1
0
9x0rg.com/content/posts/tech/my-privacy-tools.md

275 lines
21 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "My Privacy Tools"
date: 2024-04-16T14:12:00+02:00
draft: false
tags: ["Data Privacy","Tech","Tools","Software"]
author: "Olivier Falcoz"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
cover:
image: "/images/"
alt: "<alt text>"
caption: "<text>"
---
![Let's leave planet GAFAM NATU BATX by David Revoy](/images/Lets-leave-planet-GAFAM-NATU-BATX-by-David-Revoy.jpg "Let's leave planet GAFAM NATU BATX by David Revoy")
Image credit: "[Lets leave planet GAFAM NATU BATX](https://www.peppercarrot.com/sr/viewer/framasoft__2022-05-23_lets-leave-planet-GAFAM-NATU-BATX_by-David-Revoy.html)" by David Revoy for [Framasoft](https://framasoft.org/) [CC-BY 4.0](https://creativecommons.org/licenses/by/4.0/deed.sr)
# Why Privacy & Security Matter
Others wrote it much earlier and much better than I could:
> Parce que vous vous foutez de vos libertés, ce sont les miennes qui disparaissent -- [@aeris](https://blog.imirhil.fr/2014/06/22/vos-libertes-mes-libertes.html), 2014.
> Everything Is Broken -- [Quinn Norton](https://medium.com/message/everything-is-broken-81e5f33a24e1), 2014. Available [in French](https://framablog.org/2014/06/02/plus-rien-ne-marche-que-faire/).
> Most of us have nothing to hide but we all have something to lose -- [Tommy Collison](https://medium.com/@tommycollison/nothing-to-hide-everything-to-lose-aff5f7c96004), 2014.
> I need privacy, not because my actions are questionable, but because your judgement and intentions are -- u/starrywisdomofficial (alledgelly)
> Too many wrongly characterize the debate as “security versus privacy.” The real choice is liberty versus control. -- Bruce Schneier, [The Eternal Value of Privacy](https://www.schneier.com/essays/archives/2006/05/the_eternal_value_of.html), 2006.
> Why Privacy Matters Even if You Have Nothing to Hide -- [Daniel J. Solove](https://web.archive.org/web/20210225053545/https://www.chronicle.com/article/why-privacy-matters-even-if-you-have-nothing-to-hide/), 2011.
Looking at the materials described above, there are three things we should try to protect at all costs:
- The data security itself. You don't want your data falling into the wrong hands;
- The trust in the network. You want to be sure you're talking to the right person;
- The confidentiality of exchanges. You don't want everyone to know who you've been talking to.
Funnily enough, the US has an anagram, for this (NSA[^3] was already taken): **C.I.A.** which stand for Confidentiality, Integrity and Availability of data.
# Software I use
My privacy-focused tools are chosen primarily on the basis of security features, with an additional emphasis on decentralised and open source tools. They are applicable to a variety of threat models, from protecting against global mass surveillance programmes to avoiding big tech companies to mitigating attacks, but only you can determine what works best for your needs[^1]. Balancing security, privacy and usability is one of the first and most difficult tasks we face on our privacy journey. Security, in particular, is a process rather than a product, and there is a trade-off: the more secure something is, the more restrictive or inconvenient it usually is. I suggest you familiarise yourself with the concept of threat modeling[^2] before making your own decisions.
- What do I want to protect?
- Who do I want to protect it from?
- How likely is it that I will need to protect it?
- How bad are the consequences if I fail?
- How much trouble am I willing to go through to try to prevent potential consequences?
Once you've completed this assessment, you're free to choose the software that seems most appropriate for your specific use case.
---
## Mobile Web Browsers
See a [Browser Comparison Table](https://divestos.org/pages/browsers) by DivestOS to understand the key differences between all the mobile browsers available for Android.
### Mull for Android
![Mull browser logo](/images/mull.png "Mull browser logo")
[Mull](https://f-droid.org/en/packages/us.spotco.fennec_dos/) is a Gecko based privacy hardened fork of Firefox developed by [DivestOS](https://divestos.org/pages/our_apps#mull), with proprietary blobs removed. It enables many features upstreamed by the [Tor uplift project](https://wiki.mozilla.org/Security/Tor_Uplift) using preferences from the [arkenfox](https://github.com/arkenfox/user.js) `user.js` project.
> **Warning**: Firefox-based browsers on Android lack [per-site process isolation](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196).
### Cromite for Android (Chromium based)
![Cromite browser logo](/images/cromite.png "Cromite browser logo")
[Cromite](https://github.com/uazo/cromite) is a [Chromium](https://www.chromium.org/Home) fork based on [Bromite](https://github.com/bromite/bromite) with built-in support for ad blocking and an eye for privacy.
---
## Desktop Web Browsers
### Firefox
![Firefox browser logo](/images/firefox.png "Firefox browser logo")
[Firefox](https://firefox.com/), Open Source, independent browser. It requires some hardening and tweaking using preferences from the [arkenfox](https://github.com/arkenfox/user.js) `user.js` project to achieve better privacy.
### Tor Browser
![Tor browser logo](/images/tor.png "Tor browser logo")
[Tor Browser](https://www.torproject.org/) defends against surveillance by preventing anyone monitoring a user's connection from knowing what websites they visit. Blocks trackers by isolating each website visited so that third-party trackers and ads can't follow. Resists fingerprinting by making all users look the same, making it difficult to be fingerprint users based on their browser and device information. Multi-layered encryption, the traffic is relayed and encrypted three times as it passes over the Tor network.
---
### Web Browser Extension
I follow Arkenfox's [position](https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-foreword) which recommends *keeping extensions to a minimum: they have [privileged access](https://blog.mozilla.org/attack-and-defense/2020/06/10/understanding-web-security-checks-in-firefox-part-1/) within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation*. Therefore, I only use uBlock Origin.
![uBlock Origin logo](/images/ublock-origin.png "uBlock Origin logo")
[uBlock Origin](https://github.com/gorhill/uBlock) is an addon to Firefox (mobile) and Chrome/Chromium (desktop). It blocks ads, trackers and malware sites while conserving CPU and memory. Please [read about what the addon does](https://github.com/gorhill/uBlock/wiki/Blocking-mode) before installing, then choose one of the recommended modes to increase your privacy. If you don't understand what you're doing you could end up compromising your privacy.
In addition to the various blocklists that come pre-installed with the addon, I specifically use the [Seb Sauvage DNS Block List](https://sebsauvage.net/wiki/doku.php?id=dns-blocklist-en), which comes in various formats:
- `hosts format (0.0.0.0 hostname)` https://sebsauvage.net/hosts/hosts for Android and computers. This hosts file can be used as is in Windows, Linux, MaOSX and in personalDNSFilterr and DNS66 on Android.
- `AdGuard/uBlock-Origin format (||hostname^)` https://sebsauvage.net/hosts/hosts-adguard , for Android and computers. This list can be used in **AdGuard** Android and **uBlock Origin**.
## Email Services
The two providers I have been long using - Mailfence since 2016 - support PGP/GnuPG and 2FA, custom domain names and aliases, are privacy-friendly. See *Key disclosure laws* for [Belgium](https://en.wikipedia.org/wiki/Key_disclosure_law#Belgium) and [Germany](https://en.wikipedia.org/wiki/Key_disclosure_law#Germany), also known as mandatory key disclosure, is legislation that requires individuals to surrender cryptographic keys to law enforcement.
### Mailfence
![Mailfence logo](/images/mailfence.png "Mailfence logo")
[Mailfence](https://mailfence.com/) is an email services based in Belgium
[About](https://mailfence.com/en/private-email.jsp) // [Privacy policy](https://mailfence.com/en/privacy.jsp) // [Transparency report](https://blog.mailfence.com/transparency-report-and-warrant-canary/)
### Mailbox
![Mailbox.org logo](/images/mailboxorg.png "Mailbox.org logo")
[Mailbox.org](https://mailbox.org/) is based in Germany
[About](https://mailbox.org/en/company#our-mission) // [Privacy policy](https://mailbox.org/en/data-protection-privacy-policy) // [Transparency report](https://mailbox.org/en/company#transparency-report)
## Email Clients
### Thunderbird
![Thunderbir logo](/images/thunderbird.png "Thunderbird logo")
[Thunderbird](https://thunderbird.net/) is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Matrix) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
### GNOME Evolution
![Gnome Evolution logo](/images/evolution.png "Gnome Evolution logo")
[Evolution](https://wiki.gnome.org/Apps/Evolution) is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive documentation to help you get started.
### Fairemail (Android)
![Fairemail logo](/images/fairemail.png "Fairemail logo")
[Fairemail](https://email.faircode.eu/) is a fully-featured and easy mail client for Android, open-source email app, using open standards (IMAP, SMTP, OpenPGP). Supports unlimited accounts and email addresses with the option for a unified inbox. Clean user interface, with a dark mode option, it is also very lightweight and consumes minimal data usage
## Encryption Tools
### GnuPG/OpenPGP
![GnuPG logo](/images/gnupg-logo.png "GnuPG logo")
Tools for signing, verifying, encrypting and decrypting text and files using GnuPG standard
[GNU Privacy Guard](https://gnupg.org/) (GnuPG) is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government.
### OpenKeychain (Android)
![Openkeychain logo](/images/openkeychain.png "Openkeychain logo")
[OpenKeychain](https://openkeychain.org/) is one of the very few an Android implementation of GnuPG/OpenPGP. It works flawlessly with mail clients such as K-9 Mail and [FairEmail](https://email.faircode.eu/) in providing encryption support.
### Veracrypt
![Veracrypt logo](/images/veracrypt.png "Veracrypt logo")
[Veracrypt](https://veracrypt.fr/) is a free open source disk encryption software for Windows, macOS and Linux. You can use it to either encrypt a specific file or directory, or an entire disk or partition. VeraCrypt is incredibly feature-rich, with comprehensive encryption options, yet the GUI makes it easy to use. It has a CLI version, and a portable edition. VeraCrypt is the successor of (the now deprecated) TrueCrypt
### LUKS
![LUKS logo](/images/luks.png "LUKS logo")
Linux Unified Key Setup ([LUKS](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md)) is the default **full disk encryption** in Linux using `dm-crypt`. [Securing a root file system](https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition) is where `dm-crypt` excels, feature and performance-wise. Unlike selectively encrypting non-root file systems, an encrypted root file system can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as `mlocate` and `/var/log/`. Furthermore, an encrypted root file system makes tampering with the system far more difficult, as everything except the boot loader and (usually) the kernel is encrypted. I use LVM on LUKS with Arch Linux.
## Password Management
### KeypassXC
![KeepassXC logo](/images/keepassxc.png "KeepassXC logo")
[KeepassXC](https://keepassxc.org/) is a hardened, secure and offline password manager. Does not have cloud-sync baked in, deemed to be gold standard for secure password managers.
### KeypassDX (Android)
![KeepassDX logo](/images/keepassdx.png "KeepassDX logo")
[KeepassDX](https://keepassdx.com/) is the Android client.
## Search Engines
### Startpage
![Startpage logo](/images/startpage.png "Startpage logo")
[Startpage](https://www.startpage.com/) is a private search engine. One of Startpage's unique features is the [anonymous view](https://startpage.com/en/anonymous-view), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding some network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity.
> **Warning**: Startpage's majority shareholder is System1 who is an adtech company although they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy).
### SearchXNG
![SearXNG logo](/images/searxng.png "SearXNG logo")
SearXNG is a metasearch engine that aggregates the results of other search engines while not storing any information itself. You can either self-host or use any of the multiple [public instances](https://searx.space/) of SearXNG.
I use [searx.envs.net](https://searx.envs.net/).
## VPN Service
![Mullvad logo](/images/mullvad.png "Mullvad logo")
[Mullvad](https://mullvad.net/) is a Swedish based VPN provider that retains no logs, and uses a mostly open source and transparent infrastructure available to the public. Mullvad is one of the best for privacy, they have a totally anonymous sign up process, you don't need to provide any details at all, you can choose to pay anonymously too with Monero, BTC or cash.
## Collaborative Tools
### Nextcloud
![Nextcloud logo](/images/nextcloud.png "Nextcloud logo")
[Nextcloud](https://github.com/nextcloud) is is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. It's a feature-rich productivity platform, that can be used to backup and selectively sync encrypted files and folders between 1 or more clients. A key benefit the wide range of plug-ins in the NextCloud App Store, maintained by the community.
### Cryptpad
![Cryptpad logo](/images/cryptpad.png "Cryptpad logo")
[Cryptpad](https://cryptpad.fr/) is a zero knowledge cloud productivity suite, alternative to popular office tools. All content is end-to-end encrypted (E2EE)[^4] and can be shared with other users easily. Provides Rich Text, Presentations, Spreadsheets, Kanban, Paint a code editor and file drive. All content is encrypted by default and can be accessed with specific URL. CryptPad is entirely web-based ans works in any browser, desktop and mobile. You can use their web service, or you can host your own instance.
### LibreOffice
![LibreOffice logo](/images/libreoffice.png "LibreOffice logo")
[LibreOffice](https://libreoffice.org/) is a free and open-source office suite with extensive functionality.
### Send
![Send logo](/images/send.png "Send logo")
[Send](https://github.com/timvisee/send#readme) is a fork of Mozilla's Firefox Send that Mozilla discontinued. It's actively maintained. Self-host or public [instances](https://github.com/timvisee/send-instances?tab=readme-ov-file#instances) including the maintainer [own public instance](https://send.vis.ee/).
### PrivateBin
![PrivateBin logo](/images/privatebin.png "PrivateBin logo")
[Privatebin](https://privatebin.info/) self-hosted and [public instances](https://privatebin.info/directory) is minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.
## Real-Time Communication
### Signal (centralized)
![Signal logo](/images/signal.png "Signal logo")
[Signal](https://signal.org/) has developed what's become the [Gold Standard](http://en.wikipedia.org/wiki/Signal_Protocol) in message encryption. Developed by Signal Messenger LLC. The app provides instant messaging and calls secured with the Signal Protocol, an extremely secure encryption protocol which supports forward secrecy and post-compromise security.
> Warning: requires a phone number for registration
### Element/Matrix (decentralized)
![Element logo](/images/element.png "Element logo")
[Element](https://element.io/) is the reference [client](https://matrix.org/ecosystem/clients) for the [Matrix](https://matrix.org/ecosystem/clients) protocol, an [open standard](https://spec.matrix.org/latest) for secure decentralized real-time communication.
Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
> **Warning**: No PFS (Perfect Forward Secrecy) and metadata-chatty
---
Sources:
- [Framasoft](https://framasoft.org/en/) - a 23yo French Non-Profit Association fighting against [surveillance capitalism](https://en.wikipedia.org/wiki/Surveillance_capitalism) and promoting the use of Free Software
- [Catalogue des logiciels libres](https://code.gouv.fr/sill/list) - Socle Interministériel des Logiciels Libres (SIIL), Recommended Free Software for French public agencies
- [Awesome Privacy List](https://github.com/pluja/awesome-privacy) by Pluja - Github (11.8k stars)
- [Awesome Privacy List ](https://github.com/lissy93/awesome-privacy) by by Lissy93 - Github (5.9k stars)
- [Awesome Privacy List](https://github.com/nikitavoloboev/privacy-respecting) by Nikita Voloboev - Github (1.9k stars)
- [De-Google-ify Internet](https://degooglisons-internet.org/en/) - Framasoft (multilingual)
- [The guide to restoring your online privacy](https://www.privacyguides.org/en/) - Privacyguides (multilingual)
- [Manuel du parfait petit crypto-anarchiste (1/3)](https://blog.imirhil.fr/2013/09/01/manuel-du-parfait-petit-crypto-anarchiste-1.html) - [@aeris](https://imirhil.fr/)
- [Manuel du parfait petit crypto-anarchiste (2/3)](https://blog.imirhil.fr/2013/09/02/manuel-du-parfait-petit-crypto-anarchiste-2.html) - [@aeris](https://imirhil.fr/)
- [Manuel du parfait petit crypto-anarchiste (3/3)](https://blog.imirhil.fr/2013/09/06/manuel-du-parfait-petit-crypto-anarchiste-3.html) - [@aeris](https://imirhil.fr/)
- [Recommended apps for Android](https://divestos.org/pages/recommended_apps) - DivestOS
- [Instant Messenger Comparison Table](https://divestos.org/pages/messengers) - DivestOS
- [Mobile Browser Comparison Table](https://divestos.org/pages/browsers) - DivestOS
- [Ethical Alternatives & Resources](https://ethical.net/resources/) - Ethical Networks
- [Privacy](https://www.eff.org/issues/privacy) and [Tools](https://www.eff.org/pages/tools) - the Electronic Frontier Foundation
- [Surveillance Self-Defense](https://ssd.eff.org/) Tips, Tools and How-Tos for Safer Online Communications - a project of the Electronic Frontier Foundation
- [Ethical, easy-to-use and privacy-conscious alternatives to well-known software](https://switching.software/) - switching.software
- [How to configure Firefox to enhance security and privacy](https://wiki.archlinux.org/title/Firefox/Privacy) - Arch Linux Wiki
- [Arkenfox user.js for Firefox](https://github.com/arkenfox/user.js/releases) (releases) - Arkenfox `user.js` is a template which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage.
- [The Secrets of Surveillance Capitalism](https://www.faz.net/aktuell/feuilleton/debatten/the-digital-debate/shoshana-zuboff-secrets-of-surveillance-capitalism-14103616.html) - "Governmental control is nothing compared to what Google is up to. The company is creating a wholly new genus of capitalism, a systemic coherent new logic of accumulation we should call surveillance capitalism" -- Shoshana Zuboff
- [Edward Snowden](https://en.wikipedia.org/wiki/Edward_Snowden) on [Substack](https://edwardsnowden.substack.com/)
- [Bruce Schneier](https://www.schneier.com/), cryptographer, computer security professional and privacy specialist
- Thaddeus E. Grugq on [Medium](https://medium.com/@thegrugq), [Substack](https://grugq.substack.com), [Fediverse](https://infosec.exchange/@thegrugq)
[^1]: [Privacy Tools](https://www.privacyguides.org/en/tools/) recommendations by privacyguides.org
[^2]: A threat model is a list of the most probable threats to your security and privacy endeavors [PrivacyGuides](https://www.privacyguides.org/en/basics/threat-modeling/)
[^3]: The US [National Security Agency](https://en.wikipedia.org/wiki/National_Security_Agency)
[^4]: [End-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) - Wikipedia