The problem in the privacy community

The online privacy community is divided. Most of it believes in fake privacy initiatives, only trusts mainstream solutions, or even goes as far as recommending proprietary software and other bad actors like Cloudflare.

Seeing the bad state of the privacy community, I decided to create this site, which tries to advocate for real privacy and not just an illusion of it.

I’ve written a brief analysis of well-known privacy sites which don’t provide real privacy.

PrivacyTools.io

Probably the most popular privacy site. I used to visit this site too when I was getting started.

This site contains affiliate links and discount codes. While we understand that maintaining something like this requires a lot of time and effort, we consider that affiliate links and discount codes for certain services may affect the criteria for adding or removing a service, or for listing it instead of others that bring the site no profit.

Furthermore, this site’s recommendations are very poor, often targeted at non-technical people and thus sacrificing privacy. In some cases they even recommend privacy violators instead of alternatives that would require exactly the same effort to set up. We consider this unacceptable. This applies to almost every site on this page.

First problem: it’s Cloudflared. Cloudflare is a well-known privacy violator, and its service acts as a man in the middle: as a reverse proxy it terminates TLS, so it sees the plaintext of every request to the sites it fronts.

There are a lot of issues with their recommendations. For example, they recommend browsers known to send telemetry, like Firefox or Brave, instead of LibreWolf and Ungoogled Chromium, which have that telemetry stripped out. Additionally, they recommend the DuckDuckGo browser when, as a Chromium-based browser, it is clearly outclassed by Ungoogled Chromium and Bromite.

There’s probably more, but I didn’t bother. The fact that it is Cloudflared shows how little they care. There was a huge drama months ago between PrivacyTools.io and PrivacyGuides.org which seemed to be about the donation money. Maybe they only care about donations, and that’s why they list awful options like Signal, Thunderbird or Cloudflare. Or maybe they are just incompetent. I don’t know, but it sucks. It was one of the reasons for the creation of our site.

PrivacyGuides

Created by a former maintainer of PrivacyTools.io. This site at least isn’t Cloudflared. Let’s see if its recommendations are any better than PrivacyTools’:

Probably more, but this alone shows that there’s no real privacy here. Yet another privacy website which, instead of digging deeper for really private alternatives, recommends the mainstream solutions. They go as far as recommending proprietary spyware like Apple Mail or Safari. Big red flag.

The New Oil

The New Oil targets non-technical users too much. They recommend iOS. iOS is a proprietary black box which can’t be fixed. At least Android can be de-Googled and you can mitigate most of its spyware; with iOS you can’t. They don’t mention Android custom ROMs, which are far more privacy-respecting than the factory one.

They criticize Firefox and Brave but still recommend them, without mentioning the truly private alternatives like LibreWolf and Ungoogled Chromium/Bromite.

For email, once again, they recommend Tutanota and Protonmail. One fun fact is that they give Protonmail more “Pros” and fewer “Cons” than Tutanota. Coincidentally, they happen to link Protonmail with an affiliate link while they don’t have one for Tutanota.

As instant messengers they recommend Signal, Threema and Wire. See our IM comparison if you don’t know why this is bad.

Probably more, but I don’t want to waste more time on that site. It’s also interesting that they host their site on GitLab, which is Cloudflared and won’t work at all without JavaScript. This says a lot about them.

The Madaidan

There’s much more to be said about this topic; this was extracted from a discussion in the Spyware MUC.

One of the greatest problems in the community is a security researcher known as Madaidan together with a GrapheneOS developer, Micay. They have almost the same ideas when it comes to security (and unfortunately privacy). GrapheneOS devs attack everything with the excuse of security: Android ROMs are a security nightmare because they don’t get firmware updates and the bootloader is unlocked; Calyx is very insecure due to signature spoofing; Firefox is quite insecure, so you must use Google’s browsers. A known member of the GrapheneOS Matrix room has been attacking F-Droid and promoting the GrapheneOS store and the Aurora Store.

Micay, in the GrapheneOS FAQ, says that the Linux kernel is insecure and that he’s excited about replacing it with a microkernel (oh, did you know that Google’s Fuchsia runs on a microkernel?). As they see it, we have to use Google hardware and software because every alternative is ridiculously insecure.

They also recommend using smartphones (GrapheneOS on a Google device, or up-to-date non-jailbroken iOS) over desktop computers because computers weren’t designed with security in mind. And if you want to use a desktop, they recommend Windows 11 with Secure Boot. What a joke. Windows is a major privacy offender; you can’t be private on Windows. You may even write a hosts file with a ton of blocked domains to cut off Microsoft’s telemetry, but Windows Defender then flags that as a hosts-file hijack, treats it like malware, and restores the file.

Yeah, sure, a Google phone with a proprietary bootloader and a proprietary Titan M chip is the best option for privacy.

Madaidan tends to recommend corporate software like Chromium, macOS or Windows. He shits on Linux and completely ignores OpenBSD, which is widely regarded as an excellent security-focused desktop OS. He recommends Signal, in spite of it requiring personally identifiable information like a phone number and being centralized. He doesn’t mention XMPP, which outclasses Signal. In his browser article he doesn’t even recommend configuring your browser, and he’s against content blockers, arguing that everyone configures their browser differently and that you’ll stand out.

That is the usual excuse for using Google Chrome. But there are other options: Moonchild, the main Pale Moon developer, takes the opposite approach. Since he knows that blending in is almost impossible, he makes his fingerprint unique on purpose, randomizing it on every page reload.

In the end, these recommendations are harmful to the user’s privacy. If you want truly secure boot, take a desktop supported by Libreboot/Coreboot and have GRUB verify the kernel, initrd and config against GPG signatures. That’s real secure, verified boot, unlike Microsoft’s, whose only purpose is to force you into using Windows.
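What the GRUB part of that setup looks like in practice, as an added example that is not from the original post or from the Libreboot project: the key ID, the file paths and the GRUB device name (hd0,1) are assumptions you would replace with your own. GRUB’s pgp verifier reads binary OpenPGP data and supports RSA and DSA keys only, so the key is exported without --armor and must not be an ed25519 key. The header emitted by grub_cfg_header belongs in the early config GRUB starts from (on Libreboot, the grub.cfg kept in the firmware image), which then loads the signed on-disk grub.cfg; every file loaded after check_signatures=enforce is set needs a matching <file>.sig next to it.

```shell
#!/bin/sh
# Added example (not from the original post): GPG-verified boot with GRUB on a
# Libreboot/Coreboot machine. KEYID, paths and (hd0,1) are assumed placeholders.
set -e

KEYID="${KEYID:-boot@example.invalid}"       # assumption: an RSA key in the admin keyring
PUBKEY_OUT="${PUBKEY_OUT:-/boot/boot.pub}"   # assumption: where the binary public key lands

# Export the public key in binary form. GRUB does not parse ASCII armor and
# its verifier only handles RSA/DSA keys.
export_pubkey() {
    gpg --export "$KEYID" > "$PUBKEY_OUT"
}

# Detached-sign every file GRUB will load (kernel, initrd, on-disk grub.cfg,
# any extra module). GRUB looks for <file>.sig beside <file>.
sign_boot_files() {
    for f in "$@"; do
        rm -f "$f.sig"
        gpg --detach-sign --default-key "$KEYID" -o "$f.sig" "$f"
    done
}

# Local pre-flight: verify a signature the way GRUB will, so a missing or
# stale .sig fails here instead of at the boot prompt.
check_sig() {
    gpg --verify "$1.sig" "$1"
}

# Early (firmware-side) config: trust the exported key, switch enforcement on,
# export it so it survives into the config loaded next, then hand over to the
# signed on-disk grub.cfg. Arguments: GRUB path to the key, GRUB path to cfg.
grub_cfg_header() {
    pub="$1"
    cfg="$2"
    printf 'trust %s\n' "$pub"
    printf 'set check_signatures=enforce\n'
    printf 'export check_signatures\n'
    printf 'configfile %s\n' "$cfg"
}

# On-disk menu entry: both files named here need a valid detached signature,
# and so does the grub.cfg that contains this entry.
grub_menuentry() {
    cat <<'EOF'
menuentry "Linux (GPG-verified)" {
    linux  /boot/vmlinuz root=/dev/sda2 ro
    initrd /boot/initrd.img
}
EOF
}

# Full run (assumed paths). Re-run sign_boot_files after every kernel,
# initrd or grub.cfg change, or GRUB will refuse to boot.
if [ "$1" = "run" ]; then
    export_pubkey
    sign_boot_files /boot/vmlinuz /boot/initrd.img /boot/grub/grub.cfg
    for f in /boot/vmlinuz /boot/initrd.img /boot/grub/grub.cfg; do
        check_sig "$f"
    done
    grub_cfg_header "(hd0,1)/boot/boot.pub" "(hd0,1)/boot/grub/grub.cfg"
fi
```

Run it as `sh verified-boot.sh run` after each kernel or initrd update; the printed header is what goes into the firmware-side grub.cfg, and grub_menuentry shows the shape of the on-disk entry that the signed config carries.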

Further reading and sources