Issue 93

The best privacy tools of 2020

Delivered on 28 December 2020 by Justin Pyvis. About a 6 min read.

I trust everyone had a Merry Christmas! To wrap up 2020 I thought I'd provide a summary of some privacy-friendly software I use on a regular basis, just in case anyone felt the need to improve their risk profile in the new year.

Password management

Getting (and using) a password manager is the single biggest step you can take to improve your digital privacy and security. A password manager will generate a unique password, up to 128 characters long, for every service you use. You only need to remember one password* (or better yet, a passphrase) to unlock everything. That means if a company gets compromised - which happens far, far too often - at least all your other accounts are safe.

*Note that ideally you should combine your password/phrase with 2-factor authentication, such as an app like andOTP, Authy or Aegis.

In terms of which password manager to use, look no further than Bitwarden. It's open source, has a very usable free option and will automatically sync with all of your devices. Here's a sample 32-character password I generated:

RNgs%BY7!*zu^HHPiHQsK$56iZLf!zgR

And here's a random 5-word passphrase I asked it to cook up:

excavate-daredevil-bobsled-sheep-ritalin

If you were really keen you could use KeePass, but I find Bitwarden's simplicity and ease of use impossible to beat, except perhaps by 'premium' managers such as 1Password, which are closed source and so drop down my list a bit.
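To make concrete what a generator like Bitwarden's is doing when it produces a password such as the 32-character sample above or a five-word passphrase, here is an added example written for this newsletter, not Bitwarden's code. It draws from the operating system's cryptographically secure random source (`secrets`, never the predictable `random` module), enforces that every character class appears at least once, and computes the entropy of each form so the two can be compared. The symbol set and the short word list are constructed for the example; a real passphrase generator uses a list of thousands of words.

```python
import math
import secrets
import string

# Character classes. The symbol set is an assumption chosen to cover the
# punctuation visible in the sample password (% ! * ^ $); it is not claimed
# to be any particular manager's default set.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!@#$%^&*"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS

# Constructed toy word list. A real generator uses a large list, for example
# a 7776-word diceware list, which is what entropy_bits(7776, 5) assumes.
WORDS = (
    "excavate daredevil bobsled sheep ritalin anchor basalt cactus delta ember "
    "falcon garnet harbor iris jigsaw kelp lantern marble nectar orbit pepper "
    "quartz raven saddle timber umber velvet walnut yarn zephyr"
).split()


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Return a random password drawn from `alphabet` using the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`: `random` is a
    Mersenne Twister whose future output can be recovered from a few earlier
    samples, which is unacceptable for credentials. Rejection sampling
    ensures every character class present in the alphabet appears at least
    once, mirroring the "include numbers/symbols" options managers offer.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to fit every class")
    classes = [cls for cls in (UPPER, LOWER, DIGITS, SYMBOLS) if set(cls) & set(alphabet)]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def generate_passphrase(words: int = 5, wordlist=WORDS, separator: str = "-") -> str:
    """Return `words` uniformly chosen list entries joined by `separator`."""
    if words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options.

    Only valid for uniformly generated secrets; a human-chosen string of the
    same length has far less entropy than this formula suggests.
    """
    return count * math.log2(choices)


def character_classes(password: str) -> set:
    """Report which of the four classes a password contains (for checks)."""
    return {name for name, cls in (("upper", UPPER), ("lower", LOWER),
                                   ("digit", DIGITS), ("symbol", SYMBOLS))
            if any(ch in cls for ch in password)}


if __name__ == "__main__":
    print(generate_password(), f"~{entropy_bits(len(ALPHABET), 32):.0f} bits")
    print(generate_passphrase(), f"~{entropy_bits(7776, 5):.0f} bits with a 7776-word list")
```

The entropy figures show the trade-off: 32 characters from a 70-symbol alphabet give roughly 196 bits, while five words from a 7776-word list give about 65 bits, which is still far beyond what is practically guessable and is the form a human can actually memorise for the one master secret.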

File synchronisation and cloud storage

Dropbox, iCloud and Google Drive are great, but not only do they scan and index your files, employees (and governments) can come snooping too. There are two clear privacy-friendly alternatives: one is free and requires a bit of technical nous, while the other involves forking out a bit for a premium service.

The free option is Cryptomator. It's open source and encrypts all of your data locally, meaning whichever mainstream cloud provider you use will only see gibberish when they scan your files.

The downside of using Cryptomator is that it makes collaboration impossible, including sharing file links. It also adds an element of risk - if you lose your passphrase or somehow corrupt your Cryptomator folder, you lose your data (always use a password manager!).

That downside can be resolved by using a paid service such as Tresorit, Sync.com, Mega or ProtonDrive. I haven't tried ProtonDrive as it's only in beta, but the other three work at least as well as the big mainstream cloud providers. Note that Mega and Sync are based in New Zealand and Canada respectively, which are both members of the 'Five Eyes' and so should be avoided where possible. That leaves Tresorit, which has been around quite a while now and is based in Switzerland (with relatively good privacy laws). However, as with the other three, its source code is not open, meaning there's still an element of trust involved.

The only other options that tick all the boxes are Nextcloud or Seafile. But those are self-hosted solutions so require a bit of technical ability and either a paid virtual private server (VPS), a dedicated server in your home or someone else to manage it.

Email

This is an area where I have flip-flopped a few times over the years. I have found that encrypted email - e.g. ProtonMail, Tutanota - might sound good on paper, but you usually have to sacrifice too much for limited gains.

The ability to sync contacts to your phone's address book? Someday, maybe. Properly formatted emails? Occasionally. Calendar invites? If you're lucky!

While end-to-end encrypted email sounds nice, it's better in theory than in practice. Aside from the relatively limited features, just about every email you send or receive will have Apple, Google or Microsoft on the other end of it anyway, meaning they already have a copy of most of your emails. That means there's very little point to end-to-end encrypted email; it's simply not the right medium for privacy.

However, you should still try to avoid the Googles of the world where you can. Despite the pitfalls, encrypted services such as ProtonMail are good in the sense that you can be sure they do the basics well, including zero-access encryption at rest and 2-factor authentication. They're also good if you regularly email someone else willing to use PGP, such as a spouse or colleagues.

I personally have accounts with Swiss-based ProtonMail and Iceland-based Runbox, using the open source clients Thunderbird (desktop) and K-9 Mail (Android beta version) with the latter, as its web interface leaves much to be desired. Other options I have dabbled with over the years include mailbox.org, Soverin, Mailfence and StartMail. YMMV, so make sure to use your own domain name (@yourname.com) to make switching providers easy should the need arise.

Messaging

While the email protocol was not built for privacy, messaging was. The standout is the Signal Protocol, which is what secures the Signal Messenger and a bunch of other major encryption implementations from WhatsApp to Skype chat.

However, of the available encrypted messaging options only Signal Messenger is open source. Facebook claims that WhatsApp uses the Signal Protocol but there is no way to guarantee it's actually working, or that it hasn't subsequently backdoored it.

To keep a long story short, try to use Signal Messenger whenever possible. It only has two weaknesses, namely that:

  1. it's centralised, meaning there's a single point of failure in the Signal Foundation's servers; and
  2. it requires a mobile phone number, which may not be practical for some people.

If either of those two weaknesses is a major issue for you, consider using Element, which provides end-to-end encrypted chats over the decentralised, federated Matrix network.

Social media

There's no good answer here. All of the mainstream networks - Facebook and Instagram, Twitter, Snapchat, TikTok, WeChat - are in fact advertising companies masquerading as social media platforms. They don't charge you anything because you're the product, not the client. Privacy is non-existent on these services, so other than abstinence there's no easy way to avoid having all of your information gobbled up by them.

While you could sign up for an account on the Fediverse, good luck convincing anyone to join you (incidentally I run my own Pleroma node).

All I can say here is that if you must use the likes of Facebook and Twitter, at least use an open source client on your mobile such as Twidere or Frost for Facebook (the latter requires F-Droid, an app store containing only free and open source software on Android), which will prevent these companies from listening in on your microphone and harvesting everything else you might have on your phone.

Podcasts

I use AntennaPod, an open source podcast manager that can index podcasts from all of the popular websites or RSS feeds.

Note taking

For mobile and desktop note taking I use Standard Notes, which is open source and end-to-end encrypted. It's simple but does the trick and will automatically sync with all of your devices.

Web browser

The best of a bad bunch is Firefox with the uBlock Origin add-on (make sure to also check the option to prevent WebRTC from leaking local IP addresses). I say a bad bunch because Firefox has been horribly mismanaged by the Mozilla Foundation, which for whatever reason prioritises a myriad of side projects at the expense of its most important product, Firefox. Even if you wanted to donate specifically to improve Firefox, it goes into general revenue, so there's a good chance the Mozilla Foundation will instead use it to increase its CEO's pay or finance some whacky side project, such as the creation of an AI division.

VPN

You should use a VPN whenever it's convenient to do so. The most important features are that it doesn't keep logs and is based in a country that you do not reside in. You generally get what you pay for with a VPN, and I'd recommend the Sweden-based Mullvad (or, if you use ProtonMail for email, bundle it with ProtonVPN).

Have a Happy New Year!

