21 KiB
title | date | draft | tags | author | hidemeta | ShowReadingTime | ShowPostNavLinks | showtoc | cover | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
My Privacy Tools | 2024-04-16T14:12:00+02:00 | false |
|
Olivier Falcoz | false | true | true | false |
|
Image credit: "Lets leave planet GAFAM NATU BATX" by David Revoy for Framasoft − CC-BY 4.0
Why Privacy & Security Matter
Others wrote it much earlier and much better than I could:
Parce que vous vous foutez de vos libertés, ce sont les miennes qui disparaissent -- @aeris, 2014.
Everything Is Broken -- Quinn Norton, 2014. Available in French.
Most of us have nothing to hide but we all have something to lose -- Tommy Collison, 2014.
I need privacy, not because my actions are questionable, but because your judgement and intentions are -- u/starrywisdomofficial (alledgelly)
Too many wrongly characterize the debate as “security versus privacy.” The real choice is liberty versus control. -- Bruce Schneier, The Eternal Value of Privacy, 2006.
Why Privacy Matters Even if You Have ‘Nothing to Hide’ -- Daniel J. Solove, 2011.
Looking at the materials described above, there are three things we should try to protect at all costs:
- The data security itself. You don't want your data falling into the wrong hands;
- The trust in the network. You want to be sure you're talking to the right person;
- The confidentiality of exchanges. You don't want everyone to know who you've been talking to.
Funnily enough, the US has an anagram, for this (NSA1 was already taken): C.I.A. which stand for Confidentiality, Integrity and Availability of data.
Software I use
My privacy-focused tools are chosen primarily on the basis of security features, with an additional emphasis on decentralised and open source tools. They are applicable to a variety of threat models, from protecting against global mass surveillance programmes to avoiding big tech companies to mitigating attacks, but only you can determine what works best for your needs2. Balancing security, privacy and usability is one of the first and most difficult tasks we face on our privacy journey. Security, in particular, is a process rather than a product, and there is a trade-off: the more secure something is, the more restrictive or inconvenient it usually is. I suggest you familiarise yourself with the concept of threat modeling3 before making your own decisions.
- What do I want to protect?
- Who do I want to protect it from?
- How likely is it that I will need to protect it?
- How bad are the consequences if I fail?
- How much trouble am I willing to go through to try to prevent potential consequences?
Once you've completed this assessment, you're free to choose the software that seems most appropriate for your specific use case.
Mobile Web Browsers
See a Browser Comparison Table by DivestOS to understand the key differences between all the mobile browsers available for Android.
Mull for Android
Mull is a Gecko based privacy hardened fork of Firefox developed by DivestOS, with proprietary blobs removed. It enables many features upstreamed by the Tor uplift project using preferences from the arkenfox user.js
project.
Warning
: Firefox-based browsers on Android lack per-site process isolation.
Cromite for Android (Chromium based)
Cromite is a Chromium fork based on Bromite with built-in support for ad blocking and an eye for privacy.
Desktop Web Browsers
Firefox
Firefox, Open Source, independent browser. It requires some hardening and tweaking using preferences from the arkenfox user.js
project to achieve better privacy.
Tor Browser
Tor Browser defends against surveillance by preventing anyone monitoring a user's connection from knowing what websites they visit. Blocks trackers by isolating each website visited so that third-party trackers and ads can't follow. Resists fingerprinting by making all users look the same, making it difficult to be fingerprint users based on their browser and device information. Multi-layered encryption, the traffic is relayed and encrypted three times as it passes over the Tor network.
Web Browser Extension
I follow Arkenfox's position which recommends keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you stand out, and weaken site isolation. Therefore, I only use uBlock Origin.
uBlock Origin is an addon to Firefox (mobile) and Chrome/Chromium (desktop). It blocks ads, trackers and malware sites while conserving CPU and memory. Please read about what the addon does before installing, then choose one of the recommended modes to increase your privacy. If you don't understand what you're doing you could end up compromising your privacy.
In addition to the various blocklists that come pre-installed with the addon, I specifically use the Seb Sauvage DNS Block List, which comes in various formats:
hosts format (0.0.0.0 hostname)
https://sebsauvage.net/hosts/hosts for Android and computers. This hosts file can be used as is in Windows, Linux, MaOSX and in personalDNSFilterr and DNS66 on Android.AdGuard/uBlock-Origin format (||hostname^)
https://sebsauvage.net/hosts/hosts-adguard , for Android and computers. This list can be used in AdGuard Android and uBlock Origin.
Email Services
The two providers I have been long using - Mailfence since 2016 - support PGP/GnuPG and 2FA, custom domain names and aliases, are privacy-friendly. See Key disclosure laws for Belgium and Germany, also known as mandatory key disclosure, is legislation that requires individuals to surrender cryptographic keys to law enforcement.
Mailfence
Mailfence is an email services based in Belgium
About // Privacy policy // Transparency report
Mailbox
Mailbox.org is based in Germany
About // Privacy policy // Transparency report
Email Clients
Thunderbird
Thunderbird is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Matrix) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
GNOME Evolution
Evolution is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive documentation to help you get started.
Fairemail (Android)
Fairemail is a fully-featured and easy mail client for Android, open-source email app, using open standards (IMAP, SMTP, OpenPGP). Supports unlimited accounts and email addresses with the option for a unified inbox. Clean user interface, with a dark mode option, it is also very lightweight and consumes minimal data usage
Encryption Tools
GnuPG/OpenPGP
Tools for signing, verifying, encrypting and decrypting text and files using GnuPG standard
GNU Privacy Guard (GnuPG) is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF specification of OpenPGP. The GnuPG project has been working on an updated draft in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major funding from the German government.
OpenKeychain (Android)
OpenKeychain is one of the very few an Android implementation of GnuPG/OpenPGP. It works flawlessly with mail clients such as K-9 Mail and FairEmail in providing encryption support.
Veracrypt
Veracrypt is a free open source disk encryption software for Windows, macOS and Linux. You can use it to either encrypt a specific file or directory, or an entire disk or partition. VeraCrypt is incredibly feature-rich, with comprehensive encryption options, yet the GUI makes it easy to use. It has a CLI version, and a portable edition. VeraCrypt is the successor of (the now deprecated) TrueCrypt
LUKS
Linux Unified Key Setup (LUKS) is the default full disk encryption in Linux using dm-crypt
. Securing a root file system is where dm-crypt
excels, feature and performance-wise. Unlike selectively encrypting non-root file systems, an encrypted root file system can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as mlocate
and /var/log/
. Furthermore, an encrypted root file system makes tampering with the system far more difficult, as everything except the boot loader and (usually) the kernel is encrypted. I use LVM on LUKS with Arch Linux.
Password Management
KeypassXC
KeepassXC is a hardened, secure and offline password manager. Does not have cloud-sync baked in, deemed to be gold standard for secure password managers.
KeypassDX (Android)
KeepassDX is the Android client.
Search Engines
Startpage
Startpage is a private search engine. One of Startpage's unique features is the anonymous view, which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding some network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity.
Warning
: Startpage's majority shareholder is System1 who is an adtech company although they have a distinctly separate privacy policy.
SearchXNG
SearXNG is a metasearch engine that aggregates the results of other search engines while not storing any information itself. You can either self-host or use any of the multiple public instances of SearXNG.
I use searx.envs.net.
VPN Service
Mullvad is a Swedish based VPN provider that retains no logs, and uses a mostly open source and transparent infrastructure available to the public. Mullvad is one of the best for privacy, they have a totally anonymous sign up process, you don't need to provide any details at all, you can choose to pay anonymously too with Monero, BTC or cash.
Collaborative Tools
Nextcloud
Nextcloud is is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. It's a feature-rich productivity platform, that can be used to backup and selectively sync encrypted files and folders between 1 or more clients. A key benefit the wide range of plug-ins in the NextCloud App Store, maintained by the community.
Cryptpad
Cryptpad is a zero knowledge cloud productivity suite, alternative to popular office tools. All content is end-to-end encrypted (E2EE)4 and can be shared with other users easily. Provides Rich Text, Presentations, Spreadsheets, Kanban, Paint a code editor and file drive. All content is encrypted by default and can be accessed with specific URL. CryptPad is entirely web-based ans works in any browser, desktop and mobile. You can use their web service, or you can host your own instance.
LibreOffice
LibreOffice is a free and open-source office suite with extensive functionality.
Send
Send is a fork of Mozilla's Firefox Send that Mozilla discontinued. It's actively maintained. Self-host or public instances including the maintainer own public instance.
PrivateBin
Privatebin self-hosted and public instances is minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.
Real-Time Communication
Signal (centralized)
Signal has developed what's become the Gold Standard in message encryption. Developed by Signal Messenger LLC. The app provides instant messaging and calls secured with the Signal Protocol, an extremely secure encryption protocol which supports forward secrecy and post-compromise security.
Warning: requires a phone number for registration
Element/Matrix (decentralized)
Element is the reference client for the Matrix protocol, an open standard for secure decentralized real-time communication.
Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls.
Warning
: No PFS (Perfect Forward Secrecy) and metadata-chatty
Sources:
- Framasoft - a 23yo French Non-Profit Association fighting against surveillance capitalism and promoting the use of Free Software
- Catalogue des logiciels libres - Socle Interministériel des Logiciels Libres (SIIL), Recommended Free Software for French public agencies
- Awesome Privacy List by Pluja - Github (11.8k stars)
- Awesome Privacy List by by Lissy93 - Github (5.9k stars)
- Awesome Privacy List by Nikita Voloboev - Github (1.9k stars)
- De-Google-ify Internet - Framasoft (multilingual)
- The guide to restoring your online privacy - Privacyguides (multilingual)
- Manuel du parfait petit crypto-anarchiste (1/3) - @aeris
- Manuel du parfait petit crypto-anarchiste (2/3) - @aeris
- Manuel du parfait petit crypto-anarchiste (3/3) - @aeris
- Recommended apps for Android - DivestOS
- Instant Messenger Comparison Table - DivestOS
- Mobile Browser Comparison Table - DivestOS
- Ethical Alternatives & Resources - Ethical Networks
- Privacy and Tools - the Electronic Frontier Foundation
- Surveillance Self-Defense Tips, Tools and How-Tos for Safer Online Communications - a project of the Electronic Frontier Foundation
- Ethical, easy-to-use and privacy-conscious alternatives to well-known software - switching.software
- How to configure Firefox to enhance security and privacy - Arch Linux Wiki
- Arkenfox user.js for Firefox (releases) - Arkenfox
user.js
is a template which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage. - The Secrets of Surveillance Capitalism - "Governmental control is nothing compared to what Google is up to. The company is creating a wholly new genus of capitalism, a systemic coherent new logic of accumulation we should call surveillance capitalism" -- Shoshana Zuboff
- Edward Snowden on Substack
- Bruce Schneier, cryptographer, computer security professional and privacy specialist
- Thaddeus E. Grugq on Medium, Substack, Fediverse
-
The US National Security Agency ↩︎
-
Privacy Tools recommendations by privacyguides.org ↩︎
-
A threat model is a list of the most probable threats to your security and privacy endeavors PrivacyGuides ↩︎
-
End-to-end encryption - Wikipedia ↩︎