Fake privacy / security initiatives

"Beware of false prophets, which come to you in sheep’s clothing, but inwardly they are ravening wolves."

Do Not Track

Invented in 2009, this browser header tells websites you visit that you do not want to be tracked. 9 years and thousands of articles and discussions about DNT later, and there is still not even a standard for what "tracking" exactly is it supposed to prevent - even though they promised to create one long ago. Needless to say, websites can interpret DNT however they want, or even ignore it altogether. How much effort has been wasted on this dud - effort that could have been spent on creating and improving browser extensions that actually protect you from tracking. DNT, on the other hand, just gives the illusion of privacy to unsuspecting users - which is worse than doing nothing at all. Let's be real here - cooperating with trackers could have never worked anyway - since they don't care about playing fair.

If you've spent any time on the Internet at all, you've surely seen some obnoxious cookie notices, such as:

In 2011, the European Union has created a law which requires websites to inform visitors about the kind of data that will be stored on their computers, its purpose, as well as the need to get consent from users before storing anything. There were also guidelines for the duration of the cookie's existence. Anyway, a report (archive) has shown that most websites do not follow all the requirements properly. Even if they did, the people who would benefit from this information won't understand it and will click through it instead; while the aware ones have already blocked the cookies - but will still be bothered by the obnoxious notices. It should also be mentioned that the most important tracking cookies - the social network ones - are exempt from the law! So you can still be tracked by Facebook and friends; talk about a wasted opportunity.

Private Browsing / Incognito Mode

Almost every browser has this under different names. Let's be clear here - this does nothing whatsoever to protect you from nosy ISPs or trackers; and, while most browsers do admit that - some, like Waterfox, have tried to ride the wave of confusion to pretend that their improved private browsing (archive) does something more. A report has shown (archive) that many people do in fact believe that this mode guards them from online spying; as far as I'm concerned, browsers should remove this if they want to stay honest - or at least change its name. UPDATE: Pale Moon kind of averts this with the Proxy Privacy Ruler addon.

Hooktube / Invidious

YouTube frontends. Hooktube used to claim that they Keep your data private from the G (...oogle) (see here) - at least before they were forced to use the YouTube API. However, they still connected to Google video servers, so the whole reason for their existence was a fraud. Now, Invidious does the same thing but does not claim anything; regardless, they are not YouTube proxies. Note: Invidious does support youtube proxying now (since I think February 2019?). UPDATE November 2020: Invidious lead dev left the project (archive) and the other people don't appear to be doing much. Main instance is gone and the others are hit and miss. Errors such as "Read timed out" are commonplace, channels and playlists don't work either and often you can't even play any video. Invidious, also, still contains most of the bloat of YouTube. I recommend using youtube-dl (there's a crusade against that, too) to download videos - with it, you can watch them as many times as you want, whenever you want - without ads or slowdown, google connections or any other connections. An even better way is acz's aoydl, which is much simpler.

"End-to-end" encryption

For the last few years, services which have traditionally been famous for their spying (such as Skype, Viber, or the Facebook operated WhatsApp (archive)) have been loudly announcing their support of "end-to-end" encryption - which should mean that only you and the person you are communicating with can see the content of your messages. However, it is still them generating the keys, and therefore relies on their trustworthiness. Many allegedly "private" E-mail providers also suffer from this flaw - read my report. The moral of the story - if you don't manage the encryption yourself, it's not truly end-to-end, and shouldn't be relied upon.

Forced "protection"


This is simply a huge slippery slope - first it was plugins, then addons, then browser settings kept getting dumped into about:config or the abyss. What's next - deciding what sites you can or can't visit? Isn't Google SafeBrowsing just that? Maybe one day, they will block all "insecure" HTTP websites. Surely that's going too far - or is it? In fact, both Firefox (archive) and Chrome (archive) have been trying to get rid of HTTP for a long time. Great, thanks Mozilla and Google for "protecting" me from all this malicious stuff - but who will protect me from you? That is the real question. Of course, people don't realize there is an issue until something they use regularly breaks. The solution, of course, is to only use software that actually respects you instead of treating you like a baby; security will always be the responsibility of the user - you cannot "protect" people from everything. Even if you could, it would not be desirable; there is always a trade-off between security and functionality, and people should be able to choose at which point of the spectrum do they want to be.

Silent or forced updates

An extension of the above; they are the truck through which undesirable changes get dumped onto unsuspecting users. UI modifications, configuration option removals, or the aforementioned blockages; regardless - auto-updates transfer control of the software from the users to developers. And there is no excuse to at least not ask the user before proceeding. The horror stories of updates breaking things are numerous - for example:

External link filters

Didn't know whether to put this here or in Principles of bad software design - but the alleged point of it is security, so it's here. How does this work? Briefly - certain sites, whenever a link is posted to them - will NOT let you go there directly but only through their special redirect. If this actually improved security I would just consider it as simple babying - similar to the auto-updates; but the reality is much more malicious as usual. Not only are the link filters annoying, but they make tracking easier by putting the website you're leaving to into the URL. Also, people can actually fucking see the link they're clicking on, so the security benefit is doubtful at best. Twitter goes even further and prevents users from knowing where they're going to - every web address is replaced by their t.co shortener. They even admit this is used for censorship (archive):

A link converted by Twitter’s link service is checked against a list of potentially dangerous sites.
Don't bother looking at those links, son - Mommy Twitter will protect you! But maybe they should first focus on their own security than that of others; Steam, for example, had a breach (archive) where
users were able to access other people’s game libraries, and were able to see sensitive information including names, home addresses, email addresses, purchase history, Paypal account information, and even partial credit card numbers.

Twitter had an even worse one (archive) where up to 250 000 accounts were compromised. As I said earlier - security should be the responsibility of the user; we're not babies and treating us like them always results in disaster.

Firefox Send

Mozilla's allegedly private file upload service - analyzed in more detail here.

Firefox Lockbox

Mozilla's password storage service - analyzed in more detail here.

EFF's "Who has your back?"

They've made many of these over the years - the most recent one as of writing is https://www.eff.org/wp/who-has-your-back-2019 (archive). Briefly, the report rates the big corpos' censorship policies, but the most important criteria - that is, how much they actually censor - is completely ignored. Instead, they focus on whether the censors graciously tell you that you've been suspended or that a government has requested a takedown. And so a known violator like youtube gets 4 fucking stars out of 6 - what a joke. They even got a point just for having an appeal system that doesn't even work. There is only one aim of these reports - to justify the big corpos so that naive / inexperienced people don't abandon their services which don't respect them.

Facebook Container

A Mozilla-created (hey, a red flag already!) extension which - in Mozilla's words - helps you control more of your web activity from Facebook by isolating your identity into a separate container. There are several problems with this:

  1. It does not prevent Facebook data collection while you're on it. It is trying to give a compromise between privacy and the convenience of the violators' services, which of course doesn't work.
  2. Even for its stated purpose, it doesn't really work (archive). Inspecting the source seems to reveal that it's using a blacklist to decide which sites contain facebook elements that are then blocked.
  3. It is completely outclassed by uMatrix, which can contain not only Facebook (in a way that actually works), but any other sites you'd like in addition to many other benefits.

The same kind of logic applies to all other "container" extensions. Just learn uMatrix, my friends, and you will look down on pretender addons such as this one.

Other privacy sites

I really didn't want to do this, but some of those pretending to give advice and help people have no business doing so and need to be exposed. So let's get on with it:

Privacytools.io

The website equivalent of Mozilla - pretends to be your best friend but pushes you off a cliff when you're not looking. It's no wonder, then, that Firefox is their primary recommendation for all operating systems. They call it privacy respecting despite admitting that it needs a bunch of about:config modifications (archive) to even sniff that label. To add insult to the injury, they shill Firefox Send as the premier file sharing tool. As would be expected from Mozilla's fanboys, they've inherited some of their unethical behavior. As an example - they've begun recommending StartPage again (archive), even after it was acquired (archive) by a data collection company. What is damning is privacytools' rationale, which includes this gem of a quote:

I think, personally, Startpage (unlike some other companies) has been very forthcoming with the privacy community. Their response adds clarity to the situation and they are obviously now keeping track of this issue very closely.

The actual reality is: StartPage has hid the ownership change (archive) for almost a year and then held an AMA on reddit (archive) - which was nothing more than a PR piece to save face, instead of a way to clarify things. How the fuck do you twist that into being "forthcoming" with the privacy community? StartPage went into full damage control mode and yet the Privacy Fools accept that kind of behavior and want you to use their search engine as if nothing happened.

For a better example, their E-mail recommendation page (archive) is pretty much a shill piece for Proton (one of the worst providers you could sign up for) that ignores all the issues. They make a big deal about their so-called zero access encryption while forgetting to tell you that Proton could easily store the plaintext E-mail earlier (and they've been compelled to do targeted surveillance many times). The "E2E" encryption is an even more insidious fake, because the fucking private key is stored on the server (archive)! Privacy Fools prop up Proton's onion domain even though it redirects to the clearnet, making it useless and malicious. How can Privacy Fools justify calling any of this private or secure? One of their "contributors" (tya99) has also attacked Pale Moon with a bunch of lies (that were even refuted by Tobin, one of the developers). Such as:

A web browser is a highly complicated piece of software that requires quite a lot of resources to maintain. There is a high demand for 0days to be fixed promptly and this requires resources.

And yet, no actual evidence was given for Pale Moon being less secure than Firefox - just baseless assumptions.

I also think there's a lot of drama surrounding Waterfox/Palemoon. People being banned on the Palemoon forums pointing out faults with the project etc.

They link to a Hacker News post (archive) which talks about Twitter and not the forums, so their claim is unsupported. When it was pointed out Pale Moon does have independent extension developers (unlike what was claimed), tya99 didn't admit to being wrong, but doubled down:

Why anyone would develop on a platform has 0.0000001% market share is beyond my understanding. If you did need some functionality that WebExtensions couldn't provide then a stand-a-alone application using another maintained framework would be a more suitable option.

Nothing else they've said was based on reality, either. They've also wanted to kill off the discussion since it was obvious they were outmatched:

None of this discussion is going to yield anything productive so I vote that this issue be closed.

If you like drama, I recommend reading the whole thread - the destruction tya99 suffered is a sight to behold. Insults started to fly after tya99 couldn't support their claims, including that Tobin is mentally ill and can't write coherent sentences. This is the standard of "service" you get with Privacy Fools and the admins saw no problem with it. Now for something funny:

An addon not working is not a "giant security issue"
Tor browser is not included in tor browser, and noscript barely does anything in tors default mode, and if you still want to block javascript, then you could have turned it off in about config, it was merely an temponary inconvience that made unblocking scripts harder for the people who use tor browser on safer or safest mode.

So - according to security expert blacklight447-ptio - security addons are useless, and TOR browser did nothing wrong when they blocked them. Nevermind all the JavaScript exploits that have suddenly become possible because of that fuckup. Another PTIO member - trai_dep - has contributed to the shadowbanning of my site on r/privacy (which he happens to moderate). I guess the Mozilla and ProtonMail redpills were too big to swallow for him.

There's still some good advice on PTIO, but since privacy websites are mostly targeted at newbies, the audience will not be able to separate the good from the bad. As they say, the easiest way to fool people is to stick in a few well-placed pieces of bullshit inbetween providing good info. And in this case, the lies (such as the ones about Proton and Firefox) just happen to be extremely harmful. Under most sections, PTIO has way too many recommendations, of which most are niche and will just confuse the noobs. Anyway, it's not only what they say that matters, but also what they don't - this means failing to mention XMPP or Pale Moon completely, for example. Add to that the incompetence and suspect morality of the team, and the nickname Privacy Fools is well deserved.

Privacy Spy

This will be short since this fake doesn't deserve much more. A member of our chat posted them and I immediately spotted the red flags. In Bypassing the privacy chase, I've said that the most important thing while rating a provider's privacy policy is what it stores and for how long. There, I also listed the most important specifics to look for (IP address, system info, etc). Privacy Spy, however, completely ignores all that and bases its ratings on useless stuff. And so, violators like FastMail get a grade of 8 / 10 just because they graciously tell you why they collect personal data (if the reasons are shit, that does not lower the rating), the policy's history or allegedly notify you when it's changed. Of course, Privacy Spy plays fast and loose with most of its definitions, so the ratings become totally useless. For example, about the notification thing, here's what FastMail's policy actually says:

If we make fundamental changes to this privacy policy, we may take additional steps to notify you including by posting on our website(s), through pop-up notices or via email.

MAY take additional steps to notify you. And because of this MAY (and not WILL), FastMail gets the best rating. Or check this about the deletion of personal data:

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

So, the fact that this data stays around on FastMail's servers for 180 fucking days is completely ignored, and the violator earns the best rating again. Clearly, Privacy Spy's criteria are worse than useless - since they justify clear transgressions while also not caring about what actually is stored and for how long. I could go on for a long time about this fraudulent rating site (there are many more issues - e.g, Privacy Spy is fine with collecting personal data for allegedly critical uses), but as I said, it doesn't deserve it. Avoid and forget it exists!

Back to the front page