Effective Steps Towards Privacy
Privacy is a habit that is built over time. This guide compiles some useful resources to enhance your privacy, as well as some tips and explanations to help you along.
In a previous article, we covered the importance of privacy, as well as the dangers of mass surveillance-powered businesses. In this article, the focus will be on what we can do about it. And if the previous article focused on the severity of our situation, this one is going to be a bit different. Because when it comes to privacy, the current standard is so low that no matter what we do, the possibilities of doing something better are very high.
Before starting, I would like to make a disclaimer. The privacy-minded community can be quite divided sometimes. Some disagreements are completely reasonable, but others can be a bit more difficult to grasp. This is because there are some hardcore fans of a particular product, or some purists that will judge you if you're not using their favourite software. Not everybody is like this, though, and there are fantastic voices and resources out there that can help you improve your privacy, not to mention all the contributors that freely put their time and energy into building a better Internet. I will list some by the end of this article. I think that privacy needs to become the norm, and for that we need to take privacy out of its bubble. There is a guiding principle behind this article, and it is one of the criteria of The Debugger: it's all about having a better standard. Sometimes, the solutions we find are not perfect, and no software is bulletproof. But we have to aim for a better standard, collectively. If we achieve that, that's already a big improvement.
This means that if someone switches from Windows to Fedora, the proper reaction will not be that it's a pointless move because Fedora is also supported by Red Hat, an American company. Honestly, if I have to choose between Windows and Fedora, my answer is clear. And the fact that this choice is encouraged does not mean that I personally endorse these solutions, nor that I use them, or that I think they're the best possible choice. But we also have to give space for the people willing to adopt the habit of privacy. For those of you who are already experts, this article will be of little help, but I hope it can also be an encouragement for you to make an effort to accommodate those who are interested in making a change, and to attend to their particular and widely different needs, so you can help and orient them.
This brings me to my second point: for those looking to improve their privacy, keep in mind that privacy is a habit, and as with any other habit, it is one that is built with time. Do not force yourself to change everything from day one; that will probably be overwhelming and frustrating. Step by step, introduce little changes, get used to other products, try what works for you, and you'll see that in time you will make a huge improvement. Don't get blocked waiting for the perfect solution; start responsibly by trying things, and in time, you will get there. Again, almost everything is about having a better standard.
Finally, a preliminary tip. Briefly speaking, we can improve our privacy essentially in two ways:
1) By sharing less data and reducing our exposure: for instance, we can start to use software that does not track our activity or access our information. And
2) by avoiding profiling, that is, by increasing our anonymity. This means that when we cannot avoid sharing our data, we will try to make it more difficult to link it to us.
So these are the two main strategies that I will follow here. How to achieve this? By following these criteria whenever possible in our choices:
- The software is open-source.
- You do not need to create a profile or an account to use the software.
- The app does not collect any telemetry (that is, information about how you use the software).
- No revenue is made by collecting and selling your data.
- If it applies, encryption is actually end-to-end encryption.
That being said, I will not extensively review the options I am about to put in, nor will I make particular suggestions. I will do that in separate articles. This is not an analysis; it is an overview, and not even an exhaustive one. In any case, any of these options are better than what we normally use, so check, explore, and choose whatever best suits your needs and preferences. Lastly, this article may be a bit overwhelming, but you don't have to go through the whole article; you can instead jump to the sections that concern you most. To facilitate the navigation, you will find a table of contents below. Take this as a basic resource, as a starting point, and then inform yourself beyond what is said here. We don't want to offer you the "final truth", so contrast, ask and keep yourself informed. Finally, no software is a magical solution; there is no panacea out there. In order to be effective, any software has to be used responsibly. Be conscious about which information you share, and with whom.
I am not affiliated with any of the products or organisations I mention here, nor do I get any benefits if you use any software I list here.
Part One: alternatives to your daily general services
Mailing
Mailing is arguably one of the most sensitive elements of our digital life. It effectively acts as a personal identifier since we use email for almost everything. Not only to communicate, but also to sign up for other services, purchase physical products, etcetera. Therefore, it is essential to have a good email provider. Here are some suggestions:
- Tutanota: offers a mail service as well as a calendar service. As far as I know, it is the first email service to offer post-quantum encryption. Based in Germany, this is The Debugger's current email provider.
- Protonmail: it consists of a suite that offers mail, calendar, VPN, a password manager, cloud storage with the ability to edit documents online, and a crypto wallet for Bitcoin. Based in Switzerland. A few months ago Proton sparked an intense debate within its community after a public political endorsement. Still, Proton is generally a reliable option and represents a better standard than Google or Microsoft.
There are other interesting proposals that I recommend you check as well:
- mailbox.org: This one is a bit different, as it aims to compete with Google Workspace and Microsoft 365 suites by offering a wide range of solutions, including mail, online office, calendar, and video-conference tools. This makes mailbox.org particularly interesting for companies. It is also encrypted and based in Germany.
- StartMail: Great combination of usability and privacy. It has no free option, but you can try it for free for seven weeks. Based in The Netherlands.
Messaging apps
Similarly to an email provider, having the possibility of using a trustworthy communication channel is essential. Having a secure messaging app implies having a basic right to privacy. It is so important that I can't stress it enough. It is particularly crucial in times of political persecution and censorship. Your private conversations should be that: private. It even feels strange to write this sentence down - these are the times we live in.
- Signal: You can think of it as an improved version of WhatsApp. It is open-source, end-to-end encrypted, has a strong record, and is really easy to use. There are some caveats, such as its reliance on Amazon Web Services. Also, it needs your phone number to function (you can use VoIP to mitigate that; check below). However, it has also emerged as a widespread and effective alternative to WhatsApp, and in some countries, like the Netherlands, it is becoming quite standard. And above all, it is still a very solid option. (And yes, it is US-based; that being said, just quit WhatsApp as fast as you can!)
- Alternatively, you can also use Molly, a fork (that is, an alternative project based on the original one and developed independently from it) of Signal with an emphasis on enhanced security (only available for Android).
None of the following options require a phone number to sign up, which is a huge advantage since it removes the persistent identifier your phone number actually is, giving you a more anonymous experience.
- SimpleX: Free and open source, end-to-end encrypted app. What characterises SimpleX is that it does not use an identifier for your account.
- Delta Chat: Also a free and open source, end-to-end encrypted application that uses email servers as a way to communicate.
- Matrix: I've seen some public administrations from Germany using Matrix.org for their communications. More than an app, Matrix is a federated communication protocol. Due to its federated nature, it is also end-to-end encrypted. Because Matrix is a protocol, you will not download Matrix itself; you will need another app to use it.
- Maybe the most popular app to use Matrix is Element, but you can check here all the apps you can use.
- Threema: This paid app, based in Switzerland, is decentralised and also end-to-end encrypted, with some interesting features, including the ability to use the app without an account. The app is also open-source, but the server side remains proprietary.
What about Telegram? Briefly speaking, despite being advertised as an encrypted app, it is not end-to-end encrypted by default, and chat groups are not end-to-end encrypted at all. There is also a distinction between being encrypted and end-to-end encrypted: I will not discuss the differences here, but when talking about communications, end-to-end encryption matters, a lot. Now, Telegram is more of a hybrid between a messaging app and a social media platform. Therefore, its use is not particularly encouraged. If you have to use it for whatever reason, try to encrypt your personal chats using the "secret chat" option and review your privacy settings.
Federated Social Media
The level of privacy using these tools will depend significantly on the information you want to give about yourself. With that in mind, these are socials with no algorithm recommendations, promoted content, ads, or tracking. No one makes a profit from selling your data. Additionally, you can use a Mastodon account to follow a profile in Pixelfed, for example. This is because all these socials use the same protocol to interact with each other (it is similar to mailing: I can have Gmail, and I can still send and receive messages from an Outlook account, for instance). This is how social media should be: ad-free, without promoted content and addictive algorithms. And above all, without the possibility of being owned by just one person or company.
- Mastodon (replaces X/Bluesky)
- Pixelfed (replaces Instagram)
- Friendica (replaces Facebook)
- Pleroma (replaces Facebook)
- Lemmy (replaces Reddit)
- Loops (still not generally available. Replaces TikTok)
- PeerTube (replaces YouTube)
Browsers
Browsers are the tools that we use to, well, browse the Internet. A good browser is essential not only in terms of privacy but also of security.
- LibreWolf: Free and open source version of Mozilla Firefox, but without telemetry or proprietary software.
- Mullvad Browser: Developed in collaboration with the Tor Project. Strong focus on privacy, so you don't have to configure anything.
- Tor Browser: Probably the most secure and anonymous way to access the Internet.
- Vivaldi: Highly functional and with a strong community behind it, Vivaldi offers pretty good levels of privacy and a powerful solution.
- Brave: Based on Chromium, the experience is similar to that of using Google Chrome. Also, it has good levels of privacy and great usability.
Web searchers
If a solid browser is essential for privacy, web searchers are no less important. Think about it. Every doubt or inquiry, anything that we want to look up, goes through our searcher. That's why tracking-free searchers are so important.
- Mojeek: Probably one of the most privacy-minded options out there. Based in the UK, Mojeek does not rely on third-party results from Google or Bing, for instance.
- DuckDuckGo: It has been around for many years now, and it has become quite the standard when it comes to privacy-oriented searchers. It relies on Bing results, so you can think about DuckDuckGo as a more private and safe way of using Bing. It is based in the US.
- StartPage: In a similar way to DuckDuckGo, StartPage relies on Google's indexing, so expect a similar browsing experience, but without all the tracking and the noise. It can also offer results based on Bing's indexing. Based in The Netherlands.
Two-Factor Authentication Apps
You don't need to tell Google or Microsoft every time you use your two-factor authentication app to access one of your accounts:
- Open Authenticator
- FreeOTP
- Aegis Authenticator (works only on Android or Android-based phones)
Office Suites
- LibreOffice: Germany-based LibreOffice is a powerful suite and a fantastic replacement for Microsoft Office. It's free and open-source. It has no subscriptions and no accounts. Only what you need to work. Available for Windows, macOS and Linux. Some public administrations are starting to adopt LibreOffice too.
- OnlyOffice: This free and open-source suite allows you to edit files on the cloud and collaborate with other users, making it a very capable and robust tool.
- CryptPad: Do you want to replace Google's online suite? CryptPad has you covered. This collaborative online suite is free, open-source, and encrypted, ensuring that only you and the intended users can access what you write. Based in France.
Notes
Similarly, your personal notes should be that: personal (it's even weird to have to say that). Here are some options:
VPNs
A VPN (Virtual Private Network) basically allows you to hide your IP when you browse the Internet (although your VPN provider will be able to see your real IP). There are some benefits to using VPNs, but in terms of privacy and security, they have been quite overstated. Now, VPNs per se are not bad, though. What is bad is to think that a VPN will solve any issue and grant you complete anonymity, giving you a false sense of security. To begin with, a VPN needs to be trustworthy, and most products out there are quite dubious. Still, here are some good options to start with:
AI Chatbots
- DuckDuckGo AI: Consider it a safer way of using models such as ChatGPT, Claude 3 or Mistral. It adds a layer of anonymity by ensuring that none of your prompts are used to train any models, gathering no metadata, and anonymising your IP address. That being said, make sure not to share any sensitive information. This is just a more private way of using these products, but it does not entirely solve the issues associated with privacy and AI-powered chatbots.
- That being said, if you want to give Mistral AI a try, I encourage you to do so. Its open-source nature makes it more transparent, but again, it is not the most private solution out there. The DuckDuckGo AI layer will offer you more protection.
Password Managers
Many experts recommend using password managers to keep good password habits by facilitating the possibility of creating and remembering strong passwords for a particular service. Others point out that this makes password managers an attractive target for cyber-criminals. Nevertheless, if you decide to use a password manager, these options will cover you. And whatever you do, please do not use the same password for all your accounts, no matter how good and strong it is.
- Bitwarden: Open-source password manager, arguably the standard choice for this kind of product. And with good reason: Bitwarden has a solid reputation, so it's definitely worth giving it a try.
- Proton Pass: Powerful and easy to use. This one is developed by the team behind ProtonMail, and it is integrated into their suite.
Video-conferencing
Do you need to set up a meeting or a conference? You don't need Google Meet or Microsoft Teams for that. Here are some alternatives that, besides being more respectful towards your and your guests' privacy (yes, that's also nice to consider), tend to be less clunky since you don't need an account to use them:
VoIP (Voice over Internet Protocol)
I said before that phone numbers act as a persistent identifier. We give our phone number to basically everybody. From banks or acquaintances to online stores, workplaces or public administrations. However, you can use different numbers for different purposes by using a VoIP provider, the difference being that your phone number will use the Internet to communicate this time. Think about this strategy as similar to the one we used when we discussed email aliasing.
Part Two: secure your phone
Your phone is probably your main vulnerability in terms of privacy. Think about it. We carry it everywhere with us. It can listen to what we say, knows our location, and is constantly connected to the Internet. Most people rely by default on their phones, not their computers, to browse the web. You can directly change your operating system (OS), but there are also some steps you can take now to improve your privacy while considering which OS would suit you better at a later stage.
Android
Let's start with Android. Android is developed by Google and, among other things, comes with Google Play Services installed. Google Play Services consists of a series of APIs that are used to power a lot of Android apps. Now, the problem is that Google Play Services is extremely invasive and collects a lot of metadata about practically everything that is going on on your phone. You cannot change this unless you change your OS, but there is one advantage that Android has and that you can use to your advantage: the ability to install software outside the Google Store. To have different stores for your apps means that no one can fully control what you install and what you don't, which means that you are not limited to what Google allows you to install.
Stores
- F-Droid: This is a store for Android, but the difference is that it offers only free and open-source software. It also has some privacy assessment of its apps, which is a helpful resource for better knowing what you're installing on your phone. You can install it from their website, so you must allow your browser to install software from a third-party source. Make sure you turn off that option again after installing F-Droid!
- Aurora Store: Another store for Android, but unlike F-Droid, this one is a substitute for the Google Play Store. It has all the apps that are in Google's store, but the difference here is that you don't log in with your profile when using Aurora Store. This means that, in principle, it will be harder for Google to link the app you're downloading with your profile, offering you an extra layer of anonymity. You can install Aurora Store from F-Droid.
- All the links that direct you to the Google Play Store can be used in Aurora Store instead.
There are other stores out there that are worth checking. Some alternatives to F-Droid include Neo Store or Droid-ify (forks of F-Droid, that is, projects that have evolved independently from F-Droid and hence are based on it) or Obtainium, to name a few. Feel free to check those options, too, if you wish, but starting with a combination of F-Droid and Aurora Store will have you covered.
Once this is set, let's look at some replacements for other services. Most of these options are available through F-Droid. Otherwise, you can turn to Aurora Store.
To Google Maps
Arguably, one of the most concerning apps is Maps. Maps is not only able to track which route you are taking at a particular time, but also your preferences, which places you visit, how often, and so on. It may not be a big deal if they record your favourite ice cream shop, but just imagine the consequences of having a detailed record of billions of citizens worldwide.
- Organic Maps: It works entirely offline (only connects to the Internet to download the maps) and does not collect any telemetry.
- OsmAnd: Comes in free and paid versions. Also works online.
- OpenStreetMap (only through a browser): Both of the previous options are based on this one. OpenStreetMap is a massive open database that is powered by the community. This means that anybody can contribute to making OpenStreetMap better and more up-to-date.
Keyboards
Not even the strongest encryption will protect you from a keyboard that collects telemetry. Some safer options include:
Email client
Sometimes, you cannot help using Gmail or Microsoft Outlook. However, you can use a different client to access your account.
- Mozilla Thunderbird (also available for desktop)
- K-9 Mail
Browsers
- Fennec: Based on Mozilla Firefox, but without proprietary software and without telemetry.
- DuckDuckGo Browser
- Privacy Browser
- FOSS Browser
- Orbot (uses the Tor network)
YouTube
- NewPipe: Allows you to access YouTube without using an account. It is also ad-free. You can configure NewPipe to hide comments, suggestions and so on, making the app way less engaging.
- Tubular: Another version based on NewPipe.
- RedReader: An open-source client for Reddit. It has no ads, and it allows you to subscribe to a subreddit without an account (but you can log in with yours if you prefer).
Android settings
Lastly, make sure to apply the following settings:
- Set up a strong password in order to access your phone.
- Try to avoid installing any apps that you don't need. Most of the time, you can use a browser version instead.
- Check all your permissions, and don't grant any permission that is not strictly needed. As a rule, if I cannot avoid granting a certain permission to an app, I tap on "ask every time". Therefore, if you need to send an audio message through WhatsApp, you don't need to give permanent access to your microphone; just a temporary permission will do.
- Pay special attention to permissions like microphone, camera, location, storage and contacts.
- On top of this, make sure that your camera, microphone, and location are disabled; enable them only when needed, and disable them again right after use. You can do this through your privacy settings (Settings > Security and privacy > Privacy controls), or through the quick settings that appear when you swipe down your screen. Feel free to explore these settings to know what is going on on your phone.
- Turn off your ad identifier (you can check how to do it here: https://www.eff.org/deeplinks/2022/05/how-disable-ad-id-tracking-ios-and-android-and-why-you-should-do-it-now)
- Turn off 2G to enhance your security since a significant amount of malware uses 2G to access your device, and even Google recommends that you turn 2G off.
- You can turn off 2G by going to Settings > Network and Internet > SIMs > Select your SIM card > Tap into the "Allow 2G" option to deactivate it.
iOS
What about iPhone? As said, Apple does not allow you to install third-party software, that is, anything that does not come from their store, which is unfortunate since it gives Apple complete control over what you can and cannot install on your own device. But still, you can use many of the services listed above, so I will not list them again to avoid repetition.
It's also worth noting that iOS comes with some nice built-in features to enhance privacy, so make sure to apply the following settings:
- As with Android, set up a strong password to protect your phone.
- Again, try not to install unnecessary apps, and use the web version instead.
- Avoid using Siri.
- Check your privacy settings. You can do this through Settings > Privacy and security. Pay attention to critical permissions like microphone, camera, contacts and location.
- Whenever possible, do not grant any permissions. If you cannot avoid doing it, then try to aim for the option "Ask Next Time" or, if that is not possible, "While Using the App".
- Disable your ad identifier (just like for Android, you can check how to do it here: https://www.eff.org/deeplinks/2022/05/how-disable-ad-id-tracking-ios-and-android-and-why-you-should-do-it-now).
- Enable Advanced Data Protection for iCloud (https://support.apple.com/en-us/108756).
- Consider the possibility of using Lockdown Mode. It is a feature that aims to protect the user from more sophisticated malware, but it also has some drawbacks in terms of usability. Still, it's good to know it exists and that you can enable it if needed (you can check how to do it here: https://support.apple.com/en-us/105120).
Alternative Operating Systems for your phone
All these measures will improve your privacy and security, but the best you can do to secure your phone is to choose a different OS. It must be noted that contrary to Android, which runs on a wide range of devices, most of the alternatives presented here can only run on a few models. Here are some recommendations:
- GrapheneOS: Think of it as an enhanced version of Android in terms of privacy and security. The interface is basically the same, but it has extra features and customisations to improve your privacy. On top of that, Google Play Services is not installed (although you can install it if you want). Unfortunately, GrapheneOS only runs on Google Pixel devices. If you're going to try GrapheneOS, you can always purchase a refurbished Google Pixel.
- /e/OS: Another deGoogled version of Android. You can also purchase a phone that has it preinstalled (you can check Murena or Fairphone for that). However, it has been received with some hesitance because it also contains proprietary software (GrapheneOS received similar remarks, too). The fact that you can purchase a phone with /e/OS already installed makes it a very suitable choice for those without any kind of technical expertise or who might find it too inconvenient to install an OS manually.
- Ubuntu Touch: As the name suggests, it is a mobile version of the popular Linux distribution, Ubuntu. Again, you have to check the list of compatible phones on which it can be installed.
- CalyxOS: Another free and open-source operating system with a strong focus on privacy and security. It comes with microG (a less invasive alternative to Google Play Store) as optional.
Part Three: PC OS (well, it's basically Linux here)
Linux comes in several versions or distributions (also known as "distros"). Different distros might serve different purposes, but in the end everything is customisable. That being said, I will suggest just a few reliable distros that are easier to use for beginners:
- Linux Mint: Very user-friendly, stable and reliable. Mint is a fantastic choice to start trying Linux out!
- Zorin OS: Probably the closest you'll get to a Windows experience. Its familiarity makes it a good choice for people used to Windows.
- Their privacy policy states that your computer could send some information, such as the number of users or an anonymous installation identifier. You can opt out of all of this.
- Elementary OS: If Zorin tries to replicate the experience of using Windows, Elementary does the same regarding macOS. This extremely beautiful distro is also very easy to handle.
We will release an installation guide in time, but there are also excellent resources that can help you to do that. There are literally hundreds of distros out there, so, as said before, just take the time to explore more options if you wish to do so.
Final remarks
As said in the beginning, you don't have to try all at once. You don't have to apply everything that has been said here, but hopefully, this is an encouragement and an orientation on where to start. Also, keep in mind that none of your choices have to be definitive. You can start by trying Elementary OS, for instance, and then move to something else if you want. Rest assured, whatever you do, it will be better than our current standard (yes, it's pretty easy to improve when Windows screenshots everything you do by default, for instance). No software is invulnerable, but we can still improve our digital lives with just a small effort. Your choices matter, and as discussed in our previous article, this is not about you needing to hide something in particular; it is about which kind of society we want to build. Therefore, I also encourage you to consider these things not only for you as individuals but also for your workplaces, your organisations and administrations.
Finally, privacy is a political issue. Our individual choices matter, particularly in this case. But we don't have to stop there. Make sure to vote for political options that have privacy in mind (at least, to some extent). Resist initiatives like the EU's project of ending end-to-end encryption (an article on that soon, but long story short, it is a really bad idea). Follow the work of associations that aim to improve our digital life, and support them however you can. The Free Software Foundation Europe, for instance, started the Public Money? Public Code! campaign. Or the Electronic Frontier Foundation, which has been advocating for years now in favour of digital rights. Also, consider supporting the projects you like. It can be with a tiny one-time donation. Everything counts.
Mass surveillance weaponises entire populations and paves the way to authoritarian regimes where the rule of law no longer holds. But it does not have to be like this, and that's really good news. If only we start right now.
Want to make a change, but you also have questions (either for you or your organisation)? You can reach us through Mastodon or at thedebugger@tuta.com. We'll be happy to resolve any doubts or support you however we can within our possibilities. Oh, and for free!
Further reading:
- How to: Get to Know Android Privacy and Security Settings. Electronic Frontier Foundation (EFF).
- How to: Get to Know iPhone Privacy and Security Settings. Electronic Frontier Foundation (EFF).
- It's FOSS. Focused on Linux, but they offer a great coverage of the latest news regarding free and open-source software.
- Le Alternative. Dedicated site to find alternatives, mainly to Google, WhatsApp, and other Big Tech products. Only in Italian.
- Privacy Guides: Independent Privacy & Security Resources. It is a fantastic resource when it comes to privacy. It covers different projects and ongoing discussions within the field. They also have a section of recommended tools, which I really encourage you to check.