What is the point or purpose or reason for PrivacyGuides.org to exist?

[Mikaela]

This ties in to a lot of discussions including whether or not we should list something:

• Who is the target audience of PrivacyGuides?
  • If there are many or it's wide, where are the lines on who belongs to which demography?
• What is the scope of PrivacyGuides?
  • I may not be the best to word this, but I think we may have been some growing pains there, like instant messaging is something everyone does and needs, but then there are cases such as website analytics (should we advice people on-site to use Matomo and not Google Analytics (or are they out of scope)), hosting providers, frontends for other sites, file hosting services etc. that are not as clear-cut.

[TommyTran732]

In my opinion:

1. Target audience should be anyone who is looking for privacy, from an average user to technically proficient people.

2. As for the scope...
   I think it should be limited to guides and tools that actually does something to improve privacy and security, not to "replace/avoid big tech".

One of the problems I see a lot in privacy communities is that people like to fear monger about Google, Apple, Microsoft (the so-called big-tech), then tell others to switch to an alternative with no apparent privacy/security improvements. A common example is people switching from Google products to a different service provider, without knowing exactly why they are doing it. Then, someone else comes along and accuse that new provider of being a honey pot, and we have drama with insane and stupid conspiracy theories.

For every recommendation we make, there should be a specific threat that we are trying to solve. There is no point in switching from Gmail to ProtonMail if the threat is the service provider - both of them can trivially get your incoming unencrypted emails anyways (and they do indeed scan all of those emails), you have to trust them. The threat here is government requests to hand over your data - if we assume both providers to not be malicious, then Google has your entire mailbox to hand over. ProtonMail has almost everything to hand over as well - except for the message body which is stored encrypted using your own keys at rest. Only for this specific threat would using something like ProtonMail make sense. If the threat is the service provider, the only viable solution is to set up your own email server - shifting trust from one service provider to another will not solve it. Threat modeling is very important.

This is a similar situation with VPN recommendations. A VPN does 2 things: shifting the risks from the ISP to itself, and protecting you from 3rd party IP based tracking. If the threat is 3rd party tracking, then a VPN is a valid solution to layer up your defenses. If the threat is the service provider profiling/tracking you, then you should be using Tor. A VPN is about as trustworthy as an ISP - neither of them are to be trusted, and you should always assume you are logged. While it makes sense for PG to go over the jurisdiction, privacy policies and whatnot when making a recommendation - threat modeling is much more important. If the technology cannot ensure your privacy, then it should not be considered as an option at all.

Recently, the discussions about Invidious and Piped came up. What most people seem to forget is to do threat modeling - what is the threat here? The threat should not be "Google is profiling you", but rather, "your video streaming platform is profiling you". To fight against such threat, the first thing to do is to eliminate IP based tracking - you should always use a VPN. If you do not trust YouTube with your IPs, then you should not trust the Invidious operators with your IPs either. Likewise, if you cannot trust YouTube with your subscription list/playlist, then you should be storing those locally, using a client like FreeTube and Newpipe. Don't make an account on Invidious instances and have your subscription lists/playlists saved there. If you are not using this feature, then it makes little differences whether you are using the YouTube front end or Invidious. There has to be a real privacy improvement for something to be recommended.

Someone recently told me that Invidious and Piped lets you watch YouTube without JavaScript, and if you do not have a subscription list/playlist, then yes, it is a security improvement (being able to just turn off JavaScript is a great plus). I am going to make a new PR regarding this very specific use case.

Some people use Invidious, Piped, or even other networks like DTube, PeerTube, simply because of their fear of Google without having an actual threat model. They do not realize that doing this is does absolutely nothing for privacy - it is simply shifting trust from one party to another. It is not a viable approach and it is never going to work. This is the equivalent of switching from using Gmail to any other email provider out there without realizing that those email providers can read your emails as well. I do not believe that simply listing a bunch of alternatives to Google without any apparent privacy or security improvements will get PG anywhere far, and at best we will end up being the abomination that PTIO is right now. There is a reason that in security communities, PG/PTIO is viewed as a complete joke. In other words, alternatives to the "evil big tech" with no real privacy or security benefits should be out of scope.

It is also important that PG should evaluates technologies based on their merits. For example, if the LBRY Desktop client helps users browse the LBRY Network privately, then it should be listed. Just because nasty people (Neo-Nazis) abuse the LBRY Network to host their insane ideologies doesn't mean LBRY should be delisted. If we are going to delist LBRY, then under the same logic, things like Tor, I2p, cryptocurrencies, should never be listed as well, because degenerates do use them quite a lot. It is a slippery slope. The only time something like this should be delisted is when it is designed specifically for illegal or unethical purposes. But LBRY isn't like that. It is built to be censorship resistant. Content creators (especially YouTubers) have their content backed up on LBRY channels in case they get de-platformed, and there are people like me who consume a lot of content on LBRY as well. Are we Nazis? No, we are not. There are people who see themselves as "free speech absolutists", who think that speech, no matter how wrong, disgusting, insane, should not be censored unless they call for direct violence. The LBRY folks are those people. They are idealists, not Nazis. To call people who simply believe in free speech Nazis is disgusting. That said, social issues should be out of scope for PG.

[TommyTran732]

Would be great if the team could confirm the direction we are going with. All of my contributions have been based off of the premises I laid out above.

The pending browser rewrite (which is practically done at this point, just waiting for approval) is also based on those same principles. The recommendations are purely made because of technical reasons, and political/social issues are not taken into consideration whatsoever.

[ghost]

Totally agree, all recommendations should be purely functional for privacy. Putting brave on the anti-recommendation list because it "doesn't want to be associated with the privacy community" makes no sense as this doesn't affect the actual functioning of the browser. Similarly, extensions like TOSdr and Snowflake don't actually directly improve the privacy of the user, so they shouldn't be recommended.

[TommyTran732]

Thank you. That is exactly what I did in my PR. TOSdr is only recommended as a website, and recommended against as an extension. Recommending TOSdr as an extension really does nothing for privacy or security and just weakens site isolation. The user can just visit tosdr.org to get a privacy summary of the Terms of Services instead.

[jonaharagon]

I think overall our vision is aligned, but I actually personally disagree with more than a few of the specific points you are making here.

[The scope of Privacy Guides should] not [be] to "replace/avoid big tech". [...]

One of the problems I see a lot in privacy communities is that people like to fear monger about Google, Apple, Microsoft (the so-called big-tech), [...]

I think this is absolutely the wrong approach to this subject. From the perspective of the vast majority of people, Big Tech is their single largest privacy concern hands down.

You mention three examples in the original post: email, VPN, and video providers. For all of these examples, you bring up the value of threat modeling — good! — but then focus on one extremely narrow threat model (that threat model being any service provider) that sounds more aligned with your own personal privacy goals. There's no problem with the examples you are putting forth here, but there are far more threat models that are more lenient and more applicable to the vast majority of people seeking answers from this site.

For every recommendation we make, there should be a specific threat that we are trying to solve.

The threat should not be "Google is profiling you", but rather, "your video streaming platform is profiling you".

Similarly again, forcing a predefined threat model we've come up with on the user is not what our goal here is. The ultimate goal of Privacy Guides should — in my opinion — not be to make recommendations at all in fact, that is just a secondary task we complete. What we are really all about is privacy education, we should be putting more of a focus on:

1. Threat modeling — how you determine your own, not answering "what is my threat model?" for the user.
2. Why we made certain recommendations — Elaborating on the thought process behind everything we publish to make it more transparent for the user.
3. What differentiates our recommendations — If we have more than one, how do they compare? If we only recommend one product in a category, why?

I think we are very focused on "recommendations" because that is the current state of the website, but it is not how it should stay in the long-term. The clue is in the name, eventually we will have more of a focus on actual "guides"/long-form content.

There is a reason that in security communities, PG/PTIO is viewed as a complete joke. In other words, alternatives to the "evil big tech" with no real privacy or security benefits should be out of scope.

I have never seen evidence that this is the case, and in fact I am aware of many security/privacy professionals who promote our work.

To call people who simply believe in free speech Nazis is disgusting.

This LBRY example feels like a strawman to me, I haven't seen accusations like these seriously leveled against reputable decentralized providers like Odysee, LBRY, or PeerTube. I have seen them leveled against organizations like Gab, Rumble, etc., and those accusations are accurate which is why we would not list such services.

That said, social issues should be out of scope for PG.

Privacy is inherently a social and political topic, and as such I think social issues should be taken into consideration when we evaluate the content we are putting on our website.

cc @dngray @freddy-m looking for team thoughts?

[TommyTran732]

Couple of things:

1. How big does a company have to be to considered "big-tech"?
2. How do you deal with the conspiracies that ProtonMail/ProtonVPN/etc are honey pots? Most of these accusations comes from the lack of understanding of what those technologies can and cannot do for the user. I have seen people people getting scared of ProtonMail and recommend others switch to worse alternatives like Cockli, which is absolutely depressing.
3. If you define your threat as just Google/Microsoft/Apple/whatever, you will end up with very mediocre recommendations. For example, under such standards (just not being Google), are you going recommend DTube, Bitchute, Bit.tube, HookTube, DailyMotion, Vimeo as well? Where do you draw the line? In fact, which one of them would you not recommend, and what is your justification?
4. Yes, the whole LBRY situation is a strawman. Yet, LBRY was very close to getting removed the last few days, what do you think about this?
   Add back PeerTube, Invidious, remove LBRY privacyguides.org#356
   video-streaming: delist LBRY until proper process privacyguides.org#358
5. If you take social issues into account, you will have a lot of random questions you have to answer for, including why you are recommending something like GrapheneOS, which requires Google hardware to run.

[markcellus]

I agree with most of your message but we should be careful with statements like this one:

They do not realize that doing this is does absolutely nothing for privacy - it is simply shifting trust from one party to another.

For some people switching platforms isn't always shifting trust to one platform to another. One may switch to another app because the code is open source which makes it more trustworthy. You can actually see (in the code) what the app is doing and how it changes over time.

[markcellus]

Again, I'm not just talking about youtube frontends or Signal or any app specifically. My point was that its not safe to make generalizations about why people have switched platforms or apps without considering how (open) transparent its code is.

you have to trust the instance operator if you sign up for an account there

Not if you've signed up using the proper tools and ficticious information that keeps you anonymous. You're making very bold claims that just aren't true.

[TommyTran732]

How is it not true? If you are signing up using "proper tools and ficticious information", it makes 0 differences whether you are using the YouTube front end or a third party front end. There is 0 difference in privacy or security.

[markcellus]

The bold claims that you're making that aren't true are statements like this:

It's doesn't matter much whether a server is open source at all

A server can't be open source. I said the server-side code can be open-source.

There is nothing that guarantees that the server is running the same code as the open source version.

Not sure if you're a software engineer, but I've been one for 20+ years. There is a way to sign releases so that what's in production can be verified against the codebase. We use checksums for that. The implementor just needs to make this available.

Whether Odysee itself is open source or not doesn't matter at all.

Another untrue statement. If both client side and server-side code is open source, you can see what data is being stored, how it's being stored, and where.

I stand by my original statement: If a platform takes the right precautions and implement their client, server, and database connections in a way that is fully transparent to their users, there won't be any blind areas of trust.

For the good of this group, it's important that the people who are running PrivacyGuides make sure they understand all apps and platforms, use-cases, and how technology fundamentally works. And create privacy guidance around facts that are verifiable--not sweeping generalizations and assumptions (like some being made in this thread). If not, you're just pushing opinions and rhetoric, which are just as untrustworthy as the platforms you call out.

[TommyTran732]

I don't think you get what I am saying at all.

You cannot know what is stored where on a server. No one except the server operator actually knows what is running on a server, because the server can just be configured to run completely different code (a whole different version) than what you publish as the open source server sided code. It doesn't matter whether you sign releases or not - it is impossible for and end user to verify it.

The moment a user start trusting a server, they start trusting the operator of that server. It does not matter if you publish some server code in the name of transparency or not. If I coded an instant messenger with no end to end encryption, but have it in the open code to completely delete the messages after they get delivered (kinda like Snapchat), should you trust me at all? No, because I can just make a tiny change to remove the deletion step. You are better off with an instant messenger where the client is open source and the server is proprietary, because at least you know what information is sent encrypted and what isn't. You don't need to trust me or the server that I am running to not keep your messages forever.

For private, sensitive data, you need client side encryption. The server should not be a trusted party at all. I love and do use primarily free software, but I do not believe that whether a server is open source or not matters at all if it is not in your control anyways.

[markcellus]

I don't think you're getting what I'm saying at all, either. I'm saying (and have always been saying) that a platform who chooses to open source its code does matter when determining its trustworthiness. You can keep saying it doesn't matter. But it does. It's much better than nothing being open sourced.

Additionally, you're arguing against assertions that I've never made. I'm talking about open-source code and how it helps with the transparency of a platform, and you start talking about servers as if open-source somehow means there must be a server. I never said that servers can be trusted, you assumed--just like you're doing in virtually every post you've made in this thread. I never brought up servers. In fact, there doesn't need to be a server at all. A client could store data in memory or locally and open source that. It all depends on the application. You should open your mind. Your perspective seems delusional and single-minded. There are a ton of different applications and technology, all with different setups. You should be more careful about what you say because you risk misleading people.

[dngray]

My personal opinion is that Privacy Guides exists to provide information and advice about software which both improves privacy and security. Security does intersect with privacy (you can't have something private if it isn't secure).

To evaluate these things I believe we must:

• Learn how it works and evaluate privacy benefits. This could take form in:
  • Looking for external audits
  • Looking at the whitepaper and learning how the technology works
  • Contacting developers for comment
  • Verifying aspects of source
• Provide a user experience that we can actually stand by:
  • Does the product reach a certain maturity/stability/quality?
  • Would we consider using it ourselves?
• Provide feedback on how it may be improved (if possible)
• Create criteria where possible to compare to other products and tools that have a similar usecase

I think as far as target audience goes, anyone who is interested in improving their privacy. This is why recommendations have to actually be usable. While certain manual approaches like PGP encrypting all messages on an airgapped computer might provide maximum security, they come at a massive user experience disadvantage. Not everyone is trying to be the next Edward Snowden. I think if you are, you need specialized advice for your particular situation.

That is where I disagree with PrivacyTools and all its rhetoric about, "eyes", "NSA" and state adversaries. It's not that those things aren't important, it's that simply recommending a bunch of tools (that you don't use or know anything about) isn't sufficient. Every time I look at that page and see the quotes in between each recommendation I cringe a little. Recommending Binance against the NSA, come on. Governments love cryptocurrency, well all of them except certain privacy coins. What auditor wouldn't love having a public ledger of all transactions. Binance is known to bend over backwards for any law enforcement (even ones in dodgy countries), because they're trying to legitimize their business, but anyway I digress..

I believe we should keep our tone and recommendations politically and geographically neutral. That means advising users to assess their own threat model, based on location, needs etc. The "eyes" agreement is not the only intelligence gathering agreement out there, and depending on where an individual lives it actually might be of minimal importance. For example if you were living in a dictatorship your local state is likely to be a much higher priority on your list than a distant country who passively observes.

Our recommendations must be based on merit. We don't need to be involved in every social issue that exists. There are many problems in the world and trying to address all of them is never going to be sufficient. It is going to cause us to stray from our mission and that will compromise our integrity. We need to remember people come to the website to find out how to best protect their privacy.

On that note I also don’t believe the site should be providing irrational advice against every product from “big tech”. The fact is software costs money to create. A lot of the best and most complex open source products out there are backed with some commercial for profit model. A lot of companies start out small and then grow to either be larger or acquired by bigger companies and that doesn't mean we should suddenly drop them as if they have done something wrong. It is worth continuing to evaluate if they change and how.

Many open source products in fact use components created by large tech companies like Google and Microsoft. Those companies now release a huge amount of those components to open source (Go, .NET, AOSP etc), because community maintenance is an invaluable asset that saves them money long term.

We want to eventually translate the website to other languages therefore social or political issues that are of concern to someone in one country might not be of concern to someone in another. We want to expand our blogging/news so that we're actually writing content about privacy and how it impacts various parts of the world.

Before we do that though, we need to clean up the site, remove some of the bad or outdated legacy advice. Long term we want to incorporate a 501(c)(3) and further decentralize ownership over key assets.