I’ve often shared Privacy Guides around to lots of people but found that it is lacking something I believe to be crucial, that being the reasoning behind why people should switch from what they currently use to what PG recommends. For example when looking through the recommended mobile operating systems I can see that PG recommends GrapheneOS and DivestOS, but it doesn’t look like it goes into any detail as to why I should avoid iOS or (default) Android in the first place. I found this to be the case with most (if not all) categories on Privacy Guides.
I’ve had some people come back to me after reading the PG site and not being very convinced as to why they should switch to alternatives when they don’t see what’s wrong with what they already use. Then I’m left trying to collect a bunch of sources and present an argument by myself just for one person to see the issues with what they currently use and why they should consider using a better alternative, but because I’m limited in time, energy, and knowledge I am sometimes not able to make a strong enough case and ultimately they don’t consider making any changes. I think it’s crucial that we share the reasons as to why people should avoid the privacy-invasive software/services most of them are using now in addition to recommending alternatives. I recall back when PG was PTIO, it included examples of what not to use. For example under the desktop operating systems category it mentioned that you should avoid Windows. I think we should bring that back but also include the reasoning (backed by sources) as to why people should avoid X (Windows, macOS, ChromeOS, etc) and switch to Z (QubesOS, GNU/Linux).
This discussion is usually in our discussion forum, or on GitHub.
We don’t litter the site with every anti-recommendation, otherwise the whole site would become just that, and it would be painful to maintain as there are a lot of things the team purposely does not use.
We are actually going to be writing a blog post about this change soon.
Essentially, evergreen content such as the Knowledge Base and Recommendations will remain on the site, while content that is likely to “age” and lose relevance will be on the blog. Of course, that doesn’t mean blog articles can’t be updated.
We do within the knowledge base link to specific blog articles, and those can be sorted by category.
Thank you for your clarification.
How do you address changes in recommendations (like with Brave in the past)? Especially without any guide on how to choose the right tool in a world where we have so many tools focused on privacy.
I’ve had some people come back to me after reading the PG site and not being very convinced as to why they should switch to alternatives when they don’t see what’s wrong with what they already use.
It is no surprise that the average person has no interest in PG. Again, what is the target audience about? Is it for the average person? A technically proficient person?
A mixture, as those who are technically proficient don’t often know about privacy; likewise, those who are not technically proficient may need extra help to get up to speed.
The site does not target any specific segment. The intention of the site is to be a filter of all the “privacy noise” that is out there, and provide meaningful things one can do. Just because it’s on the website doesn’t mean you must take all our advice.
We don’t jump on every shiny new bit of software released like some other privacy websites do because essentially everything needs to have time to build a reputation.
Yes. However, I’m asking from the perspective of an end user. For example, PG was recommending Bromite and then removed it. A risk may exist for someone who visited and installed Bromite because PG suggested it. This is not the person’s fault, as PG is intended to be a static site and they aren’t expected to visit the site every day to check for changes.
I think this should be stated clearly on the site as a disclaimer. The fact that recommendations are the most visited page makes this a big issue. This is also sending the wrong message that such tools are needed in order to be private (which is wrong, as privacy isn’t about the tools you use or the software you download), especially when it is recommended as a beginner-to-privacy resource in most places.
Because there have been several points in the past two years where it has fallen way, way behind in updates for periods of weeks or even months. IIRC it only has a single maintainer.
Here is the PR where Bromite got removed. Essentially it kept falling behind on updates. It’s a great project but we don’t want to recommend software that isn’t getting proper update support, especially something as important as a browser.
What are your thoughts on the overall purpose of the recommendations page?
Both EFF and Opsec critique the use of products solely on the focus that it will make you secure.
EFF
The first thing to remember before changing the software you use or buying new tools is that no tool or piece of software will give you absolute protection from surveillance in all circumstances.
Opsec101
Some guides recommend taking a “best practices” approach to security, such as recommending everyone use a VPN, password managers, etc. This “best practices” fallacy is a countermeasure-first approach based on the study of successes, rather than failures, and as such is an insufficient starting point when assessing any highly-individual and dynamic topic such as security or privacy.
I am not saying that PG is misleading readers. However, I think PG should do a much better job at emphasising the importance of threat modelling and making it clear that the recommendations page is not a foolproof list (as privacy tools is the most visited page on PG).
The reason is because it does have some privacy-related features tied up with the Brave Shields. The other main reason is it is always up to date with upstream, so for a Chromium-based browser, it’s probably as good as you’re going to get for now.