My personal opinion is that Privacy Guides exists to provide information and advice about software which both improves privacy and security. Security does intersect with privacy (you can’t have something private if it isn’t secure).
To evaluate these things I believe we must:
- Learn how it works and evaluate privacy benefits. This could take form in:
- Looking for external audits
- Looking at the whitepaper and learning how the technology works
- Contacting developers for comment
- Verifying aspects of source
- Provide a user experience that we can actually stand by:
- Does the product reach a certain maturity/stability/quality?
- Would we consider using it ourselves?
- Provide feedback on how it may be improved (if possible)
- Create criteria where possible to compare to other products and tools that have a similar usecase
I think as far as target audience goes, anyone who is interested in improving their privacy. This is why recommendations have to actually be usable. While certain manual approaches like PGP encrypting all messages on an airgapped computer might provide maximum security, they come at a massive user experience disadvantage. Not everyone is trying to be the next Edward Snowden. I think if you are, you need specialized advice for your particular situation.
That is where I disagree with PrivacyTools and all its rhetoric about, “eyes”, “NSA” and state adversaries. It’s not that those things aren’t important, it’s that simply recommending a bunch of tools (that you don’t use or know anything about) isn’t sufficient. Every time I look at that page and see the quotes in between each recommendation I cringe a little. Recommending Binance against the NSA, come on. Governments love cryptocurrency, well all of them except certain privacy coins. What auditor wouldn’t love having a public ledger of all transactions. Binance is known to bend over backwards for any law enforcement (even ones in dodgy countries), because they’re trying to legitimize their business, but anyway I digress…
I believe we should keep our tone and recommendations politically and geographically neutral. That means advising users to assess their own threat model, based on location, needs etc. The “eyes” agreement is not the only intelligence gathering agreement out there, and depending on where an individual lives it actually might be of minimal importance. For example if you were living in a dictatorship your local state is likely to be a much higher priority on your list than a distant country who passively observes.
Our recommendations must be based on merit. We don’t need to be involved in every social issue that exists. There are many problems in the world and trying to address all of them is never going to be sufficient. It is going to cause us to stray from our mission and that will compromise our integrity. We need to remember people come to the website to find out how to best protect their privacy.
On that note I also don’t believe the site should be providing irrational advice against every product from “big tech”. The fact is software costs money to create. A lot of the best and most complex open source products out there are backed with some commercial for profit model. A lot of companies start out small and then grow to either be larger or acquired by bigger companies and that doesn’t mean we should suddenly drop them as if they have done something wrong. It is worth continuing to evaluate if they change and how.
Many open source products in fact use components created by large tech companies like Google and Microsoft. Those companies now release a huge amount of those components to open source (Go, .NET, AOSP etc), because community maintenance is an invaluable asset that saves them money long term.
We want to eventually translate the website to other languages therefore social or political issues that are of concern to someone in one country might not be of concern to someone in another. We want to expand our blogging/news so that we’re actually writing content about privacy and how it impacts various parts of the world.
Before we do that though, we need to clean up the site, remove some of the bad or outdated legacy advice. Long term we want to incorporate a 501(c)(3) and further decentralize ownership over key assets.