If you are anything like most people, you have ended up on this site because you've realized your privacy is being violated by governments and big corporations and you've been trying to do something about it. To accomplish that, you've likely traversed recommendation lists like the E-mail report or the Web browser rankings and modified your choices according to them. But is this the right approach?
The first question we have to ask ourselves is what actually is privacy - or else we will fail in our quest to reach it. Simply, privacy is the default state of other people not knowing where you are, what you do or think. Though the violators are trying really hard to blur the lines - we're not born with tracking devices under our skins. In fact, our biology is designed with privacy in mind - we're individuals each with our own sets of brains, eyes and ears whose contents are not directly shared with anyone by default. Humans have an ingrained need for privacy:
Ralph Adolph and Daniel P. Kennedy, neurologists at the University of Caltech in the United States, discovered that there’s a structure in our brain which is responsible for telling us where the limits of our personal space lie. This structure is the amygdala, a small region associated with fear and the survival instinct.
This discovery reveals something essential. The brain measures the personal limits of each individual. It’s like a personal alarm which tells us when something or someone is bothering us. When something is invading our privacy or violating our integrity until it becomes a threat to our well-being.
It reminds us that one of our greatest sources of anxiety is witnessing how we feel more “crowded” every day in every way.
And so, the "nothing to hide" argument totally misses the mark, since privacy is the biologically necessitated default. This brings us to our next point:
As stated above, we lose it whenever our brain detects another person (or a group of people) invading our personal space. However, this only works for people - we've spent over 99% of our time on this Earth in the wild, and that is what our brains are tuned to. There are no computers in the jungle, after all. Civilization has allowed privacy violators to hide behind devices (such as CCTV cameras) and avoid triggering our biological intrusion detection system. Does all this have anything to do with the article title? Sure does:
Just as privacy in the wild would entail getting away from the people who got inside your personal space - digital privacy works similarly except the person is replaced by an electronic device. Though CCTV makes this easy to see, the gadget in question could very well be the computer you use every day, your credit card, printer or even the IoT fridge. We have become so accustomed to a life full of electronics that this simple point eludes us. There can be no privacy loss with a tech-free life. Which of course I'm not recommending - I only wanted to show the root of privacy issues. Clearly, the amount of data collected while avoiding all electronic devices would be zero - but then we'd lose all the advantages of those. How to balance this?
A privacy newbie usually comes in with the attitude of replacing his current violators with privacy-respecting versions. And of course, there are a bunch of providers who are happy to fulfill (or pretend to) that need. You heard your Google Chrome browser spies on you? Mozilla Firefox to the rescue (or not)! Gmail? ProtonMail. Google Maps? Hmm, we're not doing too swell here... Anyway, this same person in 30 years will be asking how to replace Google Parent, Google Cook, Google Home Designer, etc. Is this the right approach? We've established there can be no privacy violations without electronic invaders. Therefore, the way to take control of your privacy seems to be minimizing device usage. And so, the right question for a newbie to ask is not "how do I replace this service?" but "do I actually need it?"
Google Maps was invented in 2005. Amazon Alexa - in 2014. Siri - 2011. Smartphones - in the 2000s. And yet a lot of people today cannot imagine a life without those. But 20 years ago, we all did fine without them. What has changed? It's obvious technology modifies the way society works (for example, there's a higher requirement for cars or other transportation than a few decades ago), but many of those devices can be easily dumped today - and even the "required" ones can as well with more effort. It is the capitalist focus on shiny new gadgets and the slick marketing which keeps them alive; as well as people's increasing laziness. Real privacy, therefore, has to start with not being dependent upon the violators instead of trying to replace, modify or block them.
Now that we've cut off most of the violators, we can more thoroughly focus on managing the ones we do actually need - such as search engines, web browsers (though even this you can curb by avoiding bloated sites and downloading the ones you care about for offline reading) or communicators (hey, there's always carrier pigeons...). So let's end the privacy saga and learn how to choose privacy-respecting services so that you won't have to rely on recommendation lists anymore (which are prone to bribes, fanboyism, groupthink, low quality research, outdated information, etc):
Respecting privacy means having it as the priority, instead of an afterthought. But to check for that, you often have to dig up information from long ago - such as in the case of DuckDuckGo. Briefly, the owner ran a data collecting operation for a few years until selling it (to an unethical company) and inventing DDG. He then advertised it heavily as an alternative to Google, and it was of course much better - but eventually, he started including anti-user stuff such as tracking cookies, pixel tags and Cloudflare; as well as playing fast-and-loose with the definition of "personal data". As you can see, the spirit of his previous invention eventually started surfacing (and knowing the previous history would have allowed more cautious people to predict that).
You don't really need to follow a provider's every move to decide to avoid them - just a few pieces of history will usually suffice. Mozilla has for years been dependent upon the funds of a known violator, Google - do you think this is something a privacy-respecting company would be comfortable with? Then they started switching deals to other privacy-haters such as Yahoo. Or consider the saga about their horrible mistreatment of a long-time supporter - if they don't care about contributors, surely they won't care about the users either. Iridium Browser is another case of a seemingly private project that included Google SafeBrowsing in it by default, and tried to justify it. Even then, we could clearly see that privacy isn't something the devs truly took seriously - and they confirmed it later by enabling yet more spyware. One event where something else has been put over privacy is usually enough to become suspicious. Pretenders aside, can we find an opposite example? One that is actually focused on privacy as proven by their history? Sure:
So, as you can see, history is the foundation upon which we base everything else. However, putting it all together requires a combination of willpower, time, effort and skill which many people might not have. It also doesn't provide any insight if the provider is new. Can we find a more clear-cut and immediate way to rate a provider?
Categories of information we collect. Let's go right to the subsection titled "Information about your device" since that's where the nitty-gritty is usually found:
When you use our services we may collect specific information about your device, and across your devices, such as the product model, serial number, operating system, device settings, device performance, device and advertising identifiers, Internet service provider, IP address and other unique personal or online identifiers. If you or your device experiences an error, we collect information about the error, the time the error occurred, the application or features being used, the state of the application when the error occurred, and any communications or content provided at the time the error occurred.
IP, unique ID, advertising ID. "Across your devices" likely means they combine all that info into a profile. Hey, we might have the next privacy giant around here, so let's dig a little further - "Information about your use of our services":
We collect information about your use of and interaction with our services. This could include information about your gameplay, your online status, your service use history, your connections and interactions with other users, the content you share, the date and time of your visit, information about the links you click, pages you view, and advertising you interact with within our services, inferences used to create a profile about preferences and characteristics, standard server log information, and other information about how you use our services.
In short, absolutely everything you could imagine is stored, including "inferences to create a profile" - which means they (using all the collected data) try to predict what you'll like or what you're going to do next, etc. With the above, we have enough to throw Nintendo into the pile of the biggest violators, along with Facebook, Discord or Mozilla. But our speedrun was supposed to have two parts - data collection and duration - so let's check out the other. From section "Information retention and information security":
This is the most reliable way to prove or disprove privacy. For web browsers (as well as anything else that uses the HTTP protocol, such as package managers) you can use mitmproxy. For anything else, use netactview. It lacks the rich functionality of mitmproxy, but it works for any protocol. To use it, first go to the "view" menu and enable the "command" option. This will allow you to see what program actually makes a connection. Then turn on the application you want to test (or all of them). Now watch; if you see a program make a connection when it isn't even supposed to use the Internet (I haven't had that happen yet) - well, you have your proof. It is also possible to check for the actual hosts a process is connecting to; you might be surprised to learn that your favorite "private" service is going through Amazon servers or such... Wireshark is another program that can do this, but it's more complicated and netactview does what we need it to do.
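The same per-program view can be scripted. The following is an added example (not part of the original article) that groups remote endpoints by owning program from `ss -tnpH` output on Linux; the sample lines, program names and the set of programs expected to use the network are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ss -tnpH` output (iproute2); not captured from a real host.
SAMPLE_SS = """\
ESTAB 0 0 192.168.1.10:51234 93.184.216.34:443 users:(("firefox",pid=2211,fd=87))
ESTAB 0 0 192.168.1.10:51240 203.0.113.7:443 users:(("firefox",pid=2211,fd=91))
ESTAB 0 0 192.168.1.10:40022 198.51.100.25:80 users:(("texteditor",pid=3050,fd=12))
ESTAB 0 0 [2001:db8::10]:39000 [2001:db8::beef]:443 users:(("mailclient",pid=1500,fd=30),("mailclient",pid=1501,fd=30))
ESTAB 0 0 127.0.0.1:5432 127.0.0.1:48110
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=\d+')  # program name inside users:((...))

def connections_by_program(ss_output):
    """Map program name -> set of (remote host, remote port), ignoring loopback."""
    seen = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # blank line or a header row
        host, _, port = fields[4].rpartition(":")
        host = host.strip("[]")  # IPv6 peers are printed as [addr]:port
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue  # local-only traffic never leaves the machine
        except ValueError:
            pass  # not a plain IP address; keep it for review
        # Without root, sockets of other users carry no process column.
        owners = set(PROC_RE.findall(" ".join(fields[5:]))) or {"(unknown)"}
        for name in owners:
            seen[name].add((host, port))
    return dict(seen)

def unexpected_talkers(by_program, expected):
    """Programs with remote connections that are not in the expected set."""
    return sorted(name for name in by_program if name not in expected)

if __name__ == "__main__":
    table = connections_by_program(SAMPLE_SS)
    for name, peers in sorted(table.items()):
        print(name, sorted(peers))
    print("unexpected:", unexpected_talkers(table, {"firefox", "mailclient"}))
```

On a live system, feed it the text of `ss -tnpH` run as root so every socket shows its owner.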
The above method works for both closed and open source software. Of course, if source code is provided, you can read it; but for the vast majority of people, it requires too much skill. Assuming you do have that skill - most software still has so many lines of code you could not inspect it properly. Even in small programs, it is still easy to miss a connection or have a malicious developer hide it. Network monitors, though, will reveal all - so they are the most viable option. But what if we're trying to judge an online provider, instead of software?
Sometimes, services do show their source code but you can't verify that it's the same one they're running. Fortunately, many providers can still be tested. You can easily check (with uMatrix or just the browsers' in-built tools) if a search engine is setting tracking cookies, like DuckDuckGo used to do, or if it's behind Cloudflare. If Tor or VPNs are blocked, that pretty much disqualifies a provider from being privacy based. Servers can have insecure setups which are often testable, such as ProtonMail's redirection of onion domains to the clearnet or secmail's revealing of the operating system and PHP version on their server. This can refute the
"name of VPN" + "government" or + "court" to find ones that were keeping logs and ones that weren't). You can talk to the people behind a service directly - which can increase your trust in them or even reveal interesting information such as secmail not having time to implement SSL. But in the end - short of hacking the server - you cannot 100% prove a VPN's no-log policy, for example.
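The provider-side checks described above (long-lived cookies, Cloudflare fronting, a server announcing its software versions) can all be read off the response headers your browser's built-in tools show. The following is an added example, not part of the original article; the sample headers and the one-day threshold for calling a cookie persistent are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DAY = 86400  # assumption: a cookie kept longer than one day is reported as persistent

# Constructed response headers for illustration; not captured from any real provider.
SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.40
Set-Cookie: sid=abc123; Path=/; HttpOnly
Set-Cookie: uid=9f2c7e; Max-Age=31536000; Path=/
"""

def cookie_lifetime(value, now):
    """Seconds a Set-Cookie value asks to be kept; None for a session cookie."""
    attrs = dict(a.strip().partition("=")[::2] for a in value.split(";")[1:])
    attrs = {k.lower(): v for k, v in attrs.items()}
    if attrs.get("max-age", "").lstrip("-").isdigit():  # Max-Age overrides Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        try:
            return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
        except (TypeError, ValueError):
            return None  # unparseable date: browsers treat it as a session cookie
    return None

def audit_headers(raw, now=None):
    """Sorted findings: persistent cookies, Cloudflare fronting, version disclosure."""
    now = now or datetime.now(timezone.utc)
    findings = set()
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            life = cookie_lifetime(value, now)
            if life is not None and life > DAY:
                findings.add("persistent-cookie:" + value.split("=", 1)[0])
        elif name == "cf-ray" or (name == "server" and "cloudflare" in value.lower()):
            findings.add("cloudflare")
        elif name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.add("version-disclosure:" + value)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

A persistent cookie is only a candidate tracker; whether it identifies you depends on what the value is used for, so treat the output as a list of things to look at more closely.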
Though it's great if a service or software has privacy, that alone is not enough for continued usage. What are some other things to care about?
We have to pick the issues that are the most important to us. I recommend starting with privacy - this is testable by all the ways I've given above. Then, moving on to censorship - which can be similarly tested. After that, check if the software or service actually does what you want it to do. Fortunately - even if we don't manage to tick all the boxes - many people have cared enough to create stuff that's private, freedom-supporting, and functional. By minimizing the amount of things we use and doing proper analyses, we can more easily fill our computing and lives with quality instead of quantity. Joining related communities is also a good way to get relevant advice.