An Opinionated Guide to Privacy Despite Authoritarianism
37fx
8TurnTrout
3fx
23jbash
2TurnTrout
6jbash
4TurnTrout
4jbash
15lc
14Rana Dexsin
9bodry
16TurnTrout
1bodry
4trade_apprentice
2Sherrinford
1samuelshadrach
1KvmanThinking
-5StartAtTheEnd
9jbash
10Thane Ruthenis
1StartAtTheEnd
6TurnTrout
10StartAtTheEnd
5fx
2TurnTrout
2StartAtTheEnd
1boops_u
New Comment
Another great resource for privacy is https://privacyguides.org. I assume most of the recommendations there are approximately the same, but they may list additional private alternatives for some software.
I used to be pretty active in the online privacy community (PrivacyGuides, GrapheneOS, etc.) and I've seen a LOT of absolutely terrible misinformed privacy advice. Your guide doesn't seem to parrot any of that, which is really refreshing to see.
From a quick glance, there are only two (pretty minor) issues I can find in your guides:
- Your VPN section explains how VPNs hide your activity from the ISP, but it doesn't seem to mention the fact that they just shift the trust from your ISP to the VPN provider. Yes, Proton is definitely more trustworthy than ISPs in authoritarian countries, but I think it should still be mentioned that VPNs don't make you anonymous and you still need to trust a third-party with your traffic.
- You recommend F-Droid for app downloads, which is fine, but it has some fundamental security issues and it's considered better nowadays to use things like Obtainium. See here and here for more information.
1Thanks so much. I'll update the guides on both counts. I'll also add in a section on Tor.
Yes, Proton is definitely more trustworthy than ISPs in authoritarian countries
Furthermore, Proton claims to keep no logs of your activity and has its no-logs implementation independently audited.
Furthermore, Proton claims to keep no logs of your activity and has its no-logs implementation independently audited.
Yeah, of course, all trustworthy VPNs will do that, and I do generally believe that Proton actually doesn't keep your traffic logs. It's just that a lot of other VPN companies, like Nord or ExpressVPN, have very aggressive online marketing campaigns where they push false claims, like the claim that using a VPN can make you completely anonymous or even somehow protect you from getting hacked. This leads to most people's understanding of VPNs being "it's an app that changes my Netflix country and protects me from all evil".
So I think it's good to clarify that there is still trust involved in using a VPN, even if that trust is unlikely to be broken.
Good work.
I do really mean that it's good stuff. Most people would be a lot better off if they did it. But of course it's traditional to whine.
On contacts, do you want to remind people that their associations can still be identified through the associates' contact lists? People give out their contact information like it's going out of style. Not to mention doing things like uploading metadata-laden pictures with your face in them, and probably other things that would come to mind without too much searching. It's really hard to keep people from leaking information about you.
I know it's hard to tell people not to use so many damned cloud services, but jeez do people use too many damned cloud services these days. Not only is whatever you put on one of them exposed to anybody who can infiltrate or pressure the operator, but, since they tend to get polled all the time, each of them is another opportunity to get information about what you're up to.
Calling Proton Mail "E2EE" is pretty questionable. Admittedly it's probably the best you can do short of self-hosting, but there's a lot of trust in Proton. Not only do they handle the plaintext of most of your mail, but they also provide the code you use to handle the plaintext of all your mail.
Signal is surely the best choice for centralized messaging, and in the past I wouldn't have said that normal people (in the US) needed to be worried about traffic analysis... but it's not the past and I'm not sure normal people in the US don't need to be worried about traffic analysis. The legal protections that have (mostly) kept traffic analysis from being used for civilian mass surveillance look a lot less reliable now. Using a centralized service, with a limited number of watchable servers, makes it relatively easy to do that, even if you do it via a VPN and even if the servers themselves are out-of-country. Session, Briar, or Jami might be alternatives. Of course, the reality is that you can only move to any of these if the people you communicate with also move.
Migrating from X to Mastodon or Bluesky gets you some censorship resistance (although note that Bluesky isn't really effectively federated). Nostr would get you more, at the cost of a worse experience and, in my opinion, a much worse community. But, especially since this is a privacy guide, maybe what most people should really be doing is thinking hard about what they really need to trumpet to the world.
I think there are probably occasions when even relatively normal people should be using Tor or I2P, rather than a trustful VPN like Proton or Mullvad. [And, on edit, there is some risk of any of those being treated as suspicious in itself].
I'd be careful about telling people to keep a lot of cash around. Even pre-Trump, mere possession of "extraordinary" amounts of cash tended to get treated as evidence of criminality.
11Calling Proton Mail "E2EE" is pretty questionable.
Yeah. The original article addressed the issue but buried the lede. Will update:
Old: Proton Mail stores your emails e2ee. ... (Later warning) Most of your email can still be read in transit by the authorities. If two Proton Mail emails communicate, they automatically use e2ee. However, if e.g. a @gmail.com address sends you something, the content will be plainly visible to the authorities.
New: Proton Mail stores your emails E2EE. If two Proton Mail email addresses communicate, they automatically use E2EE in communicating with each other. However, if e.g. a
@gmail.comaddress sends you something, the content will be plainly visible to the authorities while in the sender's account (if they seize the data) and during transmission. Once received, Proton encrypts it in your mailbox, but the government could have already intercepted it in transit.
.
Not only do they handle the plaintext of most of your mail
IMO --- Not Proton's fault, just how email works sadly. I also warn that most emails will be read by authorities via other access points.
they also provide the code you use to handle the plaintext of all your mail.
Yes, but the code is open source and independently audited. I don't see why I should call this out as a trust deficiency in particular.
I think there are probably occasions when even relatively normal people should be using Tor or I2P, rather than a trustful VPN like Proton or Mullvad. [And, on edit, there is some risk of any of those being treated as suspicious in itself].
Yeah, I agree. I'm adding a section on Tor.
I'd be careful about telling people to keep a lot of cash around. Even pre-Trump, mere possession of "extraordinary" amounts of cash tended to get treated as evidence of criminality.
Thank you. I'm now planning to advise that people keep a small amount of cash (< $2,000) in a fireproof safe with receipts of legitimate withdrawal. High-risk individuals should ultimately consult with asylum experts.
Yes, but the code is open source and independently audited. I don't see why I should call this out as a trust deficiency in particular.
... which is as good as it gets in most cases. I am not saying I have a better alternative for most people.
But the thing is that supply chains are hard. When you use Proton webmail, do you actually verify that the JavaScript they serve to you is actually the same JavaScript they had audited? Every time? And make sure it doesn't get changed somehow during the session? If you use the Proton proxy, do you actually rebuild it from source at every update? Even with reproducible builds (which I don't know whether they use or not), how many people actually check? Another person's checking does add some value for you, but there's a limit, especially if it's possible to guess who will check and who won't.
Worse, how many "normal" people can actually check? How many can even keep all the issues straight in their minds? Lots of professional programmers get simple PKI issues wrong all the time. PKI is a strict subset of what you have to worry about for supply chain.
So, yeah, you can use that stuff, but by the time you get to the point where you're actually getting much assurance out of the source code access or the audits, I think it's more complicated than self-hosting a mail server (which I've done for probably about 30 years). Of course, with self-hosting your deliverability goes to hell, and you're still relying on an incredible amount of software, but you get some protection from the sheer chaos of the environment; it's usually not so easy for the Bad Guys to actually get the data back reliably and inconspicuously, especially for untargeted surveillance.
1If I added hedges about every similar possibility of supply chain attacks due to e.g. non-formally verified build signatures, the guide would grow bloated for reasons outside the comprehension and threat model of the vast majority of my readers. So while I agree with you about the possibility, I don't think it's relevant for me to note in the text. (Maybe you agree?)
The best privacy/security guide I am aware of is Michael Bazzells book. Michael Bazzell is a former computer crimes investigator, and his methods are red teamed at least in the sense that he works with e.g. people with extremely determined stalkers. Some things that book goes over that this doesn't:
- How to buy your home/car/P.O. box with LLCs and keep them out of your name, how to get a SIM card not tied to you personally.
- The who/what/where of how your personal information (incl. address, phone number, etc.) gets collected in the first place, and ends up in public databases (which of course the government also leverages). What you can do about data already there, to the extent that you can do something.
- (For people in really advanced situations) How to disinform in a way that actually works & ends up poisoning records, for example by taking up an electricity bill inside a building you don't own.
Obviously the government has capabilities that private individuals don't, so maybe the threat model here is different. For the most part though I would say that peoples' biggest privacy/security risk is that there are infinity public databases with all of their personal information, and anybody with a credit card can pull up their address. Stopping the inflow to those should be priority #1 and the solution isn't even really that digital, it's just arcane legal procedures.
Slight format stumble: upon encountering a table with a “Cost of tier” column immediately after a paragraph whose topic is “how to read this guide”, my mind initially interpreted it pretty strongly as “this is how much it will cost me to obtain that part of the guide”. Something like “Cost of equipment & services” would be clearer, or “Anticipated cost” (even by itself) to also suggest that the pricing is as observed by you at time of writing (assuming this is true). You could also add a sentence like “The guide itself is free of charge, but some of its recommendations involve purchasing specific equipment or services.” to the previous paragraph.
1I am a US citizen who opposes Trump. I follow the political situation closely and I would consider my threat-level to be low to very low. Why do you think the threat-level is medium?
btw I appreciate the privacy guide.
I'm guessing you think "I'm a citizen. I don't break laws. I'm not in a directly targeted group. I'm low risk."
You might be thinking about risk as binary—either you're targeted for arrest/elimination, or you're safe. The thesis isn't "you might get swept up." The thesis is: "The 'medium risk' assessment is based on the principle of 'authoritarian creep.'" The tools and tactics normalized against one group (immigrants, protesters) invariably get turned against the next, less-popular group.
Disclaimer: This comment is AI-written but human-composed. I spent over an hour thinking about your question, articulating my views, dialoguing with the AI, fact-checking its claims, and adding new content. It'd be a big pain to rewrite everything myself and I want to finish up thinking about this for now, so posting as-is.
Authoritarian regimes exert control in two ways:
- Targeted threat against actively persecuted groups (you aren't here yet), or
- Widespread fear against all who disagree with the regime (you absolutely belong to this).
You say you oppose Trump and follow politics closely. That means you have political awareness and opposition. Under ambient fear tactics, you don't need to be individually hunted down—you just need to know that your legal status won't protect you if you're inconvenient.
The infrastructure for widespread fear already exists
Citizen status doesn't ensure protection
Over 170 US citizens have been wrongly detained by ICE, including George Retes, an Iraq war veteran whose ID was in his car mere feet away but who spent three days in jail with pepper spray burns, unable to make a phone call or speak to a lawyer. He wasn't charged with anything. He was just released with no explanation.
And how hard would it be for ICE to flip an entry in a database?
ICE officials have told us that an apparent biometric match by Mobile Fortify is a 'definitive' determination of a person's status and that an ICE officer may ignore evidence of American citizenship—including a birth certificate—if the app says the person is an alien.
—Ranking member of the House Homeland Security Committee Bennie G. Thompson (D.-Miss.)
Court orders don't ensure protection
Trump has threatened to invoke the Insurrection Act to override judicial rulings. In Chicago, ICE continues to tear gas protestors and not wear identification in violation of a court order.
Congressional oversight doesn't doesn't ensure protection
Twelve Democratic members of Congress filed a lawsuit after being denied entry to detention facilities in violation of federal law explicitly granting Congress the right to conduct unannounced inspections. Rep. LaMonica McIver was charged with "assaulting law enforcement" for trying to enter—charges she calls "purely political."
Why this matters for you
ICE ignoring court orders in Chicago shows contempt for the judiciary. The Congressional blockade shows a contempt for the legislature. This creates an unchecked executive. An unchecked executive means all citizens have a higher risk profile, because the legal systems designed to protect you have been proven to be ignorable.
As Bruce Schneier notes: "If ICE targets only people it can go after legally, then everyone knows whether or not they need to fear ICE. If ICE occasionally makes mistakes by arresting Americans and deporting innocents, then everyone has to fear it. This is by design."
You're meant to be chilled. Maybe you won't be put in a camp. Maybe you'll never be arrested. But maybe:
- You'll lose your job for expressing political views online
- You'll face legal harassment even if charges are eventually dropped
- You'll self-censor because you know opposition has consequences
This is what 1950's McCarthyism looked like—most people weren't jailed, but thousands lost jobs, were blacklisted, had their lives destroyed. The threat didn't need to be execution; it just needed to be real enough to make people shut up.
Medium risk means: You probably won't be individually hunted down. But you absolutely could face consequences—detention, job loss, legal harassment, having to lawyer up even for bullshit charges—for being a visible Trump opponent. The goal isn't necessarily to arrest you. The goal is to make you wonder if sending that frustrated text message, or writing that Google Docs comment, or making that donation will put you on a list. The goal is to make you self-censor.
You're politically aware enough to understand what's happening. You openly oppose Trump. The system has demonstrated it will ignore your legal protections when convenient. That's not low risk, that's medium risk—the infrastructure exists to grab you if you're inconvenient, and your citizenship won't stop them.
I don't know if it'll get to camps. I don't know if it'll get to purges. But I know the ambient fear infrastructure is already functioning, and you're in the category of people it's designed to intimidate.
That's why I recommend taking precautions now, as listed in the article.
I read this as government actions will be taken to persecute me and/or government actions will be taken to make me afraid. I only care about the first category. Whether or not I'm afraid is entirely within my power. I could be actively persecuted and still choose to not be afraid.
News is really bad right now and LLMs don't help.
That link description is misleading. That article does not claim that. The article states that they found 170 citizens that have been factually detained by ICE. ICE may detain US citizens without a warrant for searches and arrests if conditions are met (see Powers without warrant section a4 and a5 as well as Searches without warrant). If you hit an ICE agent then they may detain you. Some people in that article were wrongfully detained but 170 is not the number.
George Retes, an Iraq war veteran whose ID was in his car mere feet away
That is misleading. He was not arrested under suspicion of being an illegal alien so the ID part is irrelevant. ICE was in the process of clearing a protest. He may have been detained for BS reasons but its still important to distinguish between arresting someone under suspicion of being an illegal alien and other suspicions.
And how hard would it be for ICE to flip an entry in a database?
I wish you were more specific here. It could actually be pretty hard for ICE to flip an entry in a database depending on the database we're talking about. Mobile Fortify draws from several databases and I don't think ICE has overwrite access to any of them.
ICE officials have told us that an apparent biometric match by Mobile Fortify is a 'definitive' determination of a person's status and that an ICE officer may ignore evidence of American citizenship—including a birth certificate—if the app says the person is an alien.
—Ranking member of the House Homeland Security Committee Bennie G. Thompson (D.-Miss.)
If this claim is true then there would be direct evidence of that happening. There should be no need to rely on word of mouth. From what I've read they only run the app when a suspect does not provide an ID.
I won't go over everything. I agree with the fact that checks on the executive are under attack.
A chilling effect may be the intention but its not the reality.
The No Kings Protest on October 18th may have been the largest protest since 1970. There were at least 5 million people in it. I have a lot of uncertainty about the future but the environment is not breeding a lot of docility or much of any of the psychological conditions necessary for a successful authoritarian.
Not knowing about security or threat modelling, something I've wondered is how much does engaging in privacy protection makes you "stand out". Maybe someone knowledgeable can comment about it. At what point does it make sense to worry that using a vpn "flags you" to an authoritarian government? If government surveillance can tell there are individuals engaging in privacy enhancement, either by reduction of activity on non-private things or by the use of private services themselves, what is left to do?
Very interesting and actionable guide.
I have two questions (maybe I'll have more later):
- Is it possible that the government shuts down bitwarden, or the country where someone who uses bitwarden blocks it, and then the user loses accessto all passwords?
- Why proton authenticator and not bitwarden authenticator?
