The following criteria gives visitors an idea of how we select services in our resources. The criteria is not perfect, but rather designed to share what we generally look for. There are rare situations where a service hits all criteria and remains unlisted (ex. due to legal issues) - and there are situations where a service doesn’t hit all criteria but remains listed. (ex. due to an absence of better options)
Open source isn’t everything, but it adds a massive layer of transparency & oversight; open source services undergo a level of scrutiny rarely found in proprietary software. It’s worth acknowledging the importance of open source varies depending on the context: For example, open source cryptography is more important than a DNS service open sourcing their web app (which has little to do with the privacy/security offered by the DNS provider itself)
This will mean different things in different contexts. Broadly, we do our best to select services that offer strong privacy protections from the service itself (ex. Browsers that don’t track their own users) and that offer strong privacy protections against third parties (ex. Browsers that prevent websites from tracking you)
Similar to privacy, this will mean different things in different contexts. Broadly, we do our best to select services that offer strong security protections from the service itself (ex. Implementing zero knowledge encryption) and that offer strong security protections against third parties (ex. Sand-boxing its clients in a way that protects users)
Security patches are critical to keeping users secure in our ever-evolving world. We put a great deal of emphasis on them, and do our best to only recommend services that stay reasonably up-to-date with the latest threats.
We believe (with few exceptions) that teams behind services should be public & active. This allows users to know the history behind a service, adds accountability, and ensures there are real people dedicated to the service. Activity level is also important and speaks to the long-term sustainability of the service. We try to prioritize projects we feel have viable business models, with public & active teams who will exist in 5+ years.
Privacy & security mustn’t inherently result in convenience or efficiency loss. Services which actively enable users to gain privacy & security in an efficient manner are generally prioritized. (This can present itself as an issue in some of the following ways: difficult to install, difficult to setup, difficult to update, significant performance hit, requires certain hardware, etc.)
Similar to the previous point, privacy & security shouldn’t be challenging. We generally prioritize services we feel anyone - regardless of technical knowledge - can thrive using. Even seemingly small issues can mean a lot to some users (ex. needing to download an app from a third-party app store, or sometimes we avoid listing services due to high cost when cheaper alternatives exist) Additionally, we prioritize services offering quality customer support in the event users need individual assistance. This can take the form of a helpful community, though we prefer official customer support.
Services come and go. Developers come and go. Ideas come and go. We appreciate services that have a consistently good history in prioritizing user safety. We prefer services with 3+ years of mostly positive history as a starting point for passing the test of time. One thing is announcing a new messenger, another is maintaining one for 5+ years.
Broadly, we do our best to list services that have been formally audited—publicly, and/or have a great deal of trust within the privacy & security community. Trust is ultimately subjective and highly personal - which is why we take a broader approach to evaluating what’s generally trusted by the community as a whole, in addition to analyses performed by experts.
Lastly, we prefer services that are consistently evolving. User threats are growing in sophistication, and services that evolve with those threats are massively important to protecting users.