Privacy Guide

THIS IS A PROOF OF CONCEPT THAT IS STILL WORK IN PROGRESS, THE CONTENT OF THIS PAGE WILL SURELY END UP IN A DEDICATED WEB PAGE OUTSIDE OF THE WIKI

What?

This "guide" is just a big list of great software/providers to dig into, the idea is that this is the information I would like to have seen 4 years ago: me from 4 years ago just wanted a list of good things to dig into: this is a list of good things to dig into.

Threat model: This guide is focused on a specific threat model: avoiding Big Tech company, avoiding companies with ties to law enforcements/government agencies/governments (when possible), avoiding companies with double standard/bad privacy practices.

License: The content of this guide is released under the CC BY-NC-SA 4.0 to everyone, except the current, past and future team members of privacyguides org and privacytools io (or any future domain owned/controlled/related by or to them), reuse is allowed following this license, as long as the content doesn't end up on privacyguides org, privacytools io (or any future domain owned/controlled/related by or to them) and any provider that isn't recommended in this guide.

Why?

This guide has been created because privacyguides org and privacytools io made awful decisions and have awful recommendations. There's also various internal issues at privacyguides org between their own team members.

Some examples of awful decisions I contested:

• Removal of LineageOS: https://github.com/privacyguides/privacyguides.org/pull/294#issuecomment-988092870
• Removal of Posteo: https://github.com/privacyguides/privacyguides.org/pull/369#issuecomment-988094653
• Removal of CanvasBlocker: https://github.com/privacyguides/privacyguides.org/pull/259#issuecomment-988097091
• Removal of Ubuntu Touch: https://github.com/privacyguides/privacyguides.org/pull/253#issuecomment-988099275
• Removal of 7zip: https://github.com/privacyguides/privacyguides.org/pull/258#issuecomment-988104029

The "Do not use" category include things recommended by privacyguides org, that, as the name suggest, you shouldn't use.

Some community feedback about what privacyguides org has become:

• About the removal of a lot of good recommendations "There are so many on this list that shouldn't have been removed. Cookie AutoDelete, multi account containers, Safari, Ungoogled chromium, anti recommendation: chrome. None of it makes any sense...", "This is pointed out constantly, but they just cannot care"

• "PrivacyGuides is a one-man-show @tommytran732 , without any discussion"

• About the Posteo removal because of DMARC: "Nothing to do with security or privacy. Everything to do with email server reputation."

• About the LineageOS removal: "With this logic we should use Forest OS which is even better than Graphene. The process of installing Forest OS is simple. You just throw away all of your tech, burn your passport, and go off the grid to live in a forest as a hermit. This makes you extremely private and your devices impossible to hack."

• About the DDG Browser removal: "Removing DDG browser and saying all iOS browsers are basically Safari with a skin (the assumption being that it’s not really a meaningful difference from one to the next) but then saying use FF/FF Focus because they block trackers, doesn’t make sense to me because DDG also blocks trackers (and has a better default search engine)."

• About the Qwant removal (because "In December 2020, Qwant blocked access from Japan, Romania, Taiwan, and, Turkey.I consider this to be a wicked act."): "How is that a reason to remove it?", "its not privacy related bruh"

• About the removal of good browser addons "I feel like there's a growing disconnect between the authors and readers and we'll eventually have another 'fork' which focuses more on the average user, who has next to no technical knowledge."

More: https://libreddit.pussthecat.org/r/PrivacyGuides/comments/rbv0uh/recent_updates_to_privacyguidesorg/

Requirements

• All software must be open source no exception.
• All providers mustn't be based in the Five Eyes - USA/Canada/Australia/United Kingdom/New Zealand - or Russia.
• All providers shouldn't ideally be based in Switzerland (reason: Switzerland privacy died in 2018, they now basically have their own "NSA-like" agency, providers are just using "Switzerland" in their marketing because the country still has a reputation of being private - while it's not).
• All providers must have open source clients (or use an open standard, like IMAP/POP3 for e-mail).
• All providers should ideally have open source servers.
• All providers mustn't be invite only (sorry RiseUp and cTemplar).

List

Providers

Cloud Storage

Use:

• Your own self-hosted Nextcloud
• Any provider supported by Rclone (and just encrypt with it) that isn't: a Big Tech company (Amazon, Apple, Google, Microsoft...), in a Five Eyes country - USA, Canada, Australia, United Kingdom, New Zealand - (BackBlaze, Dropbox, Icedrive, Mega, Box, OpenDrive, Crashplan, Wasabi, pCloud, Rsync net, and more...) or in Russia (Yandex...).
• Cryptee (Note: expensive, not audited, not supported by Rclone)
• Filen (Note: really young, not audited, not supported by Rclone)

Do not use:

• Any other provider not supported by Rclone
• SpiderOak: their canary died on August 1, 2018 and they handled it as if it wasn't the case.

DNS Resolver

Use (if you use a VPN):

• The one provider by your VPN provider

Use (if you don't use a VPN):

• Adguard (Note: Log some things: https://adguard.com/en/privacy/dns.html )
• Quad9 (Note: Based in Switzerland, no log)
• AhaDNS (Note: Hobby project, no log)

Do not use:

• Cloudflare: it's Cloudflare.
• NextDNS: USA-based
• UncensoredDNS: Hobby project + No privacy policy.

Email provider

Moved to their own page

Search Engines

Use:

• SearX or SearXNG (a fork of SearX)

Do not use:

• Anything else (including Whoogle, that is just SearX but worse)

Social Networks

Social networks are fundamentaly not private by design, but if you have to use one, follow this list:

Use:

• Any Fediverse-compatible project (Mastodon, diaspora*, Friendica, GNU social, Pleroma, Pixelfed...)
• Lemmy (Note: Projects owners/creators are heavily politically biased and use Lemmy to "push" their political opinions)

Do not use:

• Anything else

Social News Aggregator

Use:

• RSS

Do not use:

• Anything else

VPN

Note: A good rules is to avoid any VPN that has referals and/or advertise and/or do fake "time limited" sales (basically 99% of them).

Use:

• Mullvad
• IVPN

Do not use:

• ProtonVPN: like Protonmail, sketchy (allegedly a honeypot), in 2018, Proton, had its VPN client signed by Tesonet an advertising company (they admitted it here and proceeded to delete everything mentioning this, including the message where they admitted it), in 2021, they helped autority by logging the IP address of a French activist, going against their marketing material, and privacy policy (More: https://digdeeper.club/articles/email.xhtml#ProtonMail - Mental Outlaw's video about it: Invidious (YouTube) / Librarian (Odysee)).

Software

Web Browser

Use:

• Librewolf (Note: follow this)
• Firefox properly configured (Note: it directly "encourages" Mozilla's behaviour, including them working with Facebook)
• Ungoogled Chromium
• Bromite

Do not use:

• Tor Browser: it's a browser made for anonimity, not privacy

Operating Systems

PC

Use:

• Any FOSS GNU/Linux distribution (except anything Ubuntu-based (that isn't Linux Mint) and Manjaro)
• Any FOSS BSD distrubution

Do not use:

• Anything Ubuntu-based (that isn't Linux Mint): Made by Cannonical, a company that created and "push" the use of Snap, a "packaging system" that requires connecting to their own closed source server, and used to include advertising for Amazon.

• Manjaro: Sketchy, amateurish distro, awful security practice (keep packages on hold for 2 weeks "testing purposes" but no test is actually done), fired their treasurer because he dug too much into the finances and so much more. (More: https://github.com/arindas/manjarno - Luke Smith's video about it: Invidious / Odysee / PeerTube).

Mobile

Use:

• GrapheneOS (Note: really low amount of devices supported)
• LineageOS (Note: it needs to be "degoogled" first: https://libreddit.pussthecat.org/r/degoogle/comments/cldohl/how_to_degoogle_lineageos_in_2019/ )

• DivestOS: (Note: A soft-fork of LineageOS that is better than it in every way, however the project is REALLY young, support a lot less devices (a lot of the builds are either broken or untested) and has no track record.)

• Any FOSS GNU/Linux distribution

Do not use:

• Any rom that ship with MicroG (CalyxOS...): MicroG is pointless and encourage the use of spyware, just stick to open source software

Calendar and Contact Sync

Use:

• EteSync
• CalDAV/CarDAV (No client side encryption)

Notebooks

Use:

• Joplin
• EteSync Notes
• Plain text files

Do not use:

• Standard Notes: Overly corporate, requires a subscription (so requires an account) on their platform to do basic things (like installing "editors": "An active subscription is required to access advanced features such as editors."), markdown support is only available through a "custom editor", and therefore requires a subscription.

Email Clients

PC

Use:

• Claws Mail
• Thunderbird: It directly "encourages" Mozilla's behaviour (including them working with Facebook) + Bloated + Heavy use of analytics/spyware

Do not use:

-Anything else

Mobile

Use:

• K-9 Mail
• FairEmail

Do not use:

• Anything else

File Encryption Software

Use:

• Veracrypt
• Rclone
• A 7-zip encrypted archive

Do not use:

• Cryptomator: Android client is closed source and paid

File Sharing

Use:

• Lufi
• OnionShare
• Filebrowser

Do not use:

• Anything else

Metadata Removal Tools

PC

Use:

• ExifCleaner
• Exiftools or anything supporting it (imagemagick for example)

Do not use:

• Anything else

Mobile

Use:

• Scrambled Exif

Do not use:

• Anything else

Password Managers

Use:

• Vaultwarden (You can also use Bitwarden itself to support its development, but it's not as simple to deploy)
• KeePassXC (Android client: KeePassDX)

Do not use:

• Anything else

Pastebin

Use:

• PrivateBin (Encrypted)
• Hastebin (Not encrypted)
• Pinnwand (Not encrypted)
• NoPaste (Client side encryption + storage)

Instant Messengers

Use:

• XMPP (Note: not really user friendly, OMEMO encryption with multiple devices on one account is "weird" and sometimes will only make messages apear on one devices)
• Matrix (Note: more user friendly than XMPP, easy encryption with multiple devices, but worse clients, more metadata leakages, heavier server and more minor to major issues)
• Briar (Note: Anonymous, P2P, TOR based, ideal for anonymous communication)
• Session (Note: Anonymous, Lokinet based, ideal for anonymous communication)

Do not use:

• Signal: Phone number required, centralized server, US-based company, hostile toward alternative clients)

• Telegram: Phone number required, centralized server, not encrypted by default, use a non-standard in-home encryption, used to be a Russian based company, incertain future. Currently based in Dubai. (More: https://spyware.neocities.org/articles/telegram.html - Luke Smith's video about it: Invidious / Odysee / PeerTube).

Video/Voice chat

Use:

• Jitsi (Video chat)
• Mumble (Voice chat)