It seems from recent discussions (and I’m sure not-so-recent discussions I’m not aware of) that most clashes over tool recommendations come from people arguing from different threat-models. The hardliner who can only accept the highest security standards, the casual user who wants improved privacy and security but needs day-to-day conveniences, etc.
I wonder whether it would make sense to have a system of tiered recommendations; maybe have 2/3 archetypical threat models (?), and that the requirements are defined for each. That way, it would be obvious to users when it’s a super safe option or whether it’s “the best there is, but is somewhat insecure/non-private”.
That way, if there aren’t any top-security options at the time of writing, it can be recommended, but with a say , which makes the user aware that there are things we would have liked better; it means “suitable if your threat model approximates this one”.
I know that everyone needs to figure out their own threat model and make decisions based on that. But I could see how this type of system would make it easier and more transparent for users who don’t necessarily have the time to dig through forums and PRs to see how the decision was made and why a certain set of requirements were agreed upon.
Just my 5 cents. Thanks by the way for all the work y’all do in curating all of this, I use PG all the time and recommend friends and family to do so too. tips hat
The problem with this is that you cannot always count on people to properly appreciate this nuance. Any recommendation made by Privacy Guides, even with a warning attached is at the end of the day still a recommendation. Personally I prefer the current approach where the products and services must meet Privacy Guides standards, not an approach where Privacy Guides conforms its standards to the lowest common denominator simply for the sake of having a recommendation to make. This is what differentiates Privacy Guides from other, less reputable sites.
This already exists to the extent that there are both minimum requirements and best-case requirements. Perhaps it could be made more clear which products / services (if any) meet the best-case requirements. I think you can see this as being roughly equivalent to the (minimum) and (best-case) without including sub-par recommendations.
I think that makes complete sense, thanks for the reply!
I think for example of Android OS’es. I think everyone agrees that GrapheneOS on a Pixel seems to be the most secure, and for people with a need for high security; it is thus the only one currently recommended by PG. That of course leaves lots of people with not alternative if they do not have a need for maximum security and want/can invest in a Pixel (I’m on iOS myself, have no stakes, just trying to use a common example).
Similarly now that we’re making recommendations for maps, everyone seems to be able to agree that OrganicMaps and OSM should be recommended. But that on-going discussion quite well reflects that the recommendations are of course made with utility in mind; alternative apps are being considered, and the criteria are also taking into account the convenience needs users might have (such as real-time traffic updates). If convenience affects the criteria, then we are no longer selecting based on what is required for a maps application to be of high enough standard, but rather whether it is of high enough standard whilst meeting convenience standards. I don’t personally have a problem with that, but it examplifies that the criteria then differs in their strength across recommendation categories. Here I see the tiered system as an alternative solution where GrapheneOS on Pixel is an obvious , OrganicMaps may also be whilst e.g. Here WeGo might be .
Again, I’m not saying this app or that app should have this or that designation, there are many of you much more competent than me who should decide that. All I’m saying is that it seems strange that the minimum criteria are not necessarily that, minimum criteria depending on availability and trade-offs and that’s confusing as a casual user who cares. .
Then that’s great - I hadn’t come across that yet! Just found it for Desktop Browsers, but it’s not there for others (e.g. Android Alternatives). However, although these two tiers or criteria are present on the page, it’s not clear which of the recommendations fulfil which set of criteria.
And I think some simple symbols (like the Threat designations and the above ones) would be super helpful in quite figuring out whether a recommendation is minimum or best-case.
You seem to be using to represent the most private, secure, and extreme recommendations while is somewhere in-between and is the most user-friendly but perhaps the least private. I will therefore use this scheme from here on out.
I actually disagree here. I believe that a low standard in the industry has led people to believe that the average Android device is perfectly acceptable for a normal person. The reality is that these devices are chronically insecure and unacceptable intrustive. The only way that bar gets moved is being tough from the get go, even at the cost of only recommendation being out of reach for some people. GrapheneOS is a reasonably secure operating system and is extremely user friendly, I would encourage absolutely everyone to use it regardless of any specific threat-model. The only exception I would make here is iOS for those whose threat-model precludes first-party privacy concerns from Apple.
I still think that will end up being a bit of a misleading simplification in the best case. Take the single-axis political spectrum with the left and the right; it attempts to represent something extremely complex on a single axis, which in practice is quite inaccurate and very situational. I think the same problem would arise with a traffic light model. Take this example, imagine a user coming from Apple Maps on iOS for whom convenience is a maximum priority. Firstly, this user subscribes to Privacy Guides, so they are looking for privacy-friendly tools with an understanding that security plays a part in privacy. This user may look at the model and be extremely confused in their use case. All are recommended by Privacy Guides, so all are suitable, right? Say this user settles on or even because they want maximum convenience while maintaining acceptable privacy. Unfortunately, very few factors considered in this traffic light apply to our hypothetical user. They may bike to work every day, so traffic features are irrelevant for them. So while Organic Maps was given a for being a high-quality, secure application lacking traffic update capabilities, it is still the most suitable option since it is much more user-friendly than OSMAnd while having all the necessary features.
I therefore believe that the current baseline requirement with higher requirements for developers to strive for and users to seek is a good compromise. It allows developers to implement some but perhaps not all of the best-case features, which ultimately benefits the user much more than nothing without punishing an app for not implementing functionality (like traffic updates) which is difficult to implement privately and would have questionable accuracy with a small pool of users.
I absolutely agree. For instance, 1Password is currently still a recommendation despite some users campaigning for its removal. Regardless, it seems clear that although it remains an acceptable option for current users, it may not be ideal for new users. So yeah, I agree that to some extent ‘better’ options in categories should be clearly favoured over inferior recommendations.
First of all, I’m really this good faith conversation
I think we more or less agree, my exemplification is just poor (and I didn’t really mean to start discussions about specific requirements). It seems that with Best Case and Minimal Requirements, a version of this has already been implemented, just not across the board and without being actively used on the pages.
I never meant lowering the minimum requirements, but rather that even when minimum requirements are met there is often a selection to choose from that offer trade-offs, and this would be a way of making that clear.
Once I saw your use of , I like that better actually ( best case, minimal reqs).
What I don’t know about is if we have to options, one is a best case () and one meets minimum requirements (), but the latter doesn’t offer any additional functionality - should it get recommended? Or should “minimal requirements” options add extra functionality/convenience to be considered?
This is never going to work as more privacy does not equal less usability per se. There is also a lot of bad advice that people give on very complex setups and “self” hosting.
In my eyes we should only recommend tools that can be utilized by basically anyone, unless specifically mentioned. And I feel have been moving towards that more and more. This is also becoming easier to do as the available tools have matured.
Also threat models are far more broad and specify and cannot be classified in 3 colours.
I completely agree. People with higher threat models also should be more like power users/ supported by power users. Otherwise, it will cause them to make mistakes. Threat models are not wishful thinking like I want a high threat model and want to self host everything.
A higher threat model means you need more resources, eg investment in hardware and software, and technical support. (For instance, a journalist or whistleblower)
PG also has a bare minimum criteria and should not lower it. There are tons of websites offering apps. However in PG, by reading the criteria, everyone can make informed decisions. You just need to look at the app you want to use and criteria that PG use to suggest apps.
Completely agree, and I do think that where the most private option is also the easiest to use, it’s a clear-cut case. I think already from this discussion, I think I’ve pivot’ed to:
Can we make it more visible which suggestions meet minimum requirements and which meet best case requirements?
?), and that the requirements are defined for each. That way, it would be obvious to users when it’s a super safe option or whether it’s “the best there is, but is somewhat insecure/non-private”.
.
