail or Outlook because that's what email is now. The CRM is whatever someone's last employer used. Nobody really chose these things - they just showed up as defaults. This is ritual mimicry: going through the motions of choosing without really doing the choosing. It works, until it doesn't: - Until you want to use a language that isn't English. - Until half of your team has given up on features that technically exist but are too complicated to use. - Until someone's maintaining a spreadsheet alongside the system that was supposed to replace spreadsheets. - Until you decide to leave and discover your data won't export properly and your communication history won't migrate. And then a policy changes on the other side of the Atlantic, and your data is suddenly someone else's business. ### Why This Matters in Europe Most European organisations with actual values - on sustainability, human rights, fair labour, democratic transparency, the environment - have given almost no thought to whether the technology they use reflects those values. Not because they don't care, but because these tools arrived looking like infrastructure rather than the results of decisions. Your emails probably go through Microsoft or Google servers. Your files are likely sitting on Amazon ones. Your team chats and makes decisions over Zoom. These tools just ended up there, and now your organisation depends on them - and funds them. Every subscription, every renewal, is a financial relationship. Several companies that underpin European online infrastructure are headquartered in a jurisdiction whose political direction is increasingly at odds with the values many European organisations are committed to. In 2025, when the US sanctioned judges at the International Criminal Court, their Microsoft email accounts were suspended overnight. Their Apple IDs were disabled, their credit cards stopped working. These were people living and working in Europe, doing legitimate work. And American companies shut them out of daily life, immediately and with no recourse. There's a growing range of European and open-source tools that can do the job. Often with less fine print, clearer data jurisdiction, and without the political baggage. ### How Colin Works Colin does the homework you don't have time to do. Whether you know something has failed you or you just suspect something isn't right, the goal is to make a clear, intentional choice you can explain to your team and your future self. Most projects follow a simple shape: 1. **Understanding how your organisation works.** Spending time with the team, asking questions, finding out what's really happening: what's working, what isn't, and what people need. 2. **Testing realistic options.** No half-hour demos - days or weeks of real use. Reading documentation, testing support, exploring edge cases. 3. **Mapping the risks and exits before you commit.** Looking at vendor lock-in, data jurisdiction, export formats, hidden dependencies, and what migration would really cost: in money, but also in time and lost history. Along the way: finding out where data really lives, making sure you'll be able to leave when you need to, and asking the awkward questions. ### Services **Technology Risk Assessment - 1,400 EUR / 10 business days** A fixed-price review of up to five core tools: where your data actually lives, what you'd lose if you had to leave, and what deserves attention now versus later. You get two conversations (one to understand your setup, one to walk through findings), a data flow map, and a short visual report: priorities, quick wins, no filler. **Software Selection - contact for tailored quote / 3-6 weeks typical** What that looks like depends on the category. For email marketing, that might mean starting with fifteen-plus tools and working down to four finalists. For an office suite, the field is smaller but the migration questions are harder. Every engagement is scoped to fit. **Ongoing Advisory - contact for retainer details / ongoing, flexible** For organisations that want someone available when technology decisions come up - not a one-off project, but a standing relationship. Retained, flexible, and shaped around how you actually work. ### Case Studies **A sustainable packaging company:** Running on a project management platform built for organisations three times their size - overcomplicated, slow, invasive, and hosted outside Europe. Replaced it with something that matched how they actually worked: simpler, cheaper, open-source and European-hosted. **A bicycle leasing company:** Needed specific email marketing capabilities. A European option existed but the support was so unresponsive it represented a genuine operational risk. Chose the American alternative knowingly, documented the reasoning, and kept the European option on the list to revisit. Sometimes the honest answer is: not yet. **A European organisation for natural healthcare ingredients:** Needed analytics that didn't contradict their values around transparency and data privacy. Built a stack that gave them just the insights they needed, kept everything in Europe, and didn't quietly harvest data of the people they were trying to serve. ### About Colin Colin has been in this industry long enough to have co-founded one of the first internet service providers. He's built networks, assembled servers, written and designed web applications, launched a startup, and made the mistakes that only come from decades of doing this stuff. He's lived through enough hype cycles to know how to filter the substance from the noise. He doesn't chase ideological purity: sometimes the right tool isn't European, sometimes it's a compromise. The point is to make that compromise knowingly, not to discover it three years later when you're trying to get out and can't. --- ## FAQ Source: https://consultcolin.eu/faq/ ### Working with Colin **What types of organisations do you work with?** European organisations and businesses of all kinds: companies that care about where their data goes, how their subscription fees circulate, and whether their technology choices align with their values. Particular experience with social enterprises and B corps, but also SMEs, nonprofits, cooperatives, and mission-driven organisations. **What does a typical engagement look like?** Every project is different, but most fall into a few patterns: software selection (helping choose a CRM, project management tool, email, or other platform), vendor assessment (checking whether a tool actually does what it claims, making sure a web developer will build what you actually need), migration planning (figuring out how to leave your current system), or technical translation (helping communicate with developers and agencies). Some clients need a one-off consultation; others want ongoing support. **How much do you charge?** Pricing is based on the scope and complexity of the work. For a straightforward software recommendation, that might be a fixed fee. For longer advisory relationships, a retainer. Happy to discuss your situation and give a clear idea of costs before committing to anything. The technology risk assessment is a fixed 1,400 EUR. **Do you implement the software yourself?** Generally no. The role is to help you make the decision and plan the transition - not to become your IT department. Colin stays involved during implementation if that's useful, but the goal is to leave you with clarity and confidence, not dependency. **Do you work with organisations outside Europe?** Primarily focused on European organisations because the European regulatory environment (GDPR, DSA, data sovereignty) shapes so much of the advice. That said, if you're a non-European organisation that wants honest advice about these same questions, it's worth getting in touch. --- ## Ethics Source: https://consultcolin.eu/ethics/ Colin believes you deserve completely unbiased advice when making important decisions about your tools and projects. The business is built around a simple principle: only working for you. **No commissions, ever.** All referral fees, commissions, and kickbacks from agencies, developers, or software vendors are refused. When recommending someone or something, it's because they're genuinely the best fit for your needs - not because they're paying. This means: - Honest assessments of any vendor's proposal. - Telling you when a popular tool or platform isn't right for you. - Advocating solely for your interests during projects. - Providing objective oversight without divided loyalties. - You pay directly for expertise, nothing else. --- ## Newsletter Source: https://consultcolin.eu/newsletter/ A daily email on digital sovereignty, ethical tech, and making better software choices. Practical, no hype, no pitches - just useful thoughts. It really is daily, and people stick around. --- ## Contact Source: https://consultcolin.eu/contact/ **Email:** colin@consultcolin.eu (usually responds within 24 hours) **Contact form:** https://letterbird.co/consultcolin **Introductory call:** Can be booked via the contact page. --- ## Privacy Source: https://consultcolin.eu/privacy/ No long unreadable legal text. Colin is located in Belgium where GDPR applies. - **Newsletter:** Email addresses are collected to send emails only. Not sold or shared. Sent via Keila (EU-based). Tracking is disabled on all emails. - **Web analytics:** Self-hosted privacy-friendly Swetrix analytics. No personal data collected. - **Invoicing:** Invoicing information is collected when hired. Not shared with third parties except invoicing software and accountant. --- ## Colophon Source: https://consultcolin.eu/colophon/ Static site built using Eleventy, hosted on the European Bunny CDN, SSL via Actalis (Italy), newsletter via Keila (Germany), analytics via self-hosted Swetrix. --- ## Newsletter Archive ### Friday links for April 24th 2026 Source: https://consultcolin.eu/newsletter/archive/friday-links-2026-04-24/ *24 April 2026* - Silicon Valley is out of touch, age verification isn't just for children, big tech writes EU law, framework transparency, and swinging across borders. Here we go, some links for your Friday perusal: 1. Silicon Valley has forgotten what normal people want Tech leaders dream of inventing the sci-fi future while people just want simple, useful things that will make their lives easier. 2. We must keep age verification from killing anonymity online Age verification for children is age verification for everyone. That means every adult will also have to hand over their ID to get online. We need to protect children but we don't want an internet that requires identification for everything. 3. How Big Tech wrote secrecy into EU law to hide data centres' environmental toll This is wild. Microsoft and some lobbyists got the EU to copy-paste rules they wrote into European legislation. The rules in question are intended to hide data centre energy and water consumption. 4. Europe Measures Digital Sovereignty. Why Doesn't It Publish the Results? The European Commission created a framework to measure digital sovereignty in cloud services. But they don't publish details about the scoring, limiting transparency. A good start but methodology transparency is needed to make proper choices. 5. Borders are a construct, but this swing isn't This is fun: there's a swing on the Belgium-Netherlands border that lets you cross back and forth between countries while you play on it. Have a good one, Colin --- ### Boring is a feature Source: https://consultcolin.eu/newsletter/archive/boring-is-a-feature/ *23 April 2026* - In defence of leaving things alone. Something I've noticed a lot: people who really love technology are often the ones making the worst decisions about it. The problem with being passionate about tech is that you'll often want the newest and shiniest versions of everything. But, in a business environment, that's not really a great strategy. Being an early adopter at home isn't the same as being one at work. If your smart lightbulb stops working after an update, you put the old one back in (or live in the dark for a while) and life goes on. If your team's cutting-edge "AI-powered" project management tool starts rescheduling everything after an automated upgrade to the latest version, you've got a bigger problem. I spend a surprising amount of time holding people back from the bleeding edge. If your current software works and does what you need it to, there's no reason to be tempted by the shiny new thing. "Working" is an underrated quality in business software. When a new technology shows up, the hype machine gets jumpstarted and, suddenly, everyone feels like they'll fall behind if they don't rush to adopt it. That's the pressure of marketing, not of need. Generative AI is the current example. I'm not saying you should completely ignore it. I'd actually encourage you to keep an eye on it, maybe experiment with it, figure out what it can and can't actually do... Take your time. There's one hell of a gap between staying informed and restructuring your whole workflow around something that's only a few years old, haemorrhaging money all over the place, and changing all the time. The companies building these technologies haven't even figured out their own business models, you shouldn't be trying to figure yours out before they have. For the most part, boring is better. It keeps running until there's a genuine reason to change. FOMO isn't one. Colin --- ### An expensive address book Source: https://consultcolin.eu/newsletter/archive/expensive-address-book/ *22 April 2026* - Check-in was free. Check-out will cost you. One conversation that seems to come up more often than any other when talking to clients is them wanting to get away from HubSpot (or some other CRM, but HubSpot gets most mentions). Rarely because of it being bad, mostly because it's just so damn expensive. On top of that, they're usually only using a small percentage of its functionalities. The story is pretty much always this: they signed up for the free tier, then they added some contacts, maybe built a small pipeline. But then they needed a feature that was only available on a paid plan, then another... A few years later, they're paying €50+ per seat per month for a marketing automation service that they're really using as a contact list with notes. This isn't a HubSpot-specific problem. Salesforce, Pipedrive, and a plethora of other big CRMs follow the same playbook: pull you in for free (or cheap), let you accumulate a ton of data, then charge for features. By the time you're hit with the painful prices, leaving feels like a sisyphean task. A migration no one wants to touch. So you "stay and pay". Let's be honest, though. Most small organisations don't need a CRM. They need a structured way to keep track of who talked to who, what was said, and what should happen next. No lead scoring, no AI-powered forecasts, no behavioural email sequences... There's also the sovereign aspect: you're storing sensitive data (names, emails, phone numbers, conversations, pricing...) on US servers, subject to US jurisdiction. I'm betting many of your contacts don't realise you're doing that. There are plenty of small, European alternatives that cover what most teams really need. And, for many, even a well-maintained spreadsheet would do the trick. And if leaving feels impossible today, imagine what it'll feel like next year. It might not be an easy move, but I'd start planning it now, not next year. Colin --- ### The convenience trap Source: https://consultcolin.eu/newsletter/archive/the-convenience-trap/ *21 April 2026* - One password to lose it all. It's obviously convenient to have everything in one place: one login, one interface, one payment. With Google, you get email, docs, storage, a calendar, video calls, etc. Microsoft is the same. Even privacy-forward services like Proton have a bundled offer: email, storage, VPN, password manager, all behind one login. It feels easy and simple. But it also means that if someone gets into your account, they get into absolutely everything. There's a security saying: attackers only need to succeed once, but defenders need to succeed every single time. When your whole online life is sitting behind a single account, you've made the successful attacker's life a lot easier. All it takes is one moment of weakness: a phishing link clicked by mistake or a re-used password. And suddenly your emails, your files, you calendar, maybe even your passwords, your whole online life are in someone else's hands. That's called a single point of failure. It doesn't necessarily have to be an attack either. Google has locked plenty of people out of their accounts without explanation. And, when that happens, you lose it all. There are forums full of people who suddenly discovered their digital life was locked away because some big tech company (or, more likely, one of their automated systems) decided their account was problematic. And good luck reaching a human to get it fixed, even with a business account. Spreading your services across multiple providers is definitely not as convenient. But, when everything goes south, it doesn't cascade into total disaster. Diversifying your accounts also makes it harder for a single provider to build a detailed profile of your activity. When your emails, your documents and your searches all sit in the same place, they know more about you than most of your friends do. They say "don't put all your eggs in the same basket". That works online too. Colin --- ### Have you tried turning off the hype? Source: https://consultcolin.eu/newsletter/archive/have-you-tried-turning-off-hype/ *20 April 2026* - Same capabilities, better PR. I had yet more conversations this weekend about generative AI, specifically about Anthropics's new Mythos model. Some people were worried for their website security after reading the news. If you missed the noise, Anthropic (the people behind Claude) announced a model so good at finding security flaws that they decided they couldn't release it to the public. People panicked, journalists wrote horror stories, cybersecurity stocks dropped. But the story got a lot less scary when people outside Anthropic's marketing department examined it. Independent security researchers took the specific vulnerabilities that Anthropic were hyping up, and ran them through smaller, much cheaper AI models. Turns out they all found exactly the same vulnerabilities. There was some progress in performance for this new model, but nothing unusual. Previous model releases showed similar improvement jumps. The only unusual thing here was the marketing. These companies have been telling us (and investors) for years now that they're months away from Artificial General Intelligence or that their models are going to replace half the jobs. But, when you get down to it, the best press they could have gotten for their revolutionary new model was "it finds bugs a bit better". So they chose fear instead. If your product isn't revolutionary, make it a threat, and journalists will do the rest. I'd love to stop writing about generative AI. But, as long as the hype machine keeps turning, I guess I'll be showing up to spoil the party. Colin --- ### Friday links for April 17th 2026 Source: https://consultcolin.eu/newsletter/archive/friday-links-2026-04-17/ *17 April 2026* - AI makes you a worse person and a curt one, Google sovereignty-washed Brussels, AI eats your old emails. Another Friday, another batch of links: 1. Study finds asking AI for advice could be making you a worse person AI chatbots often agree with users, even when their actions are harmful. This makes people less likely to take responsibility or apologise for their mistakes. This is going to end well... 2. AI learns language from skewed sources. That could change how we humans speak - and think Adding to the previous link: children in households that use voice commands with tools like Siri and Alexa became curt when speaking with humans, often calling out "Hey, do X" and expecting obedience. 3. Accenture and Google Cloud unveil Brussels centre to accelerate sovereign AI adoption This is a prime example of "sovereignty washing". Reminder: if a US corporation owns it, it's subject to the CLOUD act. No amount of marketing will stop the US government from getting to that data. But marketing will clearly make people sign up for this pseudo-sovereign claptrap. 4. AI's New Training Data: Your Old Work Slacks And Emails Lots of AI stuff this week. Looks like they're also buying old emails and chats from companies that shut down, and using them as training data. Nothing's off the table with these people. Until the next one, Colin --- ### Europe’s got your back(up) Source: https://consultcolin.eu/newsletter/archive/europes-got-your-back-up/ *16 April 2026* - Sovereign solutions for proper backups. My email about backups yesterday triggered a couple of replies asking for European backup service suggestions. It's a little complicated to offer solutions without going into detailed comparisons. Everyone has different needs. But, I'll list a few options I know to work quite well for most. There are two parts to any backup system: the client (the backup software running on your computer) and the server (the place where the data is stored). They can be from the same service or different. If you have enough technical knowledge, you'll generally be better off using a separate client and storage service. The issue with most all-in-one services is they're either sync services or network folders (at least when using their clients). Let's start with the all-in-one solutions: Jottacloud are based in Norway and, in my opinion anyway, one of the easier to use solutions. The data stays in Norway and it's encrypted. They can even backup your NAS (Network Attached Storage) as part of a dual system. They also do sync, so you need to be careful about how you use it. There are plenty of other services, but most of them aren't really ideal for incremental backups unless you're willing to tinker or, in some cases, use a separate client. A few to look into: Infomaniak kDrive, Proton Drive, Filen, pCloud. If you can use separate clients and servers, my suggestions for clients are: Arq for Mac or Windows. It's the one I use and I'm very happy with it. It works with all kinds of services including S3 (created by Amazon but now used by many others) and you can choose where, when and how files are backed up. Kopia. An open-source solution available for most platforms and as both a graphical client or a terminal-based one if you're a power user. Like Arq, it works with a plethora of storage services. Restic. One for the power-users but also a very good solution. Server-wise, there's a lot of choice. It's going to depend a lot on your needs, but here are a few: Hetzner Storage. In Germany or Finland. Good value for money. Works with many protocols. Scaleway Object Storage or Glacier (for long-term storage) in France. It's compatible with S3 and can be a good option too. Many other services are S3-compatible, including a few mentioned above like Filen or Infomaniak (you need a pro account at Infomaniak for S3, though). This is far from complete, I don't want to write an essay, but it should get you started on your backup quest. Email-me if you have questions. Colin --- ### Your backups work. Probably… maybe… hopefully… Source: https://consultcolin.eu/newsletter/archive/your-backups-work-probably-maybe-hopefully/ *15 April 2026* - A quick guide to backups that actually work. If you ask people or organisations if they make regular backups of their data, the vast majority will say yes. If you ask them when they last tried to restore them, you'll mostly get silence. I'm one of these people. For a long time, I diligently made backups but never tested them. Then, luckily, one day I decided to restore one as a test ... and it failed. That's the thing: backups break and most of us find out only when we need them. One of my clients recently discovered the NAS (Network Attached Storage) in their office had been backing up an empty folder for months. Luckily for them, they had a secondary backup in the cloud. You may have heard of the "3-2-1" rule: 3 copies of your data, 2 different types of storage, 1 copy off-site. There's often one of these missing, usually the off-site one. That could be cloud storage, but it could also be a hard drive in a different office. It's the best protection against fires or even ransomware attacks. But make sure you test them all. So, at regular intervals, pick a random file and try to restore it. If you can't, you don't really have a backup solution. A few notes: If you're choosing a cloud backup solution, don't forget to take digital sovereignty into account and choose a European solution. A sync service like Google Drive or DropBox is not a backup. If you delete a file or, worse, if ransomware encrypts it, those changes will be propagated everywhere. Whatever solution you choose, just make sure you test it. Colin --- ### The post-it on your monitor isn't a security strategy Source: https://consultcolin.eu/newsletter/archive/post-it-on-monitor-not-a-security-strategy/ *14 April 2026* - The feature that makes offboarding boring again. When I look at how small (and not-so-small) organisations handle passwords, the solution is usually one of these: a shared excel file, a Notion page, Post-its on a monitor (really), an identical password everywhere, or my favourite: "ask Maria, she knows them all". The obvious fix for this is a password manager. Most people have heard (and ignored) that advice a million times. But there's a feature in most of them that rarely gets a mention, and it's the one that can really make a difference for teams: shared vaults. It's pretty straightforward. Instead of every team member storing company passwords in their own personal password manager vault (or their head, or that excel sheet...), you create a shared vault for the team or even for a specific project. Then everyone with proper access can use the passwords stored inside it. The interesting part is the permission levels. You can give someone "read-only" access to the vault, which lets them log in to services without ever seeing or being able to change the passwords. They click, they log in, they do their work. All this without ever knowing the passwords. And when someone leaves the organisation, whether on good or bad terms, you don't have to go round changing every password they might have used. You simply revoke their access to the shared vault and you're done. No more "did anyone change the Canva password?" two weeks later. Most well-known password managers offer something like this (Bitwarden, 1Password, ...). Just pick the one that works for you and your budget. It won't fix everything, but it'll fix the scenario where someone walks out the front door with a laptop and a grudge. Colin --- ### Cookie banners - The sequel Source: https://consultcolin.eu/newsletter/archive/cookie-banners-the-sequel/ *13 April 2026* - But this time there's a plot twist … in Brussels I recently wrote about the EU's Digital Omnibus and some of the ways it could weaken the GDPR. But there is one good thing lurking in there. It's called "Article 88b" (creative naming, I know) and the idea behind it is quite simple: instead of dealing with the usual cookie banners, you set your tracking preferences once inside your browser, then every website has to respect them. No more cookie wall hellscape. This isn't actually new, there have been attempts before. In 2009, when consent requirements for tracking were first added to the law, it said consent could be given via browser settings. The ad industry completely ignored this and went ahead building the banner dystopia we know today. Then they blamed Brussels for it. Again in 2017, the commission put forward a proposal to make browser-level consent obligatory. A lobbying campaign by Google got it killed. Now, like any good Hollywood franchise, it's back. And it's inside the omnibus. The villains are back for the sequel too. The same companies that brought us cookie banners (Google, Meta and the AdTech industry) are warning that letting people choose privacy will somehow be bad for them. The rest of the digital omnibus still needs pushback, but Article 88b really deserves our support. It's one of the rare proposals that would make our browsing lives so much simpler and better. But it would cost the surveillance/ad industry, which explains why they're fighting it so hard. Colin --- ### Friday links for April 10th 2026 Source: https://consultcolin.eu/newsletter/archive/friday-links-2026-04-10/ *10 April 2026* - Google misinforms, European for how long?, ad tracking for the state, and France goes Linux. Friday, link day: 1. Google's AI Overviews Are Providing Misinformation at a Scale Possibly Unprecedented in the History of Human Civilization Google's AI Overviews in search results are providing tens of millions of wrong answers every hour. That seems ... fine. 2. When it comes to tech's software dependency, what does 'Buy European' even mean? Something that needs to be taken into account when choosing European software: will it stay European? It's often one buy-out offer away from turning American. A good reason to regularly audit your stack. Side note: the content is interesting, but this article has a very strong "written with AI" smell to it. 3. Uncovering Webloc Webloc is an ad-based mass surveillance system that monitors the movements and personal characteristics of hundreds of millions people globally based on data obtained from mobile apps and digital advertising. Ads on sites you visit every day are used to build profiles on you that are then sold to organisations like ICE and countries like Hungary. 4. France Launches Government Linux Desktop Plan as Windows Exit Begins Definitely a path more governments should be going down. It could take a while but you might as well get started early. "Status quo bias" is holding back so many organisations, so kudos to the French on this one. Until next time... Colin --- ### Encrypted email won't save you from yourself Source: https://consultcolin.eu/newsletter/archive/encrypted-email-wont-save-you-from-yourself/ *9 April 2026* - A quick guide to risk profiles, encryption, and when to bother. One subject that comes up pretty much at every discussion I have about digital independence is email. There's a lot to say about email, but I'd like to drill down on the privacy aspect today because I regularly get questions about privacy-focused services like Proton mail or Tuta. When most people see "private" or "end-to-end encryption" (E2EE) they assume their email will reach their recipient with no one reading it in transit. Which is pretty much already the case. Most providers already use "Transport Layer Security" (TLS) which encrypts the connection between different mail servers. E2EE is an extra layer of security on top of this and requires both sender and recipient to have the proper setup. This is rare. TLS protects your emails while they're moving, but many servers store the email in a readable form once it's arrived. At this stage, it could be read by people with bad intentions if they got access to the server. But most security issues with email don't happen because of bad actors stealing content straight off the server, they happen because of weak passwords or people clicking malicious links in emails. No encryption will save you from that. So the question is: what's your risk profile? For most organisations, their email contains customer conversations, sales pitches and whatnot. This is low-risk and fine. If you're constantly dealing with sensitive data: medical, legal, defence ... you may want to choose a service that does encrypt your emails "at rest" (when stored on the server). But there are downsides to these services: you often need to use a custom client, the security can be annoying, and they can rarely talk to other systems like CRMs or scheduling software. So, if you're worried about privacy, what should you do? First, make sure everyone on your team has good cyber hygiene: strong passwords, awareness of phishing and social engineering, not clicking on any old link, etc. Then select a European provider that has a good privacy policy (yes, you should read it) and the functionality you require. And if Proton or Tuta are the ones that fit your needs, go ahead. Colin --- ### The ingredients they don't want to list Source: https://consultcolin.eu/newsletter/archive/the-ingredients-they-dont-want-to-list/ *8 April 2026* - Amazon didn't invent Linux. Google didn't invent Python. So, why are we acting like Europe has nothing to offer? I have a question for you: what do Linux, Python, MySQL, Nginx, and Kubernetes have in common? They're all technologies running inside Amazon Web Services, Microsoft Azure, and Google Cloud. They're all open source and free; and none of them were invented by these companies currently making billions from them. That's a side of the "US tech dominance" story that doesn't get much airtime. These "hyperscalers" didn't create a good part of the software powering their platforms; they packaged it, scaled it, and spent a fortune marketing it. But the foundations, those were built by open-source developers, many of them European. Linux is from Finland, Python from the Netherlands, and MySQL from Sweden. The reason I bring this up is that the whole European digital sovereignty debate keeps sticking on this false premise: that we would have to somehow start from zero, that the Americans have secret know-how that we don't, that building European alternatives would take decades... That's patently untrue. The foundations are already open and, in many cases, they were made here. The new EU Cyber Resilience Act requires vendors to provide a software "bill of materials" for their products (a fancy way to say "ingredient list"). This has produced quite a reaction from big tech: Lobbying, pushback, "grave concerns", etc. You might wonder why, what's essentially an ingredients list, would cause so much negativity. Maybe it's because many of those ingredients are things they didn't build themselves? So, this whole "no alternatives" argument should really be setting off our scepticism alarms. When someone says a European equivalent to some US big tech offering is impossible we should be asking "is that true or did no-one even look?". Because, the core tech is certainly available and open, possibly already running here or, in many cases, could be with a little effort. Granted, some very specific setups will be harder and even impossible. But, for most usage, local can be done and probably even exists already. The next time you're picking a tool, take a closer look at the European offerings, you'll often find they come from the same place the American ones do. Colin --- ### The EU's Digital Omnibus: next stop, your privacy Source: https://consultcolin.eu/newsletter/archive/the-eu-digital-omnibus-next-stop-your-privacy/ *7 April 2026* - All aboard the deregulation express! The biggest winners won't be European. The European Commission is currently working on a directive called the "digital omnibus". Nothing to do with public transport, these "omnibuses" are just a way of bundling a bunch of changes to multiple laws in one go (and can also be a sneaky way of avoiding too many checks). The official goal of this directive is to simplify digital regulations and make European businesses more competitive. Sounds reasonable, right? But, when you take a closer look, "simplify" starts to look like "dismantle". Let's take the GDPR. Today, you can write to any company and ask them what data they have on you and who they've shared it with. They have one month to respond. Under these new proposed rules, that company could simply respond "no, your request is excessive". Basically being the judge in their own case. Or let's take the definition of personal data. Today, it's objective: it's anything that can be linked to a real person. Under this new directive, it would become subjective: as long as a company holds your data under a pseudonym (like a string of numbers instead of your name) and claims it can't ID you from it, they can claim it's not personal and the GDPR doesn't apply. Anyone who knows anything about data knows that pseudonymisation is relatively easy to work around. Then there's good old AI. New exceptions in the law would allow companies to use sensitive personal data (health, political opinion, religion, union membership, ...) to train their AI models - with much lighter obligations. The Commission says this will help European companies compete in the market. But if you loosen rules in a market that's over-dominated by American big tech, who do you think will benefit the most? It probably won't be that local European startup. The GDPR has plenty of faults, the biggest one being they don't enforce it. But the answer to poor enforcement isn't relaxing the rules, it's doing the actual enforcement! Negotiations are ongoing, but this is worth keeping an eye on. If you depend on tools from US big tech, relaxation of the rules might end with more personal data flowing from your organisation across the Atlantic. Or... you could be proactive and move to European privacy-focused tools now. Just in case the NGOs, civil society groups, and privacy advocates currently fighting the rule don't succeed. Colin --- ### Friday links for April 3rd 2026 Source: https://consultcolin.eu/newsletter/archive/friday-links-2026-04-03/ *3 April 2026* - LinkedIn strip search, culturally blind AI, big tech stenography, and little web tools. It's Friday. Links incoming: 1. LinkedIn Is Illegally Searching Your Computer The title is somewhat hyperbolic, but it seems LinkedIn is fingerprinting browsers and scanning for installed extensions that could help them profile you. Spoiler: only in Chrome or Chromium-based browsers, so choose an alternative if you go there. 2. AI Headshot Apps Removed Her Hijab Another demonstration of how AI tools are not neutral. You may have seen these headshot tools that generate "professional" versions of portrait photos using AI. All of them remove Hijabs. Proof that the weight of the training data has massive influence on the output. 3. "CEO Said A Thing!" Journalism This is something that has been bugging me for ages now: journalists uncritically repeating what business leaders say; with no context, scrutiny, or pushback. Basically acting as stenographers for Silicon Valley. 4. Kin - Everyday tools.No strings. A curated collection of simple little web tools. From a ukulele tuner to a first-aid guide, via an invoice generator. All free and private. See you on Monday, Colin --- ### I made a thing that judges Source: https://consultcolin.eu/newsletter/archive/i-made-a-thing-that-judges/ *2 April 2026* - Pop your domain in. See what comes out. Don't shoot the messenger. Today's email is slightly different. I've been working on a little web application that lets you scan a domain name to see how "European" it is. It analyses a bunch of different elements linked to that domain, like email, web hosting, domain registration, etc, then gives you a sovereignty score based on how dependent you are (or not) on non-European services and technologies. It's still in beta right now, but I'd appreciate some extra eyes on it while I refine it. If you'd like to test, head to: ccscan.eu and give it a try. All feedback is appreciated. Particularly if you see it doing something it shouldn't or if it doesn't properly recognise a service. Thanks! Colin --- ### A bug is a bug (unless it's open-source) Source: https://consultcolin.eu/newsletter/archive/a-bug-is-a-bug-unless-its-open-source/ *1 April 2026* - Google goes down: bad luck. NextCloud goes down: bad decision. I try to recommend open-source solutions to my clients when I can. There are many advantages to this, I'll probably get in to them in some future emails. But I wanted to point out something I've seen in many places when it comes to open-source being brought in to replace a big tech solution. If, say, Google Drive goes down, everyone gets annoyed but no-one really questions the tool. They just wait it out. However, if a small issue takes an open-source alternative like NextCloud down, the complaints start immediately: "we should have stuck with Google". Similar problem - not-so-similar reaction. Recommending defaults is always the safe path (which is why they're defaults). Recommending alternatives brings risks along for the ride: There's familiarity: people spend years learning the quirks of their tools, often without even noticing. When a new tool shows up, they get impatient with every little crack that appears. If Google breaks, it's Google's problem. When the alternative breaks, everyone knows who decided to install it. Free is still associated with rough edges and incomplete features. When things go wrong, it's proof. When the same thing happens to a large vendor, it's just a bad day. This encourages decisions based on comfort rather than utility or quality. Understandably so, the old saying "nobody ever got fired for choosing IBM" still applies, just with new logos. But a bug is a bug, whatever logo is at the top of the screen. Next time you're evaluating a tool, ask yourself: would I hold the one we're already using to the same standard? Colin --- ### Do you have consent, or just compliance? Source: https://consultcolin.eu/newsletter/archive/do-you-have-consent-or-just-compliance/ *31 March 2026* - Recording everything doesn't make you productive, it makes you a data controller. If you've been in a video call recently, you've probably seen one of these bots that sits in on the conversation and records/transcribes everything that's being said. A question that's come up before is "If everyone can see this bot in the channel, do I really need permission to use it?" Let's start with European law: in nearly every case, you need explicit, informed consent to record a conversation. That means everyone has to give their OK first. The issue is that a "yes" risks being shaped by power dynamics. A junior member of staff or a supplier in need of a deal might feel like they can't say "no" without risking their job or contract. The GDPR talks about "freely given consent". But when a clear power imbalance exists, silence will rarely be considered "freely given consent". So, if you're the one pressing the "start recording" button, you're also the one responsible for making sure you're getting actual freely-given consent. Make sure that someone can really object without penalty, and let them know. Agree to not record if anyone refuses. And, finally, do you really need to record/transcribe this meeting? If it's just going to be another addition to the dark data drawer, skip it and avoid the pressure. In the end, the real question isn't "can I record this?", the real question is "who in this call is least able to say no if I do?". Colin --- ### 404: Impact Not Found Source: https://consultcolin.eu/newsletter/archive/404-impact-not-found/ *30 March 2026* - Those online carbon calculators are doing some heavy rounding. One question that comes up regularly in discussions I have is the environmental impact of a website or web app, and what can be done about it. There are online calculators that will, in theory, give you a website's carbon footprint, but I'm not convinced. These calculators mostly follow the same process: Get the website's page weight. Convert this weight to energy use. Convert that to CO2 (equivalent) emissions. This is a crude proxy at best. Page weight isn't a great predictor of energy use; a 1MB JavaScript file that needs to be parsed and run by the user's device could use more power than a 1MB image that just needs displaying. Most of the energy consumption for our online habits comes from the making and the powering of our devices, the rest from data centres and networks. For example: around 90% of the greenhouse gas emissions from your phone are embodied. That means the manufacture, not the electricity consumed in day-to-day use. Does that mean we should ignore efforts to make greener websites? No, of course not. These calculators and web sustainability projects are great frameworks for thinking about improving the web's footprint. But they're not some magic solution where getting your website an A+ rating will have a measurable impact. On the other hand, choosing web hosting powered by green energy is a better first step. As is making websites that don't go wild with server-side computation (hello AI!). Keeping pages light will let people with older devices use your site for a long time to come and, as a bonus, will be faster to load. Or, to take it to the extreme: does that online service even need to exist? Colin --- ### Friday links for March 27th 2026 Source: https://consultcolin.eu/newsletter/archive/friday-links-2026-03-27/ *27 March 2026* - Data as a liability, Metaverse musings, LinkedIn lingo, Web nostalgia, and supporting artists. Another batch of fresh Friday links. 1. Iran built a vast camera network to control dissent. Israel turned it into a targeting tool A clear demonstration of the core issue with data collection. It's an asset until it becomes a vulnerability. Every database you build is a future liability in the wrong hands. 2. My Prodigal Brainchild Neal Stephenson, who coined the term "Metaverse" in his 1992 novel Snow Crash, reflects on the death of its unsanctioned Facebook-created counterpart. His take on VR headsets pretty much matches my view, they're a dead-end technology. 3. LinkedIn Speak Translator Exactly what you need for your next meeting or social media post. A translation tool that translates from standard language to that mysterious lingo all the LinkedIn influencers speak. 4. Web Rewind A nostalgic journey through the history of the internet made by the people behind the Opera browser. Remember Flash? It's got a very similar vibe to the old flash sites and games. You need to explore to figure out how it works. 5. Unstream A Mac app that detects what you're listening to on Apple Music, Spotify, or other services, and shows you better ways to support these artists (streaming definitely doesn't do that). Like buying directly on Bandcamp or supporting them via Patreon. Have a quality weekend! Colin --- ### Can you trash it? Source: https://consultcolin.eu/newsletter/archive/can-you-trash-it/ *26 March 2026* - Save the planet. Delete a spreadsheet. A lot of tech questions are about where data is stored, how data is stored, or who stores it. But have you ever thought about if that data should be stored? The tech sector is estimated to contribute around 2 to 4% of global CO2 emissions and rising. That's close to aviation. With current demand and, particularly with AI, consumption is projected to double this year. That cloud may seem virtual, but it's made up of gigantic data centres, racks and racks of servers, cooling equipment and more. Most of that turns into e-waste at some point and only about 22% of that is collected and/or recycled. Every file or photo you store online will consume electricity forever, or until it's deleted, if it ever gets deleted. This is what's called "dark data", information that's stored but never used or accessed ever again. Estimates put the percentage of dark data in organisations at 40-90% of all stored data! Next time you're about to hit the save button, ask yourself: can I trash it instead? A regular data cleanup, sensible retention policies, and a culture of saving less by default could make a bigger difference than you think. Colin --- ### Gone but not logged out Source: https://consultcolin.eu/newsletter/archive/gone-but-not-logged-out/ *25 March 2026* - That ex-employee's personal email might still be running your business. If the person who set up your email server, your domain name, your AWS account or your website hosting left your organisation tomorrow, would you still have full control of these services? If you're not sure, you're not alone. And it might cause some issues down the line. A client recently found out they couldn't update their domain records. The domain had been registered years ago, when they launched, by an employee using their personal email. That employee had since moved on. There were no evil intentions or disputes involved, it's just one of these things that happens all the time. But now the client's whole email and web infrastructure was basically locked behind someone else's personal login. And that login wasn't one they controlled. I've seen this so many times... Subcontractors registering software in their own name because it's easier at the time, former staff members who used their personal email for the cloud admin login, social media accounts that someone must have the credentials to, but who? Try this test. For each of the following, do you know who the registered owner is, and is it a shared inbox or some random staff member's account? your domain name(s) your web hosting your email platform your social media accounts your email marketing platform your cloud storage your CRM, project management, accounting, ... If any of these are using a person's account rather than a shared business inbox, you need to fix that before that person leaves, not after. Setup a shared inbox or a specific account like accounts@ and transfer all your logins to it. It's worth the hour or so it will take you. (and, yes, the client got their domain back by contacting that ex-employee on LinkedIn) Colin --- ### Always stray off the happy path Source: https://consultcolin.eu/newsletter/archive/always-stray-off-happy-path/ *24 March 2026* - If the demo looks flawless, you're not asking the right questions. Last Friday, I attended an online software demo on behalf of a client. As I watched the salesperson click and scroll through various scenarios, I noticed they were following a strict, predefined path each time. Nothing unusual - demos are always designed to showcase the best side of a product. During question time, I asked them to run through a few tasks that weren't part of the script. That's when the polish wore off: interface slowdowns, inconsistent user interface feedback, and at one point, it even crashed. Demos will naturally follow what's known as the "happy path", a default scenario that's guaranteed to work every time, with no errors or surprises. It's how nearly every product is presented. Again, nothing unusual here. But, the real picture emerges when you step off this happy path. So, next time you're sitting through a demo, make sure to get them to test the outliers. Not to trap or embarrass anyone, but to see how the product handles the messy day-to-day use it will be put through when your team get their hands on it. Colin --- ### What if the .com police come knocking? Source: https://consultcolin.eu/newsletter/archive/what-if-dotcom-police-comes-knocking/ *23 March 2026* - A simple step to protect your domain from geopolitical surprises. Have you ever thought about who has final control over your domain name? There are several layers to this control hierarchy, the main ones being: What the top level domain is: .com, .nl, .eu, .info, ... Where you purchased and registered the domain name. This is the registrar, like gandi.net in France or namecheap.com in the U.S. If any of these are managed from an unpredictable jurisdiction, you could be at risk of losing ownership or control. Let's look at the top level domain (TLD), which is the one most people skip when analysing risk. ICANN is an American non-profit that coordinates all "generic" TLDs (like .com, .net, .org) which it contracts with registry operators. In the case of .com, it's a U.S. corporation called Verisign. Because both ICANN and Verisign are subject to U.S. jurisdiction, a legal order could request the seizure, locking, or modification of your domain records. This has already happened. Most seizures up until now have been linked to criminal activity. But, with the current unpredictability of the Trump administration, who's to say they won't decide that European sites are anti-American propaganda or that .coms are for Americans only? The chance is low, but you should have a backup plan in place. My recommendation is to grab a local (.be, .fr, .es, ...) or European (.eu) domain, ideally the same as your .com. Then point it at your current setup. If things go bad, you can announce the change and avoid expensive interruptions. Even better, switch to that new domain and redirect the old .com to it. Wear your local roots on your sleeve! Colin --- ### Friday links for March 20th 2026 Source: https://consultcolin.eu/newsletter/archive/friday-links-2026-03-20/ *20 March 2026* - Empire of AI, MAGA wants EU mails, the Metaverse goes poof, fear of the kill switch, and some obscure music. It's Friday, let's do the link thing... 1. Naomi Klein & Karen Hao: The Empire of AI and the Fight for Our Future (video) This is a great in-depth follow-up to what I wrote about generative AI this week. Naomi Klein talking with Karen Hao about her book Empire of AI (which I highly, highly, recommend). It's not all doom and gloom though. They talk of smaller, fairer AI and other community projects. The video lasts over an hour but, trust me, it's worth your time. 2. US Congress demands messages from European officials via Microsoft and Google The US congress is pressing US tech companies to hand over messages from EU officials. The Belgian privacy and tech community has been warning about this for a long time: sending work emails via Microsoft 365 or Google Workspace is basically serving European data on a platter to a foreign administration. 3. Meta is killing off the metaverse. It lost $80 billion Remember when the Metaverse was the next big thing? Someone paid $450,000 to be Snoop Dogg's neighbour in that digital ghost town. Fun times. 4. Europeans think Trump can shut down their internet 86% of people think a sudden U.S. move to restrict Europe's access to digital services is "plausible" and "should not be ruled out". 59% called it "already a real and concrete risk". Time to bring those bytes back across the Atlantic before they need a visa. 5. Vintage Obscura If you like your music rare, this is fun: a streaming radio station that only plays tracks from before 2000 that have less than 30.000 views on YouTube. Have a good one, Colin --- ### Renting your reasoning Source: https://consultcolin.eu/newsletter/archive/renting-your-reasoning/ *19 March 2026* - Pull out the AI and what's left standing? Ethics aside (to the extent one can do that), should you use generative AI in your work? At their core, generative AI models are text synthesis engines. They don't think or reason, despite what the marketing says. They simply fabricate plausible-sounding text. If you imagine prefixing your queries with "What would a plausible answer to this question sound like?:" you'll get a clearer picture of their underlying mechanism. The factual accuracy of any response is basically a side effect of how prominently those facts appear in the training data. So, the only truly safe uses are text manipulation tasks like style changes ("make this announcement more formal"...), standardising date formats, semantic search and replace ("replace sections where I sound hesitant with something assertive"), things like that. There are plenty of unsafe or less-safe uses. Those are going to depend on your risk tolerance. Some potential risks to consider include: Generative AI is non-deterministic, i.e., unpredictable. Even if you give it the same starting conditions, you might get a different result each time. Any process depending on predictable outcomes is at risk. Insurers are looking to add specific exclusions to business policies so they are not obligated to cover AI-related workflows - enough said. Generative AI doesn't summarise, it shortens. Not a huge issue for an email, pretty bad for a scientific paper. In most cases, content produced with AI can't be copyrighted (US law, soon to be EU law also). It's a financial house of cards. Every $20 subscription costs them $200; every $200 one costs them $5000. And the rest of the finances are even worse. Consider the risk of basing any workflow on services that could collapse at any time. There are 3 or 4 major generative AI providers; most of the other AI services or "AI included" services are essentially wrappers built on top of them. And nearly all of them are losing money. It makes you dumber. Which isn't a huge surprise. Technology built to help you think less will make you ... think less. So, what's the takeaway? Vet the tools thoroughly based on your risk profile, and make sure nothing will break (including your brain) if they suddenly disappear. Colin --- ### The consent problem Source: https://consultcolin.eu/newsletter/archive/the-consent-problem/ *18 March 2026* - All the world's creative output, none of the world's permission. Generative AI is unethical. There's no way around that. I don't expect this to radically change anyone's mind about using it. We live inside unethical systems our whole lives, and we've all got blind spots - life is complicated. But we should at least be aware of the impact. Building generative AI models starts with ingesting absolutely any data that can be found: the whole web, all the books (including pirated copies), television, podcasts, you name it... It all gets scraped, regardless of whether the authors or creators have consented or not. The AI companies say this is just like a search engine spidering the web, but it's not. Search engines point people back to the original content, giving the authors traffic and readers. Large language models summarise or, worse, plagiarise the content, rarely crediting the original source or pointing to it. This can only result in many publications eventually shutting down as the AI ouroboros slowly kills the web. Then you've got all the exploitative, neo-colonial, sometimes trauma-inducing labour. Behind the clean, futuristic-looking magic of AI, there are scores of humans in a network of low-wage digital sweatshops, mostly in the Global South, sorting through and labelling all the data to ensure models seem smart and safe. The environmental aspect is probably the worst. The AI companies are far from transparent about their energy and water use (never a good sign). But conservative estimates put the consumption of AI at five times the energy of standard computing. Training a new model takes data centres running for months on overdrive, literally burning through chips as they work. I don't want this to be too long, so I'll end here. But I haven't even mentioned the psychological harm, the use in military kill-chains (despite their posturing, Anthropic are still very much involved too), collaboration with the current US administration, the so-called open source models, etc. There's a lot more to say here, but that's for another time. Colin --- ### Bicycles, Buses, and AI Source: https://consultcolin.eu/newsletter/archive/bicycles-buses-and-ai/ *17 March 2026* - Before we talk about AI, a quick word about buses. No technology decision happens these days without someone raising the AI question (usually loudly and confidently). So let's raise it properly. And the first step is defining what AI actually is. Today, when someone talks about AI, they're usually talking about a relatively recent development: Large Language Models, also known as Generative AI. This is your ChatGPT, Claude, Copilot, Mistral, etc. But AI has been around in one form or another for decades. The term itself was created as part of a marketing move to get financing for research in the 1950s during a funding freeze. Since then we've gone through several technological cycles, from neural networks to machine learning. At each step, the "Artificial Intelligence" branding gets applied, as it sets grandiose expectations of computers as simulated brains and brings science-fiction scenarios to mind. And, each time, it overpromises and underdelivers. Even today, AI is applied to multitudes of technologies. The tool that lets you erase the background in Photoshop, the spam filter, the sales prediction algorithm, the self-driving car, the chatbot... They all get branded as AI, but only the chatbot is a Large Language Model. In the book "AI Snake Oil"1, the authors describe a scenario where all forms of transport, whether bicycles or buses, are simply called "vehicles". Replace the word "vehicles" with "artificial intelligence", and you get a pretty good description of the world we live in now. The frenzy today is over LLMs/Generative AI. Everything else on that list has been around for years. Some were already called AI; others have been rebranded to profit from the current wave. Now that we've cleared that up, we can move on to talking about the usage and ethics of Generative AI (the one you're probably thinking of when you hear "AI"). See you tomorrow. Colin [1]: AI Snake Oil: What Artificial Intelligence Can Do, What It Can't, and How to Tell the Difference - Arvind Narayanan and Sayash Kapoor - 2024. --- ### Stop blaming Brussels Source: https://consultcolin.eu/newsletter/archive/stop-blaming-brussels/ *16 March 2026* - Your cookie banner is a confession, not a legal requirement. A common myth, even among people who work in the web business, is that cookie banners are mandated by the European Union, and it's their fault we're subject to an endless barrage of these banners as we surf the web. This is what's known in technical terms as "completely wrong". The ePrivacy directive doesn't force websites to implement cookie banners at all. What the law says is that organisations are required to obtain your explicit informed consent if they want to track you online. The obvious response would simply be not to track people. But that would mean giving up on lucrative data. So instead, companies built cookie banners. This is "malicious compliance". The site owner can technically claim "We gave them a choice" but the design ensures the choice isn't free or informed at all. Complying (barely) with the rule of law while violating its intent. Every time you see a cookie consent banner, it means someone is collecting your personal data as free raw material - whether the site owner is profiting from it directly or they've embedded third-party tools that do it on their behalf. Do you really want to be seen that way? The solution is simple: don't track your users' personal data and you won't have to pretend "we care about your privacy" (no one believes you, by the way...). Colin --- ### Friday links for March 13th 2026 Source: https://consultcolin.eu/newsletter/archive/friday-links-2026-03-13/ *13 March 2026* - A European office, your mind on AI, computer handwriting, and the Microsoft invasion. It's Friday. Time for some links that caught my eye this week. 1. Office.eu A new sovereign European startup hoping to compete with Office 365 and Google Docs. It seems to be a hosted instance of Nextcloud Hub using Collabora for its office suite. If you like the idea of self-hosting but you also value your weekends, this might be worth looking in to. 2. AI Isn't Coming For Your Job. It's Coming For Your Mind It's a long read but it's also one of the best articles I've read about the effects of generative AI on our ability to learn. Among other issues, those who use AI passively lose skills and become overconfident. So... nothing to worry about then. 3. Turn Your Handwriting Into a Real Font This site will create a font based on your handwriting. It all happens in the browser so it's completely private. You download a file, print it, fill in your writing, upload a picture back to the site and out pops a font. Your computer can now have handwriting as bad as yours. 4. A map of email servers by local municipality Check who hosts your local municipality's email. Belgium and the Netherlands seem to have signed some sort of blood pact with Microsoft. Enjoy your weekend! Colin --- ### You're not printing it Source: https://consultcolin.eu/newsletter/archive/youre-not-printing-this/ *12 March 2026* - Your spacebar is not a design tool. Open a word processor and what do you see? A white rectangle the exact size of an A4 sheet of paper, a blinking cursor, and a ton of buttons you'll probably never click. And when was the last time you actually printed what you were writing? This has bothered me for years. MS Word still frames everything you write as something destined for a printer: margins, rulers, page numbers, headers, footers... The whole interface is a monument to a workflow that's rarely used these days. But we use it because we always have. We open Word (or Google Docs, same story) and start wrestling with formatting instead of focusing on what we actually want to say. I've also stopped counting the number of times I've watched people hitting multiple returns instead of inserting a page break, tapping the space bar to centre a title, or manually adding numbers to lists. There are proper tools in Word for all this stuff. But if you're not using them, you probably don't need Word in the first place. A modern text editor, an online collaboration tool, even your computer's notepad might do the job. Most of what we write today will be read on a screen, maybe even a phone screen. It doesn't need margins or page breaks - it needs to be clear, readable, and well thought out. And that's one more piece of big tech you can ditch. Colin --- ### Your search bar has a gossip problem Source: https://consultcolin.eu/newsletter/archive/your-search-bar-gossip-problem/ *11 March 2026* - Leaving big tech doesn't start where you think it would. During a call yesterday, someone asked me what an easy first step was on the path to getting off big tech. They lead a smallish organisation of 14 people which is pretty much married to Google: email, docs, video conferencing, storage... I'd say the first and easiest step isn't migrating your email or moving all your files. It's simply switching search engines. Google gathers an obnoxious amount of data about you through your searches and, to make matters worse, their results have been (deliberately) declining over time. There are some European search engines out there but, honestly, I don't think they're anywhere near the top of the rankings yet. They're improving day by day though. My top recommendations would be: Kagi if you don't mind paying, it's privacy-focused and miles ahead of even Google. I happily pay for this one myself. DuckDuckGo is probably the second best option. There are ads but they're contextual not behavioural (based on the search terms, not on profiling you). Next up, if you haven't already, quit using Chrome as your browser and switch to something like Firefox or Vivaldi. Colin --- ### Free isn't cheap Source: https://consultcolin.eu/newsletter/archive/free-isnt-cheap/ *10 March 2026* - €0 per month, plus your soul and a consent banner. Lieven emailed me in response to my email yesterday about Google Analytics. Quoted with permission: I agree that GA is complicated and not ideal but it's free. And for organisations with limited budgets this makes a huge difference. I've tried to sell some of these privacy-respecting services to my team but even €9/month is seen as too much for something that's available from Google for nothing. I understand the dilemma. Google got as powerful as they are by offering most of their services for free. Because, as the saying goes: if you're not paying for the product, you are the product. Over 75% of Google's revenue comes from advertising. Advertising that feeds off the data they collect about you and your users. And is Google Analytics really free? It requires a cookie consent banner to be legal. That's either a paid service or a plugin someone still has to set up and maintain. Then there's GA4 itself: two-month default data retention, reports that require a data science degree to configure, and an estimated 90% of accounts improperly set up. You're wasting time, what's it worth? Then there's the data you're losing because of that cookie banner or ad blockers. When banners are designed properly (no dark patterns, no sneakily pre-ticked boxes), 60% or more of visitors say no. In Germany and France it's over 75%. A Chilean government study of 70.000 users found that when given a completely clear choice, 95% rejected additional cookies! (which tells you a lot about all the dark patterns on cookie banners out there). So, you're seeing a minority of your visitors, skewed towards the ones least likely to care about privacy (older people mostly). Privacy-respecting analytics don't need that banner, which means data from more visitors (though a few hardcore ad blockers will still block some of them). You're also on legal thin ice. Between 2022 and 2025, data protection authorities in 8 European countries ruled against Google Analytics for transferring personal data to the US in violation of GDPR. Sweden issued a €1 million fine. Norway's data protection authority recommended companies look into compliant alternatives. Germany even declared Google Tag Manager as illegal. If your mission involves trust, transparency, and treating people with respect: running Google Analytics contradicts that in so many ways. Every visit gets reported back to one of the biggest advertising networks on the planet. Your visitors came to support your cause or your ideas, not to have their behaviour profiled and exfiltrated. Switching to a tool like Plausible or Simple Analytics advertises your values: "we don't track you". €9 a month isn't competing against free (and some are cheaper than that). It's competing against cookie banners, legal issues, developer time, and feeding your community's data into a surveillance network while telling them that you're on their side. Sorry for the wall of data, I'll try to keep the next ones shorter :) Colin --- ### Building a bigger haystack Source: https://consultcolin.eu/newsletter/archive/building-a-bigger-haystack/ *9 March 2026* - Google Analytics: installed 2019, opened twice. Most websites have Google Analytics installed. Not because someone sat down and actually thought about what data needed to be collected, but because it was free, easy to install or pre-installed by the developers, and because of the power of the Google brand ("everyone uses it!"). I'm not criticising, it just happens that way. I see it all the time. A study from Humboldt University interviewed web analytics consultants who'd worked with hundreds of organisations1. What they found won't particularly surprise you: in every single case, Google Analytics had been chosen before anyone had defined what they actually needed from it. The brand did the selling, the price (or lack thereof) did the rest. The problem is that Google Analytics is a genuinely complex tool, built for marketing teams with dedicated analysts or data scientists. If you don't have one of those handy (and I'm betting you don't), you end up clicking around a sprawling and overwhelming interface, vaguely hoping to stumble across something useful. Meanwhile GA is building a bigger haystack, collecting tons of data on your visitors that you'll never even look at but are still legally responsible for. The researchers found that's more or less what happens: people "play with" the data instead of learning anything from it. Some organisations even believed they were "data-driven" simply because GA was installed. The tool is running, so surely it's doing its job? And there's something seductive about all those complex graphs, they make you feel like you're in control and they look good in a presentation. But GA doesn't think for you, It assumes you already know what to ask and how to configure it to answer. Most people don't, and that's totally reasonable, it's not their job. Meanwhile, simpler tools exist: Plausible, Fathom, Swetrix, and many more that give you clean simple data: how many visitors, where they came from, what they looked at, how they left. That covers what most organisations actually need and, more importantly, would actually use. They also don't need you to install cookie banners, because they don't track your visitors individually, meaning fewer legal headaches and no quietly feeding your users' private data to an advertising network on the side. You don't need less data. You probably need less tool. Colin [1]: Alby, T. (2023). "The Data Dilemma: Google Analytics' Untapped Potential and Web Data Literacy." LWDA 2023 (PDF). --- ### Friday links for March 6th 2026 Source: https://consultcolin.eu/newsletter/archive/friday-links-2026-03-06/ *6 March 2026* - European search, billionaire hypocrisy, Meta watches you poo, quality control goes down the drain. It's Friday, time for some links of interest: 1. xPrivo A new(ish) European search engine that doesn't track you in any way. It's not perfect, but it's surprisingly good compared to many of the other independent search engines out there. It uses the "European Search Perspective" index that's also used by Qwant and Ecosia. 2. Peter Thiel and other tech billionaires are publicly shielding their children from the products that made them rich The best product review you'll ever get is watching the people who built it refuse to let their own kids near it. 3. She Came Out of the Bathroom Naked, Employee Says If you bought the Meta Ray-Ban "smart" glasses, there are now people in Nairobi watching you poop. 4. Have We Forgotten How to Design? Quality control is down the drain: exhibit 1. RoboTaxis can navigate a city autonomously but need a food delivery courier to close their doors. The perfect metaphor for an industry that forgot how to think before it learned how to ship. 5. Artisanal care Quality control is down the drain: exhibit 2. Developers are happily shipping "vibe coded" software they've never tested into critical infrastructure. The craftsmanship of an artisan would be nice or, you know, any craftsmanship at all. See you next week... Colin --- ### Double surveillance Source: https://consultcolin.eu/newsletter/archive/double-surveillance/ *5 March 2026* - When you track your visitors, you feed the beast. In my previous email, I mentioned how surveillance on the internet was the architecture working as planned. But there's a side to it we don't always think about: When someone visits your website and it loads a Google Analytics tag, that visit isn't just displayed on your analytics dashboard, it's reported back to Google too. Google now knows that person visited your site, at what time, on what device, and connects it to everything else it already knows about them: searches, emails, location history, Chrome habits, 2am YouTube binges... Your visitor didn't agree to that (clicking "I accept" out of consent fatigue doesn't count). They just came to your site. None of this required thought: the analytics came with the website, the embed was the obvious way to share video, and Facebook told you the pixel was necessary for your ad campaign to work. You knew these tools tracked your visitors, that's why you installed them. What was probably less obvious was that the platforms were reading over your shoulder the whole time and keeping their own copy: A YouTube embed pings Google's servers the moment your page loads, whether someone plays the video or not. Most people don't realise tracking is already taking place here. Google Analytics gives you a nice dashboard, but gives Google something too: more data points on your visitor to add to their own pile. The Facebook pixel goes furthest. It feeds your visitor data into Meta's targeting system, which means any competitor can now run ads against the audience profile Meta has quietly built from people visiting your site. You paid to build that audience - someone else gets to use it. You didn't decide to hand your visitors' data to a surveillance network, you just didn't decide not to either. The good news: this is one of the more fixable problems, and the alternatives are genuinely good. More on that soon... Colin --- ### Built to watch you Source: https://consultcolin.eu/newsletter/archive/built-to-watch-you/ *4 March 2026* - Surveillance wasn't added to the internet. It was the point. Today, the idea that surveillance is something that was added onto the internet after the fact is a common belief. But it's not true, it was baked in from the very start. It emerged from military efforts to build computer systems for a world where everyone was surveilled, predicted and controlled. US intelligence was already using it to help them spy on civil rights activists in the 1970s1. When Google and other big tech companies track and profile their users today, it's simply the system doing what it was always designed to do. Google's advertising model, for example, is built on exactly the same logic as those early systems: collect as much data as possible (your Gmail inbox says hi), find patterns, predict behaviour. So should we all delete our accounts, move to a cabin in the mountains, and start growing our own vegetables? Of course not (well, unless cabin life is your thing). But widespread acceptance doesn't make something inevitable. Better, more ethical alternatives exist, and in many cases they're just as good, if not better. More on this in the next email... Colin [1] See the book "Surveillance Valley" by Yasha Levine for the full history. ---