Does Privacy Guides have a stance on self-hosting?

I’ve noticed that while self-hosted or self-hostable software does appear in PG’s recommendations (e.g. Nextcloud, SearXNG), the emphasis seems to be on software that incorporates end-to-end encryption. I think some kind of guide detailing the pros and cons of hosting data on your own machines vs using an external end-to-end encrypted service would be warranted. Of course, self-hosting and e2ee aren’t always mutually exclusive, but it would be good to get an idea of what benefit each provides and what type of services/data would be better suited to a e2ee solution on an external provider vs an unencrypted self-hosted solution. As it stands, the closest I found was the “Shifting trust can increase privacy” section of “Common Misconceptions”, but it doesn’t really address the issue of self-hosting directly.

I don’t think there is one concrete opinion.
But first we need to define self hosting well.
Is hosting your own i.e. Nextcloud instance on AWS self hosting? I tend to say yes, is it privacy friendly? - probably not so much.

Self hosting in my opinion requires some basic knowledge about network and computer security in order to do it well. I do not buy that self hosting insecurely without one knowing what they are doing is an option.

Interesting discussion for sure.

1 Like

I back that.
My definition of self hosting would be manage your own server with direct physical access.
Under that definition, I think that self hosting is very private, since you are master of your own data, as far as you host services that don’t spy on you (!) and you are able to manage your privacy.
The main point has more to do with security: many self hosters just deploy docker containers and have no real understanding of system administration. That endangers their data. In that way, shifting trust and having your data managed by a system administrator different from the Big Tech can be a more secure answer.

2 Likes

The reason for this is that most people who are “self-hosting” are doing so via commercial server providers like Hetzner, DigitalOcean, or Vultr, where end-to-end encryption is still very important. This is less of a factor if you’re actually self-hosting at home where you can physically secure the servers, sure.

This is all stuff we do want to cover in a self-hosting guide or category on the site, which is planned, it’s just that nobody has actually written it yet.

6 Likes

I would compare it with cooking your own meals using your own ingredients grown at home. It can be done but you have to know what your needs are and how to actually do it. It takes a little time of your day and whatever you come up with should last for indefinite periods of time. You need to be able to endure losses i.e., plagues, bugs, bad weather, lack of care while away from home for longs periods of time, etc.

All these things are parallels to managing a server with your own data. Even with all the wealth of information found online it can be challenging because it’s not just about setting things up once and forget. No, you need to keep software up to date, manage backups and properly test them, prepare for hardware failure (if you host it at home on physical hardware), restore in case of data loss due to misconfiguration, etc.

It’s definitely an interesting debate that can’t be summarized into pros/cons list imo.

2 Likes

I agree with this definition of self-hosting as “managing your own server with direct physical access”. Another option for anyone that’s less technical is to ask a technical friend to help system admin one of their self-hosted servers in exchange for access to its services (like Nextcloud).

I think self-hosting is meaningful if the person can do traffic analysis (I can’t yet, it is a learning project for another less busy day). You can self host as you want but if data gathering/telemetry is slipping away from your hands unnoticed it feels no different from hosting in a VPS elsewhere.

Some technical knowledge is required for the privacy conscious self-hoster, at least enough to utilize network segmentation and VLANs properly. Currently my printer is connected to my WiFi and god knows what it is sending back. I still need to buy a managed L3 or maybe L4 switch for me to be sure that this particular network device does not dial home.

Also good luck finding an open source managed switch - people say they exist, but I find that they exist only in theory, because I’ve asked around the internet and no one seems to have one. All managed switches out there are proprietary only and it is a large, coarsened, uncomfortable pill to swallow.

1 Like
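One concrete form of the "can I tell whether my printer dials home?" check from the post above, as an added example that is not part of the thread: an egress audit over per-device flow records. It assumes a constructed `src,dst,dport,bytes` flow format (what a router or switch mirror port would export) and a hypothetical policy that confines the printer's IP to the LAN; any flow from a policed device to a destination outside its allow-list is reported with the byte total.

```python
"""Egress audit for a segmented home network (added example, not from the thread).

Assumes flow records in a constructed 'src,dst,dport,bytes' text format and a
hypothetical POLICY mapping device IPs to the networks they are allowed to reach.
Flags any flow from a policed device to a destination outside that allow-list,
i.e. a device talking past the VLAN boundary.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows (documentation/RFC 5737 addresses stand in for the internet).
SAMPLE_FLOWS = """\
192.168.10.50,192.168.1.20,9100,4200
192.168.10.50,203.0.113.17,443,15800
192.168.10.50,203.0.113.17,443,2100
192.168.10.50,192.168.1.20,631,900
192.168.1.20,198.51.100.5,443,51000
192.168.10.50,198.51.100.9,123,76
"""

# Hypothetical policy: the printer (192.168.10.50) may only reach the home LAN.
POLICY = {
    "192.168.10.50": [ipaddress.ip_network("192.168.0.0/16")],
}


def parse_flows(text):
    """Parse 'src,dst,dport,bytes' lines into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = line.split(",")
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def audit_egress(flows, policy):
    """Return {(src, dst, dport): total_bytes} for flows that violate the policy."""
    violations = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        allowed = policy.get(src)
        if allowed is None:
            continue  # device is not under policy, ignore
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net for net in allowed):
            violations[(src, dst, dport)] += nbytes
    return dict(violations)


if __name__ == "__main__":
    for (src, dst, dport), total in audit_egress(parse_flows(SAMPLE_FLOWS), POLICY).items():
        print(f"{src} -> {dst}:{dport}  {total} bytes outside policy")
```

Two off-LAN destinations are reported for the printer, with repeated flows to the same host summed; the laptop's own internet traffic is ignored because it is not in the policy.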

A different take on this would be to consider how centralised a platform is.

Arguably, the more centralised it is, the worse it is for the user from a privacy perspective.

Self-hosting options are useful even if the user does NOT self-host, because if there are viable self-hosting options then there is no lock-in to a particular provider.

So non-corpo email is better than ProtonMail / Tutanota in this respect. An agency just has to install a proxy in front of Proton/Tutanota servers and they have all privacy-conscious users’ emails. Harder to monitor 100000 small providers and self-hosted email servers (home or various VPS).

The same goes for messaging services. WhatsApp, Messenger, Signal, iMessage, etc, all suck because they are centralized. All messages go to a single place for easy surveillance (connection time, location/IP, social network analysis and profiling, etc).

Harder to monitor 100000 small Nextcloud servers or Element/matrix instances - or better yet Simplex. Or Jitsi for video calls. So many servers out there to make surveillance of all more difficult.

Omission of this is a flaw of the guide and makes it lose credibility in my view.

2 Likes

My 2c, self-hosting is the ideal in theory, but in practice the added complexity and the added responsibility for you as the end-user-turned-admin-and-security-team is enough that in practice, self-hosting can introduce more risk than it eliminates for the vast majority of users, and even for users who do have the knowledge and experience to self-host, you also have to consider whether you have the self-discipline, interest, and time. The tradeoff in my eyes with self hosting is you get control and strong privacy by default, but you also have a lot more responsibility and work, and exponentially more chances to make a mistake or screw something up.

But of course, it really depends what type of services we are talking about, and whether they will be restricted to the local network only, partially opened to the internet in a very restricted way, or if you’ll be hosting services that are accessible from the internet.

With self hosting it is also absolutely monumentally critical you think through backups and redundancy (and in some cases the consequences of downtime).

3 Likes

Is there any good solution for self-hosting not at home, but at some other hoster? Because the issue is that that hoster can access your data. Even if you use full-disk encryption, the key is in the RAM and most people use virtual private servers (VPS) which makes it even more trivial.

I read something about combining two hosters, where one server is used for storage with full-disk encryption, and the other server is used as the brain that remotely mounts the first server’s storage and runs the applications, so that the data and the decryption key for the data are on two different servers at two different hosters. Ideally using two different jurisdictions (e.g. one server in the US and the other one in Hong Kong) and paying anonymously with Monero.

Not sure if that would actually work though to have some kind of “end-to-end encrypted” VPS.

Not really. If that is a concern for you, you really should be physically owning your hardware.

2 Likes

That is a rather common setup in some contexts (it’s common with Nextcloud for example) but my understanding is that the primary security benefit to this is protecting the data on the storage server, it doesn’t solve the problem of still needing to trust the server used to host your services (the ‘brain’) and that hosting provider.

This approach does improve security, but doesn’t/can’t fully eliminate trust in 3rd parties (hosting provider and whoever else might have or gain access to their servers) so it falls short of actual self-hosting or choosing from the PG recommendations.

This Nextcloud doc goes into more detail.

Yes, the problem of self hosting is in practice. However, depending on one’s usage, Cloudflare Tunnel could minimize the complexity significantly. It’s also open source, as part of the Cloudflare Zero Trust.

But in the end, with this method, all the traffic would be on Cloudflare servers. I am not sure about privacy aspects there. Also, they can ban you for various reasons. I am not sure whether this old bandwidth restriction still exists, as I can’t find it in the latest service terms.

Other than the tunneling, one would need to maintain their servers constantly, e.g. server update, electricity, hardware maintenance, backup, etc.