
Privacy Tools – Encryption Against Global Mass Surveillance - selmat
https://www.privacytools.io/
======
jasode
_> All [vpn] providers listed here are outside the US, use encryption, accept
Bitcoin, support OpenVPN and have a no logging policy._

Yes but how does the average person _really know_ if those suggested foreign
VPNs are not CIA or other government coordinated honeypots?

In terms of cyberspace cat & mouse games, I think VPNs can be useful to evade
Netflix streaming restrictions to particular countries or to hide your DNS
queries from your ISP. You don't need a lot of trust in VPN entities to evade
_commercial businesses_.

However, using VPNs to evade _government surveillance_ is a whole different
ballgame. Because of the far reaching tentacles of government agencies,
there's no reliable method to determine which VPN to trust.

~~~
DyslexicAtheist
exactly. it just shifts the trust from your ISP to the VPN (who ironically
even has your credit card info in many cases ...).

even Verizon now peddles VPN services to take their slice of the privacy
snake-oil market [https://www.verizonwireless.com/biz/security/wireless-
privat...](https://www.verizonwireless.com/biz/security/wireless-private-
network-vpn/)

~~~
reshie
many accept bitcoin.

as you say though it all comes to trust.

~~~
IggleSniggle
Bitcoin is not private. It is, in fact, a PUBLIC LEDGER, and at some point,
most folks want to either convert to or from bitcoin to a government backed
currency. Sure, you could argue that the transaction could be laundered, but
no more than any other transaction could be laundered, so then you need to
compare whether it is more or less private than other transactions internally.

I’m not a bitcoin person, but I still don’t understand why people think of
bitcoin as more private than other transactional systems when the whole
premise of bitcoin is a publicly shared ledger.

~~~
LMYahooTFY
"I’m not a bitcoin person, but I still don’t understand why people think of
bitcoin as more private than other transactional systems when the whole
premise of bitcoin is a publicly shared ledger."

You don't have to provide personally identifiable data to transact.

As far as I can tell, this is not achievable digitally with any traditional
currencies.

Yes it requires connectivity that might yield personally identifiable data,
just like every other method of connectivity via the internet.

~~~
freeflight
> As far as I can tell, this is not achievable digitally with any traditional
> currencies.

Paysafecard [0] does exactly that with traditional currencies.

I can buy those with cash, even at gas stations, and use them to pay online
without ever sharing my personal details with anybody.

[0] https://en.wikipedia.org/wiki/Paysafecard

~~~
chopin
That's no longer the case in Germany (don't know whether this is the case in
other EU countries though) where it requires a verified account with Paysafe
(PostIdent no less).

~~~
freeflight
That must be a rather recent change (1. January?) because the last Paysafecard
I used didn't require me to do anything like that, that was maybe 3-4 months
ago to pay for an online-hoster.

------
tptacek
_Why is it not recommended to choose a US-based service?_

This is extraordinarily, almost axiomatically bad advice. The USG has an NSL
process for obtaining information from US-based service providers. It has no
process whatsoever for obtaining it from foreign providers. _It can simply do
it_. We have the largest, best-funded signals intelligence agency in the
world, and literally the only place in the world you have any procedural,
legal defenses against them is here.

I'm not being normative. You don't have to like this state of affairs. But it
is the reality in which we live, and signing up with a European privacy
service won't keep your data out of the hands of US surveillance if they want
it.

I think jurisdiction is the wrong question. The most important question to be
asking about a service provider is "what information do they collect and retain
about me". Sometimes these comparisons are hard to make from the outside, but
other times you can make inferences just based on the features they offer and
the protocols they use.

~~~
chopin
NSL's obtain data legally, whereas other methods are illegal (at least in most
countries), and surely not well received when detected. In the latter case the
hole will be closed. For me legality matters as well.

~~~
pvg
Law enforcement agencies in Europe cooperate extensively and legally with US
ones. Just recently in the news -

https://www.dutchnews.nl/news/2019/01/the-netherlands-tapped-el-chapo-phones-for-fbi-due-to-relaxed-privacy-laws/

This is El Chapo getting burned by this exact bad advice, among other things.

------
mockingbirdy
Using privacy-related software makes it more likely that you'll get
specifically targeted for surveillance. [1]

Simply visiting this site makes it more likely. [2]

For anyone who fears state-level surveillance: Using a VPN or Tor and some
privacy plugins isn't enough. Don't assume that you're safe just because of
it. In fact, you make yourself identifiable if you rely on such plugins.

I won't go into details on how to be able to have privacy that can compete
with state-level surveillance, because you'll have to commit crimes to get it.
If you think that your government is watching you - don't trust these simple
instructions. It's way harder. Some people had to die because of this.

Many (authoritarian) governments don't let you use a VPN without putting you
on a watch list. If you try to keep a low profile, you need other measures.
False sense of security can be dangerous in some countries. I hope that those
who need this (a fraction of those who read it) keep themselves safe.

edit: I think they should clearly state that this tutorial isn't suited for
individuals who are in great danger w.r.t surveillance. It's for people who
are interested in privacy, not for people in life-or-death situations.

[1]: https://www.cnet.com/news/nsa-likely-targets-anybody-whos-tor-curious/

[2]: https://www.makeuseof.com/tag/interest-privacy-will-ensure-youre-targeted-nsa/

~~~
commandlinefan
> Using privacy-related software makes it more likely that you'll get
> specifically targeted for surveillance.

Which is a good reason for people who specifically don't have anything to hide
to start using them - if you're not signal, you can't help out by being noise.

------
mtgx
One of my favorite lines against "I have nothing to hide" is from national
security whistleblower, Edward Snowden:

 _“Arguing that you don't care about the right to privacy because you have
nothing to hide is no different than saying you don't care about free speech
because you have nothing to say.”_

https://www.goodreads.com/quotes/7308507-arguing-that-you-don-t-care-about-the-right-to-privacy

But ultimately, the idea that you want privacy because you have something
_bad_ to hide is a deeply flawed one, pushed by governments, maybe not
necessarily because they are "evil" and want to abuse that power (although
that certainly seems a factor to consider lately), but also because pretty
much the only times they do want to bypass privacy laws is when they deal with
criminals. So that gives them a very narrow view of the issue. When all you
have is a hammer, every problem looks like a nail.

Privacy is both about "keeping things to yourself" and not wanting others to
know everything there is to know about you for no good reason, as well as to
protect yourself against potential abuses (from governments, but also
criminals, unscrupulous companies, etc) that can't be predicted ahead of time.
There are thousands of potential uses for the data, like say using your data
to manipulate you with ads during elections, make you buy anti-depressants,
make you pay higher insurance, and so on.

~~~
yura
_"Privacy is both about "keeping things to yourself" and not wanting others
to know everything there is to know about you for no good reason, as well as
to protect yourself against potential abuses (from governments, but also
criminals, unscrupulous companies, etc) that can't be predicted ahead of
time."_

Yes. To put it succinctly: I may trust the current government to use this data
for (mostly) good, but I don't trust all future governments.

~~~
Bizarro
A "government" is a big abstract entity that is made up of people and
procedures. People come and go, and procedures/regulation are changed all the
time without direct legislative efforts.

You don't have the knowledge to know if you trust "that" government or
"another" government. The best solution for all is to always be suspicious of
concentrated power... especially power that involves state-sanctioned violence
against you.

------
chin123
Prism Break is also worth a look: https://prism-break.org/en/

I like that it has OS-specific recommendations.

~~~
xvector
One of the most frustrating things about this website is that it doesn't
provide a reason for their "avoids." Why should I use KeePass over 1Password?
Why should I use Mumble over FaceTime?

It wouldn't be that hard to provide a sentence-long justification for their
avoids in addition to their recommendations.

~~~
EduardoBautista
The _only_ reason is because they are closed source.

------
ptero
This is a great overview and a list of useful tools and technologies. Kudos to
the author!

However, I am afraid that using those tools to protect your own privacy is at
best a temporary band-aid as long as the current trend of accepting more and
more backdoors into our personal lives persists.

To change this a significant portion of people need to see the government not
as the main savior from terrorism (poverty, disease, crime, etc.) but as a big
bureaucracy where a lot of clerks care more about their paycheck than the end
results of their day's work (which is fine). And a large portion of public
servants who do care, care more about their career, power and perception than
about people who chose them to govern (which is bad).

This view change, if it ever happens, should force government to justify their
actions and pay more attention to real issues (poverty, crime, disease,
terrorism) and less to scare tactics. A used car salesman can provide a useful
service -- knowing that a customer suspects him to be a swindler forces him
into a partial honesty. That said, I am not optimistic that this view change
will happen soon.

~~~
ignoramous
You'd find that a single Firefox addon, uMatrix, itself takes you a long way as far
as privacy is concerned (and breaks websites, too, unfortunately). You need to
start somewhere.

------
holri
Isn't it bizarre that a privacy tools website uses Google Maps instead of
Openstreetmap?

~~~
jesterson
Yeah, good point actually

------
yange
Many file formats record creation timestamps: image, document, video, audio,
executable, archive formats, and so on. If you create files in these formats
and send them to others, they would at least know when you created the file.
Sometimes they even include timezone info, so they can even know something
about your geolocation. This applies to network protocols, application
communications, database records and so on. Even Git will record your
timestamp and timezone info for every commit, and it's very difficult to
completely change or remove this info.

You might think it's a trivial thing, but it actually tells a lot about you.
If someone can trace your activities through time, it's essentially a detailed
profile of you, and they can learn how you live and work. Sometimes it can
even be used to de-anonymize you by cross referencing with your "real" online
identity.

In general it's impractical for users to fully understand what kinds of
metadata are included in each file format or sent by each application. EXIF
data is often included in image files generated by cameras or image editing
software. The full file path to a source code file may be included in the
executable you compiled, and it may leak your personal information. Your
operating system may send regular health reports to its vendor. A proxy
service may append your real IP address in HTTP headers. Even some encrypted
services don't encrypt or sign everything. For example, 1Password in the past
didn't encrypt the URLs of your saved login sites. TLS 1.2 doesn't sign the
cipher suites. TLS 1.3 doesn't encrypt the client certificate.

Most of these programs and protocols were not designed with privacy as a
primary concern. Even when they were, there is info that they decided was okay
to leak. However, it should be up to the users to decide whether the design
decisions were reasonable for their own use case. Even though many of these
metadata leaks seem like targeted surveillance, they are actually scalable and
can be adapted to mass surveillance.
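As an added example (not from the thread and not from the privacytools.io site), here is how the EXIF timestamp yange mentions actually sits inside a JPEG, and how little code it takes to find it or strip it. The block walks the JPEG marker segments, follows IFD0 to the Exif sub-IFD, pulls the ASCII DateTime* tags, and drops every APP1..APP15 and COM segment while copying the scan data byte-for-byte. The sample JPEG bytes are constructed inline (a valid marker structure, not a decodable picture); the stripping policy (keep APP0/JFIF, drop the rest) is my own choice. Standard library only.

```python
"""Added example, not from the thread or the privacytools.io site: walk a
JPEG's marker segments, read the EXIF DateTime tags out of the APP1 segment,
and strip every APP1..APP15 and COM segment. Standard library only."""
import struct

# Markers with no length field: SOI, TEM, RSTn, EOI.
_STANDALONE = {0xD8, 0x01, 0xD9} | set(range(0xD0, 0xD8))
# EXIF ASCII tags that carry timestamps (tag ids from the EXIF 2.x spec).
DATETIME_TAGS = {0x0132: "DateTime", 0x9003: "DateTimeOriginal",
                 0x9004: "DateTimeDigitized"}
EXIF_IFD_POINTER = 0x8769


def iter_segments(data: bytes):
    """Yield (marker, payload, start, end) for each segment up to and
    including SOS; everything after SOS is entropy-coded scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in _STANDALONE:
            yield marker, b"", pos, pos + 2
            if marker == 0xD9:
                return
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        if marker == 0xDA:
            return
        pos = end


def parse_exif_datetimes(app1: bytes) -> dict:
    """Follow IFD0 and the Exif sub-IFD inside an 'Exif\\0\\0' APP1 payload and
    return the ASCII DateTime* tags found (both TIFF byte orders handled)."""
    if not app1.startswith(b"Exif\x00\x00"):
        return {}
    tiff = app1[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return {}
    found = {}
    pending = [struct.unpack(endian + "I", tiff[4:8])[0]]   # offset of IFD0
    while pending:
        off = pending.pop()
        (count,) = struct.unpack(endian + "H", tiff[off:off + 2])
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
            if tag == EXIF_IFD_POINTER:
                pending.append(val)
            elif tag in DATETIME_TAGS and typ == 2:          # type 2 = ASCII
                # Values longer than 4 bytes live at 'val'; shorter ones inline.
                raw = tiff[val:val + n] if n > 4 else tiff[e + 8:e + 8 + n]
                found[DATETIME_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii")
    return found


def exif_datetimes(jpeg: bytes) -> dict:
    out = {}
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker == 0xE1:
            out.update(parse_exif_datetimes(payload))
    return out


def strip_metadata(jpeg: bytes) -> bytes:
    """Drop APP1..APP15 (Exif, XMP, ICC, Photoshop) and COM; keep APP0/JFIF,
    tables, frame header and the scan data byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    for marker, _, start, end in iter_segments(jpeg):
        if marker == 0xD8 or 0xE1 <= marker <= 0xEF or marker == 0xFE:
            continue
        out += jpeg[start:end]
        if marker == 0xDA:
            out += jpeg[end:]            # scan data through EOI, untouched
    return bytes(out)


def _build_sample() -> bytes:
    """Constructed input: SOI, Exif APP1 (IFD0 -> Exif IFD -> DateTimeOriginal),
    a COM segment, a minimal SOS header, dummy scan bytes, EOI."""
    dt = b"2019:01:15 09:30:00\x00"                      # 20 bytes, EXIF format
    tiff = b"II*\x00" + struct.pack("<I", 8)              # little-endian, IFD0 at 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, 26) + b"\0\0\0\0"
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", 0x9003, 2, len(dt), 44) + b"\0\0\0\0"
    tiff += dt                                            # value lives at offset 44

    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    return (b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00" + tiff)
            + seg(0xFE, b"Shot on my phone") + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\x56" + b"\xff\xd9")


SAMPLE_JPEG = _build_sample()

if __name__ == "__main__":
    print("timestamps:", exif_datetimes(SAMPLE_JPEG))
    clean = strip_metadata(SAMPLE_JPEG)
    print("after strip:", exif_datetimes(clean), len(SAMPLE_JPEG), "->", len(clean), "bytes")
```

The walk stops at SOS because everything after it is entropy-coded scan data, which carries no metadata and has to be copied verbatim for the image to stay decodable. Tools such as exiftool or mat2 do the same job with far broader format coverage; this block shows what they are doing underneath, and why the timezone and timestamp leak yange describes is a few dozen bytes a recipient can read with no special tooling.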

------
walterbell
Brave (based on Chrome, minus Google tracking) includes optional Tor in
private tabs, anti-tracking and ad blocking. By making Tor accessible to all
users of Brave, it makes Tor users slightly less of an anomaly. Brave has also
added capacity to the Tor network.

~~~
Forbo
Brave users of Tor tabs have a different fingerprint than users of the normal
Tor browser. Having a larger anonymity set may be preferable for some people's
threat model.

~~~
walterbell
Alternately, being part of "people who don't download Tor browser" could be
useful in some scenarios.

~~~
jemas54
If you are among "did not download Tor browser" but are among "produces Tor
web traffic without downloading Tor browser" you are easier to identify than
if you were among "Downloaded Tor browser and produces Tor (web) traffic".

This would make you either more suspicious or your adversary (justifiably)
think you are an idiot.

------
skilled
I am impressed with the amount of detail this page has, wonderful job by the
author!

------
throw1984
https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/

------
ericcholis
A nice resource, but I think the links on the page should all open into a new
tab. Reading through and clicking a link takes me away from the page, I'd
rather that the links open in a new tab for later.

~~~
freeflight
Clicking a link with the middle mouse button opens it in a new tab, at least
on Chrome.

------
Maximus9000
Are those password managers listed really "better" than 1Password or lastpass?
If so, why? Shouldn't I want to pay money for my password manager?

~~~
iotku
>Are those password managers listed really "better" than onepass or lastpass?
If so, why?

The main point seems to be that they're either local or able to be self
hosted.

In theory online password manager service providers could be forced (or
otherwise compromised) to access a user's password database or interface to
said database.

Encryption could be potentially worse than the more commercial offering if
implemented wrong, but you can also restrict access better to local/self-
hosted databases.

>Shouldn't I want to pay money for my password manager?

Not if it's unnecessary to do so, and it also adds a paper trail relating your
account to your passwords etc should they be compromised.

Personally that's pretty far out of my threat model, but I still have my
password DB locally because I figure if someone compromises my computer
they'll get my passwords anyways (keyloggers, etc), but at least an online
service I have no control of won't get compromised and affect me.

Only real difficulty with local keepass databases is keeping them synced/up to
date on my devices.

~~~
xvector
> In theory online password manager service providers could be forced (or
> otherwise compromised) to access a user's password database or interface to
> said database.

Could they really, though? 1Password, for example, extensively details their
client-side encryption protocol. Unless they were forced to distribute a
compromised client, there's really no downside to using it.

~~~
iotku
>1Password, for example, extensively details their client-side encryption
protocol. Unless they were forced to distribute a compromised client

Not particularly familiar with the methods 1Password uses, but that is the
general theory.

It's pretty out there and you'd likely have to be in pretty deep for a
government (or some other attacker) to try and pull something like that
(especially just to hit you personally).

There's similar pie in the sky arguments for most software on your computer
that will auto update as well I suppose (Windows Update, Google Chrome,
whatever...).

I don't think it's a realistic concern for most people, but if your life (or
your freedom) depended on your password manager you'd want the least amount of
points of failure possible.
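The point iotku and xvector are circling is what a hosted provider actually holds. As an added example (not 1Password's or any other vendor's code, and not from the thread), the block below seals a vault client-side so that the only thing stored server-side is an opaque blob: the master password never leaves the client, a wrong password or a flipped byte is rejected before any decryption happens, and server_view() shows what an operator, or whoever compels it, receives. Everything is standard library: scrypt for key stretching, and for the cipher an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen only so the block runs without third-party packages. A real client would use AES-GCM or XChaCha20-Poly1305 from a vetted library. The work factor, the format header and the sample entries are assumptions.

```python
"""Added example, not from the thread or any vendor: a client-side-encrypted
password vault. The hosting provider stores only the blob returned by
seal_vault(); without the master password it is opaque, and any modification
fails the MAC check in open_vault(). Standard library only."""
import hashlib
import hmac
import json
import os
import struct

MAGIC = b"PWV1"                            # assumed format header for this demo
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed demo work factor (16 MiB)
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        dklen=64, **SCRYPT_PARAMS)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream; stand-in for a real stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, entries: dict) -> bytes:
    """Client side: returns header || ciphertext || tag. Only this leaves the device."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    header = MAGIC + salt + nonce
    # Encrypt-then-MAC over header and ciphertext, so the salt/nonce are covered too.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Client side: verify the tag before touching the ciphertext."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if blob[:len(MAGIC)] != MAGIC or len(blob) < hdr_len + TAG_LEN:
        raise ValueError("not a vault blob")
    header, ciphertext, tag = blob[:hdr_len], blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def vault_accepts(master_password: str, blob: bytes) -> bool:
    try:
        open_vault(master_password, blob)
        return True
    except ValueError:
        return False


def server_view(blob: bytes) -> dict:
    """Everything the hosting provider, or whoever compels it, can see."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    return {
        "format": blob[:len(MAGIC)].decode("ascii"),
        "salt": blob[len(MAGIC):len(MAGIC) + SALT_LEN].hex(),
        "nonce": blob[len(MAGIC) + SALT_LEN:hdr_len].hex(),
        "ciphertext_bytes": len(blob) - hdr_len - TAG_LEN,   # leaks only vault size
        "tag": blob[-TAG_LEN:].hex(),
    }


# Constructed sample data for the demo.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_ENTRIES = {"news.ycombinator.com": {"user": "throwaway", "pw": "hunter2!"}}
SAMPLE_BLOB = seal_vault(SAMPLE_PASSWORD, SAMPLE_ENTRIES)

if __name__ == "__main__":
    print("provider sees:", server_view(SAMPLE_BLOB))
    print("client opens:", open_vault(SAMPLE_PASSWORD, SAMPLE_BLOB))
    print("wrong password accepted?", vault_accepts("password1", SAMPLE_BLOB))
```

What this does not cover is exactly the caveat iotku raises: the blob is only as safe as the client that produces it. If the provider also ships the client (a browser extension, an auto-updating app), a coerced or compromised build can capture the master password before any of this runs, so the realistic comparison between hosted and local managers is about who controls the client and its update channel, not whether the stored vault is encrypted.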

------
bungie4
The only way to win the game is not to play.

