Writing review of Common Threats (#1836 )

Co-authored-by: Jonah Aragon <github@aragon.science> Signed-off-by: Daniel Gray <dng@disroot.org> Signed-off-by: matchboxbananasynergy <107055883+matchboxbananasynergy@users.noreply.github.com>
Update Tor window setting location (#1840 )
2025-07-13 06:52:37 +00:00 · 2022-10-16 01:12:29 +10:30 · 2022-10-15 14:12:23 +10:30 · 2022-10-15 03:38:38 +10:30 · 2022-10-14 04:09:34 +00:00 · 2022-10-11 19:22:39 +10:30
30 changed files with 295 additions and 216 deletions
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@ -37,7 +37,7 @@ jobs:
          python-version: '3.10'
      
      - name: Cache files
-        uses: actions/cache@v3.0.8
+        uses: actions/cache@v3.0.11
        with:
          key: ${{ github.ref }}
          path: .cache
--- a/docs/android.en.md
+++ b/docs/android.en.md
@ -61,12 +61,13 @@ Google Pixel phones are the only devices that currently meet GrapheneOS's [hardw
    [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
    [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute }

-DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, and [F-Droid](https://www.f-droid.org) as the app store. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
-
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
 DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.

 DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](android/grapheneos-vs-calyxos.md#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features).

+DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply.
+
 !!! warning

    DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
@ -135,7 +136,6 @@ We recommend a wide variety of Android apps throughout this site. The apps liste
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/net.typeblog.shelter)

 !!! warning

@ -251,7 +251,6 @@ The Google Play Store requires a Google account to login which is not great for

    ??? downloads

-        - [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/com.aurora.store/)
        - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)

 Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
@ -319,4 +318,4 @@ That said, the [F-droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](htt

 !!! note

-    In some rare cases, the developer of an app will only distribute it through F-droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-droid app to obtain it.
+    In some rare cases, the developer of an app will only distribute it through F-droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-droid app to obtain it.
--- a/docs/assets/img/file-sharing-sync/send.svg
+++ b/docs/assets/img/file-sharing-sync/send.svg
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="64mm" height="64mm" version="1.1" viewBox="0 0 64 64" xmlns="http://www.w3.org/2000/svg"><path id="cloud-upload" d="m64 34.286a17.033 17.033 0 0 1-4.4062 11.429 14.857 14.857 0 0 1-10.558 4.5714h-2.1786v-6.8571h2.1786a8.0044 8.0044 0 0 0 5.4688-2.3103 10.184 10.184 0 0 0 2.6384-6.8326 11.442 11.442 0 0 0-11.429-11.429c-0.37683 0-2.3126 0.2418-3.4903 0.3935a1.136 1.136 0 0 1-1.2211-0.76359l-0.46538-1.3576a14.103 14.103 0 0 0-11.716-9.6317 13.666 13.666 0 0 0-14.73 16.779l0.4881 2.0877a1.1429 1.1429 0 0 1-0.78226 1.3542l-2.054 0.62062a6.7941 6.7941 0 0 0-4.8861 6.5178 4.6044 4.6044 0 0 0 0.94642 2.808 5.5388 5.5388 0 0 0 4.0893 1.7634h5.25v6.8571h-5.25a12.236 12.236 0 0 1-9.6808-4.6518 11.506 11.506 0 0 1-2.212-6.7768 13.573 13.573 0 0 1 6.9442-11.884c-0.057884-0.6138-0.087074-1.2254-0.087074-1.8304a20.563 20.563 0 0 1 38.987-9.1428 18.307 18.307 0 0 1 18.156 18.286zm-31.077-2.1632a1.1429 1.1429 0 0 0-1.8465 0l-8.5917 11.775a1.1429 1.1429 0 0 0 0.92327 1.8165h5.1631v12.571a1.1429 1.1429 0 0 0 1.1428 1.1429h4.5714a1.1429 1.1429 0 0 0 1.1429-1.1429v-12.571h5.1631a1.1429 1.1429 0 0 0 0.92326-1.8165z" fill="#45a1ff" stroke-width="2.2857"/></svg>
--- a/docs/basics/common-threats.en.md
+++ b/docs/basics/common-threats.en.md
@ -3,191 +3,195 @@ title: "Common Threats"
 icon: 'material/eye-outline'
 ---

-Broadly speaking, we categorize our recommendations into these general categories of [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat imaginable.
+Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat.

- <span class="pg-purple">:material-incognito: Anonymity</span> - Shielding your online activity from your real-life identity, protecting you from people who are trying to uncover *your* identity specifically
- <span class="pg-red">:material-target-account: Targeted Attacks</span> - Being protected  from dedicated hackers or other malicious agents trying to gain access to *your* data or devices specifically
- <span class="pg-orange">:material-bug-outline: Passive Attacks</span> - Being protected from things like malware, data breaches, and other attacks that are made against many people at once
- <span class="pg-teal">:material-server-network: Service Providers</span> - Protecting your data from service providers, e.g. with end-to-end encryption rendering your data unreadable to the server
- <span class="pg-blue">:material-eye-outline: Mass Surveillance</span> - Protection from government agencies, organizations, websites, and services working together to track your activities
- <span class="pg-brown">:material-account-cash: Surveillance Capitalism</span> - Protecting yourself from big advertising networks like Google and Facebook, as well as a myriad of other third-party data collectors
- <span class="pg-green">:material-account-search: Public Exposure</span> - Limiting the information about you online that is accessible to search engines or the general public
- <span class="pg-blue-gray">:material-close-outline: Censorship</span> - Avoiding censored access to information and being censored yourself when speaking online
+- <span class="pg-purple">:material-incognito: Anonymity</span> - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically.
+- <span class="pg-red">:material-target-account: Targeted Attacks</span> - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically.
+- <span class="pg-orange">:material-bug-outline: Passive Attacks</span> - Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
+- <span class="pg-teal">:material-server-network: Service Providers</span> - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
+- <span class="pg-blue">:material-eye-outline: Mass Surveillance</span> - Protection from government agencies, organizations, websites, and services which work together to track your activities.
+- <span class="pg-brown">:material-account-cash: Surveillance Capitalism</span> - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
+- <span class="pg-green">:material-account-search: Public Exposure</span> - Limiting the information about you that is accessible online—to search engines or the general public.
+- <span class="pg-blue-gray">:material-close-outline: Censorship</span> - Avoiding censored access to information or being censored yourself when speaking online.

-Some of these threats may weigh more than others depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with <span class="pg-red">:material-target-account: Targeted Attacks</span>, but beyond that they probably still want to protect their personal data from being swept up in <span class="pg-blue">:material-eye-outline: Mass Surveillance</span> programs. Similarly, an "Average Joe" may be primarily concerned with <span class="pg-green">:material-account-search: Public Exposure</span> of their personal data, but they should still be wary of security-focused issues such as <span class="pg-orange">:material-bug-outline: Passive Attacks</span> like malware affecting their devices.
+Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with <span class="pg-red">:material-target-account: Targeted Attacks</span>, but they probably still want to protect their personal data from being swept up in <span class="pg-blue">:material-eye-outline: Mass Surveillance</span> programs. Similarly, many people may be primarily concerned with <span class="pg-green">:material-account-search: Public Exposure</span> of their personal data, but they should still be wary of security-focused issues, such as <span class="pg-orange">:material-bug-outline: Passive Attacks</span>—like malware affecting their devices.

-## Anonymity vs Privacy
+## Anonymity vs. Privacy

 <span class="pg-purple">:material-incognito: Anonymity</span>

-Anonymity is often confused for privacy, but it's a distinct concept. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real-life identity.
+Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity.

-Whistleblowers and journalists, for example, can have a much more extreme threat model requiring total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by hackers or governments, but also hiding who they are entirely. They will sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, as their lives could depend on it. Most regular people do not need to go so far.
+Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far.

 ## Security and Privacy

 <span class="pg-orange">:material-bug-outline: Passive Attacks</span>

-Security and privacy are often conflated, because you need security to obtain any semblance of privacy: Using tools which appear private is futile if they could easily be exploited by attackers to release your data later. However, the inverse is not necessarily true; the most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google, who, given their scale, have had minimal security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides a very secure service, very few would consider their data private in Google's free consumer products (Gmail, YouTube, etc).
+Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.)

-When it comes to application security, we generally do not (and sometimes cannot) know if the software that we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there is generally no guarantee that their software does not have a serious vulnerability that could later be exploited.
+When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited.

-To minimize the potential damage that a malicious piece of software can do, you should employ security by compartmentalization. This could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
+To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.

 !!! tip

-    Mobile operating systems are generally safer than desktop operating systems when it comes to application sandboxing. Apps cannot obtain root access and only have access to system resources which you grant them.
+    Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.

-    Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing properties to Android, and macOS has full system permission control and opt-in (for developers) sandboxing for applications, however these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make heavy use of virtual machines or containers, such as Qubes OS.
+    Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as Qubes OS.

 <span class="pg-red">:material-target-account: Targeted Attacks</span>

-Targeted attacks against a specific user are more problematic to deal with. Common avenues of attack include sending malicious documents via emails, exploiting vulnerabilities in the browser and operating systems, and physical attacks. If this is a concern for you, you may have to employ more advanced threat mitigation strategies.
+Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies.

 !!! tip

-    **Web browsers**, **email clients**, and **office applications** all typically run untrusted code sent to you from third-parties by design. Running multiple virtual machines to separate applications like these from your host system as well as each other is one technique you can use to avoid an exploit in these applications from compromising the rest of your system. Technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this seamlessly, for example.
+    By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this.

-If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) for rate limiting attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems do not encrypt data separately per-user.
+If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.

 ## Privacy From Service Providers

 <span class="pg-teal">:material-server-network: Service Providers</span>

-We live in a world where almost everything is connected to the internet. Our "private" messages, emails, social interactions are typically stored on a server somewhere. Generally, when you send someone a message, that message is then stored on a server, and when your friend wants to read the message, the server will show it to them.
+We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them.

-The obvious problem with this is that the service provider (or a hacker who has compromised the server) can look into your "private" conversations whenever and however they want, without you ever knowing. This applies to many common services like SMS messaging, Telegram, Discord, and so on.
+The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord.

-Thankfully, end-to-end encryption can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, so long as the service provider does not have access to the private keys of either party.
+Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party.

-!!! note "Note on web-based encryption"
+!!! note "Note on Web-based Encryption"

-    In practice, the effectiveness of different end-to-end encryption implementations varies. Applications such as [Signal](../real-time-communication.md#signal) run natively on your device, and every copy of the application is the same across different installations. If the service provider were to backdoor their application in an attempt to steal your private keys, that could later be detected using reverse engineering.
+    In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering).

-    On the other hand, web based end-to-end encryption implementations such as Proton Mail's webmail or Bitwarden's web vault rely on the server dynamically serving JavaScript code to the browser to handle cryptographic operations. A malicious server could target a specific user and send them malicious JavaScript code to steal their encryption key, and it would be extremely hard for the user to ever notice such a thing. Even if the user does notice the attempt to steal their key, it would be incredibly hard to prove that it is the provider trying to do so, because the server can choose to serve different web clients to different users.
+    On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt.

-    Therefore, when relying on end-to-end encryption, you should choose to use native applications over web clients whenever possible.
+    Therefore, you should use native applications over web clients whenever possible.

-Even with end-to-end encryption, service providers can still profile you based on **metadata**, which is typically not protected. While the service provider could not read your messages to see what you're saying, they can still observe things like who you're talking to, how often you message them, and what times you're typically active. Protection of metadata is fairly uncommon, and you should pay close attention to the technical documentation of the software you are using to see if there is any metadata minimization or protection at all, if that is a concern for you.
+Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](basics/threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all.

 ## Mass Surveillance Programs

-Mass surveillance is an effort to surveil many or all of a given population. It often refers to government programs such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.
-
-Online, you can be tracked via a wide variety of methods, including but not limited to:
-
- Your IP address
- Browser cookies
- Data you submit to websites
- Your browser or device fingerprint
- Payment method correlation
-
-Therefore, your goals could be to segregate your online identities from each other, to blend in with other users, and to simply avoid giving out identifying information to anyone as much as possible.
-
 <span class="pg-blue">:material-eye-outline: Mass Surveillance</span>

-Governments often cite mass surveillance programs as necessary to combat terrorism and prevent crime, however it is most often used to disproportionately target minorities, political dissidents and many other groups to create a chilling effect on free speech.
+Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.

-!!! quote "ACLU: [The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"
+Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others.
+
+!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)"

    In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline.

-Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^1]
+Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2]
+
+Online, you can be tracked via a variety of methods:
+
+- Your IP address
+- Browser cookies
+- The data you submit to websites
+- Your browser or device fingerprint
+- Payment method correlation
+
+\[This list isn't exhaustive].
+
+If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information.

 <span class="pg-brown">:material-account-cash: Surveillance Capitalism</span>

-> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^2]
+> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3]

-Tracking and surveillance by private corporations is a growing concern for many as well. Pervasive ad networks like those operated by Google and Facebook span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries, but can never completely protect you from all tracking.[^3]
+For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4]

-Additionally, even companies outside of the ad-tech/tracking space can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (like Cambridge Analytica, Experian, or Datalogix) or other parties, so you can't automatically assume your data is safe merely because the service you are using doesn't fall within a typical data sharing/tracking category. The strongest protection against corporate data collection is to always encrypt or obfuscate your data whenever possible to make it as difficult as possible for different providers to correlate data with each other and build a profile on you.
+Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you.

 ## Limiting Public Information

 <span class="pg-green">:material-account-search: Public Exposure</span>

-The best way to ensure your data is private is to simply not put it out there in the first place. Deleting information you find about yourself online is one of the best first steps you can take to regain your privacy.
+The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy.

 - [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md)

-On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, if your accounts have a "private mode," enable it to make sure your account isn't being indexed by search engines and can't be viewed by people you don't vet beforehand.
+On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission.

-If you have already submitted your real information to a number of sites which shouldn't have it, consider employing disinformation tactics such as submitting fictitious information related to the same online identity to make your real information indistinguishable from the false information.
+If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information.

 ## Avoiding Censorship

 <span class="pg-blue-gray">:material-close-outline: Censorship</span>

-Censorship online can be carried out to varying degrees by actors including totalitarian governments, network administrators, and service providers seeking to control the speech of their users and the information they can access. These efforts to filter the internet will always be incompatible with the ideals of free speech.
+Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5]

-Censorship on corporate platforms is increasingly common as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video; or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.
+Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship.

-People concerned with the threat of censorship can use technologies like Tor to circumvent it, and support platforms which provide censorship-resistant communication such as Matrix, which has no centralized account authority which can close down accounts arbitrarily.
+People concerned with the threat of censorship can use technologies like [Tor](tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily.

 !!! important

-    While simply evading censorship itself is relatively easy, hiding the fact that you are evading the censorship system from the censors can be very problematic.
+    While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic.

-    You should consider what aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using encrypted DNS can help you bypass rudimentary censorship systems based solely on DNS, but it cannot truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from the network administrators, but cannot hide that you are using those networks. Pluggable transports like Obfs4proxy, Meek or Shadowsocks can help you evade firewalls that block common VPN protocols or Tor, but an adversary can still figure out that you are actively trying to bypass their censorship system as opposed to just protecting your privacy through probing or deep packet inspection.
+    You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](basics/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection).

-You must always consider the risks involved with trying to bypass censorship, what the potential consequences are, and how sophisticated your adversary may be. Be extra cautious with your software selection and have a backup plan in case you are caught.
+You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught.

 ## Common Misconceptions

-:material-numeric-1-circle: **Open-source software is always secure** or **Proprietary software is more secure**
+:material-numeric-1-circle: **"Open-source software is always secure"** or **"Proprietary software is more secure"**

-These myths stem from a number of prejudices, but the source-availability and licensure of a software product does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you need to look at the reputation and security of each tool on an individual basis.
+These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis.

-Open-source software *can* be audited by third-parties and is often more transparent regarding potential vulnerabilities than their proprietary counterparts. They can also be more flexible, allowing you to delve into the code and disable any suspicious functionality you find yourself. However, unless you review the code yourself there is no guarantee that code has ever been evaluated, especially with smaller software projects, and the open development process can sometimes be exploited by malicious parties to introduce new vulnerabilities into even large projects.[^4]
+Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^6]

-On the flip side, proprietary software is less transparent, but that does not imply it is not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
+On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.

-At the end of the day, it is **vital** that you research and evaluate the privacy and security properties of each piece of software being used and avoid making decisions based on biases.
+To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use.

-:material-numeric-2-circle: **Shifting trust can increase privacy**
+:material-numeric-2-circle: **"Shifting trust can increase privacy"**

-We talk about "shifting trust" a lot when discussing solutions like VPNs, which shift the trust you place in your ISP to the VPN provider. While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data is not yet completely secured from all parties. This means that:
+We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that:

-1. You need to exercise caution when choosing a provider to shift trust to, rather than choosing blindly.
-2. You still need to employ other techniques like end-to-end encryption to protect your data completely, merely distrusting one provider to trust another is not hiding your data.
+1. You must exercise caution when choosing a provider to shift trust to.
+2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data.

-:material-numeric-3-circle: **Privacy-focused solutions are inherently trustworthy**
+:material-numeric-3-circle: **"Privacy-focused solutions are inherently trustworthy"**

-Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a privacy solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem, in this case, is a lack of end-to-end encryption, so you should make sure the provider you switch to actually implements end-to-end encryption or use a tool like Cryptomator which provides end-to-end encryption on any cloud provider. Blindly switching to a "privacy-focused" provider which does not provide end-to-end encryption does not solve your problem, it merely shifts trust from Google to that provider.
+Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider.

-The privacy policies and business practices of a provider you choose are very important, but should be considered secondary to technical guarantees of your privacy: Don't elect to merely shift trust to another provider when trusting a provider isn't a requirement at all.
+The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all.

-:material-numeric-4-circle: **Complicated is better**
+:material-numeric-4-circle: **"Complicated is better"**

-We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with a lot of moving parts and conditions. The replies are usually answers to, "What is the best way to do X?".
+We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?"

 Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:

-1. <mark>Actions need to serve a particular purpose</mark>, think about how to do what you want with the least amount of actions.
-2. <mark>Remove human failure points</mark> (don't have a bunch of conditions you must remember to do what with which accounts). Humans fail, they get tired, they forget things... don't have many conditions or manual processes you must remember in order to maintain operational security.
-3. <mark>Use the right level of protection for what you intend.</mark> We often see recommendations of so-called law-enforcement, subpoena proof solutions. These require a lot of special case knowledge (knowing about how things truly work under the hood) and are generally not what people want. There is no point in building an intricately anonymous threat model if you can be easily de-anonymized by a simple oversight.
+1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions.
+2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
+3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.

 So, how might this look?

-One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and places where you can get away without doing so.
+One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to.

-1. **Known identity** - A known identity is used for things where you must declare your name. There are many such legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, a customs declaration when importing an item or otherwise dealing with your Government. These things will usually lead back credentials such as credit cards, credit rating checks, account numbers and possibly physical addresses.
+1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your Government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses.

-    We don't suggest using a VPN or Tor for any of these things as your identity is already known through other means.
+    We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means.

    !!! tip

        When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private.

-2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're a part of an online community, you may wish to retain a persona that others know. The reason this is not anonymous is that if monitored over a period of time details about the owner may reveal further information, such as the way they write (linguistics), general knowledge about topics of interest, etc.
+2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc.

-    You may wish to use a VPN for this to mask your IP address. Financial transactions are more difficult and for this we'd suggest using anonymous cryptocurrencies such as Monero. Employing alt-coin shifting may also help disguise where your currency originated. Typically exchanges require KYC (know your customer) to be completed before they will allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution, however those often are more expensive and sometimes also require KYC.
+    You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.

-3. **Anonymous identity** - Anonymous identities are difficult to maintain over long periods of time for even the most experienced. They should be short-term and short lived identities which are rotated regularly.
+3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly.

-    Using Tor can help with this, it's also worth noting greater anonymity is possible through asynchronous (not real-time communication). Real-time communication is vulnerable to typing analysis patterns (more than a slab of text distributed on a forum, email, etc) that you've had time to think about, maybe even put through a translator and back again.
+    Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.)

-[^1]: United States Privacy and Civil Liberties Oversight Board: [Report on the Telephone Records Program Conducted under Section 215](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
-[^2]: Wikipedia: [Surveillance capitalism](https://en.wikipedia.org/wiki/Surveillance_capitalism)
-[^3]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about") as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You need to additionally employ other mitigation techniques to be fully protected.
-[^4]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
+[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance).
+[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf)
+[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism)
+[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques.
+[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights).
+[^6]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident).
--- a/docs/basics/threat-modeling.en.md
+++ b/docs/basics/threat-modeling.en.md
@ -3,19 +3,19 @@ title: "Threat Modeling"
 icon: 'material/target-account'
 ---

-Balancing security, privacy and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, et cetera. Often people find that the problem with the tools they see recommended is they're just too hard to start using!
+Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!

-If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.
+If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important.

-**So, what are these threat models anyways?**
+**So, what are these threat models, anyway?**

-==A threat model is a list of the most probable threats to your security/privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is a potential event that could undermine your efforts to stay private and secure.
+==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.

-By focusing on the threats that matter to you, this narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
+Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.

-## Creating your threat model
+## Creating Your Threat Model

-To identify what could happen to the things you value and determine from whom you need to protect them, you want to answer these five questions:
+To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:

 1. What do I want to protect?
 2. Who do I want to protect it from?
@ -43,7 +43,7 @@ Depending on who your adversaries are, under some circumstances, this list might

 It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

-Assessing risks is both a personal and a subjective process. Many people find certain threats unacceptable no matter the likelihood they will occur because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
+Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

 *Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.*

@ -53,7 +53,7 @@ There are many ways that an adversary could gain access to your data. For exampl

 ==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

-Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
+Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

 *Write down what your adversary might want to do with your private data.*

@ -61,15 +61,15 @@ Security planning involves understanding how bad the consequences could be if an

 ==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.

-For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email than a mother who regularly emails her daughter funny cat videos.
+For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.

 *Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.*

-### Try it yourself: Protecting your belongings
+### Try it yourself: Protecting Your Belongings

 These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe.

-**What do you want to protect? (Or *what do you have that is worth protecting?*)**
+**What do you want to protect? (Or, *what do you have that is worth protecting?*)**

 :   Your assets might include jewelry, electronics, important documents, or photos.

@ -79,11 +79,11 @@ These questions can apply to a wide variety of situations, online and offline. A

 **How likely is it that you will need to protect it?**

-:   Does your neighborhood have a history of burglaries? How trustworthy are your roommates/guests? What are the capabilities of your adversaries? What are the risks you should consider?
+:   Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider?

 **How bad are the consequences if you fail?**

-:   Do you have anything in your house that you cannot replace? Do you have the time or money to replace these things? Do you have insurance that covers goods stolen from your home?
+:   Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home?

 **How much trouble are you willing to go through to prevent these consequences?**

@ -93,7 +93,7 @@ Only once you have asked yourself these questions will you be in a position to a

 Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.

-## Further reading
+## Further Reading

 For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. 

--- a/docs/basics/vpn-overview.en.md
+++ b/docs/basics/vpn-overview.en.md
@ -17,6 +17,12 @@ VPNs cannot encrypt data outside of the connection between your device and the V

 However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.

+## When shouldn't I use a VPN?
+
+Using a VPN in cases where you're using your [known identity](../basics/common-threats.en.md#common-misconceptions) is unlikely be useful.
+
+Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website.
+
 ## What about encryption?

 Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption.
@ -43,7 +49,7 @@ VPNs cannot provide anonymity. Your VPN provider will still see your real IP add

 Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit).

-Thus, this feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For true anonymity, use the Tor Browser Bundle, TorSocks, or a Tor gateway.
+The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway.

 ## When are VPNs useful?

--- a/docs/calendar-contacts.en.md
+++ b/docs/calendar-contacts.en.md
@ -23,14 +23,13 @@ Calendars and contacts contain some of your most sensitive data; use products th

    ??? downloads

-        - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+        - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
        - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/)
        - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/)
        - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/)
-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota)
-        - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota)
+        - [:octicons-browser-16: Web](https://mail.tutanota.com/)

 ## EteSync

@ -50,10 +49,9 @@ Calendars and contacts contain some of your most sensitive data; use products th

    ??? downloads

-        - [:octicons-device-desktop-16: Client Setup](https://github.com/etesync/etesync-dav/blob/master/README.md#specific-client-notes-and-instructions)
        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.etesync.syncadapter)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/app/com.etesync.syncadapter)
        - [:simple-appstore: App Store](https://apps.apple.com/us/app/apple-store/id1489574285)
+        - [:octicons-device-desktop-16: Client Setup](https://github.com/etesync/etesync-dav/blob/master/README.md#specific-client-notes-and-instructions)
        - [:simple-docker: Docker Hub](https://hub.docker.com/r/victorrds/etesync)

 ## Proton Calendar
@ -73,8 +71,8 @@ Calendars and contacts contain some of your most sensitive data; use products th

    ??? downloads

-        - [:octicons-browser-16: Web](https://calendar.proton.me)
        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar)
+        - [:octicons-browser-16: Web](https://calendar.proton.me)

 !!! warning
    Proton [does not](https://proton.me/support/proton-contacts#verify) use E2EE for your contact names and email addresses.
--- a/docs/cloud.en.md
+++ b/docs/cloud.en.md
@ -22,6 +22,10 @@ If these alternatives do not fit your needs, we suggest you look into [Encryptio
    [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation}
    [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" }

+    ??? downloads
+    
+        - [:octicons-globe-16: PWA](https://crypt.ee/download)
+
 ## Nextcloud

 !!! recommendation
@ -38,15 +42,15 @@ If these alternatives do not fit your needs, we suggest you look into [Encryptio

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)
+        - [:simple-github: GitHub](https://github.com/nextcloud/android/releases)
        - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients)
        - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients)
        - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients)
        - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud)
        - [:simple-openbsd: OpenBSD](https://openports.se/www/nextcloud)
        - [:simple-netbsd: NetBSD](https://pkgsrc.se/www/php-nextcloud)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/com.nextcloud.client)
-        - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102)

 We recommend checking if your Nextcloud provider supports E2EE, otherwise you have to trust the provider to not look at your files.

@ -69,4 +73,4 @@ When self-hosting, you should also enable E2EE to protect against your hosting p

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive)

-Proton Drive is currently only available through a web client and an Android app.
+Proton Drive is currently only available through a web client and an Android app.
--- a/docs/data-redaction.en.md
+++ b/docs/data-redaction.en.md
@ -64,7 +64,6 @@ When sharing files, be sure to remove associated metadata. Image files commonly
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser)
-        - [:simple-android: IzzyOnDroid (APK)](https://android.izzysoft.de/repo/apk/com.none.tom.exiferaser)
        - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases)

 The metadata that is erased depends on the image's file type:
@ -114,7 +113,6 @@ The app offers multiple ways to erase metadata from images. Namely:
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/de.mathema.privacyblur/)
        - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106)

 !!! warning
--- a/docs/desktop-browsers.en.md
+++ b/docs/desktop-browsers.en.md
@ -23,7 +23,7 @@ These are our currently recommended desktop web browsers and configurations for
        - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows)
        - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac)
        - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux)
-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox)

 !!! warning
    Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/).
@ -98,6 +98,7 @@ The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of ca

    ??? downloads annotate

+        - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)
        - [:simple-windows11: Windows](https://brave.com/download/)
        - [:simple-apple: macOS](https://brave.com/download/)
        - [:simple-linux: Linux](https://brave.com/linux/) (1)
@ -142,6 +143,7 @@ Shields' options can be downgraded on a per-site basis as needed, but by default
 - [ ] Uncheck **Allow privacy-preserving product analytics (P3A)**
 - [ ] Uncheck **Automatically send daily usage ping to Brave**
 - [x] Select **Always use secure connections** in the **Security** menu
+- [ ] Uncheck **Private window with Tor** (1)

    !!! important "Sanitizing on Close"
        - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu
@ -155,7 +157,6 @@ Disable built-in extensions you do not use in **Extensions**
 <div class="annotate" markdown>

 - [ ] Uncheck **Hangouts**
- [ ] Uncheck **Private window with Tor** (1)
 - [ ] Uncheck **WebTorrent**

 </div>
--- a/docs/dns.en.md
+++ b/docs/dns.en.md
@ -93,7 +93,7 @@ Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](ba
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/com.celzero.bravedns)
+        - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases)

 ### dnscrypt-proxy

--- a/docs/email-clients.en.md
+++ b/docs/email-clients.en.md
@ -31,7 +31,7 @@ Our recommendation list contains email clients that support both [OpenPGP](encry
        - [:simple-windows11: Windows](https://www.thunderbird.net)
        - [:simple-apple: macOS](https://www.thunderbird.net)
        - [:simple-linux: Linux](https://www.thunderbird.net)
-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird)

 ## Platform Specific

@ -61,10 +61,9 @@ Our recommendation list contains email clients that support both [OpenPGP](encry

    ??? downloads

-        - [:simple-apple: Mac App Store](https://apps.apple.com/app/id1236045954)
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)
        - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954)
        - [:simple-windows11: Windows](https://canarymail.io/downloads.html)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android)

 !!! attention

@ -89,7 +88,7 @@ Canary Mail is closed-source. We recommend it due to the few choices there are f
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/eu.faircode.email/)
+        - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases)

 ### GNOME Evolution (GNOME)

@ -107,7 +106,7 @@ Canary Mail is closed-source. We recommend it due to the few choices there are f

    ??? downloads

-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.gnome.Evolution)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution)

 ### K-9 Mail (Android)

@ -128,7 +127,6 @@ Canary Mail is closed-source. We recommend it due to the few choices there are f
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/com.fsck.k9)
        - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases)

 ### Kontact (KDE)
@ -148,7 +146,7 @@ Canary Mail is closed-source. We recommend it due to the few choices there are f
    ??? downloads

        - [:simple-linux: Linux](https://kontact.kde.org/download)
-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.kde.kontact)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact)

 ### Mailvelope (Browser)

@ -186,5 +184,5 @@ Canary Mail is closed-source. We recommend it due to the few choices there are f

    ??? downloads

-        - [:simple-linux: Linux](https://neomutt.org/distro)
        - [:simple-apple: macOS](https://neomutt.org/distro)
+        - [:simple-linux: Linux](https://neomutt.org/distro)
--- a/docs/email.en.md
+++ b/docs/email.en.md
@ -24,7 +24,7 @@ For everything else, we recommend a variety of email providers based on sustaina

    **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.

-    Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts are available starting at **€48/y** which include features like Proton Mail Bridge, additional storage, and custom domain support.
+    Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support.

    If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free.

@ -34,6 +34,16 @@ For everything else, we recommend a variety of email providers based on sustaina
    [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation}
    [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" }

+    ??? downloads
+
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905)
+        - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases)
+        - [:simple-windows11: Windows](https://proton.me/mail/bridge#download)
+        - [:simple-apple: macOS](https://proton.me/mail/bridge#download)
+        - [:simple-linux: Linux](https://proton.me/mail/bridge#download)
+        - [:octicons-browser-16: Web](https://mail.proton.me)
+
 ??? check "Custom Domains and Aliases"

    Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain.
@ -74,6 +84,10 @@ For everything else, we recommend a variety of email providers based on sustaina
    [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" }
    [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation}

+    ??? downloads
+
+        - [:octicons-browser-16: Web](https://login.mailbox.org)
+
 ??? check "Custom Domains and Aliases"

    Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain.
@ -117,6 +131,10 @@ For everything else, we recommend a variety of email providers based on sustaina
    [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" }
    [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation}

+    ??? downloads
+
+        - [:octicons-browser-16: Web](https://mail.startmail.com/login)
+
 ??? check "Custom Domains and Aliases"

    Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available.
@ -157,12 +175,20 @@ For everything else, we recommend a variety of email providers based on sustaina
    [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" }
    [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute }

+    ??? downloads
+
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota)
+        - [:simple-appstore: App Store](https://itunes.apple.com/de/app/tutanota/id922429609)
+        - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases)
+        - [:simple-windows11: Windows](https://tutanota.com/#download)
+        - [:simple-apple: macOS](https://tutanota.com/#download)
+        - [:simple-linux: Linux](https://tutanota.com/#download)
+        - [:octicons-browser-16: Web](https://mail.tutanota.com/)
+
 Tutanota [doesn't allow](https://tutanota.com/faq/#imap) the use of third-party [email clients](email-clients.md). Tutanota has no plans pull email from [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) using the IMAP protocol. [Email import](https://github.com/tutao/tutanota/issues/630) is currently not possible.

 Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail). Tutanota does not allow for [subfolders](https://github.com/tutao/tutanota/issues/927) as you might expect with other email providers.

-Tutanota is working on a [desktop client](https://tutanota.com/blog/posts/desktop-clients/) and they have an app [available in F-Droid](https://f-droid.org/packages/de.tutao.tutanota). They also have their app in conventional stores such as [App Store](https://apps.apple.com/us/app/tutanota/id922429609) on iOS and [Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) for Android.
-
 ??? check "Custom Domains and Aliases"

    Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain.
@ -228,10 +254,11 @@ Using an aliasing service requires trusting both your email provider and your al
    [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute }

    ??? downloads
+
+        - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)
+        - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
        - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/)
        - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe)
-        - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app)
-        - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app)

 The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year.

@ -257,13 +284,14 @@ Notable free features:
    [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" }

    ??? downloads
+    
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
+        - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases)
        - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/)
        - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn)
        - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff)
        - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017)
-        - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/io.simplelogin.android.fdroid/)

 SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf).

--- a/docs/encryption.en.md
+++ b/docs/encryption.en.md
@ -24,13 +24,13 @@ The options listed here are multi-platform and great for creating encrypted back

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
+        - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+        - [:simple-android: Android](https://cryptomator.org/android)
        - [:simple-windows11: Windows](https://cryptomator.org/downloads)
        - [:simple-apple: macOS](https://cryptomator.org/downloads)
        - [:simple-linux: Linux](https://cryptomator.org/downloads)
-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
-        - [:simple-android: Android](https://cryptomator.org/android)
-        - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)

 Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.

@ -267,10 +267,10 @@ When encrypting with PGP, you have the option to configure different options in

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
        - [:simple-windows11: Windows](https://gpg4win.org/download.html)
        - [:simple-apple: macOS](https://gpgtools.org)
        - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)

 ### GPG4win

@ -330,4 +330,3 @@ When encrypting with PGP, you have the option to configure different options in
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/org.sufficientlysecure.keychain/)
--- a/docs/file-sharing.en.md
+++ b/docs/file-sharing.en.md
@ -6,6 +6,26 @@ Discover how to privately share your files between your devices, with your frien

 ## File Sharing

+### Send
+
+!!! recommendation
+
+    ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right }
+
+    **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself.
+
+    [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary }
+    [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"}
+    [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation}
+    [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" }
+    [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute }
+
+Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server:
+
+```bash
+ffsend upload --host https://send.vis.ee/ FILE
+```
+
 ### OnionShare

 !!! recommendation
@ -16,7 +36,7 @@ Discover how to privately share your files between your devices, with your frien

    [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary }
    [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" }
-    [:octicons-info-16:](https://docs.onionshare.org/){ .card-link title=Documentation}
+    [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation}
    [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" }

    ??? downloads
@ -55,11 +75,10 @@ Discover how to privately share your files between your devices, with your frien

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
        - [:simple-windows11: Windows](https://syncthing.net/downloads/)
        - [:simple-apple: macOS](https://syncthing.net/downloads/)
        - [:simple-linux: Linux](https://syncthing.net/downloads/)
        - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/)
        - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/)
        - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/com.nutomic.syncthingandroid/)
--- a/docs/frontends.en.md
+++ b/docs/frontends.en.md
@ -84,7 +84,7 @@ When you are using a Nitter instance, make sure to read the privacy policy of th
        - [:simple-windows11: Windows](https://freetubeapp.io/#download)
        - [:simple-apple: macOS](https://freetubeapp.io/#download)
        - [:simple-linux: Linux](https://freetubeapp.io/#download)
-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube)

 !!! Warning

@ -109,15 +109,10 @@ When you are using a Nitter instance, make sure to read the privacy policy of th

    ??? downloads

-        - [:simple-fdroid: F-Droid](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo)
        - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases)

 1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances**

-!!! note
-
-    NewPipe is available on the main [F-Droid](https://www.f-droid.org)'s repository. We recommend that you use NewPipe's own [F-Droid repository](https://newpipe.net/FAQ/tutorials/install-add-fdroid-repo) instead to get faster updates.
-
 !!! Warning
    
    When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address.
@ -173,4 +168,4 @@ When you are using an Invidious instance, make sure to read the privacy policy o

 When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting.

-When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
+When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy.
--- a/docs/index.en.md
+++ b/docs/index.en.md
@ -12,7 +12,7 @@ hide:

 ##### “I have nothing to hide. Why should I care about my privacy?”

-Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, we didn't always have the right to privacy. In several dictatorships, many still don't. Generations before ours fought for our right to privacy. ==Privacy is a human right inherent to all of us== that we are entitled to without discrimination.
+Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination).

 You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes you human.

@ -22,9 +22,9 @@ You shouldn't confuse privacy with secrecy. We know what happens in the bathroom
 <div style="margin-left:auto;margin-right:0;text-align:right;max-width:38rem;" markdown>
 ## What should I do?

-##### First, you need to make a plan
+##### First, you need to make a plan.

-Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and by thinking ahead you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can counter them.
+Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them.

 ==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan.

@ -33,18 +33,18 @@ Trying to protect all your data from everyone all the time is impractical, expen
 </div>

 <div style="padding:3em;max-width:960px;margin:auto;text-align:center;" markdown>
-## We need you! Here's how to get involved
+## We need you! Here's how to get involved:

 It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know.

 <div class="grid cards" style="margin:auto;max-width:800px;text-align:center;" markdown>

- [:simple-reddit: Join the r/PrivacyGuides Subreddit](https://www.reddit.com/r/privacyguides)
+- [:simple-discourse: Join our forum](https://discuss.privacyguides.org/)
 - [:simple-mastodon: Follow us on Mastodon](https://mastodon.social/@privacyguides){ rel=me }
 - [:material-book-edit: Contribute to this website](https://github.com/privacyguides/privacyguides.org)
 - [:simple-matrix: Chat with us on Matrix](https://matrix.to/#/#privacyguides:matrix.org)
- [:material-information-outline: Learn More About Us](about.md)
- [:material-hand-coin-outline: Support the Project](about/donate.md)
+- [:material-information-outline: Learn more about us](about.md)
+- [:material-hand-coin-outline: Support the project](about/donate.md)

 </div>
 </div>
--- a/docs/mobile-browsers.en.md
+++ b/docs/mobile-browsers.en.md
@ -27,6 +27,7 @@ On Android, Firefox is still less secure than Chromium-based alternatives: Mozil
    ??? downloads annotate

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser)
+        - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases)

 #### Recommended Configuration

--- a/docs/multi-factor-authentication.en.md
+++ b/docs/multi-factor-authentication.en.md
@ -84,7 +84,6 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/com.beemdevelopment.aegis)
        - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases)

 ### Raivo OTP
@ -103,4 +102,3 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
    ??? downloads

        - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
-        - [:simple-apple: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896)
--- a/docs/news-aggregators.en.md
+++ b/docs/news-aggregators.en.md
@ -23,7 +23,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    ??? downloads

-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.kde.akregator)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator)

 ### Feeder

@ -40,7 +40,6 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/com.nononsenseapps.feeder/)

 ### Fluent Reader

@ -59,7 +58,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
    ??? downloads

        - [:simple-windows11: Windows](https://hyliu.me/fluent-reader)
-        - [:simple-apple: Mac App Store](https://apps.apple.com/app/id1520907427)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427)

 ### GNOME Feeds

@ -76,7 +75,7 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k
    ??? downloads

        - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install)
-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.gabmus.gfeeds)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds)

 ### Miniflux

@ -107,8 +106,8 @@ A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to k

    ??? downloads

-        - [:simple-apple: macOS](https://netnewswire.com)
        - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210)
+        - [:simple-apple: macOS](https://netnewswire.com)

 ### Newsboat

--- a/docs/notebooks.en.md
+++ b/docs/notebooks.en.md
@ -28,7 +28,6 @@ If you are currently using an application like Evernote, Google Keep, or Microso
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.etesync.notes)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/com.etesync.notes)
        - [:simple-appstore: App Store](https://apps.apple.com/us/app/etesync-notes/id1533806351)
        - [:octicons-globe-16: Web](https://notes.etesync.com)

@ -48,13 +47,14 @@ If you are currently using an application like Evernote, Google Keep, or Microso

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)
+        - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
+        - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases)
        - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications)
        - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications)
        - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications)
        - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/)
        - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek)
-        - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin)

 Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key.
  
@ -74,12 +74,12 @@ Joplin does not support password/PIN protection for the [application itself or i

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
+        - [:simple-github: GitHub](https://github.com/standardnotes/app/releases)
        - [:simple-windows11: Windows](https://standardnotes.com)
        - [:simple-apple: macOS](https://standardnotes.com)
        - [:simple-linux: Linux](https://standardnotes.com)
-        - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/com.standardnotes)
        - [:octicons-globe-16: Web](https://app.standardnotes.com/)

 ## Local notebooks
--- a/docs/passwords.en.md
+++ b/docs/passwords.en.md
@ -25,13 +25,12 @@ These password managers sync your passwords to a cloud server for easy accessibi

    ??? downloads

-        - [:simple-windows11: Windows](https://bitwarden.com/download)
-        - [:simple-apple: Mac App Store](https://apps.apple.com/app/bitwarden/id1352778147)
-        - [:simple-linux: Linux](https://bitwarden.com/download)
-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/com.bitwarden.desktop)
-        - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)
-        - [:simple-fdroid: F-Droid](https://mobileapp.bitwarden.com/fdroid)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744)
+        - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases)
+        - [:simple-windows11: Windows](https://bitwarden.com/download)
+        - [:simple-linux: Linux](https://bitwarden.com/download)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop)
        - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager)
        - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb)
        - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh)
@ -61,6 +60,15 @@ Bitwarden's server-side code is [open-source](https://github.com/bitwarden/serve
    [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" }
    [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation}

+    ??? downloads
+
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8)
+        - [:simple-windows11: Windows](https://1password.com/downloads/windows/)
+        - [:simple-apple: macOS](https://1password.com/downloads/mac/)
+        - [:simple-linux: Linux](https://1password.com/downloads/linux/)
+        
+
 Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality.

 Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data.
@ -82,10 +90,10 @@ One advantage 1Password has over Bitwarden is its first-class support for native

    ??? downloads

-        - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
-        - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono)
        - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224)
+        - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager)
+        - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo)
        - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client)

 Psono provides [extensive documentation](https://doc.psono.com/) for their product. The [web-client](https://doc.psono.com/admin/installation/install-webclient.html#installation-with-docker) for Psono can be self-hosted; alternatively, you can choose the full [Community Edition](https://doc.psono.com/admin/installation/install-server-ce.html) or the [Enterprise Edition](https://doc.psono.com/admin/installation/install-server-ee.html) with additional features.
@ -135,7 +143,6 @@ KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-se
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free)
-        - [:simple-fdroid: F-Droid](https://www.f-droid.org/packages/com.kunzisoft.keepass.libre)
        - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases)

 ### Strongbox (iOS & macOS)
@ -144,7 +151,7 @@ KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-se

    ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right }

-    **Strongbox** is an open-source password manager for iOS and macOS that supports KeePass and Password Safe formats. It offers a [premium version](https://strongboxsafe.com/pricing/) with more features such as TouchID and FaceID unlocking.
+    **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license.

    [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary }
    [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" }
@ -154,10 +161,9 @@ KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-se

    ??? downloads

-        - [:simple-apple: Mac App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)
        - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731)

-There is also an offline-only version available called [Strongbox Zero](https://apps.apple.com/us/app/strongbox-keepass-pwsafe/id1581589638) if you don't need syncing; this version is stripped down so it has less attack surface.
+Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface.

 ## Command-line

@ -181,4 +187,4 @@ These products are minimal password managers that can be used within scripting a
        - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows)
        - [:simple-apple: macOS](https://www.gopass.pw/#install-macos)
        - [:simple-linux: Linux](https://www.gopass.pw/#install-linux)
-        - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
+        - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd)
--- a/docs/productivity.en.md
+++ b/docs/productivity.en.md
@ -26,15 +26,15 @@ For other platforms, consider below:

    ??? downloads

+        - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
+        - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)
        - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/)
        - [:simple-apple: macOS](https://www.libreoffice.org/download/download/)
        - [:simple-linux: Linux](https://www.libreoffice.org/download/download/)
-        - [:simple-flathub: Flatpak](https://www.libreoffice.org/download/download/)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice)
        - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/)
        - [:simple-openbsd: OpenBSD](https://openports.se/editors/libreoffice)
        - [:simple-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice)
-        - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/)
-        - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/)

 ### OnlyOffice

@ -51,12 +51,12 @@ For other platforms, consider below:

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)
        - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx)
        - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx)
        - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx)
        - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents)
-        - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972)

 ### CryptPad

--- a/docs/real-time-communication.en.md
+++ b/docs/real-time-communication.en.md
@ -27,11 +27,12 @@ These are our recommendations for encrypted real-time communication.

    ??? downloads

-        - [:simple-windows11: Windows](https://signal.org/download)
-        - [:simple-apple: macOS](https://signal.org/download)
-        - [:simple-linux: Linux](https://signal.org/download)
        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms)
        - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669)
+        - [:simple-android: Android](https://signal.org/android/apk/)
+        - [:simple-windows11: Windows](https://signal.org/download/windows)
+        - [:simple-apple: macOS](https://signal.org/download/macos)
+        - [:simple-linux: Linux](https://signal.org/download/linux)

 Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier.

@ -58,13 +59,13 @@ We have some additional tips on configuring and hardening your Signal installati

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)
+        - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases)
        - [:simple-windows11: Windows](https://element.io/get-started)
        - [:simple-apple: macOS](https://element.io/get-started)
        - [:simple-linux: Linux](https://element.io/get-started)
        - [:octicons-globe-16: Web](https://app.element.io)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/im.vector.app/)
-        - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067)

 Profile pictures, reactions, and nicknames are not encrypted.

@ -89,12 +90,12 @@ The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matr

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
+        - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases)
        - [:simple-windows11: Windows](https://getsession.org/download)
        - [:simple-apple: macOS](https://getsession.org/download)
-        - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868)
        - [:simple-linux: Linux](https://getsession.org/download)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger)
-        - [:simple-fdroid: F-Droid](https://fdroid.getsession.org)

 Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design.

@ -122,9 +123,8 @@ Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the

    ??? downloads

-        - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.briarproject.Briar)
        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android)
-        - [:simple-fdroid: F-Droid](https://f-droid.org/packages/org.briarproject.briar.android)
+        - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar)

 To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby.

@ -132,4 +132,4 @@ The client software was independently [audited](https://briarproject.org/news/20

 Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec).

-Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
+Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol.
--- a/docs/real-time-communication/signal-configuration-hardening.en.md
+++ b/docs/real-time-communication/signal-configuration-hardening.en.md
@ -212,7 +212,6 @@ On Android you can consider using **Molly**, a fork of the Signal mobile client

    ??? downloads

-         - [:simple-fdroid: F-Droid](https://molly.im/download/fdroid/)
         - [:simple-github: GitHub](https://github.com/mollyim/mollyim-android/releases)

 Molly offers two variants of the app: **Molly** and **Molly-FOSS**.
--- a/docs/router.en.md
+++ b/docs/router.en.md
@ -11,7 +11,7 @@ Below are a few alternative operating systems, that can be used on routers, Wi-F
    ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right }
    ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right }

-    **OpenWrt** is an operating system (in particular, an embedded operating system) based on the Linux kernel, primarily used on embedded devices to route network traffic. The main components are the Linux kernel, util-linux, uClibc, and BusyBox. All components have been optimized for size, to be small enough for fitting into the limited storage and memory available in home routers.
+    **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers.

    [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary }
    [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation}
--- a/docs/tools.en.md
+++ b/docs/tools.en.md
@ -7,7 +7,7 @@ hide:

 If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your use case.

-If you want assistance figuring out the best privacy tools and alternative programs for your workload/use-case, start a discussion in our [Reddit](https://www.reddit.com/r/privacyguides) or [Matrix](https://matrix.to/#/#privacyguides:matrix.org) communities!
+If you want assistance figuring out the best privacy tools and alternative programs for your workload/use-case, start a discussion on our [forum](https://discuss.privacyguides.org/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community!

 For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page.

@ -322,6 +322,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b

 <div class="grid cards" markdown>

+- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send)
 - ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare)
 - ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox)
 - ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing)
--- a/docs/tor.en.md
+++ b/docs/tor.en.md
@ -43,15 +43,14 @@ There are a variety of ways to connect to the Tor network from your device, the

    ??? downloads

+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
+        - [:simple-android: Android](https://www.torproject.org/download/#android)
        - [:simple-windows11: Windows](https://www.torproject.org/download/)
        - [:simple-apple: macOS](https://www.torproject.org/download/)
        - [:simple-linux: Linux](https://www.torproject.org/download/)
        - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor)
        - [:simple-openbsd: OpenBSD](https://openports.se/net/tor)
        - [:simple-netbsd: NetBSD](https://pkgsrc.se/net/tor)
-        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser)
-        - [:simple-fdroid: F-Droid](https://support.torproject.org/tormobile/tormobile-7/)
-        - [:simple-android: Android](https://www.torproject.org/download/#android)

 !!! danger

@ -76,9 +75,8 @@ The Tor Browser is designed to prevent fingerprinting, or identifying you based
    ??? downloads

        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android)
-        - [:simple-fdroid: F-Droid](https://guardianproject.info/fdroid)
-        - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)
        - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599)
+        - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases)

 For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* in :material-menu: → **Settings** → **Connectivity**. This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.

--- a/docs/vpn.en.md
+++ b/docs/vpn.en.md
@ -40,6 +40,14 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
    [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation}
    [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" }

+    ??? downloads
+
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085)
+        - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases)
+        - [:simple-windows11: Windows](https://protonvpn.com/download-windows)
+        - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/)
+
 ??? check annotate "64 Countries"

    Proton VPN has [servers in 64 countries](https://protonvpn.com/vpn-servers) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
@ -91,6 +99,15 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
    [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation}
    [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" }

+    ??? downloads
+    
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client)
+        - [:simple-appstore: App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683)
+        - [:simple-github: GitHub](https://github.com/ivpn/android-app/releases)
+        - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/)
+        - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/)
+        - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/)
+
 ??? check annotate "34 Countries"

    IVPN has [servers in 34 countries](https://www.ivpn.net/server-locations) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
@ -143,6 +160,15 @@ Find a no-logging VPN operator who isn’t out to sell or read your web traffic.
    [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation}
    [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" }

+    ??? downloads
+    
+        - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn)
+        - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513)
+        - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases)
+        - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/)
+        - [:simple-apple: macOS](https://mullvad.net/en/download/macos/)
+        - [:simple-linux: Linux](https://mullvad.net/en/download/linux/)
+
 ??? check annotate "39 Countries"

    Mullvad has [servers in 39 countries](https://mullvad.net/servers/) (1). Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination.
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -15,9 +15,9 @@ extra:
    - icon: simple/matrix
      link: https://matrix.to/#/#privacyguides:matrix.org
      name: Matrix
-    - icon: simple/reddit
-      link: https://reddit.com/r/PrivacyGuides
-      name: Reddit
+    - icon: simple/discourse
+      link: https://discuss.privacyguides.org/
+      name: Forum
    - icon: simple/mastodon
      link: https://mastodon.social/@privacyguides
      name: Mastodon
Author	SHA1	Message	Date
Kai Tebay	812558db5c	Writing review of Common Threats (#1836 ) Co-authored-by: Jonah Aragon <github@aragon.science> Signed-off-by: Daniel Gray <dng@disroot.org> Signed-off-by: matchboxbananasynergy <107055883+matchboxbananasynergy@users.noreply.github.com>	2022-10-16 01:12:29 +10:30
datoshkr	7a3fdd42ab	Update Tor window setting location (#1840 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-10-15 14:12:23 +10:30
matchboxbananasynergy	a263b5a95a	Add Send & ffsend to File Sharing page (#1837 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-10-15 03:38:38 +10:30
dependabot[bot]	27fec327fd	Bump actions/cache from 3.0.10 to 3.0.11 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.10 to 3.0.11. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v3.0.10...v3.0.11) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2022-10-14 04:09:34 +00:00
john	6c9dc8c5d4	Update Strongbox information (#1835 )	2022-10-11 19:22:39 +10:30
Kai Tebay	7f09bd69a9	Standardize download sections (#1826 ) Co-authored-by: Jonah Aragon <github@aragon.science> Co-authored-by: matchboxbananasynergy <107055883+matchboxbananasynergy@users.noreply.github.com> Signed-off-by: Daniel Gray <dng@disroot.org>	2022-10-11 16:28:18 +10:30
JustLuckNoSkill	226b9f7885	Mention NeoStore in DivestOS description (#1829 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-10-10 04:17:24 +10:30
matchboxbananasynergy	a74b6cc7bc	Remove pricing from Proton Mail card (#1832 )	2022-10-10 04:13:59 +10:30
matchboxbananasynergy	f3086e4416	Replace Reddit Link with Forum Link in Tools Page (#1833 )	2022-10-10 04:13:52 +10:30
Daniel Nathan Gray	126805b5ba	Clarifications, VPN overview (#1825 )	2022-10-10 04:13:46 +10:30
dependabot[bot]	4235d62136	Bump actions/cache from 3.0.8 to 3.0.10 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.8 to 3.0.10. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v3.0.8...v3.0.10) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2022-10-05 00:43:38 +10:30
Freddy	a87d5cb227	Replaced Reddit with Forum link (#1831 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-10-05 00:42:09 +10:30
JustLuckNoSkill	df90475594	Revise OpenWrt card (#1827 )	2022-10-02 13:01:51 +00:00
Kai Tebay	ebf589096b	Writing style changes to index page (#1817 ) Signed-off-by: Daniel Gray <dng@disroot.org>	2022-09-30 20:51:19 +09:30
Kai Tebay	64c7e30e37	Writing style changes to threat-modeling page (#1819 ) Co-authored-by: matchboxbananasynergy <107055883+matchboxbananasynergy@users.noreply.github.com> Signed-off-by: Daniel Gray <dng@disroot.org>	2022-09-30 20:47:48 +09:30