PrivacyGuides considered harmful

19 Jul, 2022

PrivacyGuides.org considered harmful, period

PrivacGuides are bunch of ~~clowns~~ amateurs that spread some half truth, normally based on no research at all or are simply entirely based on fanboyism. The so-called community tends to spread some random tools because they use it themselves which only expands their own bias instead of suggesting programs and showing programs and guides that have solid potential and are actually usable in the real-world.

I am not the only one saying it. I am not a fan of him because most stuff he spreads is pure BS, but he has some valid points in his statements against PTIO/PGOG such as that Firefox is preferable over other Browsers because you can tweak it or install a pre-tweaked Browser, without even mentioning that Chromium can also be tweaked in a similar way. The community based on mostly, not entirely, fanboys still spread nonsense that it makes a difference when you use Firefox or other Browsers, this is pure fiction and does not change any underlying fact that most web tech is owned by big players, they invent them, they pump money into it and they set the standards that programmers use, apparently these people will never understand this point, hopeless case.

The advise PrivacyGuides often spread and list are nothing but nonsense, e.g. promoting - best (whatever that means) - tools practices, this is nothing but dangerous. Not only it wrongfully echo chambers opinions rather than solid proof yet one of the main issue is that if everyone uses and trusts exactly the same tools and developers, hackers would target such tools much more because they know more people are behind which increases their chance of gaining something out of it, which simply automatically makes it more attractive to them.

PrivacyGuides simply ignores that you can update protocols and apps to address almost every criticism, which basically then results in a removal and re-adding software process which is not only confusing but also irrelevant because some of listed software suggested under recommended is potential blocked in some countries due to sanctions, law or other other conflicts. That said it is always better to list multiple alternatives and not only one or two.

Using GitHub but collect donations for a domain that is barely used

GitHub is questionable as code hosting provider, you normally would expect that such privacy and security oriented community uses other platforms but this seems not the case, at the end of the day they do not self-host their material, which I would do if I get that amount of donations. Using your domain with Gitea is something you can setup in 30-60 minutes, easily. The project leaders and members with access have the money and also the time to establish this to set higher standards but instead they swim with the mass, probably because it s better for the algorithm.

GitHub wants to introduce competition on their own platform because it benefits Microsoft.

The developer competition thing is mainly spread and introduced by Microsoft, aka GitHub to award developers or content creators, or simply put, people that upload something onto their platform with meaningless stars is a cheap trick to keep you on the platform and a false sense of showing what tools, ideas and material is - worth - more. I dislike such practices but apparently people still fall for such thing, the problem here is that some talented developers might not get much attention because they focus on code and not marketing because getting a star is usually 80 percent marketing and spreading your product and not necessarily represents code quality or effort put into a project, idea or discussion. Lots of those PrivacyGuide members think that star or likes, or whatever nonsense indicators a project has represents overall quality, again, this is not always the case and this system only helps Microsoft because they can put pressures on you as developer because you potential rank lower if you have less stars which makes it hard to impossible to get attention with only the platform and no external promotional help. The thing here is that PrivacyGuide has - for whatever reason - a good track with those star system, this is bad for smaller projects that actually seek to spread real guidance.

There is no clear statement about what values PrivacyGuides really represents and this is a huge problem, not only for a potential competition but also for those who just want to spread solid guides and review programs, at the end you are forced to work with them because the project - because of a crippled and wrong system - might get more attention, clicks or a higher rating. I expect from a community who seems to be entirely against surveillance to not practice into such surveillance based systems, because this is what this is about, surveillance as well as benefiting a questionable platform with questionable characters behind.

In short:

The domain is barely used.
Setting up Gitea is not hard.
Combining a Gitea instance and add a blog is a big more tricky but not impossible.
Most traffic comes from GitHub and most of the code is stored there, so why donate something, for what exactly, for other peoples submissions, ideas and content. GitHub and other people do the heavy lifting here.
Supporting GitHub and their policy is questionable. Mirroring from Gitea to GitHub, just for the algorithm would also be no problem if there is a fear that traffic problems. It is also sad to see that such community does not push other systems and entirely does the same what the mainstream does.

”Guides” in the name, but no or only some beginners guides provided which makes the whole guide name pretty much meaningless

The domain as well as the organization claims to provide some guides, while in fact their Blog is basically retired, the handful articles are opinions and not really guide related. The opinions are often debunked or are unprofessional written, given the fact that these authors are native English speakers. I think we all heard about 9/11 and the information they provide here - in one of their post - can be gained more easily via a Wikipedia link, the benefit is that Wikipedia is usually more maintained an more up-2-date, in other words, these guide offers nothing for the privacy oriented user anyway, also not to beginners because they usually seek guides that can be applied in the real world e.g. to harden Windows.

Potential abuse of Donations

There is no hosting that takes 750 USD from you. If you go trough the list of expenses you see lots of discrepancies, regarding hosting costs as well as very expensive upgrades which makes you question how honest they are while using others people money.

Since the original domain is not a top-tier class domain the domain as well as hosting can be archived pretty cheap, e.g. on GitHub, which would make sense because their source as well as content is mainly on it already. Transforming GitHub in a free blog is pretty easy, all you need is a domain, some time and some tools or scripts, I posted them already on several places, my sub-reddit has an entire category dedicated to blogging.

At the end it is once again not about spreading knowledge, it is about money. As of today I do not understand why someone wants to donate to a project that does not depend on donations, instead you can and should point out that the money is more needed for actual developers that at the end provide us with the tools we recommend to others.

Reddit bans, suppressed opinions and more

Their subreddit is controversial on its own, not only is the sub intransparent because it is unclear who is really in control but also because mods often hide behind their anonymity. There is a large history with moderation abuse. Legitimate questions as well as submissions not getting approved or removed. This is the opposite of transparency and not really organization worthy, but more a thing about power, control and some circus freaks who want to undermine trust and shape public opinions.

I do not claim I would do it better but assuming I would be in the same position I would establish a better ban-appeal rule and provide a document so that this issue can be solved on a more civilized manner.

Complex all-in-one solutions preferred over other smaller solutions

You often read that suggested software adds nothing over already listed solutions, while this might be true it should be pointed out that some users might prefer small tools because most AiO solutions have so many features that this can be overwhelming.

There is also another point to consider, performance and code complexity. The more code a program has the more vulnerable it becomes. In case a small xy Kb tool gets the job done then this should be preferable over complex solutions that added bunch of features that maybe only a handful people really need or use. More is not always better in terms of application performance, resource usage and security.

When 1 plus 1 does not equal 2, updates updates updates

There is a misconception that tools constantly need updates, this is not always the case because development is not just black and white, same like security holes not always getting exploited, lots of exploits typically rely on other stuff too, things that can be prevented explaining users what secure sources are, or in other words things that PrivacyGuides only very briefly covers. However, if 1 plus 1 equals 2 then there is nothing to update. Same goes for development, if no third-party dependencies are involved and the tool is finished then there is no point in updating it, assuming that mentioned product got reviewed and is secure. If you deliver programs trough external stores such as Google Play or Microsoft Store such platforms typically enforce their own rules onto developers, which forces them to update their apps otherwise it gets removed, however normal code platforms do not enforce such rules which means when there is nothing reported nothing needs to be updated.

The main reason why tools - should - but not - must - be updated are dependencies or updated libraries that might fix things such as performance, security etc. But randomly and blindly spreading wrongfully everything is affected by it is nothing but fiction. There are tools that are up-2-date but still insecure because other factor play a role and then there are tools that are one year without any update and still secure due to the nature of how they got designed or developed ... until someone actually reveals some hole, the most popular case is TrueCrypt.

Some security features, protocols or mechanism are also not getting daily, weekly or monthly updates and they are simply finished. Do you see AES 256 updates, no of course not it is finished until proven that there is a need to update the standard. SO why spread .. not updated since x equals insecure? Based on what, hopes and dreams or actual finding, more like door number one.

That said, blindly respelling the same nonsense over and over is just not how things work. Updates are a factor but in most cases only features are been added or if there are findings it requires an update, spreading here just because it did not got any update is maybe harmful for the developer who actually maintains his program or works on new features in the meantime.

Rejecting legitimate concerns

PTIO/PGOG has some big history rejecting legitimate concerns from users, probably because it is against the project team own beliefs. You than often see issues getting pretty fast closed without any detailed explanation, which would be worth to write down to avoid same question getting asked over and over, again and again.

Signal
Riot, which is now Element. The problem here is that there is a fight in adding and removing it, that I lost count. There are like 20 requests, issue tickets and countless discussions about the same IM over and over again. It should be pointed out that some of the project members are not objective because they provide or work with Matrix together or providing scripts/tools themselves, which means there is no objectiveness possible because people that already use the program tend to suggest it to others much faster without doing any research. The same goes for other projects like GrapehenOS who gets sponsored by the same people who donate. You cannot provide objectiveness and spread info for the masses and then fund someone or a project which you list on your site. This corrupts and shows how biased these people are, especially in the privacy and security scene this still remains a problem because people usually advocate things they directly support or sponsor.

Software criteria

In general their suggestions and software criteria makes no to less sense at all because

Developers can address problems. Instead of working together with them the software usually does not get listed in the first place or it is not pointed out that its fixable. There are countless issues tickets that I could link here that shows that developers contacted PTIO/PGOG but the team simply rejected the software because of some minor criteria problems. I do not see any reasons to list programs that have huge potential under a separate list, or while mentioning the to-dos. This could avoid constantly adding and removing programs and potential help small developers to gain funding, which then could help the entire project, which would be a win-win-situation for everyone.
Most developers have an internal or even public roadmap what is on the to-do or is already known. In Riots/Elements case the problems with encryption were pretty well-known from the beginning and everything was already discussed, instead of linking to the tickets, they added and removed it which was at the end pretty pointless because the software is now added (again). There are other examples like Brave Browser which the community was fighting over since the beginning.
Some of their suggestions and criteria play no to less of an role in a security context.
There is no best when it comes to software, PTIO/PGOG wants to list best software. This is dangerous and nonsense, the best software is worth nothing if the user does not understand it and even dangerous when he starts to change settings on his own because of compatibility or understanding issues. However, some people simply have other needs and as stated already some programs and services are banned or removed from official Stores. This is also one of the reason why I prefer minimum to list 5 solid alternatives.
It is pointless to suggest encrypted tools or services when only one person uses it. That said there is no warning, mentioned such important things. Lets assume you use ProtonMail and communicate to someone else that uses GMail your eMails are not encrypted at all because GMail does not support ProtonMail standards. It should also be mentioned that encryption here plays in general no role because once the eMail lands on Googles servers they can read and forward them. Such important points are not mentioned and the beginner might think that everything is fully secure and protected, which is in our example scenario absolutely not the case.
Most security they list is based on protocol security, means that lots of stuff depends on what protocol you use the rest is often, not always optional and has questionable benefits. That said protocols evolve and this should be clearly pointed out to give users a better indicator to what to look for.
The team suggest software and established criteria but they cannot even work with Certbot that automatically checks and renews the certificate, it is a miner issue but makes me once again question how much experts they truly are, such things are beginner mistakes.
In some cases they request an audit, if an audit is green then there is no need for additional criteria because if security is already confirmed already then this superseded additional requirements, in terms of security unless otherwise stated in the audit paper.

Inspecting the PTIO/PGOG Team, no one ever heard of them

In case you check the project members you see bunch of random people no one ever heard of, not in any security forum nor in the scene directly.

About the project members, the ones with direct access

Some of them fund projects that directly getting listed on PTIO/PGOG, which disqualifies such persons automatically from suggesting software, because they protect their personal interests.
Childish behavior from some project members and also some of the volunteers, that clearly shows their mentality. I like to add here as personal note that car privacy and security is a serious topic.
Absolute zero qualifications, one of them is apparently translator for QuobesOS or translation lead however, that is no qualification at all, more a hobby. Maybe only listed on the GitHub profile page because of the considerable good reputation of QuobesOS.
Some of them have some scripts for Minecraft which makes you question why they got access to PTIO/PGOG in the first place and why they are qualified enough to suggest programs to beginners or advance people that might watch the project.
All of them seems amateurs and doing this as hobby, however PTIO/PGOG never mention with any word that this is a hobby project instead they pretend and try to look professional, probably to collect donations for software suggestions other people and developers provide, at the end it is their work and dedication and these random people just list their favourite tools, that is all.
Most input, ideas de facto comes from external people, free volunteers and not the PTIO/PGOG team. Why collect money in form of donations for mainly suggestions of other people. If I would list here all issue tickets and suggestions from other people compared to what the team provides it would be 90:10 in relationship effort to contribution.

That said PrivacyTools or now PrivacyGuides is a collective of amateurs and fans that want to sound professional while they are very often pure an simple wrong. Reverting changes or adding/software based on some opinions and questionable criteria only confuses beginners and they usually do not tend to inspect every issue ticket, discussion or want to spend time in backtracking what is going on.

Amateur mistakes mislabeled as Bug

Several issue tickets are labeled as Bug when this is not bug related at all, I only pick one single example, this one which is simply a amateur mistake and not a bug. If you use self-signed certificates via e.g. LetsEncrypt you need to provide your eMail, in order to get notified SEVERAL TIMES before your certificate expires. There is no way you can ignore it, you get 20 to 17 days before the point of no return comes the first notification eMail which gives you enough time to check if certbot has all permissions as well as open ports to obtain the new certificate. You can use dryrun parameter to actually simulate getting a certificate and in addition use a cron-schedule to automatically check and renew the certificate every day, this is only some lines you need to execute and add once. The fact that this did not happened pretty much shows that amateurs are behind because you need to ignore eMails, never did a dryrun to check if everything is setup correctly and then when the day come you sit there and ignore everything and wait until someone points this out.

Given the fact that PTIO/PGOG got several hundreds of dollars already this should never happen. Of course no one is perfect and I do not deny that this is sometimes something which you simply ignore because it has low priority but it is questionable why several people do not cross check such things before they even occur.

Remember that they say that they want to educate other people, which makes me wonder with what qualification exactly and with which background. [Framasoft](tab:https://framasoft.org/en/ does pretty much similar thing), giant donation buttons but no one ever heard of them in the actual security or privacy scene. They just popup from nothing and want to educate people, in truth they want to make a living out of it.

Mislabeling your own failures as bug is sadly a practices to hide the real problem and on many levels just ethical wrong.

Do not bother joining their chats, you gain zero out from it

Some people might defend the team by saying that joining some groups such as Reddit, or Matrix, or whatever they provide has a benefit. It does not, mainly the group is a mix of amateurs that have no real-life or any other expertise to guide others, which can be dangerous especially then when you spread wrong things that leads to problems. However, as actual expert there is nothing to gain from it, as beginner you directly join a mass echo chamber and the same people will spread their own beliefs as - best practices - and find arguments to defend their beloved products.

The reason I basically closed all of my discussions groups, is that I find echo chambers are a toxic group behavior that leads to mass psychosis and people usually tend to prefer it because they want to get spoon-feeded, because it is easier to let other people do the research and job than using your own brain. Another problems is potential platform restrictions, censorship, surveillance as well as mod and admin abuse.

In general I am not anymore for chats such as Discord etc because at the end you help such platforms, people never search the history even if you guide them with step-by-step instructions and it always leads with repeating questions over and over and over and over ... again and again. Such things are for me and my nerves frustrating, the older you get the less patience you have because the clock is constantly ticking and you do not like to waste your lifetime respelling the same again and again, you either can ignore it and give up and let others deal with it or you have a chat dictated by only a handful people which I also dislike because that also only enforced bias onto beginners.

My Conclusion

The privacy and security scene is infiltrated with pseudo-experts that want to collect donations and this is pretty much the bottom line, Framasoft does it, PrivacyGuides does it and I could list much more here but it is obvious that such organization want to sell you other peoples work as educational service. Stuff you get on the original tool websites anyway, usually more updated and reading documentations is pretty much mandatory for almost everything related and connected to privacy and security, not only to stay up-2-date but also to do actual research, based on given information and then cross-reference is across multiple other sources to debunk or confirm claims.

I am absolute not a fan of selling information for money or donations, my information I provided was always free and it should be free but who would continue such projects without money is the big question and who wants to support amateurs. These questions are unresolved because there is not really any transparency given about why they need to collect donation and what are benefits in doing a small or big contribution, my opinion is that developers should get the money and not the people who write articles about the tools, or at least there should be a 80 to 20 split if you appreciate qualitative good articles. Sadly PrivacyGuides provides almost no guides, and the ones that exist are pretty much meaningless because the information is usually already covered in official documentations or you find already more updated and in-depth guides with a simple search engine search within the shortest amount of time.

To close this chapter I like to add, that you should stay away from such fake organisations and people that are not trustworthy at all and better read docs, do searches on search engines or on YouTube or ask real developers about their opinion on certain topics and best practices.

For example I mainly get my information trough search queries, RSS-Feeds, code, code samples as well as discussions, things that is much faster and more up-2-date than any random group that lists questionable recommendations can ever deliver. There exist tons of good YouTube channels that are much more interesting to follow, more on the subject and the creators put much more effort into their videos than any PrivacyGuides member in their articles, all of the variables and factors listed and combined makes my conclusion final - stay away from them and their opinions.

Reference

#privacyguides #privacytools