Who Is Privacy Guides For?

This might seem like an obvious or even inane question, but I think it’s actually at the heart of a lot of our discussions.

Bear with me! Here’s my case:

Privacy Guides is a respected and fairly extensive resource. While the homepage’s introduction is friendly and simple enough for your everyday internet user—linked by a friend or blog, let’s say—we have articles on everything from web browser and search engine recommendations to AOSP derivatives and release-cycle evaluations. I think that’s great. :tada:

Regardless of whether you agree with a particular decision, I think it’s also clear that the team is selective and thorough about recommendations. Further, our community is great at exchanging ideas, making arguments, and sourcing new suggestions. My aim is to streamline those efforts.


We all know that threat modelling is necessary to make any meaningful improvements to digital privacy and security (you’ve read the article, right?). Somewhat parallel, I think that understanding who our knowledge base and recommendations are intended for is essential to productive discussion.

I often link to the Writing Style guide for the simple reason that Privacy Guides is a predominantly written resource. Currently,

Privacy Guides’ intended audience is primarily average, technology using adults. Don’t dumb down content as if you are addressing a middle-school class, but don’t overuse complicated terminology about concepts average computer users wouldn’t be familiar with.

Now, I think that the topic and little details of how content is organized and explained on the website is an ever-evolving and important discussion (and I have some fun information-taxonomy ideas of my own), but this topic is about who Privacy Guides is for. For me, some questions come to mind:

  1. Who is reading Privacy Guides?
  2. Who do we want to be reading Privacy Guides?
  3. What can we expect of those people?

In the same way as identifying threats to important information and implementing the most appropriate means of mitigation, identifying target audience is necessary to make productive evaluations. Obviously, the whole point is that threat modelling exists, and that advice will therefore always differ.

However, in the context of a project with a specific scope, that is beside the point: if someone wants to improve their security and they ignore Windows updates (e.g. because they’re annoying, by default), then you point them to something on the importance of software updates. Likewise, if someone’s having trouble with configuring Nginx for the first time, you point them to the relevant documentation or a helpful guide.

Threat modelling, naturally, will always apply. However, for the purposes of evaluation, it can be helpful to identify target audiences.

With target audiences in mind, we can do a lot of the heavy lifting: extrapolating a likely threat model and determining appropriate mitigations. To that end, target audiences might be people who

  • freak out at pop-ups;
  • know how to access a settings menu and mostly use social media;
  • or are the family “tech support” and like customizing their web browser;

Or, they might be people who

  • prefer free and/or open source software—maybe they use a Linux distribution;
  • prefer privacy-respecting alternatives to popular tools, and advocate for the right to privacy;
  • are familiar with self-hosting, system administration, etc.;
  • or are anything beyond: security professionals, researchers, etc.

One of the brilliant advantages of having such an extensive range of information (as I outlined), is that there’s room to consider more than one target audience (and it already happens frequently)! For example, things like native tools and automatic updates are often preferable because they address the likely threat models of a greater number of people, but stringent analysis of encryption design or trust extension can be life-saving for a journalist or activist in a dangerous situation—and there aren’t many approachable public resources with that information.


Now, finally, I will reiterate: rather than re-envision the project, the goal of this discussion is to be able to develop ideas about our target audiences to help focus evaluative discussions.

So, who is Privacy Guides for? :smile:

7 Likes

Privacy Guides’ intended audience is primarily average, technology using adults.

This is an extremely broad demographic, and I don’t know if this is the best approach, but the current approach (FMPOV) has just been to post as much accurate information as possible to the website, and leave it up to the reader to determine whether the information is relevant to them.

Thus, these are not hard rules and recommendations you must follow, rather the whole site gives the reader a background understanding of privacy and knowledge about commonly used tools and techniques.

I am not sure we can make any assumptions about how our readers are using our advice, how much their own technology use aligns with our recommendations, or even whether they find the website useful at all, because these are things they can only determine for themselves once they have read through the site already.

1 Like

but the current approach (FMPOV) has just been to post as much accurate information as possible to the website…

Honestly, I think that’s a really good way of doing things, because it definitely does achieve the result you mention: providing a wealth of current educational information.

because these are things they can only determine for themselves once they have read through the site already.

That’s a great point, and perhaps those questions require way too many assumptions to be able to answer well. To be honest, the concept of this thread might be click-baiting a little bit: I’m not sure that arriving at a conclusion (“Privacy Guides is for these particular people”) is very useful, since the nature of the topic is that the right to privacy is inherent to everyone. :smile:

Maybe it’s better to look through the telescope the other way around: when we evaluate a tool, whose threat models might it stand to benefit most?

There doesn’t even need to be a preference, like “it’s better to help people with x level of experience”, but I think that the actual exercise of brainstorming different levels of computing experience can be a helpful way to create lenses that reduce some of the murkiness.

1 Like

What murkiness are you perceiving when it comes to evaluating things, is this in response to a specific issue?

While we don’t really consider which threat models a tool/recommendation might be most helpful against, we do impose minimum standards for our recommendations, although these are not always clearly defined. For example, in the Librewolf thread I identified the trade-off between Librewolf and Arkenfox+Firefox, namely:

In this case we are not really making a determination about who Firefox+Arkenfox or even Librewolf might be for, but we have imposed a minimum requirement for our browser recommendations to have automatic and timely (security) updates, and our opinion is that this is an important feature to have regardless of threat model (thus determining threat models for either of these products does not seem very relevant to the decision to make this recommendation).

One problem in this regard is that the minimum standards are for the most part not clearly defined, although notably we do have them posted for our VPN and Email provider recommendations. I believe the stated intent from our team is to have similar criteria for all categories, however it is difficult to encompass every edge case, so most of these standards are being developed on the fly with common consensus rather than any sort of written policy. Should this be changed to hard, universally applicable criteria? Is there a way to quantify what should and should not be recommended on the site at all? I’m not sure what the answers to these questions would be.

1 Like

Honestly, I think that the translator is not helping me to understand 100% the topic exposed in the thread, but as I have understood, we are talking, in short, about how the vocabulary, recommendations and, in general, PrivacyGuides should be structured, depending on its target audience, or if it should be globalized to reach new audiences, right?

I personally believe that PrivacyGuides already does very well (even too well in some cases) its job of promoting knowledge about online privacy and security and the tools to achieve it.
Personally, I would like that, since this site (as Kai rightly points out) is a wonderful site to, in my words, promote the critical spirit and the technical-practical knowledge of everything concerning privacy and security, I think it would be very convenient for the target and non-target reader to include more information that could indirectly affect the central premises that PrivacyGuides efficiently deals with. That is why one of the threads I opened in the forum was dedicated to readings of evident political accent, and that is why I plan, once I have time and I can gather the appropriate information (with sources and others) to open a thread on a comparison of the various political and legislative models currently existing in the international diversity in which the interested reader can check with data and facts which administrative models (and as a result praxeologic, which ideas and legislations) favor more in a direct or indirect way to promote or to oppose the informatic freedom and privacy of the users. WARNING, I am not trying to say that the web should be politicized or ideologized at all, I just think it is convenient to extend the critical spirit that the forum already has about online privacy to other fields that may indirectly affect that previous central premise (very clear examples of what I am trying to talk about here could be, for example, the legislations that directly affect cloud services and VPNs, the whole issue of privacy policies that sadly almost nobody reads, the stories and investigations about organizations that have firmly attacked online privacy such as the various projects and agencies that Edward Snowden revealed at the time…, I do not know if the forum already has about online privacy to other fields that may indirectly affect that previous central premise. …), I don’t know if I have explained myself correctly at this point, but well, it’s just a proposal.

Something simpler to understand, for example, could be, as an idea, to create a reduced list of tools to recommend in a simpler way, something like what PrivacyTools does (which it does badly, but I only refer to the type of list) with its “Best Privacy Software & Services in 2022 - Top 10 Picks”. I don’t mean a ranking, but rather a reduced list of what, in your opinion, would be the basic privacy tools that you would recommend to a potentially uninformed user, out of the many tools mentioned in PrivacyGuides. I will give an example to make myself understood: A few days ago a friend of mine, after he found out on his own about Edward Snowden’s leaks, contacted me so that, if possible, I could recommend him some software to improve his privacy. I, at first, redirected him here, to PrivacyGuides, but a while later he contacted me again because he didn’t know very well what to choose from all the things that appear in the list and in short he was a bit lost, and it makes sense, because he doesn’t have much idea about privacy and online security, nor knows many basic things that we almost take for granted or obvious. So what I did was, among all the tools in PrivacyGuides, I recommended him the ones that in my opinion were the best suited to him (to the profile of an uninformed user), (my recommendations were Brave and Brave Search, Proton suite, Bitwarden, uBlock Origin and I also mentioned Cryptee).

What I want to get to is that, in essence, I like PrivacyGuides very much as it is technical and specific, and always moving within its code of conduct and model of recommendations, always promotes to a greater or lesser extent the critical spirit and the certainty of information, and therefore I think it would be good to increase / globalize even more the spectrum of ideas and concepts that are handled, both in more complex planes (privacy policies, legislation and other issues discussed in the first part of my comment) as well as in simpler levels (to facilitate the language or the entry even more to potential uninformed users who enter the website and that for various reasons do not know or can not devote enough time to generate a critical and informed spirit as we have, as I have exposed in the second part of my comment). I hope I have contributed correctly and fruitfully with my comment. Best regards.

1 Like

By the way, if there is something that is repeated or badly translated, my apologies, I insist, lately the translators are trolling me and many times or I write too much or because of my poor level of English I miss some mistake (here you have an example of it).

My problem with this is that I see the way PrivacyTools promotes things as fundamentally flawed. It does not seem particularly useful to me to simply list tools like a checklist you can check off to suddenly and magically “be private.” If you just want to find new tools you could browse awesome lists and call it a day. The tools you will want to use will differ from the next person, so making a reduced list for everyone isn’t possible.

In essence, you’re doing the research for him. This is fine, but we are not building a resource for people like your friend who are not interested in educating themselves on privacy tools and fundamentals, we are building a resource for people like you who are interested in learning about privacy and maybe even sharing it with others.

I didn’t mean that either, and obviously you don’t achieve perfect and absolute privacy by magically using x tools. I always say “online privacy is, above all, a matter of information and attitude”. I just think it would be convenient to facilitate the entrance to a more private digital life by creating a simpler and easier to swallow method for those who, I insist, may not inform themselves not because they don’t want to but because they can’t (because let’s be honest, acquiring information requires time, and nowadays many people don’t have enough of it). To distance ourselves from my mention of the list, for example, I can think of creating some kind of introductory test based on choices. For example, person x accesses the test, and one question is: what web browser do you normally use? and depending on his decision (if he chooses one based on chromium or firefox), the corresponding recommendation is close to his choice (if he chooses chrome, Brave is recommended, if he chooses firefox, Tor or Firefox with Arkenfox is recommended), I don’t know if I understand what I mean. In any case, it is a proposal, I insist, somewhat silly seen from our point of view, but that surely an uninformed user I think would appreciate. Of course, it should be made clear to him that this test will only help him to be “somewhat more private”, but that if he really wants to go into privacy, he should also go into privacy and venture to learn within PrivacyGuides, the new does not replace the existing, I mean. Anyway, it was just a proposal, and I understand that you may not find it interesting, but well, at least I thought it was a good idea. Best regards.

PS: I have already seen that you have removed the PrivacyTools link, and rethinking it, it makes sense. Sorry for linking it, it won’t happen again.

1 Like

An interactive starting point is something that’s been considered and brought up before, but nobody’s really stepped up as far as actually creating such a thing. If someone with the development skills to create something like this wanted to contribute, we’d be happy to come up with a guide/flowchart/content for such a questionnaire, but I don’t have the time to build it.

Sincerely, I would be delighted to be able to collaborate at such a level with you, but I don’t have the technical or practical knowledge to do so (I have just entered the multiplatform application development degree and we have barely given the Java syntax). If by the time I have finished my studies or have acquired that knowledge, this interactive media has not yet been created, I promise to create it for you, but until then, I can not do much more :sweat_smile:.

3 Likes

What murkiness are you perceiving when it comes to evaluating things, is this in response to a specific issue?

By the “murkiness” of evaluation, I just mean that evaluating tools can—of course—be complex and difficult; I think that the current on-the-fly consensus approach actually works really well, since it’s targeted enough that consensus can be reached (viz. the countless recommendations already on the website), but flexible enough that edge case suggestions are still worth making.

In the case of the LibreWolf discussion, I agree: I think the minimum requirements work well, since they already act as a kind of litmus test to rule-out the suggestion. :+1:

To try and tl;dr what I was really aiming for with the whole “develop[ing] ideas about our target audiences”, I’m really just spelling-out something that’s implicit in the already effective process because I think it can be a helpful discussion tool.

To clarify further, I think that my original post had a few implicit conclusions:

  1. The scope of Privacy Guides should be clearly identified.
  2. Identifying target audiences is necessary for progressing evaluative discussions.
  3. Identifying target audiences is sufficient for progressing evaluative discussions.

I hopefully made it clear that I wasn’t aiming for (1), since, personally, I don’t think there’s anything wrong with the existing scope (i.e. whoever it might benefit).

I don’t think I was clear about the difference between (2) and (3), though. I think that your example is a great illustration of why (2) isn’t true: often, the minimum requirements are sufficient to make a decision. Different target audiences are already implicit when we identify use cases and different threat models, and, while making them well-defined has the advantage of ensuring a consistent standard, I’m not sure that that’s really an issue for the project (which tends to be consistently selective).

(3) is what I was really after (it took me a while to get here, though :laughing:). I think that questions like “Who Is Privacy Guides For?”, “whose threat models might [a tool] stand to benefit most?”, and “how many levels of computing experience can I identify?” are just helpful to think about when it comes to navigating the complex task of evaluation.

1 Like

I wrote about this on Nov 24, 2021 discussion 361 a while ago so I’ll paste here:

2 Likes

Hopefully my reply to Jonah helps to clarify my very wordy original post!

I do not know if the forum already has about online privacy to other fields that may indirectly affect that previous central premise. …), I don’t know if I have explained myself correctly at this point, but well, it’s just a proposal.

Obviously, it depends on how the moderators feel about maintaining a targeted discussion about the effect that things like legislature and wider social issues have on privacy, but I think that would be an interesting topic!

I think it would be good to increase… the spectrum of ideas and concepts that are handled… both in more complex planes… as well as in simpler levels…

If someone with the development skills to create something like this wanted to contribute, we’d be happy to come up with a guide/flowchart/content for such a questionnaire, but I don’t have the time to build it.

This kind of thing sounds really useful and—especially in light of this discussion (so far)—like something that could help to maintain the existing scope and spirit of Privacy Guides without requiring us to spend too much time on deciding whether to do guesswork about readers, make rigid criteria that goes beyond minimum requirements, and so on!

I briefly mentioned that “I have some fun information-taxonomy ideas of my own”, and they’re on exactly these kinds of lines. An interactive quiz (etc.) would be really cool, but I don’t think it even needs to go that far: the information on Privacy Guides is already fantastic, and I think some writing UX and organization could help make the reader experience a bit more accessible. :smile:

Things like the admonitions and cards are already making strides, in my opinion.

If it’s something the team and community would be interested in, I’d happily put together a little overview of my ideas (like a diagram, or something), because I’d love to work on it!

2 Likes

Sure we’re always happy to have people contribute, that’s what makes the site a community site :+1:

3 Likes

I find it hard to recommend PG to someone as an introduction, and there are better resources when it comes to this imo.

Maybe it is because of the lack of diagrams, unnecessary jargon, everything is crammed, or maybe because PG is trying to cover too much. (I’m not an expert, just what I feel.)

However, the guides about passwords and 2FA are very easy to understand for me.

So is Privacy Guides for those who already have a good understanding of privacy, and less of an introduction? (I’m pretty sure the answer is here somewhere in one of the posts, but I don’t feel like reading.)

I think we’re doing some improvements here.

We do have guides under The Basics section, while there are more advanced guides under Advanced.

The intention is that the basics guides are easy enough for anyone to understand, while the advanced guides offer something to strive towards in a privacy journey.

Yes, however I still find the email (still no idea what PGP is), Tor (decentralised?), VPN (TCP, SSL strip???) guides are unnecessary in the basics section. Also, the sectioning is confusing. Like why is there an Android, Linux and real-time communication there? Shouldn’t they have like a basics and advanced level?

I think the threat modelling guide needs to be more focused and emphasised as it is the most important part when it comes to privacy. I feel like it doesn’t really answer why I want a threat model and the purpose of it, also the importance of it.

Also, privacy misconceptions should have its own section. It shouldn’t be hidden inside the common threats (I don’t see the connection to it).

So I think there should be more focus on improvement on this side. I feel like the privacy community (from what I’ve seen of discussion about privacy) is more focused on tools, which should be the last thing to consider.

This is just my opinion btw and sorry for going off topic. Ultimately, it comes to the aim (educating about privacy?) and audience (people who are interested in privacy) of PG.

I think some of these things actually require a bit of elaboration, having looked at those pages just now. Regarding SSL Strip specifically, we could just say something which doesn’t reference a specific product.

Indeed, and I think this would be of benefit, to help readers understand what is important to them.

I actually think that would be very beneficial. Originally it is what I had in mind.

Definitely, which is why we expanded the site to not just be a “recommended tools” site after the migration/rebrand.

1 Like

Also regarding threat modelling, I found this article (opsec101.org) which does a good job of explaining threat modelling and is engaging (at least for noobs like me) compared to the guide on PG. Maybe it was because of the pictures and diagrams.

:link: Food for thought: Some guides recommend taking a “best practices” approach to security, such as recommending everyone use a VPN, password managers, etc. This “best practices” fallacy is a countermeasure-first approach based on the study of successes, rather than failures, and as such is an insufficient starting point when assessing any highly-individual and dynamic topic such as security or privacy.

In reality, while the countermeasures recommended might end up working for some of the people, some of the time, that merely indicates the threat model for those people happens to be similar at the moment, but it doesn’t teach why, nor is it adaptable for when it’s not similar. This is why rather than making assumptions based on the “best practices” fallacy, Opsec seeks to understand the rationale to make reproducible judgments in dynamic situations, to educate oneself through practice to the point of not needing any guides.

credit: http://opsec101.org/

Also, would like to consider out this. I don’t think PG does “best practices” and like how PG leaves things to the reader to decide. I think PG is not doing best. I’m pretty sure most of the people in here don’t have a clear threat model. Instead, they just install a custom OS on Android and switch to ProtonMail just because it is “recommended”. I believe PG should address this clearly.

For an advanced guide PG does a good job, however PG is often recommended in places like r/privacy “beginners Resource Guide” or a “quickstart to privacy”.