Update blog/posts/taking-advantage-of-android-user-profiles.md

Co-authored-by: redoomed1 <redoomed1@privacyguides.org>
Signed-off-by: Jonah Aragon <jonah@triplebit.net>

.all-contributorsrc

@@ -2986,6 +2986,26 @@
         "promotion",
         "question"
       ]
+    },
+    {
+      "login": "Spirizer",
+      "name": "Spirizer",
+      "avatar_url": "https://avatars.githubusercontent.com/u/51120100?v=4",
+      "profile": "https://github.com/Spirizer",
+      "contributions": [
+        "translation"
+      ]
+    },
+    {
+      "login": "jordbm",
+      "name": "jordbm",
+      "avatar_url": "https://avatars.githubusercontent.com/u/160433264?v=4",
+      "profile": "https://github.com/jordbm",
+      "contributions": [
+        "doc",
+        "maintenance",
+        "security"
+      ]
     }
   ],
   "contributorsPerLine": 5,

.vscode/ltex.dictionary.en-US.txt

@@ -554,3 +554,10 @@ MWEB
 Cyd
 Semiphemeral
 Dangerzone
+simple-activitypub
+ActivityPub
+pseudorandom
+Chaum
+unlinkability
+Kagi
+Secureblue

README.md

@@ -611,6 +611,8 @@ Privacy Guides wouldn't be possible without these wonderful people ([emoji key](
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/bruch-alex"><img src="https://avatars.githubusercontent.com/u/173354246?v=4" width="100px;" loading=lazy /><br /><sub><b>Alex Bruch</b></sub></a><br /><a href="#translation-bruch-alex" title="Translation">🌍</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/qiyongzheng"><img src="https://avatars.githubusercontent.com/u/153378707?v=4" width="100px;" loading=lazy /><br /><sub><b>qiyongzheng</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=qiyongzheng" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/hashcatHitman"><img src="https://avatars.githubusercontent.com/u/155700084?v=4" width="100px;" loading=lazy /><br /><sub><b>Sam K</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=hashcatHitman" title="Documentation">📖</a> <a href="#promotion-hashcatHitman" title="Promotion">📣</a> <a href="#question-hashcatHitman" title="Answering Questions">💬</a></td>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/Spirizer"><img src="https://avatars.githubusercontent.com/u/51120100?v=4" width="100px;" loading=lazy /><br /><sub><b>Spirizer</b></sub></a><br /><a href="#translation-Spirizer" title="Translation">🌍</a></td>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/jordbm"><img src="https://avatars.githubusercontent.com/u/160433264?v=4" width="100px;" loading=lazy /><br /><sub><b>jordbm</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=jordbm" title="Documentation">📖</a> <a href="#maintenance-jordbm" title="Maintenance">🚧</a> <a href="#security-jordbm" title="Security">🛡️</a></td>
     </tr>
   </tbody>
   <tfoot>

blog/.authors.yml

@@ -40,6 +40,13 @@ authors:
     name: fria
     description: Team Member
     avatar: https://github.com/friadev.png
+  jordan:
+    name: Jordan Warne
+    description: Video Producer
+    avatar: https://forum-cdn.privacyguides.net/user_avatar/discuss.privacyguides.net/jordan/288/7793_2.png
+    mastodon:
+      username: jw
+      instance: social.lol
   jonah:
     name: Jonah Aragon
     description: Project Director

blog/posts/encryption-is-not-a-crime.md

@@ -0,0 +1,183 @@
+---
+date:
+    created: 2025-04-11T16:00:00Z
+categories:
+    - Opinion
+authors:
+    - em
+description: Encryption is not a crime, encryption protects all of us. Encryption, and especially end-to-end encryption, is an essential tool to protect everyone online. Attempts to undermine encryption are an attack to our fundamental right to privacy and an attack to our inherent right to security and safety.
+schema_type: OpinionNewsArticle
+preview:
+  cover: blog/assets/images/encryption-is-not-a-crime/encryption-is-not-a-crime-cover.webp
+---
+# Encryption Is Not a Crime
+
+![Photo of a red key on an all black background.](../assets/images/encryption-is-not-a-crime/encryption-is-not-a-crime-cover.webp)
+
+<small aria-hidden="true">Photo: Matt Artz / Unsplash</small>
+
+Contrary to what some policymakers seem to believe, whether naively or maliciously, encryption is not a crime. Anyone asserting encryption is a tool for crime is either painfully misinformed or is attempting to manipulate legislators to gain oppressive power over the people.<!-- more -->
+
+Encryption is not a crime, encryption is a shield.
+
+Encryption is the digital tool that protects us against all sorts of attacks. It is the lock on your digital door preventing harmful intruders from entering your home. Encryption is also the door itself, protecting your privacy and intimacy from creepy eavesdroppers while you go about your life.
+
+It's not a crime to lock your home's door for protection, **why would it be a crime to lock your digital door?**
+
+[Encryption protects you](privacy-means-safety.md) from cyberattack, identity theft, discrimination, doxxing, stalking, sexual violence, physical harm, and much more.
+
+## Who says encryption is a crime
+
+Anyone who is well-informed will find it hard to believe someone could want to sabotage such fantastic protection.
+
+Yet, [year](https://www.wired.com/1993/02/crypto-rebels/) after [year](https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-to-heat-up/), oppressive regimes and lazy or greedy [law enforcement](https://www.techradar.com/computing/cyber-security/anonymity-is-not-a-fundamental-right-experts-disagree-with-europol-chiefs-request-for-encryption-back-door) entities around the world have attempted to [undermine encryption](https://www.howtogeek.com/544727/what-is-an-encryption-backdoor/) using the pretext this is needed to "solve crime", despite all the experts *repeatedly* warning on how [unnecessary](https://arstechnica.com/tech-policy/2019/08/post-snowden-tech-became-more-secure-but-is-govt-really-at-risk-of-going-dark/) and [dangerous](https://www.globalencryption.org/2020/11/breaking-encryption-myths/) this would be. And this is without accounting for all the countries where encryption is *already* [severely restricted](https://www.gp-digital.org/world-map-of-encryption/), such as Russia, China, India, Iran, Egypt, Cuba, and others.
+
+Whether breaking encryption is brought up naively by misinformed authorities, or as a disguised excuse for mass surveillance is up for debate.
+
+Nevertheless, the result is the same: An attempt to destroy **a tool we all need to stay safe**.
+
+## Encryption is a protective shield
+
+Encryption, moreover end-to-end encryption, is a tool we all use in our digital life to stay safe.
+
+In today's world, the boundary between online and offline life is largely dissolved. Almost everything we do "offline" has a record of it "online". Online life is regular life now. It's not just your browsing history.
+
+Your medical record from a visit at the clinic, your purchase transaction from a trip to the store, your travel photos saved in the cloud, your text conversations with your friends, family, and children, are all likely protected with encryption, perhaps even with *end-to-end* encryption.
+
+Such a large trove of personal data needs to be protected against eavesdropping and malicious attacks for everyone to stay safe.
+
+Encryption offers this protection. End-to-end encryption all the more.
+
+## What is end-to-end encryption, and what is the war against it
+
+End-to-end encryption is a type of encryption where only the intended recipient(s) have the ability to decrypt (read) the encrypted data.
+
+This means that if you send a message through [Signal](https://signal.org/) for example, only the participants to this conversation will be able to read the content of this conversation. Even Signal cannot know what is being discussed on Signal.
+
+This greatly annoys some over-controlling authorities who would like to be granted unlimited power to spy on anyone anytime they wish, for vaguely defined purposes that could change at any moment.
+
+End-to-end encryption can also mean a situation where you are "both ends" of the communication.
+
+For example, when enabling Apple's [Advanced Data Protection for iCloud](https://support.apple.com/en-ca/guide/security/sec973254c5f/web) (ADP), it activates end-to-end encryption protection for almost all of iCloud data, including photos. This means that even Apple could not see your photos, or be forced to share your photos with a governmental entity.
+
+Without ADP, Apple can read or share your photos (or other data) if they are legally compelled to, or if they feel like it. The same is true for Google's services, Microsoft's services, and any other online services that aren't end-to-end encrypted.
+
+This is at the root of the latest attack on encryption:
+
+In February this year, it was reported that [Apple was served with a notice](uk-forced-apple-to-remove-adp.md) from the UK's Home Office to force it to break ADP's end-to-end encryption. In response, Apple removed access to ADP from the UK entirely, making this protection unavailable to UK residents.
+
+Do not mistakenly think this attack is limited to the UK and Apple users, however. If this regulation notice or a similar one gets enforced, it would **impact the whole world.** Other countries would likely soon follow, and other services would likely soon get under attack as well.
+
+Moreover, do not feel unaffected just because you use end-to-end encryption with [Signal](https://www-svt-se.translate.goog/nyheter/inrikes/signal-lamnar-sverige-om-regeringens-forslag-pa-datalagring-klubbas?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp) or [Proton](https://www.techradar.com/vpn/vpn-privacy-security/secure-encryption-and-online-anonymity-are-now-at-risk-in-switzerland-heres-what-you-need-to-know) services instead of Apple, they are both **under attack** as well in this war.
+
+Just in recent years, the war against encryption has affected the [US](https://www.eff.org/deeplinks/2023/04/earn-it-bill-back-again-seeking-scan-our-messages-and-photos), the [UK](https://www.bbc.co.uk/news/articles/cgj54eq4vejo), [Sweden](https://www.globalencryption.org/2025/04/joint-letter-on-swedish-data-storage-and-access-to-electronic-information-legislation/), [France](https://www.laquadrature.net/en/warondrugslaw/), [Australia, New Zealand, Canada, India, Japan](https://www.theverge.com/2020/10/12/21513212/backdoor-encryption-access-us-canada-australia-new-zealand-uk-india-japan), and all the European Union countries with proposals such as [Chat Control](the-future-of-privacy.md/#chat-control-wants-to-break-end-to-end-encryption).
+
+## The arguments given to break encryption make no sense
+
+Authoritarian entities generally use the same populist excuses to justify their senseless demands. "Protecting the children" is always a fashionable disingenuous argument.
+
+Because no one would disagree that protecting the children is important, it is often used as an attempt to deceitfully make an irrefutable argument to justify breaking encryption.
+
+The problem is, **breaking encryption doesn't protect the children**, it [endangers](https://www.theguardian.com/technology/2022/jan/21/end-to-end-encryption-protects-children-says-uk-information-watchdog) them.
+
+When law enforcement officials claim they need to be able to read everyone's messages and see everyone's personal photos to be able to fight child predators, they seem to neglect that:
+
+- This means they will expose the children's messages, contact information, locations, and photos in the process, potentially *endangering the children further*.
+
+- Exposing everyone's data will make this data much more likely to be found and exploited by criminals, making *everyone* more vulnerable to attacks.
+
+- Predators will simply move to underground channels, [unbothered](https://www.schneier.com/blog/archives/2015/07/back_doors_wont.html).
+
+They use the same kind of deceptive argument trying to justify weakening the protections we have to supposedly catch "criminals" and "terrorists".
+
+Of course the exact definition of what is a "criminal" or a "terrorist" is always vague and subject to change. In the past, human rights activists and authoritarian regime dissidents have been labeled as such, climate change activists as well, LGBTQ+ people even in some countries. Maybe next year this label will include "DEI advocates", who knows where they draw the line and what can be considered a "criminal" worth spying on.
+
+You *cannot* remove everyone's right to privacy and protection from harm while pretending it is to protect them. No one who is well-informed and well-intended could possibly consider this a smart thing to do.
+
+**An attack on end-to-end encryption isn't an attack on criminals, it's an attack on all of us.**
+
+## Magical backdoor only for "the good guys" is a complete fantasy
+
+Let's say the strategy is akin to creating a MagicalKey that unlocks every door (a magical key because thinking encryption backdoors would only be used by "the good guys" is a great example of [magical thinking](https://www.britannica.com/science/magical-thinking)).
+
+Imagine, for the sake of this exercise, the MagicalLock for this MagicalKey is impossible to pick, and imagine only police officers have MagicalKeys. Let's say one thousand police officers each have a MagicalKey.
+
+They argue they need to be able to unlock anyone's door if they suspect a crime is happening inside. "It's for safety!"
+
+Overtime, let's say only 1% of the police officers accidentally lose their MagicalKey. This kind of things happen. Now 10 MagicalKeys are lost in the wild and could be used by anyone else, for any purposes, including crime.
+
+Then, let's say only 0.1% of police officers get corrupted by a crime gang. That's just one right? This corrupted "good guy" lets the gang create a double of the MagicalKey. Which crime gang wouldn't want a key that can magically open any door? They pay the police officer good money for this. It's an investment.
+
+Now, the gang creates doubles of the MagicalKey they have. They obfuscate its serial number, so it cannot be traced back to them. They use it subtly at first to avoid detection. They make sure they never leave traces behind, so victims have no idea their door got unlocked.
+
+During this time, they steal your data, they sell it, they use it to impersonate you, they use it to harm you and your loved ones.
+
+Then, another criminal figures out on their own how to emulate a MagicalKey without even having access to one. The criminal creates a reproducible mold for this Emulated-MagicalKey and sells it to other criminals on the criminal market. Now, the MagicalKey™️ is available to any criminals looking for it. Restrictions on the backdoor are off. **Your personal data is up for grabs.**
+
+This is what is going to happen if backdoors are implemented in end-to-end encryption. But don't worry they say, "it's only for the good guys!".
+
+At least, the criminals' data will also be up for grabs, right?
+
+Nope! The criminals knew about this, so they just started using different channels that weren't impacted. Criminals will have their privacy intact, they don't care about using illegal tools, but **your legal privacy protections will be gone**.
+
+*Backdoored* end-to-end encryption isn't end-to-end anymore, it's just open-ended encryption. This offers pretty much no protection at all.
+
+## Ignoring experts doesn't make facts disappear
+
+Where is the opposition to this? Where are the experts pushing against this nightmare? Everywhere.
+
+Thankfully, opposition has been strong, despite the relentless ignorance or malevolence from authoritarian authorities repeatedly pushing against encryption.
+
+Many people and groups have been fighting valiantly to defend our collective right to privacy and security. Countless experts have patiently taken the time to explain [again](https://signal.org/blog/uk-online-safety-bill/) and [again](https://www.globalencryption.org/2020/10/cdt-gpd-and-internet-society-reject-time-worn-argument-for-encryption-backdoors/) and [again](https://www.schneier.com/wp-content/uploads/2016/09/paper-keys-under-doormats-CSAIL.pdf) how an encryption backdoor only for "the good guys" is simply impossible.
+
+Weakening encryption to let "the good guys" enter, lets *anyone* enter, including criminals. There is no way around this.
+
+Seemingly ignoring warnings and advice from the most respected specialists in the field, authoritarian officials continue to push against encryption. So much so that it has become difficult to assume good intent misguided by ignorance at this point.
+
+Unfortunately, ignoring the experts or silencing the debate will not make the facts magically disappear.
+
+In an encouraging development this week, Apple [won a case](https://www.bbc.co.uk/news/articles/cvgn1lz3v4no) fighting an attempt from the UK Home Office to hide from the public details of their latest attack on encryption.
+
+This battle and all battles to protect our privacy rights, *must* be fought is broad daylight, for all to see and to support.
+
+## Fight for encryption rights everywhere you can
+
+The war against encryption isn't anything new, it has been happening for decades. However, the quantity of data, personal and sensitive data, that is collected, stored, and shared about us is much larger today. It is essential we use the proper tools to secure this information.
+
+This is what have changed, and what is making encryption and end-to-end encryption even more indispensable today.
+
+Mass surveillance will not keep us safe, it will endanger us further and damage our democracies and freedoms in irreparable ways.
+
+We must fight to keep our right to privacy, and use of strong end-to-end encryption to protect ourselves, our friends, our family, and yes also to protect the children.
+
+### How can you support the right to encryption?
+
+- [x] Use end-to-end encryption everywhere you can.
+
+- [x] Talk about the benefits of end-to-end encryption to everyone around you, especially your loved ones less knowledgeable about technology. Talk about how it is essential to protect everyone's data, including the children's.
+
+- [x] Use social media to promote the benefits of end-to-end encryption and post about how it protects us all.
+
+- [x] Write or call your government representatives to let them know you care about end-to-end encryption and are worried about dangerous backdoors or chat control proposals.
+
+- [x] Support organizations fighting for encryption, such as:
+
+    - [Global Encryption Coalition](https://www.globalencryption.org/)
+
+    - [Open Rights Group](https://www.openrightsgroup.org/campaign/save-encryption/)
+
+    - [Fight For The Future](https://www.makedmssafe.com/)
+
+    - [Signal app](https://signal.org/donate/)
+
+    - [Internet Society](https://www.internetsociety.org/open-letters/fix-the-take-it-down-act-to-protect-encryption/)
+
+    - [Electronic Frontier Foundation](https://www.eff.org/issues/end-end-encryption)
+
+    - [Privacy Guides](https://www.privacyguides.org/en/about/donate/) 💛
+
+Finally, have a look at our [recommendations](https://www.privacyguides.org/en/tools/) if you want to start using more tools protecting your privacy using end-to-end encryption.
+
+This is a long war, but the importance of it doesn't allow us to give up.
+
+We must continue fighting for the right to protect our data with end-to-end encryption, **we owe it to ourselves, our loved ones, and the future generations.**

blog/posts/hide-nothing.md

@@ -24,7 +24,7 @@ On the surface, this seems true to many people – but the reality is very diffe
 
 In the end it only convicted one person.
 
-Now, many have argued that stopping one terrorist might be worth giving up some security for, but [according](https://www.aclu.org/issues/national-security/privacy-and-surveillance/surveillance-under-patriot-act) to the ACLU, the conviction would have occurred without the Patriot Act.
+Now, many have argued that stopping one terrorist might be worth giving up some security for, but [according](https://web.archive.org/web/20230318132243/https://www.aclu.org/issues/national-security/privacy-and-surveillance/surveillance-under-patriot-act) to the ACLU, the conviction would have occurred without the Patriot Act.
 
 Many legal actions you take today could be deemed illegal by future laws or future government. In the US today there is discussion around the possibility of Roe v. Wade being overturned, allowing states to outlaw abortions. You may not currently feel the need to hide internet searches, menstrual cycle apps, or donations to women's health clinics today because it's not illegal, but tomorrow that information could be used against you.
 

blog/posts/privacy-pass.md

@@ -0,0 +1,245 @@
+---
+date:
+    created: 2025-04-21T17:30:00Z
+categories:
+    - Explainers
+authors:
+    - fria
+tags:
+    - Privacy Pass
+license: BY-SA
+schema_type: BackgroundNewsArticle
+description: |
+  Privacy Pass is a new way to privately authenticate with a service. Let's look at how it could change the way we use services.
+---
+# Privacy Pass: The New Protocol for Private Authentication
+
+![Cover photo of the Privacy Pass logo over a yellow background](../assets/images/privacy-pass/cover.webp)
+
+<small aria-hidden="true">Background Image: Thomas Ensley / Unsplash</small>
+
+Services that require authentication can correlate your activity on that service with your account, and that account is normally linked with payment information that could potentially link back to your real identity. With the Privacy Pass protocol, it doesn't have to be that way.<!-- more -->
+
+## History
+
+The story of Privacy Pass begins with a [paper](https://dl.acm.org/doi/pdf/10.1145/4372.4373) by David Chaum from 1985 (he actually has an earlier paper from [1982](https://chaum.com/wp-content/uploads/2022/02/chaum_dissertation.pdf), but I'll be referencing this one), in which he laments the ever-increasing data collection by companies and government agencies.
+
+It's funny that all the way back in 1985 he talks about the same issues we deal with today: persistent identifiers tied to our real identity for transactions, government IDs, etc.
+
+Chaum proposes three solutions to the state of affairs he describes.
+
+### Pseudorandom Identifiers
+
+Instead of persistent identifiers like we now have with our government IDs, credit cards, etc., Chaum suggests randomly generated identifiers. For example, you could have a one-time unique identifier for each transaction at a shop.
+
+For ongoing relationships such as a bank, you can use a single pseudorandom identifier for that organization that you use continuously.
+
+### Card Computers
+
+One of the more quaint ideas in the paper is the idea of a small "card computer" on which you would perform transactions. Chaum's theoretical device resembles "a credit-card-sized calculator, and [includes] a character display, keyboard, and a limited distance communication capability (like that of a television remote control)".
+
+Nowadays, we carry around credit-card sized computers like it's nothing. The secret "card number" he describes would probably be your device PIN or even biometric authentication, which are already used to authenticate transactions.
+
+We still haven't *quite* reached Chaum's vision yet in some areas. His idea is for these "card computers" to fully replace ATMs and checkout terminals in stores. Essentially, he wants all transactions to be online transactions, with something like Apple Pay or Google Pay on your device mediating the transaction and using your device PIN to prevent fraudulent transactions.
+Making all transactions online transactions is an interesting idea. I think most people can share in the frustration of dealing with checkout terminals, especially the self-checkout ones with cameras pointed at your face.
+
+We're still falling short in a major area though.
+
+> card computers could be purchased or constructed just like any other personal computer, and would have no secrets from or structures unmodifiable by their owners.
+
+Current smartphones are non-upgradeable by their owners and can't be built from scratch like a desktop computer can. They also contain lots of black-box proprietary code. Even a Google Pixel, the gold standard of Android smartphone freedom that allows you to install your own operating system securely, still suffers from the same pitfalls.
+
+### Cryptography
+
+How do we ensure the pseudonyms can't be linked together? We already use cryptography to protect our communications. Chaum presents ways to similarly protect unlinkability using cryptography:
+
+> Simple mathematical proofs show that, with appropriate use of the systems, even conspiracy of all organizations and tapping of all communication lines cannot yield enough information to link the pseudonyms-regardless of how clever the approach is or how much computation is expended.
+
+## Blind Signatures
+
+Digital signatures normally are used to ensure that something like a piece of software or a message comes from the original sender and hasn't been tampered with. You want to know who the signer is for this system to work.
+
+But what if the signer and the one sending a request are different? Say you have a membership to a hypothetical *PrivacyGuides+ subscription service*, and you want to authenticate with it, but don't want to identify yourself. That's where blind signatures come in.
+
+### How it Works
+
+You can imagine blind signatures like an envelope that's been wrapped in [carbon paper](https://en.wikipedia.org/wiki/Carbon_paper) with a window showing your pseudonym for that account, whether it be an account number, username, etc. They never see anything but the account identifier, or whatever they need to verify that you're a valid customer.
+The organization then signs it, indicating you're a valid customer, and you're allowed to access the service.
+
+Later, when you're presented with a request to authenticate as an active subscriber of PrivacyGuides+, you unwrap the envelope and discard it along with the carbon paper. You rewrap it in a new envelope with a window showing the signature and a different pseudonym, and the requester can then be sure that you're allowed to access PrivacyGuides+.
+
+![A diagram showing an envelope being wrapped in carbon paper, transferred to an organization, then passing over a boundary representing the unlinkability between the two transactions. Then the envelope is unwrapped, put in a new envelope with a window showing the signature from the previous organization, and presented to a different organization.](../assets/images/privacy-pass/blind-signatures.webp)
+
+<small aria-hidden="true">Illustration: [David Chaum](https://dl.acm.org/doi/pdf/10.1145/4372.4373)</small>
+
+This system relies on the same strong cryptography that tried and true systems use, with the difference being the unlinkability between the credential issuer and the credential receiver.
+
+## Problems
+
+Services that don't require an account or payment to use are great; you can use them with Tor, clear your browser history, whatever you need to do to keep your activity private.
+
+But logging into an account completely invalidates all of that. Every time you log in or authenticate with a service, you have to identify yourself as the same person, linking all your previous activity together. Increasingly, we're asked to provide personal information in order to be able to use certain websites or services.
+
+### Linkability
+
+As long as you're logged into an account with a service, all your previous and current activity can be linked together, along with any data you provided such as an email address, payment information, etc.
+
+### Data Collection
+
+A lot of websites and services want to — [or are forced to](https://en.wikipedia.org/wiki/Social_media_age_verification_laws_in_the_United_States) — filter out users below a certain age.
+
+We're starting to see a rise in extremely privacy-invasive age verification systems such as submitting a government ID when you want to access a website or invasive facial scans.
+
+### Blocking VPN and Tor Users
+
+Bots are a rampant problem for online services, leading them to sometimes block non-residential IP addresses such as those used for commercial VPNs and Tor.
+
+### CAPTCHAs
+
+When VPN and Tor users aren't blocked, they often have to deal with annoying [CAPTCHAs](http://www.captcha.net) that take up your precious time and use invasive [fingerprinting](https://developers.google.com/recaptcha/docs/v3).
+
+CAPTCHAs aren't even particularly good at detecting bots. With advances in AI, [bots can solve CAPTCHAs better than humans can](https://arxiv.org/pdf/2307.12108).
+
+## Privacy Pass
+
+Several blind signature-based solutions are in various states, some being implemented but not widely used, some being proposed browser APIs, and some being IETF standards.
+
+The landscape is very confusing right now, so I'll try to elucidate what I've found.
+
+[Privacy Pass](https://privacypass.github.io) started out as an attempt at a privacy-preserving way to bypass CAPTCHAs.
+
+It started out and is still an extension that can be installed on the [Chrome](https://chromewebstore.google.com/detail/silk-privacy-pass-client/ajhmfdgkijocedmfjonnpjfojldioehi) or [Firefox](https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/) extension store, but it's since expanded to become an [IETF standard](https://datatracker.ietf.org/wg/privacypass/about/).
+
+The Privacy Pass protocol has massively outgrown its original purpose. It's been updated to support multiple different schemes and purposes.
+
+There are three main roles that need to be played for the authentication mechanism to work. These can be filled by all the same party, by three separate parties, or any combination in between. You'll have increased privacy the more separation there is between each role, so ideally they should all be filled by different parties.
+
+### Origin
+
+The origin is the original website or service that's requesting a token for redemption. The client presents a valid token, or it must request more tokens.
+
+### Attester
+
+The attester is responsible for verifying something about the client. There are several ways it can achieve this, and it can use multiple at the same time if desired.
+
+#### CAPTCHA
+
+The attester can make the client solve a CAPTCHA to prove that it's not a bot. Not the most elegant solution but solving one CAPTCHA instead of multiple is preferable.
+
+#### Client State
+
+The attester can verify something about the client's state like the geographic location, whether the client has a valid account, or the number of issuance protocol invocations.
+
+#### Trusted Device
+
+If your client is running on hardware that's capable of producing device-level attestation, like a device with a secure element, then it can use that to verify that the device is trusted.
+
+For example, in Apple's Private Access Token implementation, they use certificates stored in the Secure Enclave and verify that your Apple account is in good standing.
+
+### Issuer
+
+The issuer is responsible for issuing tokens in response to requests from clients.
+
+The client presents tokens to the Origin once they're provided by the issuer.
+
+![diagram showing the structure of Private Access Tokens. The origin asks the client for a token, the client forwards the request to the attester which then forwards it to the issuer which then generates a token, sends it to the client which then sends it to the origin.](../assets/images/privacy-pass/private-access-tokens.webp)
+
+<small aria-hidden="true">Illustration: [Cloudflare](https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/)</small>
+
+The tokens need to identify which issuers are trusted.
+
+They can also be interactive or non-interactive. Interactive means that you need a fresh token based on the challenge, whereas a non-interactive token can be stored for later use.
+
+Tokens can also be constrained to one specific Origin, or they can be used across Origins.
+
+### Private State Tokens
+
+[Private State Tokens](https://developers.google.com/privacy-sandbox/protections/private-state-tokens) (PSTs) are a [proposed browser API](https://github.com/WICG/trust-token-api) by Google as part of their [Privacy Sandbox](https://developers.google.com/privacy-sandbox). They're based on the Privacy Pass protocol.
+
+The main benefit of PSTs is that they provide a secure place for websites to store their tokens so that you don't need a separate extension for every service.
+
+A browser-level API, I imagine, would significantly reduce the development burden of browser-based services looking to implement Privacy Pass, but it would leave non-browser apps like VPNs high and dry.
+
+### Private Access Tokens
+
+[Private Access Tokens](https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/) are based on Privacy Pass as well, but they don't seem to be specifically bound to the browser.
+
+It's unclear to me what really makes Private Access Tokens different from Privacy Pass itself, other than that Private Access Tokens seem to call for separation of the Attester and Issuer while Privacy Pass allows the origin, attester, and issuer to be the same. Delegating each role to a different party adds extra privacy.
+
+The origin website only knows your URL and IP from the initial connection.
+
+The attester only knows the data needed to verify you as a valid user.
+
+The issuer knows the site you visited, but doesn't know any of your device information that the attester used to verify you.
+
+### Kagi
+
+There are scant services actively using Privacy Pass to authenticate users, but a recent and very exciting example is [Kagi](https://blog.kagi.com/kagi-privacy-pass).
+
+With their implementation, you can now install their extension for [Firefox](https://addons.mozilla.org/en-US/firefox/addon/kagi-privacy-pass/) and [Chrome](https://chromewebstore.google.com/detail/kagi-search/cdglnehniifkbagbbombnjghhcihifij). Safari isn't supported at the moment, but their [Orion](https://chromewebstore.google.com/detail/kagi-search/cdglnehniifkbagbbombnjghhcihifij) browser supports it and is WebKit-based.
+
+The need for an extension and lack of support for some platforms highlights the need for widespread support for Privacy Pass in browsers and platforms. It's not reasonable to expect every single platform to implement Privacy Pass themselves and users likely don't want to install a separate extension for every platform either.
+
+That said, I applaud Kagi for their efforts. They went above and beyond to protect their users' privacy. A few notes for future improvements, though.
+
+#### No Account Requirement
+
+Currently, Kagi requires an account in order to use it. Although they allow you to put in a fake email address on account creation since they don't [check it](https://kagifeedback.org/d/3813-enable-anonymous-registration-no-email/16), it's still a persistent identifier that could be eliminated.
+
+Their announcement blog post states that the ability to use Kagi fully without an account is a possibility for the future with an invitation to request the feature on their [forum](https://kagifeedback.org/d/6163-kagi-privacy-pass), so feel free to add your voice. A fully accountless search engine that doesn't rely on ads would be great to see.
+
+#### Separation of Origin, Attester, Issuer
+
+Kagi uses the [Shared Origin, Attester, Issuer](https://www.ietf.org/archive/id/draft-ietf-privacypass-architecture-03.html?_fsi=jKxFixnl#section-4.1) model for their implementation, which leaves the possibility of data being correlated between each step of the process, such as device fingerprinting or IP address being used to correlate a user who is issued tokens with when they redeem them.
+
+Kagi's onion service helps to mitigate this issue, but I think it would be a significant privacy improvement to separate all three entities.
+
+#### Remove Requirement for an Extension
+
+Having to install an extension is annoying as an end user and surely incurs some development cost in both the initial development and upkeep over time. I'm not sure how it would be possible to get rid of the extension as it seems like there's no good way to do so at the moment, but I'm hopeful that the Private State Token API could be used for that in the future if it ever gets fully standardized as a browser API.
+
+## Future Possibilities
+
+Overall, Privacy Pass is an exciting standard that is already improving the privacy of users on a wide scale.
+
+### Easier Adoption
+
+However, for widespread adoption of anonymous authentication for all online services, there needs to be an easier way for developers to implement it. I see Private State Tokens and Private Access Tokens as paths toward that goal, but they have their own limitations.
+
+Private State Tokens seem to be restricted to browsers, which is mostly fine since so many online services are accessed through the browser. It does put services like VPNs that operate outside the browser in a tight spot though.
+
+Private Access Tokens seem like a possible solution for device-wide Privacy Pass authentication, but the only place I've seen them implemented is in Apple's operating systems to identify users as real iOS or macOS users. I'd like to see wider adoption for more use cases than just that. It's unclear what the vision for Private Access Tokens is for the moment.
+
+### Carriers
+
+One of the biggest and most privacy-invasive services is mobile carriers. They take lots of personal information when you sign up, and then you have permanent identifiers, both IMSI identifying you as a subscriber and IMEI identifying your device, tied to that information while you use it. Because of how the cell network works, they also can tie that information to your physical location and all the traffic you send through their network.
+
+[Cape](https://www.cape.co/research) is a privacy-focused carrier that says they're "studying the use of blinded tokens and zero-knowledge proofs to disaggregate subscriber information." This would have a massive impact on user privacy, possibly allowing a KYC'd mobile subscriber to use their carrier at least semi-anonymously (it's unclear how IMSI and IMEI fit into this scheme, as well as location information).
+
+### VPNs
+
+Commercial VPNs typically require some kind of account identifier, even if it's just a randomized number.
+
+Apple's iCloud Private Relay uses RSA blind signatures to anonymously authenticate users to each of the two hops.
+
+Google's former [VPN](https://www.gstatic.com/vpn/google_vpn_white_paper.pdf) service also used blind signatures to protect users.
+
+![Diagram showing Google's blind signature VPN authentication scheme](../assets/images/privacy-pass/google-vpn.webp)
+
+<small aria-hidden="true">Image: [Google](https://www.gstatic.com/vpn/google_vpn_white_paper.pdf)</small>
+
+Hopefully we can see more VPN companies start to use Privacy Pass to authenticate users, I think it would be a massive improvement to user privacy.
+
+### Digital Cash
+
+Part of Chaum's vision was anonymous digital transactions using blind signatures, which he made a reality with his company [DigiCash](https://chaum.com/wp-content/uploads/2022/01/05-27-94-World_s-first-electronic-cash-payment-over-computer-networks.pdf).
+
+For whatever reason, *eCash*, as it was called, never caught on and the company filed for bankruptcy in 1998. We're left with the terrible current system where you need to input your credit card and personal information in order to make a transaction, which is easily traceable back to you. Not to mention the security implications, [credit card fraud](https://www.security.org/digital-safety/credit-card-fraud-report/) is rampant today.
+
+The dream isn't dead, however. Chaum's [eCash 2.0](https://chaum.com/ecash-2-0/) is quantum-resistant and has been built and tested in the Bank for International Settlements' [Project Tourbillon](https://www.bis.org/about/bisih/topics/cbdc/tourbillon.htm).
+
+### Digital ID
+
+Laws are being passed forcing 18+ websites and even [app stores](https://thehill.com/policy/technology/5179865-utah-app-store-age-verification-law/) to collect verify the ID of users. This is a massive slap in the face to the privacy and security of everyone. Data breaches and tracking are inevitable under the current system.
+
+Blind signatures could provide a private and secure way to verify age or other information without having to submit your entire ID or submit invasive face scans.

blog/posts/signal-configuration-and-hardening.md

@@ -1,7 +1,7 @@
 ---
 date:
     created: 2022-07-07T19:00:00Z
-    updated: 2024-08-23T19:00:00Z
+    updated: 2025-04-15T04:00:00Z
 authors:
     - contributors
     - matchboxbananasynergy
@@ -176,9 +176,16 @@ On Android/iOS:
 
 For incoming calls from people who are not in your Contacts app, the call will be relayed through the Signal server regardless of how you've set it up.
 
-### Proxy Support
+### Bypass Internet Censorship
 
-If Signal is blocked in your country, Signal allows you to set up a proxy to bypass it.
+If Signal is blocked in your country, it has a built-in "Censorship Circumvention" feature that uses domain fronting to bypass restrictions.
+
+On Android/iOS:
+
+- Select :material-dots-vertical: → **Settings** → **Privacy** → **Advanced**
+- [x] Turn on **Censorship Circumvention**
+
+Additionally, Signal allows you to set up a proxy to bypass censorship.
 
 !!! Warning
 

blog/posts/taking-advantage-of-android-user-profiles.md

@@ -0,0 +1,120 @@
+---
+date:
+    created: 2025-04-23T19:00:00Z
+categories:
+    - Tutorials
+authors:
+    - jonah
+description: Android's ability to support multiple user profiles is one of the simplest ways to isolate applications and data on Android, which can provide you with huge privacy and security advantages.
+schema_type: AnalysisNewsArticle
+---
+# How to Take Advantage of Multiple Users on Android
+
+![Article cover photo showing a tablet with 3 user profile icons](../assets/images/taking-advantage-of-android-user-profiles/multiple-users-tablet-cover.webp)
+
+<small aria-hidden="true">Illustration: Jonah Aragon / Privacy Guides</small>
+
+One of the simplest ways to isolate different applications and personal data on an Android device is to use **multiple users**. This is a feature which has been widely available on Android phones since 2014, but goes fairly underutilized by most people.<!-- more -->
+
+Originally, this feature was intended to support multiple physical people sharing the same device, with the AOSP team envisioning a second user being added to a tablet for children to use, or critical response teams sharing a phone for on-call duty.
+
+There are two main types of users on Android:
+
+- The **system user**, which is the first user on the device. This user has special privileges and settings that only it can set. The name of this user defaults to "Owner" on English language devices.
+- **Secondary users**, which are any users added to the device other than the system user. These users can be removed (either by the system user or by themselves) and cannot impact other users set up on the device.
+
+## Advantages
+
+While originally intended for multiple people, there are a number of advantages to setting up secondary users on your phone that will benefit even a single person!
+
+### Isolating Apps
+
+Apps installed in one user profile cannot communicate with apps installed in a different user profile. It is not possible to access the app data or storage of one user from a different user at all. The workspaces are completely isolated.
+
+If you have multiple accounts with any apps that don't support multiple logins, this feature can really come in handy. Using multiple users allows you to have multiple, independent copies of an app installed on your device, one per user. Each app install can be logged in with different credentials and have access to different data.
+
+### Isolating Data
+
+Each user has its own set of files, contacts, and media. Apps installed by that user can only access data owned by that user.
+
+This could come in handy if you have two different sets of contacts, say, a work address book and a personal address book, and you want to sync each one to a different user. It also allows you to have a profile for highly sensitive data that only needs to be accessed by a minimal number of apps.
+
+### Resource Management
+
+It is also possible to end the sessions of secondary users, which puts its data at rest (a more secure state) and stops its apps from running in the background.
+
+This is particularly relevant when using a [custom ROM](https://www.privacyguides.org/en/android/distributions) with non-system Google Play Services, such as sandboxed Google Play on GrapheneOS. For example, you could have a secondary user with Google Play Services, and a primary user without, letting you choose when exactly you are making connections to Google. We'll delve deeper into this example later on.
+
+Additionally, each user makes its own independent [VPN](https://www.privacyguides.org/en/vpn) connections. If you have two user sessions running, they could be connected to different VPN providers or different countries. You could even have one user connected to a VPN and one that doesn't use a VPN at all.
+
+### GrapheneOS Specific
+
+If you use [**GrapheneOS**](https://www.privacyguides.org/en/android/distributions/#grapheneos), you can take advantage of additional [features](https://grapheneos.org/features#improved-user-profiles){rel=nofollow} not available with a standard Android phone:
+
+- **Notification forwarding**: Normally, only the notifications of the currently active user on Android are shown. On GrapheneOS, you can optionally configure secondary users to forward their notifications to the currently active profile, so you can make sure you don't miss anything important occurring in a background user session. Remember that you must unlock secondary user profiles before you can receive notifications from them. Otherwise, you will miss important notifications after your phone reboots.
+
+- **Additional user profiles:** GrapheneOS raises the maximum number of secondary users to 31, which means you have the option to be much more granular with how you isolate apps and data than you normally would (the maximum number is configurable by OEMs, but a stock Google Pixel only supports 3).
+
+## Common Setups
+
+When it comes to juggling multiple users, the best approach will always be highly dependent on your data, the apps you use, and your typical workflows.
+
+It's important to think about how **you** use your device because you might use apps in conjunction with one another in ways that someone else might not. Similarly to [Qubes](https://www.privacyguides.org/en/os/qubes-overview), the correct number of isolated users and the apps you install within them is basically subjective. There's no "best" approach.
+
+This being said, there are a few common or popular setups we see within the *Privacy Guides* [community](https://discuss.privacyguides.net/) which might make sense for you, or at least could help you start thinking about the best ways to isolate your apps and data from each other. You could also certainly use any combination of these approaches. At least within the confines of the maximum number of users available on your device, the sky's the limit!
+
+### Isolating Google Dependencies
+
+To preserve your privacy, the most commonly recommended "minimum" setup for multiple users on Android *with GrapheneOS* is a two-user setup, where only one secondary user has Google Play Services installed.
+
+In this setup, the system user only contains apps that don't require Google Play Services, like open source apps installed with [Obtainium](https://www.privacyguides.org/en/android/obtaining-apps/#obtainium) or [F-Droid](https://www.privacyguides.org/en/android/obtaining-apps/#f-droid). The secondary user would contain apps from [Aurora Store](https://www.privacyguides.org/en/android/obtaining-apps/#aurora-store) or the Google Play Store that rely on Google Play Services, such as some banking apps, social media apps, etc.
+
+This configuration is really only viable with GrapheneOS and sandboxed Google Play (or [another](grapheneos-or-calyxos.md) custom ROM with non-system microG) because that setup doesn't require Google Play Services be integrated with the system. On your typical stock Android device, Google Play Services will be installed with system-level permissions, meaning that it will be present in all user profiles on your phone.
+
+### Minimal Owner Profile
+
+Another frequently utilized configuration is keeping the system user as bare-bones as possible and *only* using (a) secondary user(s) to increase the security of your device.
+
+This is because the system user has a number of special privileges that other users do not, such as the ability to enable ADB or other developer tools, for example. By avoiding regular usage of the system user, these settings become harder to unintentionally access.
+
+An additional advantage of this approach is that it makes cleaning up and erasing portions of your device easier. Secondary users can be erased very easily if the need to do so for any reason arises. Doing so won't affect other users on the device. On the other hand, the system user can only really be erased with a full factory reset, which would also wipe out all users on the device at once.
+
+### Per-Persona
+
+Some people choose to group their apps on a "per-persona" basis, for example, having a user for school, one for work, one for games, one for social media, etc. If you find your time spent on your phone can be easily categorized into different groups of apps, this approach might make the most sense to you.
+
+Not only does this limit the data that each group of apps can access (you can completely avoid accidentally sharing *personal* photos in your work chat, for example), but this approach can be also a huge boon to focus and productivity. Switching users on Android *does* add some friction, so keeping distractions in a separate user that can be disabled when you're not intentionally using them is an approach some find very helpful.
+
+## Alternatives
+
+### No Secondary Users At All
+
+While secondary users can offer substantial privacy and security benefits, they are not necessary for everyone.
+
+From a security perspective, all apps on Android are strongly sandboxed from each other. While this sandbox does not provide the complete isolation of data and interactions between apps, it does prevent apps from exploiting your device or other apps, and interactions that *do* occur between apps are typically gated behind permission prompts and other access controls. This means that for many [threat models](https://www.privacyguides.org/en/basics/threat-modeling/), enhancing app isolation beyond the default may be a bit overkill!
+
+It's perfectly reasonable to decide that the standard sandboxing is all you require, *especially* if you have minimal apps installed in the first place, if you're only using [trustworthy](https://www.privacyguides.org/en/tools/) and open-source apps, or if you simply find managing multiple users too cumbersome for everyday use.
+
+### Users vs. Profiles
+
+Another alternative to multiple users on Android are **profiles**, which are separate workspaces contained within a single user.
+
+The most well known implementation of profiles on Android is the **Work Profile** functionality. In normal usage, a Work Profile might be set up on your phone by your employer in order for them to install work-related apps without giving them full access to your device and personal apps. However, if you don't already have a work profile installed, you can also create a personally-managed one yourself by using an app like [Shelter](https://www.privacyguides.org/en/android/general-apps/#shelter) or Insular.
+
+A big advantage of Work Profiles is that apps installed in the profile are accessible from your regular launcher without having to log out and switch user sessions. It is also very easy to multitask between apps installed in a work profile and personal apps.
+
+Work profiles are much more isolated from your personal apps compared to the typical app sandbox, but they *do* share some underlying resources with the rest of your user profile, making them a bit of a middle-ground between standard app sandboxing and full multi-user isolation.
+
+#### Private Space
+
+In Android 15, a new feature called **Private Space** was introduced, which is very similar to work profiles in function, but does not require a separate management app like Shelter to use. Because this is a built-in feature, we always recommend using private profiles before or instead of using Work Profile functionality whenever possible.
+
+Again, Private Space is a middle-ground between the standard sandboxing and multiple users. One example of a shared resource between the system user and the private profile within is the clipboard. This is a very significant vector to leak information between your standard apps and apps installed in the private space if you do not manage it properly.
+
+Private Space is currently only available for the system user, not by secondary users. You also have the option to enable both a private space *and* a work profile, meaning you could have up to three semi-isolated workspaces contained within a single user.
+
+## Sources
+
+- <https://source.android.com/docs/devices/admin/multi-user>{rel=nofollow}
+- <https://seprand.github.io/articles/best-user-profile-setup>{rel=nofollow}
+- <https://arxiv.org/html/1904.05572v3/#S4.SS3>{rel=nofollow}

blog/posts/the-dangers-of-end-to-end-encryption.md

@@ -2,7 +2,7 @@
 date:
     created: 2025-04-01T05:40:00Z
 categories:
-    - Announcements
+    - Opinion
 tags:
     - April Fools
 authors:
@@ -13,7 +13,7 @@ schema_type: SatiricalArticle
 preview:
   logo: blog/assets/images/the-dangers-of-end-to-end-encryption/fire.svg
 ---
-# The Dangers of End-to-End Encryption - Happy April fools!
+# The Dangers of End-to-End Encryption
 
 ![An image showing a burning car](../assets/images/the-dangers-of-end-to-end-encryption/cover.webp)
 

docs/ai-chat.md

@@ -11,7 +11,7 @@ cover: ai-chatbots.webp
 - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown }
 - [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray }
 
-Since the release of ChatGPT in 2022, interactions with Large Language Models (LLMs) have become increasingly common. LLMs can help us write better, understand unfamiliar subjects, or answer a wide range of questions. They can statistically predict the next word based on a vast amount of data scraped from the web.
+The use of **AI chat**, also known as Large Language Models (LLMs), has become increasingly common since the release of ChatGPT in 2022. LLMs can help us write better, understand unfamiliar subjects, or answer a wide range of questions. They work by statistically predicting the next word in their responses based on a vast amount of data scraped from the web.
 
 ## Privacy Concerns About LLMs
 
@@ -41,7 +41,7 @@ To run AI locally, you need both an AI model and an AI client.
 
 ### Choosing a Model
 
-There are many permissively licensed models available to download. [Hugging Face](https://huggingface.co/models) is a platform that lets you browse, research, and download models in common formats like [GGUF](https://huggingface.co/docs/hub/en/gguf). Companies that provide good open-weights models include big names like Mistral, Meta, Microsoft, and Google. However, there are also many community models and 'fine-tunes' available. As mentioned above, quantized models offer the best balance between model quality and performance for those using consumer-grade hardware.
+There are many permissively licensed models available to download. [Hugging Face](https://huggingface.co/models) is a platform that lets you browse, research, and download models in common formats like [GGUF](https://huggingface.co/docs/hub/en/gguf). Companies that provide good open-weights models include big names like Mistral, Meta, Microsoft, and Google. However, there are also many community models and [fine-tuned](https://en.wikipedia.org/wiki/Fine-tuning_(deep_learning)) models available. As mentioned above, quantized models offer the best balance between model quality and performance for those using consumer-grade hardware.
 
 To help you choose a model that fits your needs, you can look at leaderboards and benchmarks. The most widely-used leaderboard is the community-driven [LM Arena](https://lmarena.ai). Additionally, the [OpenLLM Leaderboard](https://huggingface.co/spaces/open-llm-leaderboard/open_llm_leaderboard) focuses on the performance of open-weights models on common benchmarks like [MMLU-Pro](https://arxiv.org/abs/2406.01574).  There are also specialized benchmarks which measure factors like [emotional intelligence](https://eqbench.com), ["uncensored general intelligence"](https://huggingface.co/spaces/DontPlanToEnd/UGI-Leaderboard), and [many others](https://www.nebuly.com/blog/llm-leaderboards).
 
@@ -62,7 +62,7 @@ To help you choose a model that fits your needs, you can look at leaderboards an
 
 ![Kobold.cpp Logo](assets/img/ai-chat/kobold.png){align=right}
 
-Kobold.cpp is an AI client that runs locally on your Windows, Mac, or Linux computer. It's an excellent choice if you are looking for heavy customization and tweaking, such as for role-playing purposes.
+**Kobold.cpp** is an AI client that runs locally on your Windows, Mac, or Linux computer. It's an excellent choice if you are looking for heavy customization and tweaking, such as for role-playing purposes.
 
 In addition to supporting a large range of text models, Kobold.cpp also supports image generators such as [Stable Diffusion](https://stability.ai/stable-image) and automatic speech recognition tools such as [Whisper](https://github.com/ggerganov/whisper.cpp).
 
@@ -82,7 +82,7 @@ In addition to supporting a large range of text models, Kobold.cpp also supports
 
 </div>
 
-<div class="admonition note" markdown>
+<div class="admonition info" markdown>
 <p class="admonition-title">Compatibility Issues</p>
 
 Kobold.cpp might not run on computers without AVX/AVX2 support.
@@ -97,7 +97,7 @@ Kobold.cpp allows you to modify parameters such as the AI model temperature and
 
 ![Ollama Logo](assets/img/ai-chat/ollama.png){align=right}
 
-Ollama is a command-line AI assistant that is available on macOS, Linux, and Windows. Ollama is a great choice if you're looking for an AI client that's easy-to-use, widely compatible, and fast due to its use of inference and other techniques. It also doesn't involve any manual setup.
+**Ollama** is a command-line AI assistant that is available on macOS, Linux, and Windows. Ollama is a great choice if you're looking for an AI client that's easy-to-use, widely compatible, and fast due to its use of inference and other techniques. It also doesn't involve any manual setup.
 
 In addition to supporting a wide range of text models, Ollama also supports [LLaVA](https://github.com/haotian-liu/LLaVA) models and has experimental support for Meta's [Llama vision capabilities](https://huggingface.co/blog/llama32#what-is-llama-32-vision).
 
@@ -123,9 +123,9 @@ Ollama simplifies the process of setting up a local AI chat by downloading the A
 
 <div class="admonition recommendation" markdown>
 
-![Llamafile Logo](assets/img/ai-chat/llamafile.svg){align=right}
+![Llamafile Logo](assets/img/ai-chat/llamafile.png){align=right}
 
-Llamafile is a lightweight single-file executable that allows users to run LLMs locally on their own computers without any setup involved. It is [backed by Mozilla](https://hacks.mozilla.org/2023/11/introducing-llamafile) and available on Linux, macOS, and Windows.
+**Llamafile** is a lightweight, single-file executable that allows users to run LLMs locally on their own computers without any setup involved. It is [backed by Mozilla](https://hacks.mozilla.org/2023/11/introducing-llamafile) and available on Linux, macOS, and Windows.
 
 Llamafile also supports LLaVA. However, it doesn't support speech recognition or image generation.
 
@@ -137,7 +137,9 @@ Llamafile also supports LLaVA. However, it doesn't support speech recognition or
 <details class="downloads" markdown>
 <summary>Downloads</summary>
 
-- [:fontawesome-solid-desktop: Desktop](https://github.com/Mozilla-Ocho/llamafile#quickstart)
+- [:fontawesome-brands-windows: Windows](https://github.com/Mozilla-Ocho/llamafile#quickstart)
+- [:simple-apple: macOS](https://github.com/Mozilla-Ocho/llamafile#quickstart)
+- [:simple-linux: Linux](https://github.com/Mozilla-Ocho/llamafile#quickstart)
 
 </details>
 
@@ -170,11 +172,11 @@ Please note we are not affiliated with any of the projects we recommend. In addi
 
 ### Minimum Requirements
 
-- Must be open-source.
+- Must be open source.
 - Must not transmit personal data, including chat data.
 - Must be multi-platform.
 - Must not require a GPU.
-- Must support GPU-powered fast inference.
+- Must support GPU-powered, fast inference.
 - Must not require an internet connection.
 
 ### Best-Case
@@ -185,4 +187,11 @@ Our best-case criteria represent what we *would* like to see from the perfect pr
 - Should have a built-in model downloader option.
 - The user should be able to modify the LLM parameters, such as its system prompt or temperature.
 
+*[LLaVA]: Large Language and Vision Assistant (multimodal AI model)
+*[LLM]: Large Language Model (AI model such as ChatGPT)
+*[LLMs]: Large Language Models (AI models such as ChatGPT)
+*[open-weights models]: AI models that anyone can download and use, but the underlying training data and/or algorithms for them are proprietary.
+*[system prompt]: The general instructions given by a human to guide how an AI chat should operate.
+*[temperature]: A parameter used in AI models to control the level of randomness and creativity in the generated text.
+
 [^1]: A file checksum is a type of anti-tampering fingerprint. A developer usually provides a checksum in a text file that can be downloaded separately, or on the download page itself. Verifying that the checksum of the file you downloaded matches the one provided by the developer helps ensure that the file is genuine and wasn't tampered with in transit. You can use commands like `sha256sum` on Linux and macOS, or `certutil -hashfile file SHA256` on Windows to generate the downloaded file's checksum.

docs/alternative-networks.md

@@ -34,6 +34,8 @@ The recommended way to access the Tor network is via the official Tor Browser, w
 
 [Tor Browser Info :material-arrow-right-drop-circle:](tor.md){ .md-button .md-button--primary } [Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md){ .md-button }
 
+You can access the Tor network using other tools; making this determination comes down to your threat model. If you are a casual Tor user who is not worried about your ISP collecting evidence against you, using apps like [Orbot](#orbot) or mobile browser apps to access the Tor network is probably fine. Increasing the number of people who use Tor on an everyday basis helps reduce the bad stigma of Tor, and lowers the quality of "lists of Tor users" that ISPs and governments may compile.
+
 <div class="admonition example" markdown>
 <p class="admonition-title">Try it out!</p>
 
@@ -41,12 +43,50 @@ You can try connecting to *Privacy Guides* via Tor at [xoe4vn5uwdztif6goazfbmogh
 
 </div>
 
+#### Orbot
+
+<div class="admonition recommendation" markdown>
+
+![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
+
+**Orbot** is a mobile application which routes traffic from any app on your device through the Tor network.
+
+[:octicons-home-16: Homepage](https://orbot.app){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://orbot.app/faqs){ .card-link title="Documentation" }
+[:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://orbot.app/donate){ .card-link title="Contribute" }
+
+<details class="downloads" markdown>
+<summary>Downloads</summary>
+
+- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
+- [:simple-appstore: App Store](https://apps.apple.com/app/id1609461599)
+- [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
+- [:simple-fdroid: F-Droid](https://guardianproject.info/fdroid)
+
+</details>
+
+</div>
+
+We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1]
+
+=== "Android"
+
+    Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN kill switch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
+
+    Orbot is often outdated on Google Play and the Guardian Project's F-Droid repository, so consider downloading directly from the GitHub repository instead. All versions are signed using the same signature, so they should be compatible with each other.
+
+=== "iOS"
+
+    On iOS, Orbot has some limitations that could potentially cause crashes or leaks: iOS does not have an effective OS-level feature to block connections without a VPN like Android does, and iOS has an artificial memory limit for network extensions that makes it challenging to run Tor in Orbot without crashes. Currently, it is always safer to use Tor on a desktop computer compared to a mobile device.
+
 #### Snowflake
 
 <div class="admonition recommendation" markdown>
 
-![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right }
-![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right }
+![Snowflake logo](assets/img/self-contained-networks/snowflake.svg#only-light){ align=right }
+![Snowflake logo](assets/img/self-contained-networks/snowflake-dark.svg#only-dark){ align=right }
 
 **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser.
 
@@ -109,4 +149,5 @@ Also, unlike Tor, every I2P node will relay traffic for other users by default,
 
 There are downsides to I2P's approach, however. Tor relying on dedicated exit nodes means more people in less safe environments can use it, and the relays that do exist on Tor are likely to be more performant and stable, as they generally aren't run on residential connections. Tor is also far more focused on **browser privacy** (i.e. anti-fingerprinting), with a dedicated [Tor Browser](tor.md) to make browsing activity as anonymous as possible. I2P is used via your [regular web browser](desktop-browsers.md), and while you can configure your browser to be more privacy-protecting, you probably still won't have the same browser fingerprint as other I2P users (there's no "crowd" to blend in with in that regard).
 
+[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403) and [Whonix's Stream Isolation documentation](https://whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people.
 Tor is likely to be more resistant to censorship, due to their robust network of bridges and varying [pluggable transports](https://tb-manual.torproject.org/circumvention). On the other hand, I2P uses directory servers for the initial connection which are varying/untrusted and run by volunteers, compared to the hard-coded/trusted ones Tor uses which are likely easier to block.

docs/android/index.md

@@ -50,7 +50,7 @@ Ideally, when choosing a custom Android distribution, you should make sure that
 
 [Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition, meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the attack surface of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
 
-Content blockers which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For content blocking, we suggest encrypted [DNS](../dns.md) or content blocking functionality provided by a VPN instead. TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN), preventing you from using privacy enhancing services such as [Orbot](../tor.md#orbot) or a [real VPN provider](../vpn.md).
+Content blockers which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (like AdAway) and firewalls which require root access persistently (like AFWall+) are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For content blocking, we suggest encrypted [DNS](../dns.md) or content blocking functionality provided by a VPN instead. TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN), preventing you from using privacy-enhancing services such as [Orbot](../alternative-networks.md#orbot) or a [real VPN provider](../vpn.md).
 
 AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
 

docs/basics/account-creation.md

@@ -42,7 +42,7 @@ You will be responsible for managing your login credentials. For added security,
 
 #### Email aliases
 
-If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to.
+If you don't want to give your real email address to a service, you have the option to use an alias. We describe them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign-up process. Those can be filtered automatically based on the alias they are sent to.
 
 Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
 
@@ -50,19 +50,19 @@ Should a service get hacked, you might start receiving phishing or spam emails t
 
 ### "Sign in with..." (OAuth)
 
-OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth.
+[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth) is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of "Sign in with *provider name*" on a registration form, it's typically using OAuth.
 
 When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won't be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account.
 
 The main advantages are:
 
-- **Security**: you don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials, because they are stored with the external OAuth provider, which when it comes to services like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text).
-- **Ease of use**: multiple accounts are managed by a single login.
+- **Security**: You don't have to trust the security practices of the service you're logging into when it comes to storing your login credentials because they are stored with the external OAuth provider. Common OAuth providers like Apple and Google typically follow the best security practices, continuously audit their authentication systems, and don't store credentials inappropriately (such as in plain text).
+- **Ease-of-use**: Multiple accounts are managed by a single login.
 
 But there are disadvantages:
 
-- **Privacy**: the OAuth provider you log in with will know the services you use.
-- **Centralization**: if the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected.
+- **Privacy**: The OAuth provider you log in with will know the services you use.
+- **Centralization**: If the account you use for OAuth is compromised, or you aren't able to log in to it, all other accounts connected to it are affected.
 
 OAuth can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with [MFA](multi-factor-authentication.md).
 

docs/basics/email-security.md

@@ -2,34 +2,34 @@
 meta_title: "Why Email Isn't the Best Choice for Privacy and Security - Privacy Guides"
 title: Email Security
 icon: material/email
-description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications.
+description: Email is insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications.
 ---
 
-Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed.
+Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add end-to-end encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications.
 
 As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others.
 
 ## Email Encryption Overview
 
-The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org).
+The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](../encryption.md#gnu-privacy-guard) and [OpenPGP.js](https://openpgpjs.org).
 
-There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480).
+Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
 
-Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible.
+There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates, and often a yearly payment is required). In some cases it is more usable than PGP because it has support in popular/mainstream email applications like Apple Mail, [Google Workplace](https://support.google.com/a/topic/9061730), and [Outlook](https://support.office.com/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). However, S/MIME does not solve the issue of lack of forward secrecy, and isn't particularly more secure than PGP.
 
 ## What is the Web Key Directory standard?
 
-The Web Key Directory (WKD) standard allows email clients to discover the OpenPGP key for other mailboxes, even those hosted on a different provider. Email clients which support WKD will ask the recipient's server for a key based on the email address' domain name. For example, if you emailed `jonah@privacyguides.org`, your email client would ask `privacyguides.org` for Jonah's OpenPGP key, and if `privacyguides.org` has a key for that account, your message would be automatically encrypted.
+The [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) standard allows email clients to discover the OpenPGP key for other mailboxes, even those hosted on a different provider. Email clients which support WKD will ask the recipient's server for a key based on the email address' domain name. For example, if you emailed `jonah@privacyguides.org`, your email client would ask `privacyguides.org` for Jonah's OpenPGP key, and if `privacyguides.org` has a key for that account, your message would be automatically encrypted.
 
 In addition to the [email clients we recommend](../email-clients.md) which support WKD, some webmail providers also support WKD. Whether *your own* key is published to WKD for others to use depends on your domain configuration. If you use an [email provider](../email.md#openpgp-compatible-services) which supports WKD, such as Proton Mail or Mailbox.org, they can publish your OpenPGP key on their domain for you.
 
-If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from keys.openpgp.org, by setting a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then uploading your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting).
+If you use your own custom domain, you will need to configure WKD separately. If you control your domain name, you can set up WKD regardless of your email provider. One easy way to do this is to use the "[WKD as a Service](https://keys.openpgp.org/about/usage#wkd-as-a-service)" feature from the `keys.openpgp.org` server: Set a CNAME record on the `openpgpkey` subdomain of your domain pointed to `wkd.keys.openpgp.org`, then upload your key to [keys.openpgp.org](https://keys.openpgp.org). Alternatively, you can [self-host WKD on your own web server](https://wiki.gnupg.org/WKDHosting).
 
-If you use a shared domain from a provider which doesn't support WKD, like @gmail.com, you won't be able to share your OpenPGP key with others via this method.
+If you use a shared domain from a provider which doesn't support WKD, like `@gmail.com`, you won't be able to share your OpenPGP key with others via this method.
 
 ### What Email Clients Support E2EE?
 
-Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
+Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to decreased security if either the provider or the email client does not support [OAuth](account-creation.md#sign-in-with-oauth) or a bridge application as [multifactor authentication](multi-factor-authentication.md) is not possible with plain password authentication.
 
 ### How Do I Protect My Private Keys?
 
@@ -39,14 +39,14 @@ It is advantageous for the decryption to occur on the smart card to avoid possib
 
 ## Email Metadata Overview
 
-Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
+Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as `To`, `From`, `Cc`, `Date`, and `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account.
 
 Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent.
 
 ### Who Can View Email Metadata?
 
-Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
+Email metadata is protected from outside observers with [opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages.
 
 ### Why Can't Metadata be E2EE?
 
-Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, the subject lines, when you're emailing, etc.
+Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into standard email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt some of this email metadata required for identifying the parties communicating. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as whom you're emailing, when you're emailing, etc.

docs/basics/vpn-overview.md

@@ -51,7 +51,7 @@ VPNs cannot encrypt data outside the connection between your device and the VPN
 
 Using a VPN in cases where you're using your [real-life or well-known identity](common-misconceptions.md#complicated-is-better) online is unlikely to be useful. Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
 
-It's important to remember that a VPN will not provide you with absolute anonymity, because the VPN provider itself will still see your real IP address, destination website information, and often has a money trail that can be linked directly back to you. You can't rely on "no logging" policies to protect your data from anyone who is able to protect. If you need complete safety from the network itself, consider using [Tor](../advanced/tor-overview.md) in addition to or instead of a VPN.
+It's important to remember that a VPN will not provide you with absolute anonymity because the VPN provider itself will still have access to your real IP address, destination website information, and often a money trail that can be linked directly back to you. "No logging" policies are merely a promise; if you need complete safety from the network itself, consider using [Tor](../advanced/tor-overview.md) in addition to or instead of a VPN.
 
 You also should not trust a VPN to secure your connection to an unencrypted, HTTP destination. In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider and other potential adversaries in between the VPN server and your destination. You should enable HTTPS-only mode in your browser (if it's supported) to mitigate attacks which try to downgrade your connection from HTTPS to HTTP.
 
@@ -91,7 +91,9 @@ Recently, some attempts have been made by various organizations to address some
 
 Multi-Party Relays (MPRs) use multiple nodes owned by different parties, such that no individual party knows both who you are and what you're connecting to. This is the basic idea behind Tor, but now there are some paid services that try to emulate this model.
 
-MPRs seek to solve a problem inherent to VPNs: the fact that you must trust them completely. They accomplish this goal by segmenting the responsibilities between two or more different companies. For example, Apple's iCloud+ Private Relay routes your traffic through two servers:
+MPRs seek to solve a problem inherent to VPNs: the fact that you must trust them completely. They accomplish this goal by segmenting the responsibilities between two or more different companies.
+
+One example of a commercially available MPR is Apple's iCloud+ Private Relay, which routes your traffic through two servers:
 
 1. Firstly, a server operated by Apple.
 
@@ -101,7 +103,7 @@ MPRs seek to solve a problem inherent to VPNs: the fact that you must trust them
 
     This server actually makes the connection to your destination website, but has no knowledge of your device. The only IP address it knows about is Apple's server's.
 
-Other MPRs run by different companies like Google or INVISV operate in a very similar manner. This protection by segmentation only exists if you trust the two companies to not collude with each other to deanonymize you.
+Other MPRs run by different companies operate in a very similar manner. This protection by segmentation only exists if you trust the two companies to not collude with each other to deanonymize you.
 
 ### Decentralized VPNs
 

docs/cloud.md

@@ -95,33 +95,36 @@ They have also received the Digital Trust Label, a certification from the [Swiss
 
 ![Peergos logo](assets/img/cloud/peergos.svg){ align=right }
 
-**Peergos** is a decentralized protocol and open-source platform for storage, social media, and applications. It provides a secure and private space where users can store, share, and view their photos, videos, documents, etc. Peergos secures your files with quantum-resistant end-to-end encryption and ensures all data about your files remains private. It is built on top of [IPFS (InterPlanetary File System)](https://ipfs.tech), a peer-to-peer architecture that protects against [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray }.
+**Peergos** is a decentralized protocol and open-source platform for storage, social media, and applications. It provides a secure and private space where users can store, share, and view their photos, videos, documents, etc. Peergos secures your files with quantum-resistant end-to-end encryption and ensures all data about your files remains private.
 
 [:octicons-home-16: Homepage](https://peergos.org){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://peergos.net/privacy.html){ .card-link title="Privacy Policy" }
 [:octicons-info-16:](https://book.peergos.org){ .card-link title="Documentation" }
 [:octicons-code-16:](https://github.com/Peergos/Peergos){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://github.com/peergos/peergos#support){ .card-link title="Contribute" }
 
 <details class="downloads" markdown>
 <summary>Downloads</summary>
 
-- [:octicons-globe-16: Web](https://peergos.net)
+- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=peergos.android)
+- [:simple-github: GitHub](https://github.com/Peergos/web-ui/releases)
 - [:fontawesome-brands-windows: Windows](https://github.com/Peergos/web-ui/releases)
 - [:simple-apple: macOS](https://github.com/Peergos/web-ui/releases)
 - [:simple-linux: Linux](https://github.com/Peergos/web-ui/releases)
+- [:octicons-browser-16: Web](https://peergos.net)
 
 </details>
 
 </div>
 
+Peergos is built on top of the [InterPlanetary File System (IPFS)](https://ipfs.tech), a peer-to-peer architecture that protects against [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray }.
+
 Peergos is primarily a web app, but you can self-host the server either as a local cache for your remote Peergos account, or as a standalone storage server which negates the need to register for a remote account and subscription. The Peergos server is a `.jar` file, which means the Java 17+ Runtime Environment ([OpenJDK download](https://azul.com/downloads)) should be installed on your machine to get it working.
 
 Running a local version of Peergos alongside a registered account on their paid, hosted service allows you to access your Peergos storage without any reliance on DNS or TLS certificate authorities, and keep a copy of your data backed up to their cloud. The user experience should be the same whether you run their desktop server or just use their hosted web interface.
 
 Peergos was [audited](https://peergos.org/posts/security-audit-2024) in November 2024 by Radically Open Security and all issues were fixed. They were previously [audited](https://cure53.de/pentest-report_peergos.pdf) by Cure53 in June 2019, and all found issues were subsequently fixed.
 
-An Android app is not available, but it is [in the works](https://discuss.privacyguides.net/t/peergos-private-storage-sharing-social-media-and-application-platform/11825/25). The current workaround is to use the mobile [PWA](https://peergos.net) instead.
-
 ## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.

docs/desktop-browsers.md

@@ -317,15 +317,6 @@ Brave allows you to select additional content filters within the internal `brave
 
 1. Disabling the V8 optimizer reduces your attack surface by disabling [*some*](https://grapheneos.social/@GrapheneOS/112708049232710156) parts of JavaScript Just-In-Time (JIT) compilation.
 
-<div class="admonition tip" markdown>
-<p class="admonition-title">Sanitizing on close</p>
-
-- [x] Select **Delete data sites have saved to your device when you close all windows** under *Sites and Shields Settings* → *Content* → *Additional content settings* → *On-device site data*.
-
-If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section.
-
-</div>
-
 ##### Tor windows
 
 [**Private Window with Tor**](https://support.brave.com/hc/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity) allows you to route your traffic through the Tor network in Private Windows and access .onion services, which may be useful in some cases. However, Brave is **not** as resistant to fingerprinting as the Tor Browser is, and far fewer people use Brave with Tor, so you will stand out. If your threat model requires strong anonymity, use the [Tor Browser](tor.md#tor-browser).

docs/desktop.md

@@ -14,15 +14,15 @@ Linux distributions are commonly recommended for privacy protection and software
 
 ## Traditional Distributions
 
-### Fedora Workstation
+### Fedora Linux
 
 <div class="admonition recommendation" markdown>
 
 ![Fedora logo](assets/img/linux-desktop/fedora.svg){ align=right }
 
-**Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies (e.g., [Wayland](https://wayland.freedesktop.org) and [PipeWire](https://pipewire.org)) before other distributions. These new technologies often come with improvements in security, privacy, and usability in general.
+**Fedora Linux** is our recommended desktop distribution for people new to Linux. Fedora generally adopts newer technologies (e.g., [Wayland](https://wayland.freedesktop.org) and [PipeWire](https://pipewire.org)) before other distributions. These new technologies often come with improvements in security, privacy, and usability in general.
 
-[:octicons-home-16: Homepage](https://fedoraproject.org/workstation){ .md-button .md-button--primary }
+[:octicons-home-16: Homepage](https://fedoraproject.org){ .md-button .md-button--primary }
 [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs){ .card-link title=Documentation}
 [:octicons-heart-16:](https://whatcanidoforfedora.org){ .card-link title=Contribute }
 
@@ -30,7 +30,9 @@ Linux distributions are commonly recommended for privacy protection and software
 
 </div>
 
-Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
+Fedora comes in two primary desktop editions, [Fedora Workstation](https://fedoraproject.org/workstation), which uses the GNOME desktop environment, and [Fedora KDE Plasma Desktop](https://fedoraproject.org/kde), which uses KDE. Historically, Fedora Workstation has been more popular and widely recommended, but KDE has been gaining in popularity and provides an experience more similar to Windows, which may make transitioning to Linux easier for some. The security and privacy benefits of both editions are very similar, so it mostly comes down to personal preference.
+
+Fedora has a semi-rolling release cycle. While some packages like the desktop environment are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.
 
 ### openSUSE Tumbleweed
 
@@ -213,6 +215,25 @@ Qubes OS secures the computer by isolating subsystems (e.g., networking, USB, et
 
 For further information about how Qubes works, read our full [Qubes OS overview](os/qubes-overview.md) page.
 
+### Secureblue
+
+<div class="admonition recommendation" markdown>
+
+![Secureblue logo](assets/img/linux-desktop/secureblue.svg){ align=right }
+
+**Secureblue** is a security-focused operating system based on [Fedora Atomic Desktops](#fedora-atomic-desktops). It includes a number of [security features](https://secureblue.dev/features) intended to proactively defend against the exploitation of both known and unknown vulnerabilities, and ships with [Trivalent](https://github.com/secureblue/Trivalent), their hardened, Chromium-based web browser.
+
+[:octicons-home-16: Homepage](https://secureblue.dev){ .md-button .md-button--primary }
+[:octicons-info-16:](https://secureblue.dev/install){ .card-link title="Documentation" }
+[:octicons-code-16:](https://github.com/secureblue/secureblue){ .card-link title="Source Code" }
+[:octicons-heart-16:](https://secureblue.dev/donate){ .card-link title="Contribute" }
+
+</div>
+
+**Trivalent** is Secureblue's hardened Chromium for desktop Linux inspired by [GrapheneOS](android/distributions.md#grapheneos)'s Vanadium browser.
+
+Secureblue also provides GrapheneOS's [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) and enables it globally (including for Flatpaks).
+
 ### Kicksecure
 
 While we [recommend against](os/linux-overview.md#release-cycle) "perpetually outdated" distributions like Debian for desktop use in most cases, Kicksecure is a Debian-based operating system which has been hardened to be much more than a typical Linux install.

docs/device-integrity.md

@@ -69,7 +69,8 @@ These tools can trigger false-positives. If any of these tools finds indicators
 
 <div class="admonition recommendation" markdown>
 
-![MVT logo](assets/img/device-integrity/mvt.webp){ align=right }
+![MVT logo](assets/img/device-integrity/mvt.webp#only-light){ align=right }
+![MVT logo](assets/img/device-integrity/mvt-dark.png#only-dark){ align=right }
 
 **Mobile Verification Toolkit** (**MVT**) is a collection of utilities which simplifies and automates the process of scanning mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT was developed by Amnesty International and released in 2021 in the context of the [Pegasus Project](https://forbiddenstories.org/about-the-pegasus-project).
 
@@ -186,4 +187,4 @@ It is important to note that Auditor can only effectively detect changes **after
 
 No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
 
-If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service.
+If your [threat model](basics/threat-modeling.md) requires hiding your IP address from the attestation service, you could consider using [Orbot](alternative-networks.md#orbot) or a [VPN](vpn.md).

docs/dns.md

@@ -1,7 +1,7 @@
 ---
 title: "DNS Resolvers"
 icon: material/dns
-description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration.
+description: We recommend choosing these encrypted DNS providers to replace your ISP's default configuration.
 cover: dns.webp
 global:
  - [randomize-element, "table tbody"]
@@ -16,23 +16,43 @@ Encrypted DNS with third-party servers should only be used to get around basic [
 
 ## Recommended Providers
 
-These are our favorite public DNS resolvers based on their privacy and security characteristics, and their worldwide performance. Some of these services offer basic DNS-level blocking of malware or trackers depending on the server you choose, but if you want to be able to see and customize what is blocked you should use a dedicated DNS filtering product instead.
+These are our favorite public DNS resolvers based on their privacy and security characteristics, and their worldwide performance. Some of these services offer basic DNS-level blocking of malware or trackers depending on the server you choose, but if you want to be able to see and customize what is blocked, you should use a dedicated DNS filtering product instead.
 
 | DNS Provider | Protocols | Logging / Privacy Policy | [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) | Filtering | Signed Apple Profile |
 |---|---|---|---|---|---|
-| [**AdGuard Public DNS**](https://adguard-dns.io/en/public-dns.html) | Cleartext   DoH/3   DoT   DoQ   DNSCrypt | Anonymized[^1] | Anonymized | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | Yes [:octicons-link-external-24:](https://adguard-dns.io/en/blog/encrypted-dns-ios-14.html) |
-| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setup) | Cleartext   DoH/3   DoT | Anonymized[^2] | No | Based on server choice. | No [:octicons-link-external-24:](https://community.cloudflare.com/t/requesting-1-1-1-1-signed-profiles-for-apple/571846) |
-| [**Control D Free DNS**](https://controld.com/free-dns) | Cleartext   DoH/3   DoT   DoQ | No[^3] | No | Based on server choice. | Yes [:octicons-link-external-24:](https://docs.controld.com/docs/macos-platform) |
-| [**dns0.eu**](https://dns0.eu) | Cleartext   DoH/3   DoH   DoT   DoQ | Anonymized[^4] | Anonymized | Based on server choice. | Yes [:octicons-link-external-24:](https://dns0.eu/zero.dns0.eu.mobileconfig) |
-| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | DoH   DoT | No[^5] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | Yes [:octicons-link-external-24:](https://mullvad.net/en/blog/profiles-to-configure-our-encrypted-dns-on-apple-devices) |
-| [**Quad9**](https://quad9.net) | Cleartext   DoH   DoT   DNSCrypt | Anonymized[^6] | Optional | Based on server choice, malware blocking by default. | Yes [:octicons-link-external-24:](https://quad9.net/news/blog/ios-mobile-provisioning-profiles) |
+| [**AdGuard Public DNS**](https://adguard-dns.io/en/public-dns.html) | Cleartext <br>DoH/3 <br>DoT <br>DoQ <br>DNSCrypt | Anonymized[^1] | Anonymized | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | Yes [:octicons-link-external-24:](https://adguard-dns.io/en/blog/encrypted-dns-ios-14.html) |
+| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setup) | Cleartext <br>DoH/3 <br>DoT | Anonymized[^2] | No | Based on server choice. | No [:octicons-link-external-24:](https://community.cloudflare.com/t/requesting-1-1-1-1-signed-profiles-for-apple/571846) |
+| [**Control D Free DNS**](https://controld.com/free-dns) | Cleartext <br>DoH/3 <br>DoT <br>DoQ | No[^3] | No | Based on server choice. | Yes <br>[:simple-apple: iOS](https://docs.controld.com/docs/ios-platform) <br>[:material-apple-finder: macOS](https://docs.controld.com/docs/macos-platform#manual-setup-profile) |
+| [**DNS0.eu**](https://dns0.eu) | Cleartext <br>DoH/3 <br>DoH <br>DoT <br>DoQ | Anonymized[^4] | Anonymized | Based on server choice. | Yes [:octicons-link-external-24:](https://dns0.eu/zero.dns0.eu.mobileconfig) |
+| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | DoH <br>DoT | No[^5] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | Yes [:octicons-link-external-24:](https://github.com/mullvad/encrypted-dns-profiles) |
+| [**Quad9**](https://quad9.net) | Cleartext <br>DoH <br>DoT <br>DNSCrypt | Anonymized[^6] | Optional | Based on server choice. Malware blocking is included by default. | Yes <br>[:simple-apple: iOS](https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_(Encrypted)) <br>[:material-apple-finder: macOS](https://docs.quad9.net/Setup_Guides/MacOS/Big_Sur_and_later_(Encrypted)) |
 
-[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard-dns.io/en/privacy.html](https://adguard-dns.io/en/privacy.html)
-[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver)
-[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy)
-[^4]: dns0.eu collects some data for their threat intelligence feeds, to monitor for newly registered/observed/active domains and other bulk data. That data is shared with some [partners](https://docs.dns0.eu/data-feeds/introduction) for e.g. security research. They do not collect any Personally Identifiable Information. [https://dns0.eu/privacy](https://dns0.eu/privacy)
-[^5]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy)
-[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://quad9.net/privacy/policy](https://quad9.net/privacy/policy)
+[^1]:
+    AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested within the last 24 hours.
+    > We need this information to identify and block new trackers and threats.
+    > We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters.
+
+    AdGuard DNS: [*Privacy Policy*](https://adguard-dns.io/en/privacy.html)
+[^2]:
+    Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours.
+
+    1.1.1.1 Public DNS Resolver: [*Cloudflare’s commitment to privacy*](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver)
+[^3]:
+    Control D only logs specific account data for Premium resolvers with custom DNS profiles. Free resolvers do not retain any data.
+
+    Control D: [*Privacy Policy*](https://controld.com/privacy)
+[^4]:
+    DNS0.eu collects some data for their threat intelligence feeds to monitor for newly registered/observed/active domains and other bulk data. That data is shared with some [partners](https://docs.dns0.eu/data-feeds/introduction) for e.g. security research. They do not collect any personally identifiable information.
+
+    DNS0.eu: [*Privacy Policy*](https://dns0.eu/privacy)
+[^5]:
+    Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way.
+
+    Mullvad: [*No-logging of user activity policy*](https://mullvad.net/en/help/no-logging-data-policy)
+[^6]:
+    Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared for purposes like furthering their security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable.
+
+    Quad9: [*Data and Privacy Policy*](https://quad9.net/privacy/policy)
 
 ## Self-Hosted DNS Filtering
 
@@ -97,12 +117,12 @@ These DNS filtering solutions offer a web dashboard where you can customize the
 <details class="downloads" markdown>
 <summary>Downloads</summary>
 
-- [:fontawesome-brands-windows: Windows](https://docs.controld.com/docs/gui-setup-utility)
-- [:simple-apple: macOS](https://docs.controld.com/docs/gui-setup-utility)
-- [:simple-linux: Linux](https://docs.controld.com/docs/ctrld)
 - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.controld.setuputility)
 - [:simple-appstore: App Store](https://apps.apple.com/app/1518799460)
 - [:simple-github: GitHub](https://github.com/Control-D-Inc/ctrld/releases)
+- [:fontawesome-brands-windows: Windows](https://docs.controld.com/docs/gui-setup-utility)
+- [:simple-apple: macOS](https://docs.controld.com/docs/gui-setup-utility)
+- [:simple-linux: Linux](https://docs.controld.com/docs/ctrld)
 
 </details>
 
@@ -124,11 +144,11 @@ These DNS filtering solutions offer a web dashboard where you can customize the
 <details class="downloads" markdown>
 <summary>Downloads</summary>
 
+- [:simple-appstore: App Store](https://apps.apple.com/app/nextdns/id1463342498)
+- [:simple-github: GitHub](https://github.com/nextdns/nextdns/releases)
 - [:fontawesome-brands-windows: Windows](https://github.com/nextdns/nextdns/wiki/Windows)
 - [:simple-apple: macOS](https://apps.apple.com/us/app/nextdns/id1464122853)
 - [:simple-linux: Linux](https://github.com/nextdns/nextdns/wiki)
-- [:simple-appstore: App Store](https://apps.apple.com/app/nextdns/id1463342498)
-- [:simple-github: GitHub](https://github.com/nextdns/nextdns/releases)
 
 </details>
 
@@ -136,9 +156,9 @@ These DNS filtering solutions offer a web dashboard where you can customize the
 
 When used with an account, NextDNS will enable insights and logging features by default (as some features require it). You can choose retention time and log storage location for any logs you choose to keep, or disable logs altogether.
 
-NextDNS's free plan is fully functional, but should not be relied upon for security or other critical filtering applications, because after 300,000 DNS queries in a month all filtering, logging, and other account-based functionality is disabled. It can still be used as a regular DNS provider after that point, so your devices will continue to function and make secure queries via DNS-over-HTTPS, just without your filter lists.
+NextDNS's free plan is fully functional, but should not be relied upon for security or other critical filtering applications, because after 300,000 DNS queries in a month all filtering, logging, and other account-based functionality are disabled. It can still be used as a regular DNS provider after that point, so your devices will continue to function and make secure queries via DNS-over-HTTPS (DoH), just without your filter lists.
 
-NextDNS also offers public DNS-over-HTTPS service at `https://dns.nextdns.io` and DNS-over-TLS/QUIC at `dns.nextdns.io`, which are available by default in Firefox and Chromium, and subject to their default no-logging [privacy policy](https://nextdns.io/privacy).
+NextDNS also offers a public DoH service at `https://dns.nextdns.io` and DNS-over-TLS/QUIC (DoT/DoQ) at `dns.nextdns.io`, which are available by default in Firefox and Chromium, and subject to their default, no-logging [privacy policy](https://nextdns.io/privacy).
 
 ## Encrypted DNS Proxies
 
@@ -151,7 +171,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ad
 ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right }
 ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right }
 
-**RethinkDNS** is an open-source Android client that supports [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy. It also provides additional functionality such as caching DNS responses, locally logging DNS queries, and using the app as a firewall.
+**RethinkDNS** is an open-source Android client that supports [DoH](advanced/dns-overview.md#dns-over-https-doh), [DoT](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy. It also provides additional functionality such as caching DNS responses, locally logging DNS queries, and using the app as a firewall.
 
 [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" }
@@ -170,13 +190,13 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ad
 
 While RethinkDNS takes up the Android VPN slot, you can still use a VPN or Orbot with the app by [adding a WireGuard configuration](https://docs.rethinkdns.com/proxy/wireguard) or [manually configuring Orbot as a Proxy server](https://docs.rethinkdns.com/firewall/orbot), respectively.
 
-### dnscrypt-proxy
+### DNSCrypt-Proxy
 
 <div class="admonition recommendation" markdown>
 
-![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
+![DNSCrypt-Proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right }
 
-**dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
+**DNSCrypt-Proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DoH](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
 
 [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary }
 [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation}
@@ -205,14 +225,14 @@ The anonymized DNS feature does [not](advanced/dns-overview.md#why-shouldnt-i-us
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 
-All DNS products must support:
+All DNS products...
 
-- [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
-- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
-- Anonymize [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) or disable it by default.
+- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec).
+- Must support [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization).
+- Must anonymize [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) or disable it by default.
 
-Additionally, all public providers:
+Additionally, all public providers...
 
-- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support.
-- Must not log any personal data to disk
-    - As noted in our footnotes, some providers collect query information for example, for purposes like security research, but in that case that data must not be associated with any PII such as IP address, etc.
+- Must not log any personal data to disk.
+    - As noted in the footnotes, some providers collect query information for purposes like security research, but in that case the data must not be associated with any PII such as IP address, etc.
+- Should support [anycast](https://en.wikipedia.org/wiki/Anycast) or geo-steering.

docs/email-aliasing.md

@@ -9,61 +9,77 @@ cover: email-aliasing.webp
 - [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown }
 - [:material-account-search: Public Exposure](basics/common-threats.md#limiting-public-information){ .pg-green }
 
-An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md). True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes.
-
-<div class="grid cards" markdown>
-
-- ![addy.io logo](assets/img/email-aliasing/addy.svg){ .twemoji } [addy.io](email-aliasing.md#addyio)
-- ![SimpleLogin logo](assets/img/email-aliasing/simplelogin.svg){ .twemoji } [SimpleLogin](email-aliasing.md#simplelogin)
-
-</div>
+An **email aliasing service** allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your [email provider](email.md).
 
 Email aliasing can also act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning.
 
-Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain:
+## Benefits
+
+Using a service which allows you to individually manage email aliases has a number of benefits over conventional mailbox management/filtering methods:
+
+### Over Plus Addressing
+
+True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like `yourname+[anythinghere]@example.com`, because websites, advertisers, and tracking networks can trivially remove anything after the `+` sign. Organizations like the [IAB](https://en.wikipedia.org/wiki/Interactive_Advertising_Bureau) require that advertisers [normalize email addresses](https://shkspr.mobi/blog/2023/01/the-iab-loves-tracking-users-but-it-hates-users-tracking-them) so that they can be correlated and tracked, regardless of users' privacy wishes.
+
+### Over Catch-All Aliases
+
+Using a dedicated email aliasing service has a number of benefits over a catch-all alias on a custom domain:
 
 - Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly.
 - Replies are sent from the alias address, shielding your real email address.
 
-They also have a number of benefits over "temporary email" services:
+### Over Temporary Email Services
+
+Email aliasing services also have a number of benefits over "temporary email" services:
 
 - Aliases are permanent and can be turned on again if you need to receive something like a password reset.
 - Emails are sent to your trusted mailbox rather than stored by the alias provider.
 - Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, while aliases are private to you.
 
-Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign.
+## Recommended Providers
+
+<div class="grid cards" markdown>
+
+- ![Addy.io logo](assets/img/email-aliasing/addy.svg){ .twemoji } [Addy.io](email-aliasing.md#addyio)
+- ![SimpleLogin logo](assets/img/email-aliasing/simplelogin.svg){ .twemoji } [SimpleLogin](email-aliasing.md#simplelogin)
+
+</div>
+
+Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as on your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the `@` symbol.
 
 Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption[^1], which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider.
 
-### addy.io
+### Addy.io
 
 <div class="admonition recommendation" markdown>
 
-![addy.io logo](assets/img/email-aliasing/addy.svg){ align=right }
+![Addy.io logo](assets/img/email-aliasing/addy.svg){ align=right }
 
-**addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited "standard" aliases.
+**Addy.io** lets you create 10 domain aliases on a shared domain for free, or unlimited ["standard" aliases](https://addy.io/faq/#what-is-a-standard-alias).
 
 [:octicons-home-16: Homepage](https://addy.io){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://addy.io/privacy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://addy.io/faq){ .card-link title=Documentation}
+[:octicons-info-16:](https://addy.io/faq){ .card-link title="Documentation" }
 [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" }
-[:octicons-heart-16:](https://addy.io/donate){ .card-link title=Contribute }
+[:octicons-heart-16:](https://addy.io/donate){ .card-link title="Contribute" }
 
 <details class="downloads" markdown>
 <summary>Downloads</summary>
 
-- [:simple-android: Android](https://addy.io/faq/#is-there-an-android-app)
-- [:material-apple-ios: iOS](https://addy.io/faq/#is-there-an-ios-app)
+- [:simple-googleplay: Google Play](https://addy.io/faq/#is-there-an-android-app)
+- [:simple-appstore: App Store](https://addy.io/faq/#is-there-an-ios-app)
 - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/addy_io)
-- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/addyio-anonymous-email-fo/iadbdpnoknmbdeolbapdackdcogdmjpe)
+- [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/iadbdpnoknmbdeolbapdackdcogdmjpe)
 
 </details>
 
 </div>
 
-The number of shared aliases (which end in a shared domain like @addy.io) that you can create is limited to 10 on addy.io's free plan, 50 on their $1/month plan and unlimited on the $4/month plan (billed $3 for a year). You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), addy.io's official reseller.
+The number of shared aliases (which end in a shared domain like `@addy.io`) that you can create depends on the [plan](https://addy.io/#pricing) you are subscribed to. You can pay for these plans using [cryptocurrency](https://addy.io/help/subscribing-with-cryptocurrency) or purchase a voucher code from [ProxyStore](https://addy.io/help/voucher-codes), Addy.io's official reseller.
 
-You can create unlimited standard aliases which end in a domain like @[username].addy.io or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service. Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf).
+You can create unlimited standard aliases which end in a domain like `@[username].addy.io` or a custom domain on paid plans. However, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. They are useful where a shared domain might be blocked by a service.
+
+Securitum [audited](https://addy.io/blog/addy-io-passes-independent-security-audit) Addy.io in September 2023 and no significant vulnerabilities [were identified](https://addy.io/addy-io-security-audit.pdf).
 
 Notable free features:
 
@@ -85,7 +101,7 @@ If you cancel your subscription, you will still enjoy the features of your paid
 
 [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://simplelogin.io/privacy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title=Documentation}
+[:octicons-info-16:](https://simplelogin.io/docs){ .card-link title="Documentation" }
 [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }
 
 <details class="downloads" markdown>
@@ -96,18 +112,18 @@ If you cancel your subscription, you will still enjoy the features of your paid
 - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
 - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/simplelogin)
 - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
-- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
+- [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/diacfpipniklenphgljfkmhinphjlfff)
 - [:simple-safari: Safari](https://apps.apple.com/app/id6475835429)
 
 </details>
 
 </div>
 
-SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
+SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing.
 
-You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free.
+You can link your SimpleLogin account in the settings with your Proton account. If you have Proton Pass Plus, Proton Unlimited, or any multi-user Proton plan, you will have SimpleLogin Premium for free. You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller [ProxyStore](https://simplelogin.io/faq).
 
-You can also purchase a voucher code for SimpleLogin Premium anonymously via their official reseller, [ProxyStore](https://simplelogin.io/faq).
+Securitum [audited](https://simplelogin.io/blog/security-audit) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).
 
 Notable free features:
 
@@ -120,6 +136,6 @@ When your subscription ends, all aliases you created will still be able to recei
 
 ## Criteria
 
-**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email service, and conduct your own research to ensure the provider you choose is the right choice for you.
+**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we evaluate email aliasing providers to the same standard as our regular [email provider criteria](email.md#criteria) where applicable. We suggest you familiarize yourself with this list before choosing an email aliasing service, and conduct your own research to ensure the provider you choose is the right choice for you.
 
 [^1]: Automatic PGP encryption allows you to encrypt non-encrypted incoming emails before they are forwarded to your mailbox, making sure your primary mailbox provider never sees unencrypted email content.

docs/email-clients.md

@@ -9,7 +9,7 @@ cover: email-clients.webp
 - [:material-server-network: Service Providers](basics/common-threats.md#privacy-from-service-providers){ .pg-teal }
 - [:material-target-account: Targeted Attacks](basics/common-threats.md#attacks-against-specific-individuals){ .pg-red }
 
-The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
+The **email clients** we recommend support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](basics/account-creation.md#sign-in-with-oauth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) to prevent account theft.
 
 <details class="warning" markdown>
 <summary>Email does not provide forward secrecy</summary>
@@ -110,39 +110,6 @@ Currently, GPG Suite does [not yet](https://gpgtools.com/sonoma) have a stable r
 
 Apple Mail has the ability to load remote content in the background or block it entirely and hide your IP address from senders on [macOS](https://support.apple.com/guide/mail/mlhl03be2866/mac) and [iOS](https://support.apple.com/guide/iphone/iphf084865c7/ios).
 
-### Canary Mail (iOS)
-
-<div class="admonition recommendation" markdown>
-
-![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right }
-
-**Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock.
-
-[:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://canarymail.io/help){ .card-link title="Documentation" }
-
-<details class="downloads" markdown>
-<summary>Downloads</summary>
-
-- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
-- [:simple-appstore: App Store](https://apps.apple.com/app/id1155470386)
-- [:fontawesome-brands-windows: Windows](https://canarymail.io/downloads.html)
-- [:simple-apple: macOS](https://apps.apple.com/app/id1236045954)
-
-</details>
-
-</div>
-
-<details class="warning" markdown>
-<summary>Warning</summary>
-
-Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts.
-
-</details>
-
-Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE.
-
 ### FairEmail (Android)
 
 <div class="admonition recommendation" markdown>

docs/email.md

@@ -19,19 +19,19 @@ Email is practically a necessity for using any online service, however we do not
 
 For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. Read our [full list of criteria](#criteria) for more information.
 
-| Provider | OpenPGP / WKD | IMAP / SMTP | Zero Access Encryption | Anonymous Payments |
+| Provider | OpenPGP / WKD | IMAP / SMTP | Zero-Access Encryption | Anonymous Payment Methods |
 |---|---|---|---|---|
 | [Proton Mail](#proton-mail) | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Paid plans only | :material-check:{ .pg-green } | Cash |
 | [Mailbox.org](#mailboxorg) | :material-check:{ .pg-green } | :material-check:{ .pg-green } | :material-information-outline:{ .pg-blue } Mail only | Cash |
-| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero & Cash via third-party |
+| [Tuta](#tuta) | :material-alert-outline:{ .pg-orange } | :material-alert-outline:{ .pg-orange } | :material-check:{ .pg-green } | Monero <br>Cash via third party |
 
-In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP.
+In addition to (or instead of) an email provider recommended here, you may wish to consider a dedicated [email aliasing service](email-aliasing.md#recommended-providers) to protect your privacy. Among other things, these services can help protect your real inbox from spam, prevent marketers from correlating your accounts, and encrypt all incoming messages with PGP.
 
 - [More Information :material-arrow-right-drop-circle:](email-aliasing.md)
 
 ## OpenPGP Compatible Services
 
-These providers natively support OpenPGP encryption/decryption and the [Web Key Directory standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
+These providers natively support OpenPGP encryption/decryption and the [Web Key Directory (WKD) standard](basics/email-security.md#what-is-the-web-key-directory-standard), allowing for provider-agnostic end-to-end encrypted emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it.
 
 <div class="grid cards" markdown>
 
@@ -45,7 +45,9 @@ These providers natively support OpenPGP encryption/decryption and the [Web Key
 
 When using E2EE technology like OpenPGP your email will still have some metadata that is not encrypted in the header of the email, generally including the subject line! Read more about [email metadata](basics/email-security.md#email-metadata-overview).
 
-OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
+OpenPGP also does not support forward secrecy, which means if the private key of either you or the message recipient is ever stolen, all previous messages encrypted with it will be exposed.
+
+- [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys)
 
 </div>
 
@@ -55,7 +57,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the
 
 ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right }
 
-**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland. The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free.
+**Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. Proton AG is based in Geneva, Switzerland.
+
+The Proton Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free.
 
 [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary }
 [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" }
@@ -78,9 +82,9 @@ OpenPGP also does not support Forward secrecy, which means if either your or the
 
 </div>
 
-Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
+Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g., Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free.
 
-If you have the Proton Unlimited plan or any multi-user Proton plan, you also get [SimpleLogin](email-aliasing.md#simplelogin) Premium for free.
+A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com).
 
 Proton Mail has internal crash reports that are **not** shared with third parties. This can be disabled in the web app: :gear: → **All Settings** → **Account** → **Security and privacy** → **Privacy and data collection**.
 
@@ -90,7 +94,7 @@ Paid Proton Mail subscribers can use their own domain with the service or a [cat
 
 #### :material-check:{ .pg-green } Private Payment Methods
 
-Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments.
+Proton Mail [accepts](https://proton.me/support/payment-options) **cash** by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments.
 
 #### :material-check:{ .pg-green } Account Security
 
@@ -104,9 +108,9 @@ Certain information stored in [Proton Contacts](https://proton.me/support/proton
 
 #### :material-check:{ .pg-green } Email Encryption
 
-Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account.
+Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. Proton also supports automatic external key discovery with WKD. This means that emails sent to other providers which use WKD will be automatically encrypted with OpenPGP as well, without the need to manually exchange public PGP keys with your contacts. They also allow you to [encrypt messages to non-Proton Mail addresses without OpenPGP](https://proton.me/support/password-protected-emails), without the need for them to sign up for a Proton Mail account.
 
-Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like @proton.me. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately.
+Proton Mail also publishes the public keys of Proton accounts via HTTP from their WKD. This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Proton's own domains, like `@proton.me`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately.
 
 #### :material-information-outline:{ .pg-blue } Account Termination
 
@@ -114,9 +118,7 @@ If you have a paid account and your [bill is unpaid](https://proton.me/support/d
 
 #### :material-information-outline:{ .pg-blue } Additional Functionality
 
-Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage.
-
-Proton Mail doesn't offer a digital legacy feature.
+Proton Mail's [Unlimited](https://proton.me/support/proton-plans#proton-unlimited) plan also enables access to other Proton services in addition to providing multiple custom domains, unlimited hide-my-email aliases, and 500 GB of storage.
 
 ### Mailbox.org
 
@@ -124,7 +126,9 @@ Proton Mail doesn't offer a digital legacy feature.
 
 ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right }
 
-**Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2 GB storage, which can be upgraded as needed.
+**Mailbox.org** is an email service with a focus on being secure, ad-free, and powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany.
+
+Accounts start with up to 2 GB storage, which can be upgraded as needed.
 
 [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
@@ -145,23 +149,23 @@ Mailbox.org lets you use your own domain, and they support [catch-all](https://k
 
 #### :material-check:{ .pg-green } Private Payment Methods
 
-Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and a couple of German-specific processors: paydirekt and Sofortüberweisung.
+Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept **cash** by mail, **cash** payment to bank account, bank transfer, credit card, PayPal, and a couple of German-specific processors: Paydirekt and Sofortüberweisung.
 
 #### :material-check:{ .pg-green } Account Security
 
-Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported.
+Mailbox.org supports [two-factor authentication](https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa) for their webmail only. You can use either TOTP or a [YubiKey](https://en.wikipedia.org/wiki/YubiKey) via the [YubiCloud](https://yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) are not yet supported.
 
 #### :material-information-outline:{ .pg-blue } Data Security
 
 Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/en/private/e-mail-article/your-encrypted-mailbox). New messages that you receive will then be immediately encrypted with your public key.
 
-However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information.
+However, [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/en/private/security-privacy-article/encryption-of-calendar-and-address-book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that data.
 
 #### :material-check:{ .pg-green } Email Encryption
 
 Mailbox.org has [integrated encryption](https://kb.mailbox.org/en/private/e-mail-article/send-encrypted-e-mails-with-guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/en/private/e-mail-article/my-recipient-does-not-use-pgp) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
 
-Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like @mailbox.org. If you use a custom domain, you must [configure WKD](./basics/email-security.md#what-is-the-web-key-directory-standard) separately.
+Mailbox.org also supports the discovery of public keys via HTTP from their WKD. This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily for cross-provider E2EE. This only applies to email addresses ending in one of Mailbox.org's own domains, like `@mailbox.org`. If you use a custom domain, you must [configure WKD](basics/email-security.md#what-is-the-web-key-directory-standard) separately.
 
 #### :material-information-outline:{ .pg-blue } Account Termination
 
@@ -173,7 +177,7 @@ You can access your Mailbox.org account via IMAP/SMTP using their [.onion servic
 
 All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/en/private/drive-article/encrypt-files-on-your-drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/en/private/e-mail-article/ensuring-e-mails-are-sent-securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3.
 
-Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
+Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs, providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address.
 
 ## More Providers
 
@@ -192,7 +196,9 @@ These providers store your emails with zero-knowledge encryption, making them gr
 ![Tuta logo](assets/img/email/tuta.svg#only-light){ align=right }
 ![Tuta logo](assets/img/email/tuta-dark.svg#only-dark){ align=right }
 
-**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany. Free accounts start with 1 GB of storage.
+**Tuta** (formerly *Tutanota*) is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011 and is based in Hanover, Germany.
+
+Free accounts start with 1 GB of storage.
 
 [:octicons-home-16: Homepage](https://tuta.com){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://tuta.com/privacy){ .card-link title="Privacy Policy" }
@@ -223,7 +229,7 @@ Paid Tuta accounts can use either 15 or 30 aliases depending on their plan and u
 
 #### :material-information-outline:{ .pg-blue } Private Payment Methods
 
-Tuta only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore.
+Tuta only directly accepts credit cards and PayPal, however [**cryptocurrency**](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tuta.com/support/#cryptocurrency) with ProxyStore.
 
 #### :material-check:{ .pg-green } Account Security
 
@@ -231,7 +237,7 @@ Tuta supports [two-factor authentication](https://tuta.com/support#2fa) with eit
 
 #### :material-check:{ .pg-green } Data Security
 
-Tuta has [zero access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you.
+Tuta has [zero-access encryption at rest](https://tuta.com/support#what-encrypted) for your emails, [address book contacts](https://tuta.com/support#encrypted-address-book), and [calendars](https://tuta.com/support#calendar). This means the messages and other data stored in your account are only readable by you.
 
 #### :material-information-outline:{ .pg-blue } Email Encryption
 
@@ -245,8 +251,6 @@ Tuta will [delete inactive free accounts](https://tuta.com/support#inactive-acco
 
 Tuta offers the business version of [Tuta to non-profit organizations](https://tuta.com/blog/secure-email-for-non-profit) for free or with a heavy discount.
 
-Tuta doesn't offer a digital legacy feature.
-
 ## Self-Hosting Email
 
 Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. In addition to the "all-in-one" solutions below, we've picked out a few articles that cover a more manual approach:
@@ -312,22 +316,22 @@ We regard these features as important in order to provide a safe and optimal ser
 
 **Minimum to Qualify:**
 
-- Encrypts email account data at rest with zero-access encryption.
-- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard.
+- Must encrypt email account data at rest with zero-access encryption.
+- Must be capable of exporting emails as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .EML with [RFC5322](https://datatracker.ietf.org/doc/rfc5322) standard.
 - Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
-- Operates on owned infrastructure, i.e. not built upon third-party email service providers.
+- Must operate on owned infrastructure, i.e. not built upon third-party email service providers.
 
 **Best Case:**
 
-- Encrypts all account data (Contacts, Calendars, etc.) at rest with zero-access encryption.
-- Integrated webmail E2EE/PGP encryption provided as a convenience.
-- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP.
-    GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com`
-- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
-- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion).
-- [Sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) support.
+- Should encrypt all account data (contacts, calendars, etc.) at rest with zero-access encryption.
+- Should provide integrated webmail E2EE/PGP encryption as a convenience.
+- Should support WKD to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key with this command: `gpg --locate-key example_user@example.com`.
+- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP.
+- Should support [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing).
+- Should allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy.
 - Catch-all or alias functionality for those who use their own domains.
-- Use of standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+- Should use standard email access protocols such as IMAP, SMTP, or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider.
+- Email provider's services should be available via an [onion service](https://en.wikipedia.org/wiki/.onion).
 
 ### Privacy
 
@@ -335,30 +339,30 @@ We prefer our recommended providers to collect as little data as possible.
 
 **Minimum to Qualify:**
 
-- Protect sender's IP address, which can involve filtering it from showing in the `Received` header field.
-- Don't require personally identifiable information (PII) besides a username and a password.
-- Privacy policy that meets the requirements defined by the GDPR.
+- Must protect sender's IP address, which can involve filtering it from showing in the `Received` header field.
+- Must not require personally identifiable information (PII) besides a username and a password.
+- Privacy policy must meet the requirements defined by the GDPR.
 
 **Best Case:**
 
-- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.)
-- Hosted in a jurisdiction with strong email privacy protection laws.
+- Should accept [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.)
+- Should be hosted in a jurisdiction with strong email privacy protection laws.
 
 ### Security
 
-Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their customers.
+Email servers deal with a lot of very sensitive data. We expect that providers will adopt industry best practices in order to protect their customers.
 
 **Minimum to Qualify:**
 
-- Protection of webmail with 2FA, such as TOTP.
-- Zero access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
+- Protection of webmail with 2FA, such as [TOTP](basics/multi-factor-authentication.md#time-based-one-time-password-totp).
+- Zero-access encryption, which builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server.
 - [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support.
 - No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://hardenize.com), [testssl.sh](https://testssl.sh), or [Qualys SSL Labs](https://ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)).
-- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
+- A server suite preference (optional on TLS 1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
 - A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy.
 - Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records.
 - Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records.
-- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
+- Must have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`.
 - A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996).
 - [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used.
 - Website security standards such as:
@@ -368,10 +372,10 @@ Email servers deal with a lot of very sensitive data. We expect that providers w
 
 **Best Case:**
 
-- Support for hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online).
+- Should support hardware authentication, i.e. U2F and [WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online).
 - [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support.
-- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
-- Published security audits from a reputable third-party firm.
+- Should implement [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), which is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617).
+- Published security audits from a reputable, third-party firm.
 - Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
 - Website security standards such as:
     - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy)
@@ -396,18 +400,15 @@ With the email providers we recommend, we like to see responsible marketing.
 **Minimum to Qualify:**
 
 - Must self-host analytics (no Google Analytics, Adobe Analytics, etc.).
-
-Must not have any irresponsible marketing, which can include the following:
-
-- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
-- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.:
-
-    - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.)
-    - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
+- Must not have any irresponsible marketing, which can include the following:
+    - Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it.
+    - Guarantees of protecting anonymity 100%. When someone makes a claim that something is 100%, it means there is no certainty for failure. We know people can quite easily de-anonymize themselves in a number of ways, e.g.:
+        - Reusing personal information e.g. (email accounts, unique pseudonyms, etc.) that they accessed without anonymity software such as Tor
+        - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)
 
 **Best Case:**
 
-- Clear and easy to read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc.
+- Clear and easy-to-read documentation for tasks like setting up 2FA, email clients, OpenPGP, etc.
 
 ### Additional Functionality
 

docs/encryption.md

@@ -367,13 +367,6 @@ gpg --quick-gen-key alice@example.com future-default
 
 ### GPG Suite
 
-<div class="admonition note" markdown>
-<p class="admonition-title">Note</p>
-
-We suggest [Canary Mail](email-clients.md#canary-mail-ios) for using PGP with email on iOS devices.
-
-</div>
-
 <div class="admonition recommendation" markdown>
 
 ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }

docs/health-and-wellness.md

@@ -3,7 +3,7 @@ meta_title: "Privacy Respecting Health and Wellness apps for Android and iOS - P
 title: "Health and Wellness Apps"
 icon: material/heart-pulse
 description: These applications are what we currently recommend for all health and fitness-related activites on your phone.
-cover: health-cover.webp
+cover: health.webp
 ---
 <small>Protects against the following threat(s):</small>
 
@@ -15,13 +15,13 @@ Keep track of your health and fitness-related goals with these apps. Unlike thei
 
 Popular menstrual trackers like [Flo](https://techcrunch.com/2021/01/13/flo-gets-ftc-slap-for-sharing-user-data-when-it-promised-privacy) are notorious for collecting and sharing your user data. Depending on your jurisdiction, this may lead to [legal consequences](https://forbes.com/sites/abigaildubiniecki/2024/11/14/post-roe-your-period-app-data-could-be-used-against-you) affecting your reproductive autonomy.
 
-### drip.
+### Drip
 
 <div class="admonition recommendation" markdown>
 
-![drip logo](assets/img/health-and-wellness/drip.png){ align=right }
+![Drip logo](assets/img/health-and-wellness/drip.png){ align=right }
 
-**drip.** is a gender-inclusive and open source menstrual cycle tracker available on all mobile platforms. It relies on the "sympto-thermal method" to predict ovulation. All user data is stored locally on your device and can be protected with a password.
+**Drip** is a gender-inclusive and open source menstrual cycle tracker available on all mobile platforms. It relies on the "sympto-thermal method" to predict ovulation. All user data is stored locally on your device and can be protected with a password.
 
 [:octicons-home-16: Homepage](https://bloodyhealth.gitlab.io){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://bloodyhealth.gitlab.io/privacy-policy.html){ .card-link title="Privacy Policy" }

docs/maps.md

@@ -25,14 +25,14 @@ Features include cycling routes, hiking trails and walking paths, turn-by-turn n
 
 [:octicons-home-16: Homepage](https://organicmaps.app){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://organicmaps.app/privacy){ .card-link title="Privacy Policy" }
-[:octicons-code-16:](https://github.com/organicmaps/organicmaps){ .card-link title="Source Code" }
+[:octicons-code-16:](https://git.omaps.dev/organicmaps/organicmaps){ .card-link title="Source Code" }
 
 <details class="downloads" markdown>
 <summary>Downloads</summary>
 
-- [:simple-github: GitHub](https://github.com/organicmaps/organicmaps)
 - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.organicmaps)
 - [:simple-appstore: App Store](https://apps.apple.com/app/organic-maps/id1567437057)
+- [:simple-forgejo: Forgejo](https://git.omaps.dev/organicmaps/organicmaps/releases)
 - [:simple-linux: Linux](https://flathub.org/apps/app.organicmaps.desktop)
 
 </details>

docs/meta/pr-comments.md

@@ -0,0 +1,43 @@
+---
+title: Commenting on PRs
+description: A guide on participating in Pull Request discussions.
+---
+Please refrain from using the general **Add a comment** box in GitHub PRs when leaving a comment or performing a review.
+
+![Do not use the general "Add a comment" box in GitHub](../assets/img/meta/pr-avoid-general-comments.png)
+
+Comments that are left like this are not *threaded*, which makes it difficult to keep track of multiple conversations.
+
+Comments that are instead left in the manner described below will have a built-in reply box to keep conversations in a single thread. These comments can also be marked as resolved afterwards, so that discussion can be tracked more easily.
+
+![A screenshot of a comment in GitHub which has a built-in "reply" box, highlighted in orange.](../assets/img/meta/pr-threaded-comment.png)
+
+## Commenting
+
+To start a threaded comment, you should leave all comments under the :octicons-file-diff-16: **Files changed** tab in a PR.
+
+![Screenshot of the tabs for a pull request. The "Files changed" tab is outlined in dark orange.](https://docs.github.com/assets/cb-23571/mw-1440/images/help/pull_requests/pull-request-tabs-changed-files.webp)
+
+To leave a *general* comment on a PR, click the :octicons-comment-16: comment icon to the right of a file:
+
+![Screenshot of an image file on the "Files changed" page of a pull request. To the right of the file, a comment icon is outlined in orange.](https://docs.github.com/assets/cb-73771/mw-1440/images/help/pull_requests/pull-request-comment-on-file.webp)
+
+If the PR has multiple files changed, comment on the primary or most relevant file changed, or comment on the first file if you can't decide.
+
+To leave a comment *on a specific line* of a PR, hover over the line where you'd like to add a comment, and click the blue comment icon:
+
+![Screenshot of a diff in a pull request. Next to a line number, a blue plus icon is highlighted with an orange outline.](https://docs.github.com/assets/cb-44227/mw-1440/images/help/commits/hover-comment-icon.webp)
+
+(Optionally, you can add a comment on multiple lines. You can click the line number of the first line you want to comment on and drag down to select a range of lines, then click the blue comment icon on the last line you want to comment on. Alternatively, you can click the blue comment icon next to the first line you want to comment on, then drag down to the last line you want to comment on.)
+
+Then, type your comment and click **Add single comment**.
+
+## Reviewing
+
+When performing a review, follow the same steps as above, but click **Start a review** (and subsequently, **Add a review comment**) instead of **Add single comment**.
+
+Then, click the green **Finish your review** button at the top of the page.
+
+Do not leave any discussion comments in the *Leave a comment* box in the review finalization pop-up. You can leave it blank, or leave a short note if it will not require any follow-up. To comment on something that will require further discussion, add a comment on a file as described above instead.
+
+Then, click **Submit review**.

docs/meta/uploading-images.md

@@ -88,8 +88,8 @@ scour --set-precision=5 \
 
 ### WebP
 
-Use the [cwebp](https://developers.google.com/speed/webp/docs/using) command to convert PNG or JPEG image files to WebP format:
+Use the [`cwebp`](https://developers.google.com/speed/webp/docs/using) command to convert PNG or JPEG image files to WebP format:
 
 ```bash
-cwebp -q 70 -m 6 input_file -o output.webp
+cwebp -m 6 input_file -o output.webp
 ```

docs/os/android-overview.md

@@ -89,11 +89,13 @@ Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/
 
 ## Privacy Features
 
-### User Profiles
+### Multiple Users
 
-Multiple **user profiles** can be found in :gear: **Settings** → **System** → **Users** and are the simplest way to isolate in Android.
+The option to enable **multiple users** can be found in :gear: **Settings** → **System** → **Users**, and are the simplest way to isolate in Android.
 
-With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
+Even a single person can take advantage of using multiple user accounts. To limit the applications you run on your phone, you can impose restrictions on a specific account, such as making calls, using SMS, or installing apps. Each account is encrypted using its own encryption key and cannot access the data of any other users. Even the device owner cannot view the data of secondary users without knowing their password. Multiple users are a more secure method of isolation than work profiles or a private space.
+
+[:material-star-box: How to Take Advantage of Multiple Users](/articles/2025/04/23/taking-advantage-of-android-user-profiles/){ .md-button }
 
 ### Work Profile
 
@@ -131,7 +133,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr
 
 The Advanced Protection Program provides enhanced threat monitoring and enables:
 
-- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
+- Stricter two-factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](../basics/account-creation.md#sign-in-with-oauth)
 - Only Google and verified third-party apps can access account data
 - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
 - Stricter [safe browser scanning](https://google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
@@ -153,7 +155,9 @@ If you have an EOL device shipped with Android 10 or above and are unable to run
 
 All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248) used for targeted advertising. Disable this feature to limit the data collected about you.
 
-On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*.
+On Android distributions with [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **All services** → **Ads**.
+
+- [x] Select **Delete advertising ID**
 
 On Android distributions with privileged Google Play Services (which includes the stock installation on most devices), the setting may be in one of several locations. Check
 

docs/os/linux-overview.md

@@ -55,7 +55,7 @@ Distros which use atomic updates, on the other hand, apply updates in full or no
 
 The atomic update method can achieve reliability with this model and is used for [distributions](../desktop.md#atomic-distributions) like Silverblue and NixOS. [Adam Šamalík](https://twitter.com/adsamalik) provides a presentation on how `rpm-ostree` works with Silverblue:
 
-- [Let's try Fedora Silverblue — an immutable desktop OS! - Adam Šamalík](https://youtu.be/aMo4ZlWznao) <small>(YouTube)</small>
+- [Let's try Fedora Silverblue — an immutable desktop OS! - Adam Šamalík](https://youtu.be/-hpV5l-gJnQ) <small>(YouTube)</small>
 
 ### “Security-focused” distributions
 

docs/os/macos-overview.md

@@ -195,7 +195,7 @@ Just because one of an app's processes is sandboxed doesn't mean they all are.
 Alternatively, you can check apps before you run them by running this command in the terminal:
 
 ``` zsh
-% codesign -dvvv --entitlements - <path to your app>
+codesign -dvvv --entitlements - <path to your app>
 ```
 
 If an app is sandboxed, you should see the following output:
@@ -215,7 +215,7 @@ The [Hardened Runtime](https://developer.apple.com/documentation/security/harden
 You can check if an app uses the Hardened Runtime using this command:
 
 ``` zsh
-codesign --display --verbose /path/to/bundle.app
+codesign -dv <path to your app>
 ```
 
 If Hardened Runtime is enabled, you will see `flags=0x10000(runtime)`. The `runtime` output means Hardened Runtime is enabled. There might be other flags, but the runtime flag is what we're looking for here.

docs/passwords.md

@@ -105,7 +105,7 @@ schema:
   -
     "@context": http://schema.org
     "@type": SoftwareApplication
-    name: gopass
+    name: Gopass
     image: /assets/img/password-management/gopass.svg
     url: https://gopass.pw
     applicationCategory: Password Manager
@@ -363,13 +363,13 @@ KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-se
 
 </div>
 
-### gopass (CLI)
+### Gopass (CLI)
 
 <div class="admonition recommendation" markdown>
 
-![gopass logo](assets/img/password-management/gopass.svg){ align=right }
+![Gopass logo](assets/img/password-management/gopass.svg){ align=right }
 
-**gopass** is a minimal password manager for the command line written in Go. It can be used within scripting applications and works on all major desktop and server operating systems.
+**Gopass** is a minimal password manager for the command line written in Go. It can be used within scripting applications and works on all major desktop and server operating systems.
 
 [:octicons-home-16: Homepage](https://gopass.pw){ .md-button .md-button--primary }
 [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title="Documentation" }

docs/photo-management.md

@@ -15,10 +15,9 @@ Most cloud **photo management solutions** like Google Photos, Flickr, and Amazon
 
 <div class="admonition recommendation" markdown>
 
-![Ente logo](assets/img/photo-management/ente.svg#only-light){ align=right }
-![Ente logo](assets/img/photo-management/ente-dark.svg#only-dark){ align=right }
+![Ente logo](assets/img/photo-management/ente.svg){ align=right }
 
-**Ente Photos** is an end-to-end encrypted photo backup service which supports automatic backups on iOS and Android. Their code is fully open-source, both on the client side and on the server side. It is also [self-hostable](https://github.com/ente-io/ente/tree/main/server#self-hosting). The free plan offers 5 GB of storage as long as you use the service at least once a year.
+**Ente Photos** is an end-to-end encrypted photo backup service which supports automatic backups on iOS and Android. Their code is fully open-source, both on the client side and on the server side. It is also [self-hostable](https://github.com/ente-io/ente/tree/main/server#self-hosting). The free plan offers 10 GB of storage as long as you use the service at least once a year.
 
 [:octicons-home-16: Homepage](https://ente.io){ .md-button .md-button--primary }
 [:octicons-eye-16:](https://ente.io/privacy){ .card-link title="Privacy Policy" }

docs/social-networks.md

@@ -0,0 +1,123 @@
+---
+title: Social Networks
+icon: material/account-supervisor-circle-outline
+description: Find a new social network that doesn’t pry into your data or monetize your profile.
+cover: social-networks.webp
+---
+<small>Protects against the following threat(s):</small>
+
+- [:material-close-outline: Censorship](basics/common-threats.md#avoiding-censorship){ .pg-blue-gray }
+- [:material-account-cash: Surveillance Capitalism](basics/common-threats.md#surveillance-as-a-business-model){ .pg-brown }
+
+These privacy-respecting **social networks** allow you to participate in online communities without giving up your personal information, like your full name, phone number, and other data commonly requested by tech companies.
+
+A growing problem among social media platforms is censorship in two different forms. First, they often acquiesce to illegitimate censorship requests, either from malicious governments or their own internal policies.
+
+Second, they often require accounts to access walled-off content that would otherwise be published freely on the open internet. This effectively censors the browsing activities of privacy-conscious users who are unable to pay the privacy cost of opening an account on these networks.
+
+The social networks we recommend solve the issue of censorship by operating atop an open and decentralized social networking protocol. While it is possible for your account to be banned or silenced by an individual server, there is no central authority which can censor your account across the entire network. They also don't require an account merely to view publicly available content.
+
+You should note that **no** social networks are appropriate for private or sensitive communications. For chatting directly with others, you should use a recommended [instant messenger](real-time-communication.md) with strong end-to-end encryption, and only use direct messages on social media in order to establish a more private and secure chat platform with your contacts.
+
+## Mastodon
+
+<div class="admonition recommendation" markdown>
+
+![Mastodon logo](assets/img/social-networks/mastodon.svg){ align=right }
+
+**Mastodon** is a social network based on open web protocols and free, open-source software. It uses the **:simple-activitypub: ActivityPub** protocol, which is decentralized like email: users can exist on different servers or even different platforms but still communicate with each other.
+
+[:octicons-home-16: Homepage](https://joinmastodon.org){ .md-button .md-button--primary }
+[:octicons-info-16:](https://docs.joinmastodon.org){ .card-link title="Documentation" }
+
+</div>
+
+There are many software platforms which use ActivityPub as their backend social networking protocol, meaning they can talk to servers even when they are running different software. For example, PeerTube is a video publishing software that uses ActivityPub, meaning you can follow channels on PeerTube either with another PeerTube account, *or* with a Mastodon account because Mastodon also uses ActivityPub.
+
+We chose to recommend Mastodon over other ActivityPub software as your primary social media platform for these reasons:
+
+1. Mastodon has a solid history of security updates. In the handful of circumstances where major security vulnerabilities have been found, they coordinate patch releases quickly and cleanly. Historically they have also backported these security patches to older feature branches. This makes it easier for less experienced server hosts who may not feel comfortable upgrading to the latest releases right away to keep their instances secure. Mastodon also has an update notification system built in to the web interface, making it much more likely for server administrators to be aware of critical security patches available for their instance.
+
+2. Mastodon is largely usable with most content types. While it is primarily a microblogging platform, Mastodon easily handles longer posts, image posts, video posts, and most other posts you might encounter when following ActivityPub users who aren't on Mastodon. This makes your Mastodon account an ideal "central hub" for following anyone regardless of the platform they chose to use. In contrast, if you were only using a PeerTube account, you would *only* be able to follow other video channels, for example.
+
+3. Mastodon has fairly comprehensive privacy controls. It has many built-in features which allow you to limit how and when your data is shared, some of which we'll cover below. They also develop new features with privacy in mind. For example, while other ActivityPub software quickly implemented "quote posts" by merely handling links to other posts with a slightly different embed modal, Mastodon is [developing](https://blog.joinmastodon.org/2025/02/bringing-quote-posts-to-mastodon/) a quote post feature which will give you more fine-grained control when your post is quoted.
+
+### Choosing an Instance
+
+To benefit the most from Mastodon, it is critical to choose a server, or "instance," which is well aligned with the type of content you want to post or read about. While censorship in Mastodon does not exist on a network level, it is very possible to experience censorship on a server level depending on your server's administrator.
+
+It is critical to understand that Mastodon is not a single, unified service in the way that X (Twitter) or Facebook are. Each server is its own legal entity, with its own privacy policy, terms of use, administration team, and moderators. While many of these servers are far *less* restrictive and more privacy-respecting than traditional social media platforms, some can be far *more* restrictive or potentially *worse* for your privacy. The Mastodon software does not discriminate between these administrators or place any limitations on their powers.
+
+We do not currently recommend any specific instances, but you may find advice within our communities. We recommend avoiding *mastodon.social* and *mastodon.online* because they are operated by the same company which develops Mastodon itself. From the perspective of decentralization, it is better in the long term to separate software developers and server hosts so that no one party can exert too much control over the network as a whole.
+
+If you are greatly concerned about an existing server censoring your content or the content you can view, you generally have two options:
+
+1. **Host Mastodon yourself.** This approach gives you the exact same censorship resistance as any other website you can host yourself, which is fairly high. Mastodon even [integrates with the Tor network](https://docs.joinmastodon.org/admin/optional/tor) for more extreme scenarios where even your underlying hosting provider is subject to censorship, but this may limit who can access your content to only other servers which integrate with Tor, like most other hidden services.
+
+    Mastodon benefits greatly from a large and active self-hosting community, and its administration is comprehensively documented. While many other ActivityPub platforms can require extensive technical knowledge to run and troubleshoot, Mastodon has very stable and tested releases, and it can generally be run securely without issue by anyone who can use the Linux command line and follow [step-by-step instructions](https://docs.joinmastodon.org/admin/prerequisites).
+
+2. **Use a managed hosting service.** We don't have any specific recommendations, but there are a variety of Mastodon hosting services which will create a brand-new Mastodon server on your own domain (or occasionally a subdomain of their domain, but we recommend against this unless registering your own domain presents too much of a burden to your privacy).
+
+    Typically, Mastodon hosting providers will handle the *technical* side of your instance, but they completely leave the *moderation* side up to you. This means that you will be able to follow any content you like, although it may expose you to more spam or unwanted content because you will not have the dedicated moderation team many larger instances will have.
+
+    This often represents a better approach than self-hosting for most people, because you can benefit from greater control over your own instance without worrying about technical problems or unpatched security vulnerabilities.
+
+    You should look closely at your hosting provider's terms of service and acceptable use policies before registering. These are often far more broad than typical hosted instance rules, and they are far less likely to be enforced without recourse, but they can still be restrictive in undesirable ways.
+
+### Recommended Privacy Settings
+
+From Mastodon's web interface, click the **Administration** link in the right sidebar. Within the administration control panel, you'll find these sections in the left sidebar:
+
+#### Public Profile
+
+There are a number of privacy controls under the **privacy and reach** tab here. Most notably, pay attention to these:
+
+- [ ] **Automatically accept new followers**: You should consider unchecking this box to have a private profile. This will allow you to review who can follow your account before accepting them.
+
+    In contrast to most social media platforms, if you have a private profile you still have the *option* to publish posts which are publicly visible to non-followers, and which can still be boosted and seen by non-followers. Therefore, unchecking this box is the only way to have the *choice* to publish to either the entire world or a select group of people.
+
+- [ ] **Show follows and followers on profile**: You should uncheck this box to hide your social graph from the public. It is fairly uncommon for the list of people you follow to have some genuine benefit to others, but that information can present a risk to you.
+
+- [ ] **Display from which app you sent a post**: You should uncheck this box to prevent revealing information about your personal computing setup to others unnecessarily.
+
+The other privacy controls on this page should be read through, but we would stress that they are **not** technical controls—they are merely requests that you make to others. For example, if you choose to hide your profile from search engines on this page, **nothing** is actually stopping a search engine from reading your profile. You are merely requesting search engine indexes not publish your content to their users.
+
+You will likely still wish to make these requests because they can practically reduce your digital footprint. However, they should not be *relied* upon. The only effective way to hide your posts from search engines and others is to post with non-public (followers only) visibility settings *and* limit who can follow your account.
+
+#### Preferences
+
+You should change your **posting privacy** setting from public to: **Followers-only - Only show to followers**.
+
+Note that this only changes your default settings to prevent accidental over-sharing. You can always adjust your visibility level when composing a new post.
+
+#### Automated post deletion
+
+- [x] Check the **Automatically delete old posts** box.
+
+The default settings here are fine, and will delete any posts you make after 2 weeks, unless you favorite (star) them. This gives you an easy way to control which posts stick around forever, and which ones are only ephemeral. Many settings about how long and when posts are kept can be adjusted here to suit your own needs, however.
+
+It is very rare for social media posts older than a few weeks to be read or relevant to others. These older posts are often ignored because they are challenging to deal with in bulk, but they can build a fairly comprehensive profile about you over time. You should always strive to publish content ephemerally by default, and only keep posts around for longer than that very intentionally.
+
+### Posting Content
+
+When publishing a new post, you will have the option to choose from one of these visibility settings:
+
+- **Public**, which publishes your content to anyone on the internet.
+- **Quiet public**, which you should consider equivalent to publicly posting! This is not a technical guarantee, merely a request you are making to other servers to hide your post from some feeds.
+- **Followers**, which publishes your content only to your followers. If you did not follow our recommendation of restricting your followers, you should consider this equivalent to publicly posting!
+- **Specific people**, which only shares the post with people who are specifically mentioned within the post. This is Mastodon's version of direct messages, but should never be relied on for private communications as we covered earlier, since Mastodon has no E2EE.
+
+If you used our recommended configuration settings above, you should be posting to **Followers** by default, and only posting to **Public** on an intentional and case-by-case basis.
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+- Must be free and open source software.
+- Must use a federated protocol to communicate with other instances of the social networking software.
+- Must not have non-technical restrictions on who can be federated with.
+- Must be usable within a standard [web browser](desktop-browsers.md).
+- Must make public content accessible to visitors without an account.
+- Must allow you to limit who can follow your profile.
+- Must allow you to post content visible only to your followers.
+- Must support modern web application security standards/features (including [multifactor authentication](multi-factor-authentication.md)).

docs/tools.md

@@ -114,7 +114,6 @@ For more details about each project, why they were chosen, and additional tips o
 
 <div class="grid cards" markdown>
 
-- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji loading=lazy } [Orbot (Smartphone Tor Proxy)](tor.md#orbot)
 - ![Onion Browser logo](assets/img/self-contained-networks/onion_browser.svg){ .twemoji loading=lazy } [Onion Browser (Tor for iOS)](tor.md#onion-browser-ios)
 
 </div>
@@ -215,7 +214,7 @@ If you're looking for added **security**, you should always ensure you're connec
 
 <div class="grid cards" markdown>
 
-- ![addy.io logo](assets/img/email-aliasing/addy.svg){ .twemoji loading=lazy } [addy.io](email-aliasing.md#addyio)
+- ![Addy.io logo](assets/img/email-aliasing/addy.svg){ .twemoji loading=lazy } [Addy.io](email-aliasing.md#addyio)
 - ![SimpleLogin logo](assets/img/email-aliasing/simplelogin.svg){ .twemoji loading=lazy } [SimpleLogin](email-aliasing.md#simplelogin)
 
 </div>
@@ -241,7 +240,6 @@ If you're looking for added **security**, you should always ensure you're connec
 
 - ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji loading=lazy } [Thunderbird](email-clients.md#thunderbird)
 - ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji loading=lazy } [Apple Mail (macOS)](email-clients.md#apple-mail-macos)
-- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji loading=lazy } [Canary Mail (iOS)](email-clients.md#canary-mail-ios)
 - ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji loading=lazy } [FairEmail (Android)](email-clients.md#fairemail-android)
 - ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji loading=lazy } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome)
 - ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji loading=lazy } [Kontact (Linux)](email-clients.md#kontact-kde)
@@ -290,7 +288,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 <div class="grid cards" markdown>
 
 - ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji loading=lazy }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji loading=lazy } [RethinkDNS](dns.md#rethinkdns)
-- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji loading=lazy } [dnscrypt-proxy](dns.md#dnscrypt-proxy)
+- ![DNSCrypt-Proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji loading=lazy } [DNSCrypt-Proxy](dns.md#dnscrypt-proxy)
 
 </div>
 
@@ -334,7 +332,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
+- ![Ente logo](assets/img/photo-management/ente.svg){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -362,7 +360,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 <div class="grid cards" markdown>
 
 - ![Kobold logo](assets/img/ai-chat/kobold.png){ .twemoji loading=lazy } [Kobold.cpp](ai-chat.md#koboldcpp)
-- ![Llamafile logo](assets/img/ai-chat/llamafile.svg){ .twemoji loading=lazy } [Llamafile](ai-chat.md#llamafile)
+- ![Llamafile logo](assets/img/ai-chat/llamafile.png){ .twemoji loading=lazy } [Llamafile](ai-chat.md#llamafile)
 - ![Ollama logo](assets/img/ai-chat/ollama.png){ .twemoji loading=lazy } [Ollama (CLI)](ai-chat.md#ollama-cli)
 
 </div>
@@ -486,7 +484,7 @@ For encrypting your OS drive, we typically recommend using the encryption tool y
 
 <div class="grid cards" markdown>
 
-- ![drip. logo](assets/img/health-and-wellness/drip.png){ .twemoji loading=lazy } [drip.](health-and-wellness.md#drip)
+- ![Drip logo](assets/img/health-and-wellness/drip.png){ .twemoji loading=lazy } [Drip](health-and-wellness.md#drip)
 - ![Euki logo](assets/img/health-and-wellness/euki.svg){ .twemoji loading=lazy } [Euki](health-and-wellness.md#euki)
 - ![Apple Health logo](assets/img/health-and-wellness/apple-health.svg#only-light){ .twemoji loading=lazy } ![Apple Health logo](assets/img/health-and-wellness/apple-health-dark.svg#only-dark){ .twemoji loading=lazy }[Apple Health](health-and-wellness.md#apple-health)
 - ![Gadgetbridge logo](assets/img/health-and-wellness/gadgetbridge.svg#only-light){ .twemoji loading=lazy }![Gadgetbridge logo](assets/img/health-and-wellness/gadgetbridge-dark.svg#only-dark){ .twemoji loading=lazy } [Gadgetbridge](health-and-wellness.md#gadgetbridge)
@@ -581,7 +579,7 @@ For encrypting your OS drive, we typically recommend using the encryption tool y
 - ![Psono logo](assets/img/password-management/psono.svg){ .twemoji loading=lazy } [Psono](passwords.md#psono)
 - ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji loading=lazy } [KeePassXC](passwords.md#keepassxc)
 - ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji loading=lazy } [KeePassDX (Android)](passwords.md#keepassdx-android)
-- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji loading=lazy } [gopass (CLI)](passwords.md#gopass-cli)
+- ![Gopass logo](assets/img/password-management/gopass.svg){ .twemoji loading=lazy } [Gopass (CLI)](passwords.md#gopass-cli)
 
 </div>
 
@@ -612,6 +610,16 @@ For encrypting your OS drive, we typically recommend using the encryption tool y
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+### Social Networks
+
+<div class="grid cards" markdown>
+
+- ![Mastodon logo](assets/img/social-networks/mastodon.svg){ .twemoji loading=lazy } [Mastodon](social-networks.md#mastodon)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](social-networks.md)
+
 ## Hardware
 
 ### Security Keys
@@ -678,13 +686,14 @@ For encrypting your OS drive, we typically recommend using the encryption tool y
 <div class="grid cards" markdown>
 
 - ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji loading=lazy } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
-- ![Fedora logo](assets/img/linux-desktop/fedora.svg){ .twemoji loading=lazy } [Fedora Workstation](desktop.md#fedora-workstation)
+- ![Fedora logo](assets/img/linux-desktop/fedora.svg){ .twemoji loading=lazy } [Fedora Linux](desktop.md#fedora-linux)
 - ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji loading=lazy } [openSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
 - ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji loading=lazy } [Arch Linux](desktop.md#arch-linux)
 - ![Fedora logo](assets/img/linux-desktop/fedora.svg){ .twemoji loading=lazy } [Fedora Atomic Desktops](desktop.md#fedora-atomic-desktops)
 - ![NixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji loading=lazy } [NixOS](desktop.md#nixos)
 - ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji loading=lazy } [Whonix (Tor)](desktop.md#whonix)
 - ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji loading=lazy } [Tails (Live Boot)](desktop.md#tails)
+- ![Secureblue logo](assets/img/linux-desktop/secureblue.svg){ .twemoji loading=lazy } [Secureblue](desktop.md#secureblue)
 - ![Kicksecure logo](assets/img/linux-desktop/kicksecure.svg){ .twemoji loading=lazy } [Kicksecure](desktop.md#kicksecure)
 
 </div>
@@ -710,9 +719,10 @@ These tools may provide utility for certain individuals. They provide functional
 
 <div class="grid cards" markdown>
 
-- ![I2P logo](./assets/img/self-contained-networks/i2p.svg#only-light){ .twemoji loading=lazy } ![I2P logo](./assets/img/self-contained-networks/i2p-dark.svg#only-dark){ .twemoji loading=lazy } [I2P](alternative-networks.md#i2p-the-invisible-internet-project)
-- ![Tor logo](./assets/img/self-contained-networks/tor.svg){ .twemoji loading=lazy } [Tor](alternative-networks.md#tor)
-- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji loading=lazy }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji loading=lazy } [Snowflake](alternative-networks.md#snowflake)
+- ![I2P logo](assets/img/self-contained-networks/i2p.svg#only-light){ .twemoji loading=lazy } ![I2P logo](assets/img/self-contained-networks/i2p-dark.svg#only-dark){ .twemoji loading=lazy } [I2P](alternative-networks.md#i2p-the-invisible-internet-project)
+- ![Tor logo](assets/img/self-contained-networks/tor.svg){ .twemoji loading=lazy } [Tor](alternative-networks.md#tor)
+- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji loading=lazy } [Orbot (Mobile Tor Proxy)](alternative-networks.md#orbot)
+- ![Snowflake logo](assets/img/self-contained-networks/snowflake.svg#only-light){ .twemoji loading=lazy }![Snowflake logo](assets/img/self-contained-networks/snowflake-dark.svg#only-dark){ .twemoji loading=lazy } [Snowflake](alternative-networks.md#snowflake)
 
 </div>
 
@@ -722,7 +732,7 @@ These tools may provide utility for certain individuals. They provide functional
 
 <div class="grid cards" markdown>
 
-- ![MVT logo](assets/img/device-integrity/mvt.webp){ .twemoji loading=lazy } [Mobile Verification Toolkit](device-integrity.md#mobile-verification-toolkit)
+- ![MVT logo](assets/img/device-integrity/mvt.webp#only-light){ .twemoji loading=lazy }![MVT logo](assets/img/device-integrity/mvt-dark.png#only-dark){ .twemoji loading=lazy } [Mobile Verification Toolkit](device-integrity.md#mobile-verification-toolkit)
 - ![iMazing logo](assets/img/device-integrity/imazing.png){ .twemoji loading=lazy } [iMazing (iOS)](device-integrity.md#imazing-ios)
 - ![Auditor logo](assets/img/device-integrity/auditor.svg#only-light){ .twemoji loading=lazy }![Auditor logo](assets/img/device-integrity/auditor-dark.svg#only-dark){ .twemoji loading=lazy } [Auditor (Android)](device-integrity.md#auditor-android)
 

docs/tor.md

@@ -42,7 +42,7 @@ Before connecting to Tor, please ensure you've read our [overview](advanced/tor-
 
 There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for [:material-incognito: anonymous](basics/common-threats.md#anonymity-vs-privacy){ .pg-purple } browsing for desktop computers and Android.
 
-Some of these apps are better than others, and again making a determination comes down to your threat model. If you are a casual Tor user who is not worried about your ISP collecting evidence against you, using apps like [Orbot](#orbot) or mobile browser apps to access the Tor network is probably fine. Increasing the number of people who use Tor on an everyday basis helps reduce the bad stigma of Tor, and lowers the quality of "lists of Tor users" that ISPs and governments may compile.
+Some of these apps are better than others, and again making a determination comes down to your threat model. If you are a casual Tor user who is not worried about your ISP collecting evidence against you, using mobile browser apps like [Onion Browser](#onion-browser-ios) to access the Tor network is probably fine. Increasing the number of people who use Tor on an everyday basis helps reduce the bad stigma of Tor, and lowers the quality of "lists of Tor users" that ISPs and governments may compile.
 
 If more complete anonymity is paramount to your situation, you should **only** be using the desktop Tor Browser client, ideally in a [Whonix](desktop.md#whonix) + [Qubes](desktop.md#qubes-os) configuration. Mobile browsers are less common on Tor (and more fingerprintable as a result), and other configurations are not as rigorously tested against deanonymization.
 
@@ -84,46 +84,6 @@ The Tor Browser is designed to prevent fingerprinting, or identifying you based
 
 In addition to installing Tor Browser on your computer directly, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser alone.
 
-## Orbot
-
-<div class="admonition recommendation" markdown>
-
-![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right }
-
-**Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network.
-
-[:octicons-home-16: Homepage](https://orbot.app){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation}
-[:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" }
-[:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute }
-
-<details class="downloads" markdown>
-<summary>Downloads</summary>
-
-- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
-- [:simple-appstore: App Store](https://apps.apple.com/app/id1609461599)
-- [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
-
-</details>
-
-</div>
-
-We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1]
-
-<div class="admonition tip" markdown>
-<p class="admonition-title">Tips for Android</p>
-
-Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN kill switch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.
-
-Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead.
-
-All versions are signed using the same signature, so they should be compatible with each other.
-
-</div>
-
-On iOS, Orbot has some limitations that could potentially cause crashes or leaks: iOS does not have an effective OS-level feature to block connections without a VPN like Android does, and iOS has an artificial memory limit for network extensions that makes it challenging to run Tor in Orbot without crashes. Currently, it is always safer to use Tor on a desktop computer compared to a mobile device.
-
 ## Onion Browser (iOS)
 
 <div class="admonition recommendation" markdown>
@@ -149,6 +109,6 @@ On iOS, Orbot has some limitations that could potentially cause crashes or leaks
 
 Onion Browser does not provide the same levels of privacy protections as Tor Browser does on desktop platforms. For casual use it is a perfectly fine way to access hidden services, but if you're concerned about being traced or monitored by advanced adversaries you should not rely on this as an anonymity tool.
 
-[Notably](https://github.com/privacyguides/privacyguides.org/issues/2929), Onion Browser does not *guarantee* all requests go through Tor. When using the built-in version of Tor, [your real IP **will** be leaked via WebRTC and audio/video streams](https://onionbrowser.com/faqs) due to limitations of WebKit. It is *safer* to use Onion Browser alongside Orbot, but this still comes with some limitations on iOS (noted in the Orbot section above).
+[Notably](https://github.com/privacyguides/privacyguides.org/issues/2929), Onion Browser does not *guarantee* all requests go through Tor. When using the built-in version of Tor, [your real IP **will** be leaked via WebRTC and audio/video streams](https://onionbrowser.com/faqs) due to limitations of WebKit. It is *safer* to use Onion Browser alongside [Orbot](alternative-networks.md#orbot), but this still comes with some limitations on iOS.
 
 [^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people.

docs/vpn.md

@@ -108,6 +108,15 @@ Unfortunately, it does not work very well in countries where sophisticated filte
 
 Proton VPN has published [App Store](https://apps.apple.com/app/id1437005085) and [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/ProtonVPN/android-app/releases).
 
+<div class="admonition warning" markdown>
+<p class="admonition-title">How to opt out of sharing telemetry</p>
+
+On Android, Proton hides telemetry settings under the misleadingly labeled "**Help us fight censorship**" menu in the settings panel. On other platforms these settings can be found under the "**Usage statistics**" menu.
+
+We are noting this because while we don't necessarily recommend against sharing anonymous usage statistics with developers, it is important that these settings are easily found and clearly labeled.
+
+</div>
+
 #### :material-information-outline:{ .pg-blue } Additional Notes
 
 Proton VPN clients support two-factor authentication on all platforms. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer content blocking and known-malware blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](tor.md#tor-browser) for this purpose.

includes/abbreviations.en.txt

@@ -107,3 +107,5 @@
 *[W3C]: World Wide Web Consortium
 *[XMPP]: Extensible Messaging and Presence Protocol
 *[PWA]: Progressive Web App
+*[PWAs]: Progressive Web Apps
+*[WKD]: Web Key Directory

includes/contributors.md

@@ -450,6 +450,8 @@
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/bruch-alex"><img src="https://avatars.githubusercontent.com/u/173354246?v=4" width="100px;" loading=lazy /><br /><sub><b>Alex Bruch</b></sub></a><br /><a href="#translation-bruch-alex" title="Translation">🌍</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/qiyongzheng"><img src="https://avatars.githubusercontent.com/u/153378707?v=4" width="100px;" loading=lazy /><br /><sub><b>qiyongzheng</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=qiyongzheng" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/hashcatHitman"><img src="https://avatars.githubusercontent.com/u/155700084?v=4" width="100px;" loading=lazy /><br /><sub><b>Sam K</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=hashcatHitman" title="Documentation">📖</a> <a href="#promotion-hashcatHitman" title="Promotion">📣</a> <a href="#question-hashcatHitman" title="Answering Questions">💬</a></td>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/Spirizer"><img src="https://avatars.githubusercontent.com/u/51120100?v=4" width="100px;" loading=lazy /><br /><sub><b>Spirizer</b></sub></a><br /><a href="#translation-Spirizer" title="Translation">🌍</a></td>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/jordbm"><img src="https://avatars.githubusercontent.com/u/160433264?v=4" width="100px;" loading=lazy /><br /><sub><b>jordbm</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=jordbm" title="Documentation">📖</a> <a href="#maintenance-jordbm" title="Maintenance">🚧</a> <a href="#security-jordbm" title="Security">🛡️</a></td>
     </tr>
   </tbody>
   <tfoot>

mkdocs.blog.yml

@@ -128,6 +128,7 @@ plugins:
   blog:
     blog_dir: .
     blog_toc: true
+    pagination_per_page: 16
     post_url_format: "{date}/{file}"
     post_excerpt: required
     post_excerpt_max_authors: 0

mkdocs.videos.yml

@@ -128,6 +128,7 @@ plugins:
   blog:
     blog_dir: .
     blog_toc: true
+    pagination_per_page: 16
     post_url_format: "{date}/{file}"
     post_excerpt_max_authors: 0
     authors_profiles: false

mkdocs.yml

@@ -428,6 +428,7 @@ nav:
           - "passwords.md"
           - "pastebins.md"
           - "real-time-communication.md"
+          - "social-networks.md"
       - !ENV [NAV_HARDWARE, "Hardware"]:
           - "mobile-phones.md"
           - "security-keys.md"
@@ -473,6 +474,7 @@ nav:
               - "meta/uploading-images.md"
               - "meta/git-recommendations.md"
               - "meta/commit-messages.md"
+              - "meta/pr-comments.md"
 
 validation:
   nav:

theme/assets/img/linux-desktop/secureblue.svg

@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="448"
+   height="448"
+   viewBox="0 0 448 448"
+   version="1.1"
+   id="svg1"
+   xml:space="preserve"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+     id="defs1"><linearGradient
+       id="linearGradient10"
+       x1="119.00664"
+       y1="9.9706745"
+       x2="9.8707094"
+       y2="118.384"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1.1666666,0,0,1.1666666,-10.666666,-10.666666)"
+       spreadMethod="pad"><stop
+         stop-color="#76C9F6"
+         id="stop6"
+         offset="0"
+         style="stop-color:#3dc7f5;stop-opacity:1;" /><stop
+         stop-color="#76C9F6"
+         id="stop7"
+         offset="0.25"
+         style="stop-color:#0da6f2;stop-opacity:1;" /><stop
+         stop-color="#76C9F6"
+         id="stop8"
+         offset="0.5"
+         style="stop-color:#5f82c9;stop-opacity:1;" /><stop
+         stop-color="#76C9F6"
+         id="stop9"
+         offset="0.75"
+         style="stop-color:#7259a6;stop-opacity:1;" /><stop
+         offset="1"
+         stop-color="#715680"
+         id="stop10"
+         style="stop-color:#744e74;stop-opacity:1;" /></linearGradient><linearGradient
+       xlink:href="#linearGradient10"
+       id="linearGradient6"
+       x1="367.99997"
+       y1="62.010296"
+       x2="143.99998"
+       y2="449.98965"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.97816594,-32,-31.30131)" /><filter
+       style="color-interpolation-filters:sRGB"
+       id="filter40"
+       x="-0.024489796"
+       y="-0.01875"
+       width="1.0693878"
+       height="1.0609375"><feFlood
+         result="flood"
+         in="SourceGraphic"
+         flood-opacity="0.75"
+         flood-color="rgb(64,0,128)"
+         id="feFlood39" /><feGaussianBlur
+         result="blur"
+         in="SourceGraphic"
+         stdDeviation="2.000000"
+         id="feGaussianBlur39" /><feOffset
+         result="offset"
+         in="blur"
+         dx="4.000000"
+         dy="6.000000"
+         id="feOffset39" /><feComposite
+         result="comp1"
+         operator="in"
+         in="flood"
+         in2="offset"
+         id="feComposite39" /><feComposite
+         result="comp2"
+         operator="over"
+         in="SourceGraphic"
+         in2="comp1"
+         id="feComposite40" /></filter></defs><path
+     id="rect32-2"
+     style="display:inline;fill:#7a4f7b;fill-opacity:1;stroke-width:1.33345"
+     d="M 10.226928,212.286 C 10.164833,214.49216 0,220.55304 0,222.77506 0,347.54967 98.566,448 221,448 h 6 c 122.434,0 221,-100.45033 221,-225.22494 0,-2.22202 -16.24004,-3.47394 -16.30213,-5.6801 C 428.27178,340.46667 345.91556,421.48738 224,421.48738 102.08444,421.48738 13.653019,335.65771 10.226928,212.286 Z" /><rect
+     style="opacity:1;fill:url(#linearGradient6);fill-opacity:1;stroke-width:1.1203;stroke-linecap:round;stroke-linejoin:round"
+     id="rect4"
+     width="448"
+     height="438.21835"
+     x="0"
+     y="0"
+     ry="219.10918" /><g
+     id="g10"
+     style="filter:url(#filter40)"
+     transform="matrix(1,0,0,0.97816594,-32,-31.30131)"><path
+       d="m 184.50002,383.99994 c -6.73728,0 -12.50712,-2.38932 -17.30912,-7.168 -4.802,-4.77864 -7.19881,-10.51631 -7.19088,-17.21292 V 237.71429 c 0,-6.70501 2.40101,-12.44637 7.203,-17.22505 4.802,-4.77865 10.56768,-7.16426 17.297,-7.15592 h 12.25001 V 188.9524 c 0,-16.86372 5.97379,-31.24014 17.92183,-43.1297 11.9476,-11.89 26.39048,-17.83059 43.32816,-17.82269 16.94556,0 31.39264,5.94478 43.34023,17.83478 11.94808,11.88954 17.9177,26.26222 17.90972,43.11761 v 24.38092 h 12.25001 c 6.73727,0 12.50712,2.38935 17.30912,7.16798 4.802,4.77869 7.19881,10.51635 7.19088,17.21299 v 121.90473 c 0,6.70451 -2.40101,12.44636 -7.20301,17.22503 -4.802,4.77864 -10.56768,7.16378 -17.29699,7.15593 z m 73.5,-60.95235 c 6.73724,0 12.50711,-2.38932 17.30911,-7.168 4.80201,-4.77869 7.19881,-10.51631 7.19086,-17.21297 0,-6.70498 -2.40101,-12.44632 -7.20301,-17.22499 -4.802,-4.77869 -10.56765,-7.1643 -17.29696,-7.15593 -6.73777,0 -12.50715,2.38933 -17.30916,7.16801 -4.802,4.77867 -7.1988,10.5163 -7.19085,17.21291 0,6.70454 2.40101,12.44636 7.20301,17.22505 4.802,4.77867 10.56763,7.1638 17.297,7.15592 z m -36.75,-109.71427 h 73.49995 V 188.9524 c 0,-10.15874 -3.57279,-18.79377 -10.71883,-25.90466 -7.1456,-7.11136 -15.8228,-10.66679 -26.03112,-10.66679 -10.20836,0 -18.88556,3.55543 -26.03117,10.66679 -7.14603,7.11089 -10.71883,15.74592 -10.71883,25.90466 z"
+       fill="#f4f5ff"
+       id="path2"
+       style="display:inline;fill:#e5e5ff;fill-opacity:1;stroke-width:4.65526" /></g></svg>

theme/assets/img/pastebins/paaster.svg

@@ -1 +1,22 @@
-<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.99949 0 0 .99949 0 -4.3461e-6)" stroke-width=".17657"><path d="m18.887 33.875h-18.887v-33.884h33.867v33.884h-14.98m-11.23-6.4496v2.2541c0.52144-0.0234 0.91072-0.0407 1.3471-0.0603v-3.7967-3.7795c0.41355 0 0.72916 5.3e-4 1.0448-8e-5 2.8536-5e-3 5.7092 0.0554 8.5603-0.0316 4.4217-0.13491 7.8995-3.3228 8.4823-7.6524 0.5747-4.2695-1.9094-8.0926-6.177-9.378-0.97178-0.29269-2.0196-0.43877-3.036-0.45784-3.1467-0.059-6.2952-0.0252-9.443-0.0239-0.2281 9e-5 -0.45618 0.0282-0.77834 0.0495 0 7.5979 0 15.15-1.6e-5 22.877z" fill="#1a1824"/><path d="m7.657 27.338c8e-6 -7.6394 8e-6 -15.191 8e-6 -22.789 0.32216-0.0213 0.55024-0.0494 0.77834-0.0495 3.1478-1e-3 6.2963-0.0351 9.443 0.0239 1.0164 0.0191 2.0642 0.16514 3.036 0.45783 4.2676 1.2854 6.7517 5.1085 6.177 9.378-0.58279 4.3296-4.0606 7.5175-8.4823 7.6524-2.8511 0.087-5.7067 0.0263-8.5603 0.0316-0.31561 5.2e-4 -0.63122 8e-5 -1.0448 8e-5v3.7795 3.7967c-0.43638 0.0195-0.82566 0.0369-1.3471 0.0603 0-0.80413 0-1.5291 8e-6 -2.3416m5.6677-6.6578c1.7344-8e-3 3.4703 0.0274 5.2029-0.0332 3.9836-0.1393 7.0762-3.1038 7.2512-6.8959 0.18838-4.0816-2.4594-7.4006-6.5589-7.7594-3.1812-0.27844-6.4002-0.1252-9.6025-0.15673-0.19145-2e-3 -0.38352 0.0593-0.55944 0.0886v14.757h4.2667z" fill="#bdb9ba"/><path d="m13.236 20.68h-4.1784v-14.757c0.17592-0.0292 0.36799-0.0904 0.55944-0.0886 3.2023 0.0316 6.4214-0.12172 9.6025 0.15673 4.0994 0.35881 6.7472 3.6778 6.5589 7.7594-0.17502 3.792-3.2676 6.7566-7.2512 6.8959-1.7326 0.0606-3.4685 0.025-5.2912 0.0332z" fill="#1a1825"/></g></svg>
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" viewBox="265 216 515.02 606.02">
+<path transform="translate(272,216)" d="m0 0h332l26 3 21 5 21 8 16 8 16 10 14 11 18 18 12 16 11 19 8 19 6 19 5 24 2 18v35l-3 25-5 22-7 20-8 17-12 19-11 13-7 8-9 9-11 9-17 12-24 13-26 10-22 6-32 5-14 1-157 1-4 2-2 7v181l-2 8-5 4-2 1h-126l-6-4-3-5v-590l5-6zm143 126-5 3-2 7v148l2 6 4 2h135l17-3 15-5 15-8 12-11 8-9 9-16 4-12 2-12v-19l-3-15-5-12-8-12-8-9-12-9-16-8-14-4-17-2z" fill="#3757FC"/>
+<path transform="translate(726,270)" d="m0 0 7 6 10 12 11 17 8 16 7 17 6 22 4 23 1 11v35l-3 25-5 22-7 20-8 17-12 19-11 13-7 8-9 9-11 9-17 12-24 13-26 10-22 6-32 5-14 1-157 1-4 2-2 7v181l-2 8-5 4-2 1h-126l-6-4-2-4 9-2h118l5-3 1-187 2-7 5-5 5-2 164-1 23-2 22-4 21-6 21-8 22-12 17-12 14-12 13-13 13-17 11-19 7-16 7-22 4-21 2-18v-34l-2-18-6-29-9-27-6-13-4-8-6-9-9-11-4-4z" fill="#0217AF"/>
+<path transform="translate(272,216)" d="m0 0h332l26 3 21 5 21 8 12 6v3l5 1 6 5 3 1v2l3 2-1 2-4-2v-2l-7-2-19-10-13-5-9-2-8-3-15-3-11-1-26-1-19 1h-168l-58 1h-32l-4 1-4-1-1 1h-14l-9 2-5 2-1 122v171l-1 51-1 56-2 3-1 61v34l1 2v6l2 1 1 7-3 2-1 2h-2l-1-470v-55l5-6z" fill="#4A6DFE"/>
+<path transform="translate(411,332)" d="m0 0h142l19 3 17 6 13 7 10 8 7 7 9 14 1 6-3 1 1 11-2-2-6-12-10-13-11-9-14-8-15-5-21-3h-133l-5 3-1 6v148l1 6-9-1-2-5v-155l2-7 4-4z" fill="#0116AE"/>
+<path transform="translate(272,216)" d="m0 0h332l26 3 21 5 21 8 12 6v3l5 1 6 5 3 1v2l3 2-1 2-4-2v-2l-7-2-19-10-13-5-9-2-8-3-15-3-11-1-1-1-15-1h-319l-4 1-2 6-1 35-2 14 1 1v9l-2 1-1 7h3v9l-2-1-1 27 2 1-1 2-1 48-2 2-1-106v-55l5-6z" fill="#5378FD"/>
+<path transform="translate(639,430)" d="m0 0h1l-1 11-5 17-9 16-11 13-14 11-16 8-16 5-10 2-35 1h-107l-9-1 1-3 9-2 132-1 17-3 15-5 15-8 12-11 7-8 9-16 4-12 1-5 5-3 3-5z" fill="#557AFE"/>
+<path transform="translate(284,345)" d="m0 0 3 1v2h-2v2l3-1 3 6-4 2-1 3 1 4-4 5 1 8-4 10-1 5-1 19-2 7-1 7h-2l1-15 1-4v-18l1-16 4-10 1-12h3v-2l-3-1h3z" fill="#496CFE"/>
+<path transform="translate(639,430)" d="m0 0h1l-1 11-5 17-3 3v-2l-5 2h-3l-1 4-2-1 5-11 3-9 1-5 5-3 3-5z" fill="#496CFE"/>
+<path transform="translate(622,232)" d="m0 0h13l15 2 11 5 12 4 13 4 4 2-1 2-6-1-11-2-12-6-8-1-7-3-4-1-10-2h-15l-4 1-6-2v-1z" fill="#4A6DFF"/>
+<path transform="translate(651,225)" d="m0 0 9 2 23 10 1 4 5 1 6 5 3 1v2l3 2-1 2-4-2v-2l-7-2-19-10-13-5 4-1 9 3v-2l-5-1-13-5z" fill="#496CFE"/>
+<path transform="translate(266,679)" d="m0 0 2 1v48l1 2v6l2 1 1 7-3 2-1 2h-2z" fill="#4A6DFF"/>
+<path transform="translate(266,728)" d="m0 0 3 1v7l2 1 1 7-3 2-1 2h-2z" fill="#4568FE"/>
+<path transform="translate(726,270)" d="m0 0 7 6 10 12 5 8-5-2-6-10-11-12z" fill="#0A20B6"/>
+<path transform="translate(351,259)" d="m0 0 5 1v2l2 1h-5l1 3-4 1v-2l-4-2-1-2z" fill="#4A6DFF"/>
+<path transform="translate(651,225)" d="m0 0 9 2 14 6-4 1-16-6z" fill="#4163FD"/>
+<path transform="translate(270,749)" d="m0 0h1v9h-3l-1 9h-1v-17l2 3z" fill="#496BFE"/>
+<path transform="translate(417,508)" d="m0 0h7l-2 2-6 1-1 2h-8l1-3z" fill="#4A6DFF"/>
+<path transform="translate(276,406)" d="m0 0 2 1-1 5-2 13h-2l1-15z" fill="#4A6DFF"/>
+<path transform="translate(580,235)" d="m0 0 4 1v2l-10 4-1-3 4-2z" fill="#4A6DFF"/>
+<path transform="translate(684,239)" d="m0 0 6 2 8 5-4 2-2-4-5-2-3-1z" fill="#3C5DFD"/>
+</svg>

theme/assets/img/photo-management/ente-dark.svg

@@ -1 +0,0 @@
-<svg version="1.1" viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg"><g fill="#fff"><path d="m258.81 611.87c-18.342 0-34.491-3.588-48.447-10.766-13.757-7.177-24.424-16.946-32-29.307-7.576-12.561-11.364-26.816-11.364-42.766 0-16.149 3.688-30.404 11.065-42.765 7.576-12.561 17.844-22.33 30.803-29.308 12.96-7.178 27.613-10.766 43.962-10.766 15.75 0 29.906 3.389 42.466 10.168 12.76 6.579 22.829 16.149 30.205 28.709 7.377 12.361 11.066 27.215 11.066 44.56 0 1.794-0.1 3.888-0.299 6.28-0.2 2.193-0.399 4.287-0.599 6.281h-130.69v-27.215h106.17l-17.944 8.075c0-8.374-1.695-15.651-5.084-21.832-3.389-6.18-8.075-10.965-14.056-14.354-5.981-3.589-12.959-5.383-20.934-5.383s-15.053 1.794-21.233 5.383c-5.981 3.389-10.667 8.274-14.056 14.654-3.389 6.18-5.084 13.557-5.084 22.13v7.177c0 8.773 1.894 16.548 5.682 23.327 3.988 6.579 9.47 11.663 16.448 15.252 7.178 3.389 15.552 5.084 25.121 5.084 8.573 0 16.05-1.296 22.43-3.888 6.579-2.592 12.56-6.479 17.943-11.663l24.822 26.915c-7.376 8.374-16.647 14.854-27.812 19.439-11.165 4.386-24.025 6.579-38.579 6.579z"/><path d="m465.42 446.2c12.76 0 24.124 2.591 34.093 7.775 10.168 4.984 18.143 12.76 23.925 23.327 5.781 10.367 8.672 23.725 8.672 40.074v92.11h-46.653v-84.933c0-12.959-2.891-22.529-8.673-28.71-5.582-6.18-13.557-9.27-23.924-9.27-7.377 0-14.056 1.595-20.037 4.785-5.782 2.99-10.368 7.675-13.757 14.055-3.19 6.38-4.785 14.555-4.785 24.523v79.55h-46.653v-160.89h44.56v44.56l-8.374-13.458c5.782-10.766 14.056-19.04 24.822-24.822s23.027-8.672 36.784-8.672z"/><path d="m640.19 611.87c-18.94 0-33.694-4.784-44.261-14.354-10.566-9.77-15.85-24.224-15.85-43.364v-141.16h46.654v140.56c0 6.779 1.794 12.062 5.383 15.85 3.588 3.589 8.473 5.383 14.654 5.383 7.376 0 13.657-1.994 18.84-5.981l12.561 32.896c-4.785 3.39-10.567 5.982-17.346 7.776-6.579 1.595-13.457 2.392-20.635 2.392zm-84.933-123.81v-35.887h111.55v35.887h-111.55z"/><path d="m779.24 611.87c-18.343 0-34.492-3.588-48.448-10.766-13.757-7.177-24.423-16.946-31.999-29.307-7.577-12.561-11.365-26.816-11.365-42.766 0-16.149 3.689-30.404 11.065-42.765 7.577-12.561 17.844-22.33 30.804-29.308 12.959-7.178 27.613-10.766 43.961-10.766 15.751 0 29.906 3.389 42.467 10.168 12.76 6.579 22.828 16.149 30.205 28.709 7.377 12.361 11.065 27.215 11.065 44.56 0 1.794-0.1 3.888-0.299 6.28-0.199 2.193-0.399 4.287-0.598 6.281h-130.69v-27.215h106.17l-17.944 8.075c0-8.374-1.694-15.651-5.084-21.832-3.389-6.18-8.074-10.965-14.055-14.354-5.982-3.589-12.96-5.383-20.935-5.383s-15.052 1.794-21.233 5.383c-5.981 3.389-10.666 8.274-14.056 14.654-3.389 6.18-5.084 13.557-5.084 22.13v7.177c0 8.773 1.894 16.548 5.683 23.327 3.987 6.579 9.47 11.663 16.448 15.252 7.177 3.389 15.551 5.084 25.121 5.084 8.573 0 16.049-1.296 22.429-3.888 6.58-2.592 12.561-6.479 17.944-11.663l24.822 26.915c-7.377 8.374-16.648 14.854-27.813 19.439-11.165 4.386-24.024 6.579-38.578 6.579z"/></g></svg>

theme/assets/img/social-networks/mastodon.svg

@@ -0,0 +1,10 @@
+<svg width="75" height="79" viewBox="0 0 75 79" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M73.8393 17.4898C72.6973 9.00165 65.2994 2.31235 56.5296 1.01614C55.05 0.797115 49.4441 0 36.4582 0H36.3612C23.3717 0 20.585 0.797115 19.1054 1.01614C10.5798 2.27644 2.79399 8.28712 0.904997 16.8758C-0.00358524 21.1056 -0.100549 25.7949 0.0682394 30.0965C0.308852 36.2651 0.355538 42.423 0.91577 48.5665C1.30307 52.6474 1.97872 56.6957 2.93763 60.6812C4.73325 68.042 12.0019 74.1676 19.1233 76.6666C26.7478 79.2728 34.9474 79.7055 42.8039 77.9162C43.6682 77.7151 44.5217 77.4817 45.3645 77.216C47.275 76.6092 49.5123 75.9305 51.1571 74.7385C51.1797 74.7217 51.1982 74.7001 51.2112 74.6753C51.2243 74.6504 51.2316 74.6229 51.2325 74.5948V68.6416C51.2321 68.6154 51.2259 68.5896 51.2142 68.5661C51.2025 68.5426 51.1858 68.522 51.1651 68.5058C51.1444 68.4896 51.1204 68.4783 51.0948 68.4726C51.0692 68.4669 51.0426 68.467 51.0171 68.4729C45.9835 69.675 40.8254 70.2777 35.6502 70.2682C26.7439 70.2682 24.3486 66.042 23.6626 64.2826C23.1113 62.762 22.7612 61.1759 22.6212 59.5646C22.6197 59.5375 22.6247 59.5105 22.6357 59.4857C22.6466 59.4609 22.6633 59.4391 22.6843 59.422C22.7053 59.4048 22.73 59.3929 22.7565 59.3871C22.783 59.3813 22.8104 59.3818 22.8367 59.3886C27.7864 60.5826 32.8604 61.1853 37.9522 61.1839C39.1768 61.1839 40.3978 61.1839 41.6224 61.1516C46.7435 61.008 52.1411 60.7459 57.1796 59.7621C57.3053 59.7369 57.431 59.7154 57.5387 59.6831C65.4861 58.157 73.0493 53.3672 73.8178 41.2381C73.8465 40.7606 73.9184 36.2364 73.9184 35.7409C73.9219 34.0569 74.4606 23.7949 73.8393 17.4898Z" fill="url(#paint0_linear_549_34)"/>
+<path d="M61.2484 27.0263V48.114H52.8916V27.6475C52.8916 23.3388 51.096 21.1413 47.4437 21.1413C43.4287 21.1413 41.4177 23.7409 41.4177 28.8755V40.0782H33.1111V28.8755C33.1111 23.7409 31.0965 21.1413 27.0815 21.1413C23.4507 21.1413 21.6371 23.3388 21.6371 27.6475V48.114H13.2839V27.0263C13.2839 22.7176 14.384 19.2946 16.5843 16.7572C18.8539 14.2258 21.8311 12.926 25.5264 12.926C29.8036 12.926 33.0357 14.5705 35.1905 17.8559L37.2698 21.346L39.3527 17.8559C41.5074 14.5705 44.7395 12.926 49.0095 12.926C52.7013 12.926 55.6784 14.2258 57.9553 16.7572C60.1531 19.2922 61.2508 22.7152 61.2484 27.0263Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_549_34" x1="37.0692" y1="0" x2="37.0692" y2="79" gradientUnits="userSpaceOnUse">
+<stop stop-color="#6364FF"/>
+<stop offset="1" stop-color="#563ACC"/>
+</linearGradient>
+</defs>
+</svg>

videos/.authors.yml

@@ -1,17 +0,0 @@
-authors:
-  jordan:
-    name: Jordan Warne
-    description: Video Producer
-    avatar: https://forum-cdn.privacyguides.net/user_avatar/discuss.privacyguides.net/jordan/288/7793_2.png
-    mastodon:
-      username: jw
-      instance: social.lol
-  jonah:
-    name: Jonah Aragon
-    description: Project Director
-    avatar: https://github.com/jonaharagon.png
-    mastodon:
-      username: jonah
-      instance: neat.computer
-    twitter: jonaharagon
-    bluesky: jonaharagon.com

videos/.authors.yml

@@ -0,0 +1 @@
+../blog/.authors.yml

videos/posts/is-privacy-dead.md

@@ -0,0 +1,24 @@
+---
+title: |
+  Think Privacy Is Dead? You're Wrong.
+date:
+    created: 2025-04-17T20:00:00Z
+authors:
+    - jordan
+description: |
+  Privacy isn’t dead, in fact it’s growing. In this video, we explore common arguments against protecting your privacy and why they're not only wrong but dangerous.
+readtime: 5
+thumbnail: https://neat.tube/lazy-static/previews/ebdd1d98-7136-4f5d-9a9e-449004ce47d1.jpg
+embed: https://neat.tube/videos/embed/sSx1yyXESXhvZh1E3VTwtG
+peertube: https://neat.tube/w/sSx1yyXESXhvZh1E3VTwtG
+youtube: https://www.youtube.com/watch?v=Ni2_BN_9xAY
+links:
+  - Why Privacy Matters: https://www.privacyguides.org/en/basics/why-privacy-matters/
+  - posts/5-easy-steps-to-protect-yourself-online.md
+---
+Privacy isn’t dead, in fact it’s growing. In this video, we explore common arguments against protecting your privacy and why they're not only wrong but dangerous.
+
+## Sources
+
+- <https://www.wired.com/story/google-app-gmail-chrome-data/>
+- <https://www.cloudflare.com/learning/privacy/what-is-the-gdpr/>

videos/posts/is-your-data-really-safe-understanding-encryption.md

@@ -0,0 +1,26 @@
+---
+title: |
+  Is Your Data Really Safe? Understanding Encryption
+date:
+    created: 2025-04-03T20:00:00Z
+authors:
+    - jordan
+description: |
+  Encryption is a cornerstone of security on the modern internet, in this video we dive deep into how it works and explain why it's so important.
+readtime: 7
+thumbnail: https://neat.tube/lazy-static/previews/f23bff89-bc84-46b7-ac0b-7e72a9c3ad7d.jpg
+embed: https://neat.tube/videos/embed/6gASFPMvy7EBwTiM3XetEZ
+peertube: https://neat.tube/w/6gASFPMvy7EBwTiM3XetEZ
+youtube: https://www.youtube.com/watch?v=0uQVzK8QWsw
+links:
+  - Privacy Means Safety<br><small>by Em on March 5, 2025</small>: https://www.privacyguides.org/articles/2025/03/25/privacy-means-safety/
+  - Why Privacy Matters: https://www.privacyguides.org/en/basics/why-privacy-matters/
+---
+Encryption is a cornerstone of security on the modern internet, in this video we dive deep into how it works and explain why it's so important. This is especially crucial as many governments around the world are pushing to ban encryption and breach our fundamental right to privacy.
+
+## Sources
+
+- <https://www.bbc.co.uk/news/articles/cgj54eq4vejo>
+- <https://www.eff.org/deeplinks/2025/02/uks-demands-apple-break-encryption-emergency-us-all>
+- <https://www.eff.org/deeplinks/2019/12/fancy-new-terms-same-old-backdoors-encryption-debate-2019>
+- <https://www.amnesty.org/en/latest/news/2025/02/https-www-amnesty-org-en-latest-news-2025-02-uk-encryption-order-threatens-global-privacy-rights/>