The Privacy Dad: Privacy Tools Are Not Worth the Hassle

Article from @theprivacydad that heavily resonated with me. I recommend reading the whole article, it’s well written. But the TLDR summary is:

For mass adoption, privacy tools need to be as good or even better than the mainstream competition. Most people are not interested in how their bike works; they just want to ride it and know where to get it repaired. The same is true for software. I happen to have developed an interest, and have turned tinkering and note-taking into a hobby (let’s hope I can retrieve those notes…), but I am the odd one out amongst my circles. The tools should bring people to greater privacy. As long as that model is reversed, and belief in digital privacy is a requirement to seeking out the right tools, adoption will be slow and only for a niche audience.

Thanks @Henry ! I really appreciate the boost.

This was an interesting article, but there’s a lot that I disagree with. I ended up coming across the privacy community through well developed software that also respected privacy. In other words, I chose certain services over others simply because they were better, independent of privacy benefits. The services:

• LineageOS
• Pop OS
• Brave Browser
• Bitwarden
• Proton (for VPN)

Since I’ve joined the privacy community, I can also state that Protonmail, Firefox, MEGA, Vimusic and newpipe just work better for me than their non-FOSS counterparts. I don’t believe that adoption is slow because these apps suck, but instead because they’re not the “default” option for most devices.

Now that I’ve experienced an ad, spam, clutter free, simple, and open source workflow, there’s simply no way I see myself going back no matter how little I care about privacy.

He does mention this, but almost makes it out to seem like the vast majority of this software is buggy and unusable. What I can agree with however, is that the UI for libreoffice is complete dogwater, and search is inconvenient on Tutanota. If you’re a frequent email user, I’d recommend proton over it any day (though as a simple individual tutanota works well as as well).

What I do very much understand is the reluctance to degoogle a phone for a benefit most people just don’t care enough about. I think I’m part of a very small minority of people that sees something new and wants to try it. The only reason I degoogled my phone was the mrwhosetheboss video on calyxOS.

Unfortunately those services are among the exceptions.

You’re right , Libreoffice is powerful and I respect the people making it but it just looks awful.

That is true, but I don’t believe this to be any more the case with FOSS software than with proprietary software. Most software in general is shit, but in almost every category (I say almost), there’s a FOSS application that imo does its job better than any proprietary counterpart.

Mega and Proton are not fully transparent, Mega not at all. Also big companies now, so not the best example of decentralized services

I was playing devil’s advocate in the article to make a point, but I also do agree with the counter arguments to privacy that I present. I have a friend who really cannot be bothered with investigating tools and trying things out. He is not technical. He wants his email to just work. He just quit Tutanota (I’ll post his reasons in next blog post) for reasons that surprise me. His reasons remind me how far distant the regular user is from the tech-interested user, and how many more regular users there are in the world than there are tech-interested users. This is key to the argument I present.

I agree that Brave and Bitwarden and probably the VPN can be used and managed ‘out of the box’. But how on earth would my ‘regular user’ friend ever set up LineageOS or Pop!_OS? And even if I did it for him, he would be extremely frustrated by the small changes in workflow and would not understand how to manage and update these tools.

Unfortunately, I strongly disagree with this approach for several reasons. Sorry for the long post, but I really hope it will demystify the reasons.

First of all, privacy and security are not binary situations. Privacy is not anonymity or secrecy. I was involved in the preparation of a cybersecurity course for the non-technical managers, and what I learned by reading NIS and several other notable resources that there is no perfect privacy and security.

In the end of the training, the most important takeaway and the final assignment of the course was to make a simple cybersecurity risk assessment.

Participants must learn the fundamentals of making a decision in the nexus of your risk assessment, your resources, your needs and your company strategy. You need to decide on your risk tolerance. Therefore, the most important thing is to make an informed decision about your situation.

That said, as an individual, you don’t have to be very tech-savvy or self-host many systems because not all companies and organisations can do that.

That is why I appreciate the approach of Techlore and PG team. They always remind ppl about their threat model, an individual risk assessment, so to speak. All of the tools and methods are countermeasures. However, what do you want to achieve with these moves?

Second and closely related with the previous one, making a lot of hardening, selfhosting and fine-tuning are not always recommended for everyone. Why? The more you make configurations, the more you are likely to screw unless you have an IT background. And, when you compare the effort, time and money, generally it is not likely for you to reap benefits. Applying pareto principle to privacy, you can easily understand that you can achieve 80% of results by applying 20 % efforts. So, what you mention about all difficulties are generally for achieving the 20%. Of course, these numbers are not definitive. Evading completely from Apple, Microsoft and Google is very very difficult. If you start with this goal, then you will get exhausted. Several years ago, I started my journey by just switching to Proton and duckduckgo. Now, I decoupled from Google and Microsoft, except for work accounts. But it took more than 5 years.

Third, you don’t have to and should not make the changes overnight. Again, even the big corporations cannot change their IT system or software in a short time. One of the main reasons is because of people and their adaptation time. Make a simple plan and start by easy steps.
For example,

• As you mention, someone can easily switch Brave or Bitwarden,
• Use multiple browsers, one for work and one for personal for a smooth transition.
• I don’t know the reasons, but Tutanota is not a good option for an average person. Protonmail has a better UI and you will also have drive and VPN. Skiffmail is also a decent option though, they only open source the email.
• • Signal is getting more popular day by day.
• Using a private search engine does not decrease your productivity.
• Using a private notebook app is as easier as others.
• Use the privacy options in your phone or services you use and opt out if possible. Just once when you purchase the devices.
• You can use cryptomator and continue to use big cloud providers if you want.
• You can use ublock Origin with no additional configuration.
• Choose a privacy front end for youtube. And the benefit, the ads are gone.
• If have an apple device, activate Advanced Data Protection.
• You can use email alias services for forums and other privacy invasive websites. If you dont wanna pay, just use Duckduckgo email protection. It can be integrated into Bitwarden.

All of these and more, you dont need to do configuration and pay a penny, and you can achieve a decent privacy.

In sum, privacy is achievable and not very difficult if you look from the appropriate lens and make informed decisions.

Thanks for your considered post.

I can see that working in a professional situation, but regular people are not going to be motivated to do that.

Me too! But who do you think are reading and watching those videos? Not my friend who didn’t like Tutanota. He will never seek out a Techlore video, unless something very dramatic happens.

I agree. I fear the quote taken out of context of the article has put you on the wrong path. I devote many hours each week writing articles to show what it is like for a non-technical person to adopt privacy tools. In this particular article, I was attempting to ‘steelman’ counter arguments, in order to get a better picture of the real problem. You can see that framework in the first couple of paragraphs of the article.

To your point - you are still not seeing just how little a non-technical person who is not motivated to determine their threat model for privacy or security reasons might be able to do without guidance. You say: select a privacy search engine. My Tutanota friend will not know how to do that himself. Same with adding extensions to a browser. That is the level of disinterest in IT I am talking about. I suspect many people operate at that level. I don’t say that to patronise people, but because I think that is the reality we are dealing with. That’s why I like Signal a lot. I can just say: download the app in your store and start using it. My Tutanota friend has and uses Signal no problem.

You’re right (and very justified) in pointing out that the vast majority of people simply want something that works, and as people who spend a lot of time tinkering with gadgets, it’s so incredibly easy to become detached from what the vast majority of Internet users want.

Regular users are unlikely to ever set up lineageOS or pop! OS simply because Windows/bloated android just works and comes out of the box working. When preinstalled, however, would I say these tools are harder to use than Windows and Googled android? Not really. It’s all about what people are used to, and switching platforms is too much of a hassle for most people.

I already come across as the paranoid tinfoil hat individual in all of my circles because of my own practices, but when someone else asks me how they can improve their privacy, I often tell them a few small changes (browser, password manager, debloater) that they can make. Sometimes, I’ll tell my friends that if they want to fullly avoid google/microsoft/apple spying the only way is to switch to a different operating system, but I’d fully recommend against this for the vast majority of people who can’t be bothered with a learning curve.

However, if someone is starting out with tech, and has no prior experience using any email address/OS and is starting fresh (extends to people switching to android), switching to pop! OS isn’t an inherently less user friendly decision than Windows. Same with using f-droid and the aurora store.

Still, we need reminders every now and then. Keep posting takes like this

I agree. I set my kids’ laptops up with Ubuntu from a young age, and they just use it.

I was thinking about why people accept the challenge of learning something not directly intuitive, like sharing permissions for a document on Google Drive, and yet can’t be bothered with trying something different. I think a lot of adoption must be driven via work environments. This is why I am so strongly against Google invading schools via cheap Chromebooks. Solutions like Linux, LibreOffice and Nextcloud are available and free, and can run fast on older software. But you need school management and and IT department with that kind of vision.

Thanks for the encouragement! I will do a couple more posts where I play devil’s advocate and present steelman versions of arguments against privacy.

My Tutanota drop-out friend has agreed to let me publish his reasons for leaving Tutanota, which I think are insightful (because I wouldn’t see them as reasons to stop using it). That should be on the blog later this week.

I’m pissed with Google for basically creating monopolies, and with new legislation like DMA, hopefully open standards allow me to just use something better and still collaborate with Google users.

We all have loci of control, and maybe I’m selfish for thinking this way, but educated people who care about privacy will automatically switch when it is convenient. The fact is, Google controls a large portion of the Internet, and most people simply aren’t willing to avoid Google and the zucc to the same extent as you and I. Without changes to the defaults, these services will always remain fringe applications used by tiny percentages of the digital population, and while that’s okay, you can mitigate this for yourself (and your children) to an extent.

On a little bit of a sidenote here (I’ll remove if it’s against the rules), most of the world does suck in one way or another. The US is overrun by megacorporations, the global south by cronies and government tyrrany (also megacorporations?), and the rest of the world seems to be losing money.

That in no way means you and I can’t do anything to improve our own lives. Is it harder? Sure, but it’s considerably easier than making a social change, and while the world does need people to propagate social movements, it’s often exponentially more mentally demanding to do that then to fix the solution for yourself and your dependents.

Despite all of this, I’ve seen people go from calling me a neckbeard for using signal to becoming way more paranoid than they realistically need to be (they spent 10 minutes looking up big tech privacy violations). That gives me just a (very) small amount of hope that things might change in the future, whether it’s laws like the DMA and GDPR or whether it’s just general awareness (less confident regarding the latter).

I guess at some point I went from being a n enthusiast of all things Apple, Google, DropBox, Evernote etc. to reducing my dependence on them. But I do think it makes a difference that when I was into all the mainstream apps, I liked tinkering with the settings and teaching other people how to use them even back then.

MEGA isn’t particularly private, no, but it has a FOSS client, doesn’t require any phone number to sign up, and provides a large amount of storage for free. While I don’t really use it, I don’t see any harm in encrypting files and then uploading them to MEGA.

Proton, on the other hand, has done some shady things, but its offerings remain some of the most private on the market and make up a decent part of many threat models including my own.

I strongly agree with your viewpoint, and searching for tools which are better in all aspects than their mainstream counterparts is also how I got into this community. Tools which are usable, ad/spam-free, and open source tend to also be privacy-respecting, so there is certainly a lot of overlap.

I think the OP article is a good reminder to the privacy community that you don’t have to recommend tools solely because they are private:

The fact is that most software in general is buggy and unusable. We simply tend to give more visibility to some buggy and unusable tools than they otherwise deserve, just because they happen to be privacy-respecting. I think this is probably a mistake that will harm the credibility of all “privacy tools” in the long run.

Respecting privacy shouldn’t be a free pass for developers to put in the minimum possible effort into their products, respecting privacy is just the minimum bar to pass to be considered at all. Services like Proton, Bitwarden, and Firefox all prove that polished, user-friendly products can be privacy-respecting, and that’s what we should demand from anyone else who claims to want to bring privacy to the masses.

This is a tale as old as time. You can lead a horse to water, but you can’t make it drink.

I don’t see my job as convincing people they need to care about privacy, as much as making sure that when they do care, their privacy journey is as easy as possible.

I wholeheartedly agree with your post here. In one of my other replies to this thread, I did point out that most software is filled with ads, slow, unusable, or simply not available on my platform.

That’s a nice way to see your job, and through the rabbit hole, PG (and earlier PTIO) have been great tools that have helped me almost entirely move away from proprietary software (or software that’s bad for privacy) to a point where I barely miss services like Google. I recently ended up moving back to Google products to collaborate (using a throwaway account) and I was just disappointed at how cluttered, slow, and flashy they feel compared to the tools I have gotten used to.

A side advantage to having better online privacy is having no spam. More than anything, I love that I can now log in to my email client and read every single email I get because I know it’s not spam.

Indeed, if a person does not care at all about privacy or security, then it should be out of discussion. Or, if someone is obssessed by privacy, then s/he will find alternative apps, anyway.

What I mean is not to expect an assessment for every individual, you are right. However, most of the time the suggestions by the privacy community can be overwhelming. Instead of suggesting Proton, ppl say you should self-host your email server or cloud storage. Or, Signal is not private, because it requires phone number. You will even find comments like Proton is founded by CIA, NSA can see Signal’s data, Brave is not private, or Bitwarden is not secure. There is also fanboyism of different companies or products. When an ordinary person see this kind of suggestions, they can easily give up everything.

So, we need to empower mainstream privacy ideas and products in order to spread privacy.

I agree with your point about overly critical views being overwhelming.

I just published a follow-up to the first article, where I try to show the perspective of a regular (non-technical) user on a privacy tool, Tutanota.

shady things? I only see a ‘big’ company that cares about privacy and open sources it’s projects.

Shady Things?

Yeah, I’m not aware of anything approaching “shady” behavior on their part. I’d like to hear specifically what they were referring to.