diff --git a/i18n/fi/CODE_OF_CONDUCT.md b/i18n/fi/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..a2074693 --- /dev/null +++ b/i18n/fi/CODE_OF_CONDUCT.md 
@@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Do not spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not an information home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +2. **Do not abuse our willingness to help** + + Our community members are not free tech support. We are happy to help with specific steps for your privacy journey, if you are willing to put in effort. We are not obligated to answer endless, repetitive questions about general computer problems solvable with a simple internet search. **Do not** become a [help vampire](https://slash7.com/2006/12/22/vampires). + +3. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Being respectful of differing opinions, viewpoints, and experiences. + - Demonstrating empathy and kindness toward others. + - Focusing on what is best not just for us as overseers, but for the overall community. + - Giving and gracefully accepting constructive feedback within our community while growing and improving. + - Operating with a communal mindset at all times. 
+ +## Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- Any other conduct which would reasonably be considered inappropriate in a professional setting. +- Public and/or private harassment of any kind. +- Publishing others' private information, such as a physical address and/or an email address, without their explicit permission. +- The use of sexualized language or imagery, and sexual attention or advances of any kind. +- Trolling, insulting and/or derogatory comments, including personal or political attacks. + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +## Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform via chat, direct message, or any designated "Modmail" system. + +If you have a problem elsewhere, or a problem that our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of reporters for all incidents. diff --git a/i18n/fi/about.md b/i18n/fi/about.md new file mode 100644 index 00000000..217dd1ae --- /dev/null +++ b/i18n/fi/about.md 
@@ -0,0 +1,234 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/logos/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](assets/brand/logos/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides information for protecting your data security and privacy. We are a non-profit project with a mission to inform the public about the value of digital privacy, and about global government initiatives which aim to monitor your online activity. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:material-heart:{.pg-red} Become a Member](https://donate.magicgrants.org/privacyguides){ .md-button .md-button--primary data-portal="signup" } +[:octicons-home-16:](https://www.privacyguides.org){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } + +Privacy Guides is built by volunteers and staff members around the world. All changes to our recommendations and resources are reviewed by at least two [trusted](https://discuss.privacyguides.net/u?group=team&order=solutions&period=all) individuals, and we work diligently to ensure our content is updated as quickly as possible to adapt to the ever-changing cybersecurity threat landscape. 
+ +In addition to our core team, [many other people](about/contributors.md) have made contributions to the project. You can too! We're open source on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +[Job Openings :material-arrow-right-drop-circle:](about/jobs.md) + +## :material-email-edit: Contact Us + +[:simple-discourse: Join the Privacy Guides forum](https://discuss.privacyguides.net){ .md-button .md-button--primary } + +The best way to get individual help is from our community on Discourse. If you notice an issue with our website, please open a discussion in the [Site Development](https://discuss.privacyguides.net/c/site-development/7) category on our forum. If you have a question about anything we cover, please ask it in the [Questions](https://discuss.privacyguides.net/c/privacy/questions/8) category on our forum. + +![Signal contact QR code](assets/img/layout/signal-contact-qr.png){ align=right } + +Have a tip for us, or need to share some sensitive information? The best way to get in touch with us securely is via `@privacyguides.01` on Signal. This group account is monitored by [Jonah](https://discuss.privacyguides.net/u/jonah), [Niek](https://discuss.privacyguides.net/u/niek-de-wilde), [Em](https://discuss.privacyguides.net/u/em), and [Jordan](https://discuss.privacyguides.net/u/jordan). + +[:simple-signal: Chat on Signal](https://signal.me/#eu/zg9xcrIv5w-EtXt2FmTJgfWv01LmyTed8rpr7RDv35Mizq8ISZ9NJLmYtzsxI0Z4){ .md-button } + +You may also email the entire team at . This is a shared inbox that could be read by any [team member](https://discuss.privacyguides.net/u?group=team&order=solutions&period=all), so please consider what sensitive information you share via email accordingly. + +We will do our best to respond to all queries within 3 business days, but please understand we are unable to provide individualized advice to everyone who asks. 
If you have a question about privacy, you will receive a much more detailed and timely response from the Privacy Guides community by [asking on our forum](https://discuss.privacyguides.net/c/privacy/questions/8). + +You can also use OpenPGP to contact us via email, if you feel comfortable with your client's security settings. You can discover the PGP keys of our team members using WKD if your client supports it. If it doesn't, or you don't know what that means, you can also find the public key for any Privacy Guides email account by searching on [keys.openpgp.org](https://keys.openpgp.org). We do not have PGP for the shared team inbox, only individual mailboxes which can be found in our team directory below. + +If you need an alternative secure channel, please request one via any contact method including social media, and we will work with you to establish one. Please do not share any sensitive information with us before we have established an appropriately secure discussion channel. + +## :material-account-tie: Executive Committee + + + +The project executive committee consists of five volunteers charged with management of the [MAGIC Privacy Guides Fund](https://magicgrants.org/funds/privacy_guides), making most critical project-related decisions. + +
+ +- :polar_bear:{ .lg .middle } **Daniel Gray** + + --- + + :material-text-account: Founder + + [:material-account: Profile](https://discuss.privacyguides.net/u/dngray) + + [:material-github:](https://github.com/dngray "GitHub") + [:material-mastodon:](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + [:material-email:](mailto:dngray@privacyguides.org "Email") + +- :detective:{ .lg .middle } **Freddy** + + --- + + :material-text-account: Founder + + [:material-account: Profile](https://discuss.privacyguides.net/u/freddy) + + [:material-github:](https://github.com/freddy-m "GitHub") + [:material-mastodon:](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + [:material-email:](mailto:freddy@privacyguides.org "Email") + +- :robot:{ .lg .middle } **Jonah Aragon** + + --- + + :material-text-account: Founder, Program Director + + [:material-account: Profile](https://discuss.privacyguides.net/u/jonah) + + [:material-home:](https://www.jonaharagon.com "Homepage") + [:material-github:](https://github.com/jonaharagon "GitHub") + [:material-mastodon:](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + [:material-email:](mailto:jonah@privacyguides.org "Email") + +- :cactus:{ .lg .middle } **Niek de Wilde** + + --- + + :material-text-account: Founder + + [:material-account: Profile](https://discuss.privacyguides.net/u/Niek-de-Wilde) + + [:material-github:](https://github.com/blacklight447 "GitHub") + [:material-mastodon:](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + [:material-email:](mailto:niekdewilde@privacyguides.org "Email") + +- :smirk_cat:{ .lg .middle } **Olivia** + + --- + + :material-text-account: Founder + + [:material-account: Profile](https://discuss.privacyguides.net/u/olivia) + + [:material-github:](https://github.com/hook9 "GitHub") + [:material-mastodon:](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +
+ +## :material-account-edit: Staff + +Our staff are paid to contribute to supplemental content at Privacy Guides, like [video production](https://www.youtube.com/@privacyguides), [news articles and tutorials](https://www.privacyguides.org/articles), and our discussion communities and social media. Most are available and paid on a full-time basis to assist the organization. + +
+ +- :jack_o_lantern:{ .lg .middle } **Em** + + --- + + :material-text-account: Activism and Outreach + + [:material-account: Profile](https://discuss.privacyguides.net/u/em) + + [:material-github:](https://github.com/EmAtPrivacyGuides "GitHub") + [:material-mastodon:](https://infosec.exchange/@Em0nM4stodon "@Em0nM4stodon@infosec.exchange"){rel=me} + [:material-email:](mailto:em@privacyguides.org "Email") + +- :full_moon_with_face:{ .lg .middle } **Jordan Warne** + + --- + + :material-text-account: Digital Content Producer + + [:material-account: Profile](https://discuss.privacyguides.net/u/Jordan) + + [:material-github:](https://github.com/jordan-warne "GitHub") + [:material-mastodon:](https://social.lol/@jw "@jw@social.lol"){rel=me} + [:material-email:](mailto:jordan@privacyguides.org "Email") + +- :video_camera:{ .lg .middle } **Nate Bartram** + + --- + + :material-text-account: Digital Content Producer + + [:material-account: Profile](https://discuss.privacyguides.net/u/nateb) + + [:material-github:](https://github.com/tnonate "GitHub") + [:material-mastodon:](https://mastodon.thenewoil.org/@nateb "@nateb@mastodon.thenewoil.org"){rel=me} + [:material-email:](mailto:nate@privacyguides.org "Email") + +
+ +## :material-check-decagram: Social Media + +We have a general policy of avoiding links to centralized social media profiles and other websites outside our control. This means that in places like our website footer and other areas, we only link to platforms we fully control, such as our Mastodon and PeerTube accounts or Matrix channels. + +However, Privacy Guides _does_ have social media accounts on a wide variety of platforms, in the hope of reaching new users who aren't yet familiar with our content. We try to make this a "one-way street" where those accounts link to privacyguides.org, and not the other way around. However, this creates some confusion about which accounts are actually run by the Privacy Guides team. For reference, we will list all of our accounts here: + +
+ +- [:simple-discourse: **Forum**](https://discuss.privacyguides.net) +- [:simple-matrix: **Matrix Space**](https://matrix.to/#/#privacyguides:matrix.org) +- [:simple-mastodon: **Mastodon**](https://mastodon.neat.computer/@privacyguides) +- [:simple-peertube: **PeerTube**](https://neat.tube/c/privacyguides) +- [:simple-bluesky: Bluesky](https://bsky.app/profile/privacyguides.org) +- [:simple-codeberg: Codeberg](https://codeberg.org/privacyguides) +- [:simple-github: GitHub](https://github.com/privacyguides) +- [:simple-gitlab: GitLab](https://gitlab.com/privacyguides) +- [:fontawesome-brands-linkedin: LinkedIn](https://linkedin.com/company/privacyguides) +- [:simple-reddit: Reddit](https://reddit.com/r/PrivacyGuides) +- [:simple-x: X (Twitter)](https://x.com/privacy_guides) +- [:simple-youtube: YouTube](https://youtube.com/@privacyguides) +- [:simple-tiktok: TikTok](https://www.tiktok.com/@privacyguides) +- [:simple-facebook: Facebook](https://www.facebook.com/PrivacyGuides.org) +- [:simple-instagram: Instagram](https://www.instagram.com/privacy.guides/) +- [:simple-threads: Threads](https://www.threads.net/@privacy.guides) + +
+ +To reiterate, this is not an endorsement of any platform, and we generally discourage following us on most social media platforms. + +## :material-newspaper: In The Media + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://nytimes.com/wirecutter/guides/online-security-social-media-privacy) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok), [Wirecutter](https://nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc) [[2](https://nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac)], [NPO Radio 1](https://nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), [Wired](https://wired.com/story/firefox-mozilla-2022), [Fast Company](https://fastcompany.com/91167564/mozilla-wants-you-to-love-firefox-again) and [404 Media](https://404media.co/privacy-service-optery-faces-backlash-after-plan-to-send-openai-user-data). 
+ +## :material-history: History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](about/privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +In 2023, we launched international translations of our website in [French](https://www.privacyguides.org/fr), [Hebrew](https://www.privacyguides.org/he), [Dutch](https://www.privacyguides.org/nl), and more languages, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). + +In 2024, we successfully fundraised to hire several full-time staff members, Em, Jordan, and Kevin; to help with content creation, community management, and video production. This has allowed us to expand our reach and provide more frequent updates to our audience. + +In 2025, we launched our [newsroom](https://www.privacyguides.org/news), providing timely articles on the latest developments in privacy and security. 
We also hired Nate as a Digital Content Producer to bring more consistency to our educational video content. + +We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## :material-license: Site License + +
+ +The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/README.md#license). + +
+ +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-sa: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-ShareAlike 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and share your work under the same license. + +You may comply with these terms in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. diff --git a/i18n/fi/about/contributors.md b/i18n/fi/about/contributors.md new file mode 100644 index 00000000..8170d38a --- /dev/null +++ b/i18n/fi/about/contributors.md 
@@ -0,0 +1,22 @@ +--- +title: Contributors +hide: + - toc +description: A complete list of contributors who have collectively made an enormous impact on the Privacy Guides project. +--- + + + +This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of **any** kind are welcome to be added to [this list](https://github.com/privacyguides/privacyguides.org/blob/main/.all-contributorsrc), including contributions to Privacy Guides outside this repo, and contributions that aren't content related (like sharing ideas for Privacy Guides, promoting the project, answering questions on the forum, etc.). + +| Emoji | Type | Description | +| ----- | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | +| 📖 | `doc` | A contributor to the content on [privacyguides.org](https://www.privacyguides.org/en). | +| 👀 | `review` | Someone who has taken the time to review [pull requests](https://github.com/privacyguides/privacyguides.org/pulls) to the site. | +| 📝 | `blog` | Someone who has written a [blog](https://blog.privacyguides.org) post for us. | +| 💬 | `question` | Someone who has been helpful when answering questions on our [forum](https://discuss.privacyguides.net) or Matrix channels. | +| 🌍 | `translation` | Someone who has contributed on [Crowdin](https://crowdin.com/project/privacyguides). | + +A huge thank you from Privacy Guides to the following wonderful people ([full emoji key](https://allcontributors.org/docs/en/emoji-key)). We also especially thank our dedicated community moderation team on Matrix and our forum: _Austin Huang_, _namazso_, _hik_, _riley_, and _Valynor_. + +\--8<-- "includes/contributors.md" diff --git a/i18n/fi/about/criteria.md b/i18n/fi/about/criteria.md new file mode 100644 index 00000000..d8f08fc7 --- /dev/null +++ b/i18n/fi/about/criteria.md 
@@ -0,0 +1,35 @@ +--- +title: General Criteria +description: A list of general priorities we consider for all submissions to Privacy Guides. +--- + +Below are some general priorities we consider for all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +- **Security**: Tools should follow security best practices wherever applicable. +- **Source Availability**: Open-source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform Availability**: We typically prefer recommendations to be cross-platform to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed. Unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users. An overly technical background should not be required. +- **Documentation**: Tools should have clear and extensive documentation for use. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must undergo our [self-submission process](https://discuss.privacyguides.net/t/about-the-project-showcase-category/114) as a way to engage with our community, address any potential concerns, and elicit any feedback that can help improve your project. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security white paper if it is a project that involves the handling of sensitive information like a messenger, password manager, encrypted cloud storage, etc. + - Regarding third party audit status, we want to know if you have undergone one, or have requested one. If possible please mention who will be conducting the audit. 
+ +- Must explain what the project brings to the table in regard to privacy. + - What new problem(s), if any, does it solve? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. Ideally, a developer should be able to identify what [common threat(s)](../basics/common-threats.md) their project protects against. diff --git a/i18n/fi/about/donate.md b/i18n/fi/about/donate.md new file mode 100644 index 00000000..467f051d --- /dev/null +++ b/i18n/fi/about/donate.md 
@@ -0,0 +1,193 @@ +--- +title: Donate +description: The charitable mission of Privacy Guides relies on contributions from visitors like yourself. Anything you can do to support the project is hugely appreciated. +--- + + +Support our mission to defend digital rights and spread the word about mass surveillance programs and other daily privacy invasions. You can help Privacy Guides researchers, activists, and maintainers create informative content, host private digital services, and protect privacy rights at a time when the world needs it most. + + +[:material-heart:{ .pg-red } Become a Member](https://donate.magicgrants.org/privacyguides/membership){ class="md-button md-button--primary" data-portal="signup" } + +[Become a Member (Cryptocurrency)](https://donate.magicgrants.org/privacyguides/membership){ class="md-button" } +[One-Time Donation](https://donate.magicgrants.org/privacyguides/donate/privacyguides){ class="md-button" } + + + +MAGIC Grants is our fiscal host, and their custom, open-source donation platform allows you to donate to our project with **Monero**, **Litecoin (MWEB)**, **Bitcoin**, or **debit/credit card**. You can also donate using [:simple-github: GitHub Sponsors](https://github.com/sponsors/privacyguides). + + + +## Foundations & Organizations + +=== "Current Supporters" + + Thank you to these organizations who significantly support Privacy Guides. (1) + { .annotate } + + 1. Please contact to inquire about giving. Privacy Guides reserves the right to rescind the membership of those who are unaligned with our mission or organization at any time. Organizational members have no ability to influence what content is recommended on the Privacy Guides website. Learn more about our [donation acceptance policy](donation-acceptance-policy.md). + +
+ + [![Power Up Privacy]](https://powerupprivacy.com){ rel=nofollow target=_blank title="Power Up Privacy" } + [![DeleteMe]](https://joindeleteme.com){ rel=nofollow target=_blank title="DeleteMe" } + + [Power Up Privacy]: ../assets/img/donors/power-up-privacy.webp + [DeleteMe]: ../assets/img/donors/deleteme.webp + +
+ +=== "Past Supporters" + + Thank you to these organizations who have substantially supported our project in the past. + + - [Safing](https://safing.io){ rel=nofollow target=_blank }: 2019 – 2021 + +## Active Members + +Privacy Guides would not be possible without these individuals who generously donate on a monthly or yearly basis. (1) +{ .annotate } + +1. If you [become a member](https://donate.magicgrants.org/privacyguides/membership) and [link your donation](https://discuss.privacyguides.net/t/getting-your-member-flair-on-the-forum/25453) to your forum account, you're automatically added here with a link to your profile and avatar to show your support for Privacy Guides. If you don't make your membership public on the forum, you'll be a silent +1. You can change your visibility any time. This chart is updated upon each website release. + +
+
+ +--8<-- "includes> +
+ + + +This is a list of our **active** [members](https://donate.magicgrants.org/privacyguides/membership), plus donors on GitHub, who have chosen to make their donation public. Hundreds more have donated in the past or privately, and their support is hugely appreciated as well. + + + +

+ Merchandise +

+ +

+ You can support us and share your passion for privacy by buying our merchandise from HelloTux. +

+ +

+ Buy on HelloTux.com{ class="md-button" } +

+ +

+ Non-Financial Support +

+ +

+ It takes a lot of people and work to keep Privacy Guides up to date and spread the word about privacy and mass surveillance. If you're looking for other ways to help out, consider getting involved by editing the site, joining our forum, or contributing translations. +

+ +

+ FAQ +

+ +

+ What is an organizational membership? +

+ +

+ Organizational membership to Privacy Guides is open to any company, private foundation, or organization that donates at least $5,000 per year. While Privacy Guides does not endorse private companies or their products, we're grateful for their contributions. Your donation may be tax-deductible, and we will provide you with a receipt. +

+ +

+ You can become an organizational member by reaching out to info@magicgrants.org for more information. +

+ +

+ How are organizational members recognized? +

+ +

+ Organizational members that choose to be recognized publicly are included in our organizational members section (above), and occasionally at other opportunities where appropriate. Organizational member links include the rel="nofollow" attribute: We adopted this policy to screen out potential abuse of our program and site to raise the rank of third parties in search algorithms. Unfortunately, this is a growing problem for nonprofits. This was a complex decision since we know many of the sincere supporters behind these companies, but we decided that it was the best choice for us. +

+ +

+ Organizational members have no ability to influence what content is recommended on the Privacy Guides website. Learn more about our donation acceptance policy. +

+ +

+ What is an active membership? +

+ +

+ Your monthly or yearly membership sustains Privacy Guides's services and public activism for privacy and cybersecurity year round. If you become a member, we will recognize your support here on our website, our community forum, and occasionally in other areas like our videos if you choose to make your membership publicly known. +

+ +

+ Our membership program is brand new, and we are still exploring other ways that we can share a token of our appreciation with you, while maintaining sustainable and ethical boundaries. Stay tuned! +

+ +

+ How does Privacy Guides use donations? +

+ +

+ Privacy Guides has been a nonstop effort for over 5 years to stay up to date with the world of cybersecurity and privacy, and to promote the benefits of privacy overall. This is a non-profit, community-driven project that would not be possible without the generous support of all our contributors, in addition to our regularly donating members above. +

+ +

+ Your donation go to a dedicated fund within MAGIC Grants, a 501(c)(3) organization and our fiscal host. The funds will only be used for this project specifically. +

+ +

+ You may qualify for a tax deduction. When you donate to us here with cryptocurrency or card you have the option to receive a receipt from MAGIC Grants for this purpose. If you have questions about other transactions please email info@magicgrants.org. +

+ +

+ We use donations for a variety of purposes, including: +

+ +
+
+ Payroll +
+ +
+

+ We have journalists, writers, and video creators on payroll to review products and create more educational content on a regular basis. This is a significant expense, and we are only able to create our quantity of content with your support. +

+
+ +
+ Web Hosting and Infrastructure +
+ +
+

+ Traffic to this website uses hundreds of gigabytes of data per month; we use a variety of service providers to keep up with this traffic. +

+
+ +
+ Online Services +
+ +
+

+ We host internet services for testing and showcasing different privacy-products we like and recommend. Some of them are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). +

+
+ +
+ Product Purchases +
+ +
+

+ We occasionally purchase products and services for the purposes of testing our recommended tools. +

+
+
+ +

+ Thank you to all those who support our mission! :material-heart:{ .pg-red } +

+ +

+ We strictly do not use donations to support political campaigns/candidates or attempt to influence legislation. Earnings will not inure to the benefit of any private shareholder or individual. +

diff --git a/i18n/fi/about/donation-acceptance-policy.md b/i18n/fi/about/donation-acceptance-policy.md new file mode 100644 index 00000000..7037dc75 --- /dev/null +++ b/i18n/fi/about/donation-acceptance-policy.md 
@@ -0,0 +1,58 @@ +--- +title: Donation Acceptance Policy +description: Privacy Guides aspires to obtain funding from a wide variety of sources to reduce our dependency on any single donor. Please consider donating! +--- + +Privacy Guides takes the ethical responsibility of making unbiased recommendations on its website very seriously. + +Privacy Guides aspires to obtain funding from a wide variety of sources to reduce our dependency on any single donor. Please consider [donating](donate.md)! + +## What we **can** accept + +In the course of our regular fundraising activities... + +- Donations and other forms of support will generally be accepted from individuals, corporations, foundations, or other entities, without limitations. + - This includes cash, cash equivalents (checks, money orders, credit/debit card payments), and cryptocurrency. +- Gifts of Real Property, Personal Property, or Securities may only be accepted upon approval of the MAGIC Grants board of directors. + +Privacy Guides will only accept such gifts that are legal and consistent with our policies. Gifts must not interfere with Privacy Guides' mission, purpose, and procedures. + +## Things we do **not** do + +- Accept sponsorships. +- Offer to recommend a product or service in exchange for a donation or other incentive. +- Threaten to remove a recommendation for a product or service unless we receive a donation or other incentive. +- Offer to expedite a review of a product or service in exchange for a donation or other incentive. +- Write sponsored content or feature sponsored components in our content. + +## Things we **may** do + +- Accept donations from privacy-related companies and non-profits. +- Apply for grant programs. +- Accept free versions of software or hardware to test and review, while being mindful of possible differences in versions that could differ from a regular customer experience. 
([More details](executive-policy.md#ep1-freely-provided-product-samples)) +- Accept discounted versions of software or hardware that assist our operations (for example, discounted software costs made available to non-profits). + +## Restrictions on gifts + +Privacy Guides accepts unrestricted gifts, and we appreciate the flexibility to apply your gift to our programs where they are most needed. + +We also accept and appreciate gifts for specified programs or purposes, provided that such gifts are consistent with our program's stated mission, purpose, and priority. Privacy Guides will not accept gifts which are too restrictive in purpose. + +Examples of gifts which are too restrictive include: + +- Those which fund the research and review of a specific product category or specific product. +- Those which violate our existing policies. +- Those which are too difficult for us to administer. +- Those that are for purposes outside our general mission. + +An example of an acceptable restriction could be a gift towards funding our [video](https://www.privacyguides.org/videos) production, or hosting our website and forum. + +Final decisions on the restrictive nature of a gift and its acceptance or refusal will be made by our executive committee. + +## Additional terms + +Privacy Guides generally does not pay "finder's fees" or commissions to third parties in connection with any gift to Privacy Guides. We may, however, pay commissions and fees to properly negotiate and receive assets when appropriate. + +No officer, committee member, employee, or other agent of Privacy Guides will be compensated in a manner which is dependent on the size or nature of gifts made to Privacy Guides by any person. If we engage with legal, accounting, or other professionals, their fees and expenses will be determined by the time they spend engaged with our work, and not by reference to any particular gift in connection to their retainer. 
+ +Privacy Guides always follows the MAGIC Grants Gift Acceptance Policy, available on their website: diff --git a/i18n/fi/about/executive-policy.md b/i18n/fi/about/executive-policy.md new file mode 100644 index 00000000..e7b93a36 --- /dev/null +++ b/i18n/fi/about/executive-policy.md 
@@ -0,0 +1,28 @@ +--- +title: Executive Policy +description: These are policies formally adopted by our executive committee, and take precedence over all other statements expressed on this website. +--- + +These are policies formally adopted by Privacy Guides' executive committee, and take precedence over all other statements expressed on this website. + +The keywords **must**, **must not**, **required**, **shall**, **shall not**, **should**, **should not**, **recommended**, **may**, and **optional** are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). + +## EP1: Freely-Provided Product Samples + +_Our policy on accepting product samples for review was adopted September 7, 2024._ + +\=== "Current Version (1)" + +``` +- Privacy Guides **shall not** proactively reach out to vendors asking for product samples or review accounts. +- Privacy Guides **shall not** accept test/review accounts for subscription cloud services. +- Privacy Guides **may** accept freely-provided product samples for one-time purchase software applications which run locally, given they don't require a subscription for continued operation. +- Privacy Guides **may** accept freely-provided samples of hardware products. + - Privacy Guides **may** accept a freely-provided subscription service associated with a hardware product, if such a subscription/license is necessary to use the product. +- Privacy Guides **must not** enter into an agreement pertaining to our editorial opinion with the vendor in order to receive a sample or publish a review. All freely-provided items must be strictly "no strings attached." + - We **may** agree to return the product to the vendor following the review if requested. + - We **may** agree to a reasonable NDA, provided it has a clear embargo date that is lifted no more than 6 months in the future where the NDA completely no longer applies. + - We **should not** enter into any other agreement with the vendor not described here. 
Potential agreements not described here **must** be approved by the executive committee beforehand. + +In all cases, whether we paid for the product independently or received a free sample from a vendor, how we obtained the product **must** be clearly documented in the background section of every article associated with the product. +``` diff --git a/i18n/fi/about/jobs.md b/i18n/fi/about/jobs.md new file mode 100644 index 00000000..598c21d2 --- /dev/null +++ b/i18n/fi/about/jobs.md @@ -0,0 +1,14 @@ +--- +title: Job Openings +description: Privacy Guides has a small, remote team of privacy researchers and advocates. Any open positions we may have in the future will be posted here. +--- + +Privacy Guides has a small, remote team of privacy researchers and advocates working to further our mission of protecting free expression and promoting privacy-respecting technology. As a non-profit, we are expanding very slowly to ensure the project is sustainable in the long term. All of our team members are listed [here](https://discuss.privacyguides.net/u?group=team&order=solutions&period=all). Please consider [donating](https://donate.magicgrants.org/privacyguides) to support our cause. + +We are occasionally looking for strong journalistic writers, product reviewers, and privacy experts to help us out, and any open positions will be posted below. + +--- + +## Open Positions + +There are no open positions at this time. diff --git a/i18n/fi/about/jobs/content-creator.md b/i18n/fi/about/jobs/content-creator.md new file mode 100644 index 00000000..acdbe3e6 --- /dev/null +++ b/i18n/fi/about/jobs/content-creator.md @@ -0,0 +1,72 @@ +--- +title: Content Creator +description: Privacy Guides is looking for a video producer and host for informative privacy-related content on YouTube and other platforms. +--- + +[:material-arrow-left-drop-circle: Job Openings](../jobs.md) + +
+

Position Closed

+ +Thank you for your interest in this position at Privacy Guides. At this time we are no longer accepting new applications, but please follow our [job openings](../jobs.md) page to learn about future opportunities. + +
+ +Are you passionate about privacy and cybersecurity? + +Privacy Guides is an international nonprofit dedicated to producing top-tier, unbiased educational content and journalism, and to fostering safe and informative online communities to discuss technical topics around improving personal privacy and cybersecurity. + +Privacy Guides is looking for a focused and motivated individual to be responsible for our social media presence from end to end, with a particular emphasis on video content. You must be comfortable being on camera to succeed in this role. + +This is a unique opportunity. Your primary goal will be to create and share privacy-based educational materials, without any motive to sell a product. If you truly value being able to create the best content that you can, and if you are passionate about privacy, then this position is for you! + +Your responsibilities will include, but aren’t limited to: + +- Scripting and hosting educational video content to be posted across various social media platforms. +- Video editing, production, and other backend work required to make successful content. +- Researching new topics to cover. +- Regular, daily posting to text-based social media platforms like Mastodon. +- Regular posting of highly educational video content to social media platforms. +- Compiling news sources for and hosting a weekly news recap (livestreamed) podcast on our YouTube channel. +- Regularly communicating with the Privacy Guides committee and other team members. + +This is a highly individualized role, and we are extremely interested in hearing your ideas on how you’ll find success and make this role your own. You will be responsible for handling virtually every aspect of this role without regular supervision, so being highly self-motivated is a must. 
+ +As a guideline, we expect your video output to be roughly 1 video and 1 _This Week In Privacy_ livestream per week, since we think most videos which meet our quality standards will be a multi-day process to research and script, in addition to a day for recording and editing. We realize some videos can be completed more quickly, while others may take multiple weeks or longer before publishing. You will be empowered to use your best judgement and prioritize your work accordingly. + +Job requirements: + +- Excellent organization and communication skills. +- Flexibility to set and respond to varying priorities and deadlines. +- Proactive, results-driven mindset with a strong sense of initiative. +- Comfortable being on camera, and working with video production equipment. +- Personal interest in consumer privacy, cybersecurity, and technology. +- Skeptical nature and drive to investigate difficult, often niche, technologies. You will need to evaluate the truthfulness of claims. + +The following qualifications will be an asset to your application. However, we are looking for the best candidate (which isn’t always apparent on paper!), so please apply even if you don’t meet any/many of these qualifications. + +- Previous YouTube or other video creation experience. +- Previous social media management experience. +- Education in English, journalism, media production, or any other related fields. +- Fluency in Spanish, French, Portuguese, or other languages. +- Familiarity with Privacy Guides' communities, culture, and mission. +- A solid understanding of the latest trends/culture on YouTube & TikTok. +- Located between UTC-08:00 and UTC-04:00 time zones. +- At least basic familiarity with GitHub, including pull requests, branches, reviews, and issues. + +The ideal candidate can commit to this role on a full-time basis (40 hours / week), but we are open to discussing a schedule you suggest. + +For this position, our hiring pay range falls between \$20-$25 / hour USD. 
The base pay may vary depending on job related qualifications such as knowledge, skills, and experience. Our compensation structure is rooted in a performance and merit based approach that acknowledges performance of both the individual and the project as a whole. + +--- + +
+

Position Closed

+ +Thank you for your interest in this position at Privacy Guides. At this time we are no longer accepting new applications, but please follow our [job openings](../jobs.md) page to learn about future opportunities. + +
+ +Privacy Guides is fiscally hosted by [MAGIC Grants](https://magicgrants.org), a 501(c)(3) public charity. MAGIC Grants is an equal opportunity employer. MAGIC Grants does not discriminate against any applicant or employee because of age, color, sex, disability, national origin, race, religion, sexual orientation, sexual identity, veteran status, or other protected characteristic. + +We respect your privacy. After this position is filled, your application will be deleted. Your application will not be shared with third parties. diff --git a/i18n/fi/about/jobs/intern-news.md b/i18n/fi/about/jobs/intern-news.md new file mode 100644 index 00000000..0ee6965c --- /dev/null +++ b/i18n/fi/about/jobs/intern-news.md @@ -0,0 +1,54 @@ +--- +title: Intern (Community & News) +description: Privacy Guides is looking for an intern to discover and promote relevant news content on our platform, and to moderate and engage with our online communities. +--- + +[:material-arrow-left-drop-circle: Job Openings](../jobs.md) + +
+

Position Closed

+ +Thank you for your interest in this position at Privacy Guides. At this time we are no longer accepting new applications, but please follow our [job openings](../jobs.md) page to learn about future opportunities. + +
+ +Are you passionate about privacy and cybersecurity? + +Privacy Guides is an international nonprofit dedicated to producing top-tier, unbiased educational content and journalism, and to fostering safe and informative online communities to discuss technical topics around improving personal privacy and cybersecurity. + +This role is focused on interacting with our community members and answering their questions, keeping our online communities safe and constructive, and sharing thoughtful and informative news stories from around the internet for community discussion. + +Responsibilities will include: + +- Regularly interacting with our forum and other communities. +- Responding to moderation complaints/flags within our communities. +- Reading news stories from a variety of publications and generally staying up to date with the latest news in the privacy and cybersecurity space. +- Regularly posting interesting news stories and other topics you discover in our communities for discussion. +- Assisting our other staff and volunteers with research, writing, video production, and editing. +- Assisting with Privacy Guides' advocacy efforts. +- Remaining polite and fact-focused. + +No prior experience is necessary. We are looking for people passionate about privacy, cybersecurity, journalism, and community management regardless of your GPA or background. + +The following will be assets to your application, but please submit an application even if they don't apply to you: + +- Familiarity with Privacy Guides' communities, culture, and mission. +- Previous experience with social media management and/or journalism. +- Located between UTC-08:00 and UTC-04:00 time zones. + +This is a part-time, 10-20 hour per week role depending on your availability. We can work around your schedule and other obligations. 
+ +This is a 6-month contract paying $15 / hour USD, with the optional opportunity for renewal or a longer-term role depending on your personal goals and the project's outcome. The specific starting and ending dates are flexible. + +--- + +
+

Position Closed

+ +Thank you for your interest in this position at Privacy Guides. At this time we are no longer accepting new applications, but please follow our [job openings](../jobs.md) page to learn about future opportunities. + +
+ +Privacy Guides is fiscally hosted by [MAGIC Grants](https://magicgrants.org), a 501(c)(3) public charity. MAGIC Grants is an equal opportunity employer. MAGIC Grants does not discriminate against any applicant or employee because of age, color, sex, disability, national origin, race, religion, sexual orientation, sexual identity, veteran status, or other protected characteristic. + +We respect your privacy. After this position is filled, your application will be deleted. Your application will not be shared with third parties. diff --git a/i18n/fi/about/jobs/journalist.md b/i18n/fi/about/jobs/journalist.md new file mode 100644 index 00000000..06d8c71e --- /dev/null +++ b/i18n/fi/about/jobs/journalist.md @@ -0,0 +1,73 @@ +--- +title: Journalist +description: Privacy Guides is looking for a determined and focused journalist to research and write stories from the privacy and cybersecurity space on a regular basis. +--- + +[:material-arrow-left-drop-circle: Job Openings](../jobs.md) + +
+

Position Closed

+ +Thank you for your interest in this position at Privacy Guides. At this time we are no longer accepting new applications, but please follow our [job openings](../jobs.md) page to learn about future opportunities. + +
+ +Are you passionate about privacy and cybersecurity? + +Privacy Guides is an international nonprofit dedicated to producing top-tier, unbiased educational content and journalism, and to fostering safe and informative online communities to discuss technical topics around improving personal privacy and cybersecurity. + +We are looking for a determined and focused journalist to join our team. As a reporter for our organization, you will conduct research, interview sources, and write engaging stories in the field of consumer privacy and cybersecurity. + +Our ideal candidate is committed to combating misinformation and clearly communicating stories on a timely basis, and dedicated to producing top-tier, unbiased journalism. + +Privacy Guides is a small, largely volunteer-driven nonprofit media organization, and we do not currently have a dedicated writing and editing team. As such, you will be expected to take charge of the entire writing process from beginning to publication. You will have the freedom to choose which topics to cover and set a schedule to release articles on our main website. + +\==Our primary mission is to publish the highest quality content surrounding consumer privacy and cybersecurity on the internet==, not the highest quantity of stories. You will be empowered to dive deep into the topics you are writing about, and expected to meet our high quality and editorial standards. + +Your responsibilities will include, but aren’t limited to: + +- Creating high-quality articles for our [knowledge base](../../basics/why-privacy-matters.md). +- Performing product reviews for our [reviews](https://www.privacyguides.org/articles/category/reviews) section and [tool recommendations](../../tools.md). +- Researching new topics to cover. +- Interviewing and fact-checking all relevant sources. +- Regular posting of high-quality, unbiased journalistic content across our platforms. 
+ +As a guideline, we expect roughly 3-5 articles a week that meet our quality standards, since we believe a well-researched article will take at least 8 hours to research and write on average. We realize some articles can be completed quickly, while others may take weeks or longer before publishing. You will be empowered to use your best judgement and prioritize your work accordingly. + +We are much more interested in articles that deeply cover a subject area than articles that cover the news of the day. + +Job requirements: + +- Excellent organization and communication skills. +- Expertise in English and writing. +- Flexibility to set and respond to varying priorities and deadlines. +- Proactive, results-driven mindset with a strong sense of initiative. +- Personal interest in consumer privacy, cybersecurity, and technology. +- Regular communication with the Privacy Guides committee and other team members. +- Skeptical nature and drive to investigate difficult, often niche, technologies. You will need to evaluate the truthfulness of claims. + +The following qualifications will be an asset to your application. However, we are looking for the best candidate (which isn’t always apparent on paper!), so please apply even if you don’t meet any/many of these qualifications. + +- Previous writing or journalism experience. +- Previous product review experience. +- Education in English, journalism, media production, or any other related fields. +- Familiarity with Privacy Guides' communities, culture, and mission. +- Located between UTC-08:00 and UTC-04:00 time zones. +- At least basic familiarity with GitHub, including pull requests, branches, reviews, and issues. + +The ideal candidate can commit to this role on a full-time basis (40 hours / week), but we are open to discussing a schedule you suggest. + +For this position, our hiring pay range falls between \$20-$25 / hour USD. 
The base pay may vary depending on job related qualifications such as knowledge, skills, and experience. Our compensation structure is rooted in a performance and merit based approach that acknowledges performance of both the individual and the project as a whole. + +--- + +
+

Position Closed

+ +Thank you for your interest in this position at Privacy Guides. At this time we are no longer accepting new applications, but please follow our [job openings](../jobs.md) page to learn about future opportunities. + +
+ +Privacy Guides is fiscally hosted by [MAGIC Grants](https://magicgrants.org), a 501(c)(3) public charity. MAGIC Grants is an equal opportunity employer. MAGIC Grants does not discriminate against any applicant or employee because of age, color, sex, disability, national origin, race, religion, sexual orientation, sexual identity, veteran status, or other protected characteristic. + +We respect your privacy. After this position is filled, your application will be deleted. Your application will not be shared with third parties. diff --git a/i18n/fi/about/notices.md b/i18n/fi/about/notices.md new file mode 100644 index 00000000..a98db0bb --- /dev/null +++ b/i18n/fi/about/notices.md 
@@ -0,0 +1,52 @@ +--- +title: "Notices and Disclaimers" +description: Information about our website license, acceptable use policy, and other important details. +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open-source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +
+ +The following is a human-readable summary of (and not a substitute for) the [license](https://github.com/privacyguides/privacyguides.org/blob/main/README.md#license). + +
+ +Unless otherwise noted, all **content** on this website is released under the [Creative Commons Attribution-ShareAlike 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE). This means that you can use the human-readable content on this website for your own project, as long as you give appropriate credit to [Privacy Guides](https://www.privacyguides.org) including a link where technically possible, and you release your project under the same license. You may not do so in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides brand trademarks in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in the Privacy Guides code repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* The [Bagnard](https://github.com/privacyguides/brand/tree/67166ed8b641d8ac1837d0b75329e02ed4056704/fonts/Bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/67166ed8b641d8ac1837d0b75329e02ed4056704/fonts/Bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/67166ed8b641d8ac1837d0b75329e02ed4056704/fonts/Public%20Sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/67166ed8b641d8ac1837d0b75329e02ed4056704/fonts/Public%20Sans/LICENSE.txt). 
+* The [DM Mono](https://github.com/privacyguides/brand/tree/67166ed8b641d8ac1837d0b75329e02ed4056704/fonts/DM%20Mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/67166ed8b641d8ac1837d0b75329e02ed4056704/fonts/DM%20Mono/LICENSE.txt). + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. 
+ +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0).* diff --git a/i18n/fi/about/privacytools.md b/i18n/fi/about/privacytools.md new file mode 100644 index 00000000..ae035f3d --- /dev/null +++ b/i18n/fi/about/privacytools.md 
@@ -0,0 +1,117 @@ +--- +title: "PrivacyTools FAQ" +description: The real story behind the team transition from privacytools.io to privacyguides.org +--- + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. 
The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. 
+ +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. 
This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the Subreddit. The Subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the Subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://reddit.com/comments/o9tllh) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that Subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. 
For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://blog.privacyguides.org/2021/09/14/welcome-to-privacy-guides) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to `www.privacyguides.org`, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://reddit.com/comments/pnhn4a) + +- Redirecting `www.privacytools.io` to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our Subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. 
+ +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://reddit.com/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from `www.privacytools.io` to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO Subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://reddit.com/comments/pymthv/comment/hexwrps) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. 
BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our Subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open-source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. 
+ +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both Subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://reddit.com/comments/qk7qrj) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It's not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It's unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning Subreddit control to his account in [violation](https://reddit.com/r/redditrequest/wiki/top_mod_removal) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the Subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. 
Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing `jonah@triplebit.net`. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. 
+ +- [June 28, 2021 request for control of r/privacytoolsIO](https://reddit.com/comments/o9tllh) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://reddit.com/pnql46) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://reddit.com/comments/pymthv/comment/hexwrps) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://reddit.com/comments/tuo7mm/comment/i35kw5a) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/fi/about/services.md b/i18n/fi/about/services.md new file mode 100644 index 00000000..06d67cd5 --- /dev/null +++ b/i18n/fi/about/services.md 
@@ -0,0 +1,33 @@ +- - - +description: We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. +- - - + +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2){ class="md-button md-button--primary" } + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only. Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only. Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) diff --git a/i18n/fi/about/statistics.md b/i18n/fi/about/statistics.md new file mode 100644 index 00000000..bda81093 --- /dev/null +++ b/i18n/fi/about/statistics.md 
@@ -0,0 +1,18 @@ +--- +title: Traffic Statistics +description: We self-host Umami to create a nice visualization of our traffic statistics, which are made public here. +--- + + + +We self-host [Umami](https://umami.is) to create a nice visualization of our traffic statistics, which are public at the link below. + +[View Statistics](https://stats.triplebit.net/share/S80jBc50hxr5TquS/www.privacyguides.org){ .md-button .md-button--primary } + +With this process: + +- Your information is never shared with a third party, it stays on servers we control +- Your personal data is never saved, we only collect data in aggregate +- No client-side JavaScript is used + +Because of these facts, keep in mind our statistics may be inaccurate. It is a useful tool to compare different dates with each other and analyze overall trends, but the actual numbers may be far off from reality. In other words they're _precise_ statistics, but not _accurate_ statistics. diff --git a/i18n/fi/activism/index.md b/i18n/fi/activism/index.md new file mode 100644 index 00000000..babe728a --- /dev/null +++ b/i18n/fi/activism/index.md 
@@ -0,0 +1,29 @@ +--- +title: "Privacy Activism" +meta_title: "Guides and Tools for Privacy Activists" +description: Privacy Guides' Activism section contains tools to support the community in its privacy advocacy and activism effort, both for individuals and organizations. +hide: + - toc + - footer +cover: activism/banner-activism.webp +--- + +The **Guides and Tools for Privacy Activists** project from [_Privacy Guides_](../about.md) offers a new way to empower the digital rights community. + +This section contains information to help you become a better defender of privacy rights, both for individuals and organizations. + +## We must fight for privacy rights collectively + +Fighting to improve our privacy cannot _only_ be a matter of individual protections. + +When [regulations keep attacking](https://www.privacyguides.org/articles/2025/09/08/chat-control-must-be-stopped/) the tools and services we rely on to protect our personal information, when corporations [exploit our data](../basics/common-threats.md/#surveillance-as-a-business-model) more aggressively every day, and when platforms exponentially [erode online pseudonymity](https://www.privacyguides.org/articles/2025/10/15/real-name-policies/), we must broaden our reach to fight for our rights. + +\==For privacy to become a valued and respected human right, we must work together== to defend privacy rights as a community. + +This section will progressively grow with more tools to support the community in its privacy advocacy and activism effort. The Privacy Activist Toolbox is the first part of this new development. + +
+ +[:fontawesome-solid-toolbox:{ .toolbox-button-icon } Privacy Activist Toolbox](toolbox/index.md){ .toolbox-button .toolbox-bg } + +
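Review bot: In the PrivacyTools FAQ hunk, under "Community Call to Action", the new name is said to be chosen "on 2nd August 2022", but the same sentence dates the announcement to the end of July 2021 and the following section dates the migration announcement to September 14th, 2021. The year looks like a typo for 2021 and should be checked against the linked form before merging. In "Following Events", "(further information below)" should also be checked, since the section titled "Control of r/privacytoolsIO" sits above that paragraph and only "r/privacytoolsIO Now" follows it.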
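Review bot: In i18n/fi/about/services.md the front matter is delimited with `- - -` on both sides of the `description:` line, while the other files in this patch use `---`. `- - -` is a Markdown thematic break, not a YAML front matter delimiter, so the description will be treated as body text between two rules and the page gets no description metadata. Change both delimiters to `---`, and consider adding a `title:` key as the sibling pages do. The file is also added under i18n/fi/ while every added line is English; if the untranslated source is committed as a placeholder, the commit message should say so.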
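Review bot: The highlighted sentence in i18n/fi/activism/index.md opens with an escaped `\==` but closes with a bare `==`, so the two markers will not pair up and the highlight is likely to render as literal characters; the FAQ file in this patch uses unescaped `==...==`. In the same hunk, the link `../basics/common-threats.md/#surveillance-as-a-business-model` has a `/` between `.md` and the fragment, which points at a path below common-threats.md rather than at the file itself; drop the slash so the target reads `../basics/common-threats.md#surveillance-as-a-business-model`.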
diff --git a/i18n/fi/activism/toolbox/index.md b/i18n/fi/activism/toolbox/index.md new file mode 100644 index 00000000..bbf08c5f --- /dev/null +++ b/i18n/fi/activism/toolbox/index.md @@ -0,0 +1,451 @@ +--- +title: "Privacy Activist Toolbox" +description: The Privacy Activist Toolbox is a unique resource with tips for anyone interested in becoming a better privacy rights activist, or anyone who wants to start. +hide: + - feedback +cover: activism/banner-activism-toolbox.webp +--- + +The **Privacy Activist Toolbox** is a resource for anyone interested in becoming a better privacy rights activist, or anyone who wants to start advocating for privacy rights. + +This page is also a resource to help digital rights organizations that would like to expand their work focusing on privacy. + +:material-cursor-default-click: By clicking on any of the tips listed on this page, you can access more information on each topic, as well as additional resources to support your advocacy. + +--- + +## Toolbox Compartments + +
+ +[:fontawesome-solid-scale-balanced:{ .toolbox-button-icon } Check
Your Laws](#check-your-laws){ .toolbox-button .toolbox-bg-legal } + +[:fontawesome-solid-toolbox:{ .toolbox-button-icon } Choose
Your Tools](#choose-your-tools){ .toolbox-button .toolbox-bg-tools } + +[:fontawesome-solid-users-rays:{ .toolbox-button-icon } Expand Your
Perspective](#expand-your-perspective){ .toolbox-button .toolbox-bg-perspective } + +[:fontawesome-solid-hands-holding-circle:{ .toolbox-button-icon } Support The
Community](#support-the-community){ .toolbox-button .toolbox-bg-community } + +[:fontawesome-solid-handshake-angle:{ .toolbox-button-icon } Build
Alliances](#build-alliances){ .toolbox-button .toolbox-bg-alliances } + +[:fontawesome-solid-heart-circle-check:{ .toolbox-button-icon } Make It
Accessible](#make-it-accessible){ .toolbox-button .toolbox-bg-accessibility } + +[:fontawesome-solid-star:{ .toolbox-button-icon } Uphold
Integrity](#uphold-integrity){ .toolbox-button .toolbox-bg-integrity } + +[:fontawesome-solid-heart:{ .toolbox-button-icon } Stay
Persistent](#stay-persistent){ .toolbox-button .toolbox-bg-persistence } + +[:fontawesome-solid-hand-fist:{ .toolbox-button-icon } Take
Action!](#take-action){ .toolbox-button .toolbox-bg-action } + +
+ +--- + +## Check Your Laws + + + + + + + + + +
+ +## Choose Your Tools + + +
+ +### 1. Beware of privacy snake oil + +![Poison symbol icon](../../assets/img/activism/icons/icon-tips/icon-tips-snakeoil.webp){class="toolbox-tip-icon"} + +In your privacy advocacy, it's essential to use and recommend tools that reliably protect privacy. For this, you need to investigate and remain highly skeptical of any dangerous or unproven marketing claims. Learn more about how to evaluate privacy claims and recommend tools that are trustworthy. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 2. Migrate outside the surveillance ecosystem + +![Arrow pointing out of a square icon](../../assets/img/activism/icons/icon-tips/icon-tips-migrate.webp){class="toolbox-tip-icon"} + +As privacy activists, it's important to not only support the tools and organizations with good privacy practices, but to also lead by example when it comes to moving away from the surveillance ecosystem. Learn more about why and how to move away from "Big Tech" and embrace alternatives. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 3. Improve your social media and build resilient communities + +![Octagon icon](../../assets/img/activism/icons/icon-tips/icon-tips-plant.webp){class="toolbox-tip-icon"} + +Commercial social media platforms represent one of the biggest sources of data exploitation. By staying active on these platforms we continue to feed the beast, and indirectly support their invasion of our privacy rights. Learn more about how to minimize your presence there, and slowly build better social networks. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ +
+ +## Expand Your Perspective + + +
+ +### 1. Don't stop at individual solutions, consider the collective impact + +![People with radiating lines icon](../../assets/img/activism/icons/icon-tips/icon-tips-expand.webp){class="toolbox-tip-icon"} + +When we think about our privacy, we often focus on the technical tools we can use. While this is indeed an important component, it's crucial not to lose sight of how regulations and invasive practices impact us collectively. Learn more about how to expand your perspective on data privacy. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 2. Keep in mind the whole landscape + +![Globe icon](../../assets/img/activism/icons/icon-tips/icon-tips-landscape.webp){class="toolbox-tip-icon"} + +Privacy isn't just about the tools, the laws, or the practices of any individual or organization. To move our society in a place where everyone benefits from privacy by default, we must consider technologies, laws, and culture holistically. Learn more about remembering to consider the whole landscape. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 3. Consider everyone's unique situation + +![People with line over and under icon](../../assets/img/activism/icons/icon-tips/icon-tips-everyone.webp){class="toolbox-tip-icon"} + +Everyone has different needs and faces different dangers when their personal data is exposed. To give actionable privacy advice and recommendations, it's essential to keep in mind everyone's unique situation. Learn more about better evaluating each person's threat model. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ +
+ +## Support The Community + + +
+ +### 1. Lift your allies up + +![Two hands icon](../../assets/img/activism/icons/icon-tips/icon-tips-lift.webp){class="toolbox-tip-icon"} + +At times, it might feel like the privacy community is niche and isolated. The battle for privacy rights is difficult, and its defenders are often scattered. This is why it's essential that we support and uplift each other at every opportunity. Learn more about how to lift your allies up and grow the movement. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 2. Support your privacy comrades + +![Hand holding a heart icon](../../assets/img/activism/icons/icon-tips/icon-tips-support.webp){class="toolbox-tip-icon"} + +Fighting for privacy rights is a collective endeavor. You cannot do it alone. Anyone around you contributing is fighting the same battle by your side. This battle can be difficult and isolating at time. This is why it's critical to care for each other. Learn more about how you can support your privacy comrades. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+ + +
+ +### 3. Be kind to people, but be relentless with institutions + +![Two hands holding a sphere icon](../../assets/img/activism/icons/icon-tips/icon-tips-kind.webp){class="toolbox-tip-icon"} + +Kindness is essential for privacy advocates. To grow our movement, we must meet people from a place of camaraderie. People don't change their mind by being berated. However, this isn't true for institutions. Learn more about how to integrate kindness in your work, while being relentless with institutions. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ +
+ +## Build Alliances + + +
+ +### 1. Start alliances, not wars + +![handshake icon](../../assets/img/activism/icons/icon-tips/icon-tips-alliances.webp){class="toolbox-tip-icon"} + +The privacy community consists of a patchwork of individuals and organizations that sometimes hold quite different views. When these divergences lead to infighting, we need to ask how these internal wars are impacting our community negatively. Learn more about how to start alliances instead of wars. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 2. Value allies with expertise complementary to yours + +![Sphere with half dark half light icon](../../assets/img/activism/icons/icon-tips/icon-tips-complement.webp){class="toolbox-tip-icon"} + +In privacy, like everywhere else, diversity is a strength. If you want your community to have a broad understanding of threat models, and be able to fight on multiple levels, you need to value a diversity of expertises. Learn more about recognizing, respecting, and retaining experts with skills different to yours. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 3. Give credit where credit is due + +![Thumbs up icon](../../assets/img/activism/icons/icon-tips/icon-tips-credit.webp){class="toolbox-tip-icon"} + +To succeed, we must support each other. A good way to do this is to never forget to give credit where credit is due. When another advocate or organization says something you agree with, boost them up, spread their reach, and thank them publicly. Learn more about making your allies feel seen and valued. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ +
+ +## Make It Accessible + + +
+ +### 1. Welcome beginners + +![Person with plus sign icon](../../assets/img/activism/icons/icon-tips/icon-tips-beginner.webp){class="toolbox-tip-icon"} + +For our privacy rights movement to grow, we must bring more people in. To accomplish this, it's fundamental to discuss privacy in ways that are accessible to newcomers who aren't familiar with basic concepts yet. Learn more about improving your advocacy work to make it more approachable to beginners. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 2. Keep your posts and community inclusive + +![Heart with plus sign icon](../../assets/img/activism/icons/icon-tips/icon-tips-inclusivity.webp){class="toolbox-tip-icon"} + +Inclusivity is not only the right thing to do, it's also essential to grow our movement. If we want privacy rights to succeed, it's imperative that we build communities where _everyone_ feels safe and welcomed, regardless of who they are. Learn more about keeping your communications and communities inclusive. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 3. Be mindful of accessibility + +![Heart with checkmark icon](../../assets/img/activism/icons/icon-tips/icon-tips-accessibility.webp){class="toolbox-tip-icon"} + +Accessibility is indispensable to inclusivity, and should always be a priority in our work. To make our privacy communities welcoming to all, accessibility cannot be an afterthought. We must integrate it in our practice from the start. Learn more about improving the accessibility of your privacy work. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 4. Make it cute + +![Cat icon](../../assets/img/activism/icons/icon-tips/icon-tips-cute.webp){class="toolbox-tip-icon"} + +If you are developing a privacy-focused application or website, do not neglect the design aspect of it. This is a common mistake that can have a significant negative impact on adoption by a general audience. Learn more about making your design appealing and accessible to all. Make it cute! + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ +
+ +## Uphold Integrity + + +
+ +### 1. Refuse to participate + +![Circle with x icon](../../assets/img/activism/icons/icon-tips/icon-tips-refuse.webp){class="toolbox-tip-icon"} + +As privacy advocates and activists, it's important to be a voice for resistance and take a stand against abusive practices. One substantial way to do this is to refuse to participate in privacy-intrusive requests, or use invasive software. Learn more about refusing to comply with privacy-abusive practices. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 2. Stay true to your principles + +![Star icon](../../assets/img/activism/icons/icon-tips/icon-tips-principles.webp){class="toolbox-tip-icon"} + +If you manage a digital rights group or organization, make sure you aren't subjecting your contributors to the very privacy-invasive tech you're fighting against. Sadly, it's not rare to see communities that aren't following their own advice for internal practices. Learn more about the importance of maintaining integrity _internally_ as well as externally. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 3. Protect your allies + +![Shield with heart icon](../../assets/img/activism/icons/icon-tips/icon-tips-protect.webp){class="toolbox-tip-icon"} + +Through your privacy work, be careful to never collect or share the data of others without their explicit consent. It's crucial to protect your allies' data in all that you do, whether that's individual action or organizational leadership. Learn more about safeguarding the data of your privacy comrades. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ +
+ +## Stay Persistent + + +
+ +### 1. Small actions matter + +![Puzzle piece icon](../../assets/img/activism/icons/icon-tips/icon-tips-small.webp){class="toolbox-tip-icon"} + +There is so much to do in the movement for better privacy rights. So much, that it's sometimes easy to feel discouraged when facing the scale of what's left to accomplish. But everything helps, and even the smallest action counts. Learn more about why every action and every victory matters, no matter how small. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 2. Take time to rest, but come back to fight with us + +![Low battery icon](../../assets/img/activism/icons/icon-tips/icon-tips-rest.webp){class="toolbox-tip-icon"} + +The battle for privacy rights will be a long one. This isn't a sprint, it's a marathon. If you want to be a good advocate, you _must_ take the time to rest when needed. Burning out isn't an option, we cannot afford to lose your precious contribution! Learn more about why it's fundamental to learn to rest when you need it. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ +
+ +## Take Action! + + +
+ +### 1. Engage, boost, and contribute + +![Megaphone icon](../../assets/img/activism/icons/icon-tips/icon-tips-engage.webp){class="toolbox-tip-icon"} + +Once you have the knowledge, motivation, and energy, it's time to act! Perhaps you've read all of these tips, or read through our Knowledge Base already! But you don't need to know that much about privacy to start contributing. Learn more about how to start being a privacy activist. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ + +
+ +### 2. Level up! Assemble and organize + +![Raised fist icon](../../assets/img/activism/icons/icon-tips/icon-tips-organize.webp){class="toolbox-tip-icon"} + +If you've been a privacy advocate for a while, maybe it's time to level up and grow as a leader in your community. Becoming a leader can mean starting a local group, or initiating bigger projects online. Learn more about how to become a _good_ leader in the privacy rights movement. + +Learn More :material-arrow-right-drop-circle: +{align=right} + +
+
+ +
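Review bot: under "### 1. Refuse to participate", the sentence "refuse to participate in privacy-intrusive requests, or use invasive software" can be read as advice to use invasive software, because "use" is not clearly governed by "refuse". Suggest "refuse to participate in privacy-intrusive requests or to use invasive software". Under "### 2. Take time to rest, but come back to fight with us", "Burning out isn't an option, we cannot afford to lose your precious contribution!" is a comma splice; split it into two sentences or use a semicolon.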
diff --git a/i18n/fi/activism/toolbox/tip-be-kind-to-people-but-be-relentless-with-institutions.md b/i18n/fi/activism/toolbox/tip-be-kind-to-people-but-be-relentless-with-institutions.md new file mode 100644 index 00000000..5101b452 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-be-kind-to-people-but-be-relentless-with-institutions.md 
@@ -0,0 +1,52 @@ +--- +title: Be Kind to People, But Be Relentless With Institutions +description: Kindness and patience are essential qualities for privacy advocates. To grow our movement, we must meet people from a place of camaraderie. +icon: fontawesome/solid/hands-holding-circle +cover: activism/banner-toolbox-tip-kind.webp +--- + +Kindness and patience are essential qualities for privacy advocates. To grow our movement, we must meet people from a place of camaraderie. People don't change their mind by being berated. However, this isn't true for institutions. + +Here's how you can **integrate kindness in your work**, while being relentless with institutions: + +## Use kindness and patience while working with individuals + +Whenever you talk with individuals in your privacy work, make sure to **stay kind and calm** when communicating with them. + +Perhaps you are posting on social media, replying to posts or emails, answering questions after a talk, or writing advices on the best privacy tools to use. No matter the context, when communicating with individuals, ==kindness is your greatest asset== to persuade and bring more people to the movement. + +Sadly, it's not rare to see replies to beginners' posts by more advanced peers online that are humiliating and berating their uninformed or misinformed questions. People don't learn and don't change their mind by being yelled at. Aggression isn't an effective way to communicate. + +Furthermore, aggression is a horrible strategy to bring more people to your cause, which should be your ultimate goal as a privacy rights advocate and activist. + +Instead, be gentle and [develop your empathy skills](https://www.verywellmind.com/what-is-empathy-2795562). Write from a place of compassion, to gradually attract more and more [new people](tip-welcome-beginners.md) to the cause. + +Stay patient and compassionate, even when people ask questions that might sound obvious to you. 
Be patient when people don't understand the first time you explain something. Happily clarify with simpler terms when needed, without being condescending. + +Accept that some people might not be able to adopt all of your suggestions at once. It's okay, let them grow at their own pace. + +Give time for ideas to brew and change minds. Plant seeds for change, and gently wait for growth. + +## Be relentless with corporations, governments, and public institutions + +While patience and kindness are crucial to bring your message the right way to individuals, institutions do not function the same way. + +Whether you are trying to report a privacy-abusive corporate practice, push back against an invasive regulation proposal, or raise awareness about a public institution's privacy malpractices, you must be firm, loud, and determined. + +Respect and politeness are vital here as well. Violence or threat to representatives of these institutions would only be detrimental to your goals. However, patience shouldn't be extended to privacy-abusive organizations that aren't demonstrating any realistic intentions to improve. + +\==To bring significant changes to institutions and corporations, your message must be loud and clear.== + +You should try to bring as many people and allied organizations to your cause, and be as loud as possible in the media. Your campaign must be powerful enough to grab media's attention, and to send a firm message that the people want change and will not back down. + +Each time your message is ignored, and the abuse continues, **shout louder** (metaphorically). Bring even _more_ people to the cause, until the popular discontent is so strong that they have no choice but to stop the abuse. 
+ +## More resources + +- [Rich resource for campaign strategy and community organizing (The Commons Social Change Library)](https://commonslibrary.org/) + +- [Campaign canvas template (Mobilisation Lab)](https://mobilisationlab.org/resources/campaign-canvas/) + +- [Campaigning guides for activists (Activist Handbook)](https://activisthandbook.org/) + +- [How to do public speaking for activism (Activist Handbook)](https://activisthandbook.org/communication/public-speaking) diff --git a/i18n/fi/activism/toolbox/tip-be-mindful-of-accessibility.md b/i18n/fi/activism/toolbox/tip-be-mindful-of-accessibility.md new file mode 100644 index 00000000..12757662 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-be-mindful-of-accessibility.md 
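Review bot: in tip-be-kind-to-people-but-be-relentless-with-institutions.md, the highlighted sentence in the institutions section opens with an escaped marker, `\==To bring significant changes to institutions and corporations, your message must be loud and clear.==`, so the leading `==` will be treated as literal characters instead of starting a highlight, unlike `==kindness is your greatest asset==` earlier in the same file. Drop the backslash. In the same hunk, "writing advices" should be "writing advice". The file is also added under i18n/fi/ with an English body, so confirm it is meant to land untranslated.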
@@ -0,0 +1,166 @@ +--- +title: Be Mindful of Accessibility +description: Accessibility should always be a priority in our work. To make our privacy communities welcoming to all, we must integrate it in our practice from the start. +icon: fontawesome/solid/heart-circle-check +cover: activism/banner-toolbox-tip-accessibility.webp +--- + +**Accessibility** is indispensable to [inclusivity](tip-keep-your-posts-and-community-inclusive.md), and should always be a priority in our work. To make our privacy communities welcoming to all, accessibility cannot be an afterthought. We must integrate it in our practice from the start. This means making sure the languages, visuals, tools, and venues we use are accessible to as many people as possible. + +Here's what you can do to improve accessibility for your privacy-related content and communities: + +## Accessibility for all, in all the ways + +For many people who don't need any specific accommodations, accessibility is often only thought about in terms of solutions to _mobility_ impairments, such as for people requiring the use of a wheelchair. + +While this is indeed and important factor to consider, there are many other types of disabilities and accommodations we should be mindful of in our privacy work. + +Considering how each part of our work could be accessed more easily by everyone is essential to grow our movement, and to diversify our privacy communities. + +Ethically, it's also just the right thing to do, and should be the norm everywhere. + +### Visual, auditory, and other sensorial accessibility + +Anytime you are using images, audio, or any other sensorial elements in your advocacy work, you should always make sure to follow best practices to ensure your content will be accessible to people with visual, auditory, or other sensorial impairments. 
+ +- [x] If you use images in your websites or social media posts, make sure to always add proper [alt text](https://abilitynet.org.uk/resources/digital-accessibility/five-golden-rules-compliant-alt-text) to describe the information the image represents. Keep in mind visitors that might be using a [screen reader](https://en.wikipedia.org/wiki/Screen_reader). + +- [x] When designing websites, posters, flyers, or zines, keep in mind [visual accessibility](https://webdesign.tutsplus.com/accessibility-basics-designing-for-visual-impairment--cms-27634a) for people with blindness, low vision, color blindness, and other visual impairments. + +- [x] Be careful to refrain from using designs and videos with [flashing lights](https://developer.mozilla.org/en-US/docs/Web/Accessibility/Guides/Seizure_disorders), or display proper warning if you do. Flashing or flickering light effects, and even certain high-contrast static images, can trigger seizures in people with photosensitive epilepsy. + +- [x] If you use [audio material](https://www.w3.org/WAI/people-use-web/abilities-barriers/auditory/) in your advocacy, try to include captions or transcripts in your content for people with auditory impairments. If you organize a larger event with speakers, try to see if you could hire a sign language interpreter. + +- [x] Whenever you develop content or organize events, always be mindful of people with sensory impairments or [sensory sensitivities](https://accessforallllc.com/sensory-and-cognitive-accessibility/). + +### Website accessibility + +If you develop a website in your privacy work, make sure to follow the international standards for web accessibility. + +This is very important to ensure readers using assistive devices will be able to access your content, and that people with visual impairments will not struggle to access your content. + +- [x] Get familiar with the World Wide Web Consortium (W3C) [international Web standards](https://www.w3.org/WAI/standards-guidelines/). 
These standards have been reviewed for accessibility support by the Accessible Platform Architectures ([APA](https://www.w3.org/WAI/about/groups/apawg/)) Working Group. + +- [x] Use a [web accessibility evaluation tool](https://www.w3.org/WAI/test-evaluate/tools/list/) to verify that your web content meets accessibility guidelines, or otherwise make sure to follow the [Web Content Accessibility Guidelines](https://www.pivotalaccessibility.com/2024/11/how-to-perform-a-web-accessibility-audit-step-by-step-guide/) (WCAG). + +- [x] If your organization can afford it, hire a [web accessibility consultant](https://accessibilityinnovations.com/blogs/web-accessibility-consultant/). + +### Global accessibility + +Whether you write a post, an article, or a whole website in English, keep in mind that your audience is likely global. + +People from all around the world will be able to read or watch your English content, many who don't speak English as their first language. Don't assume that your audience is only coming from your own country or region. This is a good thing, by the way! ==The battle for privacy rights must be global now.== + +- [x] Be careful not to use too many references that are unique to your own country or region. If you do, make sure to explain what it is for people from other regions. + +- [x] When talking about issues related to politics, make sure to specify what governmental entities are, and explain any special rights your country has (don't just name them). That way, outsiders will be able to understand and support your cause as well, even if perhaps they aren't directly impacted by this issue at the moment. + +- [x] Don't assume everyone knows all the popular internet acronyms such as DIY (Do It Yourself) or IIRC (If I Recall Correctly). These acronyms are very challenging for non-native English speakers. 
When using acronyms in your content, always explain the full expression in parentheses at least once, or better yet, simply use whole words instead. + +- [x] When inviting people to an event, consider that people from other time zones might be reading your invitation. If your event is online, always specify the [time zone](https://www.timeanddate.com/time/map/) for the announced time. If your event is in person, always specify the whole location with the country and region ([do _not_ just name the city](https://www.roughmaps.com/destinations/20-places-around-the-world-that-share-the-same-name/22)). + +### Physical accessibility + +When organizing events and meetups in person, it's essential to keep in mind physical accessibility for people with mobility challenges of all kind. This includes accessibility around the venue, but also on the journey to the venue. + +- [x] Ensure the venue you select is [accessible for people using wheelchairs](https://sites.augsburg.edu/events/policies/accessible-events/accessible-event-planning-guide/). Check that there is access to an elevator if it's on an upper floor, that there are access ramps and automatic doors if required, and that doorways and hallways are wide enough to accommodate a wheelchair. + +- [x] Make certain that there will be enough comfortable seating for your guests, and that seating and eating areas will be accessible to guests using wheelchairs or other mobility aids. + +- [x] Check that there are wheelchair-accessible bathrooms nearby. + +- [x] Evaluate the accessibility of the transit options available to reach the venue you select, including specialized transits for people who are using wheelchairs, or other types of mobility aids. Publish a map of the transit accesses around your venue. + +- [x] Research if your venue has access to parking and accessible parking spots. Publish this information with your invitation. 
+ +- [x] Verify the venue you select is accessible to people with visual or auditory impairments. For example, check if elevators are marked with Braille or raised letters, and make sure that hosts are informed on how to communicate with guests who are deaf or hard of hearing. + +### Health accessibility + +In-person accessibility isn't just about mobility. Accessibility is also important to consider for a variety of health conditions, including people who are vulnerable to infectious diseases, or require other accommodations related to their health. + +- [x] Designate a trained person responsible for accessibility, and share their contact information in advance. That way, people will be able to contact this person if they have any questions before or during the event. + +- [x] Encourage your participants to wear a mask, and try to select a venue with adequate ventilation to minimize the risks for people who are [vulnerable to respiratory infections](https://health.clevelandclinic.org/superspreader-events). If food is served, try to select a venue with an area allowing to consume food outside. + +- [x] Make sure to bring a few boxes of [protective face masks](https://health.clevelandclinic.org/do-masks-work) to your event that guests can use for free. That way, people who might be at risk in dense crowd can decide to wear a mask once they arrived, or if they forgot to bring their own. + +- [x] Try to prepare an area in your venue, or near your venue, where people can rest comfortably in a [quiet space](https://eventwell.org/ensuring-inclusive-events-the-importance-of-supervising-quiet-spaces-for-neurodivergent-attendees-and-vulnerable-adults/), if they feel tired or overstimulated during the event. 
+ +- [x] Promote a [scent-free](https://www.chrc-ccdp.gc.ca/resources/publications/environmental-sensitivities-and-scent-free-policies) environment to make your event welcoming to people who have scent allergies, environmental sensibilities, or other health conditions that can be affected by scents. + +- [x] Provide training for hosts and event volunteers to make sure they are aware of available accommodations, and can give helpful information upon request. + +### Dietary accessibility + +If your event provides meals, snacks, or drinks, make sure to prepare well in-advance to consider the potential dietary restrictions of your guests. + +- [x] List clearly what types of food and drinks with be served (or available) at the event. + +- [x] Provide contact information for people to reach out in advance if they have special dietary requirements or requests that have not already been addressed. + +- [x] Try to provide food and beverages that will cover a variety of dietary needs, such as vegan, nut-free, gluten-free, lactose-free, alcohol-free, or low-sugar options. + +- [x] If you host a large event, consider keeping a few [epinephrine autoinjectors](https://greatergood.com/blogs/news/epinephrine-public-areas) available on site in your emergency kit, in case anyone experiences a dangerous allergic reaction. + +- [x] Make sure guests will have access to free and clean water, especially if your event is scheduled during a heat wave. + +- [x] Ensure there is a quiet and private room available for anyone who might be breastfeeding. + +- [x] Provide all this information in advance with your invitation, so that guests can evaluate properly if the event is accessible to them. + +### Safety accessibility + +Safety is also an important aspect of accessibility. Everyone has a unique threat model, and, for a variety of reasons, some people might be at an elevated risk to their physical safety when going to and participating in an event in person. 
+ +- [x] Implement a [Code of Conduct](https://oshwa.org/resources/how-to-write-a-code-of-conduct/) for your event or community. Ensure there are clear channels to report bad behaviors, and that your Code of Conduct is enforced properly. + +- [x] Verify that access to the bathrooms is safe and well lit at your venue. + +- [x] Make sure the venue you select is safe to access by transits or cars, and that the nearest parking lot or bus stop is well lit if the event ends late at night. + +- [x] If your venue is located in an area that might be more dangerous at night, consider setting up an [accompaniment service](https://www.concordia.ca/campus-life/security/services/safe-walk.html) with a set of volunteers offering to walk guests safely back to their bus stop, for example. Make this information known in advance. + +- [x] Implement a clear [Photo Policy](https://events.ccc.de/congress/2025/infos/privacy.html#photo-policy) for your event, and forbid all nonconsensual photos. You can also provide "No Photos" or "Photos OK" stickers, buttons, or lanyards for guests upon arrival. That way, guests can explicitly opt out of being photographed at your event if they prefer not to. If your event hired an official photographer, make sure they are careful to never take photos that include people wearing these badges. Ideally, limit event photos to a minimum, and only take photos of people after asking for their explicit consent first. + +### Financial accessibility + +Another aspect of accessibility that is often overlooked is financial accessibility. Sadly, many people are unable to access certain events due to financial limitations, even if it would be very helpful to them to network and meet privacy advocacy peers. When you organize an event, be mindful of providing options to increase financial accessibility. 
+ +- [x] Try to keep your events free or partly free whenever possible, while remaining vigilant about accepting money from [financial sponsors](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#donations-event-sponsorships-and-other-revenues) that could be in contradiction with your privacy values. + +- [x] Reserve a quantity of free tickets for people with more severe limitations. + +- [x] Offer discounts for students or unemployed peers. + +- [x] Create opportunities for part-time volunteering, where people can offer to help a little, then participate in the rest of the event for free. + +- [x] Provide contact information for people who would like to request free or cheaper access, or discuss their unique situation with you. + +### Beginners accessibility + +[Welcoming beginners](tip-welcome-beginners.md) is crucial in all the work we do. To keep your content and events accessible to beginners, it's important to be mindful of the language you use, the ways you present content, and the places where you promote your events. + +- [x] Always explain acronyms with whole words before only using the letters only. + +- [x] Be careful when using jargon, try to be explicit and use simple words and analogies. + +- [x] Beware of gatekeeping. Try to stay aware of newcomers that might be quiet or isolated from the group. [Be inclusive](tip-keep-your-posts-and-community-inclusive.md) and invite them to participate. + +- [x] Specify that your event welcomes beginners. + +- [x] Be mindful of advertising your event in places where potential newcomers might see it. Be careful about not inviting people only from places reaching out to people who are already part of the privacy community. 
+ +## More resources + +- [How to make your social justice event accessible (_The Commons Social Change Library_)](https://commonslibrary.org/how-to-make-your-social-justice-event-accessible/) + +- [Make your event accessible and inclusive (_Park People_)](https://parkpeople.ca/make-your-event-accessible-and-inclusive/) + +- [How to host a COVID-safe party: Tips and tricks (_Party Pro_)](https://party.pro/covid/) + +- [Dos and don'ts on designing for accessibility (UK Government)](https://accessibility.blog.gov.uk/2016/09/02/dos-and-donts-on-designing-for-accessibility/) + +- [Five golden rules for compliant alt text (_AbilityNet_)](https://abilitynet.org.uk/resources/digital-accessibility/five-golden-rules-compliant-alt-text) + +- [Accessibility developer guide (_Access for all_)](https://www.accessibility-developer-guide.com/) diff --git a/i18n/fi/activism/toolbox/tip-beware-of-privacy-snake-oil.md b/i18n/fi/activism/toolbox/tip-beware-of-privacy-snake-oil.md new file mode 100644 index 00000000..e8f61ef9 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-beware-of-privacy-snake-oil.md 
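Review bot: in tip-be-mindful-of-accessibility.md, under "### Website accessibility", the link labelled "Web Content Accessibility Guidelines" points to a pivotalaccessibility.com article on performing an accessibility audit, not to the guidelines themselves. Either relabel the link so it describes the audit guide, or point it at the W3C material, as the previous item does with https://www.w3.org/WAI/standards-guidelines/. Typos in the same hunk: "indeed and important factor" (an), "mobility challenges of all kind" (kinds), "environmental sensibilities" (sensitivities), "food and drinks with be served" (will), and "before only using the letters only" (duplicate "only").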
@@ -0,0 +1,124 @@ +--- +title: Beware of Privacy Snake Oil +description: In your privacy advocacy, it's important to recommend tools that reliably protect your and other people's privacy. Learn how to evaluate privacy claims. +icon: fontawesome/solid/skull-crossbones +cover: activism/banner-toolbox-tip-snakeoil.webp +--- + +In your privacy advocacy, it's essential to use and recommend tools that _reliably_ protect privacy. For this, you need to **investigate and remain highly skeptical** of any dangerous or unproven marketing claims. + +Here's how to evaluate privacy claims, and recommend tools that are trustworthy: + +## Why is there so much privacy snake oil? + +Regrettably, it's quite common to see businesses using privacy promises as a mere marketing strategy to reassure understandingly concerned users. But many aren't genuinely doing the work to make these promises come true. + +Many businesses want to have their cake and eat it too, by attracting users with false promises of privacy while exploiting their data for profit all the while. Other times, failure to meet privacy promises simply comes from incompetence or negligence. + +Misleadingly, or fraudulently, presenting a product, service, or organization as being responsible and trustworthy with data privacy when it isn't is called "[privacy washing](https://www.privacyguides.org/articles/2025/08/20/privacy-washing-is-a-dirty-business/)." + +There are many things you can learn to become more resistant to privacy washing, and become better at using and recommending genuinely privacy-preserving technologies. + +## How to spot privacy snake oil + +Never trust any privacy claims at face value. + +Here are some red flags you should always keep in mind when evaluating a privacy tool, service, or organization: + + + +
+ +- [**Conflict of interest**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#conflict-of-interest): Is the source that is telling you this product is trustworthy independent of the company or parent-company that owns this product? + +- [**Biased reviews**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#fake-reviews): Is the review recommending this product truly independent, or has it received sponsorship money? Was the review AI-generated? + +- [**Meaningless attestations**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#meaningless-privacy-compliance-badges): Are claims of privacy law compliance or trustworthiness supported by external sources, or do they only come from the organization itself? + +- [**Buzzword language**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#buzzword-language): Is the advertising and description of the product using a lot of privacy buzzwords like "military-grade encryption" or "AI-powered"? + +- [**Unsupported claims**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#checkbox-compliance-and-copy-paste-policies): Are the product's claims supported by documentation and detailed descriptions? It's not enough to write "end-to-end encrypted." This claim should be supported by a detailed account of _how_ the data is end-to-end encrypted, including which protocols and algorithms it is using. + +- [**Unrealistic claims**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#unverifiable-and-unrealistic-promises): Are the privacy claims being made realistic? Nothing can be 100% private or 100% secure. A trustworthy product will give you reasonable warnings about its limitations. 
+ +- [**Lack of deletion process**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#flawed-or-absent-process-for-data-deletion): Does this product or service offer a clear process to delete your data upon request? How much of your data can you delete, and how quickly can you delete it if you wanted to stop using this service tomorrow? + +- [**Untested technologies**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#new-and-untested-technologies): Has this technology been tested by experts before? Are there any _external_ parties who have verified its claims? + +- [**Bad reputation**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#critics-from-experts): What are privacy and security experts saying about this product or organization? Was the product or organization subjected to multiple critiques from privacy experts? Has the organization ever been impacted by major data breaches? + +
+ +## How to trust privacy tools and services + +You should never _completely_ trust a product, service, or organization. Additionally, your trust should always be revocable, and you should revoke it when new information comes to light that warrants it. Even privacy professional sources that you trust might not always be up-to-date. + +Things can change quickly in the tech world, and we must all be prepared to revoke our trust and adapt quickly when required. + +With that in mind, here are some green flags you can keep in mind when evaluating a privacy tool, service, or organization: + + + +
+ +- [**Good reputation**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#reputation-history): What are privacy and security experts saying about this product or organization? Does the product or organization have a good reputation within the field? + +- [**Access to evidence**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#verifiable-claims): Are you able to verify the privacy claims from independent sources that aren't related to the business itself? + +- [**Independent review**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#independent-reviews): Was the product reviewed by an independent third-party who had significant access to test the product in a meaningful way? + +- [**Transparency**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#transparency): Can you easily find detailed information about what data this organization collects, and how it processes and shares it? Would an independent expert have access to its software code to inspect it? + +- [**Clear funding model**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#clear-funding-model): How does this organization make money? If it's free to use, does this organization rely on donations or grants? Is the product sold to users or to businesses? Where does the money come from? + +- [**Availability**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#availability): Could you easily contact this organization if you needed to? Can you find an email address dedicated to privacy requests and questions? Can you find where the organization is located? Would you have access to at least two different ways to contact it? 
+ +- [**Expert recommendation**](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/#expert-advice): Is this product recommended by independent privacy experts and nonprofit digital rights organizations? + +
+ +## More resources + +- [Tool recommendations vetted by our community (_Privacy Guides_)](../../tools.md) + +- [Extensive guide on how to evaluate better privacy tools and organizations (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/) + +- [Privacy washing is a dirty business (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/08/20/privacy-washing-is-a-dirty-business/) + +- [Understanding encryption and end-to-end encryption (_Privacy Guides_ video)](https://www.privacyguides.org/videos/2025/04/03/is-your-data-really-safe-understanding-encryption/) diff --git a/i18n/fi/activism/toolbox/tip-consider-everyones-unique-situation.md b/i18n/fi/activism/toolbox/tip-consider-everyones-unique-situation.md new file mode 100644 index 00000000..64e28931 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-consider-everyones-unique-situation.md 
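Review bot: in tip-beware-of-privacy-snake-oil.md, the "Unsupported claims" red flag links to the anchor #checkbox-compliance-and-copy-paste-policies, while the bullet itself is about documenting how data is end-to-end encrypted, including protocols and algorithms. Check that this is the intended section of the red-and-green-privacy-flags article, since the other bullets link to anchors that match their labels more closely (for example #conflict-of-interest and #buzzword-language). In the opening section, "understandingly concerned users" should read "understandably concerned users".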
@@ -0,0 +1,74 @@ +--- +title: Consider Everyone's Unique Situation +description: To give actionable privacy advices, it's essential to consider everyone's situation. Learn more on how you can evaluate each person's unique threat model. +icon: fontawesome/solid/users-between-lines +cover: activism/banner-toolbox-tip-everyone.webp +--- + +Everyone has different needs, and everyone faces different dangers when their personal data gets exposed. + +To give actionable privacy advices and recommendations, it's essential to **keep in mind everyone's situation**. There isn't a one-size-fits-all approach when it comes to data privacy. + +Here's how you can get better at evaluating each person's unique [_threat model_](../../basics/threat-modeling.md): + +## What is a threat model? + +We regularly use the term "threat model" in cybersecurity and data privacy. This might sound obscure at first if you haven't seen it before, but it's quite simple: A threat model is an evaluation of what is dangerous for a certain person (or entity) in a given situation, and what protective measures should be prioritized. + +For example, if you leave near the equator, polar bears might not be an important threat to your safety. However, if you live in Nunavut, it may be important to get information on how to prevent a polar bear attack. + +Similarly, when you choose privacy protections for yourself or for others, you should first ask a few questions to understand better what information you are trying to protect, from whom, and in which context. + +## What questions to ask? + +To establish a threat model, ask the following questions: + +1. What information leak could endanger this person or organization the most? +2. Who this information should be protected from? +3. How likely is it that this person or entity could access this information? +4. What could happen if this person or entity had access to this information? +5. 
What are the protections available to protect this information specifically from this person or entity? +6. What would be the downside of using these protections? +7. How long do these protections need to remain in place? + +Ask, rinse, and repeat for each type of information. The answers to these questions will be unique for each person or organization. This is their unique threat model. + +
Example scenario: Threat of stalking + +**Needs:** Alice is a young celebrity sharing a lot of information about herself on social media. As part of her work, she has to be able to share photos of herself, her legal name, some of her travel information, and details about her personal life. + +**Threat:** However, to protect herself from an aggressive stalker, she must protect information about her _home address_ at all cost. + +**Level of danger:** She already received threats online, and the danger to her safety is imminent if her home address were to be known to this aggressive stalker. + +**Information to protect and solutions:** Everywhere that Alice is required to share her home address must be protected. She should use a PO box every time her personal address isn't absolutely necessary. She should make sure to only share her address with trusted people that are informed about this danger. And she should inspect all of her photos and metadata carefully, to make sure her location is never precisely [revealed](https://www.privacyguides.org/articles/2025/03/25/privacy-means-safety/#victims-of-stalkers). + +
+ +
Example scenario: Surveillance Capitalism + +**Needs:** Bob feels uncomfortable with companies using his information without his consent. He doesn't trust what they might do with this information later, or whom they might sell it to. He is especially worried about how companies and governments might use facial recognition with him. + +**Threat:** To limit facial recognition, Bob doesn't want any companies to have access to a _photo of his face_. + +**Level of danger:** If Bob or someone close to Bob posted a photo of his face online, the numerous bots constantly scanning the open web and social media platforms would have a copy of it in no time. + +**Information to protect and solutions:** To prevent this, Bob should not post any photos of his face online. He should make sure to only choose profile pictures that don't show his face for social media, and inspect any other photos posted to make sure his face doesn't show up on reflective surfaces. He should also inform his friends and family that he doesn't want photos of himself to be posted online, and he should protect his phone camera roll and cloud storage from getting [scanned](https://www.forbes.com/sites/zakdoffman/2026/01/15/google-upgrade-starts-scanning-all-your-photos-be-very-careful/) by remotely controlled AI. Bob should also opt out of any online platforms demanding a facial scan or photo ID in order to [verify his age](https://www.privacyguides.org/videos/2025/08/15/age-verification-is-a-privacy-nightmare/) or identity. + +
+ +## Respect people's choices when it comes to their own privacy, even if they are different from yours + +When advising others on data privacy, it's easy to get carried away and forget that other people might have different threat models from our own. + +Once we have provided the information to somebody who might need it, it's important to take a step back and respect their choices. If someone understands the risks, and decides that sharing this information _about themselves_ is an acceptable level of risk to them, we cannot (and shouldn't try) to force them in using the same level of protection we have adopted ourselves, if they don't want to. + +Of course, this might be a different story if their decision also affects the data of others. But if it only concerns their own data, the choice is theirs. + +To be a good privacy advocate is to provide information and support when needed. But ultimately, privacy is about deciding what one is comfortable sharing about themselves or not. We can only choose this for ourselves, not for others. + +## More resources + +- [More detailed information on threat modeling (_Privacy Guides_)](../../basics/threat-modeling.md) + +- [Examples of common threats (_Privacy Guides_)](../../basics/common-threats.md) diff --git a/i18n/fi/activism/toolbox/tip-dont-stop-at-individual-solutions.md b/i18n/fi/activism/toolbox/tip-dont-stop-at-individual-solutions.md new file mode 100644 index 00000000..f6561caf --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-dont-stop-at-individual-solutions.md 
@@ -0,0 +1,48 @@ +--- +title: Don't Stop at Individual Solutions, Consider The Collective Impact +description: When we think about privacy, we often focus on technical individual solutions. But it's also crucial to consider the collective impact of privacy issues. +icon: fontawesome/solid/users-rays +cover: activism/banner-toolbox-tip-expand.webp +--- + +When we think about our privacy, we often focus on the technical tools we can use to protect it. While this is an important _component_, it's crucial not to lose sight of how regulations and invasive practices impact us collectively. + +Here's what to keep in mind to **expand your perspective on data privacy** beyond individual solutions: + +## The danger of focusing only on individual solutions + +While it might feel easier to focus on our own needs, nobody lives in a vacuum. Even if you were able to somehow protect all the data you have custody of, there is a lot of data about you that isn't under your control, and a lot of data about _others_ that impact you. + +Moreover, it's important to consider others in different situations. For example, even if everyone who has access to a [VPN](../../vpn.md) service can stay protected from a particular issue, what about all the others? It's neither practical nor realistic to expect that _everyone_ would be able to circumvent a problem by using a VPN. + +While in some cases we might want to discuss immediate individual solutions in order to mitigate some harm, we must also attack the root cause of the problem. + +If we only think of _individual_ solutions when a corporation exploits our data, or a government adopts a privacy-invasive regulation, we risk letting our guard down by giving up the fight early. This makes the problem harder to fight later on, and results in more harm to our communities, and eventually to ourselves as well. 
+ +## Things to keep in mind when a privacy issue arises + +Here are a few questions you can ask yourself whenever a new privacy issue arises in the news, to help expand your perspective beyond individual solutions: + +- [ ] What are potential mitigation solutions, and who will realistically be able to use them? + +- [ ] What will happen to the people who don't have the resources (in time, in money, in knowledge) to protect themselves individually? + +- [ ] Will this issue impact some communities more than others? Who will this affect the most negatively? + +- [ ] What will be the impact for the people who _cannot_ protect themselves individually? + +- [ ] What will be the impact for the people who _can_ protect themselves individually? + +- [ ] Are there other solutions that could be adopted to fight this issue for _everyone_ at once, without relying on _individual_ harm mitigations. + +- [ ] How can we fight against this issue in a way that will benefit _everyone_ impacted, including the people who aren't even aware of the issue? + +## More resources + +- [Why you should also care about other people's privacy (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/03/10/the-privacy-of-others/) + +- [Why privacy might be a safety matter for many (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/03/25/privacy-means-safety/) + +- [Encryption must not be outlawed for our privacy tools to work (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/04/11/encryption-is-not-a-crime/) + +- [Dangerous regulation proposals like Chat Control could impact everyone without many individual solutions (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/09/08/chat-control-must-be-stopped/) diff --git a/i18n/fi/activism/toolbox/tip-engage-boosts-and-contribute.md b/i18n/fi/activism/toolbox/tip-engage-boosts-and-contribute.md new file mode 100644 index 00000000..778821bc --- /dev/null 
+++ b/i18n/fi/activism/toolbox/tip-engage-boosts-and-contribute.md @@ -0,0 +1,96 @@ +--- +title: Engage, Boost, and Contribute +description: Once you have the knowledge, motivation, and energy to fight for privacy rights, it's time to act! Learn more on what you can do to be a privacy activist. +icon: fontawesome/solid/bullhorn +cover: activism/banner-toolbox-tip-engage.webp +--- + +Once you have the knowledge, motivation, and energy, **it's time to act**! Perhaps you've read all the tips here, or have read through our [Knowledge Base](../../basics/why-privacy-matters.md) already! But you don't need to know that much about privacy to start contributing. + +The most important part is that you care about privacy rights, and want to be part of the movement to defend them. + +Here's what you can do to become a privacy activist: + +## Be active! Participate and contribute! + +Being a privacy activist means actively taking part in the movement to protect and improve fundamental privacy rights for everyone. + +
+

We want to help redefine 'activist' to a term that can include anyone who wants to work collectively to create social change. You don't have to be an expert, and you don't have to spend every waking minute trying to do 'activism'. You just have to be a person who wants to create change with other people.

+ +

Source: [*Activist Handbook*](https://activisthandbook.org/theory/what-is-activism#our-response-take-the-%E2%80%98expert%E2%80%99-out-of-%E2%80%98activism%E2%80%99)

+ +
+ +There are many ways to actively engage in the privacy rights movement. + +While a lot can be accomplished by _anyone_ interested in joining, think about how you can orient your activism around _your_ strengths, skills, and interests. This will help with sustainability. + +If you find one way doesn't really work for you, and you get tired or bored quickly, then find another way to contribute. There isn't a one-size-fits-all approach. Find the ways that work best for you. + +Perhaps you like to write, to draw, to record videos, or to build applications? Or maybe you prefer to engage with people directly, and become involved in the more social part of privacy advocacy? This can all be incredibly valuable contributions to the movement. + +Ask yourself these questions: + +- [ ] What do I enjoy doing that could also be useful to the cause? + +- [ ] What are my interests? What do I want to learn more about? + +- [ ] Which skills and social networks do I already have? + +- [ ] How much time do I have to contribute each week? + +- [ ] Who around me shares my privacy values and could be an ally? + +## Things you can do to engage, boost, and contribute + +Here are some ideas of what you can do to become a privacy activist in your community, and a valuable member of the privacy rights movement: + + + +
+ +- [**Spread** the words of your allies.](tip-lift-your-allies-up.md) Repost social media campaigns from digital rights organizations you like, and write about it on your own platforms. Encourage people to participate if there is a call to action. + +- **Write** about the privacy issues you care about. Inform the public with accurate information and effective ways of action to push back against invasive technologies and legislations. This can be through your social networks, personal blog, or even a book! + +- [**Participate**](tip-small-actions-matter.md) in the actions organized by others. Reply positively to social media posts related to privacy rights, repost the content of your allies, sign petitions, report violations, join an online forum, and contact your representatives about privacy rights in your region of the world. + +- [**Refuse**](tip-refuse-to-participate.md) to participate in privacy-invasive requests, and refuse to use privacy-invasive technologies as much as doable for your situation. Sometimes doing nothing can be a powerful action. Try to prioritize your privacy principles over [convenience](https://www.privacyguides.org/articles/2025/06/07/selling-surveillance-as-convenience/), and report on your refusal experiences on social networks and with your local communities. + +- [**Join or build** communities](https://discuss.privacyguides.net/) with people sharing your privacy values. Be a positive contributor and lift your allies up. [Support your privacy comrades](tip-support-your-privacy-comrades.md) and [ask for help](tip-take-time-to-rest.md) when you need it yourself. Look for nonprofit organizations [seeking volunteers](../../about/contributors.md). + +- [**Contribute** financially](../../about/donate.md) if you can. If you cannot afford to participate in time, consider donating money. There are many digital rights nonprofit organizations that could do _so much more_ if only they had more funding. 
Offering financial support when you can is a meaningful way to contribute to the privacy rights movement. + +- **Go** to local meetups related to privacy and digital rights. Meet people who share your values in-person, and grow your network to find allies in your area. + +- **Take part** in digital rights protests that support causes and raise awareness on privacy issues you care about. Actively look online for events to join in your local privacy rights community. + +- **Invite** others to join you in the movement to defend privacy rights! + +
+ +
+

People who do activism reclaim their own agency in deciding what kind of world they want to live in.

+ +

Source: [*Activist Handbook*](https://activisthandbook.org/theory/what-is-activism#personal-is-political)

+ +
+ +## More resources + +- [What is activism? (_Activist Handbook_)](https://activisthandbook.org/theory/what-is-activism#personal-is-political) + +- [How to be an activist for human rights causes (_WikiHow_)](https://www.wikihow.com/Become-an-Activist) + +- [Learn to use ethical principles of persuasion (_The Community Tool Box_ (University of Kansas))](https://ctb.ku.edu/en/table-of-contents/participation/promoting-interest/principles-of-persuasion/main) + +- [Communicate your message: Making sure your message comes across (_Activist Handbook_)](https://activisthandbook.org/communication) diff --git a/i18n/fi/activism/toolbox/tip-give-credit-where-credit-is-due.md b/i18n/fi/activism/toolbox/tip-give-credit-where-credit-is-due.md new file mode 100644 index 00000000..a2f1a5a8 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-give-credit-where-credit-is-due.md 
@@ -0,0 +1,54 @@ +--- +title: Give Credit Where Credit Is Due +description: To succeed with our movement to defend privacy rights, we must support each other. One good way to do this is to give credit where credit is due. +icon: fontawesome/solid/thumbs-up +cover: activism/banner-toolbox-tip-credit.webp +--- + +To succeed in our battle, we must **support each other**. One good way to accomplish this is to never forget to give credit where credit is due. When another advocate or organization says something you agree with, boost them up, spread their reach, and thank them publicly. + +Here are a few ways you can help your allies feel seen and valued: + +## Why crediting people and organization is important + +Giving credit to the right person or organization isn't only the ethical thing to do, it's also a way to **build alliances**, to bring more people to the cause, and to retain the allies you already have. + +When people feel valued, they are usually inclined to work harder. People are also more likely to stick around places where they feel seen and appreciated. This is incredibly important for our movement. + +When giving credit to organizations, you are also making a whole team feel valued. Organizations are made of people, after all. Caring about the people who work hard at your allied organizations is fundamental to build our movement. + +## Ways to credit your allies in your advocacy work + + + +
+ +- **Quote** your allies' work in your own content and material. Make sure to always credit their name and link to their external resources when you do. + +- **Link** to your allies' resources on your own platforms. Give them credit for their work, and encourage your own audience to consult your allies' material. + +- **Support** your allies publicly on social media. Repost their content to increase their reach. Post about them while tagging them, to encourage your circle to follow them as well. Reply to their posts thanking them for their hard work for the cause. + +- **Reach out** to offer your help on their projects, whenever you have the resources to do so. + +- **Thank** your allies publicly when working with a group, whether it's for paid or volunteer work. Make the members of your group feel recognized and valued individually. + +- **Attribute** the work of each contributor to the name they have agreed to share publicly, depending on the platform you use. Ask first how they prefer to be credited, but do not forget to credit them. + +- **Nominate** your allies for rewards/awards if the opportunity arises, and make sure to add your vote to support them. + +
+ +## More resources + +- [3 ways to use recognition to boost performance and engagement (_HumanResourceMag_)](https://www.humanresourcemag.com/news/277/3-ways-to-use-recognition-to-boost-performance-and-engagement) + +- [The fine line between teamwork and taking credit: Why recognition matters (_Gwendolyn F. McGraw_)](https://blog.gwendolynmcgraw.net/2025/07/12/the-fine-line-between-teamwork-and-taking-credit-why-recognition-matters/) diff --git a/i18n/fi/activism/toolbox/tip-improve-your-social-media-and-build-resilient-communities.md b/i18n/fi/activism/toolbox/tip-improve-your-social-media-and-build-resilient-communities.md new file mode 100644 index 00000000..30a74617 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-improve-your-social-media-and-build-resilient-communities.md 
@@ -0,0 +1,118 @@ +--- +title: Improve Your Social Media and Build Resilient Communities +description: Commercial social media platforms represent one of the biggest source of data exploitation. Learn how you can build better and more resilient social networks. +icon: fontawesome/solid/seedling +cover: activism/banner-toolbox-tip-plant.webp +--- + +Commercial social media platforms represent one of the biggest source of data exploitation. Facebook, Instagram, Threads, TikTok, and X all exploit their users' data to generate billions in profit every year. By staying active on these platforms, we continue to feed the beast and indirectly support this invasion of privacy rights. + +Here's how you can **minimize your presence on commercial social media**, and slowly build more autonomous communities: + +## Why it's important to move away + +Moving away from large commercial platforms can be a complex process, but it's a very important one nonetheless. + +[Reducing our dependence on Big Tech](tip-migrate-outside-the-surveillance-ecosystem.md), including for social media platforms, is essential in our fight for better privacy rights. + +Not only this allows us to stop feeding a surveillance machine that grows ever hungry for data every month, but it gives us an opportunity to build much more resilient communities, and support platforms that aren't devouring peoples' privacy. + +Many are reluctant to quit commercial social media, despite the many issues that have only become worse in the past few years. It's not always easy to leave a place that feels like home and rebuild elsewhere. However, ==when the house is on fire, it's time to leave.== + +The more we produce content, and the more we engage with our community on these privacy-invasive platforms, the more we contribute to sustain these predatory corporations making money and thriving at the expense of our followers' data. 
+ +It's a responsibility for any privacy advocates to stay true to their values, and minimize their presence on exploitive platforms as much as feasible. + +## Minimizing your presence on commercial social media platforms + +Here are a few things you can start doing to reduce your contribution to Big Tech social media. This is presented on an escalating scale. Go as far as realistically possible for your situation: + +1. Create an account that mirrors your regular posts on a [privacy-respecting platform](#embracing-privacy-respectful-alternatives), and announce it prominently on your commercial social media accounts. + +2. Regularly post on your commercial social media that you don't support this platform and encourage your followers to meet you on your new privacy-respecting social network instead. + +3. Use your commercial social media profile pictures and banners to advertise your new social network account (this will help fight potential Big Tech [censorship](https://gizmodo.com/elon-musk-twitter-ban-mastodon-1849903839) of text posts promoting competitors). + +4. Tell your followers on commercial social media that you will stop engaging in replies here, but will reply to questions and comments on your new social network profile, and follow through. + +5. If this makes sense for your situation, after backing up your data, start deleting older content from your commercial social media profiles (you can use a tool like [Cyd](https://docs.cyd.social/docs/intro/) to help you with deletion). + +6. Gradually decrease your posting activity on commercial social media, and increase your presence and engagement with your new social network account on a privacy-respecting platform. + +7. Stop posting on your commercial social media account entirely. Only keep a pinned post and profile description with your new social network account information, and encourage your followers to meet you there. + +8. 
When you are ready, delete your data and close your accounts on commercial social media entirely. Before leaving permanently, make sure to post an announcement (a week before maybe) about why you are leaving and how your followers can find you on your new social network. + +## Embracing privacy-respectful alternatives + +Perhaps you are already convinced to leave exploitive social media platforms for better places, but aren't sure where to go. Thankfully, there are alternatives that genuinely respect users and their privacy. + +One such network is the [**Fediverse**](https://en.wikipedia.org/wiki/Fediverse), a decentralized collection of interconnected applications and servers that can communicate with each other. + +The Fediverse was built from a desire for social connection, not from greed for profits. ==This is a fundamental difference that leads to substantial benefits.== Most servers that are part of the Fediverse network are hosted by volunteers who simply want to support their communities. + +There are many applications that can connect to the Fediverse, the most famous probably being the microblogging platform [Mastodon](https://joinmastodon.org/). But you could also choose to join an app more similar to Instagram with [Pixelfed](https://pixelfed.org/), or more similar to YouTube with [PeerTube](https://joinpeertube.org/). They all connect together! + +Here are some resources to help you learn more about this social network, and its many applications: + + + +
+ +- [Learn why the Fediverse is a better alternative (_Elena Rossini_ video)](https://blog.elenarossini.com/fediverse-video/) + +- [What is the Fediverse and how it's interconnected (_Stefan Bohacek_ project)](https://jointhefediverse.net) + +- [Social network recommendations (_Privacy Guides_)](../../social-networks.md) + +- [Privacy and security on Mastodon (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/07/15/mastodon-privacy-and-security/) + +- [How to create a Mastodon account (_Doc Pop_)](https://docpop.org/2025/02/how-to-get-started-with-mastodon/) + +
+ +## Building resilient communities + +If you decide to make the Fediverse-connected social network Mastodon your new home, you will be able to choose between a variety of servers (instances) to create your account. + +You can also simply choose the Mastodon organization's main server [mastodon.social](https://mastodon.social/about), if you don't feel like thinking about this too much. Mastodon has a feature allowing to migrate your account from one server to another, so this isn't a permanent decision. You can always move later if you choose to (you can't move your content for now, but you can move your followers). + +That being said, if you're up for a more resilient solution, one option that is truly empowering is to host your own Mastodon server (or many other applications that are part of the Fediverse family). + +Self-hosting your Mastodon server of course requires more time and resources. But, if you can afford it, hosting your own server will allow you to be much more independent and genuinely own your own data. + +This is the best way to build a community that is truly resilient, and billionaire-resistant. + +### Wikimedia has its own Mastodon instance! + +As an example of an organization self-hosting its Mastodon account, the [Wikimedia Foundation](https://wikimediafoundation.org/) (the nonprofit organization hosting _Wikipedia_) has its [own](https://meta.wikimedia.org/wiki/Wikimedia.Social) Mastodon server at [wikimedia.social](https://wikimedia.social/about). + +From their [Wikimedia's Mastodon account](https://wikimedia.social/@wikimediafoundation) on this server, you can see that the organization's official website is listed in green. This verifies the account's authenticity by linking together the website address with the Mastodon account. It's easy to do, and entirely free. + +You can also see this page is visible to anyone, regardless of if they have a Mastodon account or not. 
This makes the information you want to share with your community much more accessible. It doesn't require your community to share any sensitive data if they prefer not to, like they would have to do to follow you on Facebook, Instagram, X, or TikTok. + +Additionally, this allows you to keep full control over your profile page, regardless of social media ownership, or censorship. This is how you can build a truly resilient community for your privacy advocacy work. + +Privacy Guides does this too, of course! You can [follow _Privacy Guides_](https://mastodon.neat.computer/@privacyguides) from our own self-hosted Mastodon server 💛 + +## More resources + +- [Official Mastodon website](https://joinmastodon.org/) + +- [List of curated smaller Fediverse servers (_Fedi Garden_)](https://fedi.garden/) + +- [Find answers to all your questions about Mastodon and the Fediverse (_Fedi Tips_)](https://fedi.tips/) + +- [Tutorial to optimize privacy and security on a Mastodon account (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/07/22/mastodon-tutorial-privacy-and-security/) + +- [Organizations: Tutorial to verify your Mastodon account (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/07/22/mastodon-tutorial-privacy-and-security/#verifying-yourself-and-others) + +- [Organizations and Writers: Tutorial to attribute your articles to your Mastodon account, including when others share links on the network (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/07/22/mastodon-tutorial-privacy-and-security/#author-attribution-for-journalists-and-writers) diff --git a/i18n/fi/activism/toolbox/tip-keep-in-mind-the-whole-landscape.md b/i18n/fi/activism/toolbox/tip-keep-in-mind-the-whole-landscape.md new file mode 100644 index 00000000..e727a801 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-keep-in-mind-the-whole-landscape.md 
@@ -0,0 +1,100 @@ +--- +title: Keep in Mind The Whole Landscape +description: Privacy isn't just about the tools, or just about the laws, or just about the practices either. It's about all of it. Learn how to consider the whole landscape. +icon: fontawesome/solid/globe +cover: activism/banner-toolbox-tip-landscape.webp +--- + +Privacy isn't just about the tools, the laws, or the practices of any individual or organization. It's about _all_ of that. To move our society in a place where everyone benefits from privacy by default, we must consider technologies, laws, and culture holistically. + +Here's how to get better at **considering the whole landscape**: + +## The technology + +Technology plays a crucial role in how we protect our digital information. Most people are already familiar with the [tools and services](../../tools.md) we can use to better protect our privacy, and the ways technology can endanger our privacy rights. Technologies like encryption, for example, are essential in our connected world. + +But if we only consider the technological aspect, it will not be enough to defend our privacy rights. When we only think and talk about technical solutions, we are missing the bigger picture, and with it, the bigger solutions as well. + +## The legislative + +While technologies can protect our data in several ways, it becomes almost irrelevant when regulations make these technologies illegal. + +Of course, some people will always be willing to use protective technologies even once they're deemed illegal by their governments, but most will not. When our protections are outlawed, we all lose. + +Sadly, this is an overlooked area for many privacy activists. This often contributes to making our community react too little and too late when privacy-invasive laws are proposed. + +If we want to fight for privacy rights, we must take a much stronger and louder approach against intrusive regulation proposals, as soon as we are made aware of them. 
Because unfortunately, bad legislations _do_ have the power to limit access to the technologies and methodologies we need to stay safe. + +Here are a few examples: + + + +
+ +- [**Bad Internet Bills**](https://www.privacyguides.org/videos/2025/12/16/taylor-lorenz-on-kosa-the-screen-act-and-repealing-section-230/) have been proposed in 2025 to undermine the privacy of all Americans, and everyone around the world using American technology. + +- [**Chat Control**](https://www.privacyguides.org/articles/2025/09/08/chat-control-must-be-stopped/) proposals have been an ongoing issue since 2021. + +- [**Age Verification**](https://www.privacyguides.org/articles/2025/05/06/age-verification-wants-your-face/) regulations and proposals are growing around the world at a terrifying rate. + +- [**Data Brokers**](../../data-broker-removals.md) are incessantly exploiting our data due to weak regulations. + +- [**Funding cuts**](https://www.privacyguides.org/articles/2025/02/03/the-future-of-privacy/) from new regulations have frequently impacted negatively the organizations and privacy tools we rely on. + +- [**Attacks on encryption**](https://www.privacyguides.org/articles/2025/04/11/encryption-is-not-a-crime/) have been carried out by [multiple](https://www.privacyguides.org/articles/2025/02/28/uk-forced-apple-to-remove-adp/) governments around the world, [for _decades_](https://www.privacyguides.org/videos/2025/05/08/when-code-became-a-weapon/). + +
+ +## The culture + +While considering the tools we use and the laws that should protect us, we shouldn't neglect the impact that our _culture_ has on privacy rights. + +Unfortunately, society seems to be going in the wrong direction about this lately. As privacy activists, we have a lot of work to do to improve our culture surrounding data privacy. + +In the past few decades, technology has changed the way we interact with each other in unprecedented ways. The laws have not caught up with these changes yet, and our culture hasn't really either. + +Only a couple of decades ago, it was incredibly rare to be unknowingly filmed by a stranger while wandering in public spaces. If that happened, it was likely a television channel covering some event, a closed-circuit security camera, or a criminal offense. Unless the recording was broadcasted by national television, it was unlikely this footage of ourselves would become available for the whole world to see. + +Today, pretty much everyone on the planet has the power to film strangers and share the footage with the whole world in an instant. But sadly, very few people take the responsibility that comes with this power seriously enough. We must change that. + +We must work together to develop and promote a culture of consent around data collection, both for organizations and individuals. + +Here are a few practices to improve our culture surrounding data privacy that you can adopt yourself, and help promote in your advocacy work: + +- [x] Never publish photos or information about children online. + +- [x] Don't post pictures of others online without their explicit consent. + +- [x] If posting photos that include others cannot be avoided, blur the faces of non-consenting people before publication. + +- [x] Blur any visible vehicle license plates before publishing photos. + +- [x] Avoid taking screenshots of other people's posts without their consent (as this prevents them from exercising their right to delete). 
+ +- [x] Never share the location or contact information of someone without their explicit consent. + +- [x] Block external applications from accessing the contact information of others (e.g. don't allow the Facebook app to access your contacts). + +- [x] Be mindful of how one's computer or phone stores and records other people's information. Never use an application that scans content with potential information about others, such as AI note-takers, AI assistants, or applications like Microsoft's Recall. + +- [x] Never share the files of others with a third-party person or application without their prior permission. + +- [x] Unplug smart devices equipped with a microphone or camera at home before any guests enter. If this isn't possible for some reason, then inform your guests about these devices _before_ they enter your home, and _before_ the device collects any information about them. + +- [x] Never use devices like Meta's Ray-Ban glasses, i.e. devices equipped with a microphone and/or camera that might record others without their consent. + +## More resources + +- **Technology:** [Privacy tools and technology recommendations (_Privacy Guides_)](https://www.privacyguides.org/en/tools/) + +- **Legislative:** [How governments and laws shape our digital lives (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/02/03/the-future-of-privacy/) + +- **Culture:** [Why protecting the data of other is our responsibility (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/03/10/the-privacy-of-others/) diff --git a/i18n/fi/activism/toolbox/tip-keep-your-posts-and-community-inclusive.md b/i18n/fi/activism/toolbox/tip-keep-your-posts-and-community-inclusive.md new file mode 100644 index 00000000..b3bfb54d --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-keep-your-posts-and-community-inclusive.md 
@@ -0,0 +1,90 @@ +--- +title: Keep Your Posts and Community Inclusive +description: Inclusivity is essential to grow our privacy movement. If we want privacy rights to succeed, we must build communities where everyone feels safe and welcomed. +icon: fontawesome/solid/heart-circle-plus +cover: activism/banner-toolbox-tip-inclusivity.webp +--- + +**Inclusivity** is not only the right thing to do, it's also essential to grow our movement. If we want privacy rights to succeed, it's imperative that we build communities where _everyone_ feels safe and welcomed, regardless of who they are or where they come from. + +Here's how you can keep your communications and communities inclusive: + +## Why you need communities that are diverse and inclusive + +In privacy, **diversity** is an incredible strength, a necessity even. When people with different lived experiences, identities, localities, specialties, and mentalities join our group, we benefit from a broader perspective as a whole. + +Having a broad perspective is essential to understand the scope and impact of privacy issues, as well as the actionable solutions for diverse situations. + +When people with different lived experiences and identities join our group, it expands our understanding of numerous [threat models](../../basics/threat-modeling.md), and allows us to adapt our message in ways that will be more inclusive. + +When people from different localities join our group, this helps us to regionalize our content and communication to make it accessible to people all around the world, and expand our network. And when people with different mentalities join our group, it helps us to reach out to people with different ways of thinking more easily. + +\==The more diverse is a team, the more resources it has to understand and support a diverse population of people== interested (or potentially interested) in privacy rights. 
+ +Inclusivity allows diversity to thrive, and diversity will make it easier for your group to be inclusive. + +Of course, for all those benefits to happen, it's crucial that [group leaders](tip-level-up-assemble-and-organize.md) be good listeners, and actively nurture diversity and inclusivity. + +## Beware of gatekeeping + +**Gatekeeping** is sadly a common social phenomenon in niche communities, especially in tech communities. + +Gatekeeping happens when a group tend to restrict who can join it, or who gets opportunities within it. It can be done maliciously to exclude marginalized people, or inadvertently when it emerges from unconscious biases. + +Many of us have had experiences where we felt excluded from other social groups where our privacy values weren't understood. Once we finally find a group that makes us feel like we belong, it's easy to quickly occupy the whole space and forget that newcomers might feel pushed aside if we do not actively try to include them. + +Sometimes, gatekeeping happens unconsciously when we get overexcited about our own space, and when we tend to only communicate with the people we already know, or who look or sound like us. + +To counter this bias, we must actively and continuously examine our own behaviors, and make sure to course correct to leave the doors of our communities opened, and welcoming to all. This isn't always an easy thing to do, but it's critical for our movement to grow. + +## What can help keep your community inclusive + +There are many things you can do to keep your community inclusive and diverse. Here are a few easy tips you can start implementing right now in your privacy advocacy practice, to make more people feel safe and welcomed: + + + +
+ +- **Keep your language inclusive:** Make sure to keep the door wide open in your communications. Be mindful of the language you use to make newcomers from all origins feel like they could belong in your community. Limit the use of technical jargon, regionalisms, and unnecessarily gendered language. + +- **Listen to others:** Listen to people with experiences and identities different from yours, and try to genuinely understand their perspectives. If they don't feel safe sharing, make sure the space is safe enough for them to do so. Regularly reach out to them to ask questions, while not pressuring them to give answers if they prefer not to. + +- **Ask people their preferred name(s):** Always ask people how they want something attributed to them (or not), and what their preferred public name is before publishing it anywhere. Never assume someone is comfortable sharing their legal name publicly, and never assume someone is comfortable using publicly the name they use privately. This is doubly important for any transgender or gender diverse persons, but it's also true for anyone who might have privacy concerns. Always ask for consent first. + +- **Normalize the use of pronouns:** If you are in a leadership position, it's especially important to lead by example and display your preferred pronouns in your social media profiles, email signatures, and other relevant contexts. Encourage everyone on your team or in your group to do the same. This helps to normalize the practice, and makes a clear statement that your community is inclusive and welcoming to transgender and gender diverse people. + +- **Give credit:** Make sure to appropriately [give credit](tip-give-credit-where-credit-is-due.md) where credit is due, and make people feel supported and seen. Recognition and appreciation are fundamental to inclusion. 
+ +- **Prioritize accessibility:** [Accessibility](tip-be-mindful-of-accessibility.md) should never be an afterthought, it should be designed in your content and events right from the start. Make sure that your website or software follows [accessibility standards](https://www.w3.org/WAI/standards-guidelines/wcag/), uses [alt text](https://webaim.org/techniques/alttext/) everywhere you can, and ensure that your [in-person events](https://parkpeople.ca/make-your-event-accessible-and-inclusive/) are accessible and enjoyable for everyone. Reach out to people experiencing disabilities to ask how you could improve accessibility for your content and events. + +- **Moderate your community:** To keep your spaces inclusive, it's important to remove bad actors promptly. This is critical if you host a platform where people exchange together such as a forum, but it's also true for replies to your social media posts, your Signal groups, or your in-person gatherings. Whenever you become aware of a reply or answer that is abusive or bigoted, make sure to intervene quickly. If you neglect to moderate the community you are responsible for adequately, marginalized people targeted by these attacks will leave your community, and bad actors will prosper and multiply. + +- **Observe special days:** Make sure that your group observes or celebrates special days that are relevant to members in your community. For example, people might have different religious celebrations that are important to them. Make sure you mention these celebrations, and give your members the time they need to observe them. Celebrating special days and months such as Pride Month, Black History Month, National Day for Truth and Reconciliation, and International Women's Day are also important events to acknowledge in your community. + +- **Representation:** Pay special attention to the diversity of representation within your group, especially for people in positions of power. 
For your community to be inclusive, it's important for members to see that diverse people can access leadership, and to feel like your community leaders are aware of a diversity of experiences. + +- **Be mindful of invisible barriers:** If you find your community to be quite homogeneous, take the time to think about what might keep people from different identities and origins to join your group. Perhaps there are some invisible barriers that you could identify and reduce, in order to make your group more inclusive and welcoming. If there are already a few members with diverse identities in your group, try to reach out to them for feedback on ways to improve inclusivity in your community. + +- **Ask for feedback:** Regularly ask the members of your community and people from diverse groups what you could do to improve inclusivity. Genuinely listen, and be careful not to answer defensively if you receive negative criticism. Stay open and keep in mind that constructive feedback is important to make your group more inclusive and more diverse. + +
+ +## More resources + +- [Justice, diversity, and inclusion: Start here guide (_The Commons Social Change Library_)](https://commonslibrary.org/diversity-inclusion-start-here/) + +- [Do better and win bigger by taking on marginalisation (_Mobilisation Lab_)](https://mobilisationlab.org/resources/taking-on-marginalisation/) + +- [Navigating differences in identity, ideology, and experience (_Museum of Protest_)](https://museumofprotest.org/guides/guide-navigating-differences/) + +- [How to make your social justice event accessible (_The Commons Social Change Library_)](https://commonslibrary.org/how-to-make-your-social-justice-event-accessible/) + +- [Diversity, equity, and inclusion resources and tools (_Nonprofit Learning Lab_)](https://www.nonprofitlearninglab.org/dei) diff --git a/i18n/fi/activism/toolbox/tip-know-your-privacy-laws.md b/i18n/fi/activism/toolbox/tip-know-your-privacy-laws.md new file mode 100644 index 00000000..ec86fa03 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-know-your-privacy-laws.md @@ -0,0 +1,94 @@ +--- +title: Know Your Privacy Laws +description: Being well-informed about the data protection regulations in your own jurisdiction can be a significant asset in your battles for better privacy rights. +icon: fontawesome/solid/balance-scale +cover: activism/banner-toolbox-tip-laws.webp +--- + +Being well-informed about the **data protection regulations** in your own jurisdiction can be a significant asset for your personal and collective battles to improve privacy, for yourself and for others. + +Unfortunately, many people lucky enough to live in jurisdictions benefiting from such regulations often aren't aware of them, or of how to use them. + +Here's what to look for when searching information about your local privacy laws: + +## Where is the data subject + +For most privacy regulations, legal protections will be applicable to **data subjects** who are citizens or reside in a specific region or country. + +
+

What is a data subject?

+ +Different laws might use different terms for this. Sometimes, a regulation might simply refer to a _person_, an _individual_, a _consumer_, a _patient_, or a _customer_. + +Other times, the equivalent expression used will be a _data subject_. + +A data subject is simply anyone from whom personal information is collected by an organization. **Data subject** will be used as an umbrella term on this page. + +
+ +Contrary to what many believe, it's generally _your_ local regulations that protect you, regardless of where the organization collecting your personal data is located (in addition, organizations are also subjected to their own local regulations). + +Organizations that meet the data subject's local privacy law criteria are legally bound to comply with the laws of each region or country where their data subjects are residing (i.e. where they are conducting business). + +There are a lot of nuances and regional variations to this, but in general you should focus on _where_ the data subject is residing. + +## Finding your local regulations + +If your jurisdiction is protected by one or more privacy laws, it should be relatively easy to find this information online. _Privacy Guides_ will soon publish a tool facilitating this task. + +In the meantime, you can simply use a [trustworthy search engine](../../search-engines.md) and look for keywords with your location (be specific about country + states/provinces/region) and "privacy laws" or "data protection regulations." + +Always make sure to find a result that is from an official government source. + +
+

Beware of AI-generated information!

+ +Be careful to research this _without_ using an automated chatbot or AI-generated information. These tools can have a high error rate, and the information displayed might not be reliable. Be sure to find the official government documentation in order to get the proper _legal_ information. + +
+ +While researching about your privacy protections, keep in mind that: + +- [x] You might benefit from multiple privacy laws at once. For example, many regions have separate regulations specifically designed to protect health data, children's data, or employees' data. + +- [x] You might benefit from protections by different government levels at once, such as federal, provincial, state level, etc. Look for them all! + +- [ ] Your region might unfortunately not be protected by any significant privacy regulations at this time. If this is the case for you: It's time to contact your local representatives and advocate for a local privacy law! + +## What to look for in a privacy law + +Once you've found the official governmental documentation describing the data protection regulation that applies to your region, read it carefully to find: + + + +
+ +- Who is protected by the law, and in which situations? + +- Which types of organizations are bound to comply with the law? + +- What are your data subject rights? (Right to Delete? Right to Access? Right to Opt-out?) + +- Does the law include special protections for specific types of sensitive data? + +- Which types of data might be exempt from the law? + +- Which entity is responsible for enforcing the law? + +- What is the process to file a complaint? + +
+ +## More resources + +- [Map of data protection and privacy legislation worldwide (_UN Trade and Development_)](https://unctad.org/page/data-protection-and-privacy-legislation-worldwide) + +- [The future of privacy: How governments shape your digital life (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/02/03/the-future-of-privacy/) diff --git a/i18n/fi/activism/toolbox/tip-level-up-assemble-and-organize.md b/i18n/fi/activism/toolbox/tip-level-up-assemble-and-organize.md new file mode 100644 index 00000000..84c9c109 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-level-up-assemble-and-organize.md 
@@ -0,0 +1,213 @@ +--- +title: Level Up! Assemble and Organize +description: If you've been a privacy advocate for a while, maybe it's time to level up and grow as a leader in your community. Good leaders can benefit the whole movement. +icon: fontawesome/solid/fist-raised +cover: activism/banner-toolbox-tip-organize.webp +--- + +If you've been a privacy advocate for a while, maybe it's time to level up and **grow as a leader** in your community. + +Becoming a leader can mean many things. Maybe for you, it's starting a local meetup, preparing educational workshops, organizing an event or protest, initiating online projects with a team, or even starting your own organization! + +Here's what you can do to become a _good_ leader in the privacy rights movement: + +## Becoming a leader + +There are many styles and scales of leadership. It could mean starting small by initiating actions that require fewer resources, or it can scale up to directing larger campaigns and organizations. + +Regardless of the scale, it's important to become a _good_ leader to lift your community up, which will benefit the whole movement. + +Becoming a positive leader in your community doesn't mean running everything, and it doesn't mean being the only one taking decisions while telling others what to do either. First and foremost, ==it means supporting and inspiring people== to become the best privacy advocates they can be. + +## Supporting others + +Being a good leader is primarily being a good listener. A good leader will be attuned to their community, and support community members in reaching their full potential. + +A good leader maximizes the activism strength and energy of each member. This allows the community to thrive, and multiplies the positive impact of everyone's effort. + +
+

Good leaders are the key to community organizing. They do not tell other people what to do, but help others to take charge. They do not grab center stage, but nudge others into the limelight.

+ +

Source: [The Citizen's Handbook](https://citizenshandbook.org/1_08_lead.html)

+ +
+ +## Keys to positive leadership + +Good leaders are like conductors. An orchestra conductor doesn't try to play each instrument by themselves, they trust the musicians to play each part on their own. + +A good conductor ensures that each part is played in harmony with each other, to form a coherent whole, by communicating clearly and transparently with the musicians. They make sure that each musician has the tools and conditions they need to perform at the best of their skills, and always thank the musicians first when the audience applauds. + +Here are a few tips that can help you become a positive leader in your community: + +- [x] **Learn to delegate work** and split-up tasks. Do not try to do it all by yourself. Delegating and trusting others to do the work will also help prevent activism burnout. + +- [x] **Trust the members of your group** according to their unique skill sets, and reach out to them when their [unique expertise](tip-value-allies-with-complementary-expertise.md) or experience is relevant to another part of the project. + +- [x] **Show appreciation** both in private and in public, and [give credit](tip-give-credit-where-credit-is-due.md) where credit is due. This is incredibly important to retain the dedicated members of your group, and to attract new advocates. + +- [x] **Inspire and support** your group members to reach their full potential, and to become the best privacy advocates they can be. Make sure their needs are met, and that they feel safe coming to you for requests. + +- [x] **Build a team that is inclusive and diverse.** A [diverse team](tip-keep-your-posts-and-community-inclusive.md) will help your group gain a broader perspective, and be able to do more by having access to a diversity of experiences, skills, and networks. It will also help your message reach more people. + +- [x] **Lead by example** adopting principles of [integrity](tip-stay-true-to-your-principles.md), transparency, and work-life balance. 
Valorize and exemplify these behaviors within your group. + +- [x] **Plan and organize projects transparently.** Make sure the members of your group are aware of the direction you have in mind, and that they support it. Avoiding surprises internally will make your members feel safer, and will help with retention and satisfaction. + +- [x] **Regularly ask** the members of your group which tasks they prefer to do, and in which direction they want to go. Your group members should enjoy what they are doing, otherwise they will not stick around. Review this regularly, as situations can change and evolve. + +- [x] **Make sure your group members have all the rest and resources they need.** This is essential if you want a motivated team, with members that will invest the best of themselves in your group projects. + +- [x] **Organize leisure opportunities** for your group to discuss together about things other than work, and bound as a team. This will help improve communication, increase morale, and build better relationships within your group, as well as nurture a sense of belonging. Don't make this mandatory, however. Respect everyone's personal availabilities and boundaries. + +- [x] **Be (temporarily) replaceable.** If all the work your group does depends on your presence, all your projects will stop when you need to rest. This is a recipe for disaster, because you need to be able to [take time off](tip-take-time-to-rest.md) as much as any other members of your group. Have a backup plan ready, and communicate it with your group in advance. That way, if you fall sick, have to travel, or need time to take care of your family for a while, you will be able to take the time you need. Until you come back, you will be able to rest fully without stress, knowing your projects will keep running well despite your absence. + +## Bigger projects to organize + +There are so many ways to be a privacy activist, and so many types of actions that can help our movement. 
+ +In fact, it's important that we have a wide variety of initiatives to make this works. The more diverse our activism, the further we can spread the word and bring positive changes. + +Here are a few ideas of actions you might want to consider in your privacy work: + + + +
+ +- **Form a group to develop a website** to inform and facilitate concrete action from the public to fight against a privacy issue. As an example, visit this impactful [web project](https://fightchatcontrol.eu/) to fight Chat Control developed by Joachim. + +- **Develop a web page to inform the public on a privacy issues**, and conduct research to provide a list of which businesses or institutions are participating in the invasive practice, and which ones have pledged not to. As an example, check out this amazing [web page](https://www.banfacialrecognition.com/stores/#scorecard) to ban facial recognition in stores created by Fight for The Future. + +- **Organize a campaign** to fight a specific issue, and reach out to other organizations to take part in a coalition. As an example, check this [website](https://stopscanningme.eu/en/) to push back against Chat Control developed by European Digital Rights (EDRi). + +- **Start a petition** collecting citizen signatures to push against a privacy-invasive law or legislative proposal. As an example, read about the [petition](https://www.openrightsgroup.org/publications/joint-briefing-petition-debate-on-repealing-the-online-safety-act/) to repeal the invasive UK Online Safety Act, signed by over 550,000 people. + +- **Gather experts to publicly support an open letter** opposing a privacy issue or supporting a privacy solution, and share it with the media. As an example, read this [open letter](https://csa-scientist-open-letter.org/Sep2025) opposing a Chat Control proposal, signed by over 800 scientists and researchers. + +- **Speak publicly** to raise awareness on privacy issues and educate the public, if you are comfortable doing so. As an example, watch this moving TEDx [talk](https://www.youtube.com/watch?v=xSPRouBvgFE) by Carissa Véliz. + +- **Start a privacy rights video channel** on your preferred privacy-preserving platform. 
As an example, check out Privacy Guides' [PeerTube](https://neat.tube/c/privacyguides/videos) and [Loops](https://loops.video/@privacyguides) channels. + +- **Design educational online or printed material** to provide information about a specific privacy issue or protections. As an example, visit this [website](https://sls.eff.org/) about street level surveillance, or this border search pocket [guide](https://www.eff.org/document/eff-border-search-pocket-guide), both developed by the Electronic Frontier Foundation (EFF). + +- **Write content to share your knowledge** about solutions to push back against Big Tech and surveillance capitalism, and encourage others to join your journey. As an example, explore this [blog](https://blog.elenarossini.com/tag/the-future-is-federated/) about joining the Fediverse written by Elena Rossini. + +- Learn about more [types of actions](https://museumofprotest.org/methods/) you can use in your privacy activist work. + +
+ +## Tools that can help you to assemble and organize + +Here are a few privacy-focused tools and services that can help you to organize your groups and actions: + +
+ +
+ +![CryptPad logo](../../assets/img/document-collaboration/cryptpad.svg){ align=right } + +**CryptPad** is a free open-source collaborative office suite that uses end-to-end encryption. + +:page_with_curl: Use it as an alternative to Google Docs! + +[More info](../../document-collaboration.md#cryptpad){ .md-button .md-button--primary } +[:octicons-home-16:](https://cryptpad.fr/){ .card-link title="Homepage" } +[:octicons-feed-star-16:](https://www.privacyguides.org/articles/2025/02/07/cryptpad-review/){ .card-link title="Our CryptPad review" } + +
+ +
+ +![Mastodon logo](../../assets/img/social-networks/mastodon.svg){ align=right } + +**Mastodon** is a free and open-source microblogging social network. + +:speech_balloon: Use it as an [alternative](tip-improve-your-social-media-and-build-resilient-communities.md) to commercial social media such as _X_, _Facebook_, _Instagram_, _Threads_, _TikTok_, or _Bluesky_. + +[More info](../../social-networks.md#mastodon){ .md-button .md-button--primary } +[:octicons-home-16:](https://joinmastodon.org/){ .card-link title="Homepage" } +[:octicons-feed-star-16:](https://www.privacyguides.org/articles/2025/07/15/mastodon-privacy-and-security/){ .card-link title="Notes on Mastodon Privacy & Security" } + +
+ +
+ +![Element logo](../../assets/img/social-networks/element.svg){ align=right } + +**Element** is a free open-source client for the [Matrix](https://matrix.org/) open standard for chat-room group communication. + +:loudspeaker: Use it as a privacy-preserving alternative to _Slack_ or _Discord_. + +[More info](../../social-networks.md#element){ .md-button .md-button--primary } +[:octicons-home-16:](https://element.io/){ .card-link title="Homepage" } + +
+ +
+ +![PeerTube logo](../../assets/img/social-networks/peertube.svg){ align=right } + +**PeerTube** is a free open-source video platform developed by the French nonprofit [Framasoft](https://framasoft.org/en/). + +:video_camera: Use it to share videos with your community free from _YouTube_'s control. + +[:octicons-home-16: Homepage](../../social-networks.md#peertube){ .md-button .md-button--primary } + +
+ +
+ + + +
More Alternatives  📗 + +- **Maps & Navigation:** [Organic Maps](../../maps.md#organic-maps) or [OsmAnd](../../maps.md#osmand) +- **Calendar Sync:** [Tuta](../../calendar.md#tuta) or [Proton](../../calendar.md#proton-calendar) +- **Cloud Storage:** [Proton Drive](../../cloud.md#proton-drive), [Tresorit](../../cloud.md#tresorit), or [Peergos](../../cloud.md#peergos) +- **File Sharing:** [OnionShare](../../file-sharing.md#onionshare), [Send](../../file-sharing.md#send), or [Syncthing](../../file-sharing.md#syncthing-p2p) + +More tools for community organization could include [LAUTI](https://lauti.org/) for community calendars, and [Mobilizon](https://mobilizon.org/) for events and groups. For more on better alternatives to use, you can check this [tip on why and how to migrate away from Big Tech](tip-migrate-outside-the-surveillance-ecosystem.md) for your privacy advocacy work. + +
+ +## More resources + +### Leadership + +- [Tips to become a good leader (_The Citizen's Handbook_)](https://citizenshandbook.org/1_08_lead.html) + +- [Start a movement guide: Social movement building (_Activist Handbook_)](https://activisthandbook.org/organising/movement) + +- [Positive leadership: 30 must-have traits and skills (_Positive Psychology_)](https://positivepsychology.com/positive-leadership/) + +### Campaigns and Actions + +- [New to activism, organising and campaigning? Start here! (_The Commons Social Change Library_)](https://commonslibrary.org/new-to-activism-organising-and-campaigning-start-here/) + +- [How do we begin taking action in the community (_Community Tool Box_)](https://ctb.ku.edu/en/get-started) + +- [The methods of nonviolent action (_Museum of Protest_)](https://museumofprotest.org/methods/) + +- [Lobbying and advocacy: Start here (_The Commons Social Change Library_)](https://commonslibrary.org/lobbying-and-advocacy-start-here/) + +- [Develop your activist strategy: Writing a strategy for your movement (_Activist Handbook_)](https://activisthandbook.org/strategy/develop) + +- [Campaign accelerator training (_Mobilisation Lab_)](https://mobilisationlab.org/training-coaching/campaign-accelerator-training/) + + diff --git a/i18n/fi/activism/toolbox/tip-lift-your-allies-up.md b/i18n/fi/activism/toolbox/tip-lift-your-allies-up.md new file mode 100644 index 00000000..87f6b103 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-lift-your-allies-up.md 
@@ -0,0 +1,66 @@ +--- +title: Lift Your Allies Up +description: The battle for privacy rights is difficult, and its defenders are scattered. This is why it's essential to support and uplift each other, every time we can. +icon: fontawesome/solid/hand-holding-hand +cover: activism/banner-toolbox-tip-lift.webp +--- + +At times, it might feel like the privacy community is niche and isolated. + +The battle for privacy rights is difficult, and its defenders are scattered and spread out all around the world. This is why it's essential that we **support and uplift each other**, every time we can. + +Here's how you can lift your allies up, and help to grow the movement: + +## Your allies share your goals + +It's easy to get lost in our own niche advocacy, and lose track of what others in our community are working on. + +Nevertheless, if we want to [**build a movement**](tip-start-alliances-not-wars.md) (and to succeed, we must) we need all the help we can get, from every person and organization sharing our values. + +- [x] Whenever you see an organization with a campaign compatible with your mission, lift them up! + +- [x] Even if you are an organization yourself, lift others up too! + +- [x] Even if you are also working on a similar project, lift them up with you! + +It doesn't matter if you are working on something comparable yourself, or if perhaps you would word their work slightly differently. As long as the message is aligned with your mission and values, spread the words of your allies loud and far! + +By lifting each other up, we will broaden the reach of the message we share, and ultimately this serves our goals and our community too. + +In privacy advocacy, we truly need to adopt the mindset: ==The more, the merrier.== + +## Concrete ways to support and lift your allies up + +There are infinite ways to lift your allies up. 
Here are some ideas to get you started, whether you are an independent advocate, a digital rights organization, or a privacy-focused business: + + + +
+ +- When an organization or business sharing you values starts a campaign, repost them on social media. Additionally, you can quote them or write about it yourself, while linking to their profile and campaign. Boost them up! + +- If you are a writer, regularly link to material created by other trustworthy organizations and people sharing your values, while giving them credit. + +- When an individual creates material favorable to your organization or project, take the time to repost them and thank them. This is bringing more people to your cause, without any work on your side! + +- Change your mindset from competition to collaboration. See your peers as people fighting by your side. Whenever they win, you win too. Congratulate them on their successes, and support them in times of need. + +- When you see that your allies need help with an expertise you have, try to offer your time and resources if you can afford it. + +- When reaching out to your community, talk about your allies' work as well, and help people discover new resources. Everyone has different ways to absorb new information. Perhaps you can help others find resources that are more compatible with their needs, even if it's not your material. You are not losing a member when you refer people externally, you are winning, because you are contributing to grow the movement. + +
+ +## More resources + +- [Bits of Freedom & Privacy Guides partnership announcement (_Privacy Guides_)](https://www.privacyguides.org/posts/2025/10/08/privacy-guides-bits-of-freedom-partnering-to-enhance-fixjeprivacy-nl/) + +- [The Tor Project's allies uplifting Tor together (_Tor Project_ short video)](https://www.youtube.com/shorts/-hFNMlsePsc) diff --git a/i18n/fi/activism/toolbox/tip-make-it-cute.md b/i18n/fi/activism/toolbox/tip-make-it-cute.md new file mode 100644 index 00000000..a3a7123d --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-make-it-cute.md 
@@ -0,0 +1,56 @@ +--- +title: Make It Cute +description: If you are developing a privacy-focused application or website, it's important that you do not neglect the design aspect of it. Make it cute! +icon: fontawesome/solid/cat +cover: activism/banner-toolbox-tip-cute.webp +--- + +If you are developing a privacy-focused application or website, it's important that you **do not neglect the design** aspect of it. This is a common mistake that can have a significant negative impact on adoption by a general audience. Make it cute! + +Here's why you should make your design appealing and accessible to everyone: + +## What happens when your app is ugly + +Quality design for User Interface (UI) and User Experience (UX) is fundamental to product adoption. Unfortunately, this is regularly neglected by developers working on privacy-focused projects. Often, this is due to lack of resources, but sometimes it's simply an oversight. + +The problem is that if your application or website isn't appealing visually, is awkward to use, difficult to understand, or use jargon inaccessible to newcomers, ==people who aren't already in your community are much less likely to adopt your product==, regardless of the privacy benefits it offers. Trying to tell people a billion times they should switch to using your app will be no help at all if it's unpleasant to use on a daily basis. + +When your app is ugly, fewer people want to use it, and fewer people benefit from its protections. Minimizing the importance of visual appeal and ease-of-use will only impact your goals negatively. + +## Beyond privacy features: Develop a product that is also accessible, functional, and cute! + +If you've already done your homework to build the best app for people to protect their privacy, or the best website to provide privacy advice, here are other aspects you should consider to increase your product's popularity: + + + +
+ +- Make sure that your app or website is [accessible](tip-be-mindful-of-accessibility.md) as much as possible. Accessibility will not only make more people able to use your application, but it's likely to also improve user experience for everyone. + +- Wrap your product in a pretty package. If you can afford it, hire a professional designer to polish your app or website interface, as well as your organization's logo and promotional material. Design can truly be a make-or-break moment. Do not neglect it! + +- People like cute things! Make your app and content cute! Additionally, this helps to make technically-intimidating projects feel more accessible to newcomers and beginners. + +- Use good design to reinforce your privacy features or topics. Visual elements can be great assets to bring more attention to your product or content, and to highlight important privacy features in your application. Use design to guide users instinctively towards good privacy. And use design to make the information you share on your website or other content easier to digest. + +- Make sure your application or website isn't just cute and privacy-positive, but also _functional_. Without good user experience, you will not be able to retain the users or readers you have managed to attract with cuteness or privacy, and people will move back to their old bad habits. + +
+ +## More resources + +- [Why are cute objects so seductive (_Laura Sabau Tatar_)](https://uxdesign.cc/why-are-cute-objects-so-seductive-8de1c58bd47c) + +- [The importance of User Interface (UI) and User Experience (UX) design (_Geeks for Geeks_)](https://www.geeksforgeeks.org/websites-apps/importance-of-ui-ux-design/) + +- [Why do open source applications often have less polished UIs than commercial software (_Darren Horrocks_)](https://www.darrenhorrocks.co.uk/why-open-source-ui-design-sucks/) + +- [How to start with design in your open source project (_All Things Open_)](https://allthingsopen.org/articles/start-design-open-source-project) diff --git a/i18n/fi/activism/toolbox/tip-migrate-outside-the-surveillance-ecosystem.md b/i18n/fi/activism/toolbox/tip-migrate-outside-the-surveillance-ecosystem.md new file mode 100644 index 00000000..0a747bbe --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-migrate-outside-the-surveillance-ecosystem.md 
@@ -0,0 +1,130 @@ +--- +title: Migrate Outside The Surveillance Ecosystem +description: As privacy activists, it's important to lead by example and support the tools and organizations with good privacy practices, by moving away from Big Tech. +icon: fontawesome/solid/arrow-right-from-bracket +cover: activism/banner-toolbox-tip-migrate.webp +--- + +As privacy activists, it's not only important to support the tools and organizations with good privacy practices, but also to lead by example when it comes to **moving away from the surveillance ecosystem**. We cannot afford to compromise our principles simply for [convenience](https://www.privacyguides.org/articles/2025/06/07/selling-surveillance-as-convenience/). + +Here's why and how to move away from Big Tech and embrace alternatives: + +## The cost of using Big Tech in our privacy work + +While using the most popular mainstream tools and platforms for our work might seem efficient at first, there can be an immense cost to it, if these tools and platforms aren't aligned with our privacy values. + + + +
+ +1. The first drawback is that by using products that are antithetical to our values, we are directly participating in sustaining anti-privacy corporations and contributing to [surveillance capitalism](../../basics/common-threats.md/#surveillance-as-a-business-model). + +2. The second drawback is that simply by using Big Tech tools, we are indirectly promoting the usage of services that are horrible for everyone's privacy. + +3. The third drawback is that if we use these tools in our action and communications, we are then endangering the data of others who rely on our expertise to keep their data safe. They might think: "If this privacy advocate asks me to fill a Google form, it's probably safe enough to use Google products for sensitive data." + + With great _knowledge_ comes great responsibility. We must protect the data people share with us, even more than we would our own. + +4. The fourth drawback is that, as privacy activists, demanding that others use tools violating their privacy rights to communicate with us can damage our credibility, and have a negative impact on the whole community. Observers might think: "If all these privacy advocates use Facebook groups, why should I listen when they recommend that I move away from Facebook?" + +5. Finally, the fifth drawback is that we need to be _leading by example_ and demonstrate that it **is** possible to live a connected life without using privacy-invasive tech. + + Because a better world _is_ actually possible, right now. It might not be as easy and as convenient, but it's certainly possible to thrive outside the Big Tech surveillance apparatus, especially for privacy activists and digital rights organizations. + + As the saying goes: ==If not us, then who? If not now, then when?== + +
+ +## How to migrate away from privacy-harmful tools and choose better alternatives + +
+

What is the best tool?

+ +For each proposed alternative, you should always first consider your own [threat model](../../basics/threat-modeling.md). One tool might be ideal for one person or organization, but another tool might be better for another. Make sure to understand well your threat model in order to choose the tools that are the best for your unique situation. + +
+ +There are two good news about this: + +- First, there are many wonderful alternatives that already exist to support all kind of tasks, and that will preserve your privacy and the privacy of the people you communicate with. + +- Second, you don't have to do it all at once! Start your migration process slowly, but be persistent about it over the whole year. + +Here's a list of alternative solutions you can start adopting to improve data privacy in your advocacy work: + +### For individuals and organizations + + + +
+ +- **[Messaging communication](../../real-time-communication.md):** Move your text message communication, audio calls, and video calls to a secure messenger like Signal. Enable features like Signal's username option, and disappearing messages. + +- **Sensitive messaging communication:** If your threat model requires a peer-to-peer solution that doesn't need a phone number and transits over the [Tor network](https://www.privacyguides.org/articles/2025/04/30/in-praise-of-tor/), you might want to use an application such as [Cwtch](https://docs.cwtch.im/) or [Briar](../../real-time-communication.md/#briar). + +- **[Email communication](../../email.md):** Migrate to a privacy-respectful email service that offers end-to-end encryption, such as Proton Mail or Tuta. Make sure to inform yourself about the limitations of email privacy when using email for sensitive communication. + +
+

Service providers disclosure and compatibility

+ + If you use your own custom domain name for email addresses, let the people you communicate with know what your service provider is. + + That way, they will know that if they use a compatible service provider, they might benefit from end-to-end encryption protections for the content of their communications with you without requiring any additional steps. + + For example, this is the case when emailing from a Proton Mail account to another Proton Mail account, or from a Tuta Mail account to another Tuta Mail account. + +
+ +- **[Document storing and sharing](../../document-collaboration.md):** Move away from privacy-invasive Google products to store and share documents. Instead, use an end-to-end encrypted solution such as [CryptPad](https://www.privacyguides.org/articles/2025/02/07/cryptpad-review/) for your collaborative documents and forms. Proton Drive also offers collaborative documents with _Proton Docs_ and _Sheets_. + +- **[Storing files](../../cloud.md):** Choose an end-to-end encrypted cloud solution to store and share files. Always keep in mind that if a cloud service provider doesn't offer solid end-to-end encryption, then it can potentially access any of your stored files. + +- **Surveys:** Stop using products such as Google Forms to poll your community. Instead, choose a privacy-focused alternative such as [CryptPad Form](https://www.privacyguides.org/articles/2025/02/07/cryptpad-review/#form) or [Framaforms](https://framaforms.org/abc/en/). + +- **[Online calendar](../../calendar.md):** Your online calendar can be an important source of sensitive data. Moreover, you might store other's people data in it, or use it to share event links with collaborators. It's essential to make sure to use a privacy-protecting solution for online and collaborative calendars. + +- **Groups and events:** When organizing groups or events, be careful to choose platforms that are privacy-respectful and don't require participants to register personal information. Keep in mind that if you only use Facebook groups, you are contributing to people staying on a privacy-invasive platform. If you only use a closed Meetup group, you are demanding people create an account and share their sensitive data in order to join. Instead, use privacy-respectful platforms such as [Mobilizon](https://mobilizon.org/) or [LAUTI](https://lauti.org/) for groups and events, [Discourse](https://www.discourse.org/) for forums, or simply use your own website to advertise in-person events. 
+ +- **Website analytics and cookies:** If you own a website for your organization or for your individual advocacy, make sure to remove from it any [tracking technologies](https://blog.mozilla.org/en/firefox/cross-site-tracking-lets-unpack-that/) that could be sending your visitors' data to Google, Facebook, or other advertising corporations. You shouldn't need a cookie banner for your website, because _your website shouldn't use any non-essential cookies_. If you really need website analytics, try using a privacy-respectful alternative such as [Umami](https://umami.is/) or [Plausible Analytics](https://plausible.io/). + +- **Smart devices:** Whether you are meeting with other advocates at home or organizing an event, make sure the location is free from Big Tech [surveillance devices](https://www.privacyguides.org/articles/2025/03/10/the-privacy-of-others/#notify-guests-if-you-are-using-a-smart-speaker) that might get easily forgotten. This may include a doorbell equipped with a camera, a smart speaker such as Amazon Echo, Google Home or Google Nest, or any other audio or video recording devices that is on. Physically unplug any such devices in the location _before_ guests arrive. If you cannot unplug them, at least provide a proper warning to any guests before they enter the location and the device collects their audio or video data. + +- **Usage of AI:** Be extremely careful if you are using AI platforms. Most current mainstream AI products will send at least some data or metadata to the company's remote server. This can create many privacy issues, ranging from mild to severe. Never use these products to upload data about another person without their _prior explicit consent_. Ideally, refrain from using any AI tools in your advocacy work entirely. + +- **Candidates data:** If your organization hires people, be mindful of how you handle candidates' data. 
Try to select privacy-respecting solutions such as email communication instead of using commercial platforms that might share candidates' data with third-parties. Only request the minimum information required from applicants, and always delete all data you are no longer required to keep as soon as you don't need it anymore. + +- **Availability:** Make sure you or your organization is reachable outside the Big Tech ecosystem. If your organization only has a Facebook page, then people without a Facebook account cannot reach out to you. The same is true for other commercial social media. Instead, try to rely on a website you control yourself, or a social network page you can host yourself. + +- **[Social media](../../social-networks.md):** Move away from commercial social media platforms. Mainstream platforms are almost all abusing their users' data. By keeping an account there, you are indirectly encouraging your followers to stay there as well, perpetuating the platform's abuse. + + While you may want to keep a minimal presence to advertise that you have now moved your activity to a more privacy-respectful platform, you should keep your engagement there to a minimum. + + Instead, migrate your advocacy work to better social networks that aren't abusing users' data, and encourage your followers to migrate with you. Choose and support a platform that is more aligned with your privacy values, such as [Mastodon](https://www.privacyguides.org/articles/2025/07/15/mastodon-privacy-and-security/) or any other open-source non-commercial applications connected to the [Fediverse](https://blog.elenarossini.com/fediverse-video/). + +
+ +## More resources + +- [Alternatives to Big Tech that have been vetted by our community (_Privacy Guides_)](../../tools.md) + +- [Privacy-respecting European tech alternatives (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/03/19/private-european-alternatives/) + +- [Helpful articles and tips to migrate out of Big Tech (_The Opt Out Project_)](https://www.optoutproject.net/) + +- [More advices on how to improve your privacy if you are just getting started (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/07/24/privacy-is-like-broccoli/#tools-and-services-you-can-start-using) diff --git a/i18n/fi/activism/toolbox/tip-protect-your-allies.md b/i18n/fi/activism/toolbox/tip-protect-your-allies.md new file mode 100644 index 00000000..50fd4c40 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-protect-your-allies.md 
@@ -0,0 +1,107 @@ +--- +title: Protect Your Allies +description: Through your privacy work, it's crucial to protect the data of your allies in all that you do, whether it's individual action or leading an organization. +icon: fontawesome/solid/shield-heart +cover: activism/banner-toolbox-tip-protect.webp +--- + +Through your privacy advocacy work, be careful to never collect or share the data of others without their prior explicit consent. It's crucial to **protect your allies' data** in all that you do, whether it's individual action, organizing an event, or leading an organization. + +Here's what you can do to safeguard the data of your privacy comrades: + +## Where we might collect and share the data of others + +There are many ways we might collect the data of others in the course of our advocacy, sometimes without even realizing it. + +It's important to develop an awareness of the data we collect and share ourselves, and protect the data of others with the greatest care. Not only is this critical for [integrity](tip-stay-true-to-your-principles.md), but it's also fundamental to build and keep the trust of our allies. This in return is essential to build and grow our movement. + +Here are a some examples of other people's data we might collect or share in the context of our privacy advocacy work, whether intentionally or inadvertently: + +
+ +
+ +- [ ] Contact information (personal advocacy or professional work) +- [ ] Donation information (including legal names, emails, and phone numbers) +- [ ] Purchase information (including legal names and shipping addresses) +- [ ] Mailing list email addresses +- [ ] Email content +- [ ] Instant messaging content +- [ ] Forum post content +- [ ] Login credentials +- [ ] Internet Protocol (IP) addresses +- [ ] Website telemetry data +- [ ] Website cookies and fingerprinting data +- [ ] Chatbot logs +- [ ] Survey answers +- [ ] Shared documents + +
+ +
+ +- [ ] Shared photos and images +- [ ] Legal names of people on work contracts or partnership agreements +- [ ] Home addresses of people on work contracts or partnership agreements +- [ ] Resumes and cover letters from job applicants +- [ ] Recordings or screenshots of video or audio meetings +- [ ] Behind-the-scene video footage from interviews +- [ ] Videos we take during meetups, events, or protests +- [ ] Photos we take during meetups, events, or protests +- [ ] License plates information from event photos or event parking lot management +- [ ] Security camera footage +- [ ] Dietary restrictions/preferences and health information for events +- [ ] Screenshots of people's social media posts +- [ ] And so much more + +
+ +
+ +## How to protect the data of others + +Each time we collect data from others, we become its guardian. This isn't a small responsibility, and we should always treat the data of others as [toxic asset](https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html). + +We should always only collect and keep what was obtained consensually, and what is strictly required for operations. + +Regardless of the data we have to collect, we should always make sure to: + +1. **Minimize** data collection by verifying that it is absolutely necessary for the task ([data minimization](https://en.wikipedia.org/wiki/Data_minimization)). + +2. **Ask for consent** from the data subject _before_ collecting any data, and make sure consent is explicit and informed. + +3. **Protect** the collected data with adequate and proportional security measures, ideally using [end-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) every time this is possible. + + - If this data needs to be shared with a third-party or a service provider, obtain data subject's consent prior to sharing, and verify the third-party or service provider offers adequate protections and proper deletion mechanisms. + +4. **Delete** the data as soon as it isn't needed anymore, and ensure deletion is done thoroughly. + +### Some practices to normalize in our advocacy work + +- [x] Asking for consent before sharing someone's information (legal name, location, contact information, photos, etc.). + +- [x] Asking people what name and pronouns they want to be referred to publicly. + +- [x] Asking people how (and if) they would like to be credited publicly. + +- [x] Asking for permission before using the quote of someone else in our own work. + +- [x] Asking for permission before publishing a screenshot of someone else's post. + +- [x] Respecting people's choices to show their face publicly or not. + +- [x] Asking for consent before taking photos at meetups or events. 
+ +- [x] Blurring the faces of strangers in crowd photos (especially for children). + +- [x] Using consent badges for photo permission at event, or ideally forbidding taking nonconsensual photos entirely. + +- [x] Warning people in advance when there are recording technologies on premise (such as smart speakers or other recording devices). + +- [x] Not requiring guests to sign up for events. Making sure all the information is public, without requiring to provide any personal information in order to participate. + +## More resources + +- [Data is a toxic asset (_Bruce Schneier_)](https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html) + +- [The importance of protecting the data of others (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/03/10/the-privacy-of-others/) diff --git a/i18n/fi/activism/toolbox/tip-refuse-to-participate.md b/i18n/fi/activism/toolbox/tip-refuse-to-participate.md new file mode 100644 index 00000000..a63042cf --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-refuse-to-participate.md 
@@ -0,0 +1,80 @@ +--- +title: Refuse to Participate +description: As privacy activists, we must be a voice for resistance and take a stand against abusive practices, by refusing to comply with privacy-intrusive requests. +icon: fontawesome/solid/xmark-circle +cover: activism/banner-toolbox-tip-refuse.webp +--- + +As privacy advocates and activists, it's important to **be a voice for resistance** and take a stand against abusive practices. One substantial way to do this is to refuse to participate in privacy-intrusive requests, or use invasive software. + +Here's how you can refuse to comply with privacy-abusive practices, and why it's imperative that you do whenever possible: + +## The risk of complying with privacy-invasive requests + +Requests to invade our privacy are part of our daily lives in today's world. Whether it's a store cashier banally asking for our phone number after a purchase, or a prominent facial scan at the airport with no clear instructions on how to opt out, ==privacy-invasive requests have become so normalized== that most people barely notice them anymore. + +The problem is, each time we mindlessly comply because we are tired, rushed, or failed to even notice how unnecessary and intrusive this is, we directly contribute in normalizing bad practices even more. + +While it might be ambitious to expect people who aren't even aware of privacy issues to say no, as privacy advocates we have a responsibility to lead by example, and refuse every single time we legally can. Ideally, we should also document and report on our experience, as this presents a unique opportunity to raise awareness on the issue. + +## The risk of using privacy-abusive platforms + +Each time we use a platform, tool, or service that is privacy-invasive in our practice, we also contribute in normalizing the use of privacy-abusive software. 
+ +It's not always easy to [leave Big Tech](tip-migrate-outside-the-surveillance-ecosystem.md) and adopt more privacy-preserving technologies in our daily work. Nevertheless, it's an essential part of our advocacy. + +When we use products that do not reflect the values we are asking people to adopt, we not only undermine our own credibility as privacy advocates, but we also harm the privacy rights movement as a whole. It's crucial to lead by example and publicly refuse to use and participate in privacy-abusive platforms, as much as feasible for our situation. + +## How to refuse to participate in abusive practices, and take a stand for privacy rights + +There are many ways to refuse to participate in privacy-invasive practices and platforms. Here are a few things you can try to do in your daily life, and in your privacy advocacy work: + + + +
+ +- Use an [ad blocker](https://www.privacyguides.org/en/browser-extensions/) everywhere you can. + +- Categorically and obstinately reject all cookies, every single time. + +- Read apps' privacy-labels, and always favor applications that are the least intrusive. + +- Migrate [away from abusive Big Tech](tip-migrate-outside-the-surveillance-ecosystem.md) products and platforms. + +- Try to move out or reduce your usage of [privacy-exploiting social media](tip-improve-your-social-media-and-build-resilient-communities.md). + +- Each time you install a new application or create a new account, go through the settings to disable all the privacy-invasive features you can disable. Make sure to disable any AI features as well. + +- When requested to provide unnecessary personal information by a cashier or an online form, firmly refuse to provide anything that isn't legally necessary. + +- Inform yourself in advance about potential legal options to opt out of privacy-invasive technologies such as airport facial scanner. + +- Refuse to provide an official piece of ID online for purposes that aren't strictly necessary, such as government requests. Do not comply with intrusive [age-verification](https://www.privacyguides.org/articles/2025/05/06/age-verification-wants-your-face/) processes. Leave your account abandoned instead, or [delete it](../../basics/account-deletion.md) if you still can. Additionally, consider contacting your government representatives and the platform's complaint email to voice your privacy concerns about such practice. + +- [Report privacy violations](tip-report-privacy-violations.md) of your local privacy laws whenever you can. + +- Depending on your position, refuse to collect or share personal information on others without their prior, explicit, and informed consent (unless you are _legally_ required). 
Be mindful of the software or third-party partners you use that could inadvertently share more information about others than you intended, such as [website telemetry](https://sebastiangreger.net/2014/02/privacy-aware-design-replacing-google-analytics/) or [social media buttons](https://www.tunnelbear.com/blog/why-we-created-our-own-social-media-buttons-on-our-website/). + +- Never share the personal information of others with an AI chatbot or platform. Decline to do this in your work, whenever possible. + +- Promote refusal around you. Inform others of their rights and responsibilities to opt out. Create accessible guides to educate the public on how they can also refuse to participate. + +
+ +## More resources + +- [_Privacy Guides_ tools and services recommendations](../../tools.md) + +- [You can say NO (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/06/17/you-can-say-no/) + +- [Selling surveillance as convenience (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/06/07/selling-surveillance-as-convenience/) + +- [6 effective tips to politely say no (_Science of People_)](https://www.scienceofpeople.com/how-to-say-no/) diff --git a/i18n/fi/activism/toolbox/tip-report-privacy-violations.md b/i18n/fi/activism/toolbox/tip-report-privacy-violations.md new file mode 100644 index 00000000..590e185a --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-report-privacy-violations.md @@ -0,0 +1,194 @@ +--- +title: Report Privacy Violations +description: Submitting an official complaint for violation of your privacy rights is often simple, and can have a significant positive impact for your community. +icon: fontawesome/solid/gavel +cover: activism/banner-toolbox-tip-report.webp +--- + +Once you are [informed on your local privacy laws](tip-know-your-privacy-laws.md), it's important to get familiar with the process to **report violations of the law**. Submitting an official complaint is often simple, and can have a significant impact both for yourself and for your community. + +Here's why and how you should report violations of your local privacy laws: + +
+

International variations

+ +There are hundreds of privacy regulations currently in effect in the world. Moreover, each country might have multiple privacy laws protecting different regions/states/provinces, and different types of data (health data, children's data, employees' data, etc.). + +This tip cannot cover each regulation individually. There will be variations for each privacy law applicable. Read this tip as a general advice and a starting point to guide you through your own regional research. + +
+ +## Why reporting violations matters + +For many (if not most) privacy regulations, there isn't a mechanism to systematically audit every single organization collecting data from people located in its jurisdiction. + +Unless the enforcing authority decides to investigate an especially important abuse, the process often relies on individual complaints reporting violations of [**data subject**](tip-know-your-privacy-laws.md#where-is-the-data-subject) rights in order to trigger an investigation. + +If you believe that your privacy rights have been violated by an organization, infringing your local privacy regulations, you can likely report this violation to the entity responsible for enforcing the law, the **Data Protection Authority** (DPA). + +
+

What is a Data Protection Authority?

+ +Again, different laws might use different terms for this, depending on the region. For example, in Canada the enforcing authority for a privacy law is often called a _Privacy Commissioner_. In Europe, the term used is a _Data Protection Authority_. In the state of California in the United States, the entity responsible for enforcing the California Consumer Privacy Act (CCPA) is the _California Privacy Protection Agency_. + +This text will use **Data Protection Authority** or **DPA** as an umbrella term to refer to any authorities mandated to enforce a privacy regulation. + +
+ +Reporting even small violations can help improve privacy rights not only for yourself but for everyone else as well. + +Often, reporting is simple and can make a big difference down the line, especially in number. + +Once an organization is ordered to bring corrective changes or is sanctioned for malpractice by a DPA, this can have many beneficial effects at the individual and collective level: + + + +
+ +- A delinquent organization might be mandated by law to correct the problem. For example, a company without a clear privacy policy might be ordered to publish one. + +- You might be able to get personal data that you were unable to delete before finally deleted with the help of your DPA (and similarly for access requests). + +- An abusive organization might be banned from operating in your country entirely. + +- Individual complaints can create a legal precedent that could speed up enforcement for similar violations in the future. + +- Strong sanctions that are made public can send a powerful warning to other organizations to avoid making the same mistakes, and adopt corrective privacy-protective measures preventively. + +- Cases and sanctions that are publicized can notify the public about potential problems, and potential solutions. + +- If a DPA receives multiple complaints targeting a single organization, they might decide to launch a larger investigation and order the organization to improve its privacy practices more broadly. + +
+ +## When you can report a violation + +You can **submit a complaint** any time your local privacy rights have been violated by an organization required to comply with the law, and you weren't able to resolve the issue on your own. + +To report a privacy law violation, first ask yourself these questions: + +- [x] Following the criteria described in your local privacy regulation, is the organization obligated to comply with this law? + +- [x] Is your affected information considered _personal information_ under the law? + +- [x] Which article(s) of the law has the organization breached? + +When in doubt, never hesitate to send any questions you have to your local DPA. + +The people working at your local DPA are the best specialists to contact to get the most accurate information specific to your local privacy protections. + +## How to report a violation + +Most regulations will have a clear process to submit an official complaint. + +Once you've found the official documentation for your local privacy law(s), read through it to find who is responsible for enforcing the law (who is your DPA), and what the complaint process is. + +Before submitting a complaint, you may want to: + +### 1. Document everything you can + +Try to collect as much information as possible to support your case. + +Save copies of your email communication with the organization, take screenshots of the organization's chatbot replies to you, print to PDF the organization's privacy policy, etc. + +### 2. Try contacting the organization directly + +Depending on the context and violation, some legislations will require that you first contact the organization to attempt to resolve the problem directly. + +For example, let's say you want to delete your account's data but cannot find a way to do this within the application. You could then contact the organization's _privacy officer_ to request data deletion. 
If you don't receive any replies after a certain number of days (usually around 30 or 45 days, depending on regulations), you can then submit a complaint to your DPA to help you resolve this issue, if your local laws include a [Right to Erasure/Delete](https://gdpr-info.eu/art-17-gdpr/) or equivalent. + +This is applicable for any other data subject rights. + +### 3. File an official complaint with your Data Protection Authority + +On the website of your local DPA, you should be able to find either a form to submit a complaint or an email address you can contact with the details. + +When sending an official complaint, make sure to: + + + +
+ +- Follow the complaint process as described in the law or on the DPA's website. + +- Have the name and contact information of the organization you want to report. + +- Have a precise summary of the privacy violation and the steps you have taken so far to try resolving the issue. + +- Be mindful of the information you share in your complaint. + + This information could get shared with the organization you are complaining against, or even partially published later on. Read the DPA's privacy policy about complaint information, and do not hesitate to ask your DPA questions from an anonymous email address beforehand if needed. + +- Be ready to share additional evidences if your DPA requests it. + + This might include screenshots of the infraction, email communication with the delinquent organization, link to the organization's privacy policy, or any other evidences related to your case. + +
+ +## More resources + + + +
+ +- [European Union Member States Data Protection Authorities - List and Map (_EDPB_)](https://www.edpb.europa.eu/about-edpb/about-edpb/members_en) + +
+ +### Complaint form and process examples (region/law/DPA) + + + +
+ +- [Australia (Privacy Act): Office of the Australian Information Commissioner](https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us) + +- [Canada (PIPEDA): Office of the Privacy Commissioner of Canada](https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/) + +- [Canada-Quebec (Law 25): Commission d’accès à l’information du Québec](https://formulaire.cai.gouv.qc.ca/) + +- [France (GDPR): Commission Nationale de l’Informatique et des Libertés](https://www.cnil.fr/fr/plaintes) + +- [Ireland (GDPR): Data Protection Commission](https://www.dataprotection.ie/en/individuals/exercising-your-rights/raising-concern-commission) + +- [Nigeria (NDPA): Nigeria Data Protection Commission](https://services.ndpc.gov.ng/breach/) + +- [United Kingdom (UK GDPR): Information Commissioner's Office](https://ico.org.uk/make-a-complaint/data-protection-complaints/) + +- [United States-California (CCPA): California Privacy Protection Agency](https://www.cppa.ca.gov/webapplications/complaint) + +- [United States-Texas (TDPSA): Office of the Attorney General](https://consumerprotection.texasattorneygeneral.gov/consumercomplaintportal/s/) + +
diff --git a/i18n/fi/activism/toolbox/tip-small-actions-matter.md b/i18n/fi/activism/toolbox/tip-small-actions-matter.md new file mode 100644 index 00000000..791b8527 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-small-actions-matter.md 
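Review bot: In tip-report-privacy-violations.md, the "File an official complaint" checklist uses "additional evidences" and "any other evidences"; "evidence" is uncountable, so both should read "evidence". The same applies to "Read this tip as a general advice" in the International variations block (drop "a") and to "some legislations will require" in step 2 ("some laws" or "some legislation"). Separately, the file is added under i18n/fi/ but its body is entirely English. If that is the intended fallback for untranslated strings, it would help to say so in the commit message. The checklist already warns that complaint details may be shared with the organization or partly published. Step 1, "Document everything you can", could point to that warning, so readers think about what their screenshots and saved emails contain before attaching them.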
@@ -0,0 +1,84 @@ +--- +title: Small Actions Matter +description: There is so much to do to improve privacy rights. So much, that it's sometimes easy to feel discouraged. But everything helps, and even small action matters. +icon: fontawesome/solid/puzzle-piece +cover: activism/banner-toolbox-tip-small.webp +--- + +There is so much to do in the movement for better privacy rights. So much, that it's sometimes easy to feel discouraged when facing the scale of what's left to accomplish. But **everything helps**. Every small improvement counts, and every small victory should be celebrated. + +Even if you don't feel like you have the [energy](tip-take-time-to-rest.md) to move a mountain today, there are plenty of small actions you can do. + +Moreover, you don't have to move this mountain alone! If you push on it a little today, and a thousand people join you tomorrow, then a thousand more the day after, this mountain will eventually move. + +Here's why every action and each victory matter, no matter how small: + +## Small actions cumulate over time, and with numbers + +Discouragement often emerges from envisioning too much of what's left to do at once. While it's important to [expand your perspective](tip-dont-stop-at-individual-solutions.md), when it comes to action, it's also important to segment the task at hand into smaller bites. + +Even if you do not have the resources to organize a large campaign around a privacy issue, do not minimize the power that you have. + +All the ==small contributions you can make will culminate over time==, and end up having a significant impact overall. + +Additionally, you are [not alone](tip-lift-your-allies-up.md) in this battle. If you can make a small contribution today, and perhaps convince one or two other advocates to do the same, you have already contributed significantly to the movement. 
+ +## Divide your big ideas in small bites + +Whenever you have a big idea to attack a privacy issue, make sure to [plan out your action](https://commonslibrary.org/effective-activist-strategic-plans/) by splitting up the task over time, and delegating to allies. + +For example, if you want to organize a petition, perhaps ask one person to help with the website infrastructure, another with the design, another with the text, and another with the backend. Then, instead of trying to collect one million signatures by yourself, try to find allies and ask if they can help collect a few signatures each. Multiply your small impact by delegating to many. + +Each person who signs the petition is contributing their own small action. Each person who helps spread the word about the petition is adding another small action. And each person who contributes to promoting the petition on their own channels helps as well. All this counts, and it all matters. + +What can seem like a large project at first can become much more realistic and manageable after delegating and splitting up the tasks. + +## Evaluate your resources, and see what's possible within these limitations + +What you can accomplish will, of course, depend on the resources you have access to. If you are an individual, or a small organization with a very tight budget, you will not be able to commit as many resources as a large organization with lots of employees and stable funding. + +But regardless of the resources you have, there's always something you can do to contribute. + +Here are examples of some actions you might be able to do, from small tasks to larger projects: + + + +
+ +- Sign a petition related to an ongoing privacy issue, and encourage others to do the same. + +- Write a social media post about an ongoing campaign from a digital rights organization you care about. + +- Write a social media post about an ongoing privacy issue you care about. + +- Contact your local representatives to tell them how privacy rights are important to you or your organization. + +- Donate to a privacy organization and promote a privacy project you like. + +- Contribute to a privacy project you like that is looking for volunteers. + +- Build a web page to inform the public on a privacy issue (e.g. [Patrick Breyer's Chat Control page](https://www.patrick-breyer.de/en/posts/chat-control/)). + +- Build a web form or application to inform the public and facilitate taking action against a specific privacy issue (e.g. [Fight Chat Control](https://fightchatcontrol.eu/), [Stop Online ID Checks](https://www.stoponlineidchecks.org/)). + +- Find organizations sharing your values to sign a public joint statement about an ongoing privacy issue. + +- Read more on small and big [tactics you can use for your privacy activism](https://activisthandbook.org/tactics#list-of-tactics) from the Activist Handbook. + +
+ +## More resources + +- [Privacy is not dead: Beware the all-or-nothing mindset (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/02/17/privacy-is-not-dead/) + +- [Learn about Points of Intervention to better plan and divide your actions (_The Commons Social Change Library_)](https://commonslibrary.org/points-of-intervention/) + +- [Social change myths: What is a movement (_The Commons Social Change Library_)](https://commonslibrary.org/social-change-myths/) diff --git a/i18n/fi/activism/toolbox/tip-start-alliances-not-wars.md b/i18n/fi/activism/toolbox/tip-start-alliances-not-wars.md new file mode 100644 index 00000000..3449649b --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-start-alliances-not-wars.md 
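Review bot: In tip-small-actions-matter.md, the first section heading says "Small actions cumulate over time, and with numbers" while the highlighted sentence under it says the contributions "will culminate over time"; these are two different verbs and neither is quite the one the paragraph argues for. "Accumulate" in both places would match the point being made. Two smaller wording fixes in the same file: the front-matter description "even small action matters" should agree in number ("even small actions matter"), and the heading "Divide your big ideas in small bites" reads better as "into small bites".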
@@ -0,0 +1,133 @@ +--- +title: Start Alliances, Not Wars +description: People in the privacy community can have different views that can create conflicts at times. For our community to thrive, we must start alliances, not wars. +icon: fontawesome/solid/handshake-angle +cover: activism/banner-toolbox-tip-alliances.webp +--- + +The privacy community consists of a patchwork of individuals, activists, organizations, and businesses that sometimes hold quite different views. These divergences can create conflict and friction at times. + +While reporting falseness and abuse is important, when other differences lead to infighting, gossiping, competitive dunking, and organizations attacking others, we need to pause and ask how these internal wars are negatively impacting the community as a whole, both internally and from an outsider's perspective. + +For our community to thrive and slowly build a movement, **we need more alliances, not wars**. + +Here's how you can nurture alliances, instead of fueling conflicts: + +## Acknowledge that you cannot win this battle alone, neither as a person nor as a single organization + +To fight for privacy rights in this hostile environment, **we need to create a movement**. Effective movements grow from collaboration, not from competition. ==You cannot do it alone.== + +Attacks on digital rights have increased exponentially in the past few years. Not one organization, and certainly not one person, can solve these complex issues on their own. Not even the most prominent ones. + +Despite our differences and diverse points of view, we are all in this together. If we want to have a chance to succeed in making privacy a valued and respected human right, we must learn to support and uplift each other as a community. We must split up the tasks and learn to work together, even if it's only for sporadic actions. + +When people and organizations sharing the same values come together, this builds a movement. 
And a movement is what is needed to push back against the countless attacks against privacy rights. + +## Reject competition, embrace collaboration + +Sadly, it's quite common in the privacy community to see privacy-focused businesses and organizations publicly dunking on each other instead of collaborating. + +Perhaps some businesses and organizations think they are competing for the same scarce privacy-minded customers or donors. But this is a narrow vision that doesn't represent the bigger picture. + +The digital privacy rights movement is in its infancy. + +There are in fact many more potential customers and potential donors, more than enough for every current organizations and privacy-oriented businesses on the planet. The part that is scarce is people who understand why protecting their right to privacy is important, and how to do it. + +By promoting privacy rights _together_, we all participate in growing a movement where more and more people become aware of these issues, and will be interested in taking part in the solutions. + +Competition, and especially when this competition leads to businesses and organizations badmouthing each other, ends up damaging the whole movement, therefore impacting negatively all of our goals. + +Additionally, tearing down perceived competitors sharing your values isn't a good look for you. It's draining for people already in the community, and often repulsive to potential new people on the outside. ==This behavior often results in pushing away newcomers== that were initially interested in joining our movement. This is bad for your competitors, sure, but it's _also_ bad for _you_. + +Newcomers get confused when they receive competing new information. Confusion leads to _inertia_, and inertia in the current Big Tech ecosystem means staying with Gmail instead of moving to Tuta or Proton mail, or any other privacy-focused email services. This is a bad outcome for _all_ of us. 
+ +_None_ of us win if people stop listening and stay with Big Tech, because we are too busy fighting each other. Instead of damaging the movement with infighting, combat inertia and build alliances with each other. + +## How to start alliances + +Here are a few ideas to start building alliances within the privacy community: + +- **Keep a list** of organizations and other privacy activists sharing your values. Mastodon's [list feature](https://fedi.tips/how-to-use-the-lists-feature-on-mastodon/) can be very helpful to build a social network feed for this. Using an [RSS feed reader](../../news-aggregators.md) is another great way to do this. + +- **Get familiar** with what your allies are working on. Think about ways their mission might be compatible with yours. + +- **Reach out** to your allies and [amplify their voices](tip-lift-your-allies-up.md) whenever you can. Boost them up! 📣 + +- **Participate** in local events where you might be able to meet allies in-person, if this is something you can afford and do safely. + +- **Organize** a campaign and invite value-compatible organizations and people to join your action. Try asking for support that doesn't require too many resources on their part at first. As you build a trust relationship with your allies, you might want to increase your level of collaboration. + +- When a new privacy rights issue arises in the news, **reach out** to your allies and see how you could coordinate an action together, to make it more powerful. [Joint statements](https://museumofprotest.org/methods/signed-public-statements/) signed by multiple organizations and specialists can be an effective way to sway public opinion, bring an issue to the attention of the media, and get governments to listen. + +- Ask your trusted allies about ways you could **collaborate** together. Think about how you could exchange or share resources to make both of your work stronger with partnerships. 
+ +## How to stop wars + +Here are a few ways that might help to reduce the impact of infighting within the privacy community: + +- **Do not badmouth** your competitors. This is a bad look for you, and has a negative impact on the whole community as well. + +- **Do not engage** when people or organizations are dunking on each other on social platforms. Disengage and do not feed the fire. + +- When trying to advertise your products or organizations, **focus on what you have** to offer that is beneficial and unique, instead of using comparison with your perceived competitors. Make sure to describe what you have to offer in simple terms, so that it's accessible to newcomers. + +- **Be a part** of the privacy rights movement. Participate in promoting privacy rights for everyone, even if that means some people might buy another company's services, or donate to another organization. + +- **Position yourself** as a mature leader in the movement who is above petty infighting. Instead, focus your energy on generously sharing resources for the cause, and promoting our shared values. Become a valued member of the privacy rights community. + +## Examples of digital rights alliances and coalitions + + + +
+ +- **Campaign:** [**Bad Internet Bills (2025)**](https://www.badinternetbills.com/) + + **Host:** [Fight for The Future](https://www.fightforthefuture.org/)
+ **Participants:** ACLU, Defending Rights & Dissent, EFF, National Coalition Against Censorship, and more. + +
+ +- **Campaign:** [**Stop Scanning Me (2022)**](https://stopscanningme.eu) + + **Host:** [EDRi](https://edri.org/)
+ **Participants:** ApTI, Bits of Freedom, Chaos Computer Club, Digital Courage, EFF, Epicenter Works, Internet Society, La Quadrature du Net, and more. + +
+

Coalition donation page example

+ + EDRi's _Stop Scanning Me_ coalition provides a great example of collaboration with a [donation page](https://stopscanningme.eu/en/donate.html) listing all the coalition members with their countries of origin, and linking to external donation pages. EDRi humbly listed their own donation link at the bottom. We need more strong coalitions like this. + +

+ +- **Campaign:** [**The Nameless Coalition (2015)**](https://act.eff.org/action/dear-facebook-authentic-names-are-authentically-dangerous-for-your-users) + + **Host:** [EFF](https://www.eff.org/)
+ **Participants:** Access, ACLU, Article 19, Center for Democracy and Technology, Human Rights Watch, OpenMedia, Transgender Law Center, and more. + +
+ +- **Campaign:** [**Protect Our Privacy Coalition (2013)**](https://openmedia.org/press/item/more-30-organizations-unite-safeguard-canadians-privacy-rights-amid-spy-agency-scandal) + + **Host:** [OpenMedia](https://openmedia.org/)
+ **Participants:** Amnesty International, BC CLA, Canadian Civil Liberties Association, EFF, FIPA, GreenPeace, Lead Now, and more. + +
+ +## More resources + +- [Coalition building: Start here (_The Commons Social Change Library_)](https://commonslibrary.org/coalition-building-start-here/) + +- [How to build a new coalition (_Activist Handbook_)](https://activisthandbook.org/organising/coalition-building/starting) + +- [How to develop nonprofit relationships to expand and scale (_Nonprofit Learning Lab_)](https://www.nonprofitlearninglab.org/post/how-to-develop-nonprofit-relationships) + +- [Templates, worksheets, and checklists for changemakers (_The Commons Social Change Library_)](https://commonslibrary.org/templates-worksheets-checklists-for-changemakers/) diff --git a/i18n/fi/activism/toolbox/tip-stay-true-to-your-principles.md b/i18n/fi/activism/toolbox/tip-stay-true-to-your-principles.md new file mode 100644 index 00000000..43bff8c0 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-stay-true-to-your-principles.md 
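Review bot: In tip-start-alliances-not-wars.md, the first section states that "Attacks on digital rights have increased exponentially in the past few years" with no source. Either link a reference that supports the claim or soften it to something like "have increased sharply", since the rest of the page asks readers to build credibility with newcomers. In the "Reject competition" section, "more than enough for every current organizations and privacy-oriented businesses" has a number mismatch ("for all current organizations and privacy-oriented businesses"), and "Proton mail" should be capitalized as the product name "Proton Mail" to match "Tuta" beside it.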
@@ -0,0 +1,70 @@ +--- +title: Stay True to Your Principles +description: If you manage a digital rights group, it's important to make sure you aren't subjecting your contributors to the privacy-invasive tech you're fighting against. +icon: fontawesome/solid/star +cover: activism/banner-toolbox-tip-principles.webp +--- + +If you manage a digital rights group, meetup, chat room, event, or organization even, make sure you aren't subjecting your members and contributors to the very privacy-invasive tech you're fighting against. Sadly, it's not rare to see organizations and communities that aren't following their own privacy advice for internal practices. + +Here's why it's important to **stay true to your principles** and lead by example: + +## Be the groups and organizations you want to see in the world + +As a leader in your digital rights community, it's critical to set an example and apply your privacy advice internally as well. + +Sometimes, it's easy to just use the most popular tool and forget privacy best practices when we're in a rush. But the importance of maintaining integrity by applying _internally_ the principles we promote externally shouldn't be downplayed. + +Staying true to your privacy values internally has many benefits: + +- [x] It significantly increases your credibility while telling others what tools and practices they should adopt when you are following the same advice yourself. + +- [x] It supports the privacy-enhancing tools and projects you would like to see prosper. + +- [x] It demonstrates that it is possible to manage a group or organization using privacy-focused services, practices, and partners. It makes you set a positive example. + +- [x] It builds your reputation as someone who knows what they are talking about. + +- [x] It gives you valuable insight to understand better your own recommendations, and their potential downsides. 
You will be better equipped to answer questions about how to deal with the disadvantages of some privacy-preserving tools and practices if you have adopted them yourself internally. + +- [x] It makes your group or organization more attractive to recruit new qualified members or employees. Most privacy experts and advocates are in this field because they deeply care about privacy rights. By adopting good practices internally, you will show them that you are trustworthy, know what you're talking about, and will respect their own data if they work with you. + +- [x] It normalizes the use of privacy-preserving technologies and privacy-respectful practices with your members, contributors, and employees, as well as with any external observers. + +## How to stay true to your principles + +There are many things you can do to stay true to your principles, both in your own personal life and in your privacy advocacy work. + +Here are a few examples of practices and good habits you might want to adopt: + +- [x] Make sure to [inform yourself about the privacy laws](tip-know-your-privacy-laws.md) you have to comply with in your work, and go above and beyond to respect them carefully. + +- [x] Create a [Code of Ethics](https://www.wikihow.com/Develop-a-Code-of-Ethics) for your group or organization, and ensure it includes a special emphasis on enforcing your privacy values. + +- [x] Build protocols to minimize data _collection_ and maximize data _protection_ when collecting data internally (e.g. from employees), and externally (e.g. from subscribers). Verify that your protocols are thoroughly followed by everyone in your group or organization. + +- [x] Educate the members and contributors of your group or team. Make sure that everyone understands well your values, your Code of Ethics, and applies your established protocols. + +- [x] Pick your vendors carefully. 
[Research](https://www.privacyguides.org/articles/2025/09/03/red-and-green-privacy-flags/) each third-party software you use, to select the most privacy-preserving option available. + +- [x] Whenever relevant, request [Service-Level Agreements](https://en.wikipedia.org/wiki/Service-level_agreement) (SLA) from your service providers, to ensure you have a legally binding contract they have to comply with to respect your own terms of service. + +- [x] Reject any offers for partnership or sponsorship from third-parties that have not been properly vetted for being trustworthy and sharing your privacy values, or who might only have profit and advertising in mind. + +- [x] Keep your promises. As a privacy advocate, group, or organization, your reputation is the most valuable thing you have. ==If people cannot trust your integrity, they will not trust any of your advice either.== If you promise to never accept sponsorship from certain Big Tech companies, then make sure you are ready to hold this promise. If you promise to never accept venture-capital money for your privacy-preserving app, then keep your word and be ready to reject even attractive offers. + +## Integrity is essential to build our movement + +Staying true to our principles can be challenging at time. Nonetheless, when we are talking about privacy rights, we are also talking a lot about _trust_. Without integrity, there cannot be any trust. + +Maintaining integrity with leading by example and keeping our promises is therefore essential to our fight for privacy rights. It's also fundamental to build our community, and to grow our movement with alliances. + +Become a respected privacy-ally others in the community are eager to work with, by staying true to your principles, always. 
+ +## More resources + +- [The complete guide to writing a Code of Ethics (_WikiHow_)](https://www.wikihow.com/Develop-a-Code-of-Ethics) + +- [Privacy washing is a dirty business (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/08/20/privacy-washing-is-a-dirty-business/) + +- [Policy and procedure templates for non-profit organizations (_The Commons Social Change Library_)](https://commonslibrary.org/policy-bank-policy-and-procedure-templates-for-not-for-profit-organisations/) diff --git a/i18n/fi/activism/toolbox/tip-support-your-privacy-comrades.md b/i18n/fi/activism/toolbox/tip-support-your-privacy-comrades.md new file mode 100644 index 00000000..f95ec860 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-support-your-privacy-comrades.md 
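Review bot: In tip-stay-true-to-your-principles.md, the vendor bullet recommends requesting a Service-Level Agreement "to ensure you have a legally binding contract they have to comply with to respect your own terms of service". An SLA normally fixes service metrics such as availability and response times, not how a provider handles personal data. For the privacy goal this list describes, the usual instrument is a data processing agreement, so the bullet should name that alongside or instead of the SLA. The term should be spelled out, since "DPA" is used elsewhere in this toolbox for Data Protection Authority. Minor wording: "can be challenging at time" should be "at times", and "or organization even" in the opening paragraph reads better as "or even an organization".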
@@ -0,0 +1,60 @@ +--- +title: Support Your Privacy Comrades +description: Fighting for privacy rights is a collective endeavor. This battle can be difficult and isolating at time. That's why it's critical to care for each other. +icon: fontawesome/solid/hand-holding-heart +cover: activism/banner-toolbox-tip-support.webp +--- + +Fighting for better privacy rights, privacy tools, and privacy practices is a collective endeavor. You cannot do it alone. Anyone around you contributing is fighting the same battle by your side. This battle _can_ be difficult and isolating at times. That's why it's critical to care for each other. + +Here are things you can do to **support your privacy comrades**: + +## Fighting for privacy rights can be isolating in unique ways + +We live in a world of social connections. Regrettably, when we moved these connections online, we also gave power to large corporations to monitor and monetize our social relationships and communications. + +Many privacy advocates will choose, rightly so, to completely [leave](tip-migrate-outside-the-surveillance-ecosystem.md) those abusive platforms. Sadly, a side effect of this is often severed relationships with loved ones, who refuse to join us on better, privacy-respectful environments. It's unfortunately common to lose friends when we quit Facebook, or refuse to join a Discord server. Taking a stand for our privacy values can come at the cost of some painful social losses. + +Moreover, fighting to protect privacy rights while reading about attacks on those rights every day in the news can be draining. + +Most advocates have experienced moments of great discouragement, and feelings of helplessness while facing the magnitude of the task at hand. ==Social support is a matter of survival== to recharge and continue this long battle for human rights. + +This is why we must work to rebuild communities of our own. 
Supportive privacy communities that are [kind](tip-be-kind-to-people-but-be-relentless-with-institutions.md), [inclusive](tip-keep-your-posts-and-community-inclusive.md), and [accessible](tip-be-mindful-of-accessibility.md). + +## Stay vigilant to spot signs of distress and fatigue + +Whether you are participating in a [privacy-oriented forum](https://discuss.privacyguides.net/) or reading posts and replies of your privacy comrades on social media, pay attention to potential signs of distress. + +Some people will periodically take time off from the internet to rest, which can be very healthy at time. But others might isolate from fatigue and discouragement. Keep your eyes open, and try to develop your compassion whenever you read comments that could be a clue someone is at the end of their rope, and in need of support. + +## Help whenever you can + +Here are a few things you can do to support your privacy comrades in times of need: + +- [x] Work on strengthening your empathy skills, and demonstrate more compassion. This is a superpower to take care of your community. + +- [x] Tell them you understand this is difficult, and that you are here to help if they need support. + +- [x] Ask if they would like to talk more about their difficulties in private. + +- [x] Offer your time to talk with them on a privacy-respectful chat, audio, or video call, if this is something you are comfortable doing. + +- [x] Invite them to join your community or group of like-minded people, if you think they might be a good fit. + +- [x] Organize a group or event to socialize with your privacy comrades regularly, offline or online, in a privacy-respectful way. + +- [x] Depending on circumstances (and only if they might be open to it), refer them to a helpful resource in private. However, be careful not to fall into [the advice trap](https://www.psychologytoday.com/us/blog/the-questionologist/202103/how-guide-people-without-giving-advice), unless they specifically asked for advice. 
+ +- [x] Stay kind and do not take it personally if they refuse your help or disagree with your [_solicited_ advice](https://www.verywellmind.com/whats-behind-different-types-of-unsolicited-advice-3144961). Let them know the door is always open to reach out to you whenever they might need help later. + +## More resources + +- [_Privacy Guides_ Forum](https://discuss.privacyguides.net/) + +- [What is empathy, and tips for strengthening your empathy skills (_Verywell Mind_)](https://www.verywellmind.com/what-is-empathy-2795562) + +- [How to guide people without giving advice (_Psychology Today_)](https://www.psychologytoday.com/us/blog/the-questionologist/202103/how-guide-people-without-giving-advice) + +- [Take care and prevent an activist burnout (_Activist Handbook_)](https://activisthandbook.org/wellbeing) + +- [Build communities on privacy-respectful social networks, and invite your privacy comrades to join you there (_Privacy Guides_)](tip-improve-your-social-media-and-build-resilient-communities.md) diff --git a/i18n/fi/activism/toolbox/tip-take-time-to-rest.md b/i18n/fi/activism/toolbox/tip-take-time-to-rest.md new file mode 100644 index 00000000..3a2bb938 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-take-time-to-rest.md 
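Review bot: In tip-support-your-privacy-comrades.md, the front-matter description says "difficult and isolating at time" while the opening paragraph has the correct "isolating at times"; the description is what shows up in previews, so it should be fixed to match. The same slip appears in "which can be very healthy at time" in the section on spotting signs of distress. In the last checklist item, the link text "_solicited_ advice" points to an article whose URL is about unsolicited advice. If the contrast is deliberate, a few words making that explicit would avoid it reading as a wrong link.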
@@ -0,0 +1,103 @@ +--- +title: Take Time to Rest, But Come Back to Fight With Us +description: The battle for privacy will be a long one. This isn't a sprint, it's a marathon. If you want to be a good advocate, you must learn to rest when you need it. +icon: fontawesome/solid/battery-quarter +cover: activism/banner-toolbox-tip-rest.webp +--- + +The battle for privacy rights will be a long one. This isn't a sprint, it's a marathon. + +If you want to be a good advocate, who will be able to fight with us for a long time, you _must_ take the time to **rest when needed**. + +Burning out isn't an option, we cannot afford to lose your precious contribution! And to prevent burning out, you must learn how to rest. + +When you are starting to feel the activist and dystopia-fighter fatigue, it's important to take the time off you need until you feel rested. Then, come back to the battlefield to fight with us again! + +Here's why it's fundamental to learn how to rest when you need it: + +## Knowing when to rest is a strength, not a weakness + +We have some bad news for you: **You are a human.** + +This has many annoying side effects, such as having limited energy and a flesh-and-bone body you need to take care of. Trying to ignore this undeniable fact will only slow you down even more. + +In our society's hustle culture, it's counterproductive that we often value overwork more than strategic rest. + +The thing is, overwork isn't a sustainable strategy for the long battle ahead of us. ==What we need to succeed is privacy activists who will fight by our side for a very long time.== We need endurance and persistence. And for this to happen, we need ourselves and our [privacy comrades](tip-support-your-privacy-comrades.md) to be well-rested, by taking pauses and adopting the strategies we all need to recharge. 
+ +We need our movement to stay away from the often toxic hustle culture we have all observed from Big Tech companies, and instead embrace a culture of mutual support that encourages self-care. + +We shouldn't try to imitate our opponents by "[moving fast and breaking things](https://www.privacyguides.org/articles/2022/04/04/move-fast-and-break-things/)." + +We need to move at a _sustainable_ pace, and build a powerful privacy rights movement that will last. + +The important part isn't to fight for privacy rights 24/7. What matters most is that once you are well-rested after taking some time off, you come back to the battlefield to fight with us again. + +
+

Successful social change activists learn to be the tortoise rather than the hare. Looking after yourself and your family is important.

+ +

Source: [*The Activists' Handbook* by Aidan Ricketts](https://aidanricketts.com/the-activists-handbook/)

+ +
+ +## Tips to help prevent privacy activism burnout + +Unfortunately, activism burnout is quite common. And, in the privacy field, this is amplified by the well-documented effect of [privacy fatigue](https://www.sciencedirect.com/science/article/abs/pii/S0747563217306817). + +Additionally, the fact that we have to incessantly push against a tidal wave of new privacy-invasive legislations and technologies is understandingly exhausting. But we can adopt many strategies to prevent activism burnout, minimize privacy fatigue, and learn how to rest and valorize self-care as an essential part of our work: + + + +
+ +- **Take breaks:** When you start feeling completely discouraged about the state of privacy rights in the world, it's time for a break. Take a few days off if you can, and try to enjoy activities that have nothing to do with your privacy advocacy. + +- **Take care of your body:** Make sure not to neglect your bodily needs, this should always be a priority. Your body and your brain are the most essential tools you have for your privacy advocacy work. Take care of them first and foremost. + +- **Sleep well:** Prioritize quality sleep and adopt a rigorous [sleep routine](https://sleepresearchfoundation.com/2024/03/03/top-10-tips-to-create-an-ideal-sleep-routine/) with a strict schedule. + +- **Keep bedtime calm:** Try to avoid reading about stressful privacy news or exciting privacy technologies close to bedtime. This can all wait for you tomorrow. + +- **Separate devices:** If you can afford it, use separate devices for your personal usage and your privacy activism work. This can help keeping a mental barrier between personal and professional, and limiting the "always-on" privacy-advocate mode. + +- **Find friends:** Find a [community of peers](https://discuss.privacyguides.net/) you can talk to. Exchange resources and seek support from your community. Remember that you aren't alone in this battle. + +- **Split the work:** Delegate tasks to privacy comrades. Seek allies and [alliances](tip-start-alliances-not-wars.md). Reach out for help, and don't take all the responsibilities of your projects on your own shoulders. Build a team, and learn to trust others with the work. + +- **Celebrate!** Take the time to celebrate each victory, no matter how small. Celebrate with your peers too, and never miss an opportunity to [congratulate](tip-give-credit-where-credit-is-due.md) everyone's hard work. + +- **Take vacations:** Plan longer breaks through the year with activities that will have nothing to do with your privacy advocacy work. 
Make sure they are long enough that you have time to even miss the privacy battlefield, and come back eagerly once you are fully rested. + +- **Plan your (temporary) replacement:** If you are in a leadership position, make sure there is a system in place to take over your responsibilities fully when you need time off. You shouldn't be indispensable for your projects to keep going in the short term, and you should have the same access to time off as the rest of your team. As a leader, it's important to valorize rest for your team, leading by example. Rest is essential for you too. + +- **Keep hope with long-term objectives:** If you feel discouraged by the current state of privacy rights, try to keep in mind the bigger picture. We will lose many fights on the journey to improvement. This is to be expected. But all the work we do matters, including the fights we lose. Try to focus on the movement as a whole, and on advancing privacy rights even just a little in our lifetime. See defeats as opportunities to learn from for the next stronger and better-organized battle. + +- **Call for help:** If you feel like you are at the end of your rope and might be experiencing symptoms of [burnout](https://www.webmd.com/mental-health/burnout-symptoms-signs), seek professional help to support you. + +- **Support others:** Don't forget to [support your privacy comrades](tip-support-your-privacy-comrades.md) when you feel well-enough yourself, to prevent exhaustion as a community. + +
+ +## More resources + +- [Find a community of privacy comrades (_Privacy Guides_ forum)](https://discuss.privacyguides.net/) + +- [Privacy is like broccoli, take it one step at the time (_Privacy Guides_)](https://www.privacyguides.org/articles/2025/07/24/privacy-is-like-broccoli/) + +- [Personal sustainability for activists (_The Commons Social Change Library_)](https://commonslibrary.org/personal-sustainability-for-activists/) + +- [The role of privacy fatigue in online privacy behavior (_ScienceDirect_)](https://www.sciencedirect.com/science/article/abs/pii/S0747563217306817) + +- [What can be done about activist burnout? (_Sharon Nepstad_ YouTube video)](https://www.youtube.com/watch?v=BNm2ar3dEug) + +- [How to avoid activist burnout (_Change Atelier_)](https://www.changeatelier.org/blog/how-to-avoid-activist-burnout) + +- [Strategies to prevent activist burnout (_The Art of Living_)](https://www.newsletter.samuel-warde.com/p/strategies-to-prevent-activist-burnout) diff --git a/i18n/fi/activism/toolbox/tip-value-allies-with-complementary-expertise.md b/i18n/fi/activism/toolbox/tip-value-allies-with-complementary-expertise.md new file mode 100644 index 00000000..66a6d2b9 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-value-allies-with-complementary-expertise.md 
@@ -0,0 +1,52 @@ +--- +title: Value Allies with Complementary Expertise +description: In privacy like everywhere else, diversity is a strength. If you want your community to have a broad set of skills, you need to value a diversity of expertises. +icon: fontawesome/solid/circle-half-stroke +cover: activism/banner-toolbox-tip-complement.webp +--- + +In privacy, like in other areas of life, **diversity is an incredible strength**. If you want your community to have a broad understanding of threat models, and be able to address issues on multiple levels, you need to value a diversity of expertises. + +Gathering people with a wide range of skills and experiences in your community is critical to effective work. People with different skill sets and lived experiences will together be able to reach out to a broader audience, and provide much more accurate and useful advice covering a variety of situations. + +Here's how to recognize, respect, and retain experts with skills that are different to your own: + +## Recognize people with different skills + +Privacy is a vast multidisciplinary field. It doesn't just encompass the privacy technologies we use to protect our data, but also the laws that determine the legality of the tools and practices we use. Furthermore, the culture plays an essential role in our fight for better rights, despite being often a neglected aspect of privacy. + +Being an expert in privacy can mean so many things. No two specialists have the same knowledge. + +Whatever your own privacy expertise might be, make sure to always stay aware of the [bigger picture](tip-keep-in-mind-the-whole-landscape.md), and recognize that other privacy specialists might have knowledge entirely different from yours. Your knowledge might intersect, or you might not share any at all. + +This doesn't mean they are any less valuable. On the contrary, this ==diversity of knowledge gives us the best chance to succeed== in our common cause. 
+ +## Respect people with different knowledge + +It's easy to fall in the trap of staying with our own group of peers who share the same knowledge as ours and discard the others. Unfortunately, this attitude is detrimental to our movement. + +As a privacy activist, it's essential to **develop respect** for privacy advocates who specialize in privacy-related knowledge other than your own. You need them to fight _with_ you, and they need you to fight with them. + +Pay attention to the people in your groups that might be pushed aside because their area of expertise is different from the majority that are present. Try to make them feel respected and included in your groups and communities. Engage with them positively when they contribute, even if you don't understand their specialty. + +If you specialize in technical tools, value people with legal and social knowledge and be public about your respect for these specialties. Conversely, if you are a privacy lawyer, bring technical or cultural experts to your groups, and value their roles working for our common cause. + +## Retain specialists that are different + +**Inclusivity is key** to retaining newcomers in your groups and communities. People who are new or different from the majority of the group should feel welcome and valued. + +Work on developing your awareness of these dynamics in your groups. Try to improve your empathy skills, and [support better your privacy comrades](tip-support-your-privacy-comrades.md), especially those who might be different from the majority because of their expertise, demographic, or location. Reach out to them in private to make them feel welcome. Praise them publicly when they contribute in a way you like. [Give credit where credit is due](tip-give-credit-where-credit-is-due.md). + +If you organize an event or hire people, make sure to fairly compensate all your contributors. 
Pay special attention to make sure people with different expertises or demographics aren't always the ones who have to work as volunteers. + +Inclusivity, empathy, support, acknowledging successes publicly, and fair compensation are all tools that will help you retain diverse specialists with expertises that are complementary to yours in your communities. + +This is something that is _incredibly_ valuable in our fight for privacy rights, together. + +## More resources + +- [The psychology of activism and movement longevity (_Museum of Protest_)](https://museumofprotest.org/guides/guide-the-psychology-of-activism-and-movement-longevity/) + +- [Is your team using its biggest resource (_Social Science Space_)](https://www.socialsciencespace.com/2013/07/is-your-team-using-its-biggest-resource/) + +- [How to make people feel valued on projects (_PM Today_)](https://www.pmtoday.co.uk/how-to-make-people-feel-valued-on-projects/) diff --git a/i18n/fi/activism/toolbox/tip-welcome-beginners.md b/i18n/fi/activism/toolbox/tip-welcome-beginners.md new file mode 100644 index 00000000..1410ce77 --- /dev/null +++ b/i18n/fi/activism/toolbox/tip-welcome-beginners.md 
@@ -0,0 +1,54 @@ +--- +title: Welcome Beginners +description: For our privacy rights movement to grow, we must bring more people in. To accomplish this, it's fundamental to make our communities welcoming to newcomers. +icon: fontawesome/solid/user-plus +cover: activism/banner-toolbox-tip-beginners.webp +--- + +For our privacy rights movement to grow, we must **bring more people in**. To accomplish this, it's fundamental to discuss privacy in ways that are accessible to newcomers who aren't familiar with the basic concepts yet. + +Here's how you can improve your advocacy work to make it more approachable to beginners: + +## We cannot grow our movement without newcomers + +Beginners and newcomers are _indispensable_ to our privacy rights movement. Without them, we cannot grow. And without growth, we cannot win. + +To attract new people to our communities and our cause, we need to create an environment that is welcoming, safe, and pleasant to be in. When newcomers face rudeness and criticism, they leave. And when they leave, we lose. + +Kindness, patience, and compassion are the first steps to attract and retain newcomers. Then, knowledge accessibility is vital. There are many things you can do in your daily advocacy to help with this. + +## What to keep in mind to make beginners feel welcomed + + + +
+ +- **Beware of acronyms:** Do not assume that everyone knows the acronyms you use in your material, even the most common such as VPN (Virtual Private Network). Always make sure to write the whole expression at least once before carrying on with the acronym's letters only. + +- **Explain technologies:** As for acronyms, don't assume that everyone has the same knowledge as you when it comes to technology, even the technologies that seem basic to you. Perhaps you have been in tech for so long that you have forgotten not everyone knows what an Operating System (OS) is. Nevertheless, make sure to provide a short explanation or example to keep your content welcoming to beginners. If you talk about Operating Systems, perhaps also add "such as macOS, Windows, or Linux" to add context that could make your point more accessible. + +- **Start with the basics:** Depending on the context, do not neglect to discuss the most basic privacy concepts before jumping in the juicy tech. Fundamental ideas such as consent, data collection, data storage, or encryption are important to master in order to understand the benefits and dangers related to data privacy. Specific tech and services come and go, but _fundamental_ ideas remain. Anyone who comprehends these core concepts will have a much easier time understanding all that follows. + +- **No stupid questions:** There are no stupid questions, only impatient answerers. Whenever a beginner asks a question that seems obvious to you, refrain from replying with something dry or snarky such as "Google it," or its privacy-equivalent "DuckDuckGo it." This only has the effect of chasing people away from our community. If you don't feel like helping, just reply nothing. But if you do want to help, try to find an answer for them. If you are in a rush, something like "Hey! Sorry I don't have the answer, but maybe this [resource](../../basics/why-privacy-matters.md) might be helpful to you!" 
or "Sorry I'm not sure, but perhaps asking on this [forum](https://discuss.privacyguides.net/) might get you an answer." + +- **Stay patient and compassionate:** Always stay patient with beginners and newcomers (and everyone else, actually). To keep people fighting with us and grow our movement, we cannot afford to lose anyone just because we felt angry that day. Develop your [empathy skills](tip-support-your-privacy-comrades.md) to provide support and reply with compassion. People stay where they feel safe and welcomed. ==Make them feel safe and welcomed.== + +- **Do not confound lack of knowledge with lack of intelligence:** Everyone has a different set of knowledge. Lack of knowledge doesn't mean someone isn't intelligent, it just means they haven't come in contact with this area of knowledge yet. They probably know a lot of things you don't know at all. Be careful not to sound patronizing when communicating with newcomers (or anyone else really). This is a behavior sadly too common in the privacy community, and we all need to work on this to create an environment that is more welcoming and enjoyable for everyone. + +
+ +## More resources + +- [Building a community for beginners (_Jennifer Konikowski_)](https://www.jenniferkonikowski.com/blog/2017/2/10/building-a-community-for-beginners) + +- [Creating a welcoming space for beginners (_Raquel Moss_)](https://www.raquelmoss.com/creating-a-welcoming-space-for-beginners/) + +- [Bring kindness back to open source (_Scott Hanselman_)](https://www.hanselman.com/blog/bring-kindness-back-to-open-source) diff --git a/i18n/fi/advanced/communication-network-types.md b/i18n/fi/advanced/communication-network-types.md new file mode 100644 index 00000000..2f01e906 --- /dev/null +++ b/i18n/fi/advanced/communication-network-types.md 
@@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} [:material-movie-open-play-outline: Video: It's time to stop using SMS](https://www.privacyguides.org/videos/2025/01/24/its-time-to-stop-using-sms-heres-why ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). 
This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server, or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. 
+- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over Wi-Fi or Bluetooth (for example, Briar or the [Scuttlebutt](https://scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. 
+ +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. 
[Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the host with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/fi/advanced/dns-overview.md b/i18n/fi/advanced/dns-overview.md new file mode 100644 index 00000000..9c92b6a1 --- /dev/null +++ b/i18n/fi/advanced/dns-overview.md 
@@ -0,0 +1,362 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phone book of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. 
This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, macOS, etc.) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyze](https://wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. 
| Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being [DNSCrypt](#dnscrypt), [DNS over TLS](#dns-over-tls-dot), and [DNS over HTTPS](#dns-over-https-doh). + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). 
Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS), as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484), packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +### Native Operating System Support + +#### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +#### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. 
If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). + +#### Linux + +`systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](../dns.md#dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyze the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake) that occurs with any encrypted connection. 
When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](../advanced/tor-overview.md) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. GitHub Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc.). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when an IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. 
We've added a filter with our IP address, so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello), which prevents this kind of leak. + +Governments, in particular [China](https://zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni) and [Russia](https://zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. 
Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. 
We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. 
It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences, or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0). + +## What is QNAME minimization? 
+ +A QNAME is a "qualified name", for example `discuss.privacyguides.net`. In the past, when resolving a domain name your DNS resolver would ask every server in the chain to provide any information it has about your full query. In this example below, your request to find the IP address for `discuss.privacyguides.net` gets asked of every DNS server provider: + +| Server | Question Asked | Response | +| ---------------------- | ------------------------------------------- | ------------------------------------------- | +| Root server | What's the IP of discuss.privacyguides.net? | I don't know, ask .net's server... | +| .net's server | What's the IP of discuss.privacyguides.net? | I don't know, ask Privacy Guides' server... | +| Privacy Guides' server | What's the IP of discuss.privacyguides.net? | 5.161.195.190! | + +With "QNAME minimization," your DNS resolver now only asks for just enough information to find the next server in the chain. In this example, the root server is only asked for enough information to find the appropriate nameserver for the .net TLD, and so on, without ever knowing the full domain you're trying to visit: + +| Server | Question Asked | Response | +| ---------------------- | ---------------------------------------------------- | --------------------------------- | +| Root server | What's the nameserver for .net? | *Provides .net's server* | +| .net's server | What's the nameserver for privacyguides.net? | *Provides Privacy Guides' server* | +| Privacy Guides' server | What's the nameserver for discuss.privacyguides.net? | This server! | +| Privacy Guides' server | What's the IP of discuss.privacyguides.net? | 5.161.195.190 | + +While this process can be slightly more inefficient, in this example neither the central root nameservers nor the TLD's nameservers ever receive information about your *full* query, thus reducing the amount of information being transmitted about your browsing habits. 
Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location, generally your IP network. For example, if your IP address is `198.51.100.32` the DNS provider might share `198.51.100.0/24` with the authoritative server. Some DNS providers anonymize this data by providing another IP address which is approximately near your location. + +If you have `dig` installed you can test whether your DNS provider gives EDNS information out to DNS nameservers with the following command: + +```bash +dig +nocmd -t txt o-o.myaddr.l.google.com +nocomments +noall +answer +stats +``` + +Note that this command will contact Google for the test, and return your IP as well as EDNS client subnet information. If you want to test another DNS resolver you can specify their IP, to test `9.9.9.11` for example: + +```bash +dig +nocmd @9.9.9.11 -t txt o-o.myaddr.l.google.com +nocomments +noall +answer +stats +``` + +If the results include a second edns0-client-subnet TXT record (like shown below), then your DNS server is passing along EDNS information. The IP or network shown after is the precise information which was shared with Google by your DNS provider. + +```text +o-o.myaddr.l.google.com. 
60 IN TXT "198.51.100.32" +o-o.myaddr.l.google.com. 60 IN TXT "edns0-client-subnet 198.51.100.0/24" +;; Query time: 64 msec +;; SERVER: 9.9.9.11#53(9.9.9.11) +;; WHEN: Wed Mar 13 10:23:08 CDT 2024 +;; MSG SIZE rcvd: 130 +``` diff --git a/i18n/fi/advanced/payments.md b/i18n/fi/advanced/payments.md new file mode 100644 index 00000000..bb9540ad --- /dev/null +++ b/i18n/fi/advanced/payments.md 
@@ -0,0 +1,97 @@ +--- +title: Private Payments +icon: material/hand-coin +description: Your buying habits are the holy grail of ad targeting, but you still have plenty of options when it comes to making payments privately. +--- + +Data about your buying habits is considered the holy grail of ad targeting: Your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangeable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Regulated exchanges, banks, and money services businesses must collect an ID for transactions exceeding $3,000. Cash contains serial numbers to assist law enforcement in targeted investigations. + +Despite the above, cash is typically the best option when available. + +## Prepaid Cards & Gift Cards + +You can easily purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout in an effort to reduce fraud. 
+ +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (e.g. from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards usually don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards are often sold at a discount, which make them attractive. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer high limits (with ID verification), but they usually allow basic, low-limit accounts with just an email address. Expect limits under $10,000 for basic accounts and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy (more on this below). Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. 
+ +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a transparent blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only purchase amounts which would not be disastrous to lose. + +
+

Danger

+ +The vast majority of cryptocurrencies operate on a **transparent** blockchain, meaning that every transaction's details are public knowledge. This includes most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + +Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. Transactions are irreversible and do not include any consumer protections. + +
+ +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#monero) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can trace (at least to some extent) Bitcoin Lightning Network and/or Monero transactions. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million to further develop tools to do so. Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins in their current form only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a transparent blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a transparent blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, this example requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical (even for enthusiasts) for many years. 
+ +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and self-custody wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Self-custody wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, self-custody wallets provide greater security and censorship resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces (platforms which facilitate trades between people) are one option, though the user experience typically suffers. If using an exchange which requires KYC is acceptable for you as long as subsequent transactions can't be traced, it's much easier to purchase Monero on a centralized exchange or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own self-custody wallet to use privately from that point forward. + +[Recommended places to buy Monero](../cryptocurrency.md#buying-monero ""){.md-button} + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. 
If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. + +
+

Important notices

+ +The content here is not legal or financial advice. We do not endorse or encourage illicit activities, and we do not endorse or encourage anything which violates a company's terms of service. Check with a professional to confirm that these recommendations are legal and available in your jurisdiction. [See all notices](../about/notices.md). + +
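Review bot: In the DNS hunk above (the one that ends with the EDNS Client Subnet section), the first capture command's filter `udp port 53 and host 1.1.1.1 or host 8.8.8.8` does not limit the 8.8.8.8 side to DNS. In pcap filter syntax `and` and `or` have equal precedence and group left to right, so it is read as `(udp port 53 and host 1.1.1.1) or host 8.8.8.8` and records all traffic to or from 8.8.8.8. Suggest quoting and grouping it with `-f`, as the later DoH and OCSP steps already do: `tshark -w /tmp/dns.pcap -f "udp port 53 and (host 1.1.1.1 or host 8.8.8.8)"`. Separately, step 6 of the OCSP walkthrough hard-codes `-url http://r3.o.lencr.org` even though step 4 prints the responder URI; say that the URL is taken from step 4's output so the command still works when the issuing intermediate changes.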
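Review bot: In the Cash section of payments.md, "The receiving business is required to ID verify the payee’s name, address, occupation, ..." names the wrong party: the business receiving the cash is the payee, and the person whose identity is checked is the one paying, so this should read "the payer’s name". The sentence before it also has a misplaced modifier ("cash payments over $10,000 to the IRS"); wording such as "cash payments over $10,000 must be reported to the IRS on Form 8300" avoids reading it as payments made to the IRS. Minor: "$5000" in the Acquisition section is formatted differently from "$10,000" and "$3,000" elsewhere in the file.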
diff --git a/i18n/fi/advanced/tor-overview.md b/i18n/fi/advanced/tor-overview.md new file mode 100644 index 00000000..89298ab4 --- /dev/null +++ b/i18n/fi/advanced/tor-overview.md 
@@ -0,0 +1,210 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +![Tor logo](../assets/img/self-contained-networks/tor.svg){ align=right } + +[**Tor**](../alternative-networks.md#tor) is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:material-movie-open-play-outline: Video: Why You Need Tor](https://www.privacyguides.org/videos/2025/03/02/why-you-need-tor ""){.md-button} + +Tor works by routing your internet traffic through volunteer-operated servers instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[:octicons-home-16:](https://torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org){ .card-link title=Documentation} +[:octicons-code-16:](https://gitlab.torproject.org/tpo/core/tor){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org){ .card-link title=Contribute } + +## Safely Connecting to Tor + +Before connecting to Tor, you should carefully consider what you're looking to accomplish by using Tor in the first place, and who you're trying to hide your network activity from. 
+ +If you live in a free country, are accessing mundane content via Tor, aren't worried about your ISP or local network administrators having the knowledge that you're using Tor, and want to help [destigmatize](https://2019.www.torproject.org/about/torusers.html.en) Tor usage, you can likely connect to Tor directly via standard means like [Tor Browser](../tor.md) without worry. + +If you have the ability to access a trusted VPN provider and **any** of the following are true, you almost certainly should connect to Tor through a VPN: + +- You already use a [trusted VPN provider](../vpn.md) +- Your threat model includes an adversary which is capable of extracting information from your ISP +- Your threat model includes your ISP itself as an adversary +- Your threat model includes local network administrators before your ISP as an adversary + +Because we already [generally recommend](../basics/vpn-overview.md) that the vast majority of people use a trusted VPN provider for a variety of reasons, the following recommendation about connecting to Tor via a VPN likely applies to you. There is no need to disable your VPN before connecting to Tor, as some online resources would lead you to believe. + +Connecting directly to Tor will make your connection stand out to any local network administrators or your ISP. Detecting and correlating this traffic [has been done](https://edition.cnn.com/2013/12/17/justice/massachusetts-harvard-hoax) in the past by network administrators to identify and deanonymize specific Tor users on their network. On the other hand, connecting to a VPN is almost always less suspicious, because commercial VPN providers are used by everyday consumers for a variety of mundane tasks like bypassing geo-restrictions, even in countries with heavy internet restrictions. + +Therefore, you should make an effort to hide your IP address **before** connecting to the Tor network. 
You can do this by simply connecting to a VPN (through a client installed on your computer) and then accessing [Tor](../tor.md) as normal (e.g., through Tor Browser). This creates a connection chain like so: + +- [x] You → VPN → Tor → Internet + +From your ISP's perspective, it looks like you're accessing a VPN normally (with the associated cover that provides you). From your VPN's perspective, they can see that you are connecting to the Tor network, but nothing about what websites you're accessing. From Tor's perspective, you're connecting normally, but in the unlikely event of some sort of Tor network compromise, only your VPN's IP would be exposed, and your VPN would *additionally* have to be compromised to deanonymize you. + +This is **not** censorship circumvention advice because if Tor is blocked entirely by your ISP, your VPN likely is as well. Rather, this recommendation aims to make your traffic blend in better with commonplace VPN user traffic, and provide you with some level of plausible deniability by obscuring the fact that you're connecting to Tor from your ISP. + +--- + +We **very strongly discourage** combining Tor with a VPN in any other manner. Do not configure your connection in a way which resembles any of the following: + +- You → Tor → VPN → Internet +- You → VPN → Tor → VPN → Internet +- Any other configuration + +Some VPN providers and other publications will occasionally recommend these **bad** configurations to evade Tor bans (i.e., exit nodes being blocked by websites) in some places. [Normally](https://support.torproject.org/#about_change-paths), Tor frequently changes your circuit path through the network. When you choose a permanent *destination* VPN (connecting to a VPN server *after* Tor), you're eliminating this advantage and drastically harming your anonymity. 
+ +Setting up bad configurations like these is difficult to do accidentally, because it usually involves either setting up custom proxy settings inside Tor Browser, or setting up custom proxy settings inside your VPN client which routes your VPN traffic through the Tor Browser. As long as you avoid these non-default configurations, you're probably fine. + +--- + +
+

VPN/SSH Fingerprinting

+ +The Tor Project [notes](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#vpnssh-fingerprinting) that *theoretically* using a VPN to hide Tor activities from your ISP may not be foolproof. VPNs have been found to be vulnerable to website traffic fingerprinting, where an adversary can still guess what website is being visited because all websites have specific traffic patterns. + +Therefore, it's not unreasonable to believe that encrypted Tor traffic hidden by a VPN could also be detected via similar methods. There are no research papers on this subject, and we still consider the benefits of using a VPN to far outweigh these risks, but it is something to keep in mind. + +If you still believe that pluggable transports (bridges) provide additional protection against website traffic fingerprinting that a VPN does not, you always have the option to use a bridge **and** a VPN in conjunction. + +
+ +Determining whether you should first use a VPN to connect to the Tor network will require some common sense and knowledge of your own government's and ISP's policies relating to what you're connecting to. To reiterate, though, you will be better off being seen as connecting to a commercial VPN network than directly to the Tor network in most cases. If VPN providers are censored in your area, then you can also consider using Tor pluggable transports (e.g., Snowflake or meek bridges) as an alternative, but using these bridges may arouse more suspicion than standard WireGuard/OpenVPN tunnels. + +## What Tor is Not + +The Tor network is not the perfect privacy protection tool in all cases and has a number of drawbacks which should be carefully considered. These things should not discourage you from using Tor if it is appropriate for your needs, but they are still things to think about when deciding which solution is most appropriate for you. + +### Tor is not a free VPN + +The release of the *Orbot* mobile app has lead many people to describe Tor as a "free VPN" for all of your device traffic. However, treating Tor like this poses some dangers compared to a typical VPN. + +Unlike Tor exit nodes, VPN providers are usually not *actively* [malicious](#caveats). Because Tor exit nodes can be created by anybody, they are hotspots for network logging and modification. In 2020, many Tor exit nodes were documented to be downgrading HTTPS traffic to HTTP in order to [hijack cryptocurrency transactions](https://therecord.media/thousands-of-tor-exit-nodes-attacked-cryptocurrency-users-over-the-past-year). Other exit node attacks such as replacing downloads via unencrypted channels with malware have also been observed. HTTPS does mitigate these threats to an extent. + +As we've alluded to already, Tor is also easily identifiable on the network. Unlike an actual VPN provider, using Tor will make you stick out as a person likely attempting to evade authorities. 
In a perfect world, Tor would be seen by network administrators and authorities as a tool with many uses (like how VPNs are viewed), but in reality the perception of Tor is still far less legitimate than the perception of commercial VPNs. As such, using a real VPN provides you with plausible deniability, e.g. "I was just using it to watch Netflix," etc. + +### Tor usage is not undetectable + +**Even if you use bridges and pluggable transports,** the Tor Project doesn't provide any tools to hide the fact that you are using Tor from your ISP. Even using obfuscated "pluggable transports" or non-public bridges do not hide the fact that you are using a private communications channel. The most popular pluggable transports like obfs4 (which obfuscates your traffic to "look like nothing") and meek (which uses domain fronting to camouflage your traffic) can be [detected](https://hackerfactor.com/blog/index.php?/archives/889-Tor-0day-Burning-Bridges.html) with fairly standard traffic analysis techniques. Snowflake has similar issues, and can be [easily detected](https://hackerfactor.com/blog/index.php?/archives/944-Tor-0day-Snowflake.html) *before* a Tor connection is even established. + +Pluggable transports other than these three do exist, but typically rely on security through obscurity to evade detection. They aren't impossible to detect—they are just used by so few people that it's not worth the effort building detectors for them. They shouldn't be relied upon if you specifically are being monitored. + +It is critical to understand the difference between bypassing censorship and evading detection. It is easier to accomplish the former because of the many real-world limitations on what network censors can realistically do en masse, but these techniques do not hide the fact that you—*specifically* you—are using Tor from an interested party monitoring your network. 
+ +### Tor Browser is not the most *secure* browser + +Anonymity can often be at odds with security: Tor's anonymity requires every user to be identical, which creates a monoculture (e.g., the same bugs are present across all Tor Browser users). As a cybersecurity rule of thumb, monocultures are generally regarded as bad: Security through diversity (which Tor lacks) provides natural segmentation by limiting vulnerabilities to smaller groups, and is therefore usually desirable, but this diversity is also less good for anonymity. + +Additionally, Tor Browser is based on Firefox's Extended Support Release builds, which only receives patches for vulnerabilities considered *Critical* and *High* (not *Medium* and *Low*). This means that attackers could (for example): + +1. Look for new Critical/High vulnerabilities in Firefox nightly or beta builds, then check if they are exploitable in Tor Browser (this vulnerability period can last weeks). +2. Chain *multiple* Medium/Low vulnerabilities together until they get the level of access they're looking for (this vulnerability period can last months or longer). + +Those at risk of browser vulnerabilities should consider additional protections to defend against Tor Browser exploits, such as using Whonix in [Qubes](../os/qubes-overview.md) to contain your Tor browsing in a secure virtual machine and protect against leaks. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before, however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: When the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: When the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: When the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Tor never protects you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can **modify** unencrypted traffic which passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be changed by a malicious exit node. **Never** download files from an unencrypted `http://` website over Tor, and ensure your browser is set to always upgrade HTTP traffic to HTTPS. +- Tor exit nodes can also monitor traffic that passes through them. Unencrypted traffic which contains personally identifiable information can deanonymize you to that exit node. Again, we recommend only using HTTPS over Tor. +- Powerful adversaries with the capability to passively watch *all* network traffic around the globe ("Global Passive Adversaries") are **not** something that Tor protects you against (and using Tor [with a VPN](#safely-connecting-to-tor) doesn't change this fact). +- Well-funded adversaries with the capability to passively watch *most* network traffic around the globe still have a *chance* of deanonymizing Tor users by means of advanced traffic analysis. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. 
+ +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +### Protections provided by bridges + +Tor bridges are commonly touted as an alternative method to hiding Tor usage from an ISP, instead of a VPN (as we suggest using if possible). Something to consider is that while bridges may provide adequate censorship circumvention, this is only a *transient* benefit. They do not adequately protect you from your ISP discovering you connected to Tor in the *past* with historical traffic log analysis. + +To illustrate this point, consider the following scenario: You connect to Tor via a bridge, and your ISP doesn’t detect it because they are not doing sophisticated analysis of your traffic, so things are working as intended. Now, 4 months go by, and the IP of your bridge has been made public. This is a very common occurrence with bridges; they are discovered and blocked relatively frequently, just not immediately. + +Your ISP wants to identify Tor users 4 months ago, and with their limited metadata logging they can see that you connected to an IP address which was later revealed to be a Tor bridge. You have virtually no other excuse to be making such a connection, so the ISP can say with very high confidence that you were a Tor user at that time. + +Contrast this with our recommended scenario, where you connect to Tor via a VPN. Say that 4 months later your ISP again wants to identify anybody who used Tor 4 months ago. Their logs almost certainly can identify your traffic 4 months ago, but all they would likely be able to see is that you connected to a VPN’s IP address. This is because most ISPs only retain metadata over long periods of time, not the full contents of the traffic you request. Storing the entirety of your traffic data would require a massive quantity of storage which nearly all threat actors wouldn't possess. 
+ +Because your ISP almost certainly is not capturing all packet-level data and storing it forever, they have no way of determining what you connected to with that VPN *after* the fact with an advanced technique like deep packet inspection, and therefore you have plausible deniability. + +Therefore, bridges provide the most benefit when circumventing internet censorship *in the moment*, but they are not an adequate substitute for **all** the benefits that using a VPN alongside Tor can provide. Again, this is not advice *against* using Tor bridges—you should just be aware of these limitations while making your decision. In some cases bridges may be the *only* option (if all VPN providers are blocked, for instance), so you can still use them in those circumstances with this limitation in mind. + +If you think that a bridge can aid in defending against fingerprinting or other advanced network analysis more than a VPN's encrypted tunnel already can, you always have the option to use a bridge in conjunction with a VPN as well. That way you are still protected by the pluggable transport's obfuscation techniques even if an adversary gains some level of visibility into your VPN tunnel. If you decide to go this route, we recommend connecting to an obfs4 bridge behind your VPN for optimal fingerprinting protection, rather than meek or Snowflake. + +It is [possible](https://discuss.privacyguides.net/t/clarify-tors-weaknesses-with-respect-to-observability/3676/16) that the [WebTunnel](https://forum.torproject.org/t/tor-relays-announcement-webtunnel-a-new-pluggable-transport-for-bridges-now-available-for-deployment/8180) pluggable transport currently being trialed may mitigate some of these concerns. We will continue to keep an eye on that technology as it develops. 
+ +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://youtube.com/watch?v=QRYzre4bf7I) (YouTube) +- [Tor Onion Services - Computerphile](https://youtube.com/watch?v=lVcbq_a5N9I) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2](https://support.torproject.org/tbb/tbb-2)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html#relay-flag)) diff --git a/i18n/fi/ai-chat.md b/i18n/fi/ai-chat.md new file mode 100644 index 00000000..056b7cda --- /dev/null +++ b/i18n/fi/ai-chat.md 
@@ -0,0 +1,198 @@ +--- +meta_title: "Recommended AI Chat: Private ChatGPT Alternatives - Privacy Guides" +title: "AI Chat" +icon: material/assistant +description: Unlike OpenAI's ChatGPT and its Big Tech competitors, these AI tools run locally so your data never leaves your desktop device. +cover: ai-chatbots.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal } +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } +- [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray } + +The use of **AI chat**, also known as Large Language Models (LLMs), has become increasingly common since the release of ChatGPT in 2022. LLMs can help us write better, understand unfamiliar subjects, or answer a wide range of questions. They work by statistically predicting the next word in their responses based on a vast amount of data scraped from the web. + +## Privacy Concerns About LLMs + +Data used to train AI models, however, includes a massive amount of publicly available data scraped from the web, which can include sensitive information like names and addresses. Cloud-based AI software often [collects your inputs](https://openai.com/policies/row-privacy-policy), meaning your chats are not private from them. This practice also introduces a risk of data breaches. Furthermore, there is a real possibility that an LLM will leak your private chat information in future conversations with other users. + +If you are concerned about these practices, you can either refuse to use AI, or use [truly open-source models](https://proton.me/blog/how-to-build-privacy-first-ai) which publicly release and allow you to inspect their training datasets. 
One such model is [OLMoE](https://allenai.org/blog/olmoe-an-open-small-and-state-of-the-art-mixture-of-experts-model-c258432d0514) made by [Ai2](https://allenai.org/open-data). + +Alternatively, you can run AI models locally so that your data never leaves your device and is therefore never shared with third parties. As such, local models are a more private and secure alternative to cloud-based solutions and allow you to share sensitive information to the AI model without worry. + +## AI Models + +### Hardware for Local AI Models + +Local models are also fairly accessible. It's possible to run smaller models at lower speeds on as little as 8 GB of RAM. Using more powerful hardware such as a dedicated GPU with sufficient VRAM or a modern system with fast LPDDR5X memory offers the best experience. + +LLMs can usually be differentiated by the number of parameters, which can vary between 1.3B to 405B for open-source models available for end users. For example, models below 6.7B parameters are only good for basic tasks like text summaries, while models between 7B and 13B are a great compromise between quality and speed. Models with advanced reasoning capabilities are generally around 70B. + +For consumer-grade hardware, it is generally recommended to use [quantized models](https://huggingface.co/docs/optimum/en/concept_guides/quantization) for the best balance between model quality and performance. Check out the table below for more precise information about the typical requirements for different sizes of quantized models. + +| Model Size (in Parameters) | Minimum RAM | Minimum Processor | +| --------------------------------------------- | ----------- | -------------------------------------------- | +| 7B | 8 GB | Modern CPU (AVX2 support) | +| 13B | 16 GB | Modern CPU (AVX2 support) | +| 70B | 72 GB | GPU with VRAM | + +To run AI locally, you need both an AI model and an AI client. 
+ +### Choosing a Model + +There are many permissively licensed models available to download. [Hugging Face](https://huggingface.co/models) is a platform that lets you browse, research, and download models in common formats like [GGUF](https://huggingface.co/docs/hub/en/gguf). Companies that provide good open-weights models include big names like Mistral, Meta, Microsoft, and Google. However, there are also many community models and [fine-tuned](https://en.wikipedia.org/wiki/Fine-tuning_\(deep_learning\)) models available. As mentioned above, quantized models offer the best balance between model quality and performance for those using consumer-grade hardware. + +To help you choose a model that fits your needs, you can look at leaderboards and benchmarks. The most widely-used leaderboard is the community-driven [LM Arena](https://lmarena.ai). Additionally, the [OpenLLM Leaderboard](https://huggingface.co/spaces/open-llm-leaderboard/open_llm_leaderboard) focuses on the performance of open-weights models on common benchmarks like [MMLU-Pro](https://arxiv.org/abs/2406.01574). There are also specialized benchmarks which measure factors like [emotional intelligence](https://eqbench.com), ["uncensored general intelligence"](https://huggingface.co/spaces/DontPlanToEnd/UGI-Leaderboard), and [many others](https://nebuly.com/blog/llm-leaderboards). 
+ +## AI Chat Clients + +| Feature | [Kobold.cpp](#koboldcpp) | [Ollama](#ollama-cli) | [Llamafile](#llamafile) | +| -------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | +| GPU Support | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-check:{ .pg-green } | +| Image Generation | :material-check:{ .pg-green } | :material-close:{ .pg-red } | :material-close:{ .pg-red } | +| Speech Recognition | :material-check:{ .pg-green } | :material-close:{ .pg-red } | :material-close:{ .pg-red } | +| Auto-download Models | :material-close:{ .pg-red } | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } Few models available | +| Custom Parameters | :material-check:{ .pg-green } | :material-close:{ .pg-red } | :material-check:{ .pg-green } | +| Multi-platform | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } Size limitations on Windows | + +### Kobold.cpp + +
+ +![Kobold.cpp Logo](assets/img/ai-chat/kobold.png){align=right} + +**Kobold.cpp** is an AI client that runs locally on your Windows, Mac, or Linux computer. It's an excellent choice if you are looking for heavy customization and tweaking, such as for role-playing purposes. + +In addition to supporting a large range of text models, Kobold.cpp also supports image generators such as [Stable Diffusion](https://stability.ai/stable-image) and automatic speech recognition tools such as [Whisper](https://github.com/ggerganov/whisper.cpp). + +[:octicons-repo-16: Repository](https://github.com/LostRuins/koboldcpp#readme){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/LostRuins/koboldcpp/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/LostRuins/koboldcpp){ .card-link title="Source Code" } +[:octicons-lock-16:](https://github.com/LostRuins/koboldcpp/blob/2f3597c29abea8b6da28f21e714b6b24a5aca79b/SECURITY.md){ .card-link title="Security Policy" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://github.com/LostRuins/koboldcpp/releases) +- [:simple-apple: macOS](https://github.com/LostRuins/koboldcpp/releases) +- [:simple-linux: Linux](https://github.com/LostRuins/koboldcpp/releases) + +
+ +
+ +
+

Compatibility Issues

+ +Kobold.cpp might not run on computers without AVX/AVX2 support. + +
+ +Kobold.cpp allows you to modify parameters such as the AI model temperature and the AI chat's system prompt. It also supports creating a network tunnel to access AI models from other devices such as your phone. + +### Ollama (CLI) + +
+ +![Ollama Logo](assets/img/ai-chat/ollama.png){align=right} + +**Ollama** is a command-line AI assistant that is available on macOS, Linux, and Windows. Ollama is a great choice if you're looking for an AI client that's easy-to-use, widely compatible, and fast due to its use of inference and other techniques. It also doesn't involve any manual setup. + +In addition to supporting a wide range of text models, Ollama also supports [LLaVA](https://github.com/haotian-liu/LLaVA) models and has experimental support for Meta's [Llama vision capabilities](https://huggingface.co/blog/llama32#what-is-llama-32-vision). + +[:octicons-home-16: Homepage](https://ollama.com){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/ollama/ollama#readme){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/ollama/ollama){ .card-link title="Source Code" } +[:octicons-lock-16:](https://github.com/ollama/ollama/blob/a14f76491d694b2f5a0dec6473514b7f93beeea0/SECURITY.md){ .card-link title="Security Policy" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://ollama.com/download/windows) +- [:simple-apple: macOS](https://ollama.com/download/mac) +- [:simple-linux: Linux](https://ollama.com/download/linux) + +
+ +
+ +Ollama simplifies the process of setting up a local AI chat by downloading the AI model you want to use automatically. For example, running `ollama run llama3.2` will automatically download and run the Llama 3.2 model. Furthermore, Ollama maintains their own [model library](https://ollama.com/library) where they host the files of various AI models. This ensures that models are vetted for both performance and security, eliminating the need to manually verify model authenticity. + +### Llamafile + +
+ +![Llamafile Logo](assets/img/ai-chat/llamafile.webp){align=right} + +**Llamafile** is a lightweight, single-file executable that allows users to run LLMs locally on their own computers without any setup involved. It is [backed by Mozilla](https://hacks.mozilla.org/2023/11/introducing-llamafile) and available on Linux, macOS, and Windows. + +Llamafile also supports LLaVA. However, it doesn't support speech recognition or image generation. + +[:octicons-repo-16: Repository](https://github.com/Mozilla-Ocho/llamafile#readme){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/Mozilla-Ocho/llamafile#quickstart){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/Mozilla-Ocho/llamafile){ .card-link title="Source Code" } +[:octicons-lock-16:](https://github.com/Mozilla-Ocho/llamafile#security){ .card-link title="Security Policy" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://github.com/Mozilla-Ocho/llamafile#quickstart) +- [:simple-apple: macOS](https://github.com/Mozilla-Ocho/llamafile#quickstart) +- [:simple-linux: Linux](https://github.com/Mozilla-Ocho/llamafile#quickstart) + +
+ +
+ +Mozilla has made llamafiles available for only some Llama and Mistral models, while there are few third-party llamafiles available. Moreover, Windows limits `.exe` files to 4 GB, and most models are larger than that. + +To circumvent these issues, you can [load external weights](https://github.com/Mozilla-Ocho/llamafile#using-llamafile-with-external-weights). + +## Securely Downloading Models + +If you use an AI client that maintains their own library of model files (such as [Ollama](#ollama-cli) and [Llamafile](#llamafile)), you should download it from there. However, if you want to download models not present in their library, or use an AI client that doesn't maintain its library (such as [Kobold.cpp](#koboldcpp)), you will need to take extra steps to ensure that the AI model you download is safe and legitimate. + +We recommend downloading model files from Hugging Face since it provides several features to verify that your download is genuine and safe to use. + +To check the authenticity and safety of the model, look for: + +- Model cards with clear documentation +- A verified organization badge +- Community reviews and usage statistics +- A "Safe" badge next to the model file (Hugging Face only) +- Matching checksums[^1] + - On Hugging Face, you can find the hash by clicking on a model file and looking for the **Copy SHA256** button below it. You should compare this checksum with the one from the model file you downloaded. + +A downloaded model is generally safe if it satisfies all the above checks. + +## Criteria + +Please note we are not affiliated with any of the projects we recommend. In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must be open source. 
+- Must not transmit personal data, including chat data. +- Must be multi-platform. +- Must not require a GPU. +- Must support GPU-powered, fast inference. +- Must not require an internet connection. + +### Best-Case + +Our best-case criteria represent what we _would_ like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be easy to download and set up, e.g. with a one-click installation process. +- Should have a built-in model downloader option. +- The user should be able to modify the LLM parameters, such as its system prompt or temperature. + +\*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +\*[LLM]: Large Language Model (AI model such as ChatGPT) +\*[LLMs]: Large Language Models (AI models such as ChatGPT) +\*[open-weights models]: AI models that anyone can download and use, but the underlying training data and/or algorithms for them are proprietary. +\*[system prompt]: The general instructions given by a human to guide how an AI chat should operate. +\*[temperature]: A parameter used in AI models to control the level of randomness and creativity in the generated text. + +[^1]: A file checksum is a type of anti-tampering fingerprint. A developer usually provides a checksum in a text file that can be downloaded separately, or on the download page itself. Verifying that the checksum of the file you downloaded matches the one provided by the developer helps ensure that the file is genuine and wasn't tampered with in transit. You can use commands like `sha256sum` on Linux and macOS, or `certutil -hashfile file SHA256` on Windows to generate the downloaded file's checksum. diff --git a/i18n/fi/alternative-networks.md b/i18n/fi/alternative-networks.md new file mode 100644 index 00000000..7c646ae0 --- /dev/null +++ b/i18n/fi/alternative-networks.md 
@@ -0,0 +1,159 @@ +--- +title: "Alternative Networks" +icon: material/vector-polygon +description: These tools allow you to access networks other than the World Wide Web. +cover: alternative-networks.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal } +- [:material-eye-outline: Mass Surveillance](basics/common-threats.md#mass-surveillance-programs){ .pg-blue } +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } + +## Anonymizing Networks + +When it comes to anonymizing networks, we want to specially note that [Tor](advanced/tor-overview.md) is our top choice. It is by far the most utilized, robustly studied, and actively developed anonymous network. Using other networks could be more likely to endanger your [:material-incognito: Anonymity](basics/common-threats.md#anonymity-vs-privacy){ .pg-purple }, unless you know what you're doing. + +### Tor + +
+ +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray } circumvention tool. + +[:octicons-home-16:](https://torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org){ .card-link title=Documentation} +[:octicons-code-16:](https://gitlab.torproject.org/tpo/core/tor){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org){ .card-link title=Contribute } + +
+ +The recommended way to access the Tor network is via the official Tor Browser, which we have covered in more detail on a dedicated page: + +[Tor Browser Info :material-arrow-right-drop-circle:](tor.md){ .md-button .md-button--primary } [Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md){ .md-button } + +You can access the Tor network using other tools; making this determination comes down to your threat model. If you are a casual Tor user who is not worried about your ISP collecting evidence against you, using apps like [Orbot](#orbot) or mobile browser apps to access the Tor network is probably fine. Increasing the number of people who use Tor on an everyday basis helps reduce the bad stigma of Tor, and lowers the quality of "lists of Tor users" that ISPs and governments may compile. + +
+

Try it out!

+ +You can try connecting to _Privacy Guides_ via Tor at [xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion](http://www.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion). + +
+ +#### Orbot + +
+ +![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + +**Orbot** is a mobile application which routes traffic from any app on your device through the Tor network. + +[:octicons-home-16: Homepage](https://orbot.app){ .md-button .md-button--primary } +[:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://orbot.app/faqs){ .card-link title="Documentation" } +[:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } +[:octicons-heart-16:](https://orbot.app/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1609461599) +- [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) +- [:simple-fdroid: F-Droid](https://guardianproject.info/fdroid) + +
+ +
+ +We previously recommended enabling the _Isolate Destination Address_ preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +\=== "Android" + +``` +Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN kill switch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +Orbot is often outdated on Google Play and the Guardian Project's F-Droid repository, so consider downloading directly from the GitHub repository instead. All versions are signed using the same signature, so they should be compatible with each other. +``` + +\=== "iOS" + +``` +On iOS, Orbot has some limitations that could potentially cause crashes or leaks: iOS does not have an effective OS-level feature to block connections without a VPN like Android does, and iOS has an artificial memory limit for network extensions that makes it challenging to run Tor in Orbot without crashes. Currently, it is always safer to use Tor on a desktop computer compared to a mobile device. +``` + +#### Snowflake + +
+ +![Snowflake logo](assets/img/self-contained-networks/snowflake.svg#only-light){ align=right } +![Snowflake logo](assets/img/self-contained-networks/snowflake-dark.svg#only-dark){ align=right } + +**Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + +People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + +[:octicons-home-16: Homepage](https://snowflake.torproject.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} +[:octicons-code-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org){ .card-link title=Contribute } + + + +
+ +You can enable Snowflake in your browser by opening it in another tab and turning the switch on. You can leave it running in the background while you browse to contribute your connection. We don't recommend installing Snowflake as a browser extension, because adding third-party extensions can increase your attack surface. + +[Run Snowflake in your Browser :material-arrow-right-drop-circle:](https://snowflake.torproject.org/embed.html){ .md-button } + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even more so than running a Tor relay or bridge which are already not particularly risky endeavors. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +### I2P (The Invisible Internet Project) + +
+ +![I2P logo](assets/img/self-contained-networks/i2p.svg#only-light){ align=right } +![I2P logo](assets/img/self-contained-networks/i2p-dark.svg#only-dark){ align=right } + +**I2P** is a network layer which encrypts your connections and routes them via a network of computers distributed around the world. It is mainly focused on creating an alternative, privacy-protecting network rather than making regular internet connections anonymous. + +[:octicons-home-16: Homepage](https://geti2p.net/en){ .md-button .md-button--primary } +[:octicons-info-16:](https://geti2p.net/en/about/software){ .card-link title=Documentation } +[:octicons-code-16:](https://github.com/i2p/i2p.i2p){ .card-link title="Source Code" } +[:octicons-heart-16:](https://geti2p.net/en/get-involved){ .card-link title=Contribute } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.i2p.android) +- [:simple-android: Android](https://geti2p.net/en/download#android) +- [:fontawesome-brands-windows: Windows](https://geti2p.net/en/download#windows) +- [:simple-apple: macOS](https://geti2p.net/en/download#mac) +- [:simple-linux: Linux](https://geti2p.net/en/download#unix) + +
+ +
+ +Unlike Tor, all I2P traffic is internal to the I2P network, which means regular internet websites are **not** directly accessible from I2P. Instead, you can connect to websites which are hosted anonymously and directly on the I2P network, which are called "eepsites" and have domains which end in `.i2p`. + +
+

Try it out!

+ +You can try connecting to _Privacy Guides_ via I2P at [privacyguides.i2p](http://privacyguides.i2p/?i2paddresshelper=fvbkmooriuqgssrjvbxu7nrwms5zyhf34r3uuppoakwwsm7ysv6q.b32.i2p). + +
+ +Also, unlike Tor, every I2P node will relay traffic for other users by default, instead of relying on dedicated relay volunteers to run nodes. There are approximately [10,000](https://metrics.torproject.org/networksize.html) relays and bridges on the Tor network compared to ~50,000 on I2P, meaning there is potentially more ways for your traffic to be routed to maximize anonymity. I2P also tends to be more performant than Tor, although this is likely a side effect of Tor being more focused on regular "clearnet" internet traffic and thus using more bottle necked exit nodes. Hidden service performance is generally considered to be much better on I2P compared to Tor. While running P2P applications like BitTorrent is challenging on Tor (and can massively impact Tor network performance), it is very easy and performant on I2P. + +There are downsides to I2P's approach, however. Tor relying on dedicated exit nodes means more people in less safe environments can use it, and the relays that do exist on Tor are likely to be more performant and stable, as they generally aren't run on residential connections. Tor is also far more focused on **browser privacy** (i.e. anti-fingerprinting), with a dedicated [Tor Browser](tor.md) to make browsing activity as anonymous as possible. I2P is used via your [regular web browser](desktop-browsers.md), and while you can configure your browser to be more privacy-protecting, you probably still won't have the same browser fingerprint as other I2P users (there's no "crowd" to blend in with in that regard). + +Tor is likely to be more resistant to censorship, due to their robust network of bridges and varying [pluggable transports](https://tb-manual.torproject.org/circumvention). On the other hand, I2P uses directory servers for the initial connection which are varying/untrusted and run by volunteers, compared to the hard-coded/trusted ones Tor uses which are likely easier to block. 
+ +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403) and [Whonix's Stream Isolation documentation](https://whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/fi/android/distributions.md b/i18n/fi/android/distributions.md new file mode 100644 index 00000000..9b2f32f2 --- /dev/null +++ b/i18n/fi/android/distributions.md 
@@ -0,0 +1,78 @@ +--- +meta_title: "The Best Android Operating Systems - Privacy Guides" +title: Alternative Distributions +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +robots: nofollow, max-snippet:-1, max-image-preview:large +--- + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](../basics/common-threats.md#attacks-against-specific-individuals){ .pg-red } +- [:material-bug-outline: Passive Attacks](../basics/common-threats.md#security-and-privacy){ .pg-orange } + +A **custom Android-based operating system** (sometimes referred to as a **custom ROM**) can be a way to achieve a higher level of privacy and security on your device. This is in contrast to the "stock" version of Android which comes with your phone from the factory, and is often deeply integrated with Google Play Services as well as other vendor software. + +We recommend installing GrapheneOS if you have a Google Pixel as it provides improved security hardening and additional privacy features. The reasons we don't list other operating systems or devices are as follows: + +- They often have [weaker security](index.md#install-a-custom-distribution). +- Support is frequently dropped when the maintainer loses interest or upgrades their device, which is in contrast to the predictable [support cycle](https://grapheneos.org/faq#device-lifetime) that GrapheneOS follows. +- They generally have few or no notable privacy or security improvements that make installing them worthwhile. + +## GrapheneOS + +
+ +![GrapheneOS logo](../assets/img/android/grapheneos.svg#only-light){ align=right } +![GrapheneOS logo](../assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + +**GrapheneOS** is the best choice when it comes to privacy and security. + +GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_\(computing\)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + +[:octicons-home-16: Homepage](https://grapheneos.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://grapheneos.org/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } +[:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title="Contribute" } + +
+ +GrapheneOS supports [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as push notifications, while giving you full control over their permissions and access, and while containing them to a specific [work profile](../os/android-overview.md#work-profile) or [user profile](../os/android-overview.md#user-profiles) of your choice. + +[Google Pixel phones](../mobile-phones.md#google-pixel) are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#future-devices). The Pixel 8 and later support ARM's Memory Tagging Extension (MTE), a hardware security enhancement that drastically lowers the probability of exploits occurring through memory corruption bugs. GrapheneOS greatly expands the coverage of MTE on supported devices. Whereas the stock OS only allows you to opt in to a limited implementation of MTE via a developer option or Google's Advanced Protection Program, GrapheneOS features a more robust implementation of MTE by default in the system kernel, default system components, and their Vanadium web browser and its WebView. + +GrapheneOS also provides a global toggle for enabling MTE on all user-installed apps at :gear: **Settings** → **Security & privacy** → **Exploit protection** → **Memory tagging** → **Enable by default**. The OS also features per-app toggles to opt out of MTE for apps which may crash due to compatibility issues. + +### Connectivity Checks + +By default, Android makes many network connections to Google to perform DNS connectivity checks, to sync with current network time, to check your network connectivity, and for many other background tasks. GrapheneOS replaces these with connections to servers operated by GrapheneOS and subject to their privacy policy. 
This hides information like your IP address [from Google](../basics/common-threats.md#privacy-from-service-providers), but means it is trivial for an admin on your network or ISP to see you are making connections to `grapheneos.network`, `grapheneos.org`, etc. and deduce what operating system you are using. + +If you want to hide information like this from an adversary on your network or ISP, you **must** use a [trusted VPN](../vpn.md) in addition to changing the connectivity check setting to **Standard (Google)**. It can be found in :gear: **Settings** → **Network & internet** → **Internet connectivity checks**. This option allows you to connect to Google's servers for connectivity checks, which, alongside the usage of a VPN, helps you blend in with a larger pool of Android devices. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](../about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. diff --git a/i18n/fi/android/general-apps.md b/i18n/fi/android/general-apps.md new file mode 100644 index 00000000..800718b3 --- /dev/null +++ b/i18n/fi/android/general-apps.md 
@@ -0,0 +1,140 @@ +--- +title: "General Apps" +description: The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. +schema: + - "@context": http://schema.org + "@type": WebPage + name: General Android Apps + url: "./" + - "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +robots: nofollow, max-snippet:-1, max-image-preview:large +--- + +Protects against the following threat(s): + +- [:material-bug-outline: Passive Attacks](../basics/common-threats.md#security-and-privacy){ .pg-orange } + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +If your device is on Android 15 or greater, we recommend using the native [Private Space](../os/android-overview.md#private-space) feature instead, which provides nearly the same functionality without needing to place trust in and grant powerful permissions to a third-party app. + +
+ +![Shelter logo](../assets/img/android/shelter.svg){ align=right } + +**Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + +Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + +[:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } +[:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } +[:octicons-heart-16:](https://patreon.com/PeterCxy){ .card-link title=Contribute } + +
+ +
+

Warning

+ +When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +
+ +Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + +### Secure Camera + +Protects against the following threat(s): + +- [:material-account-search: Public Exposure](../basics/common-threats.md#limiting-public-information){ .pg-green } + +
+ +![Secure camera logo](../assets/img/android/secure_camera.svg#only-light){ align=right } +![Secure camera logo](../assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + +**Secure Camera** is a camera app focused on privacy and security which can capture images, videos, and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + +[:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera#readme){ .md-button .md-button--primary } +[:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } +[:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) +- [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) +- [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +
+ +
+ +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +
+

Note

+ +Metadata is not currently deleted from video files, but that is planned. + +The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](../data-redaction.md#exiferaser-android). + +
+ +### Secure PDF Viewer + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](../basics/common-threats.md#attacks-against-specific-individuals){ .pg-red } + +
+ +![Secure PDF Viewer logo](../assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } +![Secure PDF Viewer logo](../assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + +**Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_\(software_development\)) [WebView](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + +[Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + +[:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer#readme){ .md-button .md-button--primary } +[:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } +[:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) +- [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) +- [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +
+ +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](../about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/fi/android/index.md b/i18n/fi/android/index.md new file mode 100644 index 00000000..1432dbd0 --- /dev/null +++ b/i18n/fi/android/index.md 
@@ -0,0 +1,67 @@ +--- +title: "Android" +description: Our advice for replacing privacy-invasive default Android features with private and secure alternatives. +icon: 'simple/android' +cover: android.webp +schema: + - "@context": http://schema.org + "@type": WebPage + name: Android Recommendations + url: "./" + - "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) +--- + +![Android logo](../assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** (AOSP) is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[General Android Overview :material-arrow-right-drop-circle:](../os/android-overview.md){ .md-button .md-button--primary } + +## Our Advice + +### Replace Google Services + +There are many methods of obtaining apps on Android while avoiding Google Play. Whenever possible, try using one of these methods before getting your apps from non-private sources: + +[Obtaining Applications :material-arrow-right-drop-circle:](obtaining-apps.md){ .md-button } + +There are also many private alternatives to the apps that come pre-installed on your phone, such as the camera app. Besides the Android apps we recommend throughout this site in general, we've created a list of system utilities specific to Android which you might find useful. 
+ +[General App Recommendations :material-arrow-right-drop-circle:](general-apps.md){ .md-button } + +### Install a Custom Distribution + +When you buy an Android phone, the default operating system comes bundled with apps and functionality that are not part of the Android Open Source Project. Many of these apps—even apps like the dialer which provide basic system functionality—require invasive integrations with Google Play Services, which in turn asks for privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, and numerous other things on your device in order for those basic system apps and many other apps to function in the first place. Frameworks like Google Play Services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using an alternative Android distribution, commonly known as a _custom ROM_, that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. 
At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria: + +[Recommended Distributions :material-arrow-right-drop-circle:](distributions.md){ .md-button } + +### Avoid Root + +[Rooting](https://en.wikipedia.org/wiki/Rooting_\(Android\)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_\(operating_system\)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition, meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the attack surface of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Content blockers which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_\(file\)) (like AdAway) and firewalls which require root access persistently (like AFWall+) are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For content blocking, we suggest encrypted [DNS](../dns.md) or content blocking functionality provided by a VPN instead. TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN), preventing you from using privacy-enhancing services such as [Orbot](../alternative-networks.md#orbot) or a [real VPN provider](../vpn.md). 
+ +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_\(computing\)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +### Install Updates Regularly + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android receive not only security updates for the operating system but also important privacy enhancing updates too. + +For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes) any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), or your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity); whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +### Use Built-in Sharing Features + +You can avoid giving many apps permission to access your media with Android's built-in sharing features. Many applications allow you to "share" a file with them for media upload. + +For example, if you want to post a picture to Discord you can open your file manager or gallery and share that picture with the Discord app, instead of granting Discord full access to your media and photos. diff --git a/i18n/fi/android/obtaining-apps.md b/i18n/fi/android/obtaining-apps.md new file mode 100644 index 00000000..1ea08bbe --- /dev/null +++ b/i18n/fi/android/obtaining-apps.md 
@@ -0,0 +1,127 @@ +--- +title: "Obtaining Applications" +description: We recommend these methods for obtaining applications on Android without interacting with Google Play Services. +--- + +There are many ways to obtain Android apps privately, even from the Play Store, without interacting with Google Play Services. We recommend the following methods of obtaining applications on Android, listed in order of preference. + +## Obtainium + +
+ +![Obtainium logo](../assets/img/android/obtainium.svg){ align=right } + +**Obtainium** is an app manager which allows you to install and update apps directly from the developer's own releases page (i.e. GitHub, GitLab, the developer's website, etc.), rather than a centralized app store/repository. It supports automatic background updates on Android 12 and higher. + +[:octicons-repo-16: Repository](https://github.com/ImranR98/Obtainium#readme){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/ImranR98/Obtainium/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/ImranR98/Obtainium){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/ImranR98){ .card-link title=Contribute } + +
+Downloads + +- [:simple-github: GitHub](https://github.com/ImranR98/Obtainium/releases) + +
+ +
+ +Obtainium allows you to download APK installer files from a wide variety of sources, and it is up to you to ensure those sources and apps are legitimate. For example, using Obtainium to install Signal from [Signal's APK landing page](https://signal.org/android/apk) should be fine, but installing from third-party APK repositories like Aptoide or APKPure may pose additional risks. The risk of installing a malicious _update_ is lower, because Android itself verifies that all app updates are signed by the same developer as the existing app on your phone before installing them. + +## GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](../device-integrity.md#auditor-android), [Camera](general-apps.md#secure-camera), and [PDF Viewer](general-apps.md#secure-pdf-viewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +## Aurora Store + +The Google Play Store requires a Google account to log in, which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +
+ +![Aurora Store logo](../assets/img/android/aurora-store.webp){ align=right } + +**Aurora Store** is a Google Play Store client which does not require a Google account, Google Play Services, or microG to download apps. + +[:octicons-home-16: Homepage](https://auroraoss.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://gitlab.com/AuroraOSS/AuroraStore/-/blob/master/POLICY.md){ .card-link title="Privacy Policy" } +[:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +
+ +
+ +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google. However, you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +## Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](../news-aggregators.md) that will help you keep track of new releases. + +![RSS APK](../assets/img/android/rss-apk-light.png#only-light) ![RSS APK](../assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](../assets/img/android/rss-changes-light.png#only-light) ![APK Changes](../assets/img/android/rss-changes-dark.png#only-dark) + +### GitHub + +On GitHub, using [Secure Camera](general-apps.md#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://oracle.com/java/technologies/downloads). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. 
Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +## F-Droid + +![F-Droid logo](../assets/img/android/f-droid.svg){ align=right width=120px } + +\==We only recommend F-Droid as a way to obtain apps which cannot be obtained via the means above.== F-Droid is often recommended as an alternative to Google Play, particularly within the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds) for some applications and is dedicated to free and open-source software. However, there are some security-related downsides to how F-Droid builds, signs, and delivers packages: + +Due to their process of building apps, apps in the _official_ F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. 
Additionally, the requirements for an app to be included in the official F-Droid repo are less strict than other app stores like Google Play, meaning that F-Droid tends to host a lot more apps which are older, unmaintained, or otherwise no longer meet [modern security standards](https://developer.android.com/google/play/requirements/target-sdk). + +Other popular third-party repositories for F-Droid such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from code forges (GitHub, GitLab, etc.) and is the next best thing to the developers' own repositories. They also offer [reproducible builds](https://android.izzysoft.de/articles/named/iod-rbs-mirrors-clients) for hundreds of applications and have developers who verify the reproducibility of developer-signed APKs. Furthermore, the IzzyOnDroid team conducts [additional security scans](https://android.izzysoft.de/articles/named/iod-scan-apkchecks) of apps housed in the repo, which usually result in [deliberations](https://github.com/gouravkhunger/QuotesApp/issues/22) between them and app developers toward privacy improvements in their apps. Note that apps may be removed from the IzzyOnDroid repo in [certain circumstances](https://gitlab.com/IzzyOnDroid/repo#are-apps-removed-from-the-repo--and-when-does-that-happen). + +The [F-Droid](https://f-droid.org/en/packages) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid) repositories are home to countless apps, so they can be useful places to search for and discover open-source apps that you can then download through other means such as the Play Store, Aurora Store, or by getting the APK directly from the developer. You should use your best judgment when looking for new apps via this method, and keep an eye on how frequently the app is updated. Outdated apps may rely on unsupported libraries, among other things, posing a potential security risk. + +
+

F-Droid Basic

+ +In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](../health-and-wellness.md#gadgetbridge) is one example of this). If you really need an app like that, we recommend using the newer [F-Droid Basic](https://f-droid.org/en/packages/org.fdroid.basic) client instead of the original F-Droid app to obtain it. F-Droid Basic supports automatic background updates without privileged extension or root, and has a reduced feature set (limiting attack surface). + +
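Review bot: In the "Verifying APK Fingerprints" steps of i18n/fi/android/obtaining-apps.md, step 5 tells the reader to compare "the resulting hashes" with another source, but the sample output lists SHA-256, SHA-1 and MD5 digests side by side. The text should name the SHA-256 certificate digest as the value to compare, so that nobody settles for a match on the weaker MD5 or SHA-1 lines. In the same list, step 3 is titled "Extract the downloaded archive" yet its block also runs `sdkmanager` to install `build-tools;29.0.3`; that deserves its own step or a corrected title. The sample output in step 5 is fenced as `bash` although it is program output, not commands. Further down, the F-Droid paragraph opens with `\==We only recommend F-Droid`, where the leading backslash will likely keep the `==` highlight from rendering.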
diff --git a/i18n/fi/assets/img/account-deletion/exposed_passwords.png b/i18n/fi/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/fi/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/fi/assets/img/android/rss-apk-dark.png b/i18n/fi/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/fi/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/fi/assets/img/android/rss-apk-light.png b/i18n/fi/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/fi/assets/img/android/rss-apk-light.png differ diff --git a/i18n/fi/assets/img/android/rss-changes-dark.png b/i18n/fi/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/fi/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/fi/assets/img/android/rss-changes-light.png b/i18n/fi/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/fi/assets/img/android/rss-changes-light.png differ diff --git a/i18n/fi/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/fi/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..0f1e0716 --- /dev/null +++ b/i18n/fi/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,129 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/i18n/fi/assets/img/how-tor-works/tor-encryption.svg b/i18n/fi/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f954fb0f --- /dev/null +++ b/i18n/fi/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,129 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fi/assets/img/how-tor-works/tor-path-dark.svg b/i18n/fi/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..55f37c01 --- /dev/null +++ b/i18n/fi/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,81 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/fi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..ce51beee --- /dev/null +++ b/i18n/fi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,136 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + Guard + + + Relay + + + Relay + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/fi/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/fi/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..8d008447 --- /dev/null 
+++ b/i18n/fi/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + Guard + + + Relay + + + Relay + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + Entry + + + + + + + + + + + + + + + + + diff --git a/i18n/fi/assets/img/how-tor-works/tor-path.svg b/i18n/fi/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..3cbdbb38 --- /dev/null +++ b/i18n/fi/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fi/assets/img/ios/contact-permissions-dark.png b/i18n/fi/assets/img/ios/contact-permissions-dark.png new file mode 100644 index 00000000..d3fab50f Binary files /dev/null and b/i18n/fi/assets/img/ios/contact-permissions-dark.png differ diff --git a/i18n/fi/assets/img/ios/contact-permissions-light.png b/i18n/fi/assets/img/ios/contact-permissions-light.png new file mode 100644 index 00000000..c7f8462e Binary files /dev/null and b/i18n/fi/assets/img/ios/contact-permissions-light.png differ diff --git a/i18n/fi/assets/img/ios/photo-permissions-dark.png b/i18n/fi/assets/img/ios/photo-permissions-dark.png new file mode 100644 index 00000000..5e569774 Binary files /dev/null and b/i18n/fi/assets/img/ios/photo-permissions-dark.png differ diff --git a/i18n/fi/assets/img/ios/photo-permissions-light.png b/i18n/fi/assets/img/ios/photo-permissions-light.png new file mode 100644 index 00000000..bc0aa90a Binary files /dev/null and b/i18n/fi/assets/img/ios/photo-permissions-light.png differ 
diff --git a/i18n/fi/assets/img/ios/private-access-dark.png b/i18n/fi/assets/img/ios/private-access-dark.png new file mode 100644 index 00000000..6fb88130 Binary files /dev/null and b/i18n/fi/assets/img/ios/private-access-dark.png differ diff --git a/i18n/fi/assets/img/ios/private-access-light.png b/i18n/fi/assets/img/ios/private-access-light.png new file mode 100644 index 00000000..a5c0028e Binary files /dev/null and b/i18n/fi/assets/img/ios/private-access-light.png differ diff --git a/i18n/fi/assets/img/linux/screenshot_permission.png b/i18n/fi/assets/img/linux/screenshot_permission.png new file mode 100644 index 00000000..af163775 Binary files /dev/null and b/i18n/fi/assets/img/linux/screenshot_permission.png differ diff --git a/i18n/fi/assets/img/multi-factor-authentication/fido.png b/i18n/fi/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/fi/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/fi/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/fi/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/fi/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/fi/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/fi/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/fi/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/fi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/fi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/fi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/fi/basics/account-creation.md b/i18n/fi/basics/account-creation.md new file mode 100644 index 00000000..fd94a80a --- /dev/null 
+++ b/i18n/fi/basics/account-creation.md 
@@ -0,0 +1,85 @@ +--- +meta_title: "How to Create Internet Accounts Privately - Privacy Guides" +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service to watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VoIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. 
This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data, and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +
+

Tip

+ +You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +
+ +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email-aliasing.md ""){.md-button} + +### "Sign in with..." (OAuth) + +[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth. + +When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account. 
+ +The main advantages are: + +- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text). +- **Ease-of-use**: Multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: The OAuth provider you log in with will know the services you use. +- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected. + +OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md). + +All the services that use OAuth will be as secure as your underlying OAuth provider's account. For example, if you want to secure an account with a hardware key, but that service doesn't support hardware keys, you can secure the account you use with OAuth with a hardware key instead, and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your OAuth provider account means that any account tied to that login will also be weak. + +There is an additional danger when using *Sign in with Google*, *Facebook*, or another service, which is that typically the OAuth process allows for *bidirectional* data sharing. For example, logging in to a forum with your Twitter account could grant that forum access to do things on your Twitter account such as post, read your messages, or access other personal data. 
OAuth providers will typically present you with a list of things you are granting the external service access to, and you should always ensure that you read through that list and don't inadvertently grant the external service access to anything it doesn't require. + +Malicious applications, particularly on mobile devices where the application has access to the WebView session used for logging in to the OAuth provider, can also abuse this process by hijacking your session with the OAuth provider and gaining access to your OAuth account through those means. Using the *Sign in with* option with any provider should usually be considered a matter of convenience that you only use with services you trust to not be actively malicious. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identify you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VoIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. 
Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/fi/basics/account-deletion.md b/i18n/fi/basics/account-deletion.md new file mode 100644 index 00000000..1ebf4143 --- /dev/null +++ b/i18n/fi/basics/account-deletion.md @@ -0,0 +1,61 @@ +--- +title: Account Deletion +icon: material/account-remove +description: It's easy to accumulate a large number of internet accounts. Here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach occurs when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://deceptive.design), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser ([Firefox](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Chrome](https://passwords.google.com/intro), [Edge](https://support.microsoft.com/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336)) or your phone ([Google](https://passwords.google.com/intro) on stock Android, [Passwords](https://support.apple.com/HT211146) on iOS) without even realizing it. + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows: [Credential Manager](https://support.microsoft.com/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS: [Passwords](https://support.apple.com/HT211145) +- Linux: Gnome Keyring (accessed through [Seahorse](https://gitlab.gnome.org/GNOME/seahorse#seahorse)) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past, or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. 
It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://gdpr-info.eu/art-17-gdpr) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and may be entitled to monetary compensation. 
+ +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email-aliasing.md). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. 
+ +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/fi/basics/common-misconceptions.md b/i18n/fi/basics/common-misconceptions.md new file mode 100644 index 00000000..31b1b249 --- /dev/null +++ b/i18n/fi/basics/common-misconceptions.md 
@@ -0,0 +1,97 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open-source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. 
Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. 
The open development process has also sometimes been exploited to introduce new vulnerabilities known as [:material-package-variant-closed-remove: Supply Chain Attacks](common-threats.md#attacks-against-certain-organizations ""){.pg-viridian}, which are discussed further in our [Common Threats](common-threats.md) page.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. 
The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like multiple email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily deanonymized by a simple oversight. + +So, how might this look? 
+ +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + +
+

Tip

+ + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +
+ +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](../cryptocurrency.md#monero). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: A notable supply chain attack occurred in March 2024, when a malicious maintainer added an obfuscated backdoor into `xz`, a popular compression library. The backdoor ([CVE-2024-3094](https://cve.org/CVERecord?id=CVE-2024-3094)) was intended to give an unknown party remote access to most Linux servers via SSH, but it was discovered before it had been widely deployed. 
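Review bot: In the "Anonymous identity" item at the end of this hunk, the parenthetical in "Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)" lists forum posts and email, which are asynchronous channels, yet it is attached to the clause about real-time communication. As written, a reader cannot tell whether the list illustrates the risky case or the recommended one. Suggest moving the parenthetical next to "asynchronous communication" in the first half of the sentence, or rewording it so the favoured channel is unambiguous. Separately, the FAQ answer in the front matter says "many different email accounts" while the body under "Complicated is better" says "multiple email accounts". Both copies also read "these solutions include problems like" where the antecedent is "threat models". The two copies should be kept identical and the sentence reworded so that "solutions" and "problems" are not swapped.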
diff --git a/i18n/fi/basics/common-threats.md b/i18n/fi/basics/common-threats.md new file mode 100644 index 00000000..da279c17 --- /dev/null +++ b/i18n/fi/basics/common-threats.md 
@@ -0,0 +1,231 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +:material-incognito: **Anonymity** +: + +Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. + +:material-target-account: **Targeted Attacks** +: + +Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. + +:material-package-variant-closed-remove: **Supply Chain Attacks** +: + +Typically, a form of :material-target-account: Targeted Attack that centers around a vulnerability or exploit introduced into otherwise good software either directly or through a dependency from a third party. + +:material-bug-outline: **Passive Attacks** +: + +Being protected from things like malware, data breaches, and other attacks that are made against many people at once. + +:material-server-network: **Service Providers** +: + +Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). + +:material-eye-outline: **Mass Surveillance** +: + +Protection from government agencies, organizations, websites, and services which work together to track your activities. 
+ +:material-account-cash: **Surveillance Capitalism** +: + +Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. + +:material-account-search: **Public Exposure** +: + +Limiting the information about you that is accessible online—to search engines or the public. + +:material-close-outline: **Censorship** +: + +Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-package-variant-closed-remove: Supply Chain Attacks and :material-target-account: Targeted Attacks. They will likely still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. 
+ +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +
+

Tip

+ +Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + +Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../desktop.md#qubes-os). + +
+ +## Attacks against Specific Individuals + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +
+

Tip

+ +By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +
+ +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://learn.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Attacks against Certain Organizations + +:material-package-variant-closed-remove: Supply Chain Attacks + +Supply chain attacks are frequently a form of :material-target-account: Targeted Attack towards businesses, governments, and activists, although they can end up compromising the public at large as well. + +
+

Example

+ +A notable example of this occurred in 2017 when M.E.Doc, a popular accounting software in Ukraine, was infected with the *NotPetya* virus, subsequently infecting people who downloaded that software with ransomware. NotPetya itself was a ransomware attack which impacted 2000+ companies in various countries, and was based on the *EternalBlue* exploit developed by the NSA to attack Windows computers over the network. + +
+ +There are few ways in which this type of attack might be carried out: + +1. A contributor or employee might first work their way into a position of power within a project or organization, and then abuse that position by adding malicious code. +2. A developer may be coerced by an outside party to add malicious code. +3. An individual or group might identify a third party software dependency (also known as a library) and work to infiltrate it with the above two methods, knowing that it will be used by "downstream" software developers. + +These sorts of attacks can require a lot of time and preparation to perform and are risky because they can be detected, particularly in open source projects if they are popular and have outside interest. Unfortunately they're also one of the most dangerous as they are very hard to mitigate entirely. We would encourage readers to only use software which has a good reputation and makes an effort to reduce risk by: + +1. Only adopting popular software that has been around for a while. The more interest in a project, the greater likelihood that external parties will notice malicious changes. A malicious actor will also need to spend more time gaining community trust with meaningful contributions. +2. Finding software which releases binaries with widely-used, trusted build infrastructure platforms, as opposed to developer workstations or self-hosted servers. Some systems like GitHub Actions let you inspect the build script that runs publicly for extra confidence. This lessens the likelihood that malware on a developer's machine could infect their packages, and gives confidence that the binaries produced are in fact produced correctly. +3. Looking for code signing on individual source code commits and releases, which creates an auditable trail of who did what. For example: Was the malicious code in the software repository? Which developer added it? Was it added during the build process? +4. 
Checking whether the source code has meaningful commit messages (such as [conventional commits](https://conventionalcommits.org)) which explain what each change is supposed to accomplish. Clear messages can make it easier for outsiders to the project to verify, audit, and find bugs. +5. Noting the number of contributors or maintainers a program has. A lone developer may be more susceptible to being coerced into adding malicious code by an external party, or to negligently enabling undesirable behavior. This may very well mean software developed by "Big Tech" has more scrutiny than a lone developer who doesn't answer to anyone. + +## Privacy from Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +
+

Note on Web-based Encryption

+ +In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + +On the other hand, web-based E2EE implementations, such as Proton Mail's web app or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + +Therefore, you should use native applications over web clients whenever possible. + +
+ +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as whom you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +
+

Atlas of Surveillance

+ +If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org) by the [Electronic Frontier Foundation](https://eff.org). + +In France, you can take a look at the [Technopolice website](https://technopolice.fr/villes) maintained by the non-profit association La Quadrature du Net. + +
+ +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, as breaches of human rights, they're most often used to disproportionately target minority groups and political dissidents, among others. + +
+

ACLU: The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward

+ +In the face of Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection), intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +
+ +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods, including but not limited to: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +If you're concerned about mass surveillance programs, you can use strategies like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +## Surveillance as a Business Model + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. 
The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. 
Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../social-networks.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +
+

Tip

+ +While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + +You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +
+ +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://ranum.com/security/computer_security/editorials/dumb)" (or, "listing all the bad things that we know about"), as many content blockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/fi/basics/email-security.md b/i18n/fi/basics/email-security.md new file mode 100644 index 00000000..71a01850 --- /dev/null +++ b/i18n/fi/basics/email-security.md 
@@ -0,0 +1,52 @@ +--- +meta_title: "Why Email Isn't the Best Choice for Privacy and Security - Privacy Guides" +title: Email Security +icon: material/email +description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). 
In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP. + +## What is the Web Key Directory standard? + +The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email clients to discover the OpenPGP key for other mailboxes, even those hosted on a different provider. Email clients which support WKD will ask the recipient's server for a key based on the email address' domain name. For example, if you emailed `jonah@privacyguides.org`, your email client would ask `privacyguides.org` for Jonah's OpenPGP key, and if `privacyguides.org` has a key for that account, your message would be automatically encrypted. + +In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox Mail, they can publish your OpenPGP key on their domain for you. + +If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). 
Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting). + +If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smart card (such as a [YubiKey](https://support.yubico.com/hc/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](../security-keys.md#nitrokey)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc.) running an email/webmail client. The message is then decrypted by the smart card and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smart card to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. 
Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc. diff --git a/i18n/fi/basics/hardware.md b/i18n/fi/basics/hardware.md new file mode 100644 index 00000000..abe30fe5 --- /dev/null +++ b/i18n/fi/basics/hardware.md 
@@ -0,0 +1,152 @@ +--- +title: "Choosing Your Hardware" +icon: 'material/chip' +description: Software isn't all that matters; learn about the hardware tools you use every day to protect your privacy. +--- + +When it comes to discussions about privacy, hardware is often not thought about as much as what software we use. Your hardware should be considered the foundation on which you build the rest of your privacy setup. + +## Picking a Computer + +The internals of your devices process and store all of your digital data. It is important that all devices are supported by the manufacturer and developers by continuing to receive security updates. + +### Hardware Security Programs + +Some devices will have a "hardware security program", which is a collaboration between vendors on best practices and recommendations when designing hardware, for example: + +- [Windows Secured-core PCs](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11) meet a higher security criteria specified by Microsoft. These protections aren't only applicable to Windows users; Users of other operating systems can still take advantage of features like [DMA protection](https://learn.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and the ability to completely distrust Microsoft certificates. +- [Android Ready SE](https://developers.google.com/android/security/android-ready-se) is a collaboration between vendors to ensure their devices follow [best practices](https://source.android.com/docs/security/best-practices/hardware) and include tamper resistant hardware backed storage for things like encryption keys. +- macOS running on an Apple SoC takes advantage of [hardware security](../os/macos-overview.md#hardware-security) which may not be available with third party operating systems. 
+- [ChromeOS security](https://chromium.org/chromium-os/developer-library/reference/security/security-whitepaper) is at its best when running on a Chromebook as it is able to make use of available hardware features such as the [hardware root-of-trust](https://chromium.org/chromium-os/developer-library/reference/security/security-whitepaper/#hardware-root-of-trust-and-verified-boot). + +Even if you don't use these operating systems, participation in these programs may indicate that the manufacturer is following best practices when it comes to hardware security and updates. + +### Preinstalled OS + +New computers nearly always come with Windows preinstalled, unless you buy a Mac or a specialty Linux machine. It's usually a good idea to wipe the drive and install a fresh copy of your operating system of choice, even if that means just reinstalling Windows from scratch. Due to agreements between hardware vendors and shady software vendors, the default Windows install often comes preloaded with bloatware, [adware](https://bleepingcomputer.com/news/technology/lenovo-gets-a-slap-on-the-wrist-for-superfish-adware-scandal), or even [malware](https://zdnet.com/article/dell-poweredge-motherboards-ship-with-malware). + +### Firmware Updates + +Hardware often has security issues that are discovered and patched through firmware updates for your hardware. + +Almost every component of your computer requires firmware to operate, from your motherboard to your storage devices. It is ideal for all the components of your device to be fully supported. Apple devices, Chromebooks, most Android phones, and Microsoft Surface devices will handle firmware updates for you as long as the device is supported. + +If you build your own PC, you may need to manually update your motherboard's firmware by downloading it from your OEM's website. 
If you use Linux, consider using the built-in [`fwupd`](https://fwupd.org) tool that will let you check for and apply any firmware updates available for your motherboard. + +### TPM/Secure Cryptoprocessor + +Most computers and phones come equipped with a TPM (or a similar secure cryptoprocessor) which safely stores your encryption keys and handles other security-related functions. If you're currently using a machine that doesn't have one of these, you might benefit from purchasing a newer computer that has this feature. Some desktop and server motherboards have a "TPM header" which can accept a small accessory board containing the TPM. + +
+

Note

+ +Virtual TPMs are susceptible to side-channel attacks and external TPMs, as a result of being separate from the CPU on the motherboard, are vulnerable to [sniffing](https://pulsesecurity.co.nz/articles/TPM-sniffing) when an attacker has access to the hardware. The solution to this problem is to include the secure processor inside the CPU itself, which is the case for Apple's chips and Microsoft's [Pluton](https://microsoft.com/en-us/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs). + +
+ +### Biometrics + +Many devices come equipped with a fingerprint reader or face recognition capabilities. These can be very convenient, but they aren't perfect and sometimes fail. Most devices will fall back to a PIN or password when this happens, meaning that the security of your devices is still only as good as your password. + +Biometrics can prevent someone from watching you type in your password, so if shoulder-surfing is part of your threat model then biometrics are a good option. + +Most implementations of face authentication require you to be looking at your phone and also only work from a relatively close distance, so you don't need to worry too much about someone pointing your phone at your face to unlock it without your consent. You can still disable biometrics when your phone is locked if you want. On iOS, you can hold the side button and a volume button for 3 seconds to disable Face ID on models that support it. On Android, hold the power button and press Lockdown on the menu. + +
+

Warning

+ +Some devices do not have the proper hardware for secure face authentication. There are two main types of face authentication: 2D and 3D. 3D face authentication makes use of a dot projector that lets the device create a 3D depth map of your face. Make sure that your device has this capability. + +
+ +Android defines three [security classes](https://source.android.com/docs/security/features/biometric/measure#biometric-classes) for biometrics; you should check that your device is Class 3 before enabling biometrics. + +### Device Encryption + +If your device is [encrypted](../encryption.md), your data is most secure when your device is completely powered off (as opposed to merely asleep), i.e. before you've entered your encryption key or lock screen password for the first time. On phones, this state of higher security is referred to as "Before First Unlock" (BFU), and "After First Unlock" (AFU) once you enter the correct password after a reboot/power-on. AFU is considerably less secure against digital forensics toolkits and other exploits, compared to BFU. Therefore, if you are concerned about an attacker with physical access to your device, you should turn it off fully whenever you aren't using it. + +This may be impractical, so consider whether it's worth it, but in either case even AFU mode is effective against most threats, given you are using a strong encryption key. + +## External Hardware + +Some threats can't be protected against by your internal components alone. Many of these options are highly situational; please evaluate if they are really necessary for your threat model. + +### Hardware Security Keys + +Hardware keys are devices that use strong cryptography to authenticate you to a device or account. The idea is that because they can not be copied, you can use them to secure accounts in such a way that they can only be accessed with physical possession of the key, eliminating many remote attacks. 
+ +[Recommended Hardware Keys :material-arrow-right-drop-circle:](../security-keys.md){ .md-button .md-button--primary } [Learn More about Hardware Keys :material-arrow-right-drop-circle:](multi-factor-authentication.md#hardware-security-keys){ .md-button } + +### Camera/Microphone + +If you don't want to trust your OS's permission controls to prevent the camera from activating in the first place, you can buy camera blockers that physically prevent light from reaching the camera. You could also buy a device that doesn't have a built-in camera and use an external camera that you can unplug whenever you're done using it. Some devices come with built-in camera blockers or hardware switches that physically disconnect the camera from power. + +
+

Warning

+ +You should only buy covers that fit your laptop and won't cause damage when you close the lid. Covering the camera will interfere with automatic brightness and face authentication features. + +
+ +For microphone access, in most cases you will need to trust your OS's built-in permission controls. Alternatively, buy a device that doesn't have a built-in microphone and use an external microphone that you can unplug when you're done using it. Some devices, like a [MacBook or an iPad](https://support.apple.com/guide/security/hardware-microphone-disconnect-secbbd20b00b/web), feature a hardware disconnect for the microphone when you close the lid. + +Many computers have a BIOS option to disable the camera and microphone. When disabled there, the hardware won't even appear as a device on a booted system. + +### Privacy Screens + +Privacy screens are a film you can put over your normal screen so that the screen is only visible from a certain angle. These are good if your threat model includes others peeking at your screen, but it is not foolproof as anyone could just move to a different viewing angle and see what's on your screen. + +### Dead Man's Switches + +A dead man's switch stops a piece of machinery from operating without the presence of a human operator. These were originally designed as a safety measure, but the same concept can be applied to an electronic device to lock it when you're not present. + +Some laptops are able to [detect](https://support.microsoft.com/en-us/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb) when you're present and can lock automatically when you aren't sitting in front of the screen. You should check the settings in your OS to see if your computer supports this feature. + +You can also get cables, like [BusKill](https://buskill.in), that will lock or wipe your computer when the cable is disconnected. + +### Anti-Interdiction/Evil Maid Attack + +The best way to prevent a targeted attack against you before a device is in your possession is to purchase a device in a physical store, rather than ordering it to your address. 
+ +Make sure your device supports secure boot/verified boot, and you have it enabled. Try to avoid leaving your device unattended whenever possible. + +### Kensington Locks + +Many laptops come equipped with a [Kensington slot](https://www.kensington.com/solutions/product-category/security/?srsltid=AfmBOorQOlRnqRJOAqM-Mvl7wumed0wBdiOgktlvdidpMHNIvGfwj9VI) that can be used to secure your device with a **metal cable** that locks into the slot on your machine. These locks can be combination locks or keyed. + +As with all locks, Kensington locks are vulnerable to [physical attacks](https://youtu.be/vgvCxL7dMJk) so you should mainly use them to deter petty theft. You can secure your laptop at home or even when you're out in public using a table leg or something that won't move easily. + +## Secure your Network + +### Compartmentalization + +Many solutions exist that allow you to separate what you're doing on a computer, such as virtual machines and sandboxing. However, the best compartmentalization is physical separation. This is useful especially for situations where certain software requires you to bypass security features in your OS, such as with anti-cheat software bundled with many games. + +For gaming, it may be useful to designate one machine as your "gaming" machine and only use it for that one task. Keep it on a separate VLAN. This may require the use of a managed switch and a router that supports segregated networks. + +Most consumer routers allow you to do this by enabling a separate "guest" network that can't talk to your main network. All untrusted devices can go here, including IoT devices like your smart fridge, thermostat, TV, etc. + +### Minimalism + +As the saying goes, "less is more". The fewer devices you have connected to your network, the less potential attack surface you'll have and the less work it will be to make sure they all stay up-to-date. 
+ +You may find it useful to go around your home and make a list of every connected device you have to help you keep track. + +### Routers + +Your router handles all your network traffic and acts as your first line of defense between you and the open internet. + +
+

Note

+ +A lot of routers come with storage to put your files on so you can access them from any computer on your network. We recommend you don't use networking devices for things other than networking. In the event your router was compromised, your files would also be compromised. + +
+ +The most important thing to think about with routers is keeping them up-to-date. Many modern routers will automatically install updates, but many others won't. You should check on your router's settings page for this option. That page can usually be accessed by typing `192.168.1.1` or `192.168.0.1` into the URL bar of any browser assuming you're on the same network. You can also check in the network settings of your OS for "router" or "gateway". + +If your router does not support automatic updates, you will need to go to the manufacturer's site to download the updates and apply them manually. + +Many consumer-grade routers aren't supported for very long. If your router isn't supported by the manufacturer anymore, you can check if it's supported by [FOSS firmware](../router.md). You can also buy routers that come with FOSS firmware installed by default; these tend to be supported longer than most routers. + +Some ISPs provide a combined router/modem. It can be beneficial for security to purchase a separate router and set your ISP router/modem into modem-only mode. This way, even when your ISP-provided router is no longer getting updates, you can still get security updates and patches. It also means any problems that affect your modem won't affect your router and vice versa. diff --git a/i18n/fi/basics/multi-factor-authentication.md b/i18n/fi/basics/multi-factor-authentication.md new file mode 100644 index 00000000..c6287ad7 --- /dev/null +++ b/i18n/fi/basics/multi-factor-authentication.md 
@@ -0,0 +1,162 @@ +--- +title: Multifactor Authentication +icon: material/two-factor-authentication +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multifactor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. 
This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://yubico.com/products/yubico-authenticator)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. 
A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. 
Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and the standards for FIDO2 and [WebAuthn](https://webauthn.guide): + +- [How FIDO2 and WebAuthn Stop Account Takeovers](https://youtu.be/aMo4ZlWznao) (YouTube) + +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically, for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. 
This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt-disk)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multifactor authentication can be used to secure your local logins, SSH keys or even password databases as well. 
+ +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smart card or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smart card or hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smart card/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +
+

Warning

+ +If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +
+ +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://qubes-os.org/doc/yubikey) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH) on how to set this up. + +#### TOTP + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using HOTP or Challenge-Response as a second-factor of authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. 
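Review bot: In the FIDO section of multi-factor-authentication.md, the sentence "Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy" credits attestation with the phishing protection, while the sentence right before it already names the mechanism: the origin name is included during authentication. In WebAuthn, attestation is a statement about the authenticator that the relying party can check at registration; it does not tell the user which site they are on. Suggest dropping "Attestation is provided to" and tying the phishing claim to the origin binding. In the same section, "when compared to any MFA methods" should read "any other MFA methods".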
diff --git a/i18n/fi/basics/passwords-overview.md b/i18n/fi/basics/passwords-overview.md new file mode 100644 index 00000000..bc3b21f7 --- /dev/null +++ b/i18n/fi/basics/passwords-overview.md 
@@ -0,0 +1,126 @@ +--- +title: Introduction to Passwords +icon: material/form-textbox-password +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices, and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this: You sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. 
+ +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multifactor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +
+

Checking for data breaches

+ +If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +
+ +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +
+

Note

+ +These instructions assume that you are using [EFF's large word list](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other word lists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +
+ +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large word list](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +
+

Important

+ +You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +
+ +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. We recommend setting the generated passphrase length to at least 6 words. + +We also recommend using [EFF's large word list](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [word lists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +
+Explanation of entropy and strength of diceware passphrases + +To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large word list](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + +One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as log 2 ( WordsInList ) and the overall entropy of the passphrase is calculated as: log 2 ( WordsInList WordsInPhrase ) + +Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ( log 2 ( 7776 ) ), and a seven word passphrase derived from it has ~90.47 bits of entropy ( log 2 ( 7776 7 ) ). + +The [EFF's large word list](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is WordsInList WordsInPhrase , or in our case, 77767. + +Let's put all of this in perspective: A seven word passphrase using [EFF's large word list](https://eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + +On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + +- Your adversary knows that you used the diceware method. +- Your adversary knows the specific word list that you used. +- Your adversary knows how many words your passphrase contains. + +
+ +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +
+

Don't place your passwords and TOTP tokens inside the same password manager

+ +When using [TOTP codes as multifactor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). + +Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + +Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +
+ +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/fi/basics/threat-modeling.md b/i18n/fi/basics/threat-modeling.md new file mode 100644 index 00000000..b87382d6 --- /dev/null +++ b/i18n/fi/basics/threat-modeling.md 
@@ -0,0 +1,111 @@ +--- +meta_title: "Threat Modeling: The First Step on Your Privacy Journey - Privacy Guides" +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. 
In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get hold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, this list might be something you want to destroy after you've finished developing your threat model. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. 
In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. 
+ +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. 
+ +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/fi/basics/vpn-overview.md b/i18n/fi/basics/vpn-overview.md new file mode 100644 index 00000000..4238758e --- /dev/null +++ b/i18n/fi/basics/vpn-overview.md 
@@ -0,0 +1,122 @@ +--- +meta_title: "How Do VPNs Protect Your Privacy? Our VPN Overview - Privacy Guides" +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. + +[:material-movie-open-play-outline: Video: Do you need a VPN?](https://www.privacyguides.org/videos/2024/12/12/do-you-need-a-vpn ""){.md-button} + +Normally, an ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +Using a VPN hides even this information from your ISP, by shifting the trust you place in your network to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing through it. + +
+

Note

+ +When we refer to "Virtual Private Networks" on this website, we are usually referring to **commercial** [VPN providers](../vpn.md), who you pay a monthly fee to in exchange for routing your internet traffic securely through their public servers. There are many other forms of VPN, such as ones you host yourself or ones operated by workplaces which allow you to securely connect to internal/employee network resources, however, these VPNs are usually designed for accessing remote networks securely, rather than protecting the privacy of your internet connection. + +
+ +## How does a VPN work? + +VPNs encrypt your traffic between your device and a server owned by your VPN provider. From the perspective of anyone between you and the VPN server, it looks like you're connecting to the VPN server. From the perspective of anyone between the VPN server and your destination site, all they can see is the VPN server connecting to the website. + +``` mermaid +flowchart LR + 763931["Your Device
(with VPN Client)
"] ===|"VPN Encryption"| 404512{"VPN Server"} + 404512 -.-|"No VPN Encryption"| 593753(("The Internet
(Your Destination)
")) + subgraph 763931["Your Device
(with VPN Client)
"] + end +``` + +Note that a VPN does not add any security or encryption to your traffic between the VPN server and your destination on the internet. To access a website securely you **must** still ensure HTTPS is in use regardless of whether you use a VPN. + +## Should I use a VPN? + +**Yes**, almost certainly. A VPN has many advantages, including: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking. +1. Allowing you to bypass geo-restrictions on certain content. + +VPNs can provide *some* of the same benefits Tor provides, such as hiding your IP from the websites you visit and geographically shifting your network traffic, and good VPN providers will not cooperate with e.g. legal authorities from oppressive regimes, especially if you choose a VPN provider outside your own jurisdiction. + +VPNs cannot encrypt data outside the connection between your device and the VPN server. VPN providers can also see and modify your traffic the same way your ISP could, so there is still a level of trust you are placing in them. And there is no way to verify a VPN provider's "no logging" policies in any way. + +## When isn't a VPN suitable? + +Using a VPN in cases where you're using your [real-life or well-known identity](common-misconceptions.md#complicated-is-better) online is unlikely to be useful. Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +It's important to remember that a VPN will not provide you with absolute anonymity because the VPN provider itself will still have access to your real IP address, destination website information, and often a money trail that can be linked directly back to you. 
"No logging" policies are merely a promise; if you need complete safety from the network itself, consider using [Tor](../advanced/tor-overview.md) in addition to or instead of a VPN. + +You also should not trust a VPN to secure your connection to an unencrypted, HTTP destination. In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider and other potential adversaries in between the VPN server and your destination. You should enable HTTPS-only mode in your browser (if it's supported) to mitigate attacks which try to downgrade your connection from HTTPS to HTTP. + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers themselves, **probably not**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. All this being said, there may be some advantages to enabling encrypted DNS in order to enable other security features in your browser, such as ECH. Browser technologies which are reliant on in-browser encrypted DNS are relatively new and not yet widespread, so whether they are relevant to you in particular is an exercise we will leave to you to research independently. + +Another common reason encrypted DNS is recommended is that it prevents DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +## Should I use Tor *and* a VPN? + +Maybe, Tor is not necessarily suitable for everybody in the first place. 
Consider your [threat model](threat-modeling.md), because if your adversary is not capable of extracting information from your VPN provider, using a VPN alone may provide enough protection. + +If you do use Tor then you are *probably* best off connecting to the Tor network via a commercial VPN provider. However, this is a complex subject which we've written more about on our [Tor overview](../advanced/tor-overview.md) page. + +## Should I access Tor through VPN providers that provide "Tor nodes"? + +You should not use that feature: The primary advantage of using Tor is that you do not trust your VPN provider, which is negated when you use Tor nodes hosted by your VPN instead of connecting directly to Tor from your computer. + +Currently, Tor only supports the TCP protocol. UDP (used by [WebRTC](https://en.wikipedia.org/wiki/WebRTC), [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), and other protocols), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol), and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a *convenient* way to access hidden services on Tor, not to stay anonymous. For proper anonymity, use the actual [Tor Browser](../tor.md). + +## Commercial VPN Ownership + +Most VPN services are owned by the same [few companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies). These shady companies run lots of smaller VPN services to create the illusion that you have more choice than you actually do and to maximize profit. 
Typically, these providers that feed into their shell company have terrible privacy policies and shouldn't be trusted with your internet traffic. You should be very strict about which provider you decide to use. + +You should also be wary that many VPN review sites are merely advertising vehicles open to the highest bidder. ==Privacy Guides does not make money from recommending external products, and never uses affiliate programs.== + +[Our VPN Recommendations](../vpn.md ""){.md-button} + +## Modern VPN Alternatives + +Recently, some attempts have been made by various organizations to address some issues which centralized VPNs have. These technologies are relatively new, but worth keeping an eye on as the field develops. + +### Multi-Party Relays + +Multi-Party Relays (MPRs) use multiple nodes owned by different parties, such that no individual party knows both who you are and what you're connecting to. This is the basic idea behind Tor, but now there are some paid services that try to emulate this model. + +MPRs seek to solve a problem inherent to VPNs: the fact that you must trust them completely. They accomplish this goal by segmenting the responsibilities between two or more different companies. + +One example of a commercially available MPR is Apple's iCloud+ Private Relay, which routes your traffic through two servers: + +1. Firstly, a server operated by Apple. + + This server is able to see your device's IP when you connect to it, and has knowledge of your payment information and Apple ID tied to your iCloud subscription. However, it is unable to see what website you are connecting to. + +2. Secondly, a server operated by a partner CDN, such as Cloudflare or Fastly. + + This server actually makes the connection to your destination website, but has no knowledge of your device. The only IP address it knows about is Apple's server's. + +Other MPRs run by different companies operate in a very similar manner. 
This protection by segmentation only exists if you trust the two companies to not collude with each other to deanonymize you. + +### Decentralized VPNs + +Another attempt at solving the issues with centralized VPN services are dVPNs. These are based on blockchain technology and claim to eliminate trust in a single party by distributing the nodes across lots of different people. However, many times a dVPN will default to a single node, meaning you need to trust that node completely, just like a traditional VPN. Unlike a traditional VPN, this one node that can see all your traffic is a random person instead of your VPN provider that can be audited and has legal responsibilities to uphold their privacy policy. Multi-hop is needed to solve this, but that comes with a stability and performance cost. + +Another consideration is legal liability. The exit node will need to deal with legal problems from misuse of the network, an issue that the Tor network has contended with for its entire existence. This discourages regular people from running nodes and makes it more attractive for a malicious actor with lots of resources to host one. This is a big problem if the service is single-node, as the potentially malicious exit node can see who you are and what you're connecting to. + +Many dVPNs are used to push a cryptocurrency rather than to make the best service. They also tend to be smaller networks with fewer nodes, making them more vulnerable to [Sybil attacks](https://en.wikipedia.org/wiki/Sybil_attack). 
+ +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites) +- [Free VPN App Investigation](https://top10vpn.com/research/free-vpn-investigations/ownership) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions) +- [VPN - a Very Precarious Narrative](https://overengineer.dev/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert diff --git a/i18n/fi/basics/why-privacy-matters.md b/i18n/fi/basics/why-privacy-matters.md new file mode 100644 index 00000000..3c5292b5 --- /dev/null +++ b/i18n/fi/basics/why-privacy-matters.md 
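Review bot: In i18n/fi/basics/vpn-overview.md, item 1 of the "Should I use a VPN?" list ("Hiding your traffic from **only** your Internet Service Provider") states a limitation inside a list introduced as advantages, so the bolded "only" can be read either as a benefit or as a caveat. Suggest making the item a plain advantage ("Hiding your traffic from your Internet Service Provider") and leaving the scope limit to the paragraph that follows the list, which already says the VPN provider can see and modify traffic the same way the ISP could. In that paragraph, "there is no way to verify a VPN provider's "no logging" policies in any way" repeats itself; drop "in any way". Separately, the file is added under i18n/fi but every visible line is English; if this is an untranslated placeholder, that is worth stating where the change is described.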
@@ -0,0 +1,67 @@ +--- +title: "Why Privacy Matters" +icon: 'material/shield-account' +description: In the modern age of digital data exploitation, your privacy has never been more critical, and yet many believe it is already a lost cause. It is not. +--- + +In the modern age of digital data exploitation, your privacy has never been more critical, and yet many believe it is already a lost cause. It is not. ==Your privacy is up for grabs==, and you need to care about it. Privacy is about power, and it is so important that this power ends up in the right hands. + +Privacy is ultimately about human information, and this is important because we know that human information confers power over human beings. If we care about our ability to be authentic, fulfilled, and free humans, we have to care about the rules that apply to information about us. So much of our modern society is structured around **information**. When you shop online, read the news, look something up, vote, seek directions, or really anything else, you are relying on information. If we live in an information society, our information matters, and therefore privacy matters. + +## What is Privacy? + +Many people get the concepts of **privacy**, **security**, and **anonymity** confused. You'll see people criticize various products as "not private" when really they mean it doesn't provide anonymity, for example. On this website, we cover all three of these topics, but it is important you understand the difference between them, and when each one comes into play. 
+ +[:material-movie-open-play-outline: Video: Stop Confusing Privacy, Anonymity, and Security](https://www.privacyguides.org/videos/2025/03/14/stop-confusing-privacy-anonymity-and-security ""){.md-button} + + +**Privacy** +: + +==Privacy is the assurance that your data is only seen by the parties you intend to view it.== In the context of an instant messenger, for example, end-to-end encryption provides privacy by keeping your message visible only to yourself and the recipient. + + +**Security** +: + +Security is the ability to trust the applications you use—that the parties involved are who they say they are—and keep those applications safe. In the context of browsing the web, for example, security can be provided by HTTPS certificates. +: + +Certificates prove you are talking directly to the website you're visiting, and keep attackers on your network from reading or modifying the data sent to or from the website. + + +**Anonymity** +: + +Anonymity is the ability to act without a persistent identifier. You might achieve this online with [Tor](../tor.md), which allows you to browse the internet with a random IP address and network connection instead of your own. +: + +**Pseudonymity** is a similar concept, but it allows you to have a persistent identifier without it being tied to your real identity. If everybody knows you as `@GamerGuy12` online, but nobody knows your real name, that is your pseudonym. + +All of these concepts overlap, but it is possible to have any combination of these. The sweet spot for most people is when all three of these concepts overlap. However, it's trickier to achieve than many initially believe. Sometimes, you have to compromise on some of these, and that's okay too. This is where **threat modeling** comes into play, allowing you to make informed decisions about the [software and services](../tools.md) you use. + +[:material-book-outline: Learn More About Threat Modeling](threat-modeling.md ""){.md-button} + +## Privacy vs. 
Secrecy + +A common counter-argument to pro-privacy movements is the notion that one doesn't need privacy if they have **"nothing to hide."** This is a dangerous misconception, because it creates a sense that people who demand privacy must be deviant, criminal, or wrong. + +==You shouldn't confuse privacy with secrecy.== We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. There are always certain facts about us—say, personal health information, or sexual behavior—that we wouldn't want the whole world to know, and that's okay. The need for privacy is legitimate, and that's what makes us human. Privacy is about empowering your rights over your own information, not about hiding secrets. + +## Is Privacy About Control? + +A common definition of privacy is that it is the ability to *control* who has access to your data. This is an easy trap to fall into, in fact it is the definition of privacy we operated this website on for a long time. It sounds nice, and it appeals to many people, but in practice it just doesn't work. + +Take cookie consent forms, for example. You may encounter these dozens of times per day on the various websites you visit, with a nice array of checkboxes and sliders which allow you to "curate" your preferences to exactly fit your needs. In the end, we just hit the "I Agree" button, because we just want to read the article or make a purchase. Nobody wants to complete a personal privacy audit on every single website they visit. This is an exercise in [choice architecture](https://en.wikipedia.org/wiki/Choice_architecture), designed to make you take the easy route out instead of delving into a maze of configuration options that don't need to exist in the first place. + +==Control over your privacy inside most apps is an illusion.== It's a shiny dashboard with all sorts of choices you can make about your data, but rarely the choices you're looking for, like "only use my data to help me." 
This type of control is meant to make you feel guilty about your choices, that you "had the choice" to make the apps you use more private, and you chose not to. + +Privacy is something we need to have baked into the [software and services](../tools.md) we use by default, you can't bend most apps into being private on your own. + +[:material-movie-open-play-outline: Video: 5 Steps to Improve Your Privacy](https://www.privacyguides.org/videos/2025/02/14/5-easy-steps-to-protect-yourself-online){ class="md-button" } + +## Sources + +- [Why Privacy Matters](https://amazon.com/dp/0190939044) (2021) by Neil Richards +- [The New Oil: Why Privacy & Security Matter](https://thenewoil.org/en/guides/prologue/why) +- [@Thorin-Oakenpants on Anonymity vs Privacy vs Security](https://code.privacyguides.dev/privacyguides/privacytools.io/issues/1760#issuecomment-10452) diff --git a/i18n/fi/browser-extensions.md b/i18n/fi/browser-extensions.md new file mode 100644 index 00000000..88d1edd7 --- /dev/null +++ b/i18n/fi/browser-extensions.md 
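Review bot: In i18n/fi/basics/why-privacy-matters.md, the "What is Privacy?" definitions put each ":" marker alone on its own line, with the definition text in a separate unindented paragraph after a blank line ("**Privacy**", then ":", then "==Privacy is the assurance..."). A Markdown definition list expects the text on the same line as the colon or indented beneath it, so these entries will probably render as stray colons followed by ordinary paragraphs rather than as definitions. Suggest restoring the term-then-": definition" form for Privacy, Security and Anonymity, including the second ":" entries under Security and Anonymity. In "Is Privacy About Control?", "This is an easy trap to fall into, in fact it is the definition..." is a comma splice; split it into two sentences.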
@@ -0,0 +1,124 @@ +--- +title: Browser Extensions +icon: material/puzzle-outline +description: These browser extensions can enhance your browsing experience and protect your privacy. +cover: browser-extensions.webp +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface. They have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +However, some provide functionality which can outweigh these downsides in certain situations, particularly when it comes to [content blocking](basics/common-threats.md#mass-surveillance-programs). + +Don't install extensions which you don't immediately have a need for, or ones that duplicate the functionality of your browser. For example, [Brave](desktop-browsers.md#brave) users don't need to install uBlock Origin, because Brave Shields already provides the same functionality. + +## Content Blockers + +### uBlock Origin + +
+ +![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + +**uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + +[:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } +[:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +
+ +
+ +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +### uBlock Origin Lite + +uBlock Origin also has a "Lite" version of their extension, which offers a limited feature-set compared to the original extension. However, it has a few distinct advantages over its full-fledged sibling, so you may want to consider it if... + +- ...you don't want to grant full "read/modify website data" permissions to any extensions (even a trusted one like uBlock Origin) +- ...you want a more resource (memory/CPU) efficient content blocker[^1] +- ...your browser only supports Manifest V3 extensions. This is the case for Chrome [^2] , Edge and most Chromium browsers. + +
+ +![uBlock Origin Lite logo](assets/img/browsers/ublock_origin_lite.svg){ align=right } + +**uBlock Origin Lite** is a Manifest V3 compatible content blocker. Compared to the original _uBlock Origin_, this extension does not require broad "read/modify data" permissions to function, which lowers the risk of [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy){ .pg-orange } on your browser if a malicious rule is added to a filter list. + +[:octicons-repo-16: Repository](https://github.com/uBlockOrigin/uBOL-home#readme){ .md-button .md-button--primary } +[:octicons-eye-16:](https://github.com/uBlockOrigin/uBOL-home/wiki/Privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://github.com/uBlockOrigin/uBOL-home/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/gorhill/uBlock/tree/master/platform/mv3){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/cimighlppcgcoapaliogpjjdehbnofhn) +- [:simple-safari: Safari](https://apps.apple.com/app/id6745342698) + +
+ +
+ +We only recommend this version of uBlock Origin if you never want to add any filter lists not included by default, or need advanced options such as [dynamic filtering](https://github.com/gorhill/ublock/wiki/dynamic-filtering:-quick-guide) and the network logger. These restrictions are due to limitations in Manifest V3's design, notably the hard limit on the number of filtering rules, and the fact that extensions generally cannot fetch remote resources.[^3] + +This version offers three levels of blocking: "Basic" works without requiring any special privileges to view and modify site content, while the "Optimal" and "Complete" levels do require that broad permission, but offer a better filtering experience with additional cosmetic rules and scriptlet injections. + +If you set the default filtering mode to "Optimal" or "Complete" the extension will request read/modify access to **all** websites you visit. However, you also have the option to change the setting to "Optimal" or "Complete" on a **per-site** basis by adjusting the slider in the extension's pop-up panel on any given site. When you do so, the extension will request read/modify access to that site only. Therefore, if you want to take advantage of uBlock Origin Lite's "permission-less" configuration, you should probably leave the default setting as "Basic" and only adjust it higher on sites where that level is not adequate. + +uBlock Origin Lite only receives block list updates whenever the extension is updated from your browser's extension marketplace, as opposed to on demand. Google has an [expedited review process](https://developer.chrome.com/docs/webstore/skip-review) for filter updates, which means you still typically receive filter list updates as frequently as uBlock Origin Lite chooses to publish a release (historically every 2-7 days). 
However, only so-called "[safe rules](https://developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest#safe_rules)" can be updated, which may limit the update frequency of lists using advanced techniques. + +### AdGuard + +We recommend [Safari](mobile-browsers.md#safari-ios) for iOS users, which unfortunately is only supported by uBlock Origin **Lite**. Luckily, AdGuard provides an adequate alternative: + +
+ +![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + +**AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + +[:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } +[:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-appstore: App Store](https://apps.apple.com/app/id1047223162) + +
+ +
+ +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + +## Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: uBlock Origin Lite _itself_ will consume no resources, because it uses newer APIs which make the browser process the filter lists natively, instead of running JavaScript code within the extension to handle the filtering. However, this resource advantage is only [theoretical](https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-asked-questions-\(FAQ\)#is-ubol-more-efficient-cpu--and-memory-wise-than-ubo), because it's possible that standard uBlock Origin's filtering code is more efficient than your browser's native filtering code. This has not yet been benchmarked. + +[^2]: A [workaround](https://github.com/uBlockOrigin/uBlock-issues/discussions/3690#discussioncomment-14548779) stil exists as of early December 2025. + +[^3]: This is starting to change, as MV3 extensions can now request to use scripts. This has enabled [AdGuard](https://adguard.com/en/blog/adguard-browser-extension-v5-2.html) to propose to import custom filters list by the url, as opposed to having to manually paste the rules, as is the case with uBOL. diff --git a/i18n/fi/calendar.md b/i18n/fi/calendar.md new file mode 100644 index 00000000..6eca1f5a --- /dev/null +++ b/i18n/fi/calendar.md 
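Review bot: In i18n/fi/browser-extensions.md, the uBlock Origin Lite paragraph beginning "We only recommend this version of uBlock Origin if you never want to add any filter lists not included by default, or need advanced options such as ..." can be parsed as recommending Lite to people who need dynamic filtering and the network logger, while the next sentence describes these as restrictions of Manifest V3. Suggest "if you never want to add filter lists beyond the defaults and do not need advanced options such as dynamic filtering and the network logger". Footnote [^2] has a typo ("stil exists") and is pinned to "as of early December 2025", so it needs a revisit date or owner. Footnote [^3] "import custom filters list by the url" should read "import custom filter lists by URL".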
@@ -0,0 +1,88 @@ +--- +title: Calendar Sync +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +cover: calendar.webp +--- + +Protects against the following threat(s): + +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy ""){.pg-orange} +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} + +**Calendars** contain some of your most sensitive data; use products that implement end-to-end encryption at rest to prevent a provider from reading them. + +## Tuta + +
+ +![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } +![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } + +**Tuta** offers a free and encrypted calendar across their supported platforms. Features include automatic E2EE of all data, sharing features, import/export functionality, multifactor authentication, and [more](https://tuta.com/calendar-app-comparison). + +Multiple calendars and extended sharing functionality are limited to paid subscribers. + +[:octicons-home-16: Homepage](https://tuta.com/calendar){ .md-button .md-button--primary } +[:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://tuta.com/support){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } +[:octicons-heart-16:](https://tuta.com/community#donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.calendar) +- [:simple-appstore: App Store](https://apps.apple.com/app/id6657977811) +- [:simple-github: GitHub](https://github.com/tutao/tutanota/releases?q=Calendar) +- [:fontawesome-brands-windows: Windows](https://tuta.com/blog/desktop-clients) +- [:simple-apple: macOS](https://tuta.com/blog/desktop-clients) +- [:simple-linux: Linux](https://tuta.com/blog/desktop-clients) +- [:simple-flathub: Flathub](https://flathub.org/apps/com.tutanota.Tutanota) +- [:octicons-browser-16: Web](https://app.tuta.com) + +
+ +
+ +## Proton Calendar + +
+ +![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + +**Proton Calendar** is an encrypted calendar service available to Proton members via its web or mobile clients. Features include automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). + +Those on the free tier have access to 3 calendars, whereas paid subscribers can create up to 25 calendars. Extended sharing functionality is also limited to paid subscribers. + +[:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } +[:octicons-eye-16:](https://proton.me/calendar/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://proton.me/support/calendar){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/orgs/ProtonMail/repositories?q=calendar){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1514709943) +- [:octicons-browser-16: Web](https://calendar.proton.me) + +
+ +
+ +In 2021, Securitum [audited](https://proton.me/community/open-source#:~:text=Proton%20Calendar) Proton Calendar's web client and provided a [letter of attestation](https://res.cloudinary.com/dbulfrlrz/images/v1714639870/wp-pme/letter-of-attestation-proton-calendar-20211109_3138998f9b/letter-of-attestation-proton-calendar-20211109_3138998f9b.pdf) for the Android app. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/fi/cloud.md b/i18n/fi/cloud.md new file mode 100644 index 00000000..9ee18137 --- /dev/null +++ b/i18n/fi/cloud.md 
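Review bot: In i18n/fi/calendar.md, the front-matter description asks for "products that implement encryption at rest", the intro paragraph says "end-to-end encryption at rest", and Minimum Qualifications requires "E2EE"; these do not describe the same property, and encryption at rest with provider-held keys does not stop the provider from reading calendar data, which is the threat the intro names. Suggest using "end-to-end encryption" in both the description and the intro so they match the criterion. The Proton Calendar audit sentence also mixes two scopes (an audit of the web client, a letter of attestation for the Android app); a short clause saying whether the Android app was itself audited would remove the ambiguity.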
@@ -0,0 +1,152 @@ +--- +meta_title: "The Best Private and Secure Cloud Storage Providers - Privacy Guides" +title: Cloud Storage +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +cover: cloud.webp +--- + +Protects against the following threat(s): + +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy ""){.pg-orange} +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} + +Many **cloud storage providers** require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure end-to-end encryption. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +
+Looking for Nextcloud? + +For more technical readers, Nextcloud is [still a recommended tool](self-hosting/file-management.md#nextcloud) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +
+ +## Proton Drive + +
+ +![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + +**Proton Drive** is an encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + +The initial free storage is limited to 2 GB, but with the completion of [certain steps](https://proton.me/support/more-free-storage-existing-users), additional storage can be obtained up to 5 GB. + +[:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } +[:octicons-eye-16:](https://proton.me/drive/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://proton.me/support/drive){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) +- [:fontawesome-brands-windows: Windows](https://proton.me/drive/download) +- [:simple-apple: macOS](https://proton.me/drive/download) + +
+ +
+ +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/community/open-source), but the brand new mobile clients have not yet been publicly audited by a third party. + +## Tresorit + +
+ +![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + +**Tresorit** is a Swiss-Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + +[:octicons-home-16: Homepage](https://tresorit.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.tresorit.com){ .card-link title="Documentation" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) +- [:simple-appstore: App Store](https://apps.apple.com/app/id722163232) +- [:fontawesome-brands-windows: Windows](https://tresorit.com/download) +- [:simple-apple: macOS](https://tresorit.com/download) +- [:simple-linux: Linux](https://tresorit.com/download) + +
+ +
+ +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification): ISO/IEC 27001:2013[^1] Compliance [Certification](https://certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients. They concluded: + + > Test results found no deviation from Tresorit’s data confidentiality claims. + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://efd.admin.ch/en/swiss-digital-initiative-en) which requires passing [35 criteria](https://swiss-digital-initiative.org/criteria) related to security, privacy, and reliability. + +## Peergos + +
+ +![Peergos logo](assets/img/cloud/peergos.svg){ align=right } + +**Peergos** is a decentralized protocol and open-source platform for storage, social media, and applications. It provides a secure and private space where users can store, share, view, and edit their photos, videos, documents, etc. + +Peergos secures your files with quantum-resistant E2EE and ensures all data about your files remains private. It is also [self-hostable](https://book.peergos.org/features/self). + +[:octicons-home-16: Homepage](https://peergos.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://peergos.net/privacy.html){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://book.peergos.org){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/Peergos/Peergos){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/peergos/peergos#support){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=peergos.android) +- [:simple-github: GitHub](https://github.com/Peergos/web-ui/releases) +- [:fontawesome-brands-windows: Windows](https://peergos.org/download#windows) +- [:simple-apple: macOS](https://peergos.org/download#macos) +- [:simple-linux: Linux](https://peergos.org/download#linux) +- [:octicons-browser-16: Web](https://peergos.net) + +
+ +
+ +Peergos is built on top of the [InterPlanetary File System (IPFS)](https://ipfs.tech), a peer-to-peer architecture that protects against [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship ""){.pg-blue-gray}. + +The client, server, and command line interface for Peergos all run from the same binary. Additionally, Peergos includes a [sync engine](https://book.peergos.org/features/sync) (accessible via the native apps) for bi-directionally synchronizing a local folder with a Peergos folder, and a [webdav bridge](https://book.peergos.org/features/webdav) to allow other applications to access your Peergos storage. You can refer to Peergos's documentation for a full overview of their numerous features. + +Peergos was [audited](https://peergos.org/posts/security-audit-2024) in November 2024 by Radically Open Security and all issues were fixed. They were previously [audited](https://cure53.de/pentest-report_peergos.pdf) by Cure53 in June 2019, and all found issues were subsequently fixed. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must enforce E2EE. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multifactor authentication, or passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open source. +- Clients should be audited in their entirety by an independent third party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/fi/cryptocurrency.md b/i18n/fi/cryptocurrency.md new file mode 100644 index 00000000..d1e385f6 --- /dev/null +++ b/i18n/fi/cryptocurrency.md 
@@ -0,0 +1,94 @@ +--- +meta_title: "Private Cryptocurrency Blockchains - Privacy Guides" +description: Unlike most cryptocurrencies, these ones provide transaction privacy by default. Monero is our top choice for obfuscating transaction information. +title: Cryptocurrency +icon: material/bank-circle +cover: cryptocurrency.webp +--- + +Protects against the following threat(s): + +- [:material-eye-outline: Mass Surveillance](basics/common-threats.md#mass-surveillance-programs ""){.pg-blue} +- [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship ""){.pg-blue-gray} + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +
+

Danger

+ +Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +
+ +## Monero + +
+ +![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + +**Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve [:material-incognito: Anonymity](basics/common-threats.md#anonymity-vs-privacy){ .pg-purple }. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + +[:octicons-home-16: Homepage](https://getmonero.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://getmonero.org/resources/user-guides){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } +[:octicons-heart-16:](https://getmonero.org/get-started/contributing){ .card-link title=Contribute } + + + +
+ +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +
+Monero's resilience to mass surveillance + +In August 2021, CipherTrace [announced](https://web.archive.org/web/20240223224846/https://ciphertrace.com/enhanced-monero-tracing) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://wired.com/story/monero-privacy) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +
+ +### Monero wallets + +For optimal privacy, make sure to use a self-custody wallet where the [view key](https://getmonero.org/resources/moneropedia/viewkey.html) stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your view key, the provider can see almost everything you do (but not spend your funds). Some self-custody wallets where the view key does not leave your device include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com) (iOS, Android, Desktop) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet for iOS and Android is available at [Monero.com](https://monero.com). +- [Feather Wallet](https://featherwallet.org) (Desktop) +- [Monerujo](https://monerujo.io) (Android) + +### Monero nodes + +For maximum privacy (even with a self-custody wallet), you should run your own Monero node called the [Monero daemon](https://docs.getmonero.org/interacting/monerod-reference), which is included in the [CLI wallet](https://getmonero.org/downloads/#cli). Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over [Tor](alternative-networks.md#tor), [I2P](alternative-networks.md#i2p-the-invisible-internet-project), or a [VPN](vpn.md). + +### Buying Monero + +[General tips for acquiring Monero](advanced/payments.md#acquisition ""){.md-button} + +There are numerous centralized exchanges (CEX) as well as P2P marketplaces where you can buy and sell Monero. 
Some of them require identifying yourself (KYC) to comply with anti-money laundering regulations. However, due to Monero's privacy features, the only thing known to the seller is *that* you bought Monero, but not how much you own or where you spend it (after it leaves the exchange). Some reputable places to buy Monero include: + +- [Kraken](https://kraken.com): A well-known CEX. Registration and KYC are mandatory. Card payments and bank transfers accepted. Make sure not to leave your newly purchased Monero on Kraken's platform after the purchase; withdraw them to a self-custody wallet. Monero is not available in all jurisdictions that Kraken operates in.[^1] +- [Cake Wallet](https://cakewallet.com): A self-custody cross-platform wallet for Monero and other cryptocurrencies. You can buy Monero directly in the app using card payments or bank transfers (through third-party providers such as [Guardarian](https://guardarian.com) or [DFX](https://dfx.swiss)).[^2] KYC is usually not required, but it depends on your country and the amount you are purchasing. In countries where directly purchasing Monero is not possible, you can also use a provider within Cake Wallet to first buy another cryptocurrency such as Bitcoin, Bitcoin Cash, or Litecoin and then exchange it to Monero in-app. + - [Monero.com](https://monero.com) is an associated website where you can buy Monero and other cryptocurrencies without having to download an app. The funds will simply be sent to the wallet address of your choice. +- [RetoSwap](https://retoswap.com) (formerly known as Haveno-Reto) is a self-custody, decentralized P2P exchange platform based on the [Haveno](https://haveno.exchange) project which is available for Linux, Windows, and macOS. Monero can be bought and sold with maximum privacy, since most trading counterparties do not require KYC, trades are made directly between users (P2P), and all connections run through the Tor network. 
It is possible to buy Monero via bank transfer, PayPal, or even by paying in cash (meeting in person or sending by mail). Arbitrators can step in to resolve disputes between buyer and seller, but be careful when sharing your bank account or other sensitive information with your trading counterparty. Trading with some accounts may be against those accounts' terms of service. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Cryptocurrency must provide private/untraceable transactions by default. + +
+

Important notices

+ +The content here is not legal or financial advice. We do not endorse or encourage illicit activities, and we do not endorse or encourage anything which violates a company's terms of service. Check with a professional to confirm that these recommendations are legal and available in your jurisdiction. [See all notices](about/notices.md). + +
+ +[^1]: You may refer to the following pages for up-to-date information on countries in which Kraken does **not** allow the purchase of Monero: [Where is Kraken licensed or regulated?](https://support.kraken.com/hc/en-us/articles/where-is-kraken-licensed-or-regulated) and [Support for Monero (XMR) in Europe](https://support.kraken.com/hc/en-us/articles/support-for-monero-xmr-in-europe). +[^2]: You may refer to the following pages for up-to-date information on countries in which Cake Wallet and Monero.com **only** allow the direct purchase of Monero (through third-party providers): [Which countries are served by DFX?](https://docs.dfx.swiss/en/faq.html#which-countries-are-served-by-dfx) and [What are the supported countries/regions? (Guardarian)](https://guardarian.freshdesk.com/support/solutions/articles/80001151826-what-are-the-supported-countries-regions). diff --git a/i18n/fi/data-broker-removals.md b/i18n/fi/data-broker-removals.md new file mode 100644 index 00000000..d17316be --- /dev/null +++ b/i18n/fi/data-broker-removals.md 
@@ -0,0 +1,131 @@ +--- +title: Data Removal Services +icon: material/database-off +description: Our recommended methods for removing your personal information from data brokers and people search sites. +cover: data-broker-removals.webp +--- + +Protects against the following threat(s): + +- [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } + +"People search sites" operated by data brokers represent an immense privacy risk to the majority of Americans. For many, sensitive personal information such as your address, phone number, email, and age is a simple internet search away. While there is unfortunately no federal regulation in place to protect your data, many of these companies will remove your information from their _public_ databases upon request. + +:flag_us: **Note:** Many of these tools are only available in the United States, and data brokers collecting, sharing, and selling information from public records and other resources is largely a US-centric issue. In many other regions, your data is already protected via regulations like the GDPR. We will always advocate for similarly strong privacy protections in the United States, but those affected today may still benefit from these "stop-gap" solutions. + +Counterintuitively, removing your personal data on these sites from the internet generally requires _providing_ these companies with your personal data for them to comply with the request. Unfortunately, in most cases it is still worth doing so to minimize the amount of personal data about you which is publicly accessible. + +
+

Try it out

+ +Use your favorite [search engine](search-engines.md) to see if your data is trivially exposed by searching for your name in quotes, plus your general location. For example, search for `"Jane Smith" Chicago IL`. In many cases, you may find your personal information makes up many of the first results. Even if results about you aren't readily available though, you may still be affected. The list of data brokers linked below will provide more places to check whether your data is in any public databases. + +
+ +## Manual Opt-Outs Free + +The quickest, most effective, and most private way to remove yourself from people search sites is to submit opt-out requests manually to each site. This can _seem_ like a daunting task, because there are hundreds of people search sites, but the reality is that the vast majority of these sites are operated by a small handful of companies. + +You should search for your information on these sites first, and submit an opt-out request if your information is found. Removing your data from these providers typically removes your data from many smaller sites at the same time. + +- Advanced Background Checks ([Search](https://advancedbackgroundchecks.com), [Opt-Out](https://advancedbackgroundchecks.com/removal)) +- BeenVerified ([Search](https://beenverified.com/app/optout/search), [Opt-Out](https://beenverified.com/app/optout/address-search)) +- CheckPeople ([Search](https://checkpeople.com/do-not-sell-info), select _Remove Record_ to opt-out) +- ClustrMaps ([Search](https://clustrmaps.com), [Opt-Out](https://clustrmaps.com/bl/opt-out)) +- InfoTracer ([Search](https://infotracer.com), [Opt-Out](https://infotracer.com/optout)) +- Intelius ([Search](https://intelius.com), [Opt-Out](https://suppression.peopleconnect.us/login)) +- PeekYou ([Search](https://peekyou.com), [Opt-Out](https://peekyou.com/about/contact/ccpa_optout/do_not_sell)) +- PublicDataUSA ([Search](https://publicdatausa.com), [Opt-Out](https://publicdatausa.com/remove.php)) +- Radaris ([Search](https://radaris.com), [Opt-Out](https://radaris.com/page/how-to-remove)) +- Spokeo ([Search](https://spokeo.com/search), [Opt-Out](https://spokeo.com/optout)) +- That's Them ([Search](https://thatsthem.com), [Opt-Out](https://thatsthem.com/optout)) +- USPhonebook ([Search and Opt-Out](https://usphonebook.com/opt-out)) +- Whitepages ([Search](https://whitepages.com), [Opt-Out](https://whitepages.com/suppression_requests)) + +
+

A tip on opt-out strategy

+ +Be sure to avoid burning out or becoming overwhelmed with this process. Unless you're in immediate danger, you can take breaks and avoid doing them all at once.[^1] + +One strategy could be to look at a single website from the list above every week, starting from the top. Next week you move on to the following website on the list, and so on. When you reach the end of the list, you can start again from the beginning. + +This sets you up on a nice schedule to re-review each website approximately every 3-4 months, and breaks down the process into simple 5 minute tasks you can easily add to your weekly routine. + +
+ +Once you have opted-out of all of these sites for the first time, it's best to wait a week or two for the requests to propagate to all their sites. Then, you can start to search and opt-out of any remaining sites you find. It can be a good idea to use a web crawler like [Google's _Results about you_](#google-results-about-you-free) tool to help find any data that remains on the internet. + +Otherwise, privacy journalist Yael Grauer has compiled an excellent list of data broker sites with direct links to their search tools and opt-out pages. You can take some time to go through each site to determine whether they have your information, and remove it: + +[:simple-github: Big Ass Data Broker Opt-Out List](https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List){ .md-button } + +If you don't use an automatic scanner to find results about you, consider setting a reminder to re-do this process every 3, 6, or 12 months depending on your risk level and the amount of personal data you have out there. Unfortunately, it is common for your data to re-appear over time or show up on brand-new people search sites even after you opt out. + +## EasyOptOuts Paid + +
+ +![EasyOptOuts logo](assets/img/data-broker-removals/easyoptouts.svg){ align=right } + +**EasyOptOuts** is a $20/year service which will search a number of different data broker sites and automatically submit opt-out requests on your behalf. They will perform the first search and removal process immediately, and then re-run the process every 4 months in case your data shows up on new sites over time. + +[:octicons-home-16: Homepage](https://easyoptouts.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://easyoptouts.com/privacy){ .card-link title="Privacy Policy" } + +
+ +Some websites supported by EasyOptOuts are publicly searchable. In those cases EasyOptOuts will perform a search and only submit an opt-out request if your personal data is already found, to prevent sending your data in an opt-out request to sites that didn't have it already. However, they do support some sites which are not publicly searchable, and in those cases your data will be sent to them in an opt-out request regardless, in case you are in their private databases. + +Our [testing](https://www.privacyguides.org/articles/2025/02/03/easyoptouts-review) indicates that EasyOptOuts provides the best value out of any data removal service we've tested, with a very affordable price and high effectiveness. Independent [findings from Consumer Reports](https://discuss.privacyguides.net/t/consumer-reports-evaluating-people-search-site-removal-services/19948) also indicate that EasyOptOuts is one of the top performing data removal services. + +
+

High priority sites not supported by EasyOptOuts

+ +EasyOptOuts does not cover the following sites we consider to be "high priority," so you should still manually opt-out of: + +- Intelius ([Search](https://intelius.com), [Opt-Out](https://suppression.peopleconnect.us/login)) +- PeekYou ([Search](https://peekyou.com), [Opt-Out](https://peekyou.com/about/contact/ccpa_optout/do_not_sell)) + +
+ +## Google _Results About You_ Free + +
+

Google is a data collector themselves

+ +This method will require you to submit your personal information to Google for them to periodically monitor their search results for. Google claims to not use the information provided to this tool to "personalize your experiences" across other Google products. + +While Google is not a data broker themselves _per se_, as they don't sell or share your data with outside parties, some may find this relationship unacceptable. You should always decide whether the benefits of this tool outweigh the drawbacks for your individual situation. + +
+ +
+ +![Google logo](assets/img/data-broker-removals/google.svg){ align=right } + +**Results about you** is a free tool which helps you discover whether your personal contact information, including your home address, phone number, and email address, appears in Google search results. If any personal information is found, you can request its removal. + +[:octicons-globe-16: Open Web Tool](https://myactivity.google.com/results-about-you){ .md-button .md-button--primary } +[:octicons-info-16:](https://support.google.com/websearch/answer/12719076){ .card-link title=Documentation} + +
+ +In many cases, a Google search is the first place a potential stalker or abuser would look to find your personal information, which could make using it a worthwhile trade-off. However, this tool does not remove your information from the discovered websites themselves, only their listings on Google. You should still consider manually opting out from the results which are discovered, or using another service which automatically opts you out from those sites directly. + +You can add up to 3 addresses, 3 phone numbers, and 3 email addresses to your Google account to monitor for. The service is only available in select markets (initially the US and UK) to users over 18. + +When results are found, they will be available for review in this web tool. You can also optionally receive an email notification delivered to the account's Gmail address that lets you know when new results are found. You will then be able to click **Request to remove** on each discovered listing, and Google will review the request. + +In our testing, this tool worked to reliably remove people search sites from Google search results, but was not effective against websites that showed _corporate_ filing information, even if you used your personal address to register a company, nor was it effective against social media profiles. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing a data removal service, and conduct your own research to ensure it's the right choice for you. + +Our picks for removal services are primarily based on independent professional testing from third-parties as noted in the sections above, our own internal testing, and aggregated reviews from our community. 
+ +- Must not be a white labeled service or reseller of another provider. +- Must not be affiliated with the data broker industry or purchase advertising on people search sites. +- Must only use your personal data for the purposes of opting you out of data broker databases and people search sites. + +[^1]: If you _are_ immediately threatened by stalkers or other threats, you should strongly consider an automated tool like [EasyOptOuts](#easyoptouts-paid), at least for the initial "purge." When things are more manageable in the future you can come back to the manual process. Of course, in a dangerous situation your first priority should always be to seek professional help [from police](https://onlineharassmentfieldmanual.pen.org/involving-law-enforcement) or others before tackling it on your own. diff --git a/i18n/fi/data-redaction.md b/i18n/fi/data-redaction.md new file mode 100644 index 00000000..95fbde65 --- /dev/null +++ b/i18n/fi/data-redaction.md @@ -0,0 +1,137 @@ +--- +meta_title: "Remove PII with Metadata Scrubbers and Data Redaction Tools - Privacy Guides" +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +cover: data-redaction.webp +--- + +Protects against the following threat(s): + +- [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information ""){.pg-green} + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +
+

Warning

+ +You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, you should draw a box over the text. + +
+ +## MAT2 + +
+ +![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + +**MAT2** is free, cross-platform software which allows you to remove metadata from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an extension for [Dolphin](https://github.com/jvoisin/mat2/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + +[:octicons-repo-16: Repository](https://github.com/jvoisin/mat2#readme){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/jvoisin/mat2#how-to-use-mat2){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/jvoisin/mat2){ .card-link title="Source Code" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://pypi.org/project/mat2) +- [:simple-apple: macOS](https://github.com/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) +- [:simple-linux: Linux](https://pypi.org/project/mat2) +- [:octicons-browser-16: Web](https://github.com/jvoisin/mat2#web-interface) + +
+ +
+ +## ExifEraser (Android) + +
+ +![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + +**ExifEraser** is a modern, permissionless image metadata erasing application for Android. + +It currently supports JPEG, PNG, and WebP files. + +[:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#description){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) +- [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) +- [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +
+ +
+ +The metadata that is erased depends on the image's file type: + +- **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +- **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +- **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +- You can share an image from another application with ExifEraser. +- Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +- It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +- It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +- Lastly, it allows you to paste an image from your clipboard. + +## Shortcuts (iOS & macOS) + +On iOS and macOS, you can remove image metadata without using any third-party apps by creating a [**shortcut**](https://apps.apple.com/app/id915249334) for this purpose. Here is an example shortcut you can download to use as is: + +[:material-tag-minus: Clean Image Metadata](https://icloud.com/shortcuts/fb774ddb7b5b4296871776c67ac0fff9 ""){.md-button} + +You can also use it as a model for your own shortcut; just make sure that the **Preserve Metadata** option under the **Convert** action is unchecked. Once added, you can access the shortcut in the share sheet that appears when you select the :octicons-share-24: Share button. You can select multiple images and invoke the shortcut to remove their metadata all at once. + +This shortcut removes metadata such as location, device model, lens model, and other camera information. It also sets the image creation date to the time the shortcut was used. + +## ExifTool (CLI) + +
+ +![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + +**ExifTool** is the original Perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + +It is often a component of other Exif removal applications and in most Linux distribution repositories. + +[:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } +[:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://exiftool.org) +- [:simple-apple: macOS](https://exiftool.org) +- [:simple-linux: Linux](https://exiftool.org) + +
+ +
+ +
+

Deleting data from a directory of files

+ +```bash +exiftool -all= *.file_extension +``` + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Apps developed for open-source operating systems must be open source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/fi/desktop-browsers.md b/i18n/fi/desktop-browsers.md new file mode 100644 index 00000000..22cfd748 --- /dev/null +++ b/i18n/fi/desktop-browsers.md 
@@ -0,0 +1,394 @@ +--- +meta_title: "Privacy Respecting Web Browsers for PC and Mac - Privacy Guides" +title: Desktop Browsers +icon: material/laptop +description: These privacy-protecting browsers are what we currently recommend for standard/non-anonymous internet browsing on desktop systems. +cover: desktop-browsers.webp +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +These are our currently recommended **desktop web browsers** and configurations for standard/non-anonymous browsing. 
We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +
+ +![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + +**Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed. It aims to provide to VPN users Tor Browser's anti-fingerprinting browser technologies, which are key protections against [:material-eye-outline: Mass Surveillance](basics/common-threats.md#mass-surveillance-programs){ .pg-blue }. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + +[:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } +[:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser){ .card-link title="Documentation" } +[:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://mullvad.net/en/download/browser/windows) +- [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) +- [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +
+ +
+ +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + +Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings). When adjusting the security level, you **must** always restart the browser before continuing to use it. Otherwise, [the security settings may not be fully applied](https://www.privacyguides.org/articles/2025/05/02/tor-security-slider-flaw), putting you at a higher risk of fingerprinting and exploits than you may expect based on the setting chosen. + +Modifications other than adjusting this setting would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) similar to other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. 
This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically discourage adding *additional* [browser extensions](browser-extensions.md), these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +## Firefox + +
+ +![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + +**Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + +[:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://mozilla.org/privacy/firefox){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.mozilla.org/products/firefox){ .card-link title="Documentation" } +[:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.mozilla.org){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://mozilla.org/firefox/windows) +- [:simple-apple: macOS](https://mozilla.org/firefox/mac) +- [:simple-linux: Linux](https://mozilla.org/firefox/linux) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +
+ +
+ +
+

Warning

+ +Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +
+ +### Recommended Firefox Configuration + +These options can be found in :material-menu: → **Settings**. + +#### Search + +- [ ] Uncheck **Show search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Firefox Suggest (US only) + +[Firefox Suggest](https://support.mozilla.org/kb/firefox-suggest) is a feature similar to search suggestions which is only available in the US. We recommend disabling it for the same reason we recommend disabling search suggestions. If you don't see these options under the **Address Bar** header, you do not have the new experience and can ignore these changes. + +- [ ] Uncheck **Suggestions from Firefox** +- [ ] Uncheck **Suggestions from sponsors** + +#### Privacy & Security + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. 
You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Telemetry + +- [ ] Uncheck **Send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow personalized extension recommendations** +- [ ] Uncheck **Install and run studies** +- [ ] Uncheck **Send daily usage ping to Mozilla** +- [ ] Uncheck **Automatically send crash reports** + +According to Mozilla's privacy policy for Firefox, + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Mozilla Accounts service collects [some technical data](https://mozilla.org/privacy/mozilla-accounts). If you use a Mozilla Account you can opt out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### Website Advertising Preferences + +- [ ] Uncheck **Allow websites to perform privacy-preserving ad measurement** + +With the release of Firefox 128, a new setting for [privacy-preserving attribution](https://support.mozilla.org/kb/privacy-preserving-attribution) (PPA) has been added and [enabled by default](https://blog.privacyguides.org/2024/07/14/mozilla-disappoints-us-yet-again-2). PPA allows advertisers to use your web browser to measure the effectiveness of web campaigns, instead of using traditional JavaScript-based tracking. We consider this behavior to be outside the scope of a user agent's responsibilities, and the fact that it is disabled by default in Arkenfox is an additional indicator for disabling this feature. 
+ +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day-to-day browsing. + +##### DNS over HTTPS + +If you use a [DNS over HTTPS provider](dns.md): + +- [x] Select **Max Protection** and choose a suitable provider + +Max Protection enforces the use of DNS over HTTPS, and a security warning will show if Firefox can’t connect to your secure DNS resolver, or if your secure DNS resolver says that records for the domain you are trying to access do not exist. This stops the network you're connected to from secretly downgrading your DNS security. + +#### Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +
+

Use Mullvad Browser for advanced anti-fingerprinting

+ +[Mullvad Browser](#mullvad-browser) provides stronger anti-fingerprinting protections out of the box than Firefox, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Firefox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +
+ +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-%5BCommon%5D) are subjectively strict and/or may cause some websites to not work properly—which you can [easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember that you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +
+ +![Brave logo](assets/img/browsers/brave.svg){ align=right } + +**Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features), many of which are enabled by default. + +Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + +[:octicons-home-16: Homepage](https://brave.com){ .md-button .md-button--primary } +[:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } +[:octicons-eye-16:](https://brave.com/privacy/browser){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.brave.com){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) +- [:fontawesome-brands-windows: Windows](https://brave.com/download) +- [:simple-apple: macOS](https://brave.com/download) +- [:simple-linux: Linux](https://brave.com/linux) +- [:simple-flathub: Flathub](https://flathub.org/apps/com.brave.Browser) + +
+ +
+ +
+

Warning

+ +Brave adds a "[referral code](https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes)" to the file name in downloads from the Brave website, which is used to track which source the browser was downloaded from, for example `BRV002` in a download named `Brave-Browser-BRV002.pkg`. The installer will then ping Brave's server with the referral code at the end of the installation process. If you're concerned about this, you can rename the installer file before opening it. + +
+ +### Recommended Brave Configuration + +These options can be found in :material-menu: → **Settings**. + +#### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/articles/360022973471-What-is-Shields) feature. We suggest configuring these options [globally](https://support.brave.com/hc/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under *Trackers & ads blocking* + +
+Use default filter lists + +Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +
+ +- [x] Select **Strict** under *Upgrade connections to HTTPS* +- [x] (Optional) Select **Block Scripts** (1) +- [x] Check **Block fingerprinting** +- [x] Select **Block third-party cookies** +- [x] Check **Forget me when I close this site** (2) +- [ ] Uncheck all social media components + +
+ +1. This option disables JavaScript, which will break a lot of sites. To fix them, you can set exceptions on a per-site basis by clicking on the Shield icon in the address bar and unchecking this setting under *Advanced controls*. +2. If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis by clicking on the Shield icon in the address bar and unchecking this setting under *Advanced controls*. + +#### Privacy and security + +
+ +- [x] Select **Don’t allow sites to use JavaScript optimization** under *Security* → *Manage JavaScript optimization & security* (1) +- [x] Select **Automatically remove permissions from unused sites** under *Sites and Shields Settings* +- [x] Select **Disable non-proxied UDP** under [*WebRTC IP Handling Policy*](https://support.brave.com/hc/articles/360017989132-How-do-I-change-my-Privacy-Settings#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [x] Select **Auto-redirect AMP pages** +- [x] Select **Auto-redirect tracking URLs** +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** + +
+ +1. Disabling the V8 optimizer reduces your attack surface by disabling [*some*](https://grapheneos.social/@GrapheneOS/112708049232710156) parts of JavaScript Just-In-Time (JIT) compilation. + +##### Tor windows + +[**Private Window with Tor**](https://support.brave.com/hc/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity) allows you to route your traffic through the Tor network in Private Windows and access .onion services, which may be useful in some cases. However, Brave is **not** as resistant to fingerprinting as the Tor Browser is, and far fewer people use Brave with Tor, so you will stand out. If your threat model requires strong anonymity, use the [Tor Browser](tor.md#tor-browser). + +##### Data Collection + +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** + +#### Web3 + +Brave's Web3 features can potentially add to your browser fingerprint and attack surface. Unless you use any of these features, they should be disabled. + +- Select **Extensions (no fallback)** under *Default Ethereum wallet* +- Select **Extensions (no fallback)** under *Default Solana wallet* + +#### Extensions + +- [ ] Uncheck all built-in extensions you don't use + +#### Search engine + +We recommend disabling search suggestions in Brave for the same reason we recommend disabling this feature in [Firefox](#search). + +- [ ] Uncheck **Show search suggestions** + +#### System + +
+ +- [ ] Uncheck **Continue running background apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +#### Brave Rewards and Wallet + +**Brave Rewards** lets you receive Basic Attention Token (BAT) cryptocurrency for performing certain actions within Brave. It relies on a custodial account and KYC from a select number of providers. We do not recommend BAT as a [private cryptocurrency](cryptocurrency.md), nor do we recommend using a [custodial wallet](advanced/payments.md#wallet-custody), so we would discourage using this feature. + +**Brave Wallet** operates locally on your computer, but does not support any private cryptocurrencies, so we would discourage using this feature as well. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must be open-source software. +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Must be available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting must not negatively impact user experience. +- Must block third-party cookies by default. +- Must support [state partitioning](https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. 
Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should include built-in content blocking functionality. +- Should support cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/kb/containers)). +- Should support Progressive Web Apps (PWAs). PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps because PWAs benefit from your browser's regular security updates. +- Should not include add-on functionality (bloatware) that does not impact user privacy. +- Should not collect telemetry by default. +- Should provide an open-source sync server implementation. +- Should default to a [private search engine](search-engines.md). + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state). diff --git a/i18n/fi/desktop.md b/i18n/fi/desktop.md new file mode 100644 index 00000000..50675a81 --- /dev/null +++ b/i18n/fi/desktop.md @@ -0,0 +1,275 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +cover: desktop.webp +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Linux + +
+ +![Fedora logo](assets/img/linux-desktop/fedora.svg){ align=right } + +**Fedora Linux** is our recommended desktop distribution for people new to Linux. Fedora generally adopts newer technologies (e.g., [Wayland](https://wayland.freedesktop.org) and [PipeWire](https://pipewire.org)) before other distributions. These new technologies often come with improvements in security, privacy, and usability in general. + +[:octicons-home-16: Homepage](https://fedoraproject.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs){ .card-link title="Documentation" } +[:octicons-heart-16:](https://whatcanidoforfedora.org){ .card-link title="Contribute" } + + + +
+ +Fedora comes in two primary desktop editions, [Fedora Workstation](https://fedoraproject.org/workstation), which uses the GNOME desktop environment, and [Fedora KDE Plasma Desktop](https://fedoraproject.org/kde), which uses KDE. Historically, Fedora Workstation has been more popular and widely recommended, but KDE has been gaining in popularity and provides an experience more similar to Windows, which may make transitioning to Linux easier for some. The security and privacy benefits of both editions are very similar, so it mostly comes down to personal preference. + +Fedora has a semi-rolling release cycle. While some packages like the desktop environment are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +
+ +![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + +**openSUSE Tumbleweed** is a stable rolling release distribution. + +openSUSE Tumbleweed uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + +[:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed){ .md-button .md-button--primary } +[:octicons-info-16:](https://doc.opensuse.org){ .card-link title="Documentation" } +[:octicons-heart-16:](https://shop.opensuse.org){ .card-link title="Contribute" } + + + +
+ +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +
+ +![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + +**Arch Linux** is a lightweight, do-it-yourself (DIY) distribution, meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + +[:octicons-home-16: Homepage](https://archlinux.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://wiki.archlinux.org){ .card-link title="Documentation" } +[:octicons-heart-16:](https://archlinux.org/donate){ .card-link title="Contribute" } + + + +
+ +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org)[^1]. + +## Atomic Distributions + +**Atomic distributions** (sometimes also referred to as **immutable distributions**) are operating systems which handle package installation and updates by layering changes atop your core system image, rather than by directly modifying the system. Advantages of atomic distros include increased stability and the ability to easily roll back updates. See [*Traditional vs. Atomic Updates*](os/linux-overview.md#traditional-vs-atomic-updates) for more info. + +### Fedora Atomic Desktops + +
+ +![Fedora logo](assets/img/linux-desktop/fedora.svg){ align=right } + +**Fedora Atomic Desktops** are variants of Fedora which use the `rpm-ostree` package manager and have a strong focus on containerized workflows and Flatpak for desktop applications. All of these variants follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + +[:octicons-home-16: Homepage](https://fedoraproject.org/atomic-desktops){ .md-button .md-button--primary } +[:octicons-info-16:](https://docs.fedoraproject.org/en-US/emerging){ .card-link title="Documentation" } +[:octicons-heart-16:](https://whatcanidoforfedora.org){ .card-link title="Contribute" } + + + +
+ +[Fedora Atomic Desktops](https://fedoramagazine.org/introducing-fedora-atomic-desktops) come in a variety of flavors depending on the desktop environment you prefer. As with the recommendation to avoid X11 in our [criteria](#criteria) for Linux distributions, we recommend avoiding flavors that support only the legacy X11 window system. + +These operating systems differ from Fedora Workstation as they replace the [DNF](https://docs.fedoraproject.org/en-US/quick-docs/dnf) package manager with a much more advanced alternative called [`rpm-ostree`](https://coreos.github.io/rpm-ostree). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete, you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily roll back if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbx](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox) to create [Podman](https://podman.io) containers which mimic a traditional Fedora environment, a [useful feature](https://containertoolbx.org) for the discerning developer. These containers share a home directory with the host operating system. + +### NixOS + +
+ +![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + +NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + +[:octicons-home-16: Homepage](https://nixos.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://nixos.org/learn.html){ .card-link title="Documentation" } +[:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title="Contribute" } + + + +
+ +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates. It first downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation: you can tell NixOS to activate it after reboot, or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +The Nix package manager uses a purely functional language—which is also called Nix—to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible. Binaries built with this method are reproducible[^1]. + +## Anonymity-Focused Distributions + +### Whonix + +
+ +![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + +**Whonix** is based on [Kicksecure](#kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and [:material-incognito: Anonymity](basics/common-threats.md#anonymity-vs-privacy){ .pg-purple } on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + +[:octicons-home-16: Homepage](https://whonix.org){ .md-button .md-button--primary } +[:simple-torbrowser:](http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://whonix.org/wiki/Documentation){ .card-link title="Documentation" } +[:octicons-heart-16:](https://whonix.org/wiki/Donate){ .card-link title="Contribute" } + + + +
+ +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/roddhjav/apparmor.d) and a [sandboxed app launcher](https://whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers). We have a [recommended guide](os/qubes-overview.md#connecting-to-tor-via-a-vpn) on configuring Whonix in conjunction with a VPN ProxyVM in Qubes to hide your Tor activities from your ISP. + +### Tails + +
+ +![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + +**Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and [:material-incognito: Anonymity](basics/common-threats.md#anonymity-vs-privacy){ .pg-purple } while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + +[:octicons-home-16: Homepage](https://tails.net){ .md-button .md-button--primary } +[:octicons-info-16:](https://tails.net/doc/index.en.html){ .card-link title="Documentation" } +[:octicons-heart-16:](https://tails.net/donate){ .card-link title="Contribute" } + + + +
+ +
+

Warning

+ +Tails [doesn't erase](https://gitlab.tails.boum.org/tails/tails/-/issues/5356) the [video memory](https://en.wikipedia.org/wiki/Dual-ported_video_RAM) when shutting down. When you restart your computer after using Tails, it might briefly display the last screen that was displayed in Tails. If you shut down your computer instead of restarting it, the video memory will erase itself automatically after being unpowered for some time. + +
+ +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy, allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](browser-extensions.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.net/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +Protects against the following threat(s): + +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy ""){.pg-orange} + +### Qubes OS + +
+ +![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + +**Qubes OS** is an open-source operating system designed to provide strong security for desktop computing through secure virtual machines (or "qubes"). Qubes is based on Xen, the X Window System, and Linux. It can run most Linux applications and use most of the Linux drivers. + +[:octicons-home-16: Homepage](https://qubes-os.org){ .md-button .md-button--primary } +[:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } +[:octicons-eye-16:](https://qubes-os.org/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://qubes-os.org/doc){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/QubesOS){ .card-link title="Source Code" } +[:octicons-heart-16:](https://qubes-os.org/donate){ .card-link title="Contribute" } + + + +
+ +Qubes OS secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate *qubes*. Should one part of the system be compromised via an exploit in a [:material-target-account: Targeted Attack](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red}, the extra isolation is likely to protect the rest of the *qubes* and the core system. + +For further information about how Qubes works, read our full [Qubes OS overview](os/qubes-overview.md) page. + +### Secureblue + +
+ +![Secureblue logo](assets/img/linux-desktop/secureblue.svg){ align=right } + +**Secureblue** is a security-focused operating system based on [Fedora Atomic Desktops](#fedora-atomic-desktops). It includes a number of [security features](https://secureblue.dev/features) intended to proactively defend against the exploitation of both known and unknown vulnerabilities, and ships with [Trivalent](https://github.com/secureblue/Trivalent), their hardened, Chromium-based web browser. + +[:octicons-home-16: Homepage](https://secureblue.dev){ .md-button .md-button--primary } +[:octicons-info-16:](https://secureblue.dev/install){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/secureblue/secureblue){ .card-link title="Source Code" } +[:octicons-heart-16:](https://secureblue.dev/donate){ .card-link title="Contribute" } + +
+ +**Trivalent** is Secureblue's hardened Chromium for desktop Linux inspired by [GrapheneOS](android/distributions.md#grapheneos)'s Vanadium browser. + +Secureblue also provides GrapheneOS's [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) and enables it globally (including for Flatpaks). + +### Kicksecure + +While we [recommend against](os/linux-overview.md#release-cycle) "perpetually outdated" distributions like Debian for desktop use in most cases, Kicksecure is a Debian-based operating system which has been hardened to be much more than a typical Linux install. + +
+ +![Kicksecure logo](assets/img/linux-desktop/kicksecure.svg){ align=right } + +**Kicksecure**—in oversimplified terms—is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. It also serves as the base OS for [Whonix](#whonix). + +[:octicons-home-16: Homepage](https://kicksecure.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://kicksecure.com/wiki/Privacy_Policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://kicksecure.com/wiki/Documentation){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/Kicksecure){ .card-link title="Source Code" } +[:octicons-heart-16:](https://kicksecure.com/wiki/Donate){ .card-link title="Contribute" } + + + +
+ +## Criteria + +Choosing a Linux distro that is right for you will come down to a huge variety of personal preferences, and this page is **not** meant to be an exhaustive list of every viable distribution. Our Linux overview page has some advice on [choosing a distro](os/linux-overview.md#choosing-your-distribution) in more detail. The distros on *this* page do all generally follow the guidelines we covered there, and all meet these standards: + +- Free and open source. +- Receives regular software and kernel updates. +- Avoids X11, as its last major release was [more than a decade](https://x.org/wiki/Releases) ago. + - The notable exception here is Qubes, but the [isolation issues](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation) which X11 typically has are avoided by virtualization. This isolation only applies to apps *running in different qubes* (virtual machines); apps running in the *same* qube are not protected from each other. +- Supports full-disk encryption during installation. +- Doesn't freeze regular releases for more than 1 year. + - We [recommend against](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Supports a wide variety of hardware. +- Preference towards larger projects. + - Maintaining an operating system is a major challenge, and smaller projects have a tendency to make more avoidable mistakes, or delay critical updates (or worse, disappear entirely). We lean towards projects which will likely be around 10 years from now (whether that's due to corporate backing or very significant community support), and away from projects which are hand-built or have a small number of maintainers. + +In addition, [our standard criteria](about/criteria.md) for recommended projects still applies. 
**Please note we are not affiliated with any of the projects we recommend.** + +[^1]: Reproducibility entails the ability to verify that packages and binaries made available to the end user match the source code, which can be useful against potential [:material-package-variant-closed-remove: Supply Chain Attacks](basics/common-threats.md#attacks-against-certain-organizations ""){.pg-viridian}. diff --git a/i18n/fi/device-integrity.md b/i18n/fi/device-integrity.md new file mode 100644 index 00000000..acac6e57 --- /dev/null +++ b/i18n/fi/device-integrity.md @@ -0,0 +1,191 @@ +--- +title: "Device Integrity" +icon: material/security +description: These tools can be used to check your devices for compromise. +cover: device-integrity.webp +robots: nofollow, max-snippet:-1, max-image-preview:large +--- + +These tools can be used to validate the integrity of your mobile devices and check them for indicators of compromise by spyware and malware such as Pegasus, Predator, or KingsPawn. This page focuses on **mobile security**, because mobile devices typically have read-only systems with well-known configurations, so detecting malicious modifications is easier than on traditional desktop systems. We may expand the focus of this page in the future. + +
+

This is an advanced topic

+ +These tools may provide utility for certain individuals. They provide functionality which most people do not need to worry about, and often require more in-depth technical knowledge to use effectively. + +
+ +It is **critical** to understand that scanning your device for public indicators of compromise is **not sufficient** to determine that a device is "clean", and not targeted with a particular spyware tool. Reliance on these publicly-available scanning tools can miss recent security developments and give you a false sense of security. + +## General Advice + +The majority of system-level exploits on modern mobile devices—especially zero-click compromises—are non-persistent, meaning they will not remain or run automatically after a reboot. For this reason, we highly recommend rebooting your device regularly. We recommend everybody reboot their devices once a week at minimum, but if non-persistent malware is of particular concern for you, we and many security experts recommend a daily reboot schedule. + +This means an attacker would have to regularly re-infect your device to retain access, although we'll note this is not impossible. Rebooting your device also will not protect you against _persistent_ malware, but this is less common on mobile devices due to modern security features like secure/verified boot. + +## Post-Compromise Information & Disclaimer + +If any of the following tools indicate a potential compromise by spyware such as Pegasus, Predator, or KingsPawn, we advise that you contact: + +- If you are a human rights defender, journalist, or from a civil society organization: [Amnesty International's Security Lab](https://securitylab.amnesty.org/contact-us) +- If a business or government device is compromised: the appropriate security liaison at your enterprise, department, or agency +- Local law enforcement + +**We are unable to help you directly beyond this.** We are happy to discuss your specific situation or circumstances and review your results in our [community](https://discuss.privacyguides.net) spaces, but it is unlikely we can assist you beyond what is written on this page. 
+ +The tools on this page are only capable of detecting indicators of compromise, not removing them. If you are concerned about having been compromised, we advise that you: + +- Consider replacing the device completely +- Consider changing your SIM/eSIM number +- Not restore from a backup, because that backup may be compromised + +These tools provide analysis based on the information they have the ability to access from your device, and publicly-accessible indicators of compromise. It is important to keep in mind two things: + +1. Indicators of compromise are just that: _indicators_. They are not a definitive finding, and may occasionally be **false positives**. If an indicator of compromise is detected, it means you should do additional research into the _potential_ threat. +2. The indicators of compromise these tools look for are published by threat research organizations, but not all indicators are made available to the public! This means that these tools can present a **false negative**, if your device is infected with spyware which is not detected by any of the public indicators. Reliable and comprehensive digital forensic support and triage require access to non-public indicators, research, and threat intelligence. + +## External Verification Tools + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals){ .pg-red } + +External verification tools run on your computer and scan your mobile device for forensic traces, which are helpful to identify potential compromise. + +
+

Danger

+ +Public indicators of compromise are insufficient to determine that a device is "clean", and not targeted with a particular spyware tool. Reliance on public indicators alone can miss recent forensic traces and give a false sense of security. + +Reliable and comprehensive digital forensic support and triage require access to non-public indicators, research, and threat intelligence. + +Such support is available to civil society through [Amnesty International's Security Lab](https://amnesty.org/en/tech) or [Access Now’s Digital Security Helpline](https://accessnow.org/help). + +
+ +These tools can trigger false-positives. If any of these tools finds indicators of compromise, you need to dig deeper to determine your actual risk. Some reports may be false positives based on websites you've visited in the past, and findings which are many years old are likely either false-positives or indicate previous (and no longer active) compromise. + +### Mobile Verification Toolkit + +
+ +![MVT logo](assets/img/device-integrity/mvt.webp#only-light){ align=right } +![MVT logo](assets/img/device-integrity/mvt-dark.png#only-dark){ align=right } + +**Mobile Verification Toolkit** (**MVT**) is a collection of utilities which simplifies and automates the process of scanning mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT was developed by Amnesty International and released in 2021 in the context of the [Pegasus Project](https://forbiddenstories.org/about-the-pegasus-project). + +[:octicons-home-16: Homepage](https://mvt.re){ .md-button .md-button--primary } +[:octicons-code-16:](https://github.com/mvt-project/mvt){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-apple: macOS](https://docs.mvt.re/en/latest/install) +- [:simple-linux: Linux](https://docs.mvt.re/en/latest/install) + +
+ +
+ +
+

Warning

+ +Using MVT is insufficient to determine that a device is "clean", and not targeted with a particular spyware tool. + +
+ +MVT is _most_ useful for scanning iOS devices. Android stores very little diagnostic information useful to triage potential compromises, and because of this, `mvt-android` capabilities are limited as well. On the other hand, encrypted iOS iTunes backups provide a large enough subset of files stored on the device to detect suspicious artifacts in many cases. This being said, MVT does still provide fairly useful tools for both iOS and Android analysis. + +If you use iOS and are at high-risk, we have three additional suggestions for you: + +1. Create and keep regular (monthly) iTunes backups. This allows you to find and diagnose past infections later with MVT, if new threats are discovered in the future. + +2. Trigger _sysdiagnose_ logs often and back them up externally. These logs can provide invaluable data to future forensic investigators if need be. + + The process to do so varies by model, but you can trigger it on newer phones by holding down _Power_ + _Volume Up_ + _Volume Down_ until you feel a brief vibration. After a few minutes, the timestamped _sysdiagnose_ log will appear in **Settings** > **Privacy & Security** > **Analytics & Improvements** > **Analytics Data**. + +3. Enable [Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode). + +MVT allows you to perform deeper scans/analysis if your device is jailbroken. Unless you know what you are doing, **do not jailbreak or root your device.** Jailbreaking your device exposes it to considerable security risks. + +### iMazing (iOS) + +
+ +![iMazing logo](assets/img/device-integrity/imazing.png){ align=right } + +**iMazing** provides a free spyware analyzer tool for iOS devices which acts as a GUI-wrapper for [MVT](#mobile-verification-toolkit). This can be much easier to run compared to MVT itself, which is a command-line tool designed for technologists and forensic investigators. + +[:octicons-home-16: Homepage](https://imazing.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://imazing.com/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://imazing.com/spyware-analyzer){ .card-link title=Documentation} + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://imazing.com/download) +- [:simple-apple: macOS](https://imazing.com/download) + +
+ +
+ +iMazing automates and interactively guides you through the process of using [MVT](#mobile-verification-toolkit) to scan your device for publicly-accessible indicators of compromise published by various threat researchers. All the information and warnings which apply to MVT apply to this tool as well, so we suggest you also familiarize yourself with the notes on MVT in the sections above. + +## On-Device Verification + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals){ .pg-red } +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy){ .pg-orange } + +These are apps you can install which check your device and operating system for signs of tampering, and validate the identity of your device. + +
+

Warning

+ +Using these apps is insufficient to determine that a device is "clean", and not targeted with a particular spyware tool. + +
+ +### Auditor (Android) + +
+ +![Auditor logo](assets/img/device-integrity/auditor.svg#only-light){ align=right } +![Auditor logo](assets/img/device-integrity/auditor-dark.svg#only-dark){ align=right } + +**Auditor** is an app which leverages hardware security features to provide device integrity monitoring by actively validating the identity of a device and the integrity of its operating system. Currently, it only works with GrapheneOS or the stock operating system for [supported devices](https://attestation.app/about#device-support). + +[:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } +[:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} +[:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } +[:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) +- [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) +- [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +
+ +
+ +Auditor is not a scanning/analysis tool like some other tools on this page. Rather, it uses your device's hardware-backed keystore to allow you to verify the identity of your device and gain assurance that the operating system itself hasn't been tampered with or downgraded via verified boot. This provides a very robust integrity check of your device itself, but doesn't necessarily check whether the user-level apps running on your device are malicious. + +Auditor performs attestation and intrusion detection with **two** devices, an _auditee_ (the device being verified) and an _auditor_ (the device performing the verification). The auditor can be any Android 10+ device (or a remote web service operated by [GrapheneOS](android/distributions.md#grapheneos)), while the auditee must be a specifically [supported device](https://attestation.app/about#device-support). Auditor works by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an _auditor_ and _auditee_, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore) of the _Auditor_. +- The _auditor_ can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The _auditor_ records the current state and configuration of the _auditee_. +- Should tampering with the operating system of the _auditee_ happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +It is important to note that Auditor can only effectively detect changes **after** the initial pairing, not necessarily during or before due to its TOFU model. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. 
+ +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires hiding your IP address from the attestation service, you could consider using [Orbot](alternative-networks.md#orbot) or a [VPN](vpn.md). diff --git a/i18n/fi/dns.md b/i18n/fi/dns.md new file mode 100644 index 00000000..6a1148e7 --- /dev/null +++ b/i18n/fi/dns.md 
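Review bot: In i18n/fi/desktop.md, two added sentences carry wording slips that should be fixed before merge: the Tails card reads "which can boot on on almost any computer" (doubled "on"), and the NixOS paragraph reads "you can just reboot and automatically and return to a working version of your system" (stray "and"). Suggested wording: "which can boot on almost any computer" and "you can just reboot and automatically return to a working version of your system". The section headings are also cased inconsistently ("Anonymity-Focused Distributions" against "Security-focused Distributions"); pick one style for both.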
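Review bot: In i18n/fi/device-integrity.md, the first bullet of the "Auditor works by" list is ambiguous about which device holds the key: it says the pair establish a private key "in the hardware-backed keystore of the _Auditor_", where the capitalized, italicized form could mean the app or the verifying device, while the paragraph just above says the check uses "your device's hardware-backed keystore", which describes the device being verified. Suggest naming the role in the lowercase _auditor_/_auditee_ style the rest of the list uses. Separately, Amnesty International's Security Lab is linked to two different URLs in this file (securitylab.amnesty.org/contact-us under "Post-Compromise Information & Disclaimer", amnesty.org/en/tech in the Danger box); a reader who suspects compromise should be sent to the same contact path in both places.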
@@ -0,0 +1,188 @@ +--- +title: DNS Resolvers +icon: material/dns +description: We recommend choosing these encrypted DNS providers to replace your ISP's default configuration. +cover: dns.webp +global: + - + - randomize-element + - "table tbody" +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +Encrypted **DNS** with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +These are our favorite public DNS resolvers based on their privacy and security characteristics, and their worldwide performance. Some of these services offer basic DNS-level blocking of malware or trackers depending on the server you choose, but if you want to be able to see and customize what is blocked, you should use a dedicated DNS filtering product instead. 
+ +| DNS Provider | Protocols | Logging / Privacy Policy | [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) | Filtering | Signed Apple Profile | +| -------------------------------------------------------------------------- | ------------------------------------------------------------------------ | ------------------------ | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard Public DNS**](https://adguard-dns.io/en/public-dns.html) | Cleartext
DoH/3
DoT
DoQ
DNSCrypt | Anonymized[^1] | Anonymized | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardSDNSFilter) | Yes [:octicons-link-external-24:](https://adguard-dns.io/en/blog/encrypted-dns-ios-14.html) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setup) | Cleartext
DoH/3
DoT | Anonymized[^2] | No | Based on server choice. | No [:octicons-link-external-24:](https://community.cloudflare.com/t/requesting-1-1-1-1-signed-profiles-for-apple/571846) | +| [**Control D Free DNS**](https://controld.com/free-dns) | Cleartext
DoH/3
DoT
DoQ | No[^3] | No | Based on server choice. | Yes
[:simple-apple: iOS](https://docs.controld.com/docs/ios-platform)
[:material-apple-finder: macOS](https://docs.controld.com/docs/macos-platform#manual-setup-profile) | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | Yes [:octicons-link-external-24:](https://github.com/mullvad/encrypted-dns-profiles) | +| [**Quad9**](https://quad9.net) | Cleartext
DoH
DoT
DNSCrypt | Anonymized[^5] | Optional | Based on server choice. Malware blocking is included by default. | Yes
[:simple-apple: iOS](https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_(Encrypted))
[:material-apple-finder: macOS](https://docs.quad9.net/Setup_Guides/MacOS/Big_Sur_and_later_(Encrypted)) | + +## Cloud-Based DNS Filtering + +These DNS filtering solutions offer a web dashboard where you can customize the block lists to your exact needs. These services can be used easily across multiple networks. + +### Control D + +
+ +![Control D logo](assets/img/dns/control-d.svg){ align=right } + +**Control D** is a customizable DNS service which lets you block security threats, unwanted content, and advertisements on a DNS level. + +In addition to their paid plans, they offer a number of preconfigured DNS resolvers you can use for free. + +[:octicons-home-16: Homepage](https://controld.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://controld.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.controld.com/docs/getting-started){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/Control-D-Inc/ctrld){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.controld.setuputility) +- [:simple-appstore: App Store](https://apps.apple.com/app/1518799460) +- [:simple-github: GitHub](https://github.com/Control-D-Inc/ctrld/releases) +- [:fontawesome-brands-windows: Windows](https://docs.controld.com/docs/gui-setup-utility) +- [:simple-apple: macOS](https://docs.controld.com/docs/gui-setup-utility) +- [:simple-linux: Linux](https://docs.controld.com/docs/ctrld) + +
+ +
+ +### NextDNS + +
+ +![NextDNS logo](assets/img/dns/nextdns.svg){ align=right } + +**NextDNS** is a customizable DNS service which lets you block security threats, unwanted content, and advertisements on a DNS level. + +They offer a fully functional free plan for limited use. + +[:octicons-home-16: Homepage](https://nextdns.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nextdns.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://help.nextdns.io){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/nextdns/nextdns){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-appstore: App Store](https://apps.apple.com/app/nextdns/id1463342498) +- [:simple-github: GitHub](https://github.com/nextdns/nextdns/releases) +- [:fontawesome-brands-windows: Windows](https://github.com/nextdns/nextdns/wiki/Windows) +- [:simple-apple: macOS](https://apps.apple.com/us/app/nextdns/id1464122853) +- [:simple-linux: Linux](https://github.com/nextdns/nextdns/wiki) + +
+ +
+ +When used with an account, NextDNS will enable insights and logging features by default (as some features require it). You can choose retention time and log storage location for any logs you choose to keep, or disable logs altogether. + +NextDNS's free plan is fully functional, but should not be relied upon for security or other critical filtering applications, because after 300,000 DNS queries in a month all filtering, logging, and other account-based functionality are disabled. It can still be used as a regular DNS provider after that point, so your devices will continue to function and make secure queries via DNS-over-HTTPS (DoH), just without your filter lists. + +NextDNS also offers a public DoH service at `https://dns.nextdns.io` and DNS-over-TLS/QUIC (DoT/DoQ) at `dns.nextdns.io`, which are available by default in Firefox and Chromium, and subject to their default, no-logging [privacy policy](https://nextdns.io/privacy). + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically, it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +
+ +![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } +![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + +**RethinkDNS** is an open-source Android client that supports [DoH](advanced/dns-overview.md#dns-over-https-doh), [DoT](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy. It also provides additional functionality such as caching DNS responses, locally logging DNS queries, and using the app as a firewall. + +[:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.rethinkdns.com){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) +- [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +
+ +
+ +While RethinkDNS takes up the Android VPN slot, you can still use a VPN or Orbot with the app by [adding a WireGuard configuration](https://docs.rethinkdns.com/proxy/wireguard) or [manually configuring Orbot as a Proxy server](https://docs.rethinkdns.com/firewall/orbot), respectively. + +### DNSCrypt-Proxy + +
+ +![DNSCrypt-Proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + +**DNSCrypt-Proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DoH](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + +[:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy#readme){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } +[:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) +- [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) +- [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +
+ +
+ +
+

Warning

+ +The anonymized DNS feature does [not](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic. + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +All DNS products... + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- Must support [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Must anonymize [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) or disable it by default. + +Additionally, all public providers... + +- Must not log any personal data to disk. + - As noted in the footnotes, some providers collect query information for purposes like security research, but in such cases, the data must not be associated with any PII such as IP address, etc. +- Should support [anycast](https://en.wikipedia.org/wiki/Anycast) or geo-steering. + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested within the last 24 hours. + + > We need this information to identify and block new trackers and threats. We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters. + + AdGuard DNS: [*Privacy Policy*](https://adguard-dns.io/en/privacy.html) [^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. 
+ + 1.1.1.1 Public DNS Resolver: [*Cloudflare’s commitment to privacy*](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver) [^3]: Control D only logs specific account data for Premium resolvers with custom DNS profiles. Free resolvers do not retain any data. + + Control D: [*Privacy Policy*](https://controld.com/privacy) [^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. + + Mullvad: [*No-logging of user activity policy*](https://mullvad.net/en/help/no-logging-data-policy) [^5]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared for purposes like furthering their security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. + + Quad9: [*Data and Privacy Policy*](https://quad9.net/privacy/policy) diff --git a/i18n/fi/document-collaboration.md b/i18n/fi/document-collaboration.md new file mode 100644 index 00000000..9aeaafbb --- /dev/null +++ b/i18n/fi/document-collaboration.md @@ -0,0 +1,53 @@ +--- +title: Document Collaboration +icon: material/account-group +description: Most online office suites do not support end-to-end encryption, meaning the cloud provider has access to everything you do. +cover: document-collaboration.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal } + +Most online **document collaboration** platforms like Google Drive do not support end-to-end encryption, meaning the cloud provider has access to everything you do. The provider's privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## CryptPad + +
+ +![CryptPad logo](assets/img/document-collaboration/cryptpad.svg){ align=right } + +**CryptPad** is a private-by-design alternative to popular, full-fledged office suites. All content on this web service is E2EE and can be shared with other users easily. + +[:material-star-box: Read our latest CryptPad review.](https://www.privacyguides.org/articles/2025/02/07/cryptpad-review) + +[:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } +[:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE){ .card-link title="Privacy Policy" } +[:octicons-server-16:](https://cryptpad.org/instances){ .card-link title="Public Instances" } +[:octicons-info-16:](https://docs.cryptpad.fr){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } +[:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title="Contribute" } + + + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must be open source. +- Must make files accessible via WebDAV unless it is impossible due to E2EE. +- Must have sync clients for Linux, macOS, and Windows. +- Must support document and spreadsheet editing. +- Must support real-time document collaboration. +- Must support exporting documents to standard document formats (e.g. ODF). + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multifactor authentication support, or passkey logins. diff --git a/i18n/fi/email-aliasing.md b/i18n/fi/email-aliasing.md new file mode 100644 index 00000000..f3e83cee --- /dev/null +++ b/i18n/fi/email-aliasing.md 
@@ -0,0 +1,142 @@ +--- +title: "Email Aliasing" +icon: material/email-lock +description: An email aliasing service allows you to easily generate a new email address for every website you register for. +cover: email-aliasing.webp +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } +- [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green } + +An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). + +Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +## Benefits + +Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods: + +### Over Plus Addressing + +True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes. 
+ +### Over Catch-All Aliases + +Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +### Over Temporary Email Services + +Email aliasing services also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you. + +## Recommended Providers + +
+ +- ![Addy.io logo](assets/img/email-aliasing/addy.svg){ .twemoji } [Addy.io](email-aliasing.md#addyio) +- ![SimpleLogin logo](assets/img/email-aliasing/simplelogin.svg){ .twemoji } [SimpleLogin](email-aliasing.md#simplelogin) + +
+ +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### Addy.io + +
+ +![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right } + +**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias). + +[:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } +[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app) +- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe) + +
+ +
+ +The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller. + +You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. + +Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf). + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 1 Recipient Mailbox +- [x] Automatic PGP Encryption[^1] + +If you cancel your subscription, you will still enjoy the features of your paid plan until the billing cycle ends. After the end of your current billing cycle, most paid features (including any custom domains) will be [deactivated](https://addy.io/faq/#what-happens-if-i-have-a-subscription-but-then-cancel-it), paid account settings will be reverted to their defaults, and catch-all will be enabled if it was previously disabled. + +### SimpleLogin + +
+ +![SimpleLogin logo](assets/img/email-aliasing/simplelogin.svg){ align=right } + +**SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + +[:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) +- [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff) +- [:simple-safari: Safari](https://apps.apple.com/app/id6475835429) + +
+ +
+ +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. + +You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq). + +Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox +- [ ] Automatic PGP Encryption[^1] is only available on paid plans + +When your subscription ends, all aliases you created will still be able to receive and send emails. However, you cannot create any new aliases that would exceed the free plan limit, nor can you add a new domain, directory, or mailbox. + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you. 
+ +[^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content. diff --git a/i18n/fi/email-clients.md b/i18n/fi/email-clients.md new file mode 100644 index 00000000..fba71884 --- /dev/null +++ b/i18n/fi/email-clients.md @@ -0,0 +1,252 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +cover: email-clients.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} + +The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft. + +
+Email does not provide forward secrecy + +When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](basics/email-security.md#email-metadata-overview) that is not encrypted in the header of the email. + +OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + +[Real-time Communication](real-time-communication.md ""){.md-button} + +
+ +## Cross-Platform + +### Thunderbird + +
+ +![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + +**Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Matrix) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + +[:octicons-home-16: Homepage](https://thunderbird.net){ .md-button .md-button--primary } +[:octicons-eye-16:](https://mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title="Documentation" } +[:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.thunderbird.android) +- [:simple-github: GitHub](https://github.com/thunderbird/thunderbird-android/releases) +- [:fontawesome-brands-windows: Windows](https://thunderbird.net) +- [:simple-apple: macOS](https://thunderbird.net) +- [:simple-linux: Linux](https://thunderbird.net) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +
+ +
+ +
+

Warning

+ +When replying to someone on a mailing list in Thunderbird Mobile, the "reply" option may also include the mailing list. For more information see [thunderbird/thunderbird-android #3738](https://github.com/thunderbird/thunderbird-android/issues/3738). + +
+ +#### Recommended Configuration + +
+ +We recommend changing some of these settings to make Thunderbird Desktop a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** (1) + +
+ +1. You may need to keep this setting checked when you're logging in to some providers such as Gmail, or via an institution’s SSO. You should uncheck it once you log in successfully. + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js) is a set of configuration options that aims to disable as many of the web-browsing features within Thunderbird Desktop as possible in order to reduce attack surface and maintain privacy. Some of the changes are backported from the [Arkenfox project](desktop-browsers.md#arkenfox-advanced). + +## Platform Specific + +### Apple Mail (macOS) + +
+ +![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + +**Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + +[:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } +[:octicons-eye-16:](https://apple.com/legal/privacy/en-ww){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.apple.com/mail){ .card-link title=Documentation} + + + +
+ +
+

For those using macOS Sonoma

+ +Currently, GPG Suite does [not yet](https://gpgtools.com/sonoma) have a stable release for macOS Sonoma. + +
+ +Apple Mail has the ability to load remote content in the background or block it entirely and hide your IP address from senders on [macOS](https://support.apple.com/guide/mail/mlhl03be2866/mac) and [iOS](https://support.apple.com/guide/iphone/iphf084865c7/ios). + +### FairEmail (Android) + +
+ +![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + +**FairEmail** is a minimal, open-source email app which uses open standards (IMAP, SMTP, OpenPGP) and minimizes data and battery usage. + +[:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } +[:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } +[:octicons-heart-16:](https://email.faircode.eu/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) +- [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +
+ +
+ +### GNOME Evolution (GNOME) + +
+ +![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + +**Evolution** is a personal information management application that provides integrated mail, calendaring, and address book functionality. Evolution has extensive [documentation](https://gnome.pages.gitlab.gnome.org/evolution/help) to help you get started. + +[:octicons-home-16: Homepage](https://gitlab.gnome.org/GNOME/evolution/-/wikis/home){ .md-button .md-button--primary } +[:octicons-eye-16:](https://gitlab.gnome.org/GNOME/evolution/-/wikis/Privacy-Policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://gnome.pages.gitlab.gnome.org/evolution/help){ .card-link title="Documentation" } +[:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution){ .card-link title="Source Code" } +[:octicons-heart-16:](https://gnome.org/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +
+ +
+ +### Kontact (KDE) + +
+ +![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + +**Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, RSS client, and an organizer. + +[:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://kontact.kde.org/users){ .card-link title="Documentation" } +[:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } +[:octicons-heart-16:](https://kde.org/community/donations){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-linux: Linux](https://kontact.kde.org/download) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +
+ +
+ +### Mailvelope (Browser) + +
+ +![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + +**Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + +[:octicons-home-16: Homepage](https://mailvelope.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://mailvelope.com/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://mailvelope.com/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +
+ +
+ +### NeoMutt (CLI) + +
+ +![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + +**NeoMutt** is an open-source command line email reader for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + +NeoMutt is a text-based client that has a steep learning curve. It is, however, very customizable. + +[:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://neomutt.org/guide){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } +[:octicons-heart-16:](https://paypal.com/paypalme/russon){ .card-link title=Contribute } + +
+Downloads + +- [:simple-apple: macOS](https://neomutt.org/distro) +- [:simple-linux: Linux](https://neomutt.org/distro) + +
+ +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/fi/email.md b/i18n/fi/email.md new file mode 100644 index 00000000..d885d6ba --- /dev/null +++ b/i18n/fi/email.md 
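Review bot: in the NeoMutt card the attribute lists are written `{ .card-link title=Documentation}` and `{ .card-link title=Contribute }`, with unquoted titles and uneven brace spacing, while every other card in this file uses the quoted form `{ .card-link title="Documentation" }`. Quote both values so the cards are consistent and the attribute parser sees the same syntax everywhere. The NeoMutt "Contribute" button also links to a personal PayPal handle (`https://paypal.com/paypalme/russon`) rather than a page on the project's own domain like the other cards; confirm that this is the donation target the project itself publishes before it ships on a recommendations page. Minor wording in the Best-Case paragraph: "Our best-case criteria represents" should read "represent".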
@@ -0,0 +1,377 @@ +--- +meta_title: "Encrypted Private Email Recommendations - Privacy Guides" +title: Email Services +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +cover: email.webp +global: + - + - randomize-element + - "table tbody" +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +## Recommended Providers + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information. + +| Provider | OpenPGP / WKD | IMAP / SMTP | Encrypted Storage | Anonymous Payment Methods | +| ----------------------------- | -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------- | ----------------------------------------------------- | +| [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash
Monero via third party | +| [Mailbox Mail](#mailbox-mail) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash | +| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero via third party
Cash via third party | + +In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP. + +- [More Information :material-arrow-right-drop-circle:](email-aliasing.md) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox Mail user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](#proton-mail) +- ![Mailbox Mail logo](assets/img/email/mailbox-mail.svg){ .twemoji } [Mailbox Mail](#mailbox-mail) + +
+ +
+

Warning

+ +When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview). + +OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. + +- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +
+ +### Proton Mail + +
+ +![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + +**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. + +The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. + +[:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } +[:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } +[:octicons-eye-16:](https://proton.me/mail/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://proton.me/support/mail){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) +- [:simple-appstore: App Store](https://apps.apple.com/app/id979659905) +- [:simple-github: GitHub](https://github.com/ProtonMail/android-mail/releases) +- [:fontawesome-brands-windows: Windows](https://proton.me/mail/bridge#download) +- [:simple-apple: macOS](https://proton.me/mail/bridge#download) +- [:simple-linux: Linux](https://proton.me/mail/bridge#download) +- [:octicons-browser-16: Web](https://mail.proton.me) + +
+ +
+ +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) such as Thunderbird. Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. The Proton Unlimited plan or any multi-user Proton plan includes access to [SimpleLogin](email-aliasing.md#simplelogin) Premium. + +A [letter of attestation](https://res.cloudinary.com/dbulfrlrz/images/v1714639878/wp-pme/letter-of-attestation-proton-mail-20211109_3138714c61/letter-of-attestation-proton-mail-20211109_3138714c61.pdf) was provided for Proton Mail's apps in November 2021 by [Securitum](https://research.securitum.com). + +Proton Mail has internal crash reports that are **not** shared with third parties and can be disabled. + +=== "Web" + + From your inbox, select :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**. + + - [ ] Disable **Collect usage dignostics** + - [ ] Disable **Send crash reports** + +=== "Mobile" + + From your inbox, select :material-menu: → :gear: **Settings** → select your username. + + - [ ] Disable **Send crash reports** + - [ ] Disable **Collect usage dignostics** + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [sub-addressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. 
Additionally, you can use [**Monero**](cryptocurrency.md#monero) to purchase vouchers for Proton Mail Plus or Proton Unlimited via their [official](https://discuss.privacyguides.net/t/add-monero-as-an-anonymous-payment-method-for-proton-services/31058/15) reseller [ProxyStore](https://dys2p.com/en/2025-09-09-proton.html). + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two-factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two-factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail stores your [emails](https://proton.me/blog/zero-access-encryption) and [calendars](https://proton.me/news/protoncalendar-security-model) with PGP-based encryption at rest, where only you have the decryption keys needed to access them later. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are **not** secured with your own encryption keys, so Proton is able to read them. Contact fields which are protected with your own encryption keys, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. 
They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account. + +Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. Proton will [delete inactive free accounts](https://proton.me/support/inactive-accounts) after one year. You **cannot** reuse the email address of a deactivated account. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage. + +### Mailbox Mail + +
+ +![Mailbox Mail logo](assets/img/email/mailbox-mail.svg){ align=right } + +**Mailbox Mail** (formerly *Mailbox.org*) is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox Mail is based in Berlin, Germany. + +Accounts start with up to 2 GB storage, which can be upgraded as needed. + +[:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title="Documentation" } + +
+Downloads + +- [:octicons-browser-16: Web](https://login.mailbox.org) + +
+ +
+ +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox Mail lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/en/private/custom-domains/how-to-set-up-a-catch-all-alias-with-a-custom-domain-name) addresses. Mailbox Mail also supports [sub-addressing](https://kb.mailbox.org/en/private/account-article/what-is-an-alias-and-how-do-i-use-it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox Mail doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox Mail supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](security-keys.md#yubikey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox Mail allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox Mail, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data. 
+ +#### :material-check:{ .pg-green } Email Encryption + +Mailbox Mail has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox Mail's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox Mail also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox Mail to find the OpenPGP keys of Mailbox Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox Mail's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends. It will be irrevocably deleted after [30 days](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox Mail account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/en/private/faq-article/the-tor-exit-node-of-mailbox-org). However, their webmail interface cannot be accessed via their .onion service, and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). 
Mailbox Mail also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox Mail also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox Mail has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers encrypt your emails in a way that only you can read them later, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between different providers. + +
+ +- ![Tuta logo](assets/img/email/tuta.svg#only-light){ .twemoji loading=lazy }![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ .twemoji loading=lazy } [Tuta](#tuta) + +
+ +### Tuta + +
+ +![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right } +![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right } + +**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. + +Free accounts start with 1 GB of storage. + +[:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://tuta.com/support){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } +[:octicons-heart-16:](https://tuta.com/community){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) +- [:simple-appstore: App Store](https://apps.apple.com/app/id922429609) +- [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) +- [:fontawesome-brands-windows: Windows](https://tuta.com/#download) +- [:simple-apple: macOS](https://tuta.com/#download) +- [:simple-linux: Linux](https://tuta.com/#download) +- [:octicons-browser-16: Web](https://app.tuta.com) + +
+ +
+ +Tuta doesn't support the [IMAP protocol](https://tuta.com/support#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tuta app. [Email import](https://github.com/tutao/tutanota/issues/630) is not currently supported either, though this is [due to be changed](https://tuta.com/blog/kickoff-import). Emails can be exported [individually or by bulk selection](https://tuta.com/support#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and unlimited aliases on [custom domains](https://tuta.com/support#custom-domain). Tuta doesn't allow for [sub-addressing (plus addresses)](https://tuta.com/support#plus), but you can use a [catch-all](https://tuta.com/support#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tuta only directly accepts credit cards and PayPal, however you can use [**cryptocurrency**](cryptocurrency.md) to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore. + +#### :material-check:{ .pg-green } Account Security + +Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tuta stores your [emails](https://tuta.com/support#what-encrypted), [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar) with strong encryption where only you have the decryption keys. This means the messages and other data stored in your account cannot be read by anyone other than you after they are stored. 
+ +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tuta [does not use OpenPGP](https://tuta.com/support/#pgp). Tuta accounts can only receive encrypted emails from non-Tuta email accounts when sent via a [temporary Tuta mailbox](https://tuta.com/support/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount. + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an email provider, and conduct your own research to ensure the email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider has the features you require. + +**Minimum to Qualify:** + +- Must encrypt email account data at rest with asymmetric encryption, where only the user has the private keys needed to decrypt it. +- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). 
Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Must operate on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Should encrypt all account data (contacts, calendars, etc.) at rest with asymmetric encryption, where only the user has the private keys needed to decrypt it. +- Should provide integrated webmail E2EE/PGP encryption as a convenience. +- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`. +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing). +- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Catch-all or alias functionality for those who use their own domains. +- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. +- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. 
+ +**Minimum to Qualify:** + +- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field. +- Must not require personally identifiable information (PII) besides a username and a password. +- Privacy policy must meet the requirements defined by the GDPR. + +**Best Case:** + +- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) +- Should be hosted in a jurisdiction with strong email privacy protection laws. + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp). +- Encryption at rest, using asymmetric encryption where the service provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to, or a remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. 
+- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Published security audits from a reputable, third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. 
+- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend, we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc.). +- Must not have any irresponsible marketing, which can include the following: + - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. + - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.: + - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/fi/encryption.md b/i18n/fi/encryption.md new file mode 100644 index 00000000..bcbfca1e --- /dev/null +++ b/i18n/fi/encryption.md 
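Review bot: the Proton Mail telemetry steps spell the setting as "Collect usage dignostics" in both the Web and the Mobile tab; readers match these labels against the UI, so this should read "diagnostics" unless the product really uses that spelling. In the Technology criteria the custom-domain requirement appears twice with the same rationale sentence, once under Minimum to Qualify ("Allow users to use their own domain name") and once under Best Case ("Should allow users to use their own domain name"); keep it in one tier, since a best-case item that is already a minimum requirement tells the reader nothing. In the Marketing list, "Reusing personal information e.g. (email accounts, unique pseudonyms, etc.)" has the parenthesis in the wrong place, and the sentence "it means there is no certainty for failure" is hard to parse and worth rewording. The RFC links also mix `tools.ietf.org/html/...` and `datatracker.ietf.org/doc/...`; pick one form. Finally, the file is added under `i18n/fi/` but the body is entirely English, so either this is a placeholder for the translation pipeline (say so in the commit message) or the Finnish strings are missing.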
@@ -0,0 +1,376 @@ +--- +meta_title: "Recommended Encryption Software: VeraCrypt, Cryptomator, and OpenPGP - Privacy Guides" +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +cover: encryption.webp +--- + +**Encryption** is the only secure way to control who can access your data. If you are currently not using encryption software for your hard disk, emails, or files, you should pick an option here. + +## Multi-platform + +The options listed here are available on multiple platforms and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +Protects against the following threat(s): + +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy ""){.pg-orange} + +
+ +![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + +**Cryptomator** is an encryption solution designed for privately saving files to any cloud [:material-server-network: Service Provider](basics/common-threats.md#privacy-from-service-providers){ .pg-teal }, eliminating the need to trust that they won't access your files. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + +[:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.cryptomator.org){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } +[:octicons-heart-16:](https://cryptomator.org/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1560822163) +- [:simple-android: Android](https://cryptomator.org/android) +- [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads) +- [:simple-apple: macOS](https://cryptomator.org/downloads) +- [:simple-linux: Linux](https://cryptomator.org/downloads) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +
+ +
+ +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Cryptomator is free to use on all desktop platforms, as well as on iOS in "read only" mode. Cryptomator offers [paid](https://cryptomator.org/pricing) apps with full functionality on iOS and Android. The Android version can be purchased anonymously via [ProxyStore](https://cryptomator.org/coop/proxystore). + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices) for use in further detail. + +### VeraCrypt (Disk) + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} + +
+ +![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } +![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + +**VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + +[:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } +[:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title="Documentation" } +[:octicons-code-16:](https://veracrypt.fr/code){ .card-link title="Source Code" } +[:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://veracrypt.fr/en/Downloads.html) +- [:simple-apple: macOS](https://veracrypt.fr/en/Downloads.html) +- [:simple-linux: Linux](https://veracrypt.fr/en/Downloads.html) + +
+ +
+ +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +TrueCrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## Operating System Encryption + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} + +Built-in OS encryption solutions generally leverage hardware security features such as a [secure cryptoprocessor](basics/hardware.md#tpmsecure-cryptoprocessor). Therefore, we recommend using the built-in encryption solutions for your operating system. For cross-platform encryption, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in. + +
+ +Shut devices down when not in use. + +Powering off your devices when they’re not in use provides the highest level of security, as it minimizes the attack surface of your FDE method by ensuring no encryption keys remain in memory. + +
+ +### BitLocker + +
+ +![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + +**BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security. + +[:octicons-info-16:](https://learn.microsoft.com/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title="Documentation" } + + + +
+ +BitLocker is [officially supported](https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf) on the Pro, Enterprise, and Education editions of Windows. The Home edition only supports automatic [Device Encryption](https://support.microsoft.com/en-us/windows/device-encryption-in-windows-cf7e2b6f-3e70-4882-9532-18633605b7df) and must meet specific hardware requirements. If you’re using the Home edition, we recommend [upgrading to Pro](https://support.microsoft.com/en-us/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818), which can be done without reinstalling Windows or losing your files. + +Pro and higher editions also support the more secure pre-boot [TPM+PIN](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#what-is-the-difference-between-a-tpm-owner-password--recovery-password--recovery-key--pin--enhanced-pin--and-startup-key) feature, configured through the appropriate [group policy](os/windows/group-policies.md#bitlocker-drive-encryption) settings. The PIN is rate limited and the TPM will panic and lock access to the encryption key either permanently or for a period of time if someone attempts to brute force access. + + + +### FileVault + +
+ +![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + +**FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault takes advantage of the [hardware security capabilities](os/macos-overview.md#hardware-security) present on an Apple Silicon SoC or T2 Security Chip. + +[:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title="Documentation" } + + + +
+ +We advise against using your iCloud account for recovery; instead, you should securely store a local recovery key on a separate storage device. + +### Linux Unified Key Setup + +
+ +![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + +**LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + +[:octicons-repo-16: Repository](https://gitlab.com/cryptsetup/cryptsetup#what-the-){ .md-button .md-button--primary } +[:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title="Documentation" } +[:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup){ .card-link title="Source Code" } + + + +
+ +
+Creating and opening encrypted containers + +```bash +dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress +sudo cryptsetup luksFormat /path-to-file +``` + +#### Opening encrypted containers + +We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + +```bash +udisksctl loop-setup -f /path-to-file +udisksctl unlock -b /dev/loop0 +``` + +
+ +
+

Remember to back up volume headers

+ +We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + +```bash +cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img +``` + +
+ +## Command-line + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +
+ +![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + +**Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign) to provide a simple, easier alternative to GPG. + +[:octicons-home-16: Homepage](https://kryptor.co.uk){ .md-button .md-button--primary } +[:octicons-eye-16:](https://kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://kryptor.co.uk/tutorial){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } +[:octicons-heart-16:](https://kryptor.co.uk/#donate){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://kryptor.co.uk) +- [:simple-apple: macOS](https://kryptor.co.uk) +- [:simple-linux: Linux](https://kryptor.co.uk) + +
+ +
+ +### Tomb + +
+ +![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + +**Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://dyne.org/software/tomb/#advanced-usage). + +[:octicons-home-16: Homepage](https://dyne.org/software/tomb){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } +[:octicons-heart-16:](https://dyne.org/donate){ .card-link title="Contribute" } + + + +
+ +## OpenPGP + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy ""){.pg-orange} +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +
+

Use future defaults when generating a key

+ +When [generating keys](https://gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to): + +```bash +gpg --quick-gen-key alice@example.com future-default +``` + +
+ +### GNU Privacy Guard + +
+ +![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + +**GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + +[:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title="Documentation" } +[:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) +- [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html) +- [:simple-apple: macOS](https://gpgtools.org) +- [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +
+ +
+ +### GPG4win + +
+ +![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + +**GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + +[:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title="Documentation" } +[:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } +[:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html) + +
+ +
+ +### GPG Suite + +
+ +![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + +**GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail-macos) and other email clients on macOS. + +We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge Base](https://gpgtools.tenderapp.com/kb) for support. + +[:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-apple: macOS](https://gpgtools.org) + +
+ +
+ +Currently, GPG Suite does [not yet](https://gpgtools.com/sequoia) have a stable release for macOS Sonoma and later. + +### OpenKeychain + +
+ +![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + +**OpenKeychain** is an implementation of GnuPG for Android. It's commonly required by mail clients such as [Thunderbird](email-clients.md#thunderbird), [FairEmail](email-clients.md#fairemail-android), and other Android apps to provide encryption support. + +[:octicons-home-16: Homepage](https://openkeychain.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://openkeychain.org/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +
+ +
+ +Cure53 completed a [security audit](https://openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. The published audit and OpenKeychain's solutions to the issues raised in the audit can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/fi/file-sharing.md b/i18n/fi/file-sharing.md new file mode 100644 index 00000000..d24193c5 --- /dev/null +++ b/i18n/fi/file-sharing.md 
@@ -0,0 +1,122 @@ +--- +title: File Sharing and Sync +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +cover: file-sharing.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +If you already use [Proton Drive](cloud.md#proton-drive)[^1] or have a [Bitwarden](passwords.md#bitwarden) Premium[^2] subscription, consider using the file sharing capabilities that they each offer, both of which use end-to-end encryption. Otherwise, the standalone options listed here ensure that the files you share are not read by a remote server. + +### Send + +
+ +![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + +**Send** is a fork of Mozilla's discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee). You can use other public instances, or you can host Send yourself. + +[:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } +[:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} +[:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title="Contribute" } + + + +
+ +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +
+ +![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + +**OnionShare** is an open-source tool that lets you securely and [:material-incognito: anonymously](basics/common-threats.md#anonymity-vs-privacy){ .pg-purple } share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + +[:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } +[:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://docs.onionshare.org){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://onionshare.org/#download) +- [:simple-apple: macOS](https://onionshare.org/#download) +- [:simple-linux: Linux](https://onionshare.org/#download) +- [:simple-flathub: Flathub](https://flathub.org/apps/org.onionshare.OnionShare) + +
+ +
+ +OnionShare provides the option to connect via [Tor bridges](https://docs.onionshare.org/2.6.2/en/tor.html#automatic-censorship-circumvention) to circumvent [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship ""){.pg-blue-gray}. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## File Sync + +### Syncthing (P2P) + +
+ +![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + +**Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + +[:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } +[:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } +[:octicons-heart-16:](https://syncthing.net/donations){ .card-link title=Contribute } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://syncthing.net/downloads) +- [:simple-apple: macOS](https://syncthing.net/downloads) +- [:simple-linux: Linux](https://syncthing.net/downloads) +- [:simple-freebsd: FreeBSD](https://syncthing.net/downloads) + +
+ +
+ +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have mobile clients for iOS and Android which at least support document previews. +- Should support photo backups from iOS and Android, and optionally support file/folder sync on Android. + +[^1]: Proton Drive allows you to [share files or folders](https://proton.me/support/drive-shareable-link) by generating a shareable public link or sending a unique link to a designated email address. Public links can be protected with a password, set to expire, and completely revoked, while links shared via email can have custom permissions and be similarly revoked. Per Proton Drive's [privacy policy](https://proton.me/drive/privacy-policy), file contents, file and folder names, and thumbnail previews are end-to-end encrypted. +[^2]: With a [premium](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) subscription, [Bitwarden Send](https://bitwarden.com/products/send) allows you to share files and text securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the Send link. 
Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). diff --git a/i18n/fi/financial-services.md b/i18n/fi/financial-services.md new file mode 100644 index 00000000..6503019a --- /dev/null +++ b/i18n/fi/financial-services.md @@ -0,0 +1,112 @@ +--- +title: Financial Services +icon: material/bank +cover: financial-services.webp +description: These services can assist you in protecting your privacy from merchants and other trackers, which is one of the biggest challenges to privacy today. +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +Protects against the following threat(s): + +- [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information ""){.pg-green} + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +
+

Check your current bank

+ +Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way, you are not trusting multiple parties with your personal information. + +
+ +### Privacy.com (US) + +
+ +![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } +![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + +**Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plans provide higher limits on the number of cards that can be created each month. + +[:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.privacy.com){ .card-link title=Documentation} + + + +
+ +Privacy.com gives information about the merchants you purchase from to your bank by [default](https://support.privacy.com/hc/en-us/articles/360012407533-What-will-I-see-on-my-bank-statement-when-I-make-a-purchase-with-Privacy). Their "[private spend mode](https://support.privacy.com/hc/en-us/articles/26732314558487-What-is-Private-Spend-Mode)" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com, but not where that money was spent. However, that is not foolproof, and of course, Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +
+ +![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } +![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + +**MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email-aliasing.md) for extensive email aliasing use. + +[:octicons-home-16: Homepage](https://mysudo.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://anonyome.com/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.mysudo.com){ .card-link title=Documentation} + + + +
+ +MySudo's virtual cards are currently only available via their iOS app. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +Protects against the following threat(s): + +- [:material-eye-outline: Mass Surveillance](basics/common-threats.md#mass-surveillance-programs ""){.pg-blue} + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, with significantly higher limits for ID verified accounts (if offered). + +### Coincards + +
+ +![Coincards logo](assets/img/financial-services/coincards.svg){ align=right } + +**Coincards** allows you to purchase gift cards for a large variety of merchants. Their homepage has a complete listing of the various countries where their service is available. + +[:octicons-home-16: Homepage](https://coincards.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://coincards.com/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://coincards.com/frequently-asked-questions){ .card-link title=Documentation} + + + +
+ +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. + +
+

Important notices

+ +The content here is not legal or financial advice. We do not endorse or encourage illicit activities, and we do not endorse or encourage anything which violates a company's terms of service. Check with a professional to confirm that these recommendations are legal and available in your jurisdiction. [See all notices](about/notices.md). + +
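Review bot: in i18n/fi/financial-services.md the Documentation links for Privacy.com, MySudo and Coincards are written as `{ .card-link title=Documentation}`, with an unquoted attribute value and no space before the closing brace, while the Privacy Policy links beside them use `title="Privacy Policy" }`. Suggest `{ .card-link title="Documentation" }` so all three cards match the attribute-list form used elsewhere in this patch. Separately, "However, that is not foolproof" in the Privacy.com paragraph does not say what can still reveal the merchant to the bank; a short clause naming the limitation would make the caveat actionable. "Basic limits typically start at $5,000-10,000 a day for basic accounts" also repeats "basic" and could drop one of the two.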
diff --git a/i18n/fi/frontends.md b/i18n/fi/frontends.md new file mode 100644 index 00000000..1b9b0a83 --- /dev/null +++ b/i18n/fi/frontends.md @@ -0,0 +1,263 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +cover: frontends.webp +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to circumvent these restrictions. + +If you choose to self-host these frontends, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting, as other peoples' usage will be linked to your hosting. + +When you are using an instance run by someone else, make sure to read the privacy policy of that specific instance (if available). They can be modified by their owners and therefore may not reflect the default policy. Some instances have [Tor](tor.md) .onion addresses, which may grant some privacy as long as your search queries don't contain personally identifiable information. + +## Reddit + +### Redlib + +
+ +![Redlib logo](assets/img/frontends/redlib.svg){ align=right } + +**Redlib** is an open-source frontend to the [Reddit](https://reddit.com) website that is also self-hostable. You can access Redlib through a number of public instances. + +[:octicons-repo-16: Repository](https://github.com/redlib-org/redlib){ .md-button .md-button--primary } +[:octicons-server-16:](https://github.com/redlib-org/redlib-instances/blob/main/instances.md){ .card-link title="Public Instances" } +[:octicons-info-16:](https://github.com/redlib-org/redlib?tab=readme-ov-file#table-of-contents){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/redlib-org/redlib){ .card-link title="Source Code" } + +
+ +
+

Note

+ +The [Old Reddit](https://old.reddit.com) website doesn't require as much JavaScript as the new Reddit website does, but it has recently blocked access to IP addresses reserved for public VPNs. You can use Old Reddit in conjunction with the [Tor](tor.md) Onion that was [launched in October 2022](https://forum.torproject.org/t/reddit-onion-service-launch/5305) at [https://old.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqnwfj4ooad.onion](https://old.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqnwfj4ooad.onion). + +
+ +
+

Tip

+ +Redlib is useful if you want to disable JavaScript in your browser, such as [Tor Browser](tor.md#tor-browser) on the Safest security level. + +
+ +## TikTok + +### ProxiTok + +
+ +![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + +**ProxiTok** is an open-source frontend to the [TikTok](https://tiktok.com) website that is also self-hostable. + +There are a number of public instances, with some that offer a [Tor](tor.md) onion service or an [I2P](alternative-networks.md#i2p-the-invisible-internet-project) eepsite. + +[:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } +[:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances" } +[:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + + + +
+ +
+

Tip

+ +ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](tor.md#tor-browser) on the Safest security level. + +
+ +## YouTube + +**Note:** YouTube has gradually rolled out changes to its video player and API that have thwarted some of the methods used by third-party frontends for extracting YouTube data. If you experience reliability issues with one YouTube frontend, consider trying out another that uses a different extraction method. + +### Invidious + +
+ +![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } +![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + +**Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + +There are a number of public instances, with some that offer a [Tor](tor.md) onion service or an [I2P](alternative-networks.md#i2p-the-invisible-internet-project) eepsite. + +[:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } +[:octicons-server-16:](https://docs.invidious.io/instances){ .card-link title="Public Instances" } +[:octicons-info-16:](https://docs.invidious.io){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } +[:octicons-heart-16:](https://invidious.io/donate){ .card-link title="Contribute" } + + + +
+ +
+

Warning

+ +Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +
+ +
+

Tip

+ +Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](tor.md#tor-browser) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +
+ +### Piped + +
+ +![Piped logo](assets/img/frontends/piped.svg){ align=right } + +**Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + +Piped requires JavaScript in order to function and there are a number of public instances. + +[:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } +[:octicons-server-16:](https://github.com/TeamPiped/documentation/blob/main/content/docs/public-instances/index.md){ .card-link title="Public Instances" } +[:octicons-info-16:](https://docs.piped.video/docs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title="Contribute" } + + + +
+ +
+

Tip

+ +Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +
+ +### FreeTube + +
+ +![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + +**FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). FreeTube extracts data from YouTube using its built-in API based on [YouTube.js](https://github.com/LuanRT/YouTube.js) or the [Invidious](#invidious) API. You can configure either as the default, with the other serving as a fallback. + +When using FreeTube, your subscription list, playlists, watch history and search history are saved locally on your device. + +[:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.freetubeapp.io){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } +[:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download) +- [:simple-apple: macOS](https://freetubeapp.io/#download) +- [:simple-linux: Linux](https://freetubeapp.io/#download) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +
+ +
+ +
+

Warning

+ +When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), or [SponsorBlock](https://sponsor.ajay.app) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +
+ +By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +
+ +![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } +![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + +**LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + +Your subscription list and playlists are saved locally on your Android device. + +[:octicons-home-16: Homepage](https://libretube.dev){ .md-button .md-button--primary } +[:octicons-eye-16:](https://github.com/libre-tube/LibreTube/blob/master/PRIVACY_POLICY.md){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://libretube.dev/#faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/libre-tube/LibreTube#donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +
+ +
+ +
+

Warning

+ +When using LibreTube, your IP address will be visible to YouTube, [Piped](https://github.com/TeamPiped/Piped/wiki/Instances), or [SponsorBlock](https://sponsor.ajay.app) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +
+ +By default, LibreTube blocks all YouTube advertisements. Additionally, LibreTube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +
+ +![NewPipe logo](assets/img/frontends/newpipe.svg){ align=right } + +**NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org) (1). + +Your subscription list and playlists are saved locally on your Android device. + +[:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } +[:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://newpipe.net/FAQ){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } +[:octicons-heart-16:](https://newpipe.net/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +
+ +
+ +1. The default instance is [FramaTube](https://framatube.org), however more can be added via **Settings** → **Content** → **PeerTube instances**. + +
+

Warning

+ +When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](tor.md) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +We only consider frontends if one of the following is true for a platform: + +- Normally only accessible with JavaScript enabled. +- Normally only accessible with an account. +- Blocks access from commercial [VPNs](vpn.md). + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. diff --git a/i18n/fi/health-and-wellness.md b/i18n/fi/health-and-wellness.md new file mode 100644 index 00000000..382c287d --- /dev/null +++ b/i18n/fi/health-and-wellness.md 
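Review bot: in i18n/fi/frontends.md the three IP-exposure warnings disagree in strength. FreeTube says your IP address "may still be known to" YouTube, Invidious or SponsorBlock, while LibreTube and NewPipe say it "will be visible to" the provider. If the exposure is the same kind in all three cases (a direct connection to whichever backend is configured), use the same wording so readers do not infer that FreeTube leaks less. Two possessives also need fixing: "other peoples' usage" in the self-hosting paragraph should be "other people's usage", and "within the instances' settings" in the Invidious warning should be "the instance's settings". The Invidious and Piped tips use a curly apostrophe in "don’t" where the rest of the file uses straight ones.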
@@ -0,0 +1,163 @@ +--- +meta_title: "Privacy-Respecting Health and Wellness apps for Android and iOS - Privacy Guides" +title: "Health and Wellness" +icon: material/heart-pulse +description: These applications are what we currently recommend for all health- and fitness-related activites on your phone. +cover: health.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal } + +Keep track of your health and fitness-related goals with these apps. Unlike their mainstream alternatives, your personal health information will be kept private. + +## Menstrual Cycle Tracking + +Popular menstrual trackers like [Flo](https://techcrunch.com/2021/01/13/flo-gets-ftc-slap-for-sharing-user-data-when-it-promised-privacy) are notorious for collecting and sharing your user data. Depending on your jurisdiction, this may lead to [legal consequences](https://forbes.com/sites/abigaildubiniecki/2024/11/14/post-roe-your-period-app-data-could-be-used-against-you) affecting your reproductive autonomy. + +### Drip + +
+ +![Drip logo](assets/img/health-and-wellness/drip.png){ align=right } + +**Drip** is a gender-inclusive and open source menstrual cycle tracker available on all mobile platforms. It relies on the "sympto-thermal method" to predict ovulation. All user data is stored locally on your device and can be protected with a password. + +[:octicons-home-16: Homepage](https://bloodyhealth.gitlab.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://bloodyhealth.gitlab.io/privacy-policy.html){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://bloodyhealth.gitlab.io/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://gitlab.com/bloodyhealth/drip){ .card-link title="Source Code" } + +
Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.drip) +- [:simple-appstore: App Store](https://apps.apple.com/us/app/drip/id1584564949) +- [:simple-android: Android](https://bloodyhealth.gitlab.io) + +
+ +
+ +### Euki + +
+ +![Euki logo](assets/img/health-and-wellness/euki.svg){ align=right } + +**Euki** is a nonprofit-backed menstrual cycle tracker that also doubles as a medication tracker and sexual wellness knowledge base. It allows you to schedule the automatic deletion of your personal data in the app. All user data is stored locally on your device and can be protected with a password. + +[:octicons-home-16: Homepage](https://eukiapp.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://eukiapp.org/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-code-16:](https://github.com/Euki-Inc/Euki-Android){ .card-link title="Source Code" } +[:octicons-heart-16:](https://every.org/euki-app){ .card-link title="Contribute" } + +
Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kollectivemobile.euki) +- [:simple-appstore: App Store](https://apps.apple.com/app/euki/id1469213846) + +
+ +
+ +## Fitness Trackers + +These general purpose apps can do everything from counting steps and tracking sleep to measuring your heartbeat. + +### Apple Fitness + +
+ +![Apple Fitness logo](assets/img/health-and-wellness/apple-fitness.webp){ align=right } + +**Apple Fitness** is the default fitness app for iOS. Apple Fitness always uses end-to-end encryption when syncing across multiple devices. Additionally, almost all measured data is processed on your device. + +[:octicons-eye-16:](https://apple.com/legal/privacy/consumer-health-personal-data/en-ww){ .card-link title="Privacy Policy" } + +
Downloads + +- [:simple-appstore: App Store](https://apps.apple.com/app/id1208224953) + +
+ +
+ +### Gadgetbridge + +
+ +![Gadgetbridge logo](assets/img/health-and-wellness/gadgetbridge.svg#only-light){ align=right }![Gadgetbridge logo](assets/img/health-and-wellness/gadgetbridge-dark.svg#only-dark){ align=right } + +**Gadgetbridge** is an open-source Android application which allows you to pair and manage your Bluetooth device without relying on the vendor’s application. When paired with a compatible smartwatch, it can mimic the health and wellness functionality of these watches without third-party data collection. + +[:octicons-home-16: Homepage](https://gadgetbridge.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://gadgetbridge.org/basics){ .card-link title="Documentation" } +[:octicons-code-16:](https://codeberg.org/Freeyourgadget/Gadgetbridge){ .card-link title="Source Code" } +[:octicons-heart-16:](https://liberapay.com/Gadgetbridge/donate){ .card-link title="Contribute" } + +
Downloads + +- [:simple-fdroid: F-Droid](https://f-droid.org/packages/nodomain.freeyourgadget.gadgetbridge) + +
+ +
+ +Gadgetbridge's app functionality includes, but is not limited to: step counting, sleep tracking, heart rate monitoring, etc. + +Make sure to review the smartwatch [compatibility list](https://gadgetbridge.org/gadgets) before purchasing a device. Some devices require you to download the vendor's app and connect the smartwatch to their servers prior to installing Gadgetbridge. + +## Health Records + +These apps help you collect and manage personal health data and share it with health providers, organizations, and other apps. + +### Apple Health Records + +
+ +![Apple logo](assets/img/health-and-wellness/apple-health.webp#only-light){ align=right }![Apple logo](assets/img/health-and-wellness/apple-health-dark.webp#only-dark){ align=right } + +**Apple Health Records** is a built-in feature within [Apple Health](https://apple.com/health) that allows you to view, store, and share your health records. It shares the security and privacy features of [Apple Fitness](#apple-fitness). + +[:octicons-home-16: Homepage](https://apple.com/health){ .md-button .md-button--primary } +[:octicons-eye-16:](https://apple.com/legal/privacy/consumer-health-personal-data/en-ww){ .card-link title="Privacy Policy" } + +
Downloads + +- [:simple-appstore: App Store](https://apps.apple.com/app/apple-health/id1242545199) + +
+ +
+ +### CommonHealth + +
+ +![CommonHealth logo](assets/img/health-and-wellness/commonhealth.png){ align=right } + +**CommonHealth** is a privacy-respecting Android app that allows people to access their electronic health records and securely share it to providers. All health data is stored on your device and can be protected with a passcode or biometric authentication. + +[:octicons-home-16: Homepage](https://commonhealth.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://commonhealth.org/privacy){ .card-link title="Privacy Policy" } + +
Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thecommonsproject.android.phr) + +
+ +
+ +CommonHealth is only available in the United States. Although the app itself is closed source, the [developer SDK is open source](https://github.com/the-commons-project). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must support automatic updates. +- Must not store unencrypted data outside the device. +- Must function offline. diff --git a/i18n/fi/index.md b/i18n/fi/index.md new file mode 100644 index 00000000..322a8c4c --- /dev/null +++ b/i18n/fi/index.md 
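Review bot: in i18n/fi/health-and-wellness.md the front-matter `description` misspells "activities" as "activites". Since this string is page metadata rather than body text, it is worth fixing before merge. In the CommonHealth card, "access their electronic health records and securely share it to providers" has a number mismatch and an odd preposition; "share them with providers" reads correctly. The Drip card says it is "available on all mobile platforms" but the download list shows only Google Play, App Store and a direct Android link, so "available on Android and iOS" would match what is listed.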
@@ -0,0 +1,119 @@ +--- +meta_title: "Privacy Guides: Independent Privacy & Security Resources" +description: "Established in 2021, Privacy Guides is the most popular & trustworthy non-profit resource to find privacy tools and learn about protecting your digital life." +template: home.html +social: + cards_layout: home +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/ + logo: https://www.privacyguides.org/en/assets/brand/logos/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +
+
+## Why should I care? + +> “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-book-outline: Why Privacy Matters](basics/why-privacy-matters.md){ class="md-button" } +
+ +
+## What should I do? + +> First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the *privacy tools* you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md){ class="md-button" } +
+
+ +## Trustworthy Privacy Software Reviews + +
+ +
+**Privacy Guides** has a dedicated [community](https://discuss.privacyguides.net) independently reviewing various *privacy tools* and services. Each of our recommendations comply with a strict set of criteria to ensure they provide the most value to most people, and provide the best balance of privacy, security, and convenience. As part of a non-profit **public charity**, Privacy Guides has strict **journalistic standards** and policies to ensure our recommendations are free of conflict of interest, and we do not partner with providers or affiliate programs that could sway our reviews and recommendations. + +[:material-heart:{.pg-red} Support Our Work](about/donate.md){ class="md-button md-button--primary" data-portal="signup" } + +
+ +- [x] **Ad-Free Recommendations** +- [x] **Complete Editorial Independence** +- [x] **Non-Profit & Open Source** +- [x] **Frequent Updates** +- [x] **Trusted by Journalists** +- [x] **Trusted by Readers** + +
+ +--- + +## About Privacy Guides + +![Privacy Guides logo](assets/brand/logos/png/square/pg-yellow.png){ align=right loading=lazy } + +Established in 2021 due to the difficulty of finding unbiased reviewers in the VPN and privacy space, **Privacy Guides** is the most popular, trustworthy, non-profit website that provides information about protecting your *personal* data security and privacy. Our crowdsourced recommendations and reviews of **privacy tools** and our community dedicated to helping others set us apart from other blogs and content creators. The team behind this project has been researching privacy and security in the open-source space for over 5 years, originally with a now-defunct web resource that eventually became the *Privacy Guides* millions of readers trust. + +*Our website is free of advertisements and not affiliated with any of the listed providers.* + +As seen in **WIRED**, **Tweakers.net**, **The New York Times**, and many other publications as a reliable source for privacy and security knowledge. + +[:material-information: More About Who We Are](about.md){ class="md-button" } + +
+
+## What are privacy tools? + +We recommend a wide variety of **privacy tools** (a.k.a. *privacy apps*, *privacy utilities*, *privacy software*) spanning software and hardware that you can use to improve your privacy. Many of the tools we recommend are completely free to use and open-source software, while some are commercial services available for purchase. Switching from mainstream data-hungry software like Google Chrome and Windows to privacy-focused tools like [Brave](desktop-browsers.md#brave) and [Linux](desktop.md) can go a long way towards controlling the information you share with companies and others. + +[:material-check-all: Our General Criteria](about/criteria.md){ class="md-button" } +
+ +
+## Why does privacy matter? + +In the modern age of digital data exploitation, your privacy has never been more critical, yet many believe it is already a lost cause. It is not. ==Your privacy is up for grabs, and you need to care about it.== Privacy is about power, and it is so important that this power ends up in the right hands. + +Many people get the concepts of privacy, security, and anonymity confused. You'll see people criticize various products as "not private" when really they mean it doesn't provide anonymity, for example. On this website, we cover all three of these topics, but it is important you understand the difference between them, and when each one comes into play. + +[:material-movie-open-play-outline: Video: 5 Steps to Improve Your Privacy](https://www.privacyguides.org/videos/2025/02/14/5-easy-steps-to-protect-yourself-online){ class="md-button" } +
+
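Review bot: in i18n/fi/index.md, "Each of our recommendations comply with a strict set of criteria" has a subject-verb mismatch ("Each ... complies"), and "woman's suffrage" in the "Why should I care?" block should be "women's suffrage". The front-matter `description` and the "About Privacy Guides" paragraph both state "the most popular" and "trustworthy" as fact; nothing in this file supports the claim, so consider either citing a source or softening the wording. In the last block, "it is so important that this power ends up in the right hands" would read more cleanly as "it is important that this power ends up in the right hands".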
diff --git a/i18n/fi/language-tools.md b/i18n/fi/language-tools.md new file mode 100644 index 00000000..5d3a93b4 --- /dev/null +++ b/i18n/fi/language-tools.md @@ -0,0 +1,73 @@ +--- +title: "Language Tools" +icon: material/alphabetical-variant +description: These language tools do not send your input text to a server and can be used offline and self-hosted. +cover: language-tools.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal } +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } + +Text inputted to grammar, spelling, and style checkers, as well as translation services, can contain sensitive information which may be stored on their servers for an indefinite amount of time and sold to third parties. The language tools listed on this page do not store your submitted text on a server and can be self-hosted and used offline for maximum control of your data. + +## Grammar & Spelling + +### LanguageTool + +
+ +![LanguageTool logo](assets/img/language-tools/languagetool.svg#only-light){ align=right } +![LanguageTool logo](assets/img/language-tools/languagetool-dark.svg#only-dark){ align=right } + +**LanguageTool** is a multilingual grammar, style, and spell checker that supports more than 20 languages. According to their privacy policy, they do not store any content sent to their service for review, but for higher assurance the software is [self-hostable](https://dev.languagetool.org/http-server). + +[:octicons-home-16: Homepage](https://languagetool.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://languagetool.org/legal/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://languagetooler.freshdesk.com/en/support/solutions){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/languagetool-org){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-appstore: App Store](https://apps.apple.com/app/id1534275760) +- [:fontawesome-brands-windows: Windows](https://languagetool.org/windows-desktop) +- [:simple-apple: macOS](https://languagetool.org/mac-desktop) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/languagetool) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/oldceeleldhonbafppcapldpdifcinji) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/hfjadhjooeceemgojogkhlppanjkbobc) +- [:simple-safari: Safari](https://apps.apple.com/app/id1534275760) + +
+ +
+ +LanguageTool offers integration with a variety of [office suites](https://languagetool.org/services#text_editors) and [email clients](https://languagetool.org/services#mail_clients). + +## Translation Tools + +### LibreTranslate + +
+ +![LibreTranslate logo](assets/img/language-tools/libretranslate.png){ align=right } + +**LibreTranslate** is a free and open-source machine translation web interface and API server. It uses [Argos Translate](https://github.com/argosopentech/argos-translate) models on the backend for translations. + +[:octicons-home-16: Homepage](https://libretranslate.com){ .md-button .md-button--primary } +[:octicons-server-16:](https://github.com/LibreTranslate/LibreTranslate#mirrors){ .card-link title="Public Instances" } +[:octicons-code-16:](https://github.com/LibreTranslate/LibreTranslate){ .card-link title="Source Code" } + +
+ +You can use LibreTranslate through a number of public instances, with some that offer a [Tor](tor.md) onion service or an [I2P](alternative-networks.md#i2p-the-invisible-internet-project) eepsite. You can also host the software yourself for maximum control over the text submitted for translation. + +We use a self-hosted instance of LibreTranslate to automatically translate posts on our [forum](https://discuss.privacyguides.net) to multiple languages. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must be open source. +- Must be possible to self-host. diff --git a/i18n/fi/maps.md b/i18n/fi/maps.md new file mode 100644 index 00000000..6593ddb9 --- /dev/null +++ b/i18n/fi/maps.md @@ -0,0 +1,102 @@ +--- +meta_title: "Recommended Maps and Navigation Apps - Privacy Guides" +title: Maps and Navigation +icon: material/map +description: Privacy-respecting map providers and navigation apps which don't build an advertising profile based on your searches and locations. +cover: maps.webp +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } + +Use a **map and navigation app** that doesn't build an advertising profile based on your searches and location history. Instead of using Google Maps, Apple Maps, or Waze, we recommend these privacy-respecting alternatives. + +The recommendations here do not collect personally identifying information (PII) based on each application's privacy policy. There is **no guarantee** that these privacy policies are honored. + +## Organic Maps + +
+ +![Organic Maps logo](assets/img/maps/organic-maps.svg){ align=right } + +**Organic Maps** is an open-source, community-developed map display and satnav-style navigation app for walkers, drivers, and cyclists. The app offers worldwide, offline maps based on OpenStreetMap data, and navigation with privacy — no location tracking, no data collection, and no ads. The app can be used completely offline. + +Features include cycling routes, hiking trails and walking paths, turn-by-turn navigation with voice guidance, and public transport route planning (only available in supported regions and cities). + +[:octicons-home-16: Homepage](https://organicmaps.app){ .md-button .md-button--primary } +[:octicons-eye-16:](https://organicmaps.app/privacy){ .card-link title="Privacy Policy" } +[:octicons-code-16:](https://github.com/organicmaps/organicmaps){ .card-link title="Source Code" } + +
Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.organicmaps) +- [:simple-appstore: App Store](https://apps.apple.com/app/organic-maps/id1567437057) +- [:simple-github: GitHub](https://github.com/organicmaps/organicmaps/releases) +- [:simple-linux: Linux](https://flathub.org/apps/app.organicmaps.desktop) + +
+ +
+ +Please note that Organic Maps is a simple, basic app that lacks certain features many users might expect, such as satellite images, street view images, and real-time traffic information. + +## OsmAnd + +
+ +![OsmAnd logo](assets/img/maps/osmand.svg){ align=right } + +**OsmAnd** is an open-source, offline map and navigation application based on OpenStreetMap that offers turn-by-turn navigation for walking, cycling, driving, as well as public transport. You can find a detailed overview of OsmAnd's supported [features](https://wiki.openstreetmap.org/wiki/OsmAnd#Features) on the OpenStreet Map Wiki. + +[:octicons-home-16: Homepage](https://osmand.net){ .md-button .md-button--primary } +[:octicons-eye-16:](https://osmand.net/docs/legal/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://osmand.net/docs/intro){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/osmandapp){ .card-link title="Source Code" } + +
Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.osmand) +- [:simple-appstore: App Store](https://apps.apple.com/us/app/id934850257) +- [:simple-android: Android](https://osmand.net/docs/versions/free-versions) + +
+ +
+ +
+

Unique User Identifier

+ +OsmAnd generates a [unique user identifier (UUID)](https://osmand.net/docs/legal/terms-of-use/#6-unique-user-indentifier) for each app install that rotates every three months and is used for internal reports and statistics. The UUID is also sent to OsmAnd's servers when downloading maps. On Android, there is a setting that controls whether the UUID is sent with each download request. From the home screen, go to :material-menu: → :gear: **Settings** → :gear: **OsmAnd settings** → :material-web: **Identifiers**. + +- [ ] Uncheck **Send Unique User Identifier (UUID)** + +This setting is not available on the iOS app. + +
+ +The app also includes a setting for sharing anonymous data about your downloaded maps and the features you use. This setting is disabled by default on Android, but enabled by default on iOS. To disable it in the iOS app, tap the :material-menu: on the home screen to find the :gear: **Settings** menu. Select that, then select :gear: **OsmAnd settings**. + +- [ ] Uncheck **Send anonymous data** + +OsmAnd allows you to overlay or underlay external map data, such as satellite images from Microsoft or [traffic data](https://themm.net/public/osmand_traffic) from Google, although the latter is ignored by the automatic route planning. OsmAnd also has an optional integration of street view images provided by [Mapillary](https://mapillary.com). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must not collect PII per their privacy policy. +- Must not require users to create an account with them. +- Must not require users to share location data. If the user opts in to sharing their location, this data must be anonymized. +- Must retain core functionality when offline and allow users to download maps for offline use. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Apps should be open source. +- Should have route planning for public transport. +- Should have real-time traffic information for route planning. 
+- Should support advanced features such as detailed shop/point of interest (POI) information and reviews, topographic maps, and satellite and street view images. diff --git a/i18n/fi/meta/admonitions.md b/i18n/fi/meta/admonitions.md new file mode 100644 index 00000000..376c1595 --- /dev/null +++ b/i18n/fi/meta/admonitions.md @@ -0,0 +1,280 @@ +--- +title: Admonitions +description: A guide for website contributors on creating admonitions. +--- + +**Admonitions** (or "call-outs") are tools that writers can use to include side content in an article without interrupting the document flow. + +
+

Example Admonition

+ +This is an example of an admonition. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa. + +
+ +
+Example Collapsible Admonition + +This is an example of a collapsible admonition. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa. + +
+ +## Formatting + +To add an admonition to a page, you can use the following code: + +```markdown title="Admonition" +
+

TITLE

+ +ENCLOSED TEXT + +
+``` + +```markdown title="Collapsible Admonition" +
+TITLE + +ENCLOSED TEXT + +
+``` + +The `TITLE` must be specified; if you don't want a specific title you can set it to the same text as the `TYPE` (see below) in title case, e.g. `Note`. The `ENCLOSED TEXT` should be Markdown formatted. + +### Regular types + +Replace `TYPE` in the examples above with one of the following: + +#### `note` + +
+

Note

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `abstract` + +
+

Abstract

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `info` + +
+

Info

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `tip` + +
+

Tip

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `success` + +
+

Success

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `question` + +
+

Question

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `warning` + +
+

Warning

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `failure` + +
+

Failure

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `danger` + +
+

Danger

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `bug` + +
+

Bug

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `example` + +
+

Example

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +#### `quote` + +
+

Quote

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. + +
+ +### Special Types + +#### `recommendation` + +This format is used to generate recommendation cards. Notably it is missing the `

` element. + +```markdown title="Recommendation Card" +

+ +![PhotoPrism logo](assets/img/self-hosting/photoprism.svg){ align=right } + +**PhotoPrism** is a self-hostable platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://photoprism.app/features). It does not include end-to-end encryption, so it's best hosted on a server that you trust and is under your control. + +[:octicons-home-16: Homepage](https://photoprism.app){ .md-button .md-button--primary } +[:octicons-eye-16:](https://photoprism.app/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://photoprism.app/kb){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/photoprism){ .card-link title="Source Code" } + +
+``` + +
+ +
+ +![PhotoPrism logo](../assets/img/self-hosting/photoprism.svg){ align=right } + +**PhotoPrism** is a self-hostable platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://photoprism.app/features). It does not include end-to-end encryption, so it's best hosted on a server that you trust and is under your control. + +[:octicons-home-16: Homepage](https://photoprism.app){ .md-button .md-button--primary } +[:octicons-eye-16:](https://photoprism.app/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://photoprism.app/kb){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/photoprism){ .card-link title="Source Code" } + +
+ +
+ +#### `downloads` + +This is a special type of collapsible admonition which is used to generate sections containing download links. It is only used within recommendation cards, as shown in the example above. + +```markdown title="Downloads Section" +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) +- [:simple-appstore: App Store](https://apps.apple.com/app/id979659905) +- [:simple-github: GitHub](https://github.com/ProtonMail/android-mail/releases) +- [:fontawesome-brands-windows: Windows](https://proton.me/mail/bridge#download) +- [:simple-apple: macOS](https://proton.me/mail/bridge#download) +- [:simple-linux: Linux](https://proton.me/mail/bridge#download) +- [:octicons-browser-16: Web](https://mail.proton.me) + +
+``` + +
+ +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) +- [:simple-appstore: App Store](https://apps.apple.com/app/id979659905) +- [:simple-github: GitHub](https://github.com/ProtonMail/android-mail/releases) +- [:fontawesome-brands-windows: Windows](https://proton.me/mail/bridge#download) +- [:simple-apple: macOS](https://proton.me/mail/bridge#download) +- [:simple-linux: Linux](https://proton.me/mail/bridge#download) +- [:octicons-browser-16: Web](https://mail.proton.me) + +
+ +
+ +## Old Format + +Throughout the site, you may see some admonitions formatted like the following examples: + +```markdown title="Admonition" +!!! note + + Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod + nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor + massa, nec semper lorem quam in massa. +``` + +
+ +
+

Note

+ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod +nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor +massa, nec semper lorem quam in massa. + +
+ +
+ +```markdown title="Collapsible Admonition" +??? example "Custom Title" + + Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod + nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor + massa, nec semper lorem quam in massa. +``` + +
+ +
+Custom Title + +Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod +nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor +massa, nec semper lorem quam in massa. + +
+ +
+ +**This format is no longer used going forward** because it is incompatible with newer versions of our translation software at Crowdin. When adding a new page to the site, only the newer, HTML-based format should be used. + +There is no rush to convert admonitions with the old format to the new format. Pages currently using this formatting should continue to work, but we will be updating them to use the newer, HTML-based format above over time as we continue to update the site. diff --git a/i18n/fi/meta/brand.md b/i18n/fi/meta/brand.md new file mode 100644 index 00000000..3afe36ff --- /dev/null +++ b/i18n/fi/meta/brand.md @@ -0,0 +1,23 @@ +--- +title: Branding Guidelines +description: A guide for journalists and website contributors on proper branding of the Privacy Guides wordmark and logo. +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the Subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at `jonah@privacyguides.org`. Consult your legal counsel if you have questions. diff --git a/i18n/fi/meta/commit-messages.md b/i18n/fi/meta/commit-messages.md new file mode 100644 index 00000000..60e51fb7 --- /dev/null +++ b/i18n/fi/meta/commit-messages.md 
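Review bot: In the Trademark section of meta/brand.md, the first sentence is a comma splice ("... trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project."), which is a poor fit for a paragraph that will be read as a legal statement. Split it into two sentences or join the clauses with "and". The line "Additional branding guidelines can be found at ..." is also missing its closing period.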
@@ -0,0 +1,78 @@ +--- +title: Commit Messages +description: A guide for website contributors on using useful Git commit messages when making website change requests. +--- + +For our commit messages we follow the style provided by [Conventional Commits](https://conventionalcommits.org). Not all of those suggestions are appropriate for Privacy Guides, so the main ones we use are: + +## Update to existing text + +This example could be used for an item already on the site, but includes a minor update to the description. + +```text +update: Add mention of security audit (#0000) +``` + +## Addition or removal of recommendations/pages + +This example is for the addition or removal of an item. You may elaborate why it was removed in the commit paragraph below. Note the extra `!` to draw attention to a major change. + +```text +update!: Remove foobar (#0000) + +Foobar was removed due to it having numerious security issues and being unmaintained. +``` + +You can actually add a `!` to _any_ of the types on this page to denote particularly large changes, but this is generally where it will be most appropriate. + +## Feature/enhancement + +For new features or enhancements to the site, e.g. things that have the `enhancements` label on GitHub, it may be appropriate to signify these with: + +```text +feat: Add blah blah (#0000) + +This change adds the forum topics to the main page +``` + +## Minor changes + +Small changes that **don't affect the meaning** of the article, e.g. correcting a typo, fixing grammar, changing formatting/whitespace, CSS updates, etc. + +```text +style: Typo correction in VPN overview +``` + +## Development-related types + +These commit types are typically used for changes that won't be visible to the general audience. + +We use `fix:` for changes that fix site related bugs. These things will usually have the `bug` label on GitHub. 
+ +```text +fix: Remove broken Invidious embeds (#0000) +``` + +We use `docs:` to denote changes to the developer documentation for this website, including (but not limited to) for example the README file, or most pages in `/docs/about` or `/docs/meta`: + +```text +docs: Update Git commit message guidelines (#0000) +``` + +We use `build:` for commits related to our build process, mainly dependency updates. + +```text +build: Bump modules/mkdocs-material from 463e535 to 621a5b8 +``` + +We use `ci:` for commits related to GitHub Actions, DevContainers, or other automated build platforms. + +```text +ci: Update Netlify config (#0000) +``` + +We use `refactor:` for changes which neither fix a bug nor add a feature, e.g. rearranging files, navigation order, etc. + +```text +refactor: Move docs/assets to theme/assets +``` diff --git a/i18n/fi/meta/git-recommendations.md b/i18n/fi/meta/git-recommendations.md new file mode 100644 index 00000000..7b9ab357 --- /dev/null +++ b/i18n/fi/meta/git-recommendations.md 
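Review bot: The example commit body under "Addition or removal of recommendations/pages" misspells "numerous" as "numerious". Contributors copy these examples, so fix it in the English source before it propagates to every locale. In the same file, "site related bugs" in the `fix:` paragraph should be hyphenated, and the `style:`, `build:` and `refactor:` examples omit the `(#0000)` reference that the other examples carry; say explicitly whether the PR number is optional for those types.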
@@ -0,0 +1,45 @@ +--- +title: Git Recommendations +description: A guide for website contributors on using Git effectively. +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + + ```bash + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` + +2. Set your SSH key for signing in Git with the following command, substituting `/PATH/TO/.SSH/KEY.PUB` with the path to the public key you'd like to use, e.g. `/home/user/.ssh/id_ed25519.pub`: + + ```bash + git config --global user.signingkey /PATH/TO/.SSH/KEY.PUB + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). 
+ +You can set this to be the default behavior: + +```bash +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +```bash +git fetch origin +git rebase origin/main +``` diff --git a/i18n/fi/meta/pr-comments.md b/i18n/fi/meta/pr-comments.md new file mode 100644 index 00000000..be2166b9 --- /dev/null +++ b/i18n/fi/meta/pr-comments.md 
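Review bot: The "Enable SSH Key Commit Signing" steps end once the key is configured and never tell the contributor how to confirm that a commit is actually signed. Add a verification step after step 2, for example running `git log --show-signature -1` on a test commit, and mention that local verification of SSH signatures needs `gpg.ssh.allowedSignersFile` to be set. State the minimum Git version as well, since `gpg.format ssh` requires Git 2.34 or later. Minor: step 1 mixes `commit.gpgsign` and `tag.gpgSign`; both work, but pick one casing.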
@@ -0,0 +1,44 @@ +--- +title: Commenting on PRs +description: A guide on participating in Pull Request discussions. +--- + +Please refrain from using the general **Add a comment** box in GitHub PRs when leaving a comment or performing a review. + +![Do not use the general "Add a comment" box in GitHub](../assets/img/meta/pr-avoid-general-comments.png) + +Comments that are left like this are not _threaded_, which makes it difficult to keep track of multiple conversations. + +Comments that are instead left in the manner described below will have a built-in reply box to keep conversations in a single thread. These comments can also be marked as resolved afterwards, so that discussion can be tracked more easily. + +![A screenshot of a comment in GitHub which has a built-in "reply" box, highlighted in orange.](../assets/img/meta/pr-threaded-comment.png) + +## Commenting + +To start a threaded comment, you should leave all comments under the :octicons-file-diff-16: **Files changed** tab in a PR. + +![Screenshot of the tabs for a pull request. The "Files changed" tab is outlined in dark orange.](https://docs.github.com/assets/cb-23571/mw-1440/images/help/pull_requests/pull-request-tabs-changed-files.webp) + +To leave a _general_ comment on a PR, click the :octicons-comment-16: comment icon to the right of a file: + +![Screenshot of an image file on the "Files changed" page of a pull request. To the right of the file, a comment icon is outlined in orange.](https://docs.github.com/assets/cb-73771/mw-1440/images/help/pull_requests/pull-request-comment-on-file.webp) + +If the PR has multiple files changed, comment on the primary or most relevant file changed, or comment on the first file if you can't decide. + +To leave a comment _on a specific line_ of a PR, hover over the line where you'd like to add a comment, and click the blue comment icon: + +![Screenshot of a diff in a pull request. 
Next to a line number, a blue plus icon is highlighted with an orange outline.](https://docs.github.com/assets/cb-44227/mw-1440/images/help/commits/hover-comment-icon.webp) + +(Optionally, you can add a comment on multiple lines. You can click the line number of the first line you want to comment on and drag down to select a range of lines, then click the blue comment icon on the last line you want to comment on. Alternatively, you can click the blue comment icon next to the first line you want to comment on, then drag down to the last line you want to comment on.) + +Then, type your comment and click **Add single comment**. + +## Reviewing + +When performing a review, follow the same steps as above, but click **Start a review** (and subsequently, **Add a review comment**) instead of **Add single comment**. + +Then, click the green **Finish your review** button at the top of the page. + +Do not leave any discussion comments in the _Leave a comment_ box in the review finalization pop-up. You can leave it blank, or leave a short note if it will not require any follow-up. To comment on something that will require further discussion, add a comment on a file as described above instead. + +Then, click **Submit review**. diff --git a/i18n/fi/meta/translations.md b/i18n/fi/meta/translations.md new file mode 100644 index 00000000..1f67cd98 --- /dev/null +++ b/i18n/fi/meta/translations.md 
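Review bot: Three of the five screenshots in meta/pr-comments.md are hotlinked from `docs.github.com/assets/cb-.../mw-1440/...`, while the first two are served from `../assets/img/meta/`. The hotlinked paths are outside the repository's control and will break if GitHub changes its asset paths, and they make every reader's browser fetch from a third party. Copy the images into `assets/img/meta/` (licence permitting) or replace them with the project's own screenshots. Also, the text says "click the blue comment icon" while the alt text for the same image says "a blue plus icon"; use one name.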
@@ -0,0 +1,34 @@ +--- +title: Translations +description: A guide for website contributors on adding translations to our website. +--- + +Crowdin has good documentation, and we suggest looking at their [Getting Started](https://support.crowdin.com/crowdin-intro) guide. Our site is largely written in [Markdown](https://en.wikipedia.org/wiki/Markdown), so it should be easy to contribute. This page contains some helpful pointers for translating some specific syntax you may encounter on our site. + +Please join our localization room on Matrix ([#pg-i18n:aragon.sh](https://matrix.to/#/%23pg-i18n:aragon.sh)) if you have any additional questions, and read our [announcement blog post](https://blog.privacyguides.org/2023/02/26/i18n-announcement) for additional information about the project. + +Note that the English version of the site is the primary version, meaning changes occur there first. If you notice a language falling behind the English version, please help out. We cannot guarantee the accuracy of all our translations. If you have a suggestion about content specific to your region, please open an issue or pull request to our [main repository](https://github.com/privacyguides/privacyguides.org). + +## Translation output + +Translation software gets the translation quite accurate; however, you need to make sure the translated string is correct. + +For example: + +```text +![Software logo](assets/img/path/to/image.svg){ align=right } +``` + +We have sometimes found that the syntax for inserting an image like above was missing the `![` or an extra space was placed between the text and the path, e.g. `](`. If a translation string is clearly not correct, we encourage you to **delete** it by pressing the trash icon [or vote](https://support.crowdin.com/enterprise/getting-started-for-volunteers/#voting-view) on which one you think sounds best. 
When invalid strings are deleted, they are removed from the organization's [translation memory](https://support.crowdin.com/enterprise/translation-memory), meaning that when the source string is seen again, it won't suggest the incorrect translation. + +## Punctuation + +For examples like the above admonitions, quotation marks, e.g.: `" "` must be used to specify string text. MkDocs will not correctly interpret other symbols i.e., `「 」` or `« »`. Other punctuation marks are fine for marking regular quotations within the text otherwise. + +## Fullwidth alternatives and Markdown syntax + +CJK writing systems tend to use alternative "fullwidth" variants of common symbols. These are different characters and cannot be used for Markdown syntax. + +- Links must use regular parenthesis i.e. `(` (Left Parenthesis U+0028) and `)` (Right Parenthesis U+0029) and not `(` (Fullwidth Left Parenthesis U+FF08) or `)` (Fullwidth Right Parenthesis U+FF09) +- Indented quoted text must use `:` (Colon U+003A) and not `:` (Fullwidth Colon U+FF1A) +- Pictures must use `!` (Exclamation Mark U+0021) and not `!` (Fullwidth Exclamation Mark U+FF01) diff --git a/i18n/fi/meta/uploading-images.md b/i18n/fi/meta/uploading-images.md new file mode 100644 index 00000000..f945a94a --- /dev/null +++ b/i18n/fi/meta/uploading-images.md 
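Review bot: In the "Fullwidth alternatives and Markdown syntax" list, the characters shown as the fullwidth forms are the same ASCII characters as the correct ones (for example "`(` (Left Parenthesis U+0028) ... and not `(` (Fullwidth Left Parenthesis U+FF08)"), so the contrast the list exists to show is lost. Check that the file really contains U+FF08, U+FF09, U+FF1A and U+FF01 and that nothing in the toolchain normalizes them. Under "Punctuation", "other symbols i.e., `「 」` or `« »`" introduces examples, so it should read "e.g.", and "regular parenthesis" should be "parentheses".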
@@ -0,0 +1,95 @@ +--- +title: Uploading Images +description: A guide for website contributors on uploading images in the proper format and location. +--- + +If you make changes to this website that involve adding new images or replacing existing ones, here are a couple of general recommendations: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images. Additionally, for cover images, we prefer that they are obtained from [Unsplash](https://unsplash.com) and are in the WebP format. + +Company logos should be square if possible, and at least 200x200px if they are PNGs (non-vector images). + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng) tool to optimize PNG images: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File > Save As... +2. Set type to: Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embedded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off 
**Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` + +### WebP + +Use the [`cwebp`](https://developers.google.com/speed/webp/docs/using) command to convert PNG or JPEG image files to WebP format: + +```bash +cwebp -m 6 input_file -o output.webp +``` diff --git a/i18n/fi/meta/writing-style.md b/i18n/fi/meta/writing-style.md new file mode 100644 index 00000000..fdf7bb1d --- /dev/null +++ b/i18n/fi/meta/writing-style.md 
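Review bot: "The same can be achieved with the Scour command" does not hold for metadata. The Inkscape list only turns on **Remove metadata**, but the command passes `--remove-descriptive-elements`, which also strips `<title>` and `<desc>`. Use `--remove-metadata` if the two procedures are meant to match, or say that titles and descriptions are dropped too. `--indent=space` and `--nindent=1` have no effect alongside `--no-line-breaks`, and "In the **SVG Output** under **Pretty-printing**" is missing the word "tab".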
@@ -0,0 +1,88 @@ +--- +title: Writing Style +description: Our official writing style handbook for website contributors. +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://plainlanguage.gov/guidelines) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://plainlanguage.gov/guidelines/audience) is primarily adults who use technology. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. 
+ +Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/audience/address-the-user) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/design) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/organize/have-a-topic-sentence) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. 
+ +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject-matter expert, so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/concise) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://plainlanguage.gov/guidelines/conversational/use-active-voice) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/fi/mobile-browsers.md b/i18n/fi/mobile-browsers.md new file mode 100644 index 00000000..be28d317 --- /dev/null +++ b/i18n/fi/mobile-browsers.md 
@@ -0,0 +1,399 @@ +--- +meta_title: "Privacy Respecting Web Browsers for Android and iOS - Privacy Guides" +title: Mobile Browsers +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +cover: mobile-browsers.webp +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + - iOS + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Cromite + image: /assets/img/browsers/cromite.svg + url: https://cromite.org + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://apple.com/safari + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +These are our currently recommended **mobile web browsers** and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. + +## Brave + +
+ +![Brave logo](assets/img/browsers/brave.svg){ align=right } + +**Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features), many of which are enabled by default. + +Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + +[:octicons-home-16: Homepage](https://brave.com){ .md-button .md-button--primary } +[:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } +[:octicons-eye-16:](https://brave.com/privacy/browser){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.brave.com){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1052879175) +- [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) +- [:simple-fdroid: F-Droid](https://brave-browser-apk-release.s3.brave.com/fdroid/repo/index.html) + +
+ +
+ +### Recommended Brave Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +=== "Android" + + These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy**. + +=== "iOS" + + These options can be found in :fontawesome-solid-ellipsis: → **Settings** → **Shields & Privacy**. + +#### Brave shields global defaults + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/articles/360022973471-What-is-Shields) feature. We suggest configuring these options [globally](https://support.brave.com/hc/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +=== "Android" + +
+ + - [x] Select **Aggressive** under *Block trackers & ads* + - [x] Select **Auto-redirect AMP pages** + - [x] Select **Auto-redirect tracking URLs** + - [x] Select **Require all connections to use HTTPS (strict)** under *Upgrade connections to HTTPS* + - \[x\] (Optional) Select **Block Scripts** (1) + - [x] Select **Block third-party cookies** under *Block Cookies* + - [x] Select **Block Fingerprinting** + - [x] Select **Prevent fingerprinting via language settings** + +
+ Use default filter lists + + Brave allows you to select additional content filters within the **Content Filtering** menu or the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +
+ + - [x] Select **Forget me when I close this site** + +
+ + 1. This option disables JavaScript, which will break a lot of sites. To unbreak them, you can set exceptions on a per-site basis by tapping on the Shield icon in the address bar and unchecking this setting under *Advanced controls*. + +=== "iOS" + +
+ + - [x] Select **Aggressive** under *Trackers & Ads Blocking* + - [x] Select **Strict** under *Upgrade Connections to HTTPS* + - [x] Select **Auto-Redirect AMP pages** + - [x] Select **Auto-Redirect Tracking URLs** + - \[x\] (Optional) Select **Block Scripts** (1) + - [x] Select **Block Fingerprinting** + - [x] Select **Site Tabs Closed** under *Auto Shred* + +
+ Use default filter lists + + Brave allows you to select additional content filters within the **Content Filtering** menu. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +
+ +
+ + 1. This option disables JavaScript, which will break a lot of sites. To unbreak them, you can set exceptions on a per-site basis by tapping on the Shield icon in the address bar and unchecking this setting under *Advanced controls*. + +##### Clear browsing data (Android only) + +- [x] Select **Clear data on exit** + +##### Social Media Blocking (Android only) + +- [ ] Uncheck all social media components + +#### Other privacy settings + +=== "Android" + +
+ + - [x] Select **Disable non-proxied UDP** under [*WebRTC IP handling policy*](https://support.brave.com/hc/articles/360017989132-How-do-I-change-my-Privacy-Settings#webrtc) + - \[x\] (Optional) Select **No protection** under *Safe Browsing* (1) + - [ ] Uncheck **Allow sites to check if you have payment methods saved** + - [ ] Uncheck **Javascript optimization & security** under the setting with the same name + - [x] Select **Close tabs on exit** + - [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** + - [ ] Uncheck **Automatically send diagnostic reports** + - [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ + 1. Brave's [implementation of Safe Browsing](https://support.brave.com/hc/en-us/articles/15222663599629-Safe-Browsing-in-Brave) on Android **does not** proxy [Safe Browsing network requests](https://developers.google.com/safe-browsing/v4/update-api#checking-urls) like its desktop counterpart. This means that your IP address may be seen (and logged) by Google. Note that Safe Browsing is not available for Android devices without Google Play Services. + +=== "iOS" + + - [ ] Uncheck **Allow Privacy-Preserving Product Analytics (P3A)** + - [ ] Uncheck **Automatically send daily usage ping to Brave** + +#### Leo + +These options can be found in :material-menu: → **Settings** → **Leo**. + +
+ +- [ ] Uncheck **Show autocomplete suggestions in address bar** (1) + +
+ +1. This option is not present in Brave's iOS app. + +#### Search engines + +These options can be found in :material-menu:/:fontawesome-solid-ellipsis: → **Settings** → **Search engines**. + +- [ ] Uncheck **Show search suggestions** + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Cromite (Android) + +
+ +![Cromite logo](assets/img/browsers/cromite.svg){ align=right } + +**Cromite** is a Chromium-based browser with built-in ad blocking, fingerprinting protections, and other [privacy and security enhancements](https://github.com/uazo/cromite/blob/master/docs/FEATURES.md). It is a fork of the discontinued **Bromite** browser. + +[:octicons-home-16: Homepage](https://cromite.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://github.com/uazo/cromite/blob/master/docs/PRIVACY_POLICY.md){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://github.com/uazo/cromite?tab=readme-ov-file#docs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/uazo/cromite){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-android: F-Droid](https://cromite.org/fdroid/repo/?fingerprint=49F37E74DEE483DCA2B991334FB5A0200787430D0B5F9A783DD5F13695E9517B) +- [:simple-github: GitHub](https://github.com/uazo/cromite/releases/latest) + +
+ +
+ +### Recommended Configuration + +These options can be found in :material-menu: → :gear: **Settings** → **Privacy and security**. + +#### Browsing data + +- [x] Select **Close all open tabs on exit** + +#### Incognito mode + +- [x] Select **Open external links in incognito** + +#### Security + +- [x] Select **Always use secure connections** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. HTTP is extremely uncommon nowadays, so this should have little to no impact on your day-to-day browsing. + +#### Adblock Plus settings + +These options can be found in :material-menu: → :gear: **Settings** → **Adblock Plus settings**. + +Cromite contains a customized version of Adblock Plus with EasyList enabled by default, as well as options to select more filter lists within the **Filter lists** menu. + +Using extra lists will make you stand out from other Cromite users and may also increase attack surface if a malicious rule is added to one of the lists you use. + +- \[x\] (Optional) Select **Enable anti-circumvention and snippets** + +This setting adds an additional Adblock Plus list that may increase the effectiveness of Cromite's content blocking. The warnings about standing out and potentially increasing attack surface apply. + +#### Legacy Adblock settings + +These options can be found in :material-menu: → :gear: **Settings** → **Legacy Adblock settings**. + +- [ ] Uncheck the autoupdate setting + +This disables update checks for the unmaintained Bromite adblock filter. + +## Safari (iOS) + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so a browser like [Brave](#brave) does not use the Blink engine (the core component of Chromium) like its counterparts on other operating systems. + +
+ +![Safari logo](assets/img/browsers/safari.svg){ align=right } + +**Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/ios) such as [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention), isolated and ephemeral Private Browsing tabs, fingerprinting protection (by presenting a simplified version of the system configuration to websites, so more devices look identical), and fingerprint randomization, as well as Private Relay for those with a paid iCloud+ subscription. + +[:octicons-home-16: Homepage](https://apple.com/safari){ .md-button .md-button--primary } +[:octicons-eye-16:](https://apple.com/legal/privacy/data/en/safari){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.apple.com/guide/iphone/browse-the-web-iph1fbef4daa/ios){ .card-link title="Documentation" } + + + +
+ +### Recommended Safari Configuration + +The following privacy/security-related options can be found in :gear: **Settings** → **Apps** → **Safari**. + +#### Allow Safari to Access + +Under **Siri**: + +- [ ] Disable **Learn from this App** +- [ ] Disable **Show in App** +- [ ] Disable **Show on Home Screen** +- [ ] Disable **Suggest App** + +This prevents Siri from using content from Safari for Siri suggestions. + +#### Search + +- [ ] Disable **Search Engine Suggestions** + +This setting sends whatever you type in the address bar to the search engine set in Safari. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +#### Profiles + +Safari allows you to separate your browsing with different profiles. All of your cookies, history, and website data are separate for each profile. You should use different profiles for different purposes e.g. Shopping, Work, or School. + +#### Privacy & Security + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but does not block all tracking avenues because it is designed to not interfere with website usability. + +- [x] Enable **Require Face ID/Touch ID to Unlock Private Browsing** + +This setting allows you to lock your private tabs behind biometrics/PIN when not in use. + +- [ ] Disable **Fraudulent Website Warning** + +This setting uses Google Safe Browsing (or Tencent Safe Browsing for users in mainland China or Hong Kong) to protect you while you browse. As such, your IP address may be logged by your Safe Browsing provider. Disabling this setting will disable this logging, but you might be more vulnerable to known phishing sites. 
+ +- [x] Enable **Not Secure Connection Warning** + +This setting shows a warning screen if your connection to a website isn't using HTTPS. Safari will automatically try to upgrade the site to HTTPS, so you should only see this when there is no HTTPS connection available. + +- [ ] Disable **Highlights** + +Apple's privacy policy for Safari states: + +> When visiting a webpage, Safari may send information calculated from the webpage address to Apple over OHTTP to determine if relevant highlights are available. + +#### Settings for Websites + +Under **Camera** + +- [x] Select **Ask** + +Under **Microphone** + +- [x] Select **Ask** + +Under **Location** + +- [x] Select **Ask** + +These settings ensure that websites can only access your camera, microphone, or location after you explicitly grant them access. + +#### Other Privacy Settings + +These options can be found in :gear: **Settings** → **Apps** → **Safari** → **Advanced**. + +##### Fingerprinting Mitigations + +The **Advanced Tracking and Fingerprinting Protection** setting will randomize certain values so that it's more difficult to fingerprint you: + +- [x] Select **All Browsing** or **Private Browsing** + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +#### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. 
Then, expand the :material-format-list-bulleted: Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are other smaller privacy benefits with Private Browsing too, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed in to sites. This may be an inconvenience. + +#### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://apple.com/legal/privacy/en-ww). + +You can enable E2EE for your Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/HT212520). Go to :gear: **Settings** → **iCloud** → **Advanced Data Protection**. + +- [x] Turn on **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend setting Safari's default download location to a local folder on your device. This option can be found in :gear: **Settings** → **Apps** → **Safari** → **General** → **Downloads**. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must support automatic updates. 
+- Must receive engine updates from upstream releases quickly. +- Must support content blocking. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. diff --git a/i18n/fi/mobile-phones.md b/i18n/fi/mobile-phones.md new file mode 100644 index 00000000..56d8d68b --- /dev/null +++ b/i18n/fi/mobile-phones.md 
@@ -0,0 +1,103 @@ +--- +title: Mobile Phones +icon: material/cellphone-check +description: These mobile devices provide the best hardware security support for custom Android operating systems. +cover: android.webp +schema: + - "@context": http://schema.org + "@type": WebPage + name: Mobile Phone Recommendations + url: "./" + - "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides +robots: nofollow, max-snippet:-1, max-image-preview:large +--- + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals){ .pg-red } +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy){ .pg-orange } + +Most **mobile phones** receive short or limited windows of security updates from OEMs; after these devices reach the end of their support period, they **cannot** be considered secure as they no longer receive firmware or driver security updates. + +The mobile devices listed here provide a long lifespan of guaranteed security updates and allow you to install a custom operating system without violating the Android security model. + +[Recommended Android Distributions :material-arrow-right-drop-circle:](android/distributions.md){ .md-button .md-button--primary } [Details about Android Security :material-arrow-right-drop-circle:](os/android-overview.md#security-protections){ .md-button } + +
+

Warning

+ +End-of-life devices (such as GrapheneOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +
+ +## General Purchasing Advice + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of it being entered in the [IMEI database](https://gsma.com/get-involved/working-groups/terminal-steering-group/imei-database). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life; additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net) to find details! + +## Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +
+ +![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + +**Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + +Beginning with the **Pixel 8** and **8 Pro**, Pixel devices receive a minimum of 7 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-5 years competing OEMs typically offer. + +[:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +
+ +### Hardware Security + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment (TEE) used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for _all_ of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The Pixel 8 series and later supports ARM's Memory Tagging Extension ([MTE](https://developer.arm.com/documentation/108035/0100/Introduction-to-the-Memory-Tagging-Extension)), a hardware security enhancement that drastically lowers the probability of exploits occurring through memory corruption bugs. The stock Pixel OS allows you to enable MTE for supported apps through Google's Advanced Protection Program or via a developer option, but its usability is quite limited. [GrapheneOS](android/distributions.md#grapheneos), an alternative Android OS we recommend, greatly improves the usability and coverage of MTE in its implementation of the feature. + +### Buying a Google Pixel + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: Cost End of Life Date Current Date + , meaning that the longer use of the device the lower cost per day. 
+- If the Pixel is unavailable in your region, the [NitroPhone](https://shop.nitrokey.com/shop) can be shipped globally. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://nitrokey.com/about) company. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. diff --git a/i18n/fi/multi-factor-authentication.md b/i18n/fi/multi-factor-authentication.md new file mode 100644 index 00000000..488c134b --- /dev/null +++ b/i18n/fi/multi-factor-authentication.md @@ -0,0 +1,80 @@ +--- +title: Multifactor Authentication +icon: material/two-factor-authentication +description: These tools assist you with securing your internet accounts with multifactor authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} + +
+

Hardware Keys

+ +[Hardware security key recommendations](security-keys.md) have been moved to their own category. + +
+ +**Multifactor authentication apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically, these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +## Ente Auth + +
+ +![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.svg){ align=right } + +**Ente Auth** is a free and open-source app which stores and generates TOTP tokens. It can be used with an online account to back up and sync your tokens across your devices (and access them via a web interface) in a secure, end-to-end encrypted fashion. It can also be used offline on a single device with no account necessary. + +[:octicons-home-16: Homepage](https://ente.io/auth){ .md-button .md-button--primary } +[:octicons-eye-16:](https://ente.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://help.ente.io/auth){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/ente-io/ente/tree/main/auth#readme){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.ente.auth) +- [:simple-appstore: App Store](https://apps.apple.com/app/id6444121398) +- [:simple-github: GitHub](https://github.com/ente-io/ente/releases?q=auth) +- [:octicons-browser-16: Web](https://auth.ente.io) + +
+ +
+ +The server-side source code and infrastructure which underpins Ente Auth (if used with an online account) underwent an audit by [Cure53](https://ente.io/blog/cern-audit) in October 2025. + +## Aegis Authenticator (Android) + +
+ +![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + +**Aegis Authenticator** is a free and open-source app for Android to manage your 2-step verification tokens for your online services. Aegis Authenticator operates completely offline/locally, but includes the option to export your tokens for backup unlike many alternatives. + +[:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } +[:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } +[:octicons-heart-16:](https://buymeacoffee.com/beemdevelopment){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) +- [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +
+ +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Cloud syncing must be optional; sync functionality, if available, must be E2EE. diff --git a/i18n/fi/news-aggregators.md b/i18n/fi/news-aggregators.md new file mode 100644 index 00000000..ee3ecded --- /dev/null +++ b/i18n/fi/news-aggregators.md @@ -0,0 +1,179 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +cover: news-aggregators.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} + +A **news aggregator** is software which aggregates digital content from online newspapers, blogs, podcasts, and other resources to one location for easy viewing. Using one can be a great way to keep up with your favorite content. + +## Aggregator clients + +### Akregator + +
+ +![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + +**Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality, and an internal browser for easy news reading. + +[:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } +[:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title="Documentation" } +[:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } +[:octicons-heart-16:](https://kde.org/community/donations){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +
+ +
+ +### NewsFlash + +
+ +![NewsFlash logo](assets/img/news-aggregators/newsflash.png){ align=right } + +**NewsFlash** is an open-source, modern, and easy-to-use news feed reader for Linux. It can be used offline or with services like [Inoreader](https://inoreader.com) or [Nextcloud News](https://apps.nextcloud.com/apps/news). It has a search feature and a pre-defined list of sources that you can add directly. + +[:octicons-repo-16: Repository](https://gitlab.com/news-flash/news_flash_gtk#newsflash){ .md-button .md-button--primary } +[:octicons-code-16:](https://gitlab.com/news-flash/news_flash_gtk){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-flathub: Flathub](https://flathub.org/apps/io.gitlab.news_flash.NewsFlash) + +
+ +
+ +### Feeder + +
+ +![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + +**Feeder** is a modern RSS client for Android that has many [features](https://github.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. + +It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML), and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + +[:octicons-repo-16: Repository](https://github.com/spacecowboy/Feeder#readme){ .md-button .md-button--primary } +[:octicons-code-16:](https://github.com/spacecowboy/Feeder){ .card-link title="Source Code" } +[:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) +- [:simple-github: GitHub](https://github.com/spacecowboy/Feeder/releases) + +
+ +
+ +### Miniflux + +
+ +![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } +![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + +**Miniflux** is a web-based news aggregator that you can self-host. + +It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML), and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + +[:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } +[:octicons-info-16:](https://miniflux.app/docs/index#user-guide){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } +[:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title="Contribute" } + +
+ +### NetNewsWire + +
+ +![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + +**NetNewsWire** is a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. + +It supports conventional feed formats and includes built-in support for Reddit feeds. + +[:octicons-home-16: Homepage](https://netnewswire.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://netnewswire.com/help){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-appstore: App Store](https://apps.apple.com/app/id1480640210) +- [:simple-apple: macOS](https://netnewswire.com) + +
+ +
+ +### Newsboat + +
+ +![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + +**Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + +[:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://newsboat.org/releases/2.38/docs/newsboat.html){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS, although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to Subreddits via RSS. + +
+

Example

+ +Replace `[SUBREDDIT]` with the Subreddit you wish to subscribe to. + +```text +https://reddit.com/r/[SUBREDDIT]/new/.rss +``` + +
+ +### YouTube + +You can subscribe to YouTube channels without logging in and associating usage information with your Google account. + +
+

Example

+ +To subscribe to a YouTube channel with an RSS client, first look for its [channel code](https://support.google.com/youtube/answer/6180214). The channel code can be found in the expanded description (i.e., the "About" section) of the YouTube channel you wish to subscribe to: **About** → **Share channel** → **Copy channel ID**. Replace `[CHANNEL ID]` below: + +```text +https://youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] +``` + +
diff --git a/i18n/fi/notebooks.md b/i18n/fi/notebooks.md new file mode 100644 index 00000000..e03fee83 --- /dev/null +++ b/i18n/fi/notebooks.md @@ -0,0 +1,178 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third party. +cover: notebooks.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} + +Keep track of your notes and journals without giving them to a third party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports end-to-end encryption. + +## Cloud-based + +### Standard Notes + +
+ +![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + +**Standard Notes** is a simple and private notes app that features cross-platform sync for seamless use. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. + +Standard Notes has also undergone multiple [independent audits](https://standardnotes.com/help/2/has-standard-notes-completed-a-third-party-security-audit). + +[:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://standardnotes.com/help){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } +[:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) +- [:simple-github: GitHub](https://github.com/standardnotes/app/releases) +- [:fontawesome-brands-windows: Windows](https://standardnotes.com) +- [:simple-apple: macOS](https://standardnotes.com) +- [:simple-linux: Linux](https://standardnotes.com) +- [:octicons-browser-16: Web](https://app.standardnotes.com) + +
+ +
+ +Standard Notes has [joined Proton AG](https://standardnotes.com/blog/joining-forces-with-proton) as of April 10, 2024. + +### Notesnook + +
+ +![Notesnook logo](assets/img/notebooks/notesnook.svg){ align=right } + +**Notesnook** is a free (as in speech), open-source, and easy-to-use E2EE note-taking app focused on user privacy. + +It features sync functionality that allows you to access your notes on multiple platforms. You can easily import your notes from Evernote, OneNote, and other apps using their [official importer](https://importer.notesnook.com). + +[:octicons-home-16: Homepage](https://notesnook.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://notesnook.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://help.notesnook.com){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/streetwriters/notesnook){ .card-link title="Source Code" } +[:octicons-heart-16:](https://opencollective.com/notesnook){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.streetwriters.notesnook) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1544027013) +- [:simple-github: GitHub](https://github.com/streetwriters/notesnook/releases) +- [:fontawesome-brands-windows: Windows](https://notesnook.com/downloads) +- [:simple-apple: macOS](https://notesnook.com/downloads) +- [:simple-linux: Linux](https://notesnook.com/downloads) +- [:simple-flathub: Flathub](https://flathub.org/apps/com.notesnook.Notesnook) +- [:simple-firefoxbrowser: Firefox](https://notesnook.com/notesnook-web-clipper) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/kljhpemdlcnjohmfmkogahelkcidieaj) +- [:octicons-browser-16: Web](https://app.notesnook.com) + +
+ +
+ +### Joplin + +
+ +![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + +**Joplin** is a free, open-source, and fully-featured E2EE note-taking and to-do application which can handle numerous Markdown notes organized into notebooks and tags. + +It can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + +[:octicons-home-16: Homepage](https://joplinapp.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://joplinapp.org/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://joplinapp.org/help){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } +[:octicons-heart-16:](https://joplinapp.org/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1315599797) +- [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) +- [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications) +- [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) +- [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/alofnhikmmkdbbbgpnglcpdollgjjfek) + +
+ +
+ +Joplin [does not support](https://github.com/laurent22/joplin/issues/289) password/PIN protection for the application itself or individual notes and notebooks. However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin [supports biometrics app lock](https://github.com/laurent22/joplin/commit/f10d9f75b055d84416053fab7e35438f598753e9) for Android and iOS. + +### Cryptee + +
+ +![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } +![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + +**Cryptee** is an open-source, web-based E2EE document editor and photo storage application. + +Cryptee offers 100 MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +[:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } +[:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://crypt.ee/help){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + +
+Downloads + +- [:octicons-browser-16: Web](https://crypt.ee/download) + +
+ +
+ +Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + +## Local notebooks + +### Org-mode + +
+ +![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + +**Org-mode** is a [major mode](https://gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining to-do lists, planning projects, and authoring documents with a fast and effective plain-text system. File synchronization is possible with tools like [Syncthing](file-sharing.md#syncthing-p2p). + +[:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title="Documentation" } +[:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title="Contribute" } + + + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Clients must be open source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/fi/office-suites.md b/i18n/fi/office-suites.md new file mode 100644 index 00000000..66244891 --- /dev/null +++ b/i18n/fi/office-suites.md @@ -0,0 +1,77 @@ +--- +title: "Office Suites" +icon: material/file-edit-outline +description: These office suites offer their full functionality without an account and can be used offline. +cover: office-suites.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal } + +Choose an **office suite** that does not require logging in to an account to access its full functionality. The tools listed here can be used offline and could reasonably act as a replacement for Microsoft Office for most needs. + +## LibreOffice + +
+ +![LibreOffice logo](assets/img/office-suites/libreoffice.svg){ align=right } + +**LibreOffice** is a free and open-source office suite with extensive functionality. + +[:octicons-home-16: Homepage](https://libreoffice.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://libreoffice.org/about-us/privacy/privacy-policy-en){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation){ .card-link title=Documentation} +[:octicons-code-16:](https://libreoffice.org/about-us/source-code){ .card-link title="Source Code" } +[:octicons-heart-16:](https://libreoffice.org/donate){ .card-link title=Contribute } + +
+Downloads + +- [:simple-googleplay: Google Play](https://libreoffice.org/download/android-and-ios) +- [:simple-appstore: App Store](https://libreoffice.org/download/android-and-ios) +- [:fontawesome-brands-windows: Windows](https://libreoffice.org/download/download) +- [:simple-apple: macOS](https://libreoffice.org/download/download) +- [:simple-linux: Linux](https://libreoffice.org/download/download) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + +
+ +
+ +## OnlyOffice + +
+ +![OnlyOffice logo](assets/img/office-suites/onlyoffice.svg){ align=right } + +**OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + +[:octicons-home-16: Homepage](https://onlyoffice.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) +- [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) +- [:fontawesome-brands-windows: Windows](https://onlyoffice.com/download-desktop.aspx) +- [:simple-apple: macOS](https://onlyoffice.com/download-desktop.aspx) +- [:simple-linux: Linux](https://onlyoffice.com/download-desktop.aspx) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + +
+ +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. diff --git a/i18n/fi/os/android-overview.md b/i18n/fi/os/android-overview.md new file mode 100644 index 00000000..f3eaa048 --- /dev/null +++ b/i18n/fi/os/android-overview.md 
@@ -0,0 +1,173 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +robots: nofollow, max-snippet:-1, max-image-preview:large +--- + +![Android logo](../assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is a secure mobile operating system featuring strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +[:octicons-home-16:](https://source.android.com){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/main){ .card-link title="Source Code" } + +[Our Android Advice :material-arrow-right-drop-circle:](../android/index.md ""){.md-button.md-button--primary} + +## Security Protections + +Key components of the Android security model include [verified boot](#verified-boot), [firmware updates](#firmware-updates), and a robust [permission system](#android-permissions). These important security features form the baseline of the minimum criteria for our [mobile phone](../mobile-phones.md) and [custom Android OS](../android/distributions.md) recommendations. + +### Verified Boot + +[**Verified Boot**](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). 
+ +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +### Firmware Updates + +**Firmware updates** are critical for maintaining security and without them your device cannot be secure. 
OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://qualcomm.com/news/releases/2020/12/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC, and they will provide a minimum of 5 years of support. With the introduction of the Pixel 8 series, Google increased that support window to 7 years. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their Fairphone 4 device as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +### Android Permissions + +[**Permissions on Android**](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. 
Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a [Google Pixel](../mobile-phones.md#google-pixel). + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. 
+ +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby Wi-Fi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby Wi-Fi access points were a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +
+

Warning

+ +If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +
+ +
+

Note

+ +Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all the analytics features that are provided by Google Firebase Analytics. + +
+ +## Privacy Features + +### User Profiles + +Multiple **user profiles** can be found in :gear: **Settings** → **System** → **Users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +### Work Profile + +[**Work Profiles**](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](../android/general-apps.md#shelter) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the owner profile and work profile simultaneously. + +### Private Space + +**Private Space** is a feature introduced in Android 15 that adds another way of isolating individual apps. You can set up a private space in the owner profile by navigating to :gear: **Settings** → **Security & privacy** → **Private space**. Once set up, your private space resides at the bottom of the app drawer. + +Like user profiles, a private space is encrypted using its own encryption key, and you have the option to set up a different unlock method. 
Like work profiles, you can use apps from both the owner profile and private space simultaneously. Apps launched from a private space are distinguished by an icon depicting a key within a shield. + +Unlike work profiles, Private Space is a feature native to Android that does not require a third-party app to manage it. For this reason, we generally recommend using a private space over a work profile, though you can use a work profile alongside a private space. + +### VPN kill switch + +Android 7 and above supports a VPN kill switch, and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +### Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permissions) until re-enabled. + +## Google Services + +If you are using a device with Google services—whether with the stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS—there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play Services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. 
Alternatively, you can use [passkeys](https://fidoalliance.org/passkeys). + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949) such as: + +- Not allowing app installation outside the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications +- Enabling ARM's hardware-based [Memory Tagging Extension (MTE)](https://developer.arm.com/documentation/108035/0100/Introduction-to-the-Memory-Tagging-Extension) for supported apps, which lowers the likelihood of device exploits happening through memory corruption bugs + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. 
Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**. + +- [x] Select **Delete advertising ID** + +On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads* (this varies between OEM distributions of Android). If presented with the option to delete the advertising ID, that is preferred. If not, then make sure to opt out and reset your advertising ID. 
+ +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/fi/os/index.md b/i18n/fi/os/index.md new file mode 100644 index 00000000..f612eacb --- /dev/null +++ b/i18n/fi/os/index.md 
@@ -0,0 +1,23 @@ +--- +title: Operating Systems +description: An overview of our operating system-related recommendations for all major computing hardware. +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use privacy tools like our [recommended web browsers](../desktop-browsers.md) in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +- [Recommended Linux Distros :material-arrow-right-drop-circle:](../desktop.md) +- [Recommended Android Distros :material-arrow-right-drop-circle:](../android/distributions.md) + +The articles marked with a :material-star: are our more mature articles. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/fi/os/ios-overview.md b/i18n/fi/os/ios-overview.md new file mode 100644 index 00000000..536978da --- /dev/null +++ b/i18n/fi/os/ios-overview.md 
@@ -0,0 +1,312 @@ +--- +title: iOS Overview +icon: simple/apple +description: iOS is a mobile operating system developed by Apple for the iPhone. +--- + +**iOS** and **iPadOS** are proprietary mobile operating systems developed by Apple for their iPhone and iPad products, respectively. If you have an Apple mobile device, you can increase your privacy by disabling some built-in telemetry features, and hardening some privacy and security settings which are built in to the system. + +## Privacy Notes + +iOS devices are frequently praised by security experts for their robust data protection and adherence to modern best practices. However, the restrictiveness of Apple's ecosystem—particularly with their mobile devices—does still hamper privacy in a number of ways. + +We generally consider iOS to provide better than average privacy and security protections for most people, compared to stock Android devices from any manufacturer. However, you can achieve even higher standards of privacy with a [custom Android operating system](../android/distributions.md) like GrapheneOS, if you want or need to be completely independent of Apple or Google's cloud services. + +### Activation Lock + +All iOS devices must be checked against Apple's Activation Lock servers when they are initially set up or reset, meaning an internet connection is **required** to use an iOS device. + +### Mandatory App Store + +The only source for apps on iOS is Apple's App Store, which requires an Apple Account to access. This means that Apple has a record of every app you install on your device, and can likely tie that information to your actual identity if you provide the App Store with a payment method. + +### Invasive Telemetry + +Apple has historically had problems with properly disassociating their telemetry from Apple Accounts on iOS. 
In [2019](https://theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings), Apple was found to transmit Siri recordings—some containing highly confidential information—to their servers for manual review by third-party contractors. Though Apple temporarily stopped that program after that practice was [widely reported on](https://theverge.com/2019/8/23/20830120/apple-contractors-siri-recordings-listening-1000-a-day-globetech-microsoft-cortana), the company rolled out a switch to [**opt out** of uploading conversations with Siri](https://theguardian.com/technology/2019/oct/30/apple-lets-users-opt-out-of-having-siri-conversations-recorded) a few months later in the succeeding iOS update. Moreover, in 2021, [Apple reworked Siri](https://theguardian.com/technology/2021/jun/07/apple-overhauls-siri-to-address-privacy-concerns-and-improve-performance) so that it processes voice recordings locally rather than sending it to their servers. + +More recently, Apple has been found to transmit analytics [even when analytics sharing is disabled](https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558) on iOS, and this data [appears](https://twitter.com/mysk_co/status/1594515229915979776) to be easily linked to unique iCloud account identifiers despite supposedly being decoupled from Apple Accounts. + +### Traffic Outside Active VPN Connections + +Apple's [privacy policy regarding VPNs](https://apple.com/legal/privacy/data/en/vpns) states: + +> Even when a VPN is active, some traffic that is necessary for essential system services will take place outside the VPN so that your device can function properly. + +## Recommended Configuration + +**Note:** This guide assumes that you're running the latest version of iOS. + +### iCloud + +The majority of privacy and security concerns with Apple products are related to their cloud services, not their hardware or software. 
When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys which Apple has access to by default. You can check [Apple's documentation](https://support.apple.com/HT202303) for information on which services are end-to-end encrypted. Anything listed as "in transit" or "on server" means it's possible for Apple to access that data without your permission. This level of access has occasionally been abused by law enforcement to get around the fact that your data is otherwise securely encrypted on your device, and of course Apple is vulnerable to data breaches like any other company. + +Therefore, if you do use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple. + +The encryption used by Advanced Data Protection, while strong, [is not *quite* as robust](https://discuss.privacyguides.net/t/apple-advances-user-security-with-powerful-new-data-protections/10778/4) as the encryption offered by other [cloud services](../cloud.md), particularly when it comes to iCloud Drive. While we strongly encourage using Advanced Data Protection if you use iCloud, we would also suggest considering finding an alternative to iCloud from a more [privacy-focused service provider](../tools.md), although it is unlikely most people would be impacted by these encryption quirks. + +You can also protect your data by limiting what you sync to iCloud in the first place. At the top of the **Settings** app, you'll see your name and profile picture if you are signed in to iCloud. Select that, then **iCloud**, and turn off the switches for any services you don't want to sync to iCloud. 
You may see third-party apps listed under **Show All** if they sync to iCloud, which you can disable here. + +#### iCloud+ + +A paid **iCloud+** subscription (with any iCloud storage plan) comes with some privacy-protecting functionality. While these may provide adequate service for current iCloud customers, we wouldn't recommend purchasing an iCloud+ plan over a [VPN](../vpn.md) and [standalone email aliasing service](../email-aliasing.md) just for these features alone. + +[**Private Relay**](https://apple.com/legal/privacy/data/en/icloud-relay) is a proxy service which relays all of your Safari traffic, your DNS queries, and unencrypted traffic on your device through two servers: one owned by Apple and one owned by a third-party provider (including Akamai, Cloudflare, and Fastly). In theory this should prevent any single provider in the chain—including Apple—from having full visibility into which websites you visit while connected. Unlike a VPN, Private Relay does not protect traffic that's already encrypted. + +**Hide My Email** is Apple's email aliasing service. You can create an email aliases for free when you *Sign In With Apple* on a website or app, or generate unlimited aliases on demand with a paid iCloud+ plan. Hide My Email has the advantage of using the `@icloud.com` domain for its aliases, which may be less likely to be blocked compared to other email aliasing services, but does not offer functionality offered by standalone services such as automatic PGP encryption or multiple mailbox support. + +#### Media & Purchases + +At the top of the **Settings** app, you'll see your name and profile picture if you are signed in to an Apple Account. Select that, then select **Media & Purchases** → **View Account**. + +- [ ] Turn off **Personalized Recommendations** + +#### Find My + +**Find My** is a service that lets you track your Apple devices and share your location with your friends and family. 
It also allows you to wipe your device remotely in case it is stolen, preventing a thief from accessing your data. Your Find My [location data is E2EE](https://apple.com/legal/privacy/data/en/find-my) when: + +- Your location is shared with a family member or friend, and you both use iOS 17 or greater. +- Your device is offline and is located by the Find My Network. + +Your location data is not E2EE when your device is online and you use Find My iPhone remotely to locate your device. You will have to make the decision whether these trade-offs are worth the anti-theft benefits of Activation Lock. + +At the top of the **Settings** app, you'll see your name and profile picture if you are signed in to an Apple Account. Select that, then select **Find My**. Here you can choose whether to enable or disable Find My location features. + +### Settings + +Many other privacy-related settings can be found in the **Settings** app. + +#### Airplane Mode + +Enabling **Airplane Mode** stops your phone from contacting cell towers. You will still be able to connect to Wi-Fi and Bluetooth, so whenever you are connected to Wi-Fi you can turn this setting on. + +#### Wi-Fi + +You can enable [hardware address randomization](https://support.apple.com/en-us/102509#triswitch) to protect you from tracking across Wi-Fi networks, and on the same network over time. On the network you are currently connected to, tap the :material-information: button: + +- [x] Set **Private Wi-Fi Address** to **Fixed** or **Rotating** + +You also have the option to **Limit IP Address Tracking**. This is similar to iCloud Private Relay but only affects connections to "known trackers." Because it only affects connections to potentially malicious servers, this setting is probably fine to leave enabled, but if you don't want *any* traffic to be routed through Apple's servers, you should turn it off. + +#### Bluetooth + +**Bluetooth** should be disabled when you aren't using it as it increases your attack surface. 
Disabling Bluetooth (or Wi-Fi) via the Control Center only disables it temporarily: you must switch it off in Settings for disabling it to remain effective. + +- [ ] Turn off **Bluetooth** + +Note that Bluetooth is automatically turned on after every system update. + +#### General + +Your iPhone's device name will by default contain your first name, and this will be visible to anyone on networks you connect to. You should change this to something more generic, like "iPhone." Select **About** → **Name** and enter the device name you prefer. + +It is important to install software updates frequently to get the latest security fixes. You can enable automatic updates to keep your phone up-to-date without needing to constantly check for updates. Select **Software Update** → **Automatic Updates**: + +- [x] Turn on **Automatically Install** + +**AirDrop** is commonly used to easily share files, but it represents a significant privacy risk. The AirDrop protocol constantly broadcasts your personal information to your surroundings, with [very weak](https://usenix.org/system/files/sec21-heinrich.pdf) security protections. Your identity can easily be discovered by attackers even with limited resources, and the Chinese government has [openly acknowledged](https://arstechnica.com/security/2024/01/hackers-can-id-unique-apple-airdrop-users-chinese-authorities-claim-to-do-just-that) using such techniques to identify AirDrop users in public since 2022. + +- [x] Select **AirDrop** → **Receiving Off** + +**AirPlay** lets you seamlessly stream content from your iPhone to a TV; however, you might not always want this. Select **AirPlay & Continuity** → **Automatically AirPlay**: + +- [x] Select **Never** or **Ask** + +**Background App Refresh** allows your apps to refresh their content while you're not using them. This may cause them to make unwanted connections. 
Turning this off can also save battery life, but may affect an app's ability to receive updated information, particularly weather and messaging apps. + +Select **Background App Refresh** and switch off any apps you don't want to continue refreshing in the background. If you don't want any apps to refresh in the background, you can select **Background App Refresh** again and turn it **Off**. + +#### Apple Intelligence & Siri + +This is available if your device supports **[Apple Intelligence](https://support.apple.com/guide/iphone/apple-intelligence-and-privacy-iphe3f499e0e/ios)**. Apple Intelligence uses a combination of on-device processing and their **[Private Cloud Compute](https://security.apple.com/blog/private-cloud-compute)** for things that take more processing power than your device can provide. + +To see a report of all the requests made to Apple's servers, you can navigate to **Privacy & Security** → **Apple Intelligence Report** and press **Export Activity** to see activity from the either the last 15 minutes or 7 days, depending on what you set it for. Similar to the **App Privacy Report** which shows you the recent permissions accessed by the apps on your phone, the Apple Intelligence Report likewise shows what is being sent to Apple's servers while using Apple Intelligence. + +Apple Intelligence can integrate with [ChatGPT](https://support.apple.com/guide/iphone/use-chatgpt-with-apple-intelligence-iph00fd3c8c2/ios). If you want ChatGPT integration, you can navigate to **ChatGPT** and press **Set Up**. If you want to disable it, go to the same place: + +- [ ] Turn off **Use ChatGPT** + +You can also have it ask for confirmation every time if you leave ChatGPT integration on: + +- [x] Turn on **Confirm Requests** + +If you don't want anyone to be able to control your phone with Siri when it is locked, you can turn that off here. 
+ +- [ ] Turn off **Allow Siri When Locked** + +#### Face ID/Touch ID & Passcode + +Setting a strong password on your phone is the most important step you can take for physical device security. You'll have to make trade-offs here between security and convenience: A longer password will be annoying to type in every time, but a shorter password or PIN will be easier to guess. Setting up Face ID or Touch ID along with a strong password can be a good compromise between usability and security. + +Select **Turn Passcode On** or **Change Passcode** → **Passcode Options** → **Custom Alphanumeric Code**. Make sure that you create a [secure password](../basics/passwords-overview.md). + +If you wish to use Face ID or Touch ID, you can go ahead and set it up now. Your phone will use the password you set up earlier as a fallback in case your biometric verification fails. Biometric unlock methods are primarily a convenience, although they do stop surveillance cameras or people over your shoulder from watching you input your passcode. + +If you use biometrics, you should know how to turn them off quickly in an emergency. Holding down the [side button](https://support.apple.com/en-us/105103) and *either* volume button until you see the Slide to Power Off slider will disable biometrics, requiring your passcode to unlock. Your passcode will be required after your device restarts. + +You can similarly disable biometrics by pressing the side button five times, or for devices with Touch ID, you can hold down the side button and nothing else. Make sure you try this in advance, so you know which method works for your device. + +**Stolen Device Protection** adds additional security intended to protect your personal data if your device is stolen while unlocked. 
If you enable both biometric authentication and the [Find My](#find-my) iPhone feature, we recommend enabling this protection: + +- [x] Turn on **Stolen Device Protection** + +After enabling Stolen Device Protection, [certain actions](https://support.apple.com/HT212510) will require biometric authentication without a password fallback (in the event that a shoulder surfer has obtained your PIN), such as using password autofill, accessing payment information, and disabling Lost Mode. It also adds a security delay to certain actions performed away from your home or another "familiar location," such as requiring a 1-hour timer to reset your Apple Account password or sign out of your Apple Account. This delay is intended to give you time to enable Lost Mode and secure your account before a thief can reset your device. + +**Allow Access When Locked** presents options for what you can allow when your phone is locked. Pick and choose which feature you want to disable to prevent unauthorized access if someone gets their hands on your phone. The more of these options you disable, the less someone without your password can do, but the less convenient it will be for you. + +iPhones are already resistant to brute-force attacks by making you wait long periods of time after multiple failed attempts; however, there have historically been exploits to get around this. To be extra safe, you can set your phone to wipe itself after 10 failed passcode attempts. + +
+

Warning

+ +With this setting enabled, someone could intentionally wipe your phone by entering the wrong password many times. Make sure you have proper backups and only enable this setting if you feel comfortable with it. + +
+ +- [x] Turn on **Erase Data** + +#### Privacy & Security + +**Location Services** allows you to use features like Find My and Maps. If you don't need these features, you can disable Location Services. Alternatively, you can review and pick which apps can use your location here. Select **Location Services**: + +- [ ] Turn off **Location Services** + +A purple arrow will appear next to an app in these settings that has used your location recently, while a gray arrow indicates that your location has been accessed within the last 24 hours. If you decide to leave Location Services on, Apple will use it for System Services by default. You can review and pick which services can use your location here. However, if you don't want to submit location analytics to Apple, which they use to improve Apple Maps, you can disable this here as well. Select **System Services**: + +- [ ] Turn off **iPhone Analytics** +- [ ] Turn off **Routing & Traffic** +- [ ] Turn off **Improve Maps** + +You can decide to allow apps to request to **track** you here. Disabling this disallows all apps from tracking you with your phone's advertising ID. Select **Tracking**: + +- [ ] Turn off **Allow Apps to Request to Track** + +This is disabled by default and cannot be changed for users under 18. + +You should turn off **Research Sensor & Usage Data** if you don't wish to participate in studies. Select **Research Sensor & Usage Data**: + +- [ ] Turn off **Sensor & Usage Data Collection** + +**[Safety Check](https://support.apple.com/guide/personal-safety/safety-check-iphone-ios-16-ips2aad835e1/1.0/web/1.0)** allows you to quickly view and revoke certain people and apps that might have permission to access your data. Here, you can perform an **Emergency Reset**, immediately resetting permissions for all people and apps which might have access to device resources. 
You can also **Manage Sharing & Access**, which allows you to review and customize who and what has access to your device and account resources. If you're in an abusive situation, read Apple's [Personal Safety User Guide](https://support.apple.com/guide/personal-safety/welcome/web) for guidance on what you should do. + +You should disable analytics if you don't wish to send usage data to Apple. Select **Analytics & Improvements** and unselect the type(s) of analytics that you don't want to send to Apple. + +Disable **Personalized Ads** if you don't want targeted ads. Select **Apple Advertising**: + +- [ ] Turn off **Personalized Ads** + +**App Privacy Report** is a built-in tool that allows you to see which permissions your apps are using. Select **App Privacy Report**: + +- [x] Select **Turn On App Privacy Report** + +Set wired accessories to ask for permission when you connect them. Select **Wired Accessories**: + +- [x] Select **Always Ask** or **Ask for New Accessories** + +**[Lockdown Mode](https://blog.privacyguides.org/2022/10/27/macos-ventura-privacy-security-updates/#lockdown-mode)** is a security setting you can enable to make your phone more resistant to attacks. Be aware that certain apps and features [won't work](https://support.apple.com/HT212650) as they do normally. + +- [x] Select **Turn On Lockdown Mode** + +## Additional Advice + +### E2EE Calls + +Normal phone calls made with the Phone app through your carrier are not E2EE. Both FaceTime Video and FaceTime Audio calls are E2EE. Alternatively, you can use [another app](../real-time-communication.md) like Signal for E2EE calls. + +### Encrypted iMessage + +The [color of the message bubble](https://support.apple.com/en-us/104972) in the Messages app indicates whether your messages are E2EE or not. A blue bubble indicates that you're using iMessage with E2EE, while a green bubble indicates the other party is using either the outdated SMS and MMS protocols or RCS. RCS on iOS is **not** E2EE. 
Currently, the only way to have E2EE in Messages is for both parties to be using iMessage on Apple devices. + +If either you or your messaging partner have iCloud Backup enabled without Advanced Data Protection, the encryption key will be stored on Apple's servers, meaning they can access your messages. + +By default, you trust Apple's identity servers that you're messaging the right person. To defend yourself from a potentially malicious server, you can enable **[Contact Key Verification](https://support.apple.com/en-us/118246)**. At the top of the **Settings** app where your name is, select it, then go to **Contact Key Verification**. + +- [x] Turn on **Verification in iMessage** + +Both you and your contacts need to enable Contact Key Verification and follow Apple's [instructions](https://support.apple.com/en-us/118246#verify) for the security assurances mentioned above to take effect. + +### Photo Permissions + +When an app prompts you for access to your device's photo library, iOS provides you with options to limit what an app can access. + +Rather than allow an app to access all the photos on your device, you can allow it to only access whichever photos you choose by tapping the "Select Photos..." option in the permission dialog. You can change photo access permissions at any time by navigating to **Settings** → **Privacy & Security** → **Photos**. + +![Photo Permissions](../assets/img/ios/photo-permissions-light.png#only-light) ![Photo Permissions](../assets/img/ios/photo-permissions-dark.png#only-dark) + +**Add Photos Only** is a permission that only gives an app the ability to download photos to the photo library. Not all apps which request photo library access provide this option. + +![Private Access](../assets/img/ios/private-access-light.png#only-light) ![Private Access](../assets/img/ios/private-access-dark.png#only-dark) + +Some apps also support **Private Access**, which functions similarly to the **Limited Access** permission. 
However, photos shared to apps using Private Access include their location by default. We recommend unchecking this setting if you do not [remove photo metadata](../data-redaction.md) beforehand. + +### Contact Permissions + +Similarly, rather than allow an app to access all the contacts saved on your device, you can allow it to only access whichever contacts you choose. You can change contact access permissions at any time by navigating to **Settings** → **Privacy & Security** → **Contacts**. + +![Contact Permissions](../assets/img/ios/contact-permissions-light.png#only-light) ![Contact Permissions](../assets/img/ios/contact-permissions-dark.png#only-dark) + +### Require Biometrics and Hide Apps + +iOS offers the ability to lock most apps behind Touch ID/Face ID or your passcode, which can be useful for protecting sensitive content in apps which do not provide the option themselves. You can lock an app by long-pressing on it and selecting **Require Face ID/Touch ID**. Any app locked in this way requires biometric authentication whenever opening it or accessing its contents in other apps. Also, notification previews for locked apps will not be shown. + +In addition to locking apps behind biometrics, you can also hide apps so that they don't appear on the Home Screen, App Library, the app list in **Settings**, etc. While hiding apps may be useful in situations where you have to hand your unlocked phone to someone else, the concealment provided by the feature is not absolute, as a hidden app is still visible in some places such as the battery usage list. Moreover, one notable trade off of hiding an app is that you will not receive any of its notifications. + +You can hide an app by long-pressing on it and selecting **Require Face ID/Touch ID** → **Hide and Require Face ID/Touch ID**. Note that pre-installed Apple apps, as well as the default web browser and email app, cannot be hidden. 
Hidden apps reside in a **Hidden** folder at the bottom of the App Library, which can be unlocked using biometrics. This folder appears in the App Library whether you hid any apps or not, which provides you a degree of plausible deniability. + +### Guided Access + +Sometimes you might want to hand your phone to someone to make a call or do a specific task, but you don't want them to have full access to your phone. In these cases, you can quickly enable **[Guided Access](https://support.apple.com/guide/iphone/lock-iphone-to-one-app-iph7fad0d10/ios)** to lock the phone to one specific app until you authenticate. + +
+

Warning

+ +Guided Access isn't foolproof, as it's possible you could leak data unintentionally or the feature could be bypassed. You should only use Guided Access for situations where you casually hand your phone to someone to use. You should not use it as a tool to protect against advanced adversaries. + +
+ +### Redacting Elements in Images + +If you need to hide information in a photo, you can use Apple's built-in editing tools to do so. + +You can use the [Clean Up](https://support.apple.com/en-us/121429) feature on supported devices to pixelate faces or remove objects from images. + +- Open the **Photos** app and tap the photo you have selected for redaction +- Tap the :material-tune: +- Tap the button labeled **Clean Up** +- Draw a circle around whatever you want to redact. Faces will be pixelated, and it will attempt to delete anything else. + +Our warning [against blurring text](../data-redaction.md) also applies here, so we recommend to instead add a black shape with 100% opacity over it. In addition to redacting text, you can also black out any face or object using the **Photos** app. + +
+ +- Tap the image you have selected for redaction +- Tap the :material-tune: → :material-dots-horizontal: (1) → Markup → :material-plus: +- Select **Add Shape** and choose the square or circle +- On the toolbar, tap the circle and choose black as the color for filling in the shape. You can also move the shape and increase its size as you see fit. + +
+ +1. This may not appear on certain iPhone models. + +**Don't** use the highlighter to obfuscate information, as its opacity is not quite 100%. + +### Avoid Jailbreaking + +Jailbreaking an iPhone undermines its security and makes you vulnerable. Running untrusted, third-party software could cause your device to be infected with malware. + +### iOS Betas + +Apple always makes beta versions of iOS available early for those that wish to help find and report bugs. We don't recommend installing beta software on your phone. Beta releases are potentially unstable and could have undiscovered security vulnerabilities. + +## Security Highlights + +### Before First Unlock + +If your threat model includes [:material-target-account: Targeted Attacks](../basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} that involve forensic tools, and you want to minimize the chance of exploits being used to access your phone, you should restart your device frequently. The state *after* a reboot but *before* unlocking your device is referred to as "Before First Unlock" (BFU), and when your device is in that state it makes it [significantly more difficult](https://belkasoft.com/checkm8_glossary) for forensic tools to exploit vulnerabilities to access your data. This BFU state allows you to receive notifications for calls, texts, and alarms, but most of the data on your device is still encrypted and inaccessible. This can be impractical, so consider whether these trade-offs make sense for your situation. + +iPhones [automatically reboot](https://support.apple.com/guide/security/protecting-user-data-in-the-face-of-attack-secf5549a4f5/1/web/1#:~:text=On%20an%20iPhone%20or%20iPad%20with%20iOS%2018%20and%20iPadOS%2018%20or%20later%2C%20a%20new%20security%20protection%20will%20restart%20devices%20if%20they%20remain%20locked%20for%20a%20prolonged%20period%20of%20time.) if they're not unlocked after a period of time. 
+ +### MTE + +The iPhone 17 line and later offer a security enhancement called [Memory Tagging Extension](https://developer.arm.com/documentation/108035/0100/Introduction-to-the-Memory-Tagging-Extension) (MTE), which makes it significantly harder for an attacker to exploit memory corruption vulnerabilities. This always-on protection depends on hardware support, so it's not available for older devices. + +For more details on Apple's implementation of MTE, read the [blog post](https://security.apple.com/blog/memory-integrity-enforcement) published by Apple Security Research. We also cover Apple's implementation of MTE and how it compares to Android's implementation in the Google Pixel 8 series and later in our [own article](https://www.privacyguides.org/posts/2025/09/20/memory-integrity-enforcement-changes-the-game-on-ios). diff --git a/i18n/fi/os/linux-overview.md b/i18n/fi/os/linux-overview.md new file mode 100644 index 00000000..9b6fa73e --- /dev/null +++ b/i18n/fi/os/linux-overview.md 
@@ -0,0 +1,170 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +**Linux** is an open-source, privacy-focused desktop operating system alternative. In the face of pervasive telemetry and other privacy-encroaching technologies in mainstream operating systems, desktop Linux has remained the clear choice for people looking for total control over their computers from the ground up. + +Our website generally uses the term “Linux” to describe **desktop** Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed on this page. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Security Notes + +There are some notable security concerns with Linux which you should be aware of. Despite these drawbacks, desktop Linux distributions are still great for most people who want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Use privacy-focused systems such as [Whonix](../desktop.md#whonix) or [Tails](../desktop.md#tails) + +### Open-Source Security + +It is a [common misconception](../basics/common-misconceptions.md#open-source-software-is-always-secure-or-proprietary-software-is-more-secure) that Linux and other open-source software are inherently secure simply because the source code is available. There is an expectation that community verification occurs regularly, but this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security). 
+ +In reality, distro security depends on a number of factors, such as project activity, developer experience, the level of rigor applied to code reviews, and how often attention is given to specific parts of the codebase that may go untouched for years. + +### Missing Security Features + +At the moment, desktop Linux [falls behind alternatives](https://discussion.fedoraproject.org/t/fedora-strategy-2028-proposal-fedora-linux-is-as-secure-as-macos/46899/9) like macOS or Android when it comes to certain security features. We hope to see improvements in these areas in the future. + +- **Verified boot** on Linux is not as robust as alternatives such as Apple’s [Secure Boot](https://support.apple.com/guide/security/secac71d5623/web) or Android’s [Verified Boot](https://source.android.com/security/verifiedboot). Verified boot prevents persistent tampering by malware and [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack), but is still largely [unavailable on even the most advanced distributions](https://discussion.fedoraproject.org/t/has-silverblue-achieved-verified-boot/27251/3). + +- **Strong sandboxing** for apps on Linux is severely lacking, even with containerized apps like Flatpaks or sandboxing solutions like Firejail. Flatpak is the most promising sandboxing utility for Linux thus far, but is still deficient in many areas and allows for [unsafe defaults](https://flatkill.org/2020) which permit most apps to trivially bypass their sandbox. + +Additionally, Linux falls behind in implementing [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) which are now standard on other operating systems, such as Arbitrary Code Guard on Windows or Hardened Runtime on macOS. Also, most Linux programs and Linux itself are coded in memory-unsafe languages. 
Memory corruption bugs are responsible for the [majority of vulnerabilities](https://msrc.microsoft.com/blog/2019/07/a-proactive-approach-to-more-secure-code) fixed and assigned a CVE. While this is also true for Windows and macOS, they are quickly making progress on adopting memory-safe languages such as Rust and Swift, respectively. + +## Choosing your distribution + +Not all Linux distributions are created equal. Our [Linux recommendation page](../desktop.md) is not meant to be an authoritative source on which distribution you should use, but our recommendations *are* aligned with the following guidelines. These are a few things you should keep in mind when choosing a distribution: + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes (particularly for less popular software) [do not](https://arxiv.org/abs/2105.14565) receive a [CVE ID](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) at all and therefore do not make it into the distribution with this patching model. As a result, minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. 
[Richard Brown](https://rootco.de/aboutme) has a presentation about this: + +- [Regular Releases are Wrong, Roll for your life](https://youtu.be/i8c0mg_mS7U) (YouTube) + +### Traditional vs Atomic Updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian-based distributions can be less reliable if an error occurs while updating. + +Distros which use atomic updates, on the other hand, apply updates in full or not at all. On an atomic distribution, if an error occurs while updating (perhaps due to a power failure), nothing is changed on the system. + +The atomic update method can achieve reliability with this model and is used for [distributions](../desktop.md#atomic-distributions) like Silverblue and NixOS. [Adam Šamalík](https://twitter.com/adsamalik) provides a presentation on how `rpm-ostree` works with Silverblue: + +- [Let's try Fedora Silverblue — an immutable desktop OS! - Adam Šamalík](https://youtu.be/-hpV5l-gJnQ) (YouTube) + +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch, or Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch and Arch-based distributions are not recommended for those new to Linux (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have a distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies on your own as they supersede older practices. 
+ +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](#mandatory-access-control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository) **must** be comfortable auditing PKGBUILDs that they download from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software [:material-package-variant-closed-remove: Supply Chain Attacks](../basics/common-threats.md#attacks-against-certain-organizations ""){.pg-viridian}, which has in fact happened [in the past](https://bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository). + +The AUR should always be used sparingly, and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to the use of third-party Personal Package Archives (PPAs) on Debian-based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we generally recommend mainline Arch Linux over any of its derivatives. + +Additionally, we recommend **against** these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. 
When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Linux-libre kernel and “Libre” distributions + +We recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://phoronix.com/news/GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode. + +### Mandatory access control + +Mandatory access control is a set of additional security controls which help to confine parts of the system such as apps and system services. The two common forms of mandatory access control found in Linux distributions are [SELinux](https://github.com/SELinuxProject) and [AppArmor](https://apparmor.net). Fedora and Tumbleweed use SELinux by default, with Tumbleweed offering an option in its installer to choose AppArmor instead. + +SELinux on [Fedora](https://docs.fedoraproject.org/en-US/quick-docs/selinux-getting-started) confines Linux containers, virtual machines, and service daemons by default. AppArmor is used by the snap daemon for [sandboxing](https://snapcraft.io/docs/security-sandboxing) snaps which have [strict](https://snapcraft.io/docs/snap-confinement) confinement such as [Firefox](https://snapcraft.io/firefox). There is a community effort to confine more parts of the system in Fedora with the [ConfinedUsers](https://fedoraproject.org/wiki/SIGs/ConfinedUsers) special interest group. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. 
If this option isn’t set at installation time, you will have to back up your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Zram#Using_zram-generator) instead of a traditional swap file or partition to avoid writing potentially sensitive memory data to persistent storage (and improve performance). Fedora-based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +If you require suspend-to-disk (hibernation) functionality, you will still need to use a traditional swap file or partition. Make sure that any swap space you do have on a persistent storage device is [encrypted](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) at a minimum to mitigate some of these threats. + +### Proprietary Firmware (Microcode Updates) + +Some Linux distributions (such as [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre)-based or DIY distros) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates which patch critical security vulnerabilities. 
Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install microcode updates, as they contain important security patches for the CPU which can not be fully mitigated in software alone. Fedora and openSUSE both apply microcode updates by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more bare bones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that, you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +### Permission Controls + +Desktop environments that support the [Wayland](https://wayland.freedesktop.org) display protocol are [more secure](https://lwn.net/Articles/589147) than those that only support X11. Moreover, we *generally* recommend installing and using applications which are sandboxed such as those obtained via **Flatpak**. 
Flatpak supports the [`security-context-v1`](https://github.com/flatpak/flatpak/pull/4920) protocol and the ability to filter D-Bus protocols, which allow Flatpak to properly identify apps for the purpose of sandboxing them through permission controls.[^1] Conversely, applications outside sandboxes are free to perform privileged actions such as capturing your screen, either by [overwriting the portal permission store](https://invent.kde.org/plasma/xdg-desktop-portal-kde/-/issues/7#note_1112260), or [making use of privileged Wayland protocols](https://github.com/swaywm/sway/pull/7648#issuecomment-2507730794). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc.) come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager) to configure Ethernet and Wi-Fi settings. + +It is possible to randomize the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +In the terminal, create a new file `/etc/NetworkManager/conf.d/00-macrandomize.conf` and add the following to it: + +```text +[device] +wifi.scan-rand-mac-address=yes + +[connection] +wifi.cloned-mac-address=random +ethernet.cloned-mac-address=random +``` + +Then, restart NetworkManager: + +```sh +systemctl restart NetworkManager +``` + +Optionally, changing the connection parameter from `random` to `stable` will give you a random MAC address *per network*, but keep it stable for that network when you reconnect to it later. Using `random` will give you a random MAC address *per connection*. This may be desirable for networks with captive portals or where you have a static DHCP assignment, at the expense of making you more identifiable by a single network operator you connect to multiple times. 
+ +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +MAC address randomization is primarily beneficial for Wi-Fi connections. For Ethernet connections, randomizing your MAC address provides little (if any) benefit, because a network administrator can trivially identify your device by other means (such as inspecting the port you are connected to on the network switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. 
We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the `countme` option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by emptying the `/var/lib/zypp/AnonymousUniqueId` file. + +[^1]: This exposes a reliable way for Wayland compositors to get identifying information about a client. Compositors can then apply security policies if desirable. [https://github.com/flatpak/flatpak/commit/f0e626a4b60439f211f06d35df74b675a9ef42f4](https://github.com/flatpak/flatpak/commit/f0e626a4b60439f211f06d35df74b675a9ef42f4) diff --git a/i18n/fi/os/macos-overview.md b/i18n/fi/os/macos-overview.md new file mode 100644 index 00000000..9cd9aed8 --- /dev/null +++ b/i18n/fi/os/macos-overview.md 
@@ -0,0 +1,312 @@ +--- +title: macOS Overview +icon: material/apple-finder +description: macOS is Apple's desktop operating system that works with their hardware to provide strong security. +--- + +**macOS** is a Unix operating system developed by Apple for their Mac computers. To enhance privacy on macOS, you can disable telemetry features and harden existing privacy and security settings. + +Older Intel-based Macs and Hackintoshes do not support all the security features that macOS offers. To enhance data security, we recommend using a newer Mac with [Apple Silicon](https://support.apple.com/HT211814). + +## Privacy Notes + +There are a few notable privacy concerns with macOS that you should consider. These pertain to the operating system itself, and not Apple's other apps and services. + +### Activation Lock + +Brand-new Apple Silicon devices can be set up without an internet connection. However, recovering or resetting your Mac will **require** an internet connection to Apple's servers to check against the Activation Lock database of lost or stolen devices. + +### App Revocation Checks + +macOS performs online checks when you open an app to verify whether an app contains known malware, and whether the developer’s signing certificate is revoked. + +Apple's OCSP service uses HTTPS encryption, so only they are able to see which apps you open. They've [posted information](https://support.apple.com/HT202491) about their logging policy for this service. They additionally [promised](http://lapcatsoftware.com/articles/2024/8/3.html) to add a mechanism for people to opt-out of this online check, but this has not been added to macOS. + +While you [can](https://eclecticlight.co/2021/02/23/how-to-run-apps-in-private) manually opt out of this check relatively easily, we recommend against doing so unless you would be badly compromised by the revocation checks performed by macOS, because they serve an important role in ensuring compromised apps are blocked from running. 
+ +## Recommended Configuration + +Your account when you first set up your Mac will be an Administrator account, which has higher privileges than a Standard user account. macOS has a number of protections which prevent malware and other programs from abusing your Administrator privileges, so it is generally safe to use this account. + +However, exploits in protective utilities like `sudo` have been [discovered in the past](https://bogner.sh/2014/03/another-mac-os-x-sudo-password-bypass). If you want to avoid the possibility that programs you run abuse your Administrator privileges, you could consider creating a second, Standard user account which you use for day-to-day operations. This has the added benefit of making it more obvious when an app needs admin access, because it will prompt you for credentials every time. + +If you do use a second account, it is not strictly required to ever log in to your original Administrator account from the macOS login screen. When you are doing something as a Standard user which requires Administrator permissions, the system should prompt you for authentication, where you can enter your Administrator credentials as your Standard user on a one-time basis. Apple provides [guidance](https://support.apple.com/HT203998) on hiding your Administrator account if you prefer to only see a single account on your login screen. + +### iCloud + +When you use Apple services like iCloud, most of your information is stored on their servers and secured with keys *which Apple has access to* by default. This is called [Standard Data Protection](https://support.apple.com/en-us/102651) by Apple. + +Therefore, if you use iCloud you should [enable **Advanced Data Protection**](https://support.apple.com/HT212520). This encrypts nearly all of your iCloud data with keys stored on your devices (end-to-end encryption), rather than Apple's servers, so that your iCloud data is secured in the event of a data breach, and otherwise hidden from Apple. 
+ +If you want to be able to install apps from the App Store but don't want to enable iCloud, you can sign in to your Apple Account from the App Store instead of **System Settings**. + +### System Settings + +There are a number of built-in settings you should confirm or change to harden your system. Open the **Settings** app: + +#### Bluetooth + +- [ ] Turn off **Bluetooth** (unless you are currently using it) + +#### Network + +Depending on if you are using **Wi-Fi** or **Ethernet** (denoted by a green dot and the word "connected"), click on the corresponding icon. + +Click on the "Details" button by your network name: + +- [x] Select **Rotating** under **Private Wi-Fi address** + +- [x] Turn on **Limit IP address tracking** + +##### Firewall + +Your firewall blocks unwanted network connections. The stricter your firewall settings are, the more secure your Mac is. However, certain services will be blocked. You should configure your firewall to be as strict as you can without blocking services you use. + +- [x] Turn on **Firewall** + +Click the **Options** button: + +- [x] Turn on **Block all incoming connections** + +If this configuration is too strict, you can come back and uncheck this. However, macOS will typically prompt you to allow incoming connections for an app if the app requests it. + +#### General + +By default, your device name will be something like "[your name]'s iMac". Because this name is [publicly broadcast on your network](https://support.apple.com/guide/mac-help/change-computers-local-hostname-mac-mchlp2322/26/mac/26#:~:text=The%20local%20hostname%2C%20or%20local%20network%20name%2C%20is%20displayed%20at%20the%20bottom%20of%20the%20Sharing%20settings%20window.%20It%20identifies%20your%20Mac%20to%20Bonjour%2Dcompatible%20services.), you'll want to change your device name to something generic like "Mac". + +Click on **About** and type your desired device name into the **Name** field. 
+ +##### Software Updates + +You should automatically install all available updates to make sure your Mac has the latest security fixes. + +Click the small :material-information-outline: icon next to **Automatic Updates**: + +- [x] Turn on **Download new updates when available** + +- [x] Turn on **Install macOS updates** + +- [x] Turn on **Install Security Responses and system files** + +#### Apple Intelligence & Siri + +If you do not use these features on macOS, you should disable them: + +- [ ] Turn off **Apple Intelligence** +- [ ] Turn off **Siri** + +**[Apple Intelligence](https://apple.com/legal/privacy/data/en/intelligence-engine)** is only available if your device supports it. Apple Intelligence uses a combination of on-device processing and their [Private Cloud Compute](https://security.apple.com/blog/private-cloud-compute) for things that take more processing power than your device can provide. + +To see a report of all the data sent via Apple Intelligence, you can navigate to **Privacy & Security** → **Apple Intelligence Report** and press **Export Activity** to see activity from the either the last 15 minutes or 7 days, depending on what you set it for. Similar to the **App Privacy Report** which shows you the recent permissions accessed by the apps on your phone, the Apple Intelligence Report likewise shows what is being sent to Apple's servers while using Apple Intelligence. + +By default, ChatGPT integration is disabled. If you don't want ChatGPT integration anymore, you can navigate to **ChatGPT**: + +- [ ] Turn off **Use ChatGPT** + +You can also have it ask for confirmation every time if you leave ChatGPT integration on: + +- [x] Turn on **Confirm Requests** + +
+

Warning

+ +Any request made with ChatGPT will be sent to ChatGPT's servers, there is no on-device processing and no PCC like with Apple Intelligence. + +
+ +#### Privacy & Security + +Whenever an application requests a permission, it will show up here. You can decide which applications you want to allow or deny specific permissions. + +##### Location Services + +You can individually allow location services per-app. If you don't need apps to use your location, turning off location services entirely is the most private option. + +- [ ] Turn off **Location Services** + +##### Analytics & Improvements + +Decide whether you want to share analytics data with Apple and app developers. + +##### Apple Advertising + +Decide whether you want personalized ads based on your usage. + +- [ ] Turn off **Personalized Ads** + +##### FileVault + +On modern devices with a Secure Enclave (Apple T2 Security Chip, Apple Silicon), your data is always encrypted, but is decrypted automatically by a hardware key if your device doesn't detect it's been tampered with. Enabling [FileVault](../encryption.md#filevault) additionally requires your password to decrypt your data, greatly improving security, especially when powered off or before the first login after powering on. + +On older Intel-based Mac computers, FileVault is the only form of disk encryption available by default, and should always be enabled. + +- [x] Click **Turn On** + +##### Lockdown Mode + +**[Lockdown Mode](https://support.apple.com/guide/mac-help/lock-mac-targeted-a-cyberattack-ibrw66f4e191/mac)** disables some features in order to improve security. Some apps or features won't work the same way they do when it's off. For example, Javascript Just-In-Time ([JIT](https://hacks.mozilla.org/2017/02/a-crash-course-in-just-in-time-jit-compilers)) compilation and [WebAssembly](https://developer.mozilla.org/docs/WebAssembly) are disabled in Safari with Lockdown Mode enabled. We recommend enabling Lockdown Mode and seeing whether it significantly impacts daily usage. 
+ +- [x] Click **Turn On** + +### MAC Address Randomization + +macOS uses a randomized MAC address when [performing Wi-Fi scans](https://support.apple.com/guide/security/privacy-features-connecting-wireless-networks-secb9cb3140c/web) while disconnected from a network. + +You can set your [MAC address to be randomized](https://support.apple.com/en-us/102509) per network and rotate occasionally to prevent tracking between networks and on the same network over time. + +Go to **System Settings** → **Network** → **Wi-Fi** → **Details** and set **Private Wi-Fi address** to either **Fixed** if you want a fixed but unique address for the network you're connected to, or **Rotating** if you want it to change over time. + +Consider changing your hostname as well, which is another device identifier that's broadcast on the network you're connected to. You may wish to set your hostname to something generic like "MacBook Air", "Laptop", "John's MacBook Pro", or "iPhone" in **System Settings** → **General** → **Sharing**. + +## Security Protections + +macOS employs defense in depth by relying on multiple layers of software and hardware-based protections, with different properties. This ensures that a failure in one layer does not compromise the system's overall security. + +### Software Security + +
+

Warning

+ +macOS allows you to install beta updates. These are unstable and may come with [extra telemetry](https://beta.apple.com/privacy) since they're for testing purposes. Because of this, we recommend you avoid beta software in general. + +
+ +#### Signed System Volume + +macOS's system components are protected in a read-only [signed system volume](https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web), meaning that neither you nor malware can alter important system files. + +The system volume is verified while it's running and any data that's not signed with a valid cryptographic signature from Apple will be rejected. + +#### System Integrity Protection + +macOS sets certain security restrictions that can't be overridden. These are called [Mandatory Access Controls](https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/1/web/1), and they form the basis of the sandbox, parental controls, and [System Integrity Protection](https://support.apple.com/en-us/102149) on macOS. + +System Integrity Protection makes critical file locations read-only to protect against modification from malicious code. This is on top of the hardware-based Kernel Integrity Protection that keeps the kernel from being modified in-memory. + +#### Application Security + +##### App Sandbox + +On macOS, whether an app is sandboxed is determined by the developer when they sign it. The [App Sandbox](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox) protects against vulnerabilities in the apps you run by limiting what a malicious actor can access in the event that the app is exploited. The App Sandbox *alone* can't protect against [:material-package-variant-closed-remove: Supply Chain Attacks](../basics/common-threats.md#attacks-against-certain-organizations ""){.pg-viridian} by malicious developers. For that, sandboxing needs to be enforced by someone other than the developer themselves, as it is on the [App Store](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/1/web/1#:~:text=All%20apps%20from%20the%20App%20Store%20are%20sandboxed%20to%20restrict%20access%20to%20data%20stored%20by%20other%20apps.). + +
+

Warning

+ +Software downloaded from outside the official App Store is not required to be sandboxed. If your threat model prioritizes defending against [:material-bug-outline: Passive Attacks](../basics/common-threats.md#security-and-privacy){ .pg-orange }, then you may want to check if the software you download outside the App Store is sandboxed, which is up to the developer to *opt in*. + +
+ +You can check if an app uses the App Sandbox in a few ways: + +You can check if apps that are already running are sandboxed using the [Activity Monitor](https://developer.apple.com/documentation/security/protecting-user-data-with-app-sandbox#Verify-that-your-app-uses-App-Sandbox). + +
+

Warning

+ +Just because one of an app's processes is sandboxed doesn't mean they all are. + +
+ +Alternatively, you can check apps before you run them by running this command in the terminal: + +``` zsh +codesign -dvvv --entitlements - +``` + +If an app is sandboxed, you should see the following output: + +``` zsh + [Key] com.apple.security.app-sandbox + [Value] + [Bool] true +``` + +If you find that the app you want to run is not sandboxed, then you may employ methods of [compartmentalization](../basics/common-threats.md#security-and-privacy) such as virtual machines or separate devices, use a similar app that is sandboxed, or choose to not use the non-sandboxed app altogether. + +##### Hardened Runtime + +The [Hardened Runtime](https://developer.apple.com/documentation/security/hardened_runtime) is an extra form of protection for apps that prevents certain classes of exploits. It improves the security of apps against exploitation by disabling certain features like JIT. + +You can check if an app uses the Hardened Runtime using this command: + +``` zsh +codesign -dv +``` + +If Hardened Runtime is enabled, you will see `flags=0x10000(runtime)`. The `runtime` output means Hardened Runtime is enabled. There might be other flags, but the runtime flag is what we're looking for here. + +You can enable a column in Activity Monitor called "Restricted" which is a flag that prevents programs from injecting code via macOS's [dynamic linker](https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html). Ideally, this should say "Yes". + +##### Antivirus + +macOS comes with two forms of [malware defense](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1): + +1. Protection against launching malware in the first place is provided by the App Store's review process for App Store applications, or *Notarization* (part of *Gatekeeper*), a process where third-party apps are scanned for known malware by Apple before they are allowed to run. 
Apps are required to be signed by the developers using a key given to them by Apple. This ensures that you are running software from the real developers. Notarization also requires that developers enable the Hardened Runtime for their apps, which limits methods of exploitation. +2. Protection against other malware and remediation from existing malware on your system is provided by *XProtect*, a more traditional antivirus software built-in to macOS. + +We recommend against installing third-party antivirus software as they typically do not have the system-level access required to properly function anyway, because of Apple's limitations on third-party apps, and because granting the high levels of access they do ask for often poses an even greater security and privacy risk to your computer. + +##### Backups + +macOS comes with automatic backup software called [Time Machine](https://support.apple.com/HT201250), so you can create [encrypted backups](https://support.apple.com/guide/mac-help/keep-your-time-machine-backup-disk-secure-mh21241/mac) to an external drive or a network drive in the event of corrupted/deleted files. + +### Hardware Security + +Many modern security features in macOS—such as modern Secure Boot, hardware-level exploit mitigation, OS integrity checks, and file-based encryption—rely on Apple Silicon, and Apple's newer hardware always has the [best security](https://support.apple.com/guide/security/apple-soc-security-sec87716a080/1/web/1). We only encourage the use of Apple Silicon, and not older Intel-based Mac computers or Hackintoshes. + +Some of these modern security features are available on older Intel-based Mac computers with the Apple T2 Security Chip, but that chip is susceptible to the *checkm8* exploit which could compromise its security. 
+ +If you use Bluetooth accessories such as a keyboard, we recommend that you use official Apple ones as their firmware will [automatically be updated](https://support.apple.com/en-us/120303#:~:text=Firmware%20updates%20are%20automatically%20delivered%20in%20the%20background%20while%20the%20Magic%20Keyboard%20is%20actively%20paired%20to%20a%20device%20running%20macOS%2C%20iOS%2C%20iPadOS%2C%20or%20tvOS.) for you by macOS. Using third party accessories is fine, but you should remember to install firmware updates for them regularly. + +Apple's SoCs focus on [minimizing attack surface](https://support.apple.com/en-vn/guide/security/secf020d1074/web#:~:text=Security%2Dfocused%20hardware%20follows%20the%20principle%20of%20supporting%20limited%20and%20discretely%20defined%20functions%20to%20minimize%20attack%20surface.) by relegating security functions to dedicated hardware with limited functionality. + +#### Boot ROM + +macOS prevents malware persistence by only allowing official Apple software to run at boot time; this is known as [secure boot](https://support.apple.com/en-vn/guide/security/secac71d5623/1/web/1). Mac computers verify this with a bit of read-only memory on the SoC called the [boot ROM](https://support.apple.com/en-vn/guide/security/aside/sec5240db956/1/web/1), which is [laid down during the manufacturing of the chip](https://support.apple.com/en-vn/guide/security/secf020d1074/1/web/1#:~:text=which%20is%20laid%20down%20during%20Apple%20SoC%20fabrication). + +The boot ROM forms the hardware root of trust. This ensures that malware cannot tamper with the boot process, since the boot ROM is immutable. When your Mac boots up, the boot ROM is the first thing that runs, forming the first link in the chain of trust. 
+ +Mac computers can be configured to boot in [three security modes](https://support.apple.com/guide/deployment/startup-security-dep5810e849c/web#dep32fb404e1): *Full Security*, *Reduced Security*, and *Permissive Security*, with the default setting being Full Security. You should ideally be using Full Security mode and avoid things like **[kernel extensions](https://support.apple.com/guide/deployment/system-extensions-in-macos-depa5fb8376f/web#dep51e097f45)** that force you to lower your security mode. Make sure to [check](https://support.apple.com/guide/mac-help/change-security-settings-startup-disk-a-mac-mchl768f7291/mac) that you're using Full Security mode. + +#### Secure Enclave + +The **[Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web)** is a security chip built into devices with Apple Silicon which is responsible for storing and generating encryption keys for data at rest as well as Face ID and Touch ID data. It contains its own [separate boot ROM](https://support.apple.com/en-vn/guide/security/sec59b0b31ff/web#sec43006c49f). + +You can think of the Secure Enclave as your device's security hub: it has an AES encryption engine and a mechanism to securely store your encryption keys, and it's separated from the rest of the system, so even if the main processor is compromised, it should still be safe. + +#### Touch ID + +Apple's Touch ID feature allows you to securely unlock your devices using biometrics. + +Your biometric data [never leaves your device](https://www.apple.com/legal/privacy/data/en/touch-id/#:~:text=Touch%C2%A0ID%20data%20does%20not%20leave%20your%20device%2C%20and%20is%20never%20backed%20up%20to%20iCloud%20or%20anywhere%20else.); it's stored only in the Secure Enclave. 
+ +#### Hardware Microphone Disconnect + +All laptops with Apple Silicon or the T2 chip feature a [hardware disconnect](https://support.apple.com/guide/security/hardware-microphone-disconnect-secbbd20b00b/web) for the built-in microphone whenever the lid is closed. This means that there is no way for an attacker to listen to your Mac's microphone even if the operating system is compromised. + +Note that the camera does not have a hardware disconnect, since its view is obscured when the lid is closed anyway. + +#### Secure Camera Indicator + +The built-in camera in a Mac is designed so that the camera can't turn on without the camera indicator light [also turning on](https://support.apple.com/en-us/102177#:~:text=The%20camera%20is%20engineered%20so%20that%20it%20can’t%20activate%20without%20the%20camera%20indicator%20light%20also%20turning%20on.%20This%20is%20how%20you%20can%20tell%20if%20your%20camera%20is%20on.). + +#### Peripheral Processor Security + +Computers have [built-in processors](https://support.apple.com/en-vn/guide/security/seca500d4f2b/1/web/1) other than the main CPU that handle things like networking, graphics, power management, etc. These processors can have insufficient security and become compromised, therefore Apple tries to minimize the need for these processors in their hardware. + +When it is necessary to use one of these processors, Apple works with the vendor to ensure that the processor + +- runs verified firmware from the primary CPU on startup +- has its own Secure Boot chain +- follows minimum cryptographic standards +- ensures known bad firmware is properly revoked +- has its debug interfaces disabled +- is signed with Apple's cryptographic keys + +#### Direct Memory Access Protections + +Apple Silicon separates each component that requires [direct memory access](https://support.apple.com/guide/security/direct-memory-access-protections-seca4960c2b5/1/web/1). For example, a Thunderbolt port can't access memory designated for the kernel. 
+ +#### Terminal Secure Keyboard Entry + +Enable [Secure Keyboard Entry](https://support.apple.com/guide/terminal/use-secure-keyboard-entry-trml109/mac) to prevent other apps from detecting what you type in the terminal. diff --git a/i18n/fi/os/qubes-overview.md b/i18n/fi/os/qubes-overview.md new file mode 100644 index 00000000..793ac4a2 --- /dev/null +++ b/i18n/fi/os/qubes-overview.md @@ -0,0 +1,81 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within *qubes* (formerly "VMs") for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an open-source operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated *qubes*, (which are Virtual Machines). You can assign each *qube* a level of trust based on its purpose. Qubes OS provides security by using isolation. It only permits actions on a per-case basis and therefore is the opposite of [badness enumeration](https://ranum.com/security/computer_security/editorials/dumb). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://qubes-os.org/intro) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://qubes-os.org/doc/how-to-use-disposables) *qubes*. + +
+The term qubes is gradually being updated to avoid referring to them as "virtual machines". + +Some of the information here and on the Qubes OS documentation may contain conflicting language as the "appVM" term is gradually being changed to "qube". Qubes are not entire virtual machines, but maintain similar functionalities to VMs. + +
+ +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each qube has a [colored border](https://qubes-os.org/screenshots) that can help you keep track of the domain in which it runs. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong security and isolation, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources, but the idea is that if a single qube is compromised it won't affect the rest of the system. + +Qubes OS utilizes [dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM for controlling other *qubes* on the host OS, all of which display individual application windows within dom0's desktop environment. There are many uses for this type of architecture. Here are some tasks you can perform. You can see just how much more secure these processes are made by incorporating multiple steps. + +### Copying and Pasting Text + +You can [copy and paste text](https://qubes-os.org/doc/how-to-copy-and-paste-text) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the *qube* you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the *qube* to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination *qube* to make the global clipboard available. +4. Press **Ctrl+V** in the destination *qube* to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one *qube* to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other *qubes*. This is more secure than air-gapped file transfer. An air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +
+Qubes do not have their own filesystems. + +You can [copy and move files](https://qubes-os.org/doc/how-to-copy-and-move-files) between *qubes*. When doing so the changes aren't immediately made and can be easily undone in case of an accident. When you run a *qube*, it does not have a persistent filesystem. You can create and delete files, but these changes are ephemeral. + +
+ +### Inter-VM Interactions + +The [qrexec framework](https://qubes-os.org/doc/qrexec) is a core part of Qubes which allows communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://qubes-os.org/news/2020/06/22/new-qrexec-policy-system). + +## Connecting to Tor via a VPN + +We [recommend](../advanced/tor-overview.md) connecting to the Tor network via a [VPN](../vpn.md) provider, and luckily Qubes makes this easy to do with a combination of ProxyVMs and Whonix. + +After [creating a new ProxyVM](https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061) which connects to the VPN of your choice, you can chain your Whonix qubes to that ProxyVM **before** they connect to the Tor network, by setting the NetVM of your Whonix **Gateway** (`sys-whonix`) to the newly-created ProxyVM. + +Your qubes should be configured in a manner similar to this: + +| Qube name | Qube description | NetVM | +| --------------- | --------------------------------------------------------------------------------------------------- | --------------- | +| sys-net | *Your default network qube (pre-installed)* | *n/a* | +| sys-firewall | *Your default firewall qube (pre-installed)* | sys-net | +| ==sys-proxyvm== | The VPN ProxyVM you [created](https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061) | sys-firewall | +| sys-whonix | Your Whonix Gateway VM | ==sys-proxyvm== | +| anon-whonix | Your Whonix Workstation VM | sys-whonix | + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://qubes-os.org/doc). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). 
+ +- [Arguably the world's most secure operating system](https://opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard) (Open Technology Fund) +- [Software compartmentalization vs. physical separation](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) (J. Rutkowska) +- [Partitioning my digital life into security domains](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) (J. Rutkowska) +- [Related Articles](https://qubes-os.org/news/categories/#articles) (Qubes OS) diff --git a/i18n/fi/os/windows/group-policies.md b/i18n/fi/os/windows/group-policies.md new file mode 100644 index 00000000..d1a033cb --- /dev/null +++ b/i18n/fi/os/windows/group-policies.md 
@@ -0,0 +1,135 @@ +--- +title: Group Policy Settings +description: A quick guide to configuring Group Policy to make Windows a bit more privacy respecting. +--- + +Outside modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand-new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictable behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the BitLocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/fi/os/windows/index.md b/i18n/fi/os/windows/index.md new file mode 100644 index 00000000..f1d08182 --- /dev/null +++ b/i18n/fi/os/windows/index.md 
@@ -0,0 +1,64 @@ +--- +title: Windows Overview +icon: material/microsoft-windows +description: Microsoft Windows is a common operating system which is extremely non-private out of the box. Our guide covers making some improvements to your computer without replacing your OS. +--- + +**Microsoft Windows** is a common OS shipped with many PCs by default. The following guides aim to provide some ways to improve privacy and reduce the default telemetry and data stored by disabling some unnecessary features. Over time, Microsoft adds features to the OS which can sometimes rely on cloud-based services. These features will often require certain types of [optional data](https://privacy.microsoft.com/data-collection-windows) that is sometimes sent to remote servers for processing. + +One of the newest examples was called **Recall**, a part of the Copilot AI feature set. Recall periodically screenshots anything you've seen on your PC in order to show it to you at a later date. These "helpful" features create considerable metadata which can be forensically analyzed. In most cases browsing history is sufficient and this feature can be safely disabled. The main concerns with Recall was that the data is stored in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers if the device ever becomes infected with malware. Recall will not redact sensitive information like copied passwords or financial information from the database, but it does protect against making screenshots of any copyrighted content protected by digital rights management (DRM) systems. + +Unfortunately, this feature was added without too much thought about the privacy implications of having such a feature enabled by default (which it now [no longer is](https://wired.com/story/microsoft-recall-off-default-security-concerns)). It is not an isolated example, however. 
Another example was Microsoft automatically [enabling folder backups to OneDrive](https://neowin.net/news/windows-11-is-now-automatically-enabling-onedrive-folder-backup-without-asking-permission) on new Windows 11 installations without asking for permission. + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +
+

This section is new

+ +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation more privacy-friendly than other operating systems. + +
+ +## Privacy Notes + +Microsoft Windows, particularly those versions aimed at consumers like the **Home** version often don't prioritize privacy-friendly features by [default](https://theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings). As a result we often see more [data collection](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) than necessary, without any real warnings that this is the default behavior. In an attempt to compete with Google in the advertising space, [Cortana](https://en.wikipedia.org/wiki/Cortana_\(virtual_assistant\)) has included unique identifiers such as an "advertising ID" in order to correlate usage and assist advertisers in targeted advertising. At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce](https://extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) the data that is sent to them. + +With Windows 11 there are a number of restrictions or defaults such as: + +- Requiring the use of a Microsoft account instead of a local account. +- Making it more difficult to find local account options for Windows **Pro** and **Enterprise**. +- Enabling all data collection options by default, requiring users to "opt out". +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove and presented as the only option to users. +- Setting the default browser always to Edge, or reverting to Edge if it's changed. +- Adding cloud-based AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. 
+ +Microsoft often uses the automatic updates feature to add new functionality to your device and make changes that collect your data and are enabled by default. Some [privacy features](https://blogs.windows.com/windows-insider/2023/11/16/previewing-changes-in-windows-to-comply-with-the-digital-markets-act-in-the-european-economic-area) such as the option to _opt out_ of syncing an online Microsoft account with Windows, require you to select a country in the EEA (European Economic Area) during installation. It can be changed to your real country after Windows is installed. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows **Home**. Some features missing from **Home** include BitLocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be necessary. + +Windows **Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is Windows **Pro** as it has nearly all the features you'll want to use to secure your device, including BitLocker, Hyper-V, etc. The only thing missing is some of the most restrictive limitations on Microsoft's telemetry, unfortunately. + +Students and teachers may be able to obtain a Windows **Education** (equivalent to Enterprise) or **Pro Education** license (equivalent to Pro) for free, including on personal devices, from their educational institution. 
Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use third party modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks, thus making you even less secure. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation Tool](https://microsoft.com/software-download/windows11) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles when installing. + +This tool only lets you install a **Home** or **Pro** installation, as there are no publicly available downloads for Windows **Enterprise** edition. If you have an **Enterprise** license key, you can easily upgrade a **Pro** installation. To do this, install Windows **Pro** without entering a license key during setup, then enter your **Enterprise** key in the Settings app after completing the installation. Your **Pro** install will be upgraded to **Enterprise** automatically after entering a valid license key. 
+ +If you are installing an **Education** license then you will typically have a private download link that will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/fi/passwords.md b/i18n/fi/passwords.md new file mode 100644 index 00000000..3596b0b9 --- /dev/null +++ b/i18n/fi/passwords.md 
@@ -0,0 +1,422 @@ +--- +meta_title: "The Best Password Managers to Protect Your Privacy and Security - Privacy Guides" +title: Password Managers +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +cover: passwords.webp +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Proton Pass + image: /assets/img/password-management/protonpass.svg + url: https://proton.me/pass + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: 
/assets/img/password-management/keepassxc.svg + url: https://keepassxc.org + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://keepassdx.com + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Gopass + image: /assets/img/password-management/gopass.svg + url: https://gopass.pw + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy ""){.pg-orange} +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} + +**Password managers** allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](basics/passwords-overview.md) + +
+

Info

+ +Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features that standalone offerings have. + +For example, the password manager in Microsoft Edge doesn't offer end-to-end encryption at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/HT202303) offers E2EE by default. + +
+ +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +
+ +![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + +**Bitwarden** is a free and open-source password and passkey manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + +[:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://bitwarden.com/help){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1137397744) +- [:simple-github: GitHub](https://github.com/bitwarden/android/releases) +- [:fontawesome-brands-windows: Windows](https://bitwarden.com/download) +- [:simple-apple: macOS](https://bitwarden.com/download) +- [:simple-linux: Linux](https://bitwarden.com/download) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/nngceckbapebfimnlniiiahkandclblb) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) +- [:simple-safari: Safari](https://apps.apple.com/app/id1352778147) + +
+ +
+ +Bitwarden uses [PBKDF2](https://bitwarden.com/help/kdf-algorithms/#pbkdf2) as its key derivation function (KDF) algorithm by default. It also offers [Argon2](https://bitwarden.com/help/kdf-algorithms/#argon2id), which is more secure, as an alternative. You can change your account's KDF algorithm in the web vault: + +- [x] Select **Settings → Security → Keys → KDF algorithm → Argon2id** + +Bitwarden's server-side code is [open source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +### Proton Pass + +
+ +![Proton Pass logo](assets/img/password-management/protonpass.svg){ align=right } + +**Proton Pass** is an open-source, end-to-end encrypted password manager developed by Proton, the team behind [Proton Mail](email.md#proton-mail). It securely stores your login credentials, generates unique email aliases, and supports and stores passkeys. + +[:octicons-home-16: Homepage](https://proton.me/pass){ .md-button .md-button--primary } +[:octicons-eye-16:](https://proton.me/pass/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://proton.me/support/pass){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/protonpass){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=proton.android.pass) +- [:simple-appstore: App Store](https://apps.apple.com/app/id6443490629) +- [:fontawesome-brands-windows: Windows](https://proton.me/pass/download) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/proton-pass) +- [:simple-googlechrome: Chrome](https://chromewebstore.google.com/detail/ghmbeldphafepmbegfdlkpapadhbakde) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/gcllgfdnfnllodcaambdaknbipemelie) +- [:octicons-browser-16: Web](https://pass.proton.me) + +
+ +
+ +With the acquisition of SimpleLogin in April 2022, Proton has offered a "hide-my-email" feature that lets you create 10 aliases (free plan) or unlimited aliases (paid plans). + +The Proton Pass mobile apps and browser extension underwent an audit performed by Cure53 throughout May and June 2023. The security analysis company concluded: + +> Proton Pass apps and components leave a rather positive impression in terms of security. + +All issues were addressed and fixed shortly after the [report](https://res.cloudinary.com/dbulfrlrz/images/v1707561557/wp-pme/Cure53-proton-pass-20230717/Cure53-proton-pass-20230717.pdf). + +### 1Password + +
+ +![1Password logo](assets/img/password-management/1password.svg){ align=right } + +**1Password** is a password manager with a strong focus on security and ease-of-use that allows you to store passwords, passkeys, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up). + +1Password is [audited](https://support.1password.com/security-assessments) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + +[:octicons-home-16: Homepage](https://1password.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://1password.com/legal/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.1password.com){ .card-link title="Documentation" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750) +- [:fontawesome-brands-windows: Windows](https://1password.com/downloads/windows) +- [:simple-apple: macOS](https://1password.com/downloads/mac) +- [:simple-linux: Linux](https://1password.com/downloads/linux) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/1password-x-password-manager) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/aeblfdkhhhdcdjpifhhbdiojplfjncoa) +- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/dppgmdbiimibapkepcbdbmkaabgiofem) +- [:simple-safari: Safari](https://apps.apple.com/app/id1569813296) +- [:octicons-browser-16: Web](https://my.1password.com/signin) + +
+ +
+ +Traditionally, 1Password has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature parity across all platforms. 1Password's clients boast many features geared towards families and less technical people, such as an intuitive UI for ease-of-use and navigation, as well as advanced functionality. Notably, nearly every feature of 1Password is available within its native mobile or desktop clients. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +### Psono + +
+ +![Psono logo](assets/img/password-management/psono.svg){ align=right } + +**Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + +[:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://doc.psono.com){ .card-link title="Documentation" } +[:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1545581224) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/eljmjmgjkbmpmfljlmklcfineebidmlo) +- [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +
+ +
+ +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +In April 2024, Psono added [support for passkeys](https://psono.com/blog/psono-introduces-passkeys) for the browser extension only. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +
+ +![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + +**KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal of extending and improving it with new features and bug fixes to provide a feature-rich, cross-platform, and modern open-source password manager. + +[:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://keepassxc.org/docs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } +[:octicons-heart-16:](https://keepassxc.org/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://keepassxc.org/download/#windows) +- [:simple-apple: macOS](https://keepassxc.org/download/#mac) +- [:simple-linux: Linux](https://keepassxc.org/download/#linux) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.keepassxc.KeePassXC) +- [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) +- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/oboonakemofpalcgghocfoadofidjkkk) + +
+ +
+ +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. You may encounter data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +
+ +![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + +**KeePassDX** is a lightweight password manager for Android; it allows for editing encrypted data in a single file in KeePass format and can fill in forms securely. + +[:octicons-home-16: Homepage](https://keepassdx.com){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } +[:octicons-heart-16:](https://keepassdx.com/#donation){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) +- [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +
+ +
+ +The [pro version](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) of the app allows you to unlock cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + +### KeePassium (iOS & macOS) + +
+ +![KeePassium logo](assets/img/password-management/keepassium.svg){ align=right } + +KeePassium is a commercial, open-source password manager made by KeePassium Labs that's compatible with other KeePass applications. It provides autofill support, passkey management, automatic two-way synchronization through [most cloud storage providers](https://support.keepassium.com/kb/sync), and more. + +[:material-star-box: Read our latest KeePassium review.](https://www.privacyguides.org/articles/2025/05/13/keepassium-review) + +[:octicons-home-16: Homepage](https://keepassium.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://keepassium.com/privacy/app){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.keepassium.com){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/keepassium/KeePassium){ .card-link title="Source Code" } +[:octicons-heart-16:](https://keepassium.com/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-appstore: App Store](https://apps.apple.com/us/app/id1435127111) + +
+ +
+ +KeePassium offers a [Premium version](https://keepassium.com/pricing) with additional features such as support for multiple databases, YubiKey support, and a password audit tool. + +KeePassium's iOS app has been [audited](https://cure53.de/pentest-report_keepassium.pdf) by Cure53 in October 2024, and all [issues](https://keepassium.com/blog/2024/11/independent-security-audit-complete) found in the audit were subsequently fixed. + +### Gopass (CLI) + +
+ +![Gopass logo](assets/img/password-management/gopass.svg){ align=right } + +**Gopass** is a minimal password manager for the command line written in Go. It can be used within scripting applications and works on all major desktop and server operating systems. + +[:octicons-home-16: Homepage](https://gopass.pw){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title="Contribute" } + +
+Downloads + +- [:fontawesome-brands-windows: Windows](https://gopass.pw/#install-windows) +- [:simple-apple: macOS](https://gopass.pw/#install-macos) +- [:simple-linux: Linux](https://gopass.pw/#install-linux) +- [:simple-freebsd: FreeBSD](https://gopass.pw/#install-bsd) + +
+ +
+ +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must be cross-platform. diff --git a/i18n/fi/pastebins.md b/i18n/fi/pastebins.md new file mode 100644 index 00000000..26561077 --- /dev/null +++ b/i18n/fi/pastebins.md @@ -0,0 +1,59 @@ +--- +title: "Pastebins" +icon: material/content-paste +description: These tools allow you to have full control of any pasted data you share to other parties. +cover: pastebins.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal } + +[**Pastebins**](https://en.wikipedia.org/wiki/Pastebin) are online services most commonly used to share large blocks of code in a convenient and efficient manner. The pastebins listed here employ client-side encryption and password protection for pasted content; both of these features prevent the website or server operator from reading or accessing the contents of any paste. + +## PrivateBin + +
+ +![PrivateBin logo](assets/img/pastebins/privatebin.svg){ align=right } + +**PrivateBin** is a minimalist, open-source, online pastebin where the server cannot decrypt and read any pasted data you submit. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. + +[:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } +[:octicons-server-16:](https://privatebin.info/directory){ .card-link title="Public Instances"} +[:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +
+ +## Paaster + +
+ +![Paaster logo](assets/img/pastebins/paaster.svg){ align=right } + +**Paaster** is a secure and user-friendly pastebin application that prioritizes privacy and simplicity. With end-to-end encryption and paste history, Paaster ensures that your pasted code remains confidential and accessible. + +[:octicons-home-16: Homepage](https://paaster.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://paaster.io/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://github.com/WardPearce/paaster#security){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/WardPearce/paaster){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/WardPearce){ .card-link title="Contribute" } + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must be open source. +- Must encrypt pasted data on the client side before it is sent to the server. +- Must support password-protected files. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have a published audit from a reputable, independent third party. diff --git a/i18n/fi/photo-management.md b/i18n/fi/photo-management.md new file mode 100644 index 00000000..b6380902 --- /dev/null +++ b/i18n/fi/photo-management.md @@ -0,0 +1,63 @@ +--- +title: Photo Management +icon: material/image +description: These photo management tools keep your personal photos safe from the prying eyes of cloud storage providers and other unauthorized parties. +cover: photo-management.webp +--- + +Protects against the following threat(s): + +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy){ .pg-orange } +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal } + +Most cloud **photo management solutions** like Google Photos, Flickr, and Amazon Photos don't secure your photos against being accessed by the cloud storage provider themselves. These options keep your personal photos private, while allowing you to share them only with family and trusted people. + +## Ente Photos + +
+ +![Ente logo](assets/img/photo-management/ente.svg){ align=right } + +**Ente Photos** is an end-to-end encrypted photo backup service which supports automatic backups on iOS and Android. Their code is fully open source, both on the client side and on the server side. It is also [self-hostable](https://github.com/ente-io/ente/tree/main/server#self-hosting). + +The free plan offers 10 GB of storage as long as you use the service at least once a year. + +[:octicons-home-16: Homepage](https://ente.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://ente.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://ente.io/faq){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/ente-io/ente){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.ente.photos) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1542026904) +- [:simple-github: GitHub](https://github.com/ente-io/ente/releases?q=photos) +- [:simple-android: Android](https://ente.io/download) +- [:fontawesome-brands-windows: Windows](https://ente.io/download) +- [:simple-apple: macOS](https://ente.io/download) +- [:simple-linux: Linux](https://ente.io/download) +- [:octicons-browser-16: Web](https://web.ente.io) + +
+ +
+ +The server-side source code and infrastructure which underpins Ente Photos underwent an audit by [Cure53](https://ente.io/blog/cern-audit) in October 2025. Previous audits were completed by [Cure53](https://ente.io/blog/cryptography-audit) in March 2023 and by [Fallible](https://ente.io/reports/Fallible-Audit-Report-19-04-2023.pdf) in April 2023. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Cloud-hosted providers must enforce E2EE. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multifactor authentication, or passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must be open source. + +### Best Case + +- Should have a published audit from a reputable, independent third party. diff --git a/i18n/fi/privacy.md b/i18n/fi/privacy.md new file mode 100644 index 00000000..df92a3a0 --- /dev/null +++ b/i18n/fi/privacy.md 
@@ -0,0 +1,350 @@ +--- +title: "Privacy Policy" +description: We do not sell or share your data with any third-parties. +--- + +## What is Privacy Guides? + +Privacy Guides is a community project operated by a number of active contributors. The public list of team members [can be found on our forum](https://discuss.privacyguides.net/u?group=team&order=solutions&period=all). Privacy Guides is legally administered by [MAGIC Grants](https://magicgrants.org), a 501(c)(3) public charity acting as our fiscal host. + +As a project, we make available to the public: + +- [privacyguides.org](https://www.privacyguides.org), this website +- [discuss.privacyguides.net](https://discuss.privacyguides.net), our community forum +- [code.privacyguides.dev](https://code.privacyguides.dev), public source code repositories + +This privacy notice covers all Privacy Guides projects authorized and operated by the MAGIC Privacy Guides Fund executive committee. + +Please note that when you make a donation to us on [donate.magicgrants.org](https://donate.magicgrants.org/privacyguides), MAGIC Grants has published a [separate privacy policy](https://donate.magicgrants.org/privacy) covering that platform. + +Additionally, when you browse or make a purchase on [shop.privacyguides.org](https://shop.privacyguides.org/), this is a third-party service provided by Fourthwall. Fourthwall has published a [separate privacy policy](https://shop.privacyguides.org/pages/privacy-policy) covering that platform. + +## How does Privacy Guides collect data about me? 
+ +Privacy Guides collects data about you: + +- When you visit our websites +- When you create and use an account on our websites +- When you post, send private messages, and otherwise participate in a community that Privacy Guides hosts +- When you sign up for a mailing list, email notifications, or announcements +- When you become a donating member +- When you make a donation to us on GitHub Sponsors +- When you link your MAGIC Grants account to your Privacy Guides forum account +- When you contribute to our website or other open-source projects +- When you contact us + +Privacy Guides does not buy or receive data about you from data brokers. + +## Does Privacy Guides sell my personal information? + +No. Privacy Guides does not sell personal information. Additionally, Privacy Guides does not share personal information with third parties for the purpose of advertising. + +## What personal information does Privacy Guides collect, and why? + +### Privacy Guides collects information about visits to its websites + +When you visit one of our websites, whether you have an account or not, we use server logs and other methods to collect data about what pages you visit and when. + +We use this data to: + +- Optimize our websites, so they are quick and easy to use. +- Diagnose and debug technical errors. +- Defend our websites from abuse and technical attacks. +- Compile statistics on page/topic popularity. +- Compile statistics on the type of browser and devices our visitors use. + +We generally store the above information for just a few weeks. In special circumstances, such as during an ongoing technical attack or a subsequent investigation, we may preserve some log data longer for analysis. + +Privacy Guides stores aggregated statistics for as long as we host our websites, but those statistics do not contain data identifiable to you personally. + +### Privacy Guides collects account data + +Many features on our forum or other account-based services require an account. 
For example, you are required to have an account in order to post and reply to topics. + +To sign up for an account, Privacy Guides requires your email address, a username, and a password. + +We use this account data in order to identify you on the website, and to create pages specific to you, such as your profile page. We publish your account data to your public profile in accordance to your profile's configuration. + +Privacy Guides uses your email address to: + +- Notify you about posts and other activity on our website. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, like DMCA takedown requests. + +You may optionally provide additional details about your account, like your name, a short biography, your location, or your birthday, on the profile settings page for your account. Privacy Guides makes that information available to others who have access to the forum. You don’t have to provide this additional information, and you can erase it at any time. + +Privacy Guides stores this account data as long as your account remains open. + +### Privacy Guides collects data about posts and other activity + +Privacy Guides collects the content of your posts throughout our websites, plus data about bookmarks, likes, and links you follow in order to share that data with others. We also publish this activity to the public when you request it. + +Privacy Guides also collects data about private messages that you send through the forum. Privacy Guides makes private messages available to senders and their recipients, and also to forum moderators and administrators. + +Privacy Guides stores your posts and other activity as long as your account remains open. 
+ +### Privacy Guides collects data you give to sign up for mailing lists and announcements + +When you fill out and submit a web form to sign up for mailing lists or announcements, Privacy Guides collects the information you put in the form, such as your e-mail address. + +Privacy Guides stores this information until you unsubscribe from the mailing list. + +### Privacy Guides does not collect sensitive personal information + +Privacy Guides does not intentionally collect sensitive personal information, such as government identification numbers, information on racial or ethnic origin, political opinions, genetic data, biometric data, health data, or any of the special categories of personal data specified by the GDPR. + +### Privacy Guides collects data about open source contributors + +Contributors to Privacy Guides' website may be asked to provide identifying and contact information such as your name and email address. + +Privacy Guides uses this information to maintain the integrity of our website, software, and license agreements, both our own licenses and the license between Privacy Guides and our contributors. Privacy Guides stores this information for as long as your contributions are incorporated into our open source software, including this website. + +### Privacy Guides collects data when you donate to us + +#### When you subscribe to a membership on privacyguides.org + +When you donate to us through our [membership program](#/portal), we collect your email address. Your payment information is also collected by our payment processor Stripe in order to facilitate the transaction. You can also optionally provide your name, which is used to personalize your experience, and can be removed or changed in your [profile settings](#/portal/account/profile) at any time. + +If your membership and newsletter subscription matches an email address associated with an account on our forum, we will link your membership status to your forum account. 
This allows you to receive special perks on the forum, such as a members-only title or flair, and access to members-only categories. + +If the Member title or Member flair is enabled on your forum profile, Privacy Guides will share your username and profile picture on our websites for the purposes of acknowledging your donation to the project. You may revoke this consent at any time by removing the title and flair from your public profile, and we will no longer share your donation status publicly. This will not affect your access to members-only benefits. It may take until the next website release for your data to be removed from public visibility. + +#### When you donate to us via GitHub Sponsors + +When you donate to us on GitHub Sponsors, we collect your GitHub username and profile picture. Your payment information is also collected by our subprocessors GitHub and Stripe in order to facilitate the transaction. + +If you choose to make your donation public during or after the checkout process on GitHub, Privacy Guides will share your username and profile picture on our websites for the purposes of fulfilling your request. You may revoke this consent at any time, and we will no longer share your donation status publicly. It may take until the next website release for your data to be removed from public visibility. + +#### When you subscribe to a membership or donate to us on donate.magicgrants.org + +When you donate to us on [donate.magicgrants.org](https://donate.magicgrants.org/privacyguides), a [separate privacy policy](https://donate.magicgrants.org/privacy) applies as noted at the beginning of this document. + +However, if you optionally link your `donate.magicgrants.org` account to your Privacy Guides forum account, our forum collects some personal data which is covered by this notice: namely your forum username and whether you have an active membership. + +We process that information in order to grant you special perks on the forum. 
Additionally, if you choose to make this status public by setting a members-only title or flair, we will share the status of your active membership on our websites. You may revoke this consent at any time by removing the title and flair from your public profile, and we will no longer share your donation status publicly. This will not affect your access to members-only benefits. It may take until the next website release for your data to be removed from public visibility. + +This information is stored for as long as your membership is active, or until you unlink your forum and MAGIC Grants donation accounts in your profile settings. + +### Privacy Guides collects data when you contact us + +When you contact Privacy Guides via email, Signal, or any of our other contact methods, we collect the information you submit to us, and any identifying information associated with the account you use to contact us. For example, when you contact us via Signal we will collect your Signal profile information. When you contact us via email we will collect your email address, name, and mail server IP address. + +In this case we limit the processing of any personal data you provide us to what is strictly necessary to communicate with you and organize our messages. + +Privacy Guides stores this data for as long as we are in contact with you, or for up to 1 year after your last contact with us. You have the right to request all data related to your private communication with us be deleted at any time, and we will generally do so within 7 days. + +### The Privacy Guides website stores local data + +Our website uses Local Storage in your browser to store your color scheme preference. This data is only used by client-side JavaScript to change the color scheme of this website according to your preference. + +Our website also uses Session Storage to cache the current version number of this website and the number of stars/forks of our GitHub repository. 
This data is fetched once per session from GitHub, and is only used by client-side JavaScript to display that information at the top of each page. + +### The Privacy Guides website uses cookies + +Our website uses features from the open-source Ghost content management system to manage your membership experience, which uses the following cookies: + +| Name | Essential | Expires | Purpose | +| --------------------------------------------------------------------------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------- | +| ghost-members-ssr | Yes | 6 months | used to identify your membership on the website | +| ghost-members-ssr.sig | Yes | 6 months | used to validate your membership on the website | +| __stripe_sid | Yes | 1 year | [Stripe](#subprocessors-used-by-privacy-guides) allows online transactions without storing any credit card information | +| __stripe_mid | Yes | 1 year | [Stripe](#subprocessors-used-by-privacy-guides) allows online transactions without storing any credit card information | + +### The Privacy Guides forum uses cookies + +Our forum is built on Discourse, which uses the following cookies: + +| Name | Essential | Expires | Purpose | +| ------------------------------------------------------------- | --------- | -------------- | ------------------------------------------------------------------------------------------------------------------------- | +| email | Yes | Session | remembers your e-mail as you create an account | +| destination_url | Yes | Session | helps redirect you to your requested page after logging in | +| sso_destination_url | Yes | Session | helps redirect you to your request page after single sign on | +| sso_payload | Yes | Session | used during SSO authentication when two-factor authentication is enabled | +| authentication_data | Yes | Next Page View | temporarily stores user information during login flows | +| theme_ids | Yes | 
1 year | remembers your theme personalization if you don’t tick “Make this my default theme on all my devices” | +| color_scheme_id | Yes | 1 year | remembers your color personalization if you don’t tick “Set default color scheme(s) on all my devices” | +| dark_scheme_id | Yes | 1 year | remembers your color personalization if you don’t tick “Set default color scheme(s) on all my devices” | +| cn | Yes | Session | temporarily stores notification read state | +| _bypass_cache | Yes | Session | allows the server-side cache to be bypassed during login flows | +| _t | Yes | 1440 Hours | remembers who you are when you log in | +| _forum_session | Yes | Session | associates an ID, and other security-related information, with your browsing session | +| dosp | Yes | Next Page View | enables client denial-of-service protection, a security protection | +| text_size | Yes | 1 year | remembers default text size when a user wants to change it on only one device | +| cookietest | Yes | Session | checks if cookies are enabled when authentication fails | +| __profilin | No | Session | used by software developers to bypass rack-mini-profiler | + +Your web browser can show you the cookies you have for any website and help you manage them. + +### Privacy Guides makes regular backups of all data + +Privacy Guides keeps automated backups of **all** data it collects. These backups are stored for up to 30 days. Any time you delete personal data from our websites, a copy may be retained in backup archives until those archives are pruned. + +## Does Privacy Guides use personal information for marketing purposes? + +Privacy Guides may use personal data about our users in order to directly promote our own resources, such as for sharing new resources or when fundraising. We also use the information you give us when signing up for our mailing lists and announcements to send those messages. 
+ +You can always opt out of marketing communications from us, and you have the right to object to any processing of your information for marketing purposes. + +Privacy Guides never provides or sells your data to third-parties for marketing purposes. + +## How can I make choices about data collection? + +Your account on our websites has a settings page which provides you with options about how your data is used. + +Most web browsers let you make choices about whether to accept cookies, for specific websites or more generally. + +Privacy Guides does not respond to the (now deprecated) [Do Not Track HTTP header](https://en.wikipedia.org/wiki/Do_Not_Track). + +## Where does Privacy Guides store data about me? + +Most data is hosted by [Triplebit](https://www.triplebit.org) web services in the United States. + +Some publicly accessible data may be hosted by Content Delivery Networks with servers in other jurisdictions. For example, your profile picture may be stored on multiple servers around the world in order to improve the performance for visitors to our website. + +## Does Privacy Guides comply with the EU General Data Protection Regulation? + +Privacy Guides respects rights under the European Union’s General Data Protection Regulation (GDPR). Information that GDPR requires Privacy Guides to give can be found throughout this privacy notice, including information on the rights of data subjects. + +### What are my rights under the GDPR? 
+ +The GDPR provides you with the following rights with respect to personal information about you that we collect or process: + +- the right to [access](#where-can-i-access-data-about-me) your personal data +- the right to [rectification](#how-can-i-change-or-erase-data-about-me) of inaccurate or incomplete personal data +- the right to [erasure](#how-can-i-change-or-erase-data-about-me) of your personal data +- the right to [data portability](#where-can-i-access-data-about-me) +- the right to restrict the processing of your personal data +- the right to object to certain processing of your information, including [automated decision-making](#does-privacy-guides-make-automated-decisions-based-on-my-data) and [direct marketing](#does-privacy-guides-use-personal-information-for-marketing-purposes) +- the right to lodge a complaint with a supervisory authority + +Information about how to exercise these rights is provided throughout this notice and linked above. We try to make exercising all of these rights easy to do on your own through your account settings, but for more complicated inquiries the best option will be to [contact](#how-can-i-contact-privacy-guides-about-privacy) us. + +### What is the lawful basis for data collection and processing? + +Privacy Guides generally processes your data using 3 of the 6 lawful bases for processing set out in Article 6 of the GDPR: + +- **Consent**: When you give us clear consent for us to process your personal data. This consent can be easily withdrawn at any time in your account settings, or you may always contact us for assistance with privacy-related matters. +- **Contract**: When you give us your personal data in order to participate on services we operate according to our terms of service, or when we require personal data in order to take steps prior to entering a contract or to fulfill a contract. 
+- **Legitimate interest**: When we process your personal data for fraud prevention, network and information security, or other reasons where the processing is required for our own legitimate interests or for those of a third party we work with. + +The lawful basis for our processing determines what rights are available to you under the GDPR. This table may be used as a reference: + +| Activity | Data Collected | Lawful Basis | Explanation | +| ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Website visits](#privacy-guides-collects-information-about-visits-to-its-websites) | IP Address, User Agent, Pages Visited | **Legitimate interest** | Required for defending our website from abuse and technical attacks, diagnosing and debugging technical errors, optimizing our websites, and compiling aggregated non-personal statistics for long-term analysis | +| [Account data](#privacy-guides-collects-account-data) | Email Address, IP Address | **Legitimate interest** | Required to defend our website against spam and abuse | +| [Account data](#privacy-guides-collects-account-data) | Email Address, Username, Password | **Contract** | Required to make our services available to you according to our terms of service | +| [Account data](#privacy-guides-collects-account-data) | Optional profile information (name, location, etc.) 
| **Consent** | Required to publish the information you provide to your public or internal profile, according to your preferences | +| [Posts & activity](#privacy-guides-collects-data-about-posts-and-other-activity) | Content of your posts, activity data like bookmarks, likes, and links you follow | **Contract** | Required to make our services available to you according to our terms of service | +| [Posts & activity](#privacy-guides-collects-data-about-posts-and-other-activity) | Content of your private messages | **Contract** | Required to make our services available to you according to our terms of service | +| [Posts & activity](#privacy-guides-collects-data-about-posts-and-other-activity) | Email Address | **Contract** | Our forum is an email-based platform, and email notifications about forum activity are an integral component required to make our services available to you according to our terms of service | +| [Mailing lists](#privacy-guides-collects-data-you-give-to-sign-up-for-mailing-lists-and-announcements) | Email Address | **Consent** | Required for sending you messages you subscribe to | +| [Open source contributions](#privacy-guides-collects-data-about-open-source-contributors) | Email address, name, GitHub profile information, other information provided via Git | **Legitimate interest** | We have a legitimate interest in tracking the provenance of contributions to our open source projects to prevent abuse and ensure intellectual property rights are respected | +| [Donations](#privacy-guides-collects-data-when-you-donate-to-us) | Payment information including billing address and email, GitHub profile information | **Legitimate interest** | We have a legitimate interest in processing this data to prevent payment abuse and fraud, and for facilitating your transaction | +| [Donations](#privacy-guides-collects-data-when-you-donate-to-us) | GitHub profile information | **Consent** | We process this information to display your donation status publicly in 
accordance to your wishes | +| [Donations](#privacy-guides-collects-data-when-you-donate-to-us) | Forum username and membership status | **Consent** | When your membership is linked to your forum account, you can optionally display your membership status to the public | +| [Contacting us](#privacy-guides-collects-data-when-you-contact-us) | Email address, mail server IP, message content | **Legitimate interest** | We have a legitimate interest in processing incoming email information to prevent spam and network abuse | +| [Contacting us](#privacy-guides-collects-data-when-you-contact-us) | Email address, message headers and content | **Contract** | We store your messages and process your data in order to provide a response to your communication | +| [Backups](#privacy-guides-makes-regular-backups-of-all-data) | All personal information we collect | **Legitimate interest** | We store complete backups to ensure organizational continuity and security for up to 30 days | + +### Does Privacy Guides make international data transfers? + +Currently: + +- Privacy Guides [processes personal data on servers outside the European Union](#where-does-privacy-guides-store-data-about-me). +- Privacy Guides uses [subprocessors](#subprocessors-used-by-privacy-guides) with personnel and computers outside the European Union. +- Privacy Guides has [personnel](https://discuss.privacyguides.net/u?group=team&order=solutions&period=all) in the United States, Australia, and other non-EU countries without EU adequacy decisions under GDPR. These people need access to forum personal data in order to keep forums running, address security concerns, respond to privacy-related requests from users, field technical support requests, and otherwise assist users. +- Privacy Guides is very likely subject to section 702 of the Foreign Intelligence Surveillance Act in the United States, a law that the European Court of Justice has found inadequately protects the rights and freedoms of data subjects. 
+- Privacy Guides has never received any order or request for personal data under FISA 702 or any similar national security or surveillance law of any other country. Privacy Guides is not subject to any court order or legal obligation that would prevent it from disclosing the existence or non-existence of such an order or request. +- Privacy Guides has a policy for how we will respond to those orders and requests, in case we ever receive one. Privacy Guides will suspend processing, notify any affected user, minimize disclosure, and resist disclosure of personal data, all as the law allows. + +Because national security and surveillance laws may be in conflict with European data protection rules, Privacy Guides continually reassesses the practical reach of these laws to ensure our data transfers are adequately safeguarded. + +## Does Privacy Guides comply with the California Consumer Privacy Act and other US state comprehensive privacy laws? + +Privacy Guides is not a "business" for the purposes of the California Consumer Privacy Act (CCPA) or a “controller” directly subject to other US state comprehensive privacy laws. + +Privacy Guides **never** sells your personal information. + +## Where can I access data about me? + +You can see your account data by visiting your profile page on any websites where we offer accounts. Your account profile will also list your posts and other activity on the website. + +On the forum, your [profile settings](https://discuss.privacyguides.net/my/preferences/account) include a link to download all of your activity in standard Comma Separated Values format. + +If you do not have an account with us but have a data access request, please [contact us](about.md). + +## How can I change or erase data about me? + +You can change your account data at any time by visiting the profile settings page for your account. You also have the option to delete your profile on the settings page of your account. 
Utilizing this option begins the process of erasing or anonymizing Privacy Guides' records of data you provided for your account. Forum administrators and moderators also have the option to erase and anonymize accounts. + +You may also be able to edit, anonymize, or erase your posts. When you edit posts, Privacy Guides will keep all versions of your posts. These old versions of posts are not public, but may be accessed by forum moderators or administrators. + +## Does Privacy Guides make automated decisions based on my data? + +### The Privacy Guides forum classifies posts as spam automatically + +We use data about your posts and other posts on many forums to make automated decisions about whether your posts to our websites are likely spam. + +If you think a post has been wrongfully blocked or removed, please contact a forum moderator who can override this decision. + +### The Privacy Guides forum uses data about your posts and activity to set trust levels + +We use data about your posts and activity on our forum to award you badges and calculate a trust level for your account. Your trust level may affect how you can participate in the forum, such as whether you can upload images, as well as give you access to moderation and management powers in the forum. Your trust level therefore reflects forum administrators’ confidence in you, and their willingness to delegate community management functions, like moderation. + +If you think your trust level has been set incorrectly, contact an administrator of your forum. They can manually adjust the trust level of your account. + +### The Privacy Guides forum uses community flags to take automated actions + +Your posts may be automatically hidden, or your ability to post may be automatically suspended, as a result of your posts being flagged by other users. + +These decisions are later reviewed by moderators, who can override these decisions at their discretion. + +## Does Privacy Guides share data about me with others? 
+ +Privacy Guides shares account data with others as described in [the section about account data](#privacy-guides-collects-account-data). + +Privacy Guides shares data about your posts and other activity as described in [the section about forum data](#privacy-guides-collects-data-about-posts-and-other-activity). + +### Subprocessors used by Privacy Guides + +Privacy Guides uses the following subprocessors, and may share personal data with the service providers we use in order to host our website, deliver content, secure our services, store data, host and manage our open source website, and provide user support. + +| Subprocessor | Service | Function | Processing | Links | +| ----------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | ------------------------------------------------------------------------------------------------------------ | +| [Bunny.net](https://bunny.net) (Slovenia) | [Bunny CDN](https://bunny.net/cdn) | Content Delivery Network services for distributing images and other static assets. | Slovenia, Global | [Privacy Notice](https://bunny.net/privacy), [GDPR Center](https://bunny.net/gdpr) | +| [Cloudflare](https://cloudflare.com) (USA) | [Authoritative DNS](https://cloudflare.com/application-services/products/dns) | Authoritative DNS services for our domain names. | USA, Global | [Privacy Notice](https://cloudflare.com/privacypolicy), [GDPR Center](https://cloudflare.com/trust-hub/gdpr) | +| [Fediverse Communications LLC](https://fediverse.us) (USA) | PeerTube | For hosting public videos produced by Privacy Guides which are shared or embedded on this website. 
| USA | [More information](https://neat.tube/about/instance) | +| [GitHub](https://github.com) (USA) | Git Repositories | _For visitors to this website_: sharing information with our visitors about the current release, repo star count, etc. | USA | [Privacy Notice](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement) | +| [GitHub](https://github.com) (USA) | Git Repositories, Issues, Pull Requests | _For contributors to this website_: hosting our source code and communications platforms such as our issues tracker. | USA | [Privacy Notice](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement) | +| [GitHub](https://github.com) (USA) | [Sponsors](https://github.com/sponsors/privacyguides) | For collecting payments for gifts to Privacy Guides | USA | [Privacy Notice](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement) | +| [Mailgun](https://www.mailgun.com) (USA) | Email Delivery | For sending newsletters and other email messages to users | USA | [Privacy Notice](https://www.mailgun.com/privacy-policy), [GDPR Center](https://www.mailgun.com/gdpr) | +| [Stripe](https://stripe.com) (USA) | Connect | Payment processing for donations | USA | [Privacy Notice](https://stripe.com/privacy), [GDPR Center](https://stripe.com/legal/privacy-center) | +| [Triplebit](https://www.triplebit.org) (USA) | Object Storage | For hosting static websites and static media content, and distributing static content | USA, Poland | [Privacy Notice](https://www.triplebit.org/privacy) | +| [Triplebit](https://www.triplebit.org) (USA) | [Umami Statistics](https://stats.triplebit.net/share/S80jBc50hxr5TquS/www.privacyguides.org) | For compiling aggregated statistics of our website visitor data based on server-side visitor info submissions | USA | [Privacy Notice](https://www.triplebit.org/privacy) | +| [Triplebit](https://www.triplebit.org) (USA) | Virtual Private Servers | For hosting our 
dynamic websites, storing and processing personal data. | USA | [Privacy Notice](https://www.triplebit.org/privacy) | + +## Does Privacy Guides delete inactive accounts? + +Privacy Guides deletes accounts that have no public activity when they have gone unused for 3 years. If the account has public activity, we will not delete it regardless of inactivity because your profile data is required to continue to publish your activity per your original request. + +You can always request the deletion of your data at any time regardless of this policy. + +## How can I contact Privacy Guides about privacy? + +You can send questions, requests, and complaints via email to us at . You may also use Signal or another [contact method](about.md#contact-us) to contact us more securely. + +For complaints under GDPR more generally, you always have the option to lodge complaints with your local data protection supervisory authorities. + +## Where do I find out about changes? + +This version of Privacy Guides' privacy notice took effect on September 24, 2025. + +Privacy Guides will post the next version here: . + +In future versions, Privacy Guides may change how it announces changes. In the meantime, Privacy Guides may update its contact information without announcing a change. Please refer to for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/privacy.md) of this page can be found on GitHub. + +In the event that a translated copy of this document conflicts with the English copy, the English copy of this document takes precedence. diff --git a/i18n/fi/real-time-communication.md b/i18n/fi/real-time-communication.md new file mode 100644 index 00000000..639ff2e7 --- /dev/null +++ b/i18n/fi/real-time-communication.md 
@@ -0,0 +1,197 @@ +--- +meta_title: "The Best Private Instant Messengers - Privacy Guides" +title: Real-Time Communication +icon: material/chat-processing +description: Encrypted messengers like Signal and SimpleX keep your sensitive communications secure from prying eyes. +cover: real-time-communication.webp +--- + +Protects against the following threat(s): + +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy ""){.pg-orange} +- [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers ""){.pg-teal} +- [:material-eye-outline: Mass Surveillance](basics/common-threats.md#mass-surveillance-programs ""){.pg-blue} +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +These recommendations for encrypted **real-time communication** are great for securing your sensitive communications. These instant messengers come in the form of many [types of communication networks](advanced/communication-network-types.md). + +[:material-movie-open-play-outline: Video: It's time to stop using SMS](https://www.privacyguides.org/videos/2025/01/24/its-time-to-stop-using-sms-heres-why ""){.md-button} + +## Signal + +
+ +![Signal logo](assets/img/messengers/signal.svg){ align=right } + +**Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging and calls secured with the Signal protocol, an extremely secure encryption protocol which supports forward secrecy[^1] and post-compromise security.[^2] + +[:octicons-home-16: Homepage](https://signal.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.signal.org){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } +[:octicons-heart-16:](https://signal.org/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) +- [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) +- [:simple-github: GitHub](https://github.com/signalapp/Signal-Android/releases) +- [:simple-android: Android](https://signal.org/android/apk) +- [:fontawesome-brands-windows: Windows](https://signal.org/download/windows) +- [:simple-apple: macOS](https://signal.org/download/macos) +- [:simple-linux: Linux](https://signal.org/download/linux) + +
+ +
+ +Signal requires your phone number for registration, however you should create a username to hide your phone number from your contacts: + +1. In Signal, open the app's settings and tap your account profile at the top. +2. Tap **Username** and choose **Continue** on the "Set up your Signal username" screen. +3. Enter a username. Your username will always be paired with a unique set of digits to keep your username unique and prevent people from guessing it. For example if you enter "John" your username might end up being `@john.35`. By default, only 2 digits are paired with your username when you create it, but you can add more digits until you reach the username length limit (32 characters). +4. Go back to the main app settings page and select **Privacy**. +5. Select **Phone Number**. +6. Change the **Who Can See My Number** setting to **Nobody**. +7. (Optional) Change the **Who Can Find Me By Number** setting to **Nobody** as well, if you want to prevent people who already have your phone number from discovering your Signal account/username + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening) + +Contact lists on Signal are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system), where the server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. 
Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs). + +### Molly (Android) + +If you use Android and your threat model requires protecting against [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals ""){.pg-red} you may consider using this alternative app, which features a number of security and usability improvements, to access the Signal network. + +
+ +![Molly logo](assets/img/messengers/molly.svg){ align=right } + +**Molly** is an alternative Signal client for Android which allows you to encrypt the local database with a passphrase at rest, to have unused RAM data securely shredded, to route your connection via Tor, and [more](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening#privacy-and-security-features). It also has usability improvements including scheduled backups, automatic locking, and the ability to use your Android phone as a linked device instead of the primary device for a Signal account. + +[:octicons-home-16: Homepage](https://molly.im){ .md-button .md-button--primary } +[:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://github.com/mollyim/mollyim-android/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/mollyim/mollyim-android){ .card-link title="Source Code" } +[:octicons-heart-16:](https://opencollective.com/mollyim){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-fdroid: F-Droid](https://molly.im/fdroid) +- [:octicons-moon-16: Accrescent](https://accrescent.app/app/im.molly.app) +- [:simple-github: GitHub](https://github.com/mollyim/mollyim-android/releases) + +
+ +
+ +Molly is updated every two weeks to include the latest features and bug fixes from Signal. The exception is security issues, which are patched as soon as possible. That said, you should be aware that there might be a slight delay compared to upstream, which may affect actions such as [migrating from Signal to Molly](https://github.com/mollyim/mollyim-android/wiki/Migrating-From-Signal#migrating-from-signal). + +Note that you are trusting multiple parties by using Molly, as you now need to trust the Signal team *and* the Molly team to deliver safe and timely updates. + +**Molly-FOSS** is a version of Molly which removes proprietary code like the Google services used by both Signal and Molly at the expense of some features (like battery-saving push notifications via Google Play Services). You can set up push notifications without Google Play Services in either version of Molly with [UnifiedPush](https://unifiedpush.org). Using this notification delivery method requires access to a [MollySocket](https://github.com/mollyim/mollysocket) server, but you can choose a public MollySocket instance for this.[^3] + +Both versions of Molly provide the same security improvements and support [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds), meaning it's possible to confirm that the compiled APKs match the source code. + +## SimpleX Chat + +
+ +![SimpleX Chat logo](assets/img/messengers/simplex.svg){ align=right } + +**SimpleX Chat** is an instant messenger that doesn't depend on any unique identifiers such as phone numbers or usernames. Its decentralized network makes SimpleX Chat an effective tool against [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray }. + +[:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } +[:octicons-eye-16:](https://simplex.chat/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://simplex.chat/docs/simplex.html){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1605771084) +- [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) +- [:fontawesome-brands-windows: Windows](https://simplex.chat/downloads/#desktop-app) +- [:simple-apple: macOS](https://simplex.chat/downloads/#desktop-app) +- [:simple-linux: Linux](https://simplex.chat/downloads/#desktop-app) +- [:simple-flathub: Flathub](https://flathub.org/en/apps/chat.simplex.simplex) + +
+ +
+ +SimpleX Chat provides direct messaging, group chats, and E2EE calls secured with the [SimpleX Messaging Protocol](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/simplex-messaging.md), which uses double ratchet encryption with quantum resistance. Additionally, SimpleX Chat provides metadata protection by using unidirectional ["simplex queues"](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/simplex-messaging.md#simplex-queue) to deliver messages. + +To participate in conversations on SimpleX Chat, you must scan a QR code or click an invite link. This allows you to verify a contact out-of-band, which protects against man-in-the-middle attacks by network providers. Your data can be exported and imported onto another device, as there are no central servers where this is backed up. + +You can find a full list of the privacy and security [features](https://github.com/simplex-chat/simplex-chat#privacy-and-security-technical-details-and-limitations) implemented in SimpleX Chat in the app's repository. + +SimpleX Chat was independently audited in [July 2024](https://simplex.chat/blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.html#simplex-cryptographic-design-review-by-trail-of-bits) and in [October 2022](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website). + +## Briar + +
+ +![Briar logo](assets/img/messengers/briar.svg){ align=right } + +**Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works) to other clients using the [Tor network](alternative-networks.md#tor), making it an effective tool at circumventing [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray }. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + +[:octicons-home-16: Homepage](https://briarproject.org){ .md-button .md-button--primary } +[:octicons-eye-16:](https://briarproject.org/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title="Documentation" } +[:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } +[:octicons-heart-16:](https://code.briarproject.org/briar/briar#donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) +- [:fontawesome-brands-windows: Windows](https://briarproject.org/download-briar-desktop) +- [:simple-linux: Linux](https://briarproject.org/download-briar-desktop) +- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +
+ +
+ +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). Briar supports forward secrecy[^1] by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit), and the anonymous routing protocol uses the Tor network which has also been audited. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must have open-source clients. +- Must not require sharing personal identifiers (particularly phone numbers or emails) with contacts. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must support forward secrecy[^1] +- Must have a published audit from a reputable, independent third party. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should support future secrecy (post-compromise security)[^2] +- Should have open-source servers. +- Should use a decentralized network, i.e. [federated or P2P](advanced/communication-network-types.md). +- Should use E2EE for all messages by default. 
+- Should support Linux, macOS, Windows, Android, and iOS. +[^3]: You may refer to this step-by-step tutorial in German on how to set up UnifiedPush as the notification provider for Molly: [https://kuketz-blog.de/messenger-wechsel-von-signal-zu-molly-unifiedpush-mollysocket-ntfy](https://kuketz-blog.de/messenger-wechsel-von-signal-zu-molly-unifiedpush-mollysocket-ntfy). + +[^1]: [Forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) is where keys are rotated very frequently, so that if the current encryption key is compromised, it does not expose **past** messages as well. +[^2]: Future secrecy (or [post-compromise security](https://eprint.iacr.org/2016/221.pdf)) is a feature where an attacker is prevented from decrypting **future** messages after compromising a private key, unless they compromise more session keys in the future as well. This effectively forces the attacker to intercept all communication between parties since they lose access as soon as a key exchange occurs that is not intercepted. diff --git a/i18n/fi/router.md b/i18n/fi/router.md new file mode 100644 index 00000000..6127b8a7 --- /dev/null +++ b/i18n/fi/router.md @@ -0,0 +1,60 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: Alternative operating systems for securing your router or Wi-Fi access point. +cover: router.webp +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy ""){.pg-orange} + +Below are a few alternative operating systems that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +
+ +![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } +![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + +**OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All the components have been optimized for home routers. + +[:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } +[:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + + + +
+ +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +
+ +![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + +**OPNsense** is an open-source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + +[:octicons-home-16: Homepage](https://opnsense.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } +[:octicons-heart-16:](https://opnsense.org/donate){ .card-link title=Contribute } + + + +
+ +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/fi/search-engines.md b/i18n/fi/search-engines.md new file mode 100644 index 00000000..e4983737 --- /dev/null +++ b/i18n/fi/search-engines.md 
@@ -0,0 +1,137 @@ +--- +meta_title: "Recommended Search Engines: Anonymous Alternatives to Google - Privacy Guides" +title: Search Engines +icon: material/search-web +description: Use privacy-respecting search engines which don't build an advertising profile based on your searches. +cover: search-engines.webp +global: + - + - randomize-element + - "table tbody" +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +Use a **search engine** that doesn't build an advertising profile based on your searches. + +## Recommended Providers + +The recommendations here do not collect personally identifying information (PII) based on each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](tor.md) if your threat model requires hiding your IP address from the search provider. + +| Provider | Search Index | Tor Hidden Service | Logging / Privacy Policy | Country of Operation | +| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ------------------------ | -------------------- | +| [Brave Search](#brave-search) | [Independent](https://brave.com/search-independence) | :material-check:{ .pg-green } | Anonymized[^1] | United States | +| [DuckDuckGo](#duckduckgo) | [Bing](https://help.duckduckgo.com/results/sources) | :material-check:{ .pg-green } | Anonymized[^2] | United States | +| [Startpage](#startpage) | [Google and Bing](https://support.startpage.com/hc/articles/4522435533844-What-is-the-relationship-between-Startpage-and-your-search-partners-like-Google-and-Microsoft-Bing) | :material-check:{ .pg-green } | Anonymized[^3] | Netherlands | + +### Brave Search + +
+ +![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + +**Brave Search** is a search engine developed by Brave. It includes unique features such as [Discussions](https://search.brave.com/help/discussions), which highlights conversation-focused results such as forum posts. + +Brave Search is the default search engine for the [Brave Browser](desktop-browsers.md#brave). + +[:octicons-home-16: Homepage](https://search.brave.com){ .md-button .md-button--primary } +[:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } +[:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://search.brave.com/help){ .card-link title="Documentation" } + +
+ +If you use Brave Search while logged in to a Premium account, there is a risk of Brave correlating search queries with your account. + +We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + +### DuckDuckGo + +
+ +![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + +**DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and a variety of [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features). The search engine uses numerous [sources](https://help.duckduckgo.com/results/sources) other than Bing for instant answers and other non-primary results. + +DuckDuckGo is the default search engine for the [Tor Browser](tor.md#tor-browser) and is one of the few available options on Apple’s [Safari](mobile-browsers.md#safari-ios) browser. + +[:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } +[:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } +[:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://help.duckduckgo.com){ .card-link title="Documentation" } + +
+ +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their Tor hidden address by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +### Startpage + +
+ +![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } +![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + +**Startpage** is a private search engine. One of Startpage's unique features is the [Anonymous View](https://startpage.com/en/anonymous-view), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + +[:octicons-home-16: Homepage](https://startpage.com){ .md-button .md-button--primary } +[:simple-torbrowser:](http://startpagel6srwcjlue4zgq3zevrujfaow726kjytqbbjyrswwmjzcqd.onion){ .card-link title="Onion Service" } +[:octicons-eye-16:](https://startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://support.startpage.com/hc/categories/4481917470356-Startpage-Search-Engine){ .card-link title="Documentation" } + +
+ +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://blog.privacyguides.org/2020/05/03/relisting-startpage) to clear up any concerns with System1's sizeable investment into the service, and we were satisfied with the answers we received. + +Startpage previously placed limitations on VPN and [Tor](tor.md) users, but they recently created an [official](https://support.startpage.com/hc/en-us/articles/24786602537364-Startpage-s-Tor-onion-service) Tor hidden service, and as of April 2024 we have no longer noticed extra roadblocks for Tor or [VPN](vpn.md) users. + +## Metasearch Engines + +A [metasearch engine](https://en.wikipedia.org/wiki/Metasearch_engine) aggregates the results of other search engines, such as the ones recommended above, while not storing any information itself. + +### SearXNG + +
+ +![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + +**SearXNG** is an open-source, self-hostable, metasearch engine. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + +[:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } +[:octicons-server-16:](https://searx.space){ .card-link title="Public Instances" } +[:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +
+ +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must not collect PII per their privacy policy. +- Must not require users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. + +[^1]: Brave Search collects aggregated usage metrics, which includes the OS and the user agent. However, they do not collect PII. To serve [anonymous local results](https://search.brave.com/help/anonymous-local-results), IP addresses are temporarily processed, but are not retained. 
+ + Brave Search: [*Brave Search privacy notice*](https://search.brave.com/help/privacy-policy) [^2]: DuckDuckGo **does** log your searches for product improvement purposes, but not your IP address or any other PII. + + DuckDuckGo Privacy Policy: [*We don't track you.*](https://duckduckgo.com/privacy) [^3]: Startpage logs details such as operating system, user agent, and language. They do not log your IP address, search queries, or other PII. + + Our Privacy Policy: [*How we have implemented truly anonymous analytics*](https://startpage.com/en/privacy-policy#section-4) diff --git a/i18n/fi/security-keys.md b/i18n/fi/security-keys.md new file mode 100644 index 00000000..2497bb0a --- /dev/null +++ b/i18n/fi/security-keys.md @@ -0,0 +1,130 @@ +--- +title: Security Keys +icon: material/key-chain +description: These security keys provide a form of phishing-immune authentication for accounts that support it. +cover: multi-factor-authentication.webp +--- + +Protects against the following threat(s): + +- [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals){ .pg-red } +- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy){ .pg-orange } + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the [FIDO2](basics/multi-factor-authentication.md#fido-fast-identity-online) security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multifactor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification[^1]. It supports FIDO2/WebAuthn and FIDO Universal 2nd Factor (U2F), and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://yubico.com/products/security-key){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title="Documentation" } + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://yubico.com/products/yubico-authenticator) +- CCID Smart Card support (PIV-compatible) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) series instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys with FIDO Level 2 Certification[^1]. The **YubiKey 5 Series** has a wide range of features such as FIDO2/WebAuthn and FIDO U2F, [TOTP and HOTP](https://developers.yubico.com/OATH) authentication, [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), and [OpenPGP](https://developers.yubico.com/PGP). + +[:octicons-home-16: Homepage](https://yubico.com/products/yubikey-5-overview){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title="Documentation" } + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series in terms of features and other specifications. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you choose the right security key. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which [support HOTP and TOTP](https://support.yubico.com/hc/articles/360013790319-How-many-accounts-can-I-register-my-YubiKey-with), the secrets are stored encrypted on the key and never exposed to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a cost-effective security key capable of FIDO2/WebAuthn and FIDO U2F called the **Nitrokey Passkey**. For support for features such as PIV, OpenPGP, and TOTP and HOTP authentication, you need to purchase one of their other keys like the **Nitrokey 3**. Currently, only the **Nitrokey 3A Mini** has [FIDO Level 1 Certification](https://nitrokey.com/news/2024/nitrokey-3a-mini-receives-official-fido2-certification). + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title="Documentation" } + + + +
+ +The [comparison table](https://nitrokey.com/products/nitrokeys#:~:text=The%20Nitrokey%20Family) shows how the different Nitrokey models compare to each other in terms of features and other specifications. Refer to Nitrokey's [documentation](https://docs.nitrokey.com/nitrokeys/features) for more details about the features available on your Nitrokey. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +
+

Warning

+ +Excluding the Nitrokey 3, Nitrokeys which support HOTP and TOTP do not have encrypted storage, making them vulnerable to physical attacks. + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high-quality, tamper-resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +[^1]: Some governments or other organizations may require a key with Level 2 certification, but most people do not have to worry about this distinction. diff --git a/i18n/fi/self-hosting/dns-filtering.md b/i18n/fi/self-hosting/dns-filtering.md new file mode 100644 index 00000000..f8de2d50 --- /dev/null +++ b/i18n/fi/self-hosting/dns-filtering.md 
@@ -0,0 +1,49 @@ +--- +title: DNS Filtering +meta_title: "Self-Hosting DNS Solutions - Privacy Guides" +icon: material/dns +description: For our more technical readers, self-hosting a DNS solution can provide filtering for devices not covered by cloud-based DNS solutions. +cover: dns.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](../basics/common-threats.md#privacy-from-service-providers){ .pg-teal } +- [:material-account-cash: Surveillance Capitalism](../basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } + +**Self-hosting DNS** is useful for providing [DNS filtering](https://cloudflare.com/learning/access-management/what-is-dns-filtering) on controlled platforms, such as smart TVs and other IoT devices, as no client-side software is needed. Keep in mind that the DNS solutions below are typically restricted to your home or local network unless you set up a more advanced configuration. + +## DNS Sinkholes + +[**DNS sinkholes**](https://en.wikipedia.org/wiki/DNS_sinkhole) use DNS filtering to block unwanted web content such as advertisements. + +### Pi-Hole + +
+ +![Pi-hole logo](../assets/img/self-hosting/pi-hole.svg){ align=right } + +**Pi-hole** is an open-source DNS sinkhole which features a friendly web interface to view insights and manage blocked content. Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. + +[:octicons-home-16: Homepage](https://pi-hole.net){ .md-button .md-button--primary } +[:octicons-eye-16:](https://pi-hole.net/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.pi-hole.net){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } +[:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title="Contribute" } + +
+ +### AdGuard Home + +
+ +![AdGuard Home logo](../assets/img/self-hosting/adguard-home.svg){ align=right } + +**AdGuard Home** is an open-source DNS sinkhole which features a polished web interface to view insights and manage blocked content. + +[:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } +[:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +
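Review bot: The heading `### Pi-Hole` in dns-filtering.md does not match the paragraph under it, which spells the project **Pi-hole** in both the bold name and the logo alt text. Suggest `### Pi-hole` so heading and body agree. The index page links to `dns-filtering.md#pi-hole`, which is lowercase, so that link is unaffected by the heading's capitalization.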
diff --git a/i18n/fi/self-hosting/email-servers.md b/i18n/fi/self-hosting/email-servers.md new file mode 100644 index 00000000..9a307db2 --- /dev/null +++ b/i18n/fi/self-hosting/email-servers.md @@ -0,0 +1,66 @@ +--- +title: Email Servers +meta_title: "Self-Hosting Email - Privacy Guides" +icon: material/email +description: For our more technical readers, self-hosting your own email can provide additional privacy assurances by having maximum control over your data. +cover: email.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](../basics/common-threats.md#privacy-from-service-providers){ .pg-teal } + +Advanced system administrators may consider setting up their own **email server**. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide) (August 2017) + +## Stalwart + +
+ +![Stalwart logo](../assets/img/self-hosting/stalwart.svg){ align=right } + +**Stalwart** is a newer mail server written in Rust which supports JMAP in addition to the standard IMAP, POP3, and SMTP. It has a wide variety of configuration options, but also defaults to very reasonable settings in terms of both security and features, making it easy to use immediately. It has web-based administration with TOTP 2FA support and allows you to enter your public PGP key to encrypt **all** incoming messages. + +[:octicons-home-16: Homepage](https://stalw.art){ .md-button .md-button--primary } +[:octicons-info-16:](https://stalw.art/docs/get-started){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/stalwartlabs){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/stalwartlabs){ .card-link title="Contribute" } + +
+ +Stalwart's [PGP implementation](https://stalw.art/docs/encryption/overview) is unique among our self-hosted recommendations and allows you to operate your own mail server with encrypted message storage, lessening the risk of unauthorized access to your emails. If you additionally configure Web Key Directory (WKD) on your domain, and if you use an email client which supports PGP and WKD for outgoing mail (like Thunderbird), then this is the easiest way to get self-hosted E2EE compatibility with all [Proton Mail](../email.md#proton-mail) users. + +Stalwart does **not** have an integrated webmail, so you will need to use it with a [dedicated email client](../email-clients.md) or find an open-source webmail to self-host, like Nextcloud's Mail app. + +We use Stalwart for our own internal email at _Privacy Guides_. + +## Mailcow + +
+ +![Mailcow logo](../assets/img/self-hosting/mailcow.svg){ align=right } + +**Mailcow** is an advanced mail server perfect for those with Linux experience. It has everything you need in a Docker container: a mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + +[:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } +[:octicons-info-16:](https://docs.mailcow.email){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } +[:octicons-heart-16:](https://servercow.de/mailcow?lang=en#sal){ .card-link title="Contribute" } + +
+ +## Mail-in-a-Box + +
+ +![Mail-in-a-Box logo](../assets/img/self-hosting/mail-in-a-box.svg){ align=right } + +**Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + +[:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } +[:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +
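Review bot: The Stalwart section of email-servers.md blurs server-side encryption with end-to-end encryption. "Enter your public PGP key to encrypt **all** incoming messages" and "encrypted message storage" describe encryption the server applies on arrival, yet the same paragraph then moves to "E2EE compatibility" under the WKD conditions, so a reader can take the first as end-to-end. Suggest one sentence separating the two: stored mail is encrypted to your key either way, but a message is end-to-end encrypted only when the sender encrypted it before sending.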
diff --git a/i18n/fi/self-hosting/file-management.md b/i18n/fi/self-hosting/file-management.md new file mode 100644 index 00000000..b0fe175d --- /dev/null +++ b/i18n/fi/self-hosting/file-management.md @@ -0,0 +1,81 @@ +--- +title: File Management +meta_title: "Self-Hosting File Management Tools - Privacy Guides" +icon: material/file-multiple-outline +description: For our more technical readers, self-hosting file management tools can provide additional privacy assurances by having maximum control over your data. +cover: cloud.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](../basics/common-threats.md#privacy-from-service-providers){ .pg-teal } + +Self-hosting your own **file management** tools may be a good idea to reduce the risk of encryption flaws in a cloud provider's native clients. + +## Photo Management + +### PhotoPrism + +
+ +![PhotoPrism logo](../assets/img/self-hosting/photoprism.svg){ align=right } + +**PhotoPrism** is a platform for managing photos. It supports album syncing and sharing as well as a variety of other [features](https://photoprism.app/features). It does not include end-to-end encryption, so it's best hosted on a server that you trust and is under your control. + +[:octicons-home-16: Homepage](https://photoprism.app){ .md-button .md-button--primary } +[:octicons-eye-16:](https://photoprism.app/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://photoprism.app/kb){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/photoprism){ .card-link title="Source Code" } + +
+ +## File Sharing and Sync + +### FreedomBox + +
+ +![FreedomBox logo](../assets/img/self-hosting/freedombox.svg){ align=right } + +**FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications for use cases like sharing files. + +[:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title="Documentation" } +[:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } +[:octicons-heart-16:](https://freedomboxfoundation.org/donate){ .card-link title="Contribute" } + +
+ +### Nextcloud + +
+ +![Nextcloud logo](../assets/img/self-hosting/nextcloud.svg){ align=right } + +**Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + +[:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://nextcloud.com/support){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } +[:octicons-heart-16:](https://nextcloud.com/contribute){ .card-link title="Contribute" } + +
Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) +- [:simple-github: GitHub](https://github.com/nextcloud/android/releases) +- [:fontawesome-brands-windows: Windows](https://nextcloud.com/install/#install-clients) +- [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) +- [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + +
+ +
+ +
+

Danger

+ +We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +
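Review bot: In the Nextcloud Danger admonition, "For this reason, we don't recommend third-party Nextcloud providers" does not follow from the sentence before it, which only says the E2EE App may lead to data loss. The missing step is that without the E2EE App, files held by a third-party provider are not end-to-end encrypted, so the provider has to be trusted with them. Suggest stating that explicitly, in the way the PhotoPrism entry in this file does with "best hosted on a server that you trust and is under your control".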
diff --git a/i18n/fi/self-hosting/index.md b/i18n/fi/self-hosting/index.md new file mode 100644 index 00000000..c635063c --- /dev/null +++ b/i18n/fi/self-hosting/index.md @@ -0,0 +1,243 @@ +--- +title: Self-Hosting +meta_title: "Self-Hosting Software and Services - Privacy Guides" +description: For our more technical readers, self-hosting software and services can provide additional privacy assurances since you have maximum control over your data. +cover: router.webp +--- + +Protects against the following threat(s): + +- [:material-server-network: Service Providers](../basics/common-threats.md#privacy-from-service-providers){ .pg-teal } + +**Self-hosting** software and services can be a way to achieve a higher level of privacy through digital sovereignty, particularly independence from cloud servers controlled by product developers or vendors. By self-hosting, we mean hosting applications and data on your own hardware. + +Self-hosting your own solutions requires advanced technical knowledge and a deep understanding of the associated risks. By becoming the host for yourself and possibly others, you take on responsibilities you might not otherwise have. Self-hosting privacy software improperly can leave you worse off than using e.g. an end-to-end encrypted service provider, so it is best avoided if you are not already comfortable doing so. + +## :material-dns: DNS Filtering + +
+ +- ![AdGuard Home logo](../assets/img/self-hosting/adguard-home.svg){ .twemoji loading=lazy } [AdGuard Home](dns-filtering.md#adguard-home) +- ![Pi-Hole logo](../assets/img/self-hosting/pi-hole.svg){ .twemoji loading=lazy } [Pi-Hole](dns-filtering.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns-filtering.md) + +## :material-email: Email Servers + +
+ +- ![Stalwart logo](../assets/img/self-hosting/stalwart.svg){ .twemoji loading=lazy } [Stalwart](email-servers.md#stalwart) +- ![Mailcow logo](../assets/img/self-hosting/mailcow.svg){ .twemoji loading=lazy } [Mailcow](email-servers.md#mailcow) +- ![Mail-in-a-Box logo](../assets/img/self-hosting/mail-in-a-box.svg){ .twemoji loading=lazy } [Mail-in-a-Box](email-servers.md#mail-in-a-box) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-servers.md) + +## :material-file-multiple-outline: File Management + +
+ +- ![PhotoPrism logo](../assets/img/self-hosting/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](file-management.md#photoprism) +- ![FreedomBox logo](../assets/img/self-hosting/freedombox.svg){ .twemoji loading=lazy } [FreedomBox](file-management.md#freedombox) +- ![Nextcloud logo](../assets/img/self-hosting/nextcloud.svg){ .twemoji loading=lazy } [Nextcloud](file-management.md#nextcloud) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-management.md) + +## :material-form-textbox-password: Password Management + +### Vaultwarden + +
+ +![Vaultwarden logo](../assets/img/self-hosting/vaultwarden.svg#only-light){ align=right } +![Vaultwarden logo](../assets/img/self-hosting/vaultwarden-dark.svg#only-dark){ align=right } + +**Vaultwarden** is an alternative implementation of [Bitwarden](../passwords.md#bitwarden)'s sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the resource-heavy, [official service](https://github.com/bitwarden/server) might not be ideal. + +[:octicons-repo-16: Repository](https://github.com/dani-garcia/vaultwarden#readme){ .md-button .md-button--primary } +[:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title="Contribute" } + +
+ +## :material-account-supervisor-circle-outline: Social Networks + +Self-hosting your own instance of a social network software can help circumvent potential [censorship on a server level](../social-networks.md#censorship-resistance) by a public server's administrator or admin team. + +### Mastodon + +
+ +![Mastodon logo](../assets/img/social-networks/mastodon.svg){ align=right } + +**Mastodon** is a social network based on open web protocols and free, open-source software. It uses the decentralized **:simple-activitypub: ActivityPub** protocol. + +[:octicons-home-16:](https://joinmastodon.org){ .card-link title="Homepage" } +[:octicons-info-16:](https://docs.joinmastodon.org/admin/prerequisites){ .card-link title="Admin Documentation" } + +
+ +Mastodon [integrates with the Tor network](https://docs.joinmastodon.org/admin/optional/tor) for more extreme scenarios where even your underlying hosting provider is subject to censorship, but this may limit who can access your content to only other servers which integrate with Tor (like most other hidden services). + +Mastodon benefits greatly from a large and active self-hosting community, and its administration is comprehensively documented. While many other ActivityPub platforms can require extensive technical knowledge to run and troubleshoot, Mastodon has very stable and tested releases, and it can generally be run securely without issue by anyone who can use the Linux command line and follow step-by-step instructions. + +### Element + +
+ +![Element logo](../assets/img/social-networks/element.svg){ align=right } + +**Element** is the flagship client for the **:simple-matrix: Matrix** protocol, an open standard that enables decentralized communication by way of federated chat rooms. + +[:octicons-home-16:](https://element.io){ .card-link title="Homepage" } +[:octicons-info-16:](https://element-hq.github.io/synapse/latest){ .card-link title="Admin Documentation" } +[:octicons-code-16:](https://github.com/element-hq){ .card-link title="Source Code" } + +
+ +## :material-flip-to-front: Frontends + +Self-hosting your own instance of a web-based frontend can help you circumvent rate limits that you may encounter on high-traffic, public instances. It is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting, as other peoples' usage will be linked to your hosting. + +
+ +- ![Redlib logo](../assets/img/frontends/redlib.svg){ .lg .middle .twemoji } [**Redlib (Reddit)**](../frontends.md#redlib) + + --- + + [:octicons-info-16:](https://github.com/redlib-org/redlib#deployment){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/redlib-org/redlib){ .card-link title="Source Code" } + +- ![ProxiTok logo](../assets/img/frontends/proxitok.svg){ .lg .middle .twemoji } [**ProxiTok (TikTok)**](../frontends.md#proxitok) + + --- + + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki/Self-hosting){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +- ![Invidious logo](../assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](../assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [**Invidious (YouTube)**](../frontends.md#invidious) + + --- + + [:octicons-home-16:](https://invidious.io){ .card-link title="Homepage" } + [:octicons-info-16:](https://docs.invidious.io/installation){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + +- ![Piped logo](../assets/img/frontends/piped.svg){ .twemoji } [**Piped (YouTube)**](../frontends.md#piped) + + --- + + [:octicons-info-16:](https://docs.piped.video/docs/self-hosting){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + +
+ +## More Tools... + +Tool recommendations in other categories of the website also provide a self-hosted option, so you could consider this if you are confident in your ability to host the software after reading their documentation. + +
+ +- ![Peergos logo](../assets/img/cloud/peergos.svg){ .twemoji } [**Peergos**](../cloud.md#peergos) + + --- + + [:octicons-home-16:](https://peergos.org){ .card-link title="Homepage" } + [:octicons-info-16:](https://github.com/peergos/peergos#usage---running-locally-to-log-in-to-another-instance){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/Peergos/Peergos){ .card-link title="Source Code" } + +- ![Addy.io logo](../assets/img/email-aliasing/addy.svg){ .twemoji } [**Addy.io**](../email-aliasing.md#addyio) + + --- + + [:octicons-home-16:](https://addy.io){ .card-link title="Homepage" } + [:octicons-info-16:](https://addy.io/self-hosting){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + +- ![SimpleLogin logo](../assets/img/email-aliasing/simplelogin.svg){ .twemoji } [**SimpleLogin**](../email-aliasing.md#simplelogin) + + --- + + [:octicons-home-16:](https://addy.io){ .card-link title="Homepage" } + [:octicons-info-16:](https://github.com/simple-login/app#prerequisites){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + +- ![Ente logo](../assets/img/photo-management/ente.svg){ .twemoji } [**Ente Photos**](../photo-management.md#ente-photos) + + --- + + [:octicons-home-16:](https://ente.io){ .card-link title="Homepage" } + [:octicons-info-16:](https://help.ente.io/self-hosting){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/ente-io/ente){ .card-link title="Source Code" } + +- ![CryptPad logo](../assets/img/document-collaboration/cryptpad.svg){ .twemoji } [**CryptPad**](../document-collaboration.md#cryptpad) + + --- + + [:octicons-home-16:](https://cryptpad.fr){ .card-link title="Homepage" } + [:octicons-info-16:](https://docs.cryptpad.org/en/admin_guide/index.html){ .card-link title="Admin Documentation" } + 
[:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + +- ![Send logo](../assets/img/file-sharing-sync/send.svg){ .twemoji } [**Send**](../file-sharing.md#send) + + --- + + [:octicons-home-16:](https://send.vis.ee){ .card-link title="Homepage" } + [:octicons-info-16:](https://github.com/timvisee/send/blob/master/docs/deployment.md){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + +- ![LibreTranslate logo](../assets/img/language-tools/libretranslate.png){ .twemoji } [**LibreTranslate**](../language-tools.md#libretranslate) + + --- + + [:octicons-home-16:](https://libretranslate.com){ .card-link title="Homepage" } + [:octicons-info-16:](https://docs.libretranslate.com){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/LibreTranslate/LibreTranslate){ .card-link title="Source Code" } + +- ![Miniflux logo](../assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](../assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [**Miniflux**](../news-aggregators.md#miniflux) + + --- + + [:octicons-home-16:](https://miniflux.app){ .card-link title="Homepage" } + [:octicons-info-16:](https://miniflux.app/docs/index.html#administration-guide){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + +- ![Standard Notes logo](../assets/img/notebooks/standard-notes.svg){ .twemoji } [**Standard Notes**](../notebooks.md#standard-notes) + + --- + + [:octicons-home-16:](https://standardnotes.com){ .card-link title="Homepage" } + [:octicons-info-16:](https://standardnotes.com/help/47/can-i-self-host-standard-notes){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + +- ![PrivateBin logo](../assets/img/pastebins/privatebin.svg){ 
.twemoji } [**PrivateBin**](../pastebins.md#privatebin) + + --- + + [:octicons-home-16:](https://privatebin.info){ .card-link title="Homepage" } + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } + +- ![Paaster logo](../assets/img/pastebins/paaster.svg){ .twemoji } [**Paaster**](../pastebins.md#paaster) + + --- + + [:octicons-home-16:](https://paaster.io){ .card-link title="Homepage" } + [:octicons-info-16:](https://github.com/WardPearce/paaster#deployment){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/WardPearce/paaster){ .card-link title="Source Code" } + +- ![SimpleX Chat logo](../assets/img/messengers/simplex.svg){ .twemoji } [**SimpleX Chat**](../real-time-communication.md#simplex-chat) + + --- + + [:octicons-home-16:](https://simplex.chat){ .card-link title="Homepage" } + [:octicons-info-16:](https://simplex.chat/docs/server.html){ .card-link title="Admin Documentation" } + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + +
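Review bot: In the "More Tools..." grid of self-hosting/index.md, the SimpleLogin card's Homepage link is `https://addy.io`, the same URL as the Addy.io card directly above it, which looks like a copy-paste slip. Suggest pointing it at SimpleLogin's own homepage. The card's other two links already go to `github.com/simple-login`.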
diff --git a/i18n/fi/social-networks.md b/i18n/fi/social-networks.md new file mode 100644 index 00000000..634bef7f --- /dev/null +++ b/i18n/fi/social-networks.md 
@@ -0,0 +1,201 @@ +--- +title: Social Networks +icon: material/account-supervisor-circle-outline +description: Find a new social network that doesn’t pry into your data or monetize your profile. +cover: social-networks.webp +--- + +Protects against the following threat(s): + +- [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray } +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown } + +These privacy-respecting **social networks** allow you to participate in online communities without giving up your personal information like your full name, phone number, and other data commonly requested by tech companies. + +A growing problem among social media platforms is censorship in two different forms. First, they often acquiesce to illegitimate censorship requests, either from malicious governments or their own internal policies. Second, they often require accounts to access walled-off content that would otherwise be published freely on the open internet; this effectively censors the browsing activities of privacy-conscious users who are unable to pay the privacy cost of opening an account on these networks. + +The social networks we recommend solve the issue of censorship by operating atop an open and decentralized social networking protocol. They also don't require an account merely to view publicly available content. + +You should note that **no** social networks are appropriate for private or sensitive communications. For chatting directly with others, you should use a recommended [instant messenger](real-time-communication.md) with strong end-to-end encryption, and only use direct messages on social media in order to establish a more private and secure chat platform with your contacts. 
+ +## Decentralization + +Decentralized social networks are built on an architecture that is fundamentally different than mainstream social media platforms, yet quite similar to the underlying structure of email. Instead of opening an account under a single, unified service like you would for Facebook or Discord, you instead choose an independent, public server to join. The server you join can communicate with and discover other servers; this aspect of decentralization is also known as _federation_. + +A significant benefit of this decentralized model is that there is no central authority which can censor your account across the entire network, though it is possible for your account to be banned or silenced by an individual server. + +A caveat of this decentralized model is that each server is its own legal entity, with its own privacy policy, terms of use, administration team, and moderators. While many of these servers are far _less_ restrictive and more privacy-respecting than traditional social media platforms, some can be far _more_ restrictive or potentially _worse_ for your privacy. Typically, the software on which the social network runs does not discriminate between these administrators or place any limitations on their powers. + +## Censorship Resistance + +While censorship in decentralized social networks does not exist on a network level, it is very possible to experience censorship on a server level depending on a server's administrator. Administrators have the power to _defederate_ from other servers, which leads to limiting the content you can view and the people you can interact with. + +If you are greatly concerned about an existing server censoring your content, the content available to you, or other servers, you generally have two options: + +1. **Host the social network software yourself.** This approach gives you the exact same censorship resistance as any other website you can host yourself, which is fairly high. + +2. 
**Use a managed hosting service.** We don't have any specific recommendations, but there are a variety of hosting services which will create a brand-new server on your own domain (or occasionally a subdomain of their domain, but we recommend against this unless registering your own domain presents too much of a burden to your privacy). + + Typically, hosting providers will handle the _technical_ side of your server, but completely leave the _moderation_ side up to you. This often represents a better approach than self-hosting for most people because you can benefit from greater control over your own server without worrying about technical problems or unpatched security vulnerabilities. + + You should look closely at your hosting provider's terms of service and acceptable use policies before registering. These are often far more broad than typical hosted server rules, and they are far less likely to be enforced without recourse, but they can still be restrictive in undesirable ways. + +## Mastodon + +
+ +![Mastodon logo](assets/img/social-networks/mastodon.svg){ align=right } + +**Mastodon** is a social network based on open web protocols and free, open-source software. It uses the **:simple-activitypub: ActivityPub** protocol, which is decentralized like email: Users can exist on different servers or even different platforms but still communicate with each other. + +[:octicons-home-16: Homepage](https://joinmastodon.org){ .md-button .md-button--primary } +[:octicons-info-16:](https://docs.joinmastodon.org){ .card-link title="Documentation" } + +
+ +There are many software platforms which use ActivityPub as their backend social networking protocol, meaning they can talk to servers even when they are running different software. For example, PeerTube is a video publishing software that uses ActivityPub, meaning you can follow channels on PeerTube either with another PeerTube account, _or_ with a Mastodon account because Mastodon also uses ActivityPub. + +We chose to recommend Mastodon over other ActivityPub software as your primary social media platform for these reasons: + +1. Mastodon has a solid history of security updates. In the handful of circumstances where major security vulnerabilities have been found, they coordinate patch releases quickly and cleanly. Historically they have also backported these security patches to older feature branches. This makes it easier for less experienced server hosts who may not feel comfortable upgrading to the latest releases right away to keep their instances secure. Mastodon also has an update notification system built in to the web interface, making it much more likely for server administrators to be aware of critical security patches available for their instance. + +2. Mastodon is largely usable with most content types. While it is primarily a microblogging platform, Mastodon easily handles longer posts, image posts, video posts, and most other posts you might encounter when following ActivityPub users who aren't on Mastodon. This makes your Mastodon account an ideal "central hub" for following anyone regardless of the platform they chose to use. In contrast, if you were only using a PeerTube account, you would _only_ be able to follow other video channels, for example. + +3. Mastodon has fairly comprehensive privacy controls. It has many built-in features which allow you to limit how and when your data is shared, some of which we'll cover below. They also develop new features with privacy in mind. 
For example, while other ActivityPub software quickly implemented "quote posts" by merely handling links to other posts with a slightly different embed modal, Mastodon is [developing](https://blog.joinmastodon.org/2025/02/bringing-quote-posts-to-mastodon) a quote post feature which will give you more fine-grained control when your post is quoted. + +### Choosing an Instance + +To benefit the most from Mastodon, it is critical to choose a server, or "instance," which is well aligned with the type of content you want to post or read about. We do not currently recommend any specific instances, but you may find advice within our communities. We recommend avoiding _mastodon.social_ and _mastodon.online_ because they are operated by the same company which develops Mastodon itself. From the perspective of decentralization, it is better in the long term to separate software developers and server hosts so that no one party can exert too much control over the network as a whole. + +### Recommended Privacy Settings + +From Mastodon's web interface, click the **Administration** link in the right sidebar. Within the administration control panel, you'll find these sections in the left sidebar: + +#### Public Profile + +There are a number of privacy controls under the **privacy and reach** tab here. Most notably, pay attention to these: + +- [ ] **Automatically accept new followers**: You should consider unchecking this box to have a private profile. This will allow you to review who can follow your account before accepting them. + + In contrast to most social media platforms, if you have a private profile you still have the _option_ to publish posts which are publicly visible to non-followers and can still be boosted by non-followers. Therefore, unchecking this box is the only way to have the _choice_ to publish to either the entire world or a select group of people. 
+ +- [ ] **Show follows and followers on profile**: You should uncheck this box to hide your social graph from the public. It is fairly uncommon for the list of people you follow to have some genuine benefit to others, but that information can present a risk to you. + +- [ ] **Display from which app you sent a post**: You should uncheck this box to prevent revealing information about your personal computing setup to others unnecessarily. + +The other privacy controls on this page should be read through, but we would stress that they are **not** technical controls—they are merely requests that you make to others. For example, if you choose to hide your profile from search engines on this page, **nothing** is actually stopping a search engine from reading your profile. You are merely requesting search engine indexes not publish your content to their users. + +You will likely still wish to make these requests because they can practically reduce your digital footprint. However, they should not be _relied_ upon. The only effective way to hide your posts from search engines and others is to post with non-public (followers only) visibility settings _and_ limit who can follow your account. + +#### Preferences + +You should change your **posting privacy** setting from public to: **Followers-only - Only show to followers**. + +Note that this only changes your default settings to prevent accidental over-sharing. You can always adjust your visibility level when composing a new post. + +#### Automated post deletion + +- [x] Check the **Automatically delete old posts** box. + +The default settings here are fine, and will delete any posts you make after 2 weeks, unless you favorite (star) them. This gives you an easy way to control which posts stick around forever, and which ones are only ephemeral. Many settings about how long and when posts are kept can be adjusted here to suit your own needs, however. 
+ +It is very rare for social media posts older than a few weeks to be read or relevant to others. These older posts are often ignored because they are challenging to deal with in bulk, but they can build a fairly comprehensive profile about you over time. You should always strive to publish content ephemerally by default, and only keep posts around for longer than that very intentionally. + +### Posting Content + +When publishing a new post, you will have the option to choose from one of these visibility settings: + +- **Public**, which publishes your content to anyone on the internet. +- **Quiet public**, which you should consider equivalent to publicly posting! This is not a technical guarantee, but merely a request you are making to other servers to hide your post from some feeds. +- **Followers**, which publishes your content only to your followers. If you did not follow our recommendation of restricting your followers, you should consider this equivalent to publicly posting! +- **Specific people**, which only shares the post with people who are specifically mentioned within the post. This is Mastodon's version of direct messages, but should never be relied on for private communications as we covered earlier since Mastodon has no E2EE. + +If you used our recommended configuration settings above, you should be posting to **Followers** by default, and only posting to **Public** on an intentional and case-by-case basis. + +## Element + +
+ +![Element logo](assets/img/social-networks/element.svg){ align=right } + +**Element** is the flagship client for the **:simple-matrix: [Matrix](https://matrix.org/docs/chat_basics/matrix-for-im)** protocol, an [open standard](https://spec.matrix.org/latest) that enables decentralized communication by way of federated chat rooms. Users can exist on different homeservers but still communicate with each other. + +[:octicons-home-16: Homepage](https://element.io){ .md-button .md-button--primary } +[:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://element.io/help){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/element-hq){ .card-link title="Source Code" } + +
Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.element.android.x) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1631335820) +- [:simple-github: GitHub](https://github.com/element-hq/element-x-android/releases) +- [:fontawesome-brands-windows: Windows](https://element.io/download) +- [:simple-apple: macOS](https://element.io/download) +- [:simple-linux: Linux](https://element.io/download) +- [:octicons-browser-16: Web](https://app.element.io) + +
+ +
+ +### Choosing a Homeserver + +To benefit the most from Matrix, it is critical to choose a homeserver which is well aligned with the subject(s) you want to chat about. We do not currently recommend any specific homeservers, but you may find advice within our communities or third-party resources like [_joinmatrix.org_](https://servers.joinmatrix.org). We recommend avoiding _matrix.org_ because they are operated by the same company which develops Matrix itself. From the perspective of decentralization, it is better in the long term to separate software developers and server hosts so that no one party can exert too much control over the network as a whole. + +### Recommended Privacy Settings + +From Element's web or desktop app, go to :gear: → **All settings** to find these sections: + +#### Sessions + +By default, when you log in to Element on a new device, the session name will be automatically populated with the Matrix client and platform you used for login. This information may be visible to other users depending on the Matrix client they use. + +To prevent revealing information about your personal device to others unnecessarily, consider emptying the session name; this will change the session name to the randomly generated alphanumeric Session ID instead. + +#### Preferences + +- [ ] Uncheck **Send read receipts** +- [ ] Uncheck **Send typing notifications** + +You should uncheck these options to reduce the exposure of metadata to other users when chatting in a public room. + +#### Voice & Video + +- [ ] Uncheck **Allow Peer-to-Peer for 1:1 calls** +- [ ] Uncheck **Allow fallback call assist server (turn.matrix.org)** + +If you do decide to use Element for one-to-one communication, we recommend unchecking these settings to prevent the exposure of your IP address to the other party. 
+ +#### Security & Privacy + +##### Manage integrations (scalar.vector.im) + +A Matrix integration manager connects Matrix to third-party services such as bots, bridges, and other enhancements. Element collects information to provide these services to those using an integration manager; you can review its detailed [Privacy Notice](https://element.io/integration-manager-privacy-notice) for the exact information Element collects and the ways it uses such information. + +As an end user on a public homeserver, you can consider unchecking the **Enable the integration manager** option, which does not affect the visibility of bots or other third-party services. As a homeserver administrator, consider whether the additional parties with which you share your data are worth the extra functionality. + +##### Sessions + +- [ ] (Optional) Uncheck **Record the client name, version, and url to recognize sessions for easily in session manager** + +Unchecking this option may make it more diffcult to discern your active sessions if you logged in to your Matrix account on multiple devices. + +#### Encryption + +- [x] (Optional) Check **In encrypted rooms, only send messages to verified users** + +With this setting enabled, unverified users (i.e., those who have not used the **Verify User** function) and unverified devices of verified users will not receive your messages in a room with encryption enabled. This may limit the messages you can view and the people you can interact with. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +- Must be free and open-source software. 
+- Must use a federated protocol to communicate with other instances of the social networking software. +- Must not have non-technical restrictions on who can be federated with. +- Must be usable within a standard [web browser](desktop-browsers.md). +- Must make public content accessible to visitors without an account. +- Must allow you to limit who can follow your profile. +- Must allow you to post content visible only to your followers. +- Must support modern web application security standards/features (including [multifactor authentication](multi-factor-authentication.md)). diff --git a/i18n/fi/tools.md b/i18n/fi/tools.md new file mode 100644 index 00000000..06858ee4 --- /dev/null +++ b/i18n/fi/tools.md @@ -0,0 +1,729 @@ +--- +meta_title: "Ad-Free Privacy Tool/Service Recommendations - Privacy Guides" +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: A complete list of the privacy tools, services, software, and hardware recommended by the Privacy Guides community. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +
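Review bot: In i18n/fi/social-networks.md, the added sentence under Security & Privacy > Sessions has a typo, "may make it more diffcult to discern your active sessions"; change "diffcult" to "difficult". The checkbox label just above it, "to recognize sessions for easily in session manager", is ungrammatical as written and should be checked against the wording the client actually shows. Under "Choosing a Homeserver", "We recommend avoiding _matrix.org_ because they are operated by the same company" names a single server but keeps the plural wording of the matching Mastodon paragraph; "because it is operated by" reads correctly. The file is added under i18n/fi, yet every string in the hunk is English, including the front matter title and description. Please confirm this is an intended untranslated placeholder, and fix the wording in the source page so the corrections carry over to every locale.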
+ +
+[VPN Providers](vpn.md){ .md-button } +[Password Managers](passwords.md){ .md-button } +[Email Providers](email.md){ .md-button } +[Browser Extensions](browser-extensions.md){ .md-button } +[DNS Servers](dns.md){ .md-button } +[Email Aliasing Services](email-aliasing.md){ .md-button } +[Photo Organization Tools](photo-management.md){ .md-button } +
+ +
+ +
+ +
+ +[Self-hosting recommendations](self-hosting/index.md) have been moved to their own category. + +
+ +
+ +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +
+ +
+- [x] **Ad-Free Recommendations** +- [x] **Frequent Updates** +- [x] **Trusted by Readers** +
+ +
+- [x] **Complete Editorial Independence** +- [x] **Open-Source Contributions** +- [x] **Trusted by Journalists** +
+ +
+ +## Private Web Browsers + +
+ +![Tor Browser logo](assets/img/browsers/tor.svg){ align=left } + +**Tor Browser** (Desktop & Android) is the top choice if you need anonymity, as it provides you with access to the **Tor** network, a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[Read Our Full Review :material-arrow-right-drop-circle:](tor.md){ .md-button .md-button--primary } + +
+ +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .lg .middle .twemoji } **Mullvad Browser** + + --- + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. + + - [Read Full Review :material-arrow-right-drop-circle:](desktop-browsers.md#mullvad-browser) + +- ![Firefox logo](assets/img/browsers/firefox.svg){ .lg .middle .twemoji } **Firefox** + + --- + + **Firefox** is a great Chromium alternative which provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + - [Read Full Review :material-arrow-right-drop-circle:](desktop-browsers.md#firefox) + +- ![Brave logo](assets/img/browsers/brave.svg){ .lg .middle .twemoji } **Brave Browser** + + --- + + **Brave** is a private-by-default browser based on Chromium, so it should feel familiar and have minimal website compatibility issues. + + - [Brave Desktop Review :material-arrow-right-drop-circle:](desktop-browsers.md#brave) + - [Brave Mobile Review :material-arrow-right-drop-circle:](mobile-browsers.md#brave) + +- ![Cromite logo](assets/img/browsers/cromite.svg){ .lg .middle .twemoji } **Cromite (Android)** + + --- + + **Cromite** is a Chromium-based Android browser with built-in ad-blocking and [privacy enhancements](https://github.com/uazo/cromite/blob/master/docs/FEATURES.md). It is a fork of the popular, now-discontinued Bromite browser. 
+ + - [Read Full Review :material-arrow-right-drop-circle:](mobile-browsers.md#cromite-android) + +- ![Safari logo](assets/img/browsers/safari.svg){ .lg .middle .twemoji } **Safari (iOS)** + + --- + + We recommend **Safari** due to its [anti-fingerprinting](https://webkit.org/blog/15697/private-browsing-2-0) features and default tracker blocking. It also separates your cookies in private browsing mode to prevent tracking between tabs. + + - [Read Full Review :material-arrow-right-drop-circle:](mobile-browsers.md#safari-ios) + +
+ +
+ +
+### Browser Extensions + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji loading=lazy } [uBlock Origin](browser-extensions.md#ublock-origin) +- ![uBlock Origin Lite logo](assets/img/browsers/ublock_origin_lite.svg){ .twemoji loading=lazy } [uBlock Origin Lite](browser-extensions.md#ublock-origin-lite) +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji loading=lazy } [AdGuard for iOS](browser-extensions.md#adguard) + +
+ +
+ +
+### More Tor Network Tools + +
+ +- ![Onion Browser logo](assets/img/self-contained-networks/onion_browser.svg){ .twemoji loading=lazy } [Onion Browser (Tor for iOS)](tor.md#onion-browser-ios) + +
+ +
+ +
+ +## Top 3 Private VPN Providers + +
+VPNs do not provide anonymity + +Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + +If you are looking for **anonymity**, you should use the Tor Browser. + +If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .lg .middle .twemoji } **Proton VPN** + + --- + + - [x] **112+ Countries** + - [x] WireGuard Support + - [x] Cash Payments + - [x] Partial Port Forwarding Support + - [ ] No IPv6 + + [Read Full Review :material-arrow-right-drop-circle:](vpn.md#proton-vpn) + +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .lg .middle .twemoji } **IVPN** + + --- + + - [x] **37+ Countries** + - [x] WireGuard Support + - [x] Monero & Cash Payments + - [ ] No Port Forwarding + - [ ] No IPv6 + + [Read Full Review :material-arrow-right-drop-circle:](vpn.md#ivpn) + +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .lg .middle .twemoji } **Mullvad** + + --- + + - [x] **49+ Countries** + - [x] WireGuard Support + - [x] Monero & Cash Payments + - [ ] No Port Forwarding + - [x] IPv6 Support + + [Read Full Review :material-arrow-right-drop-circle:](vpn.md#mullvad) + +
+ +## Top 3 Private Email Providers + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .lg .middle .twemoji } **Proton Mail** + + --- + + Proton Mail is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free. + + [Read Full Review :material-arrow-right-drop-circle:](email.md#proton-mail) + +- ![Mailbox Mail logo](assets/img/email/mailbox-mail.svg){ .lg .middle .twemoji } **Mailbox Mail** + + --- + + Mailbox Mail (formerly *Mailbox.org*) is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox Mail is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed. + + [Read Full Review :material-arrow-right-drop-circle:](email.md#mailbox-mail) + +- ![Tuta logo](assets/img/email/tuta.svg#only-light){ .lg .middle .twemoji }![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ .lg .middle .twemoji } **Tuta** + + --- + + Tuta (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage. + + [Read Full Review :material-arrow-right-drop-circle:](email.md#tuta) + +
+ +
+ +
+### Email Aliasing Services + +
+ +- ![Addy.io logo](assets/img/email-aliasing/addy.svg){ .twemoji loading=lazy } [Addy.io](email-aliasing.md#addyio) +- ![SimpleLogin logo](assets/img/email-aliasing/simplelogin.svg){ .twemoji loading=lazy } [SimpleLogin](email-aliasing.md#simplelogin) + +
+ +
+ +
+ +### Secure Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji loading=lazy } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji loading=lazy } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji loading=lazy } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji loading=lazy } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji loading=lazy } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji loading=lazy } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji loading=lazy } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +## More Private Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji loading=lazy } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji loading=lazy } [Tresorit](cloud.md#tresorit) +- ![Peergos logo](assets/img/cloud/peergos.svg){ .twemoji loading=lazy } [Peergos](cloud.md#peergos) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### Data Removal Services + +
+ +- ![EasyOptOuts logo](assets/img/data-broker-removals/easyoptouts.svg){ .twemoji loading=lazy } [EasyOptOuts](data-broker-removals.md#easyoptouts-paid) +- ![Google logo](assets/img/data-broker-removals/google.svg){ .twemoji loading=lazy } [Google *Results about you*](data-broker-removals.md#google-results-about-you-free) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-broker-removals.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji loading=lazy }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji loading=lazy } [RethinkDNS](dns.md#rethinkdns) +- ![DNSCrypt-Proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji loading=lazy } [DNSCrypt-Proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji loading=lazy }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji loading=lazy } [Privacy.com](financial-services.md#privacycom-us) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji loading=lazy }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji loading=lazy } [MySudo](financial-services.md#mysudo-us-paid) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Coincards logo](assets/img/financial-services/coincards.svg){ .twemoji loading=lazy } [Coincards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Photo Management + +
+ +- ![Ente logo](assets/img/photo-management/ente.svg){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) + +
+ +[Learn more :material-arrow-right-drop-circle:](photo-management.md) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji loading=lazy } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji loading=lazy } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji loading=lazy } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji loading=lazy }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji loading=lazy } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +## Software + +### AI Chat + +
+ +- ![Kobold logo](assets/img/ai-chat/kobold.png){ .twemoji loading=lazy } [Kobold.cpp](ai-chat.md#koboldcpp) +- ![Llamafile logo](assets/img/ai-chat/llamafile.webp){ .twemoji loading=lazy } [Llamafile](ai-chat.md#llamafile) +- ![Ollama logo](assets/img/ai-chat/ollama.png){ .twemoji loading=lazy } [Ollama (CLI)](ai-chat.md#ollama-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](ai-chat.md) + +### Calendar Sync + +
+ +- ![Tuta logo](assets/img/email/tuta.svg#only-light){ .twemoji loading=lazy }![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ .twemoji loading=lazy } [Tuta](calendar.md#tuta) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji loading=lazy } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji loading=lazy } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji loading=lazy } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji loading=lazy } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji loading=lazy } [ExifTool (CLI)](data-redaction.md#exiftool-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Document Collaboration + +
+ +- ![CryptPad logo](assets/img/document-collaboration/cryptpad.svg){ .twemoji loading=lazy } [CryptPad](document-collaboration.md#cryptpad) + +
+ +[Learn more :material-arrow-right-drop-circle:](document-collaboration.md) + +### Encryption Software + +
+Operating System Encryption + +For encrypting your OS drive, we typically recommend using the encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and take advantage of hardware encryption elements such as a [secure cryptoprocessor](basics/hardware.md/#tpmsecure-cryptoprocessor). + +[Learn more :material-arrow-right-drop-circle:](encryption.md#operating-system-encryption) + +
+ +#### Cross-Platform Tools + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji loading=lazy } [Cryptomator](encryption.md#cryptomator-cloud) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji loading=lazy }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji loading=lazy } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji loading=lazy } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji loading=lazy } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji loading=lazy } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji loading=lazy } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji loading=lazy } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji loading=lazy } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji loading=lazy } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji loading=lazy } [OnionShare](file-sharing.md#onionshare) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji loading=lazy } [Syncthing](file-sharing.md#syncthing-p2p) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Redlib logo](assets/img/frontends/redlib.svg){ .twemoji loading=lazy } [Redlib (Reddit, Web)](frontends.md#redlib) +- ![ProxiTok logo](assets/img/frontends/proxitok.svg){ .twemoji loading=lazy } [ProxiTok (TikTok, Web)](frontends.md#proxitok) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji loading=lazy } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji loading=lazy }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji loading=lazy } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji loading=lazy } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji loading=lazy }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji loading=lazy } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji loading=lazy } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Health and Wellness Apps + +
+ +- ![Drip logo](assets/img/health-and-wellness/drip.png){ .twemoji loading=lazy } [Drip](health-and-wellness.md#drip) +- ![Euki logo](assets/img/health-and-wellness/euki.svg){ .twemoji loading=lazy } [Euki](health-and-wellness.md#euki) +- ![Apple Fitness logo](assets/img/health-and-wellness/apple-fitness.webp){ .twemoji loading=lazy } [Apple Fitness](health-and-wellness.md#apple-fitness) +- ![Gadgetbridge logo](assets/img/health-and-wellness/gadgetbridge.svg#only-light){ .twemoji loading=lazy }![Gadgetbridge logo](assets/img/health-and-wellness/gadgetbridge-dark.svg#only-dark){ .twemoji loading=lazy } [Gadgetbridge](health-and-wellness.md#gadgetbridge) +- ![Apple Health logo](assets/img/health-and-wellness/apple-health.webp#only-light){ .twemoji loading=lazy } ![Apple Health logo](assets/img/health-and-wellness/apple-health-dark.webp#only-dark){ .twemoji loading=lazy } [Apple Health Records](health-and-wellness.md#apple-health-records) +- ![CommonHealth logo](assets/img/health-and-wellness/commonhealth.png){ .twemoji loading=lazy } [CommonHealth](health-and-wellness.md#commonhealth) + +
+ +[Learn more :material-arrow-right-drop-circle:](health-and-wellness.md) + +### Language Tools + +
+ +- ![LanguageTool logo](assets/img/language-tools/languagetool.svg#only-light){ .twemoji loading=lazy }![LanguageTool logo](assets/img/language-tools/languagetool-dark.svg#only-dark){ .twemoji loading=lazy } [LanguageTool](language-tools.md#languagetool) +- ![LibreTranslate logo](assets/img/language-tools/libretranslate.png){ .twemoji } [LibreTranslate](language-tools.md#libretranslate) + +
+ +[Learn more :material-arrow-right-drop-circle:](language-tools.md) + +### Maps and Navigation Apps + +
+ +- ![Organic Maps logo](assets/img/maps/organic-maps.svg){ .twemoji loading=lazy } [Organic Maps](maps.md#organic-maps) +- ![OsmAnd logo](assets/img/maps/osmand.svg){ .twemoji loading=lazy } [OsmAnd](maps.md#osmand) + +
+ +[Learn more :material-arrow-right-drop-circle:](maps.md) + +### Multi-Factor Authentication Tools + +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. + +
+ +- ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.svg){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji loading=lazy } [Akregator](news-aggregators.md#akregator) +- ![NewsFlash logo](assets/img/news-aggregators/newsflash.png){ .twemoji loading=lazy } [NewsFlash](news-aggregators.md#newsflash) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder (Android)](news-aggregators.md#feeder) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji loading=lazy }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji loading=lazy } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji loading=lazy } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji loading=lazy } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji loading=lazy } [Standard Notes](notebooks.md#standard-notes) +- ![Notesnook logo](assets/img/notebooks/notesnook.svg){ .twemoji loading=lazy } [Notesnook](notebooks.md#notesnook) +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji loading=lazy } [Joplin](notebooks.md#joplin) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji loading=lazy }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji loading=lazy } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji loading=lazy } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Office Suites + +
+ +- ![LibreOffice logo](assets/img/office-suites/libreoffice.svg){ .twemoji loading=lazy } [LibreOffice](office-suites.md#libreoffice) +- ![OnlyOffice logo](assets/img/office-suites/onlyoffice.svg){ .twemoji loading=lazy } [OnlyOffice](office-suites.md#onlyoffice) + +
+ +[Learn more :material-arrow-right-drop-circle:](office-suites.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji loading=lazy } [Bitwarden](passwords.md#bitwarden) +- ![Proton Pass logo](assets/img/password-management/protonpass.svg){ .twemoji loading=lazy } [Proton Pass](passwords.md#proton-pass) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji loading=lazy } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji loading=lazy } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji loading=lazy } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji loading=lazy } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![KeePassium logo](assets/img/password-management/keepassium.svg){ .twemoji loading=lazy } [KeePassium (iOS & macOS)](passwords.md#keepassium-ios-macos) +- ![Gopass logo](assets/img/password-management/gopass.svg){ .twemoji loading=lazy } [Gopass (CLI)](passwords.md#gopass-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Pastebins + +
+ +- ![PrivateBin logo](assets/img/pastebins/privatebin.svg){ .twemoji loading=lazy } [PrivateBin](pastebins.md#privatebin) +- ![Paaster logo](assets/img/pastebins/paaster.svg){ .twemoji loading=lazy } [Paaster](pastebins.md#paaster) + +
+ +[Learn more :material-arrow-right-drop-circle:](pastebins.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji loading=lazy } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji loading=lazy } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji loading=lazy } [SimpleX Chat](real-time-communication.md#simplex-chat) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Social Networks + +
+ +- ![Mastodon logo](assets/img/social-networks/mastodon.svg){ .twemoji loading=lazy } [Mastodon](social-networks.md#mastodon) +- ![Element logo](assets/img/social-networks/element.svg){ .twemoji loading=lazy } [Element](social-networks.md#element) + +
+ +[Learn more :material-arrow-right-drop-circle:](social-networks.md) + +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + +### Mobile Phones + +
+ +- ![Google Pixel 6](assets/img/android/google-pixel.png){ .twemoji loading=lazy } [Google Pixel](mobile-phones.md#google-pixel) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-phones.md) + +## Operating Systems + +### Mobile + +#### Custom Android Operating Systems + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji loading=lazy }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji loading=lazy } [GrapheneOS](android/distributions.md#grapheneos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android/distributions.md) + +#### Android Apps + +
+ +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji loading=lazy } [Shelter (Work Profiles)](android/general-apps.md#shelter) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji loading=lazy }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji loading=lazy } [Secure Camera](android/general-apps.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji loading=lazy }![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji loading=lazy } [Secure PDF Viewer](android/general-apps.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android/general-apps.md) + +#### Ways to Obtain Android Apps + +
+ +- ![Obtainium logo](assets/img/android/obtainium.svg){ .twemoji loading=lazy } [Obtainium (App Manager)](android/obtaining-apps.md#obtainium) +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji loading=lazy } [Aurora Store (Google Play Client)](android/obtaining-apps.md#aurora-store) + +
+ +[Learn more :material-arrow-right-drop-circle:](android/obtaining-apps.md) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji loading=lazy } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora.svg){ .twemoji loading=lazy } [Fedora Linux](desktop.md#fedora-linux) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji loading=lazy } [openSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji loading=lazy } [Arch Linux](desktop.md#arch-linux) +- ![Fedora logo](assets/img/linux-desktop/fedora.svg){ .twemoji loading=lazy } [Fedora Atomic Desktops](desktop.md#fedora-atomic-desktops) +- ![NixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji loading=lazy } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji loading=lazy } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji loading=lazy } [Tails (Live Boot)](desktop.md#tails) +- ![Secureblue logo](assets/img/linux-desktop/secureblue.svg){ .twemoji loading=lazy } [Secureblue](desktop.md#secureblue) +- ![Kicksecure logo](assets/img/linux-desktop/kicksecure.svg){ .twemoji loading=lazy } [Kicksecure](desktop.md#kicksecure) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji loading=lazy }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji loading=lazy } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji loading=lazy } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Advanced Tools + +These tools may provide utility for certain individuals. They provide functionality which most people do not need to worry about, and often require more in-depth technical knowledge to utilize effectively. + +### Alternative Networks + +
+ +- ![I2P logo](assets/img/self-contained-networks/i2p.svg#only-light){ .twemoji loading=lazy } ![I2P logo](assets/img/self-contained-networks/i2p-dark.svg#only-dark){ .twemoji loading=lazy } [I2P](alternative-networks.md#i2p-the-invisible-internet-project) +- ![Tor logo](assets/img/self-contained-networks/tor.svg){ .twemoji loading=lazy } [Tor](alternative-networks.md#tor) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji loading=lazy } [Orbot (Mobile Tor Proxy)](alternative-networks.md#orbot) +- ![Snowflake logo](assets/img/self-contained-networks/snowflake.svg#only-light){ .twemoji loading=lazy }![Snowflake logo](assets/img/self-contained-networks/snowflake-dark.svg#only-dark){ .twemoji loading=lazy } [Snowflake](alternative-networks.md#snowflake) + +
+ +[Learn more :material-arrow-right-drop-circle:](alternative-networks.md) + +### Device Integrity Verification + +
+ +- ![MVT logo](assets/img/device-integrity/mvt.webp#only-light){ .twemoji loading=lazy }![MVT logo](assets/img/device-integrity/mvt-dark.png#only-dark){ .twemoji loading=lazy } [Mobile Verification Toolkit](device-integrity.md#mobile-verification-toolkit) +- ![iMazing logo](assets/img/device-integrity/imazing.png){ .twemoji loading=lazy } [iMazing (iOS)](device-integrity.md#imazing-ios) +- ![Auditor logo](assets/img/device-integrity/auditor.svg#only-light){ .twemoji loading=lazy }![Auditor logo](assets/img/device-integrity/auditor-dark.svg#only-dark){ .twemoji loading=lazy } [Auditor (Android)](device-integrity.md#auditor-android) + +
+ +[Learn more :material-arrow-right-drop-circle:](device-integrity.md) diff --git a/i18n/fi/tor.md b/i18n/fi/tor.md new file mode 100644 index 00000000..dfe335cf --- /dev/null +++ b/i18n/fi/tor.md @@ -0,0 +1,114 @@ +--- +meta_title: "Tor Browser and Network: Anonymous Web Browsing - Privacy Guides" +title: "Tor Browser" +icon: simple/torbrowser +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +cover: tor.webp +schema: + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Tor Browser + image: /assets/img/browsers/tor.svg + url: https://torproject.org + sameAs: https://en.wikipedia.org/wiki/Tor_(network) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + - Android + subjectOf: + "@type": WebPage + url: "./" +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} +- [:material-eye-outline: Mass Surveillance](basics/common-threats.md#mass-surveillance-programs ""){.pg-blue} +- [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship ""){.pg-blue-gray} + +**Tor** is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button.md-button--primary} [:material-movie-open-play-outline: Video: Why You Need Tor](https://www.privacyguides.org/videos/2025/03/02/why-you-need-tor ""){.md-button} + +
+

Tip

+ +Before connecting to Tor, please ensure you've read our [overview](advanced/tor-overview.md) on what Tor is and how to connect to it safely. We often recommend connecting to Tor through a trusted [VPN provider](vpn.md), but you have to do so **properly** to avoid decreasing your anonymity. + +
+ +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for [:material-incognito: anonymous](basics/common-threats.md#anonymity-vs-privacy ""){.pg-purple} browsing for desktop computers and Android. + +Some of these apps are better than others; making a determination comes down to your threat model. If you are a casual Tor user who is not worried about your ISP collecting evidence against you, using mobile browser apps like [Onion Browser](#onion-browser-ios) to access the Tor network is probably fine. Increasing the number of people who use Tor on an everyday basis helps reduce the bad stigma of Tor, and lowers the quality of "lists of Tor users" that ISPs and governments may compile. + +If more complete anonymity is paramount to your situation, you should **only** be using the desktop Tor Browser client, ideally in a [Whonix](desktop.md#whonix) + [Qubes](desktop.md#qubes-os) configuration. Mobile browsers are less common on Tor (and more fingerprintable as a result), and other configurations are not as rigorously tested against deanonymization. + +## Tor Browser + +
+ +![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + +**Tor Browser** is the top choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + +[:octicons-home-16: Homepage](https://torproject.org){ .md-button .md-button--primary } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org){ .card-link title="Documentation" } +[:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/tor-browser){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) +- [:simple-android: Android](https://torproject.org/download/#android) +- [:fontawesome-brands-windows: Windows](https://torproject.org/download) +- [:simple-apple: macOS](https://torproject.org/download) +- [:simple-linux: Linux](https://torproject.org/download) + +
+ +
+ +
+

Danger

+ +You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +
+ +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings). When modifying the security level setting, you **must** always restart the browser before continuing to use it. Otherwise, [the security settings may not be fully applied](https://www.privacyguides.org/articles/2025/05/02/tor-security-slider-flaw), putting you at a higher risk of fingerprinting and exploits than you may expect based on the setting chosen. + +In addition to installing Tor Browser on your computer directly, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser alone. + +## Onion Browser (iOS) + +
+ +![Onion Browser logo](assets/img/self-contained-networks/onion_browser.svg){ align=right } + +**Onion Browser** is an open-source browser that lets you browse the web anonymously over the Tor network on iOS devices and is endorsed by the [Tor Project](https://support.torproject.org/glossary/onion-browser). + +[:material-star-box: Read our latest Onion Browser review.](https://www.privacyguides.org/articles/2024/09/18/onion-browser-review) + +[:octicons-home-16: Homepage](https://onionbrowser.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://onionbrowser.com/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://onionbrowser.com/faqs){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/OnionBrowser/OnionBrowser){ .card-link title="Source Code" } +[:octicons-heart-16:](https://onionbrowser.com/donate){ .card-link title="Contribute" } + +
+Downloads + +- [:simple-appstore: App Store](https://apps.apple.com/app/id519296448) + +
+ +
+ +Onion Browser does not provide the same levels of privacy protections as Tor Browser does on desktop platforms. For casual use it is a perfectly fine way to access hidden services, but if you're concerned about being traced or monitored by advanced adversaries you should not rely on this as an anonymity tool. + +[Notably](https://github.com/privacyguides/privacyguides.org/issues/2929), Onion Browser does not *guarantee* all requests go through Tor. When using the built-in version of Tor, [your real IP **will** be leaked via WebRTC and audio/video streams](https://onionbrowser.com/faqs) due to limitations of WebKit. It is *safer* to use Onion Browser alongside [Orbot](alternative-networks.md#orbot), but this still comes with some limitations on iOS. diff --git a/i18n/fi/vpn.md b/i18n/fi/vpn.md new file mode 100644 index 00000000..f76b8b87 --- /dev/null +++ b/i18n/fi/vpn.md @@ -0,0 +1,392 @@ +--- +meta_title: "Private VPN Service Recommendations and Comparison, No Sponsors or Ads - Privacy Guides" +title: VPN Services +icon: material/vpn +description: The best VPN services for protecting your privacy and security online. Find a provider here that isn't out to spy on you. +cover: vpn.webp +global: + - + - randomize-element + - "table tbody" +--- + +Protects against the following threat(s): + +- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model ""){.pg-brown} + +If you're looking for additional *privacy* from your ISP, on a public Wi-Fi network, or while torrenting files, a **VPN** may be the solution for you. + +
+

VPNs do not provide anonymity

+ +Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + +If you are looking for **anonymity**, you should use the Tor Browser. If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + +[Introduction to the Tor Browser](tor.md#tor-browser){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +
+ +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +| Provider | Countries | WireGuard | Port Forwarding | IPv6 | Anonymous Payments | +| --------------------- | --------- | ----------------------------- | ------------------------------------------------------ | ---------------------------------------------------------- | ---------------------------- | +| [Proton](#proton-vpn) | 127+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } Partial Support | :material-information-outline:{ .pg-blue } Limited Support | Cash Monero via third party | +| [IVPN](#ivpn) | 41+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } | :material-information-outline:{ .pg-blue } Outgoing Only | Monero Cash | +| [Mullvad](#mullvad) | 49+ | :material-check:{ .pg-green } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero Cash | + +### Proton VPN + +
+ +![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + +**Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + +[:octicons-home-16: Homepage](https://protonvpn.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://protonvpn.com/support){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1437005085) +- [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) +- [:fontawesome-brands-windows: Windows](https://protonvpn.com/download-windows) +- [:simple-apple: macOS](https://protonvpn.com/download-macos) +- [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup) + +
+ +
+ +#### :material-check:{ .pg-green } 127 Countries + +Proton VPN has [servers in 127 countries](https://protonvpn.com/vpn-servers)(1) or [10](https://protonvpn.com/support/how-to-create-free-vpn-account) if you use their [free plan](https://protonvpn.com/blog/product-roadmap-winter-2025-2026).(2) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Of which at least 71 are virtual servers, meaning your IP will appear from the country but the server is in another. 12 more locations have both hardware and virtual servers. [Source](https://protonvpn.com/support/how-smart-routing-works) +2. Last checked: 2025-10-28 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Independent security researcher Ruben Santamarta conducted audits for Proton VPN's [browser extensions](https://drive.proton.me/urls/RWDD2SHT98#v7ZrwNcafkG8) and [apps](https://drive.proton.me/urls/RVW8TXG484#uTXX5Fc9GADo) in September 2024 and January 2025, respectively. Proton VPN's infrastrcture has undergone [annual audits](https://protonvpn.com/blog/no-logs-audit) by Securitum since 2022. + +Previously, Proton VPN underwent an independent audit by SEC Consult in January 2020. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. 
You can view individual reports for each platform in their dedicated [blog post](https://web.archive.org/web/20250307041036/https://protonvpn.com/blog/open-source) on the audit. + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. You can also use [**Monero**](cryptocurrency.md#monero) to purchase vouchers for Proton VPN Plus and Proton Unlimited via their [official](https://discuss.privacyguides.net/t/add-monero-as-an-anonymous-payment-method-for-proton-services/31058/15) reseller [ProxyStore](https://dys2p.com/en/2025-09-09-proton.html). + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN supports the WireGuard® protocol. [WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard) the use of WireGuard with their service. Proton VPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://wireguard.com/install). + +#### :material-alert-outline:{ .pg-orange } Limited IPv6 Support + +Proton [now supports IPv6](https://protonvpn.com/support/prevent-ipv6-vpn-leaks) in their browser extension and Linux client, but only 80% of their servers are IPv6-compatible. 
On other platforms, the Proton VPN client will block all outgoing IPv6 traffic, so you don't have to worry about your IPv6 address being leaked, but you will not be able to connect to any IPv6-only sites, nor will you be able to connect to Proton VPN from an IPv6-only network. + +#### :material-information-outline:{ .pg-info } Remote Port Forwarding + +Proton VPN currently only supports ephemeral remote [port forwarding](https://protonvpn.com/support/port-forwarding) via NAT-PMP, with 60 second lease times. The official Windows and Linux apps provide an easy-to-access option for it, while on other operating systems you'll need to run your own [NAT-PMP client](https://protonvpn.com/support/port-forwarding-manual-setup). Torrent applications often support NAT-PMP natively. + +#### :material-information-outline:{ .pg-blue } Anti-Censorship + +Proton VPN has their [Stealth](https://protonvpn.com/blog/stealth-vpn-protocol) protocol which *may* help in situations where VPN protocols like OpenVPN or WireGuard are blocked with various rudimentary techniques. Stealth encapsulates the VPN tunnel in TLS session in order to look like more generic internet traffic. + +Unfortunately, it does not work very well in countries where sophisticated filters that analyze all outgoing traffic in an attempt to discover encrypted tunnels are deployed. Stealth is available on Android, iOS, Windows, and macOS, but it's not yet available on Linux. + +#### :material-check:{ .pg-green } Mobile Clients + +Proton VPN has published [App Store](https://apps.apple.com/app/id1437005085) and [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/ProtonVPN/android-app/releases). + +
+

How to opt out of sharing telemetry

+ +On Android, Proton hides telemetry settings under the misleadingly labeled "**Help us fight censorship**" menu in the settings panel. On other platforms these settings can be found under the "**Usage statistics**" menu. + +We are noting this because while we don't necessarily recommend against sharing anonymous usage statistics with developers, it is important that these settings are easily found and clearly labeled. + +
+ +#### :material-information-outline:{ .pg-blue } Additional Notes + +Proton VPN clients support two-factor authentication on all platforms. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer content blocking and known-malware blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](tor.md#tor-browser) for this purpose. + +##### :material-alert-outline:{ .pg-orange } Kill switch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch) on Intel-based Macs when using the VPN kill switch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +### IVPN + +
+ +![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + +**IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar and does not offer a free trial. + +[:octicons-home-16: Homepage](https://ivpn.net){ .md-button .md-button--primary } +[:octicons-eye-16:](https://ivpn.net/privacy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://ivpn.net/knowledgebase/general){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1193122683) +- [:octicons-moon-16: Accrescent](https://accrescent.app/app/net.ivpn.client) +- [:simple-github: GitHub](https://github.com/ivpn/android-app/releases) +- [:fontawesome-brands-windows: Windows](https://ivpn.net/apps-windows) +- [:simple-apple: macOS](https://ivpn.net/apps-macos) +- [:simple-linux: Linux](https://ivpn.net/apps-linux) + +
+ +
+ +#### :material-check:{ .pg-green } 41 Countries + +IVPN has [servers in 41 countries](https://ivpn.net/status).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2025-10-28 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has had multiple [independent audits](https://ivpn.net/en/blog/tags/audit) since 2019 and has publicly announced their commitment to [annual security audits](https://ivpn.net/blog/ivpn-apps-security-audit-concluded). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open source](https://ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. You can also purchase [prepaid cards](https://ivpn.net/knowledgebase/billing/voucher-cards-faq) with redeem codes. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant. 
+ +IVPN [recommends](https://ivpn.net/wireguard) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://wireguard.com/install). + +#### :material-information-outline:{ .pg-blue } IPv6 Support + +IVPN allows you to [connect to services using IPv6](https://ivpn.net/knowledgebase/general/do-you-support-ipv6) but doesn't allow you to connect from a device using an IPv6 address. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +IVPN previously supported port forwarding, but removed the option in [June 2023](https://ivpn.net/blog/gradual-removal-of-port-forwarding). Missing this feature could negatively impact certain applications, especially peer-to-peer applications like torrent clients. + +#### :material-check:{ .pg-green } Anti-Censorship + +IVPN has obfuscation modes using [V2Ray](https://v2ray.com/en/index) which helps in situations where VPN protocols like OpenVPN or WireGuard are blocked. It has two modes where it can use [VMess](https://guide.v2fly.org/en_US/basics/vmess) over QUIC or TCP connections. QUIC is a modern protocol with better congestion control and therefore may be faster with reduced latency. The TCP mode makes your data appear as regular HTTP traffic. + +#### :material-check:{ .pg-green } Mobile Clients + +IVPN has published [App Store](https://apps.apple.com/app/id1193122683) and [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/ivpn/android-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Notes + +IVPN clients support two-factor authentication. 
IVPN also provides "[AntiTracker](https://ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +
+ +![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + +**Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since 2009. Mullvad is based in Sweden and offers a 14-day money-back guarantee for [payment methods](https://mullvad.net/en/help/refunds) that allow it. + +[:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } +[:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } +[:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://mullvad.net/en/help){ .card-link title="Documentation" } +[:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + +
+Downloads + +- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) +- [:simple-appstore: App Store](https://apps.apple.com/app/id1488466513) +- [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) +- [:fontawesome-brands-windows: Windows](https://mullvad.net/en/download/windows) +- [:simple-apple: macOS](https://mullvad.net/en/download/macos) +- [:simple-linux: Linux](https://mullvad.net/en/download/linux) + +
+ +
+ +#### :material-check:{ .pg-green } 49 Countries + +Mullvad has [servers in 49 countries](https://mullvad.net/servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2025-10-28 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad has had multiple [independent audits](https://mullvad.net/en/blog/tag/audits) and has publicly announced their endeavors to conduct [annual audits](https://mullvad.net/en/blog/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit) of their apps and infrastructure. + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. You can also purchase [prepaid cards](https://mullvad.net/en/help/partnerships-and-resellers) with redeem codes. Mullvad also accepts Swish and bank wire transfers, as well as a few European payment systems. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://wireguard.com/protocol). Additionally, WireGuard aims to be simpler and more performant. 
+ +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard) the use of WireGuard with their service. It is the only protocol supported on their mobile apps, and their desktop apps will [lose OpenVPN support](https://mullvad.net/en/blog/reminder-that-openvpn-is-being-removed) in 2025. Additionally, their servers will stop accepting OpenVPN connections by January 15, 2026. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://wireguard.com/install). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support) and connect from a device using an IPv6 address. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Mullvad previously supported port forwarding, but removed the option in [May 2023](https://mullvad.net/en/blog/2023/5/29/removing-the-support-for-forwarded-ports). Missing this feature could negatively impact certain applications, especially peer-to-peer applications like torrent clients. + +#### :material-check:{ .pg-green } Anti-Censorship + +Mullvad offers several features to help bypass censorship and access the internet freely: + +- **Obfuscation modes**: Mullvad has two built-in obfuscation modes: "UDP-over-TCP" and ["WireGuard over Shadowsocks"](https://mullvad.net/en/blog/introducing-shadowsocks-obfuscation-for-wireguard). These modes disguise your VPN traffic as regular web traffic, making it harder for censors to detect and block. Supposedly, China has to use a [new method to disrupt Shadowsocks-routed traffic](https://gfw.report/publications/usenixsecurity23/en). +- **Advanced obfuscation with Shadowsocks and v2ray**: For more advanced users, Mullvad provides a guide on how to use the [Shadowsocks with v2ray](https://mullvad.net/en/help/shadowsocks-with-v2ray) plugin with Mullvad clients. This setup provides an additional layer of obfuscation and encryption. 
+- **Custom server IPs**: To counter IP-blocking, you can request custom server IPs from Mullvad's support team. Once you receive the custom IPs, you can input the text file in the "Server IP override" settings, which will override the chosen server IP addresses with ones that aren't known to the censor. +- **Bridges and proxies**: Mullvad also allows you to use bridges or proxies to reach their API (needed for authentication), which can help bypass censorship attempts that block access to the API itself. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Notes + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers). They also provide the option to enable Defense Against AI-guided Traffic Analysis ([DAITA](https://mullvad.net/en/blog/daita-defense-against-ai-guided-traffic-analysis)) in their apps. DAITA protects against the threat of advanced traffic analysis which can be used to connect patterns in VPN traffic with specific websites. + +## Criteria + +
+

Danger

+ +It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +
+ +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide standard configuration files which can be used in a generic, open-source client. **If** a VPN provides their own custom client, we require a kill switch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard. +- Kill switch built in to clients. +- Multi-hop support. Multi-hopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what the program is actually doing. +- Censorship resistance features designed to bypass firewalls without DPI. + +**Best Case:** + +- Kill switch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- [IPv6](https://en.wikipedia.org/wiki/IPv6) support. We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. 
+- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). +- Obfuscation technology which camouflages the true nature of internet traffic, designed to circumvent advanced internet censorship methods like DPI. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (auto-generated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Forward Secrecy. +- Published security audits from a reputable third-party firm. +- VPN servers that use full-disk encryption or are RAM-only. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Optional quantum-resistant encryption. +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- RAM-only VPN servers. 
+ +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. +- Company based in a jurisdiction where it cannot be forced to do secret logging. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. 
+- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include content blocking functionality, warrant canaries, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/includes/abbreviations.fi.txt b/includes/abbreviations.fi.txt new file mode 100644 index 00000000..fa7cc368 --- /dev/null +++ b/includes/abbreviations.fi.txt 
@@ -0,0 +1,113 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[dark pattern]: A deceptive design pattern intended to trick a user into doing things +*[digital legacy feature]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[DPA]: Data Protection Authority +*[DPI]: Deep Packet Inspection identifies and blocks packet with specific payloads +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[FS]: Forward Secrecy +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol 
+*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LLaVA]: Large Language and Vision Assistant (multimodal AI model) +*[LLMs]: Large Language Models (AI models such as ChatGPT) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NAT]: Network address translation +*[NAT-PMP]: NAT Port Mapping Protocol +*[NTP]: Network Time Protocol +*[Nunavut]: The largest and northernmost territory of Canada +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[open-weights]: An open weights-model is an AI model that anyone can download and use, but for which the underlying training data and/or algorithms are proprietary. +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[QUIC]: A network protocol based on UDP, but aiming to combine the speed of UDP with the reliability of TCP. +*[rate limits]: Rate limits are restrictions that a service imposes on the number of times a user can access their services within a specified period of time. 
+*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[system prompt]: The system prompt of an AI chat is the general instructions given by a human to guide how it should operate. +*[temperature]: AI temperature is a parameter used in AI models to control the level of randomness and creativity in the generated text. +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VLAN]: Virtual Local Area Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App +*[PWAs]: Progressive Web Apps +*[WKD]: Web Key Directory diff --git a/includes/strings.fi.env b/includes/strings.fi.env new file mode 100644 index 00000000..50ee25c4 --- /dev/null +++ b/includes/strings.fi.env 
@@ -0,0 +1,63 @@ +ANALYTICS_FEEDBACK_NEGATIVE_NAME="This page could be improved" +ANALYTICS_FEEDBACK_NEGATIVE_NOTE="Thanks for your feedback! If you want to let us know more, please leave a post on our forum." +ANALYTICS_FEEDBACK_POSITIVE_NAME="This page was helpful" +ANALYTICS_FEEDBACK_POSITIVE_NOTE="Thanks for your feedback!" +ANALYTICS_FEEDBACK_TITLE="Was this page helpful?" +DESCRIPTION_HOMEPAGE="A socially motivated website which provides information about protecting your online data privacy and security." +FOOTER_COPYRIGHT_AUTHOR="Privacy Guides and contributors." +FOOTER_INTRO="Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy." +FOOTER_NOTE="We do not make money from recommending certain products, and we do not use affiliate links." +FOOTER_PRIVACY_NOTICE="Privacy notice." +HOMEPAGE_CTA_DESCRIPTION="It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know." +HOMEPAGE_DESCRIPTION="A socially motivated website which provides information about protecting your online data privacy and security." 
+HOMEPAGE_RSS_CHANGELOG_LINK="https://discuss.privacyguides.net/c/site-development/changelog/9.rss" +HOMEPAGE_RSS_CHANGELOG_TITLE="Privacy Guides release changelog" +HOMEPAGE_RSS_BLOG_LINK="https://www.privacyguides.org/articles/feed_rss_created.xml" +HOMEPAGE_RSS_BLOG_TITLE="Privacy Guides blog feed" +HOMEPAGE_RSS_FORUM_LINK="https://discuss.privacyguides.net/latest.rss" +HOMEPAGE_RSS_FORUM_TITLE="Latest Privacy Guides forum topics" +HOMEPAGE_HEADER="The collaborative privacy advocacy community." +HOMEPAGE_SUBHEADER="Privacy Guides is a not-for-profit, volunteer-run project that hosts online communities and publishes news and recommendations surrounding privacy and security tools, services, and knowledge." +HOMEPAGE_BUTTON_GET_STARTED_NAME="Start Your Privacy Journey" +HOMEPAGE_BUTTON_GET_STARTED_TITLE="The first step of your privacy journey" +HOMEPAGE_BUTTON_TOOLS_NAME="Recommended Tools" +HOMEPAGE_BUTTON_TOOLS_TITLE="Recommended privacy tools, services, and knowledge" +NAV_ABOUT="About" +NAV_ABOUT_POLICIES="Policies" +NAV_ABOUT_TEAM_MEMBERS="Team Members" +NAV_ADVANCED="Advanced" +NAV_ADVANCED_TOPICS="Advanced Topics" +NAV_BLOG="Articles" +NAV_CODE_OF_CONDUCT="Code of Conduct" +NAV_COMMUNITY="Community" +NAV_CONTRIBUTING="Contributing" +NAV_FORUM="Forum" +NAV_FORUM_LINK="https://discuss.privacyguides.net/" +NAV_HOME="Home" +NAV_INTERNET_BROWSING="Internet Browsing" +NAV_KNOWLEDGE_BASE="Knowledge Base" +NAV_NEWS="News" +NAV_ONLINE_SERVICES="Online Services" +NAV_OPERATING_SYSTEMS="Operating Systems" +NAV_PROVIDERS="Providers" +NAV_RECOMMENDATIONS="Recommendations" +NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" +NAV_TECHNICAL_GUIDES="Technical Guides" +NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" +NAV_VIDEOS="Videos" +NAV_WRITING_GUIDE="Writing Guide" +SITE_DESCRIPTION="Privacy Guides is your central privacy and security resource to protect yourself online." 
+SITE_LANGUAGE="English" +SITE_LANGUAGE_ENGLISH="English" +SITE_NAME="Privacy Guides" +SOCIAL_FORUM="Forum" +SOCIAL_GITHUB="GitHub" +SOCIAL_MASTODON="Mastodon" +SOCIAL_MATRIX="Matrix" +SOCIAL_TOR_SITE="Hidden service" +THEME_AUTO="Switch to system theme" +THEME_DARK="Switch to dark mode" +THEME_LIGHT="Switch to light mode" +TRANSLATION_NOTICE="You're viewing the $SITE_LANGUAGE copy of Privacy Guides, translated by our fantastic language team on Crowdin. If you notice an error, or see any untranslated sections on this page, please consider helping out!" +TRANSLATION_NOTICE_CTA="Visit Crowdin"
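Review bot: In the Criteria section of the VPN page, the Security "Minimum to Qualify" item defines strong encryption only in OpenVPN terms ("OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption"), and the matching "Best Case" item is just "Strongest Encryption: RSA-4096". The same hunk names WireGuard as the example of a strong protocol under Technology, says WireGuard is the only protocol on Mullvad's mobile apps, and says Mullvad's servers will stop accepting OpenVPN connections by January 15, 2026. As written, the criterion cannot be checked against a provider that offers only WireGuard. Suggest stating the equivalent requirement for WireGuard or rewording the item so it is protocol-neutral. A smaller point in the same hunk: the Proton VPN "Remote Port Forwarding" heading uses { .pg-info } while the other informational headings use { .pg-blue }; please confirm that class is defined, or align it with the rest.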
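Review bot: In includes/abbreviations.fi.txt, the *[DPI] entry runs the expansion and a description together and is ungrammatical ("Deep Packet Inspection identifies and blocks packet with specific payloads"). The VPN criteria in this same patch lean on that tooltip for "bypass firewalls without DPI", so it should read cleanly, for example as the expansion followed by a separate clause with "packets" in the plural. Two more entries are worth a look while you are here: *[open-weights] says "An open weights-model", where the hyphen belongs between "open" and "weights", and *[MAC] is defined only as Media Access Control although *[HOTP] in the same file spells out Message Authentication Code, so text that uses MAC in the cryptographic sense may get the networking expansion. The last three entries (PWA, PWAs, WKD) are also appended out of the alphabetical order the rest of the file roughly follows.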
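Review bot: In includes/strings.fi.env, SITE_LANGUAGE is set to "English" in a file for the fi locale, and TRANSLATION_NOTICE interpolates $SITE_LANGUAGE, so the banner would read "You're viewing the English copy of Privacy Guides, translated by our fantastic language team on Crowdin". Even if the remaining strings are placeholders waiting for translation, SITE_LANGUAGE identifies the locale rather than being a sentence to translate, so it should carry the locale's own name from the first commit. Separately, DESCRIPTION_HOMEPAGE and HOMEPAGE_DESCRIPTION hold the identical string; please confirm both keys are actually consumed, and drop one if not.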