Privacy – A curated list of services and alternatives that respect privacy (github.com/pluja)
199 points by sharjeelsayed 8 months ago | 51 comments

Why do they add that warning in bold about NewPipe sharing your IP with YouTube but don't add it for the other clients? That's an obvious thing, any YouTube client you use will share your IP with YouTube unless you are hiding behind a proxy or VPN, that's how the internet works.

RedReader for reddit is missing, though it is a bit obscure but the programmers are privacy conscious and the client doesn't include any kind of telemetry as far as I know.

Invidious (unless you self-host) is essentially a proxy for YouTube. Looking at its description, Yotter is the same.

(I use Invidious mainly because it doesn't have the insane JS bloat of the official site.)

> Invidious

And it skips ads, and if you are playing music on your mobile devices it allows you to turn off the screen and still play music. Invidious and YouTube are both a very good side-by-side comparison on what a video sharing site ought to be if it's built for the user, vs. built to extract information from the user.

That makes sense for those but they should add the same warning for Fritter and the reddit apps. Consistency is important with these things otherwise they end up making some things look worse than others when they are the same.

RedReader is my favorite

I would recommend adding as a preamble a bit more on the specifics you care about. Reading through it seems like general analytics trackers are something you're trying to avoid, in addition to avoiding a few companies in particular. Spelling those out may help folks understand what drives your recommendations and conclusions here.

Otherwise in-section descriptions are great. Thanks for compiling.

Why don't they host on an alternative to GitHub?

Ah yes, replace photoshop with gimp, why has nobody thought of that before?

I get where you're coming from. The problem with a lot of alternatives is that they're just worse. Analytics alternatives are a prime example. I'd very much like to self-host my analytics but the alternatives pale in comparison to the features offered by Google Analytics. Automated bot filtering, realtime statistics (how many people are on the site right now), not to mention the power user features and integration with Adwords and Search Console. Maybe one day this will change but for now, especially if you're in the ecommerce space, you don't want to go with a worse alternative to such a critical aspect of your business.

My biggest issue with GA at this point is only that so many visitors block it. That's the biggest reason why I'd want a self-hosted solution. At some point, even with all of its great features, GA will simply become useless.

My point is “use Gimp” is basically an undead meme at this point, I’ve read some version of that recommendation since the 90s.

Also Adobe marketing cloud is some seriously sinister shit, photoshop isn’t the issue with that company.

Can you elaborate about Adobe marketing cloud a bit?

They target ads based on health conditions for starters [0], and I've seen them doing some pretty exotic stuff with using first-party cookies as shared identifiers between tracking networks.

[0] https://www.adobe.com/content/dam/acom/en/privacy/pdfs/Adobe...

Thanks, I didn't know about the health condition stuff.

here's my favorite: https://swoop.com

I mean, I’ve replaced Photoshop with Krita for my personal use. It’s not like everyone who pays for Photoshop actually needs all of the professional features that sets it apart from FOSS alternatives.

English Language search engines and relationships with search services here: https://www.searchenginemap.com/ The other two international search engines are Baidu and Sogou.

All other search "engines" are search services sending data to, and getting back results and ads from the search engines (usually Bing).

Only Mojeek offers privacy (no-tracking). https://blog.mojeek.com/2021/05/no-tracking-search-how-does-...

Self-disclosure: Mojeek team member

Great list! Always looking for new tools to use. PrivacyTool.io and ThinkPrivacy.ch are great, but it helps to have something else to compare against.

Some quick notes on the actual list:

- Should add Startpage - private search engine that gives Google results.
- It doesn't explain why products are to be avoided, just lists them. A few have explanations, but not all.

Startpage.com was bought by an adtech company. Of course they say they don't use any data from Startpage.com but ...

Startpage person, here. Startpage doesn't collect user personal data so it wouldn't share it because it doesn't have it.

From Robert Beens (co-founder and CEO): "In no way does System1 want to change the privacy practices or process by Startpage, in fact, they legally cannot as all of those decisions are held by the co-founders of Startpage."


"System1 is interested in Startpage's ad revenue, not its data"

Source - https://www.computing.co.uk/news/4017337/privacy-focused-sea...

They are until they aren't. I deem it not trustworthy for the simple reason that I can't be bothered to look out for any changes down the line.

Startpage should have an option to disable sending the large proxy URLs. These make the Startpage SERP very large (relative to other search engines), especially for anyone who does not need them. Plus Startpage limits to 20 results at a time and requires sending a cookie just to change this basic setting. (Why a cookie. This is supposed to be a privacy focused website. Why not accept the settings as parameters in the URL or request body.) Finally, Startpage is somewhat quick to block an IP if the user is doing a number of searches in succession. Even if it is a viable privacy solution, IMO Startpage has unnecessarily become too slow and cumbersome to compete.

That should be PrivacyTools.io

I'm new to this. Why is Safari not listed as an iOS browser that respects privacy? Is it that it lets 1st party cookies exist? The browser itself, I thought, was not used for any data harvesting or the like, right? Also ITP?

Do you remember the outcry some time back against Google when they wanted to limit add-ons in a way that would make adblockers less effective? Well, Apple did that too but Apple doesn't receive as much flak. This caused some add-on developers to shut down their add-on development for iOS while others just warn that their add-ons are now crippled. That alone makes it not a recommendable browser for privacy.



I’m curious why Dropbox is on the not recommended list here.

Dropbox, at least at one point in time, did their de-duplication based on simple hashing, ACROSS accounts. It does look like they stopped that practice, but it caused quite a stir at the time.

So if you uploaded an Ubuntu ISO and so did I, they were simply linked. This may have been disabled.

They specifically advertised stuff like this wasn't being done, but turns out it was "mis-communicated". FTC complaints were even filed, I believe, over this. [1]

The Snowden leaks revealed the encryption they used allowed Dropbox to decrypt and surrender files to third parties. Though this was widely known and the workaround had long been to encrypt a container and store it in Dropbox to mitigate this and the de-duplication issues etc.

They also have a tendency to strip/remove files/code they deem malicious in nature. So anything netsec related was at risk for me. Things like shell scripts etc. They actually say this is a feature, but it's pretty heavy-handed.

Not sure if that is the current behavior because due to these things I ditched them years ago and never looked back. I mostly roll my own with things like this now anyway. The only time I use a "cloud" service like this is to share something with the understood privacy risks.


None of the points seem all that bad to me, though I can see that their security mechanisms could cause issues if you're doing netsec. For instance, what is wrong with de-duplicating files on the backend provided they use a strong enough hash algorithm to avoid hash collisions?

If it's only on the backend, a timing attack could still potentially estimate whether particular content is already on the system. Protection against subtle timing attacks on deduplication is difficult.
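Added example (not part of any comment in this thread, and not Dropbox's code): a toy model of the de-duplication discussed above, showing why a content hash shared across accounts makes one user's upload cost depend on another user's files, and how scoping the dedup key to the account removes that signal. The class names, the per-account secret and the "bytes written" return value, which stands in for observable upload time or traffic, are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class GlobalDedupStore:
    """Cross-account dedup: one blob per SHA-256 digest, shared by everyone."""

    def __init__(self):
        self.blobs = {}

    def put(self, account, data):
        digest = hashlib.sha256(data).hexdigest()
        is_new = digest not in self.blobs
        if is_new:
            self.blobs[digest] = data
        # Bytes actually written: a stand-in for the time/traffic a client can observe.
        return len(data) if is_new else 0


class PerAccountDedupStore:
    """Dedup scoped to one account: the blob key is HMAC(account_secret, data)."""

    def __init__(self):
        self.blobs = {}
        self.secrets = {}  # hypothetical per-account secret, generated on first use

    def put(self, account, data):
        secret = self.secrets.setdefault(account, os.urandom(32))
        tag = hmac.new(secret, data, hashlib.sha256).hexdigest()
        is_new = (account, tag) not in self.blobs
        if is_new:
            self.blobs[(account, tag)] = data
        return len(data) if is_new else 0


def second_uploader_cost(store, data):
    """Alice stores data first; return the work done for Bob's later upload of the same bytes."""
    store.put("alice", data)
    return store.put("bob", data)


SAMPLE = b"constructed sample file contents" * 64  # constructed input, not real data

if __name__ == "__main__":
    print("global dedup, Bob's cost:", second_uploader_cost(GlobalDedupStore(), SAMPLE))
    print("per-account dedup, Bob's cost:", second_uploader_cost(PerAccountDedupStore(), SAMPLE))
```

The per-account variant gives up the cross-user storage savings; that is the cost of closing the existence signal.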

I used to have a mountable VeraCrypt file system image in my Dropbox to mitigate just these types of things. That was when Dropbox first started. I now have no need for Dropbox at all so no longer have an account. These days there are also lots of FOSS alternatives too.

Dropbox isn't private. Lacking e2e encryption, everything you store on Dropbox is available to Dropbox staff as well as anyone who can coerce them.

Probably similar reason to why Google/Microsoft/Apple cloud aren't on there either: You should not expect these companies to respect your privacy with regards to everything you upload to their servers.

Very useful list, and well organized. I’ll be sharing this with family, friends, and coworkers. The payment section seems a bit thin, since it offers up only cash (as in paper money) and Monero as options. Are there no centralized providers that respect privacy by simply operating in certain countries?

It would also be interesting to have this entire list ranked or tagged for resistance to censorship or deplatforming.

I would add Apache Guacamole[1] to Remote Access and Control section. Nice thing about Guacamole is that a web browser can be the client, so you don't need to install anything on the client side most of the time.

And it's a bit sad that BSDs don't get a mention in the OS section..

[1]: https://guacamole.apache.org

I am just curious because I do photography as a hobby/semi-pro and I don't understand where using Adobe Photoshop/Illustrator/Lightroom is infringing on your privacy (PC/Mac). I also use VSCO plugins for Lightroom at times (I mainly switched to Capture 1 Pro though) and I'm unsure why I should avoid them.

AFAIK you can export from Google Authenticator. May be a relatively new feature though.


It is a relatively new feature. You couldn’t for years and now you can.

I am very much wondering why it is that if i go on a public instance of invidious all videos shown are from my personal preferences... shouldn't this be random?

Seems like YT is reading cookies or mapping the IP anyways...

Nice list! Most alternatives I use, found a couple which I didn't know

I'm looking for a privacy focused smart scale. Ideally one where my data don't leave my phone. Any idea whether that exists?

Put any decent pressure sensor hooked to an esp32 running esphome firmware under a board reporting to home assistant.

Anyone who uses OpenStreetMap in a city, how hard is it to give up the traffic aware features of Apple / Google Maps?

You could give https://www.magicearth.com/ a try; OpenStreetMaps routing with (unspecified source) traffic information. I only ever use it abroad on vacation (with a rented RV) though, as I’m car-less, so your mileage may vary…

Some more info on the OSM Wiki: https://wiki.openstreetmap.org/wiki/Magic_Earth

> Search Engines

As usual, https://yacy.net is not on the list.

How come Adobe products are on this list?

Been squeezing my brain to understand the same thing hence my previous post, I would assume the mobile versions may infringe on privacy (or Creative Cloud if you actually use it - I personally don't).

Unfortunately since it's so high up the list of don't this whole list reads more like "use these FOSS thingies instead of xyz corporate things", disregarding the Adobe Suite is so good when concerning workflow and it shouldn't really infringe on your privacy since it's not really doing a lot of talking (unless you use their cloud storage thingie which I can't fathom a reason for).

"Don't use MS Windows"

I still use Windows for games, and coding for fun.

Ouch... :)

So how fast is Whoogle?

Update: Just deployed an instance using the Docker container. Initial impression - pretty good. Speed and experience in between Google and DuckDuckGo. Probably gonna switch to it for real.

However, I think it is possible to eke out a bit more performance by optimizing the architecture and using some more performant language than Python.

Trying to get my head around whoogle. Won't a "proxy" for google that only has access from a single person, just build a profile for that person from that whoogle install?

Yeah, I have been wondering the same. IMO the project needs a FAQ entry about this.
