How to Find Privacy-Respecting Services & Software
So, you’ve decided to reclaim some digital privacy? Here are steps you can take to switch to privacy-respecting services and software.
Define Your Threat Model
Start by determining what people you’re trying to protect your data from, and in what situations. Are you trying to protect your data from average users on the public Internet, from Big Tech, or from your government or foreign governments?
Are you trying to protect your data while at home, while using public Wi-Fi at coffee shops, or while traveling across international borders?
The level of privacy you need will depend on these factors, so figure them out.
Identify Gaps Between What You Have & What You Need/Want
Once you know what level of data privacy you want or need, compare that to the level you have right now. What gaps are there? Maybe you’re content with your level of privacy while messaging, but you don’t like how all your photos are stored in Google Photos.
Make a list of the gaps so you know how far you need to go in each area.
Define Criteria
Next, define the criteria that you’ll use for selecting your service/software. Maybe you only want to use services/software based in a certain country (such as one that isn’t part of Five/Nine/Fourteen Eyes). Maybe you prefer open-source software over closed.
Two criteria I recommend including are end-to-end encryption and zero access or zero knowledge. These ensure that your data is only available to you, so that if a service provider suffers a breach or is hacked, your data can’t be read by others.
End-to-end encryption (E2EE) means that data is encrypted from one endpoint to the other, inaccessible to anyone in between. For example, Signal is an E2EE messenger, so no one, not even the Signal Foundation, can see your messages to another Signal user.
Be careful, because some services and software will say they’re E2EE, yet the service provider holds the encryption keys, which they can use at any time to access your data (or give someone else access). For example, Apple’s iMessage is E2EE, but if you have iCloud Backup enabled on any device where you use iMessage, the key to decrypt your messages is included in the backup stored on Apple’s servers.
I highly recommend that you not only look for E2EE, but also ensure that only you have the encryption key. This can be labeled as “private encryption key,” “personal encryption key,” “customer-owned encryption key,” “customer-supplied encryption key,” “use your own encryption key,” or similar language.
Zero access or zero knowledge means that only the user can access data, and not even the service provider can. Your data is encrypted with your personal encrypt key, which the service provider doesn’t have access to.
For example, the email in your Proton Mail account can’t be read by Proton because they use zero-access encryption. But the email in your Gmail account can be read by Google, because although they encrypt email in transit and at rest (on their servers), they have the encryption key.
It may help to prioritize or assign weights to the criteria, so you know which are most important to you when choosing between them.
Find Options
After you’ve defined your criteria, it’s time to start looking for privacy-respecting services and software. I regularly references these lists from trusted sources, which saves a lot of time researching. You can start with these, and start to record your own trusted sources for future reference.
Evaluate Options
Once you’ve created a list of options, you’ll start evaluating them against the criteria you defined earlier. You won’t always be able to find the perfect solution, so you’ll need to decide which criteria are most important to you.
Pay attention to the people behind the service/software, the privacy and security track record, and the monetization model.
How long will the company or project exist? What will happen to your data if the company goes out of business, or volunteers stop supporting the open-source project?
Look for reviews of the service/software, but be alert for paid promotional content that can be biased.
I suggest choosing no more than 3 options to test, to see which will work best for you.
Test Options
Once you’ve selected 1–3 options, start testing them. Again, pay attention to your criteria. Try to test not only your average use cases, but also any abnormal situations that you want to be prepared for.
Refine Over Time
Technology changes quickly, and your wants/needs will likely change over time as well. Whenever you want, start this process over to see if there are new services/software that are a better fit.
