Contact me for feedback or questions! I reply to everyone.
"Beware of false prophets, which come to you in sheep’s clothing, but inwardly they are ravening wolves."
Invented in 2009, this browser header tells websites you visit that you do not want to be tracked. 9 years and thousands of articles and discussions about DNT later, and there is still not even a standard for what "tracking" exactly is it supposed to prevent - even though they promised to create one long ago. Needless to say, websites can interpret DNT however they want, or even ignore it altogether. How much effort has been wasted on this dud - effort that could have been spent on creating and improving browser extensions that actually protect you from tracking. DNT, on the other hand, just gives the illusion of privacy to unsuspecting users - which is worse than doing nothing at all. Let's be real here - cooperating with trackers could have never worked anyway - since they don't care about playing fair.
If you've spent any time on the Internet at all, you've surely seen some obnoxious cookie notices, such as:
In 2011, the European Union has created a law which requires websites to inform visitors about the kind of data that will be stored on their computers, its purpose, as well as the need
to get consent from users before storing anything. There were also guidelines for the duration of the cookie's existence. Anyway, a report (archive) has shown that most websites do not follow all the requirements properly. Even if they did, the people who would benefit from this information won't
understand it and will click through it instead; while the aware ones have already blocked the cookies - but will still be bothered by the obnoxious notices. It should also be mentioned that
the most important tracking cookies - the social network ones - are exempt from the law! So you can still be tracked by Facebook and friends; talk about a wasted opportunity.
Almost every browser has this under different names. Let's be clear here - this does nothing whatsoever to protect you from nosy ISPs or trackers; and, while most browsers do admit that - some, like Waterfox, have tried to ride the wave of confusion to pretend that their improved private browsing (archive) does something more. A report has shown (archive) that many people do in fact believe that this mode guards them from online spying; as far as I'm concerned, browsers should remove this if they want to stay honest - or at least change its name. UPDATE: Pale Moon kind of averts this with the Proxy Privacy Ruler addon.
YouTube frontends. Hooktube used to claim that they Keep your data private from the G
(...oogle) (see here) - at least before they were forced to use the YouTube API. However, they still connected to Google video servers, so the whole reason for their existence was a
fraud. Now, Invidious does the same thing but does not claim anything; regardless, they are not YouTube proxies. Note: Invidious does support youtube
proxying now (since I think February 2019?). UPDATE November 2020: Invidious lead dev left the
project (archive) and the other people don't appear to be doing much. Main
instance is gone and the others are hit and miss. Errors such as "Read timed out" are commonplace, channels and playlists don't work either and often you can't even play any video. Invidious,
also, still contains most of the bloat of YouTube. I recommend using youtube-dl (there's a crusade
against that, too) to download videos - with it, you can watch them as many times as you want, whenever you want - without ads or slowdown, google connections or any other connections. An
even better way is acz's aoydl, which is much simpler.
For the last few years, services which have traditionally been famous for their spying (such as Skype, Viber, or the Facebook operated WhatsApp (archive)) have been loudly announcing their support of "end-to-end" encryption - which should mean that only you and the person you are communicating with can see the content of your messages. However, it is still them generating the keys, and therefore relies on their trustworthiness. Many allegedly "private" E-mail providers also suffer from this flaw - read my report. The moral of the story - if you don't manage the encryption yourself, it's not truly end-to-end, and shouldn't be relied upon.
This is simply a huge slippery slope - first it was plugins, then addons, then browser settings kept getting dumped into about:config or the abyss. What's next - deciding what sites you can or
can't visit? Isn't Google SafeBrowsing just that? Maybe one day, they will block all "insecure" HTTP websites. Surely that's going too far - or is it? In fact, both Firefox (archive) and Chrome (archive) have been trying to get rid of HTTP for a long time.
Great, thanks Mozilla and Google for "protecting" me from all this malicious stuff - but who will protect me from you? That is the real question. Of course, people don't
realize there is an issue until something they use regularly breaks. The solution, of course, is to only use software that actually respects you instead of treating you like
a baby; security will always be the responsibility of the user - you cannot "protect" people from everything. Even if you could, it would not be desirable; there is always a
trade-off between security and functionality, and people should be able to choose at which point of the spectrum do they want to be.
An extension of the above; they are the truck through which undesirable changes get dumped onto unsuspecting users. UI modifications, configuration option removals, or the aforementioned blockages; regardless - auto-updates transfer control of the software from the users to developers. And there is no excuse to at least not ask the user before proceeding. The horror stories of updates breaking things are numerous - for example:
My Firefox was updated to it yesterday. It froze when I tried to use it and froze the computer to where I had to use the power button to get out of it. I tried Firefox in safe mode and it still froze. I see messages in Mozilla Zine saying the same thing.
I would appreciate very much if Firefox update informed me about changes it does to my settings in detail. I want to have the chance to not be surprised by a new default search engine or a disabled https feature for example.
and
I first noticed it when it first introduced the "do not track me" setting. I enabled that and the next time I checked, it was disabled.
Jern informed me that Firefox reset the block lists setting of the browser's Tracking Protection feature from strict to basic when the browser was updated to version 50 from Firefox 49.0.2. Basic protection is the recommended and default value of the setting. It does not block as many trackers as the strict blocking list.
and
Michel told me a week later that a recent Firefox update (to 50.0.1 or 50.0.2) did reset another preference. This time an URL string that Michel modified on Firefox's about:config page.
the most common complaints after updating to Windows 10 were software compatibility issues, such as programs not working properly, or at all (21 percent), followed by hardware problems, such as printers and speakers no longer working (16 percent). Members also struggled with issues such as email accounts no longer syncing and personal files being inadvertently deleted, said Which? "Some consumers suffered PC slowdown and, in some cases, members reported complete PC failure. Of those in the survey who experienced this, 46 percent said they had paid someone to fix it, at an average cost of £67 each," noted the consumer group.
Didn't know whether to put this here or in Principles of bad software design - but the alleged point of it is security, so it's here. How does this work? Briefly - certain sites, whenever a link is posted to them - will NOT let you go there directly but only through their special redirect. If this actually improved security I would just consider it as simple babying - similar to the auto-updates; but the reality is much more malicious as usual. Not only are the link filters annoying, but they make tracking easier by putting the website you're leaving to into the URL. Also, people can actually fucking see the link they're clicking on, so the security benefit is doubtful at best. Twitter goes even further and prevents users from knowing where they're going to - every web address is replaced by their t.co shortener. They even admit this is used for censorship (archive):
A link converted by Twitter’s link service is checked against a list of potentially dangerous sites.
Don't bother looking at those links, son - Mommy Twitter will protect you! But maybe they should first focus on their own security than that of others; Steam, for example, had a breach (archive) where
users were able to access other people’s game libraries, and were able to see sensitive information including names, home addresses, email addresses, purchase history, Paypal account information, and even partial credit card numbers.
Twitter had an even worse one (archive) where up to 250 000 accounts were compromised. As I said earlier - security should be the responsibility of the user; we're not babies and treating us like them always results in disaster.
Mozilla's allegedly private file upload service - analyzed in more detail here.
Mozilla's password storage service - analyzed in more detail here.
They've made many of these over the years - the most recent one as of writing is https://www.eff.org/wp/who-has-your-back-2019 (archive). Briefly, the report rates the big corpos' censorship policies, but the most important criteria - that is, how much they actually censor - is completely ignored. Instead, they focus on whether the censors graciously tell you that you've been suspended or that a government has requested a takedown. And so a known violator like youtube gets 4 fucking stars out of 6 - what a joke. They even got a point just for having an appeal system that doesn't even work. There is only one aim of these reports - to justify the big corpos so that naive / inexperienced people don't abandon their services which don't respect them.
A Mozilla-created (hey, a red flag already!) extension which - in Mozilla's words - helps you control more of your web activity from Facebook by isolating
your identity into a separate container
. There are several problems with this:
The same kind of logic applies to all other "container" extensions. Just learn uMatrix, my friends, and you will look down on pretender addons such as this one.
I really didn't want to do this, but some of those pretending to give advice and help people have no business doing so and need to be exposed. So let's get on with it:
The website equivalent of Mozilla - pretends to be your best friend but pushes you off a cliff when you're not looking. It's no wonder, then, that Firefox is
their primary recommendation for all operating systems. They call it privacy respecting
despite admitting that it needs a bunch of about:config modifications (archive) to even sniff that label. To add insult to the injury, they shill Firefox Send as the premier file sharing tool. As would be expected from Mozilla's fanboys, they've inherited some of their unethical behavior.
As an example - they've begun recommending StartPage again (archive), even
after it was acquired (archive) by a data collection company. What is damning is privacytools' rationale, which includes this gem of a quote:
I think, personally, Startpage (unlike some other companies) has been very forthcoming with the privacy community. Their response adds clarity to the situation and they are obviously now keeping track of this issue very closely.
The actual reality is: StartPage has hid the ownership change (archive) for almost a year and then held an AMA on reddit (archive) - which was nothing more than a PR piece to save face, instead of a way to clarify things. How the fuck do you twist that into being "forthcoming" with the privacy community? StartPage went into full damage control mode and yet the Privacy Fools accept that kind of behavior and want you to use their search engine as if nothing happened.
For a better example, their E-mail recommendation page (archive) is pretty much a shill
piece for Proton (one of the worst providers you could sign up for) that ignores all the issues. They make a big deal about their so-called zero
access encryption
while forgetting to tell you that Proton could easily store the plaintext E-mail earlier (and they've been compelled to do targeted surveillance many
times). The "E2E" encryption is an even more insidious fake, because the fucking private key is stored on
the server (archive)! Privacy Fools prop up Proton's onion domain even though it redirects to the clearnet, making it useless and malicious. How
can Privacy Fools justify calling any of this private or secure? One of their "contributors" (tya99) has also attacked Pale
Moon with a bunch of lies (that were even refuted by Tobin, one of the developers). Such
as:
A web browser is a highly complicated piece of software that requires quite a lot of resources to maintain. There is a high demand for 0days to be fixed promptly and this requires resources.
And yet, no actual evidence was given for Pale Moon being less secure than Firefox - just baseless assumptions.
I also think there's a lot of drama surrounding Waterfox/Palemoon. People being banned on the Palemoon forums pointing out faults with the project etc.
They link to a Hacker News post (archive) which talks about Twitter and not the forums, so their claim is unsupported. When it was pointed out Pale Moon does have independent extension developers (unlike what was claimed), tya99 didn't admit to being wrong, but doubled down:
Why anyone would develop on a platform has 0.0000001% market share is beyond my understanding. If you did need some functionality that WebExtensions couldn't provide then a stand-a-alone application using another maintained framework would be a more suitable option.
Nothing else they've said was based on reality, either. They've also wanted to kill off the discussion since it was obvious they were outmatched:
None of this discussion is going to yield anything productive so I vote that this issue be closed.
If you like drama, I recommend reading the whole thread - the destruction tya99 suffered is a sight to behold. Insults started to fly after tya99 couldn't support their claims, including that Tobin is mentally ill and can't write coherent sentences. This is the standard of "service" you get with Privacy Fools and the admins saw no problem with it. Now for something funny:
An addon not working is not a "giant security issue"
Tor browser is not included in tor browser, and noscript barely does anything in tors default mode, and if you still want to block javascript, then you could have turned it off in about config, it was merely an temponary inconvience that made unblocking scripts harder for the people who use tor browser on safer or safest mode.
So - according to security expert blacklight447-ptio - security addons are useless, and TOR browser did nothing wrong when they blocked them. Nevermind all the JavaScript exploits that have suddenly become possible because of that fuckup. Another PTIO member - trai_dep - has contributed to the shadowbanning of my site on r/privacy (which he happens to moderate). I guess the Mozilla and ProtonMail redpills were too big to swallow for him.
There's still some good advice on PTIO, but since privacy websites are mostly targeted at newbies, the audience will not be able to separate the good from the bad. As they say, the easiest way to fool people is to stick in a few well-placed pieces of bullshit inbetween providing good info. And in this case, the lies (such as the ones about Proton and Firefox) just happen to be extremely harmful. Under most sections, PTIO has way too many recommendations, of which most are niche and will just confuse the noobs. Anyway, it's not only what they say that matters, but also what they don't - this means failing to mention XMPP or Pale Moon completely, for example. Add to that the incompetence and suspect morality of the team, and the nickname Privacy Fools is well deserved.
This will be short since this fake doesn't deserve much more. A member of our chat posted them and I immediately spotted the red flags. In Bypassing the privacy chase, I've said that the most important thing while rating a provider's privacy policy is what it stores and for how long. There, I also listed the most important specifics to look for (IP address, system info, etc). Privacy Spy, however, completely ignores all that and bases its ratings on useless stuff. And so, violators like FastMail get a grade of 8 / 10 just because they graciously tell you why they collect personal data (if the reasons are shit, that does not lower the rating), the policy's history or allegedly notify you when it's changed. Of course, Privacy Spy plays fast and loose with most of its definitions, so the ratings become totally useless. For example, about the notification thing, here's what FastMail's policy actually says:
If we make fundamental changes to this privacy policy, we may take additional steps to notify you including by posting on our website(s), through pop-up notices or via email.
MAY
take additional steps to notify you. And because of this MAY
(and not WILL), FastMail gets the best rating. Or check this about the deletion of
personal data:
Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.
So, the fact that this data stays around on FastMail's servers for 180 fucking days is completely ignored, and the violator earns the best rating again. Clearly, Privacy Spy's criteria are worse than useless - since they justify clear transgressions while also not caring about what actually is stored and for how long. I could go on for a long time about this fraudulent rating site (there are many more issues - e.g, Privacy Spy is fine with collecting personal data for allegedly critical uses), but as I said, it doesn't deserve it. Avoid and forget it exists!