Curated List of Privacy Respecting Services and Software (github.com/nikitavoloboev)
105 points by nikivi on April 7, 2018 | 40 comments



> WhatsApp - WhatsApp feature means some encrypted messages could be read by third party.

> Alternatives:

> Signal - Uses Signal Protocol.

Pretty sure WhatsApp and Signal both use Signal's crypto for encryption, and both "suffer" from the same "design defect" / "usability improvement".

That said, I still think WhatsApp only encrypts text messages E2E, and doesn't bother for videos/photos/anything else, based on how efficiently it forwards videos compared to sending them for the first time (accounting for video conversion time), so I'd still put WhatsApp in the bad list, but not for that reason.

Being owned by Facebook is enough of a good reason in itself at this point too, mind.

EDIT: Just read through the full list. This is superb. Thank you for putting this together!

EDIT AGAIN: Just read through some of the comments, Iridium in particular is what got my attention as awesome, prior to learning that it's not been updated in 5 months, which is beyond dangerous given the number of security fixes that will have come out in that timeframe. Sad times :-(


I removed Iridium from the list. You are right, 5 months is too long for no updates in a browser.

Also I agree with you on WhatsApp. I mention now that it does use the Signal protocol. However, WhatsApp sends users' entire contact books to their servers, as well as logging all the metadata around messages, which is very revealing.


Sometime in the past year, a contact required that I sign up for WhatsApp. At least on Android mobile, I didn't find how one could complete the sign up without giving them access to one's Android/Google contact db.


"You are the product" seems a bit strong for Dropbox. Pretty sure Dropbox is the product and I pay for it.

Same goes for Siri AFAIK - I don't personally have any use for it, but it's a feature of the iPhone that you pay for and isn't ad/targeted ad supported.


You are right. I have changed it.


It's ironic how the term for non privacy respecting services is "You are the product", but the same is true for half the alternatives. Are you somehow not the product for DuckDuckGo? Are they operating as some sort of non-profit or charging a fee to use them?

Also, the last update for Iridium (one of your browser recommendations) was over 5 months ago. That's dangerously out of date for something as exposed as a web browser.

> - Windows - [Microsoft shares Windows 10 telemetry data with third parties](https://betanews.com/2016/11/24/microsoft-shares-windows-10-...).

In the citation:

> Update: Microsoft says that the deal with FireEye doesn't involve the sharing of telemetry data.

Maybe fully check through your sources next time?


> Are you somehow not the product for DuckDuckGo?

Of course I am, but I'm okay with a more honest business model: when I type the words "wallaby porn" into their website, they'll show me ads from people who have bid on those words. (I assume there is porn for that, because there is porn for everything. I don't really want to know.) When I later search for "crosscut saws," they'll show me ads for saws, and not try to "retarget" me with wallaby porn, or mountain bikes, or whatever else I once browsed. They won't become a world-bestriding colossus, but they can make an honest living showing ads next to search results. I remember a company that used to do that. Name started with a "G".


You are right. The fact that your personal data is not being used for advertisements does not mean that you are not the product still. Perhaps that phrasing is indeed too harsh for some of the services on the list.

I changed the link for Windows. When I saw this source, there was no `Update` clause. I don't use Windows myself so not sure what I should add there instead and what category I should move it to. From what I know, Windows shows you ads in the OS itself which I find absurd.


> Are you somehow not the product for DuckDuckGo? Are they operating as some sort of non-profit or charging a fee to use them?

https://www.quora.com/How-does-DuckDuckGo-make-money


They're still showing you advertisements. You (or your eyeballs) are still the product to advertisers. Not tracking you doesn't somehow negate that.


Standard Notes for private, encrypted notes :) (Alternative to Evernote I work on) https://standardnotes.org


Also TagSpaces, it is an interesting Evernote alternative.


Thanks! I'd love to switch off of Evernote.


Just discovered that earlier this week, very happy with it so far. Thanks for your work!


Needs an explanation of the vetting process or standards required for inclusion.


I agree. Currently each of the entries links to some 'proof' on why the service is either privacy respecting or privacy breaching.

But I am open to ideas on how to improve the list.


> I am open to ideas on how to improve the list.

You could start by making all of the entries link to some 'proof' on why the service is either privacy respecting or privacy breaching.


It's a good effort, but it is lacking in many places. For example OS does not list FreeBSD and many other alternatives that still exist on the market. And "Linux" is not an OS, it is a kernel (and you even refer to it as such) so you'd rather talk about distributions of Linux as full OS replacements (Ubuntu, Debian, OpenSUSE, Solus, etc...).

On top of that, some alternatives require significant efforts to set up and you should order them by technical level and resources required.

You should also include the license of each solution proposed.

Note that self hosted software is already compiled in a much more extensive list:

https://github.com/Kickball/awesome-selfhosted


But "Linux compatibility" describes the binary format and that's what I care about: Whether it's runnable on my Linux-based operating system.


I've been very happy with Wallabag as a Pocket / Instapaper replacement. Self-hostable, with an option to pay 9 EUR/year for a hosted version.


What about spam on non Gmail free accounts? Google might violate users privacy in multiple ways, but one thing they do well is fighting spam. I'd like to get rid of Gmail for a free service or a paid web+mail space to build one day a very small blog (suggestions?) at some trusted vendor, but I fear having to fiddle with spam like I had to do every day about 15 years ago, training my firewall antispam filters (ipcop IIRC) every single day to get in the end a decent detection ratio, though still not comparable with Google.


Don't use free email accounts. There are services you can get (e.g. mailbox.org) that are cheap, and have decent spam filtering.


I'm wondering about Signal. They also harvest the phone number at signup. A _very_ private piece of information I'm not very keen on sharing.


There's bad stuff like Telegram and the Tor browser bundle in the alternatives section. I feel that's somewhat misleading and possibly dangerous to someone not tech savvy enough to do his own vetting.

I like these kinds of lists, though, as sometimes I learn about things I didn't know existed.


What is wrong with Tor?? And Telegram? I don't know much about Telegram but am very surprised to hear Tor described as "bad stuff." And my (admittedly amateur) understanding was that Tor Browser Bundle was a perfectly good way to run Tor (though of course not as secure as running Tor on a separate secure OS).



Both of these links are about Tor. Do you have any of those about Telegram? I've been using it for 2 or 3 years now and I think it's great.

I will be so sad if it's as bad as WhatsApp in the privacy department :(


Telegram is using non encrypted chats by default and does not have e2e encryption for group chats which is just unacceptable in this day and age.


I don't get it...

From here https://telegram.org/faq#q-how-are-secret-chats-different

""" Q: Why not just make all chats ‘secret’? All Telegram messages are always securely encrypted. Messages in Secret Chats use client-client encryption, while Cloud Chats use client-server/server-client encryption and are stored encrypted in the Telegram Cloud (more here). This enables your cloud messages to be both secure and immediately accessible from any of your devices – even if you lose your device altogether. """

They claim that it's encrypted, but that uses a different kind of encryption.

Maybe this has changed recently?


The text is saying that only secret chats offer end-to-end encryption. With e2e encryption the message can only be read by the original sender and the receiver specified by the sender.

The quality of the text is btw very questionable and dubious as e2e encryption has nothing to do with where the message is stored. See email where your GPG-encrypted message is stored on a lot of systems on its way to reach its final destination. This text makes me distrust Telegram even more, thank you for sharing this!


Advising against using Tor is imho unrighteous. Your arguments are not sound, especially with OSes like Qubes and Tails around.

I am on your side regarding Telegram though and that's mainly because of using non encrypted chats by default and not having encryption for group chats which is just unacceptable in this day and age.


I don't advocate against Tor though, but against the Tor Browser.


The latest Tor Browser version is based on the latest FF ESR version. As your claims are therefore incorrect I am starting to ask myself if you have any political agenda to speak out against the Tor Browser.



What are your thoughts about macOS? I noticed it isn't listed in either "you are the product" or "alternatives".


I added it now to Alternatives, because of Apple's privacy stance (https://www.apple.com/lae/privacy/).


In that case, also consider adding iMessage to the Messengers section.



That seems to be linked on that site.


Here's an exhaustive list:

1. localhost (depending on your OS)



