Privacy Guide
THIS IS A PROOF OF CONCEPT THAT IS STILL WORK IN PROGRESS, THE CONTENT OF THIS PAGE WILL SURELY END UP IN A DEDICATED WEB PAGE OUTSIDE OF THE WIKI
What?¶
This "guide" is just a big list of good software and providers to dig into. It is the information I would have liked to see 4 years ago: back then I just wanted a list of good things to dig into, and this is that list.
Threat model: this guide is focused on a specific threat model: avoiding Big Tech companies, avoiding companies with ties to law enforcement, government agencies or governments (when possible), and avoiding companies with double standards or bad privacy practices.
License: The content of this guide is released under the CC BY-NC-SA 4.0 to everyone, except the current, past and future team members of privacyguides org and privacytools io (or any future domain owned/controlled/related by or to them), reuse is allowed following this license, as long as the content doesn't end up on privacyguides org, privacytools io (or any future domain owned/controlled/related by or to them) and any provider that isn't recommended in this guide.
Why?¶
This guide was created because privacyguides org and privacytools io made awful decisions and have awful recommendations. There are also various internal issues at privacyguides org between their own team members.
Some examples of awful decisions I contested:
- Removal of LineageOS: https://github.com/privacyguides/privacyguides.org/pull/294#issuecomment-988092870
- Removal of Posteo: https://github.com/privacyguides/privacyguides.org/pull/369#issuecomment-988094653
- Removal of CanvasBlocker: https://github.com/privacyguides/privacyguides.org/pull/259#issuecomment-988097091
- Removal of Ubuntu Touch: https://github.com/privacyguides/privacyguides.org/pull/253#issuecomment-988099275
- Removal of 7zip: https://github.com/privacyguides/privacyguides.org/pull/258#issuecomment-988104029
The "Do not use" category includes things recommended by privacyguides org that, as the name suggests, you shouldn't use.
Some community feedback about what privacyguides org has become:
- About the removal of a lot of good recommendations: "There are so many on this list that shouldn't have been removed. Cookie AutoDelete, multi account containers, Safari, Ungoogled chromium, anti recommendation: chrome. None of it makes any sense...", "This is pointed out constantly, but they just cannot care"
- "PrivacyGuides is a one-man-show @tommytran732, without any discussion"
- About the Posteo removal because of DMARC: "Nothing to do with security or privacy. Everything to do with email server reputation."
- About the Qwant removal (because "In December 2020, Qwant blocked access from Japan, Romania, Taiwan, and Turkey. I consider this to be a wicked act."): "How is that a reason to remove it?", "its not privacy related bruh"
- About the removal of good browser addons: "I feel like there's a growing disconnect between the authors and readers and we'll eventually have another 'fork' which focuses more on the average user, who has next to no technical knowledge."
More: https://libreddit.pussthecat.org/r/PrivacyGuides/comments/rbv0uh/recent_updates_to_privacyguidesorg/
Requirements¶
- All software must be open source, no exceptions.
- No provider may be based in the Five Eyes - USA/Canada/Australia/United Kingdom/New Zealand - or in Russia.
- Ideally, no provider should be based in Switzerland either (reason: Swiss privacy died in 2018; the country now basically has its own "NSA-like" agency, and providers keep using "Switzerland" in their marketing because the country still has a reputation for privacy that it no longer deserves).
- All providers must have open source clients (or use an open standard, like IMAP/POP3 for e-mail).
- All providers should ideally have open source servers.
- No provider may be invite-only (sorry RiseUp and cTemplar).
List¶
Providers¶
Cloud Storage¶
Use:
- Your own self-hosted Nextcloud
- Any provider supported by Rclone, with Rclone's crypt backend encrypting everything before upload, as long as the provider is not a Big Tech company (Amazon, Apple, Google, Microsoft...), not in a Five Eyes country - USA, Canada, Australia, United Kingdom, New Zealand - (which rules out BackBlaze, Dropbox, Icedrive, Mega, Box, OpenDrive, Crashplan, Wasabi, pCloud, Rsync net, and more...) and not in Russia (Yandex...). Caveat: crypt encrypts file contents and (optionally) file names, but the provider still sees file sizes, the number of files and the shape of the directory tree.
- Cryptee (Note: expensive, not audited, not supported by Rclone)
- Filen (Note: really young, not audited, not supported by Rclone)
Do not use:
- Any other provider not supported by Rclone
- SpiderOak: their warrant canary died on August 1, 2018 and they handled it as if nothing had happened.
DNS Resolver¶
Use (if you use a VPN):
- The one provided by your VPN provider
Use (if you don't use a VPN):
- Adguard (Note: logs some things: https://adguard.com/en/privacy/dns.html )
- Quad9 (Note: based in Switzerland, no logs)
- AhaDNS (Note: hobby project, no logs)
Do not use:
Email provider¶
Moved to their own page
Search Engines¶
Use:
Social Networks¶
Social networks are fundamentally not private by design, but if you have to use one, pick from this list:
Use:
- Any Fediverse-compatible project (Mastodon, diaspora*, Friendica, GNU social, Pleroma, Pixelfed...)
- Lemmy (Note: the project's creators/owners are heavily politically biased and use Lemmy to "push" their political opinions)
Social News Aggregator¶
Use:
- RSS
VPN¶
Note: a good rule is to avoid any VPN that has a referral program, advertises, or runs fake "time limited" sales (basically 99% of them).
Use:
Do not use:
- ProtonVPN: like Protonmail, sketchy (allegedly a honeypot). In 2018 Proton had its VPN client signed by Tesonet, an advertising company (they admitted it here and then deleted everything mentioning it, including the message where they admitted it). In 2021 Proton helped the authorities by logging the IP address of a French activist, going against its marketing material and privacy policy (More: https://digdeeper.club/articles/email.xhtml#protonmail - Mental Outlaw's video about it: Invidious (YouTube) / Librarian (Odysee)).
Software¶
Web Browser¶
Use:
- Librewolf (Note: follow this)
- Firefox, properly configured (Note: using it directly "encourages" Mozilla's behaviour, including them working with Facebook)
- Ungoogled Chromium
- Mull
Do not use:
- Tor Browser: it's a browser made for anonymity, not privacy
Operating Systems¶
PC¶
Use:
- Any FOSS non-corporate GNU/Linux distribution (except Manjaro)
- Any FOSS non-corporate BSD distribution
Do not use:
- Anything Ubuntu-based (other than Linux Mint): made by Canonical, a company that created and "pushes" Snap, a "packaging system" that requires connecting to their own closed-source server, and that used to include advertising for Amazon.
- Any corporate distro
- Manjaro: sketchy, amateurish distro with awful security practices (packages are held back for 2 weeks for "testing purposes" but no actual testing is done), fired their treasurer because he dug too deeply into the finances, and much more. (More: https://manjarno.pages.dev/ / https://github.com/arindas/manjarno - Luke Smith's video about it: Invidious / Odysee / PeerTube).
Mobile¶
Use:
- GrapheneOS (Note: very few devices supported)
- LineageOS (Note: it needs to be "degoogled" first: https://redlib.pussthecat.org/r/degoogle/comments/cldohl/how_to_degoogle_lineageos_in_2019/ )
- DivestOS (Note: a soft fork of LineageOS that is better than it in every way; however the project is REALLY young, supports far fewer devices (many of the builds are either broken or untested) and has no track record.)
- Any FOSS GNU/Linux distribution
Do not use:
- Any ROM that ships with MicroG (CalyxOS...): MicroG encourages the use of spyware; just stick to open source software. Having MicroG isn't that bad in principle as long as you stick to 100% FOSS apps and disable as much of it as possible.
Calendar and Contact Sync¶
Use:
- EteSync
- CalDAV/CardDAV (no client-side encryption)
Notebooks¶
Use:
- Joplin
- EteSync Notes
- Plain text files
Do not use:
- Standard Notes: overly corporate; requires a subscription (and therefore an account) on their platform to do basic things (like installing "editors": "An active subscription is required to access advanced features such as editors."); markdown support is only available through a "custom editor" and therefore also requires a subscription.
Email Clients¶
PC¶
Use:
- Claws Mail
- Thunderbird: using it directly "encourages" Mozilla's behaviour (including them working with Facebook); bloated; heavy use of analytics/spyware
Mobile¶
Use:
- K-9 Mail: using it directly "encourages" Mozilla's behaviour (including them working with Facebook)
- FairEmail
File Encryption Software¶
Use:
Do not use:
- Cryptomator: the Android client is paid
File Sharing¶
Use:
Metadata Removal Tools¶
PC¶
Use:
- ExifCleaner
- ExifTool, or anything with its own metadata stripping (ImageMagick's -strip, for example)
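As an added example (not code from this page, nor from ExifTool or ImageMagick) of what "removing metadata" actually means at the file level: the container is rewritten and the segments that exist only to carry metadata are dropped, while the compressed pixel data is copied through untouched. The stdlib-only Python below does this for JPEG (drops COM and every APPn segment except APP0 "JFIF" and APP14 "Adobe", which decoders need) and for PNG (drops tEXt, zTXt, iTXt, eXIf and tIME chunks). The keep-list is my choice, not a rule from the page; the two sample files are constructed inline and are structurally valid for the parsers but not decodable images, and the GPS-looking comment and author name in them are made up.

```python
"""Added example: strip metadata from JPEG/PNG by rewriting the container (stdlib only).
Keep-list for JPEG APPn segments (APP0 JFIF, APP14 Adobe) is a design choice, not from the page."""
import struct
import zlib

_JPEG_STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # markers without a length field
_SOS, _COM = 0xDA, 0xFE
_PNG_METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"tIME"}  # chunks that only carry metadata
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _jpeg_keep_app(marker, payload):
    """Decoder-relevant APPn only: APP0 JFIF (density info) and APP14 Adobe (colour transform flag)."""
    return (marker == 0xE0 and payload.startswith(b"JFIF\x00")) or (marker == 0xEE and payload.startswith(b"Adobe"))


def strip_jpeg(data):
    """Return (cleaned_bytes, names_of_removed_segments) for a JPEG byte string."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte, allowed before any marker
            pos += 1
        elif marker in _JPEG_STANDALONE:       # SOI/EOI/RSTn/TEM: two bytes, no payload
            out += data[pos:pos + 2]
            pos += 2
        elif marker == _SOS:                   # entropy-coded data follows until EOI: copy verbatim
            out += data[pos:]
            break
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
            segment = data[pos:pos + 2 + length]
            if marker == _COM:
                removed.append("COM")
            elif 0xE0 <= marker <= 0xEF and not _jpeg_keep_app(marker, segment[4:]):
                removed.append("APP%d" % (marker - 0xE0))   # Exif, XMP, ICC, IPTC, ...
            else:
                out += segment                              # tables, frame header, kept APPn
            pos += 2 + length
    return bytes(out), removed


def strip_png(data):
    """Return (cleaned_bytes, names_of_removed_chunks) for a PNG byte string."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    out, removed, pos = bytearray(PNG_SIGNATURE), [], len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if ctype in _PNG_METADATA_CHUNKS:
            removed.append(ctype.decode("ascii"))
        else:
            out += data[pos:pos + 12 + length]  # length + type + data + CRC, copied whole
        pos += 12 + length
        if ctype == b"IEND":
            break
    return bytes(out), removed


def strip_metadata(data):
    """Dispatch on the file signature; anything else is rejected rather than guessed."""
    if data[:2] == b"\xff\xd8":
        return strip_jpeg(data)
    if data.startswith(PNG_SIGNATURE):
        return strip_png(data)
    raise ValueError("unsupported format: only JPEG and PNG are handled here")


# Constructed sample inputs: structurally valid for the parsers above, not decodable images.
def _jpeg_segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_JPEG = (
    b"\xff\xd8"
    + _jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")      # APP0 JFIF, kept
    + _jpeg_segment(0xE1, b"Exif\x00\x00II*\x00" + b"\x00" * 12)             # APP1 Exif, dropped
    + _jpeg_segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")  # APP1 XMP, dropped
    + _jpeg_segment(_COM, b"Shot at 48.8566,2.3522")                        # COM (made-up GPS), dropped
    + _jpeg_segment(0xDB, b"\x00" + b"\x01" * 64)                            # DQT, kept
    + _jpeg_segment(_SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
)
SAMPLE_PNG = (
    PNG_SIGNATURE
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))      # 1x1 grayscale
    + _png_chunk(b"tEXt", b"Author\x00Jane Doe")                           # dropped
    + _png_chunk(b"tIME", struct.pack(">HBBBBB", 2021, 12, 5, 10, 0, 0))   # dropped
    + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b"")
)

if __name__ == "__main__":
    for sample in (SAMPLE_JPEG, SAMPLE_PNG):
        cleaned, removed = strip_metadata(sample)
        print(len(sample), "->", len(cleaned), "bytes, removed", removed)
```

Run it and the JPEG sample loses both APP1 segments (Exif and XMP) and the comment, while the PNG loses its tEXt and tIME chunks; re-running on the output removes nothing, which is a cheap check that the rewrite was complete. Two caveats a practitioner should keep in mind: this handles only two formats (ExifTool's -all= covers hundreds, and its documentation shows --icc_profile:all for keeping the colour profile, since dropping APP2 ICC data can shift colours), and stripping metadata removes nothing that is in the pixels themselves, such as a visible street sign or the clock in a screenshot.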
Mobile¶
Use:
Password Managers¶
Use:
- Vaultwarden (you can also run Bitwarden's own server to support its development, but it's not as simple to deploy)
- KeePassXC (Android client: KeePassDX)
Pastebin¶
Use:
- PrivateBin (Encrypted)
- Pinnwand (Not encrypted)
- NoPaste (client-side only: the paste is encoded into the URL rather than stored on a server)
Instant Messengers¶
Use:
- XMPP (Note: not really user friendly; OMEMO encryption with multiple devices on one account is "weird" and sometimes messages will only appear on one device)
- Matrix (Note: more user friendly than XMPP, with easy encryption across multiple devices, but worse clients, more metadata leakage, a heavier server and more minor-to-major issues)
- Briar (Note: anonymous, P2P, Tor based, ideal for anonymous communication)
- Session (Note: Anonymous, Lokinet based, ideal for anonymous communication)
Do not use:
- Signal: phone number required, centralized server, US-based company, hostile toward alternative clients
- Telegram: phone number required, centralized server, not end-to-end encrypted by default, uses a non-standard in-house encryption scheme, used to be a Russian-based company, uncertain future. Currently based in Dubai. (More: https://spyware.neocities.org/articles/telegram.html - Luke Smith's video about it: Invidious / Odysee / PeerTube).
Video/Voice chat¶
Use: