Privacy Guides

Email Security: Where We Are and What the Future Holds

fria — Sat, 15 Nov 2025 22:36:51 +0000

Illustration: fria / Privacy Guides

Email is ubiquitous. If you want to function in modern society, you pretty much have to have an email address. What was originally just a simple protocol to send messages between machines has morphed beyond what it was originally intended for into the de facto authentication, identity, and "secure" communication channel for almost all technology users today. It's been updated many times to fix security issues and there are more updates to come, but is it worth trying to fix a decades-old protocol, or should we scrap it all and start over?

Current State of Email Security

The Simple Mail Transport Protocol (SMTP) is the standard used to send emails.

Over the years, multiple protocols have been introduced to fix security issues and improve the usability of email, resulting in a complex mess that we're still feeling the consequences of to this day.

Encryption

By default, there's no encryption in SMTP. Not transport encryption or end-to-end encryption, it's just a plaintext protocol.

To remedy this, several solutions have been created.

STARTTLS

STARTTLS is a command that allows email clients to negotiate TLS encryption. Importantly, the negotiation phase happens in plaintext which leaves it vulnerable to attackers.

STARTTLS allows a bit more flexibility at the cost of some security. Since you don't really know if the recipient's email client supports TLS or not, it allows you to continue with the SMTP session anyway if you want to.

Since it's just using TLS, STARTTLS can't provide E2EE, just transport encryption. The encryption looks something like:

Encrypted between your email client and your SMTP server → decrypted at your SMTP server → Encrypted between your SMTP server and recipient's SMTP server → decrypted at recipient's SMTP server → encrypted between their SMTP server and their POP3/IMAP server → decrypted at their POP3/IMAP server → encrypted between their POP3/IMAP server and their email client → decrypted by their email client.

flowchart LR A[Email Client] -->|Optional TLS Encryption| B(SMTP Server) B --> |Optional TLS Encryption| C(Other SMTP Server) C -->|Optional TLS Encryption| D[POP3 or IMAP Server] D -->|Optional TLS Encryption| F[Other Party's Email Client]

At each point in the process TLS encryption is not guaranteed. Now consider that you can have multiple recipients with their own SMTP servers as well, and you start to see how flimsy this protection can be. And since the initial negotiation is in plaintext, an attacker can simply strip away the STARTTLS command, preventing a secure connection from being established.

Authentication is left to another protocol to solve, this just handles the transport encryption.

SMTPS

Also known as "Implicit TLS" (as opposed to the "Explicit TLS" of STARTTLS), SMTPS starts with an encrypted connection, similar to HTTPS, removing the potential for an adversary to downgrade the connection.

The current recommendations are to use port 465 for SMTPS and port 587 for STARTTLS. Unfortunately, these ports aren't standardized and thus there is disagreement and confusion about what port should be used for SMTPS.

In the past, ports 25, 465, 587, and 2525 have all been used for SMTP at various points. This lack of a standardized port means that you end up with services using different ports and being unable to establish a secure connection. Particularly, there is still confusion in some email providers whether to use port 465 or port 587 for SMTPS, although the current recommendation is port 465.

POP3S

Post Office Protocol version 3 or POP3 is a protocol for retrieving mail from a mail server. It's one of the ways your email client can show you your mail.

POP3 also supports implicit TLS over port 995, so it can be encrypted by default as well.

IMAPS

Internet Message Access Protocol or IMAP is another protocol for retrieving mail from a mail server.

Like SMTPS and POP3s, IMAP supports implicit TLS. The implicit TLS port is 993.

OpenPGP

The above features only protect the email in transit and don't protect against the email providers involved, which is a massive security issue if you don't trust your email provider. On top of that, you as a user have no control over which parts of the chain are encrypted. If you want to be sure that no party in between you and your recipient can read or alter your emails, you need to use end-to-end encryption. Unfortunately, by default, email doesn't support end-to-end encryption.

Pretty Good Privacy (PGP) was originally created in 1997 by Phil Zimmerman. While originally proprietary software, an open source version of PGP called OpenPGP has been standardized by the IETF. As you can imagine from software originally conceived in the 90s, the user experience isn't the smoothest.

Unlike modern messengers like Signal, OpenPGP requires you to manually manage your keys. This is a problem not only because it's cumbersome, but the security of E2EE rests on protecting the private key. If the private key is compromised, your messages are compromised.

PGP also lacks forward secrecy, meaning that if your private key is ever exposed, all previous messages you've ever sent using that key are also exposed. All it takes is a slight user error for a catastrophic compromise.

PGP encryption also usually doesn't encrypt important metadata like To, From, Cc, Date, and Subject, stored in the email header; usually, only the body of the email is encrypted, which can be a major privacy issue. What the email is about, who you are, and who you're messaging can all be revealed even with E2EE. Some email clients use their hidden headers that can reveal more data about you.

S/MIME

Another common option for email encryption is S/MIME, or Secure/Multipurpose Internet Mail Extensions. S/MIME works a bit like HTTPS, using X.509 digital certificates and certificate authorities to encrypt and verify the authenticity of emails.

While a step up from the manual keys of PGP, S/MIME is still a pain to use, particularly because it usually requires purchasing and managing a certificate from a CA, which can be expensive and annoying. S/MIME also lacks forward secrecy just like PGP, so if there's ever a compromise of your private key, all previously sent messages are also compromised.

These issues make S/MIME nonviable for most people outside business settings.

Web Key Directory

A problem with PGP is getting your public key out to people without manually exchanging keys. This problem can be solved with Web Key Directory (WKD), which allows you to upload your public PGP key to a server and clients that want to send E2EE emails to you can ask that server to send you their public key.

You can read more on our email security page.

Authentication

SMTP by default essentially has no authentication and allows spoofing the MAIL FROM header. Your email client will just blindly accept whoever the sender says they are without any authentication. Luckily, there are several solutions for this.

There are multiple methods that email providers can implement to verify the authenticity of an email sender.

SPF

The first solution implemented was Sender Policy Framework (SPF). SPF uses DNS TXT records.

Just like the name sounds, a DNS TXT record allows you to store text in a DNS record. Here's an example of what a DNS TXT record might look like:

example.com	record type	value	TTL
@	TXT	"color=blue"	99999

SPF lists all the servers that are authorized to send from a specific domain. When an email is received, it checks the sending server against the list of authorized servers for that domain. An SPF record might look like this:

example.com	record type	value	TTL
@	TXT	"v=spf1 ip4:200.56.78.99 ip4:156.67.109.43 include:_spf.google.com -all"	99999

The IP addresses are the ones that are authorized to send email from this domain. The include: tag denotes what third-party domains are allowed to send email on behalf of example.com. The third-party SPF record will be checked and included in the allowed IP addresses.

While a good start, SPF still has several glaring weaknesses. Since it relies on DNS, an attack on the DNS infrastructure could cause spoofed DNS data to be accepted.

Since SPF doesn't authenticate individual users, it's still possible for a sender to impersonate another user. SPF does not authenticate the MAIL FROM header. If you try to send an email from a gmail.com domain, but the server doesn't match gmail.com, it will fail.

SPF has a few different modes, allowing for a hard fail, soft fail, or completely ignoring it. -all means an email that fails will be rejected, ~all will mark emails that fail as insecure or spam but still send them, and +all will specify that any server is allowed to send emails on behalf of your domain.

This flexibility, while convenient, allows for the security benefits of SPF to be completely undermined.

DKIM

DomainKeys Identified Mail (DKIM) relies on public key cryptography to verify the domain of an email.

Example of a DKIM DNS TXT record:

name	record type	value	TTL
test-email._domainkey.example.com	TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtY+7sGVwvyS8w+3HgJk7EviazH+C4L8gV4gOJzAq9oKJjZ5En7LDEw3FqAh8C0M59c9sBQcC+Kj8VxMBY9y+E0Pm1fPK9V7sI3Gm7yE7Y9yU4uVZr8R3N+5z+qZ+7V76RU4oZ0mtSvw8m3pX1hZyHd7NZfXaFfKfgd18W5T7YQIDAQAB"	9999

DKIM records are stored under a specific name following the format

[selector]_domainkey.[domain]

The public and private keys are generated by the email provider, such as gmail.com. The public key is stored in a publicly available DNS TXT record like the one seen above and is used by the receiver to verify messages. The private key is kept secret by the email provider.

Emails sent from the email provider contain a DKIM header with a signature generated from the private key and the content of the message. If the email message is altered or signed with the wrong key, when the receiver verifies the signature using the public key it will be obvious it was altered.

An example of a DKIM header:

v=1; a=rsa-sha256; d=example.com; s=test-email; h=from:to:subject bh=uMixy0BsCqhbru4fqPZQdeZY5Pq865sNAnOAxNgUS0s=;b=LiIvJeRyqMo0gngiCygwpiKphJjYezb5kXBKCNj8DqRVcCk7obK6OUg4o+EufEbBtRYQfQhgIkx5m70IqA6dP+DBZUcsJyS9C+vm2xRK7qyHi2hUFpYS5pkeiNVoQk/Wk4wZG4tu/g+OA49mS7VX+64FXr79MPwOMRRmJ3lNwJU=

v= shows the version of DKIM, currently version one is the latest (we'll come back to that later). a= shows the algorithm used. d= shows the domain of the sender. s= denotes the selector that is used in the TXT record. h= shows the headers that were used to create the signature. bh= shows a hash of the body of the email. b= is the signature computed from the listed headers and the hash of the body listed in bh.

In this way, not only does DKIM provide assurance that the email was sent from the correct domain, it also protects the integrity of the message. However, since the keys are controlled by your email provider, it can't stop your email provider from tampering with your messages.

Note also that this has nothing to do with encryption of the message, only verifying the authenticity and sender. The message is still sent in plaintext unless another component encrypts it.

DMARC

Domain-based Message Authentication Reporting and Conformance (DMARC) is an authentication method that builds on SPF and DKIM. DMARC tells a receiving email server what to do after checking the SPF and DKIM. If the email fails, the DMARC policy tells the receiver whether to mark it as spam, block it, or allow it through.

DMARC also uses TXT records. An example DMARC policy might look like

v=DMARC1; p=quarantine; adkim=s; aspf=s;

The v= shows the version of DMARC to use. The p= shows what should be done with emails if they fail, in this case quarantine means the receiver should put the email in the user's spam folder. reject can be specified as well to show that emails that fail should be outright blocked. adkim= tells how DKIM should be enforced, with s meaning "strict"; for relaxed, r is listed instead. Ditto for aspf=.

DNSSEC

You may have noticed that all of these authentication methods rely on DNS. Unfortunately, DNS wasn't designed to be secure when it was invented in the 1980s. Ironically, there's no authentication built into DNS by default, so by attacking DNS, a malicious actor can poison your DNS cache with false information.

Researchers at CMU in 2014 found that emails that were supposedly to be sent by Gmail, Yahoo!, and Outlook.com were actually being sent by a rogue email server. This is disastrous for security and breaks the entire email authentication system. There are many such cases of attacks on DNS infrastructure and many more possible attacks on DNS.

The solution? DNSSEC. DNSSEC uses digital signatures to verify the authenticity of the DNS response. Unfortunately, DNSSEC isn't as widely used as it could be so DNS attacks are still a real threat.

DNSSEC forms a chain of trust, with each zone forming a parent/child relationship all the way up to the root zone.

The public key infrastructure (PKI) that we rely on for things like HTTPS in browsers similarly relies on a chain of trust, but web PKI relies on many trusted entities whereas DNSSEC effectively reduces it to one: the IANA which signs the root zone key in a root signing ceremony.

Effectively, DNSSEC is designed so that you can be sure the results of a DNS query are accurate.

DANE

DNS-Based Authentication of Named Entities or DANE applies the security of DNSSEC to email. It forces TLS to be used and binds the TLS certificate to DNS names directly using TLSA, thus allowing email providers to bypass the certificate authority system relied on by HTTPS.

MTA-STS

MTA-STS or Mail Transfer Agent Strict Transport Security is a way to force TLS connections for email and validate that the DNS is correct. Instead of DNSSEC, MTA-STS relies on HTTPS and the web PKI to validate DNS. It's not stored as a DNS record but instead an HTTPS server that serves the file.

You can think of MTA-STS like HSTS, HTML Strict Transport Security, which forces the use of TLS for websites. It's the same principal, just applied to email.

The extra reliance on web PKI introduces more trust than with DNSSEC, but it's easier to implement and relies on the already-established infrastructure of the internet.

Both DANE and MTA-STS can be used together for a multilayered approach to email security.

General Security

Email as a Backdoor into Your Accounts

Something seldom discussed is the fact that email is the default 2FA method for most accounts and also can be used to bypass your password through the password reset function on the login screen of most services. This essentially means the security of all of your accounts rests on the security of your email, which can be very shaky and lacks E2EE usually. It's most comparable to SMS 2FA which is also used a lot of the time as a method for getting into accounts when you forgot your password.

I touched on this a bit in my passkey article, but we need to stop relying on email for security critical applications and start using proper recovery methods like recovery codes. Email should be used for what it's intended for: sending messages and updates to people, announcements, etc.

Third-Party Clients

Many email providers such as Gmail provide their own clients for you to view your inbox, send messages, etc. But many people choose to use third-party clients for their email needs.

While it's great that email can support that, it does mean you need to trust another party with your sensitive email and essentially the security of all of your accounts. Not to mention that email clients can have vulnerabilities, so you need to be very careful about which one you trust.

Email Attack Surface

A big part of the reason email clients can be so vulnerable to exploits is the vast attack surface afforded by things like JavaScript support in emails. This puts email clients dangerously close to the same territory as browsers in terms of attack surface but without the same level of scrutiny or hardening effort that goes into browsers.

Since almost anyone can email you at any time, you have to trust that your email client vendor is able to protect you against vulnerabilities and also has timely patches when they're found.

Luckily, lots of email clients let you disable JavaScript and HTML if you want, but not all do, and email clients can have lots of other vulnerabilities as well not related to JavaScript.

Future of Email Security

It's been a multi-decade cross-industry effort to bring email up to snuff as a modern communication system, and we still have a long way to go. There's still efforts to improve the state of email security, so look out for these in the future.

Improvements to OpenPGP

The IETF has a working group for OpenPGP that wants to add many improvements to OpenPGP, including post-quantum encryption, forward secrecy, and usability improvements.

Key transparency is also a planned feature, similar to what apps like WhatsApp have implemented. Key transparency systems use an append-only, auditable and tamper-evident log of keys that allows you to automatically verify the authenticity of whoever you're messaging with.

There's even a plan to add the ability to verify keys manually using QR codes, similar to how some messengers let you manually verify keys.

Improvements to S/MIME

The LAMPS working group is looking at adding post-quantum encryption to S/MIME to protect against future quantum computer threats. This would include "dual-signature" schemes combining traditional encryption with PG encryption, similar to how some messengers handle it.

DKIM2

DKIM2 is the planned next version of DKIM.

An issue with the current version of DKIM is a malicious actor taking emails signed with DKIM from a different domain and replaying them, spamming them out to thousands of people and eroding trust in the original domain. The new DKIM2 specification would force each hop the email takes along its path to sign it, so any issues will be the fault of the previous hop.

DKIM2 aims to simplify the protocol and make it more standardized. For example, in practice, the vast majority of DKIM is singed using relaxed methods, so DKIM2 will only support relaxed.

The fact that DKIM relies on an explicit list of headers as part of the signature, there is inconsistent signing of headers and some security-critical headers might not be signed. In order to prevent attackers from adding headers that weren't originally part of the email, providers would sign headers with no information in them. DKIM2 would specify a fixed set of headers in alignment with best practices, so there won't be a need to specify headers.

DMARCbis

DMARCbis is a proposed updated version of DMARC.

The pct tag is going away, which was a tag that would only allow a specified percentage of emails, say 50%, to be sent if they failed. Apparently, this wasn't implemented properly so now it's being replaced with the t mode that is a binary pass or fail.

The new np tag adds the ability to define what to do with a non-existent subdomain of a real domain. This will prevent cybercriminals from subverting DMARC by using a fake subdomain.

They are also adding requirements that mail providers must meet to fully conform to the specification, which should eliminate questions about best practices and how DMARC should be implemented.

Deprecation of Cleartext Email

Since there are now protocols in place to at least allow for transport encryption at every stage of the email process, providers should work on removing support for unencrypted email entirely.

Transport encryption between servers now should be the minimum expected for email services going into the future.

Passkeys

The adoption of passkeys will eliminate the need for email as a recovery method, since users won't have to remember passwords. Email can be used for what it was originally intended for: a method of communication and sending updates and announcements, nothing more. This will take a concerted effort from service providers though, and it seems for now most services that support passkeys still require and email for some reason. Here's hoping this changes in the future.

The adoption of passkeys will also make email services themselves more secure, since at the moment they act as a sort of de facto recovery method for all of our accounts. They should focus on deprecating passwords for improved security.

Wider Adoption of DNSSEC

DNSSEC should be universally adopted to prevent DNS poisoning attacks. This would drastically improve the security of email.

Guidance for E2EE

The usability of E2EE in email is significantly lacking compared to other methods of communication, especially modern messengers like Signal that make the E2EE very seamless and simple. The handling of E2EE by email clients can also vary a lot and leave email users vulnerable to bypasses for the E2EE.

An RFC to address usability issues and best practices for email clients exists, hopefully it can lead to a future of improved user experience and security in email.

SMTP End-to-End Encryption

The biggest obstacle in the way of email privacy is it's not E2EE by default like most modern messengers we use daily. Some providers like Proton Mail will automatically encrypt emails between Proton Mail users. The obvious next step is to build E2EE into SMTP itself.

An RFC proposal exists for just such an idea. I'm hopeful something like this can be standardized and widely adopted, and finally bring email into the 21st century.

Zero Trust: What Can We Learn for Our Personal Networks

fria — Thu, 23 Oct 2025 22:52:35 +0000

Zero Trust: What Can We Learn for Our Personal Networks

You may have heard of "Zero Trust", usually in relation to corporate networks. It's used a lot as a buzzword to sell cloud products to companies, but the overall concept is sound. Even though it seems complicated, I think we can learn from it for our personal home networks.

Previous Method

A traditional approach to security focuses heavily on protecting network access. You define a "secure" network that you control, usually with a firewall and/or a NAT.

Anyone inside the secure network is considered trusted and has access to things such as network drives belonging to the organization, and other data.

Anyone outside the network is considered "untrusted" and are not given access to sensitive data.

 graph LR A[Untrusted Traffic] -.-> B{Network Boundary}; B --> C[Network Drive]; C --> B; B --> D[User]; D --> B; B --> E[Printer]; E --> B;

This doesn't just include people physically inside the network, this also includes people connecting to the network over a VPN. Once the VPN spits you out, it's like you're physically there on the network, along with all the privileges that entails.

Issues

You might notice this model leaves people on the network and the network itself highly vulnerable; once a malicious actor is inside the network, they can wreak havok and access troves of data and attack other users and devices.

 graph LR A[Untrusted Traffic] -.-> B{Network Boundary}; B --> C[Network Drive]; C --> B; B --> D[User]; D --> B; B --> E[Printer]; E --> B; C --> F(Attacker); D --> F; E --> F;

After getting past the network boundary, they can move laterally and access deeper and more sensitive parts of the network.

How does an attacker get past the network boundary though?

Virus

It's happened to us all at some point. Either through a malicious link, or maybe a fake program masquerading as a legitimate one, there's any number of ways a "trusted" machine can get infected with malware.

Once it is, as soon as that user connects to the network, it's open season to infect other devices on the network, access sensitive data, and cause all kinds of damage.

Unfortunately, technology isn't at a point where we can have 100% confidence that our devices aren't infected, which makes any "trusted" device, even if the user isn't malicious, a possible security threat.

This is especially relevant considering the rise in bring-your-own-device (BYOD) in workplaces. Devices that aren't set up by the organization can't be trusted to have the best security practices in place: automatic updates, restricted software installs, etc. For all you know, someone could be on your network with a laptop from 2004 running Windows Vista.

Malicious User

Of course, sometimes our "trusted" users are malicious. Corporate espionage is a very real threat. Even in your own home network, there's probably people you don't want to have access to your data.

Stolen Credentials

Sometimes credentials can get stolen, either through phishing, social engineering, or just plain irresponsible credential sharing.

Whatever the case may be, users can't necessarilly be trusted to keep their credentials secure.

Passwords are, of course, the most vulnerable type of credentials to phishing and compromise in general.

Offsite Devices

The reality today is, most of what we use isn't located on a network we control anymore. Whether it's a cloud service such as iCloud, streaming services, or even our own devices connecting remotely, the old model of trusting everything behind the network can't work when almost nothing is behind the network.

Zero Trust

This is where Zero Trust comes in.

Verify

The motto here is "never trust, always verify". This means that you should never assume any device accessing any resource or performing any action is trusted. You should verify explicitly every time and using as many data points as you can.

Principle of Least Privilege

The Principle of Least Privelege states that a user should only have access to the bare minimum they need in order to do what they need to do, and no more.

In a corporate network, a sales associate doesn't need full control over the network. In your home network, grandpa probably doesn't need access to your password manager or your user account on your PC.

Assume Breach

Always assume the attackers are listening: use encryption whenever you can. Treat your internal network traffic like external traffic.

You never know what could be lurking. A single infected printer for example could be scanning your network for unencrypted traffic or holes in your device's firewall.

Applying These Lessons

How do we apply all this to your home network?

User Authentication

Segmentation

In order to verify who is allowed to access what, you need to segment everything out: if you have a shared family computer, make a separate user account for everyone. If you have shared accounts on services such as Netflix, see if they support everyone making their own account and accessing that way instead of sharing your password.

From now on, every person must explicitly verify who they are using their own credentials. You don't want to be able to access anyone else's data and you don't want them accessing your data either.

In line with the principle of least privilege, set everyone who doesn't need administrator access as a standard user. This will prevent them from having more access to the system than needed. You can even make separate administrator and standard accounts for yourself and only use the administrator one when you need it.

Make sure your router has an administrator password set and don't give it to everyone, just people who need to administer it.

Two-Factor Authentication

Utilize two-factor authentication and biometrics whenever you can: they help ensure that the credentials haven't been stolen and the correct person is indeed accessing what they're allowed to access.

Avoid Passwords

Passwords can be easily phished, stolen, shared, or otherwise leave your custody. This is a big problem for Zero Trust. Whenever possible, use passkeys, biometric authentication, hardware security keys, anything other than passwords to log in if it can be avoided.

iOS and Android offer anti-theft features that require biometric authentication for certain sensitive actions: enable these so that someone who knows your phone password can't change these settings.

Network Drives

If you have a shared network drive, consider moving to a cloud solution and using the sharing feature it offers such as iCloud family sharing. This will make it so that everyone needs to authenticate with their account before accessing data.

Remember that we're treating all network traffic as untrusted whether it originates from inside or outside your network.

Encryption

Make heavy use of encryption, especially end-to-end encryption. Enable E2EE in services that support it such as iCloud Advanced Data Protection.

Many routers will allow you to use TLS encryption for accessing their web interface: enable this setting if it's available.

Firewall

Enable the firewall on your router of course, but don't rely on it to protect you.

Turn on the firewall for all devices on your network. You can tweak the settings as you see fit, but make sure it's the minimum you need in order to use the device properly. Most operating systems will give you a simple graphical user interface for changing firewall settings, so it shouldn't be too difficult.

For example, in Windows, you can set each network you connect to as either Private or Public, with Public having stricter firewall rules. We're treating all networks as public networks, so set your home network to Public.

Remove Unnecessary Devices

In this day and age, many of us own too many smart devices. We have to ask ourselves if we really need a WiFi enabled toaster, or if the added attack surface isn't worth it.

Go through networked devices in your home and assess what's needed and what's not. These typically are a pain to keep updated and give you very little control over their security anyway. Each one represents another potential entrypoint into your network.

Network Segmentation

An important part of Zero Trust is keeping devices separated on your network. You don't necessarily need to go as granular as you'd see on corporate networks, and a lot of consumer routers don't even let you anyway, but you can put devices you don't want anywhere near your sensitive data on the guest network that most routers let you enable.

This will keep them separated from your personal devices with your sensitive data.

Continuous Verification

Some devices, especially Windows devices, support continuous verification through biometrics. For example, you can set your Windows PC to automatically lock itself when it detects you've left.

Some devices also support onlooker detection, so when an unauthorized person is detected looking at your screen, it will turn off.

Unfortunately, this security feature isn't available on most devices. For devices that lack continuous verification, you can set the screen to turn off after a short timer. You can make use of attention aware features to keep your screen from dimming while you use it.

Takeaways

While the average person won't be achieving the same level of granular isolation you might get on a modern, secure corporate network, we can take the overall concepts and apply them to our home networks fairly easily. I'm sure there's plenty I missed, so feel free to let me know your ideas, and maybe I can even update this article in the future with your suggestions.

Creating a Tricked-Out Monero Server with TrueNAS

Justin Ehrenhofer — Thu, 16 Oct 2025 19:07:20 +0000

Creating a Tricked-Out Monero Server with TrueNAS

Illustration: Jonah Aragon / Privacy Guides

In this guide, we will walk you through setting up a very powerful Monero server on TrueNAS. By completing these steps, you will be able to connect to your own self-hosted Monero node with the official Monero wallet and Cake Wallet, and you will be able to connect to your own self-hosted Monero LWS server with Edge Wallet and MyMonero.

Guest Contributor

Please welcome Justin Ehrenhofer as a first-time guest contributor! Justin is the president of MAGIC Grants, a nonprofit which supports public cryptocurrency infrastructure and promotes privacy, and operates as Privacy Guides' fiscal host. Privacy Guides does not publish guest posts in exchange for compensation, and this tutorial was independently reviewed by our editorial team prior to publication.

This guide assumes that you are using TrueNAS for the first time. TrueNAS is an open-source operating system that is meant to function primarily as a NAS, and it supports running arbitrary Docker apps. MAGIC Grants spent the last few months making dedicated apps on the TrueNAS store to make this setup process simpler than starting from scratch.

Advantages of Running Your Own Node

Monero is a cryptocurrency with strong privacy properties by default, and it is the only cryptocurrency currently recommended by Privacy Guides.

Despite Monero's privacy protections, your wallet needs to communicate with the rest of the Monero network. There are two main options:

Connecting to someone else's node; or
Connecting to your own node.

By connecting to your own node, you do not need to reveal when you are using your wallet and what transactions you send to the node operator.

By following this guide, your transaction broadcasts will be protected with the Tor and/or I2P networks.

In short, if you can run your own node, you should run your own node.

Hardware/Software Recommendations

A spare machine (e.g., an old desktop computer) with:
- One or more SSDs with >100 GB of free space
- 4+ CPU cores
- 4GB+ of RAM
- TrueNAS already installed
A domain name (optional, for encrypted clearnet connections)

It's possible to undercut these recommendations, but please don't do that to yourself.

What We Will Set Up

All of these applications are optional. You can set up nearly any combination of these. For example, you can skip just the I2P app if you don't plan to use I2P.

Software	Description	Purpose
Arti	A Tor client written in Rust.	Connect to Tor nodes, broadcast transactions over Tor, and connect to TrueNAS apps over Tor.
Java I2P	The officially distributed app to connect to the I2P network.	Connect to I2P nodes, broadcast transactions over I2P, and connect to TrueNAS apps over I2P.
Monero Node	The officially distributed app for communicating with the Monero network.	The app provides the necessary information to send and receive Monero transactions. Most wallets (including the official Monero wallets and Cake Wallet) connect to Monero nodes.
Monero-LWS	A "Light-Wallet Server" that allows "light-wallets" to send and receive Monero transactions.	Monero light-wallet apps (including Edge Wallet and MyMonero) can connect to this server so that the wallet itself does not need to scan/sync Monero history; the server handles this scanning/syncing.

Configure TrueNAS Storage

We will configure storage for the Monero blockchain, and we will use default storage settings for other purposes. If you are an advanced user, you can configure the storage yourself.

Create a Monero Pool

In TrueNAS, a pool is a collection of hard drives for a specific use-case. For simplicity, we will configure the entirety of a single SSD for Monero's use.

Click Storage.
Click Create Pool.
Type monero-pool for the name. Leave encryption disabled (this will only store public blockchain data). Click Next.
Choose the layout that you will be using. We will pick Stripe in this guide.
Select the entire storage space for the SSD. Click Next.
Skip all the remaining options for metadata, log, cache, spare, and dedup. Keep clicking Next.
Finish creating the pool by clicking Create Pool.

Create a Monero Dataset

A dataset is effectively a folder inside a pool. We will make one folder for the Monero blockchain data:

Click Datasets.
Click on the monero-pool pool.
Click Add Dataset.
Set the name to monero-blockchain
Set the dataset preset to Apps.
Click Save.

Next, we will assign the ownership of that folder to the apps user:

While the monero-blockchain dataset is selected, click Edit under Permissions.
At the top, change the Owner and Owner Group from root to apps.
Check the boxes for Apply Owner and Apply Group.
Check Apply permissions recursively.
Click Save Access Control List.

Configure Arti (Tor)

Experimental software

Arti is experimental software. At the time of writing, Arti should not be used for privacy-critical applications. Connecting to your own Monero node is "low risk" in most circumstances. However, if you have very sensitive requirements you should not use Arti until it has been tested further by the community. By using Arti today, you are helping to make Arti better!

Click Apps.
Click Discover Apps.
Search for Arti. Click on the Arti app.
Click Install. This will pull up a form.
Under Hidden Services, click Add. For each of the functions below that you want to support, create a new hidden service:
1. Monero Node (for incoming P2P connections)
  1. Name: monerodp2p
  2. App Port: 18084
  3. Hidden Service Port: 18084
2. Monero Node (for incoming RPC (wallet) connections)
  1. Name: monerodrpc
  2. App Port: 18089
  3. Hidden Service Port: 18089
3. Monero LWS
  1. Name: monerolws
  2. App Port: 18090
  3. Hidden Service Port: 18090
Leave the other settings as default. Click Install.

You will see the Applications screen after it installs. After the Arti app shows the status as Running, click on the shell icon under Workloads and to the right of arti – Running (not config or perms).

In the shell, type the command arti hss --nickname monerodp2p onion-address. This will return a string that ends in .onion. In notepad, Excel, or another app, save the .onion address and the service it is associated with (monerodp2p). You might need to copy from the shell with Ctrl+Ins.

Do this again for the following two commands as well:

arti hss --nickname monerodrpc onion-address arti hss --nickname monerolws onion-address

You should have three saved and unique .onion addresses.

Configure I2P

Click Apps.
Click Discover Apps.
Search for I2P. Click on the I2P app.
Click Install. This will pull up a form.
Change the Port Bind Mode for I2P HTTP Proxy Port to None.
Change the Port Bind Mode for I2P HTTPS Proxy Port to None.
To the right of Additional Ports, click Add.
In the newly exposed fields, set the Port Number as 4447.
In the same newly exposed fields, set the Container Port as 4447.
Leave the other settings as default. Click Install.

You will see the Applications screen after it installs. After the Arti app shows the status as Running, open a browser and direct it to the I2P configuration wizard. This is available at <hostname>:7657, for example 192.168.1.100:7657.

Complete the initial I2P wizard using the default settings.

Create I2P SOCKS Proxy

Click Local Tunnels.
Click on the I2P HTTP Proxy.
Uncheck Automatically start tunnel when router starts.
Click Save.
To the right of the I2P HTTP Proxy, click Stop.
Click on the I2P HTTPS Proxy.
Uncheck Automatically start tunnel when router starts.
Click Save.
To the right of the I2P HTTP Proxy, click Stop.
At the bottom and to the right of New client tunnel:, change the type in the dropdown from Standard to SOCKS 4/4a/5 and click Create.
1. Set the name as monerod.
2. Check Automatically start tunnel when router starts.
3. Set the Access Point Port to 4447.
4. Set Reachable by to 0.0.0.0.
5. Click Save.

Create I2P Hidden Services

There is an optional step below to reduce the hidden service tunnel length from the default of 3 to 1. This will substantially increase the reliability of the server at the cost of anonymity.

However, the server's connection to the I2P network for connecting to Monero wallets and the rest of the Monero network is typically not sensitive, unless you want to completely conceal that you are running a Monero node. Thus, most users will prefer the higher performance of the shorter tunnel length.

We do not recommend shortening the tunnel lengths for the I2P SOCKS Proxy (in the previous section above) on the other hand, since transaction broadcasts tend to be sensitive.

Under I2P Hidden Services and to the right of New hidden service:, change the type in the dropdown from HTTP to Standard and click Create.
1. Set the name as monerodp2p.
2. Check Automatically start tunnel when router starts.
3. Set the target host as the server's hostname, for example 192.168.1.100.
4. Set the target port as 18085.
5. Optional: Set the Tunnel Length Option to 1 hop tunnel (low anonymity) for better performance.
6. Click Save.
Create another Standard hidden service.
1. Set the name as monerodrpc.
2. Check Automatically start tunnel when router starts.
3. Set the target host as the server's hostname, for example 192.168.1.100.
4. Set the target port as 18089.
5. Optional: Set the Tunnel Length Option to 1 hop tunnel (low anonymity) for better performance.
6. Click Save.
Create another Standard hidden service.
1. Set the name as monerolws.
2. Check Automatically start tunnel when router starts.
3. Set the target host as the server's hostname, for example 192.168.1.100.
4. Set the target port as 18090.
5. Optional: Set the Tunnel Length Option to 1 hop tunnel (low anonymity) for better performance.
6. Click Save.

You will see the three I2P Hidden Services that you configured. Under each, you will see a .b32.i2p address after Destination:. You will need to use the destination .b32.i2p addresses in later steps (just like the .onion addresses), so keep them handy.

Configure Monero Node

Initial Setup

Click Apps.
Click Discover Apps.
Search for Monero Node. Click on the Monero Node app.
Click Install. This will pull up a form.
Optional: Uncheck Prune the blockchain. This will use significantly more storage.
Under Storage Configuration and Blockchain storage location, change the Type from ixVolume to Host Path.
Under Host Path, use the folder picker to select the monero-blockchain dataset. This should usually be /mnt/monero-pool/monero-blockchain.
Optional: Under Resources Configuration, increase the CPU resource limits to as high of a value as possible for your system. This will help the node sync faster.
Leave the other settings as default. Click Install.

Why not configure Tor and I2P settings to begin with?

Some users may be sensitive to a privacy risk where your Tor and I2P addresses could be matched with your public IPV4 address while it is syncing. By waiting to configure these settings until after your node is already fully synced, we minimize this risk.

Check on the Sync Status

It will take a day or more for most systems to fully sync the Monero blockchain from scratch.

To check the status, go to the app page and click on the monerod app. Under Workloads and to the right of monerod – Running, click on the shell icon.

Type monerod status and press enter.

If the status reports Height: ####/#### (100.0%) on mainnet, then your node is fully synced. You can proceed to the next step.

Add Tor and I2P

After your Monero node is fully synced, click on the monerod app and then click Edit. This will bring up the same form that you configured when installing the app.

Check Enable Tor connections.
Set the Tor IP as your hostname, for example 192.168.1.100.
Set the Tor port as 9150.
Check Enable inbound Tor connections.
Set the Inbound onion address as the .onion address for monerodp2p that you observed earlier.
Check Enable inbound I2P connections.
Set the I2P IP as your hostname, for example 192.168.1.100.
Set the I2P Port as 4447.
Check Enable inbound I2P connections.
Set the Inbound I2P base32 address as the .b32.i2p address for monerodp2p that you observed earlier.
If you wish to enable Monero LWS, under ZMQ RPC Port, change the Port Bind Mode from None to Publish port on the host for external access.
If you wish to enable Monero LWS, under ZMQ Pub Port, change the Port Bind Mode from None to Publish port on the host for external access.
Under Tor inbound port, change the Port Bind Mode from None to Publish port on the host for external access.
Under I2P inbound port, change the Port Bind Mode from None to Publish port on the host for external access.
Click Update.

Configure Monero LWS

For security reasons, the Monero LWS app only accepts requests from allowlisted Monero addresses. Requests from other users will be rejected.

Click Apps.
Click Discover Apps.
Search for Monero LWS. Click on the Monero LWS app.
Click Install. This will pull up a form.
Under Accounts, you can add sets of allowlisted Monero wallets that will be supported by this server. Click Add to add a wallet. For each wallet, include the Address, View Key, and Restore Height. If a restore height is not provided, it will scan the entire blockchain (which is thorough but inefficient).
Optional: Under Resources Configuration, increase the CPU resource limits to as high of a value as possible for your system. This will help the server scan multiple wallets faster.
After you have added all the wallets, click Install.

You can add new Monero wallets in the future by adding them to the list of accounts.

Configure Secure Clearnet Connections

It is insecure to connect your wallet to your server over an unencrypted connection.

If you only configure your wallet to connect to your server over its I2P or Tor addresses, then you're all set. The connection is already encrypted.

There are different ways to connect to your node over an encrypted clearnet connection, each with their pros and cons:

Method	Pros	Cons
Tor	No additional configuration necessary. Private. Secure. Reliable.	Slow for non-LWS wallets.
I2P	No additional configuration necessary. Private. Secure.	Slow. Unreliable.
Nginx Proxy Manager	High degree of user control. Secure. Reliable. Fast.	Requires a domain. Requires configuration.
Cloudflare Tunnels	Secure. Reliable. Fast. Easy to set up. Extra security settings.	Requires a domain. Decrypted traffic is shared with Cloudflare.

Nginx Proxy Manager (Recommended)

Click Apps.
Click Discover Apps.
Search for Nginx Proxy Manager. Click on the Nginx Proxy Manager app.
Click Install. This will pull up a form.
Leave the settings as default. Click Install.

You will see the Applications screen after it installs. After the Nginx Proxy Manager app shows the status as Running, open a browser to <hostname>:30020, for example 192.168.1.100:30020.

Configure Your Domain and Router

You will need to create A and (optionally) AAAA records with your DNS provider that point to your public IPV4 and IPV6 IP addresses, respectively. You will then need to forward the ports in your router to your TrueNAS hostname. These steps are out of scope for this guide.

Add Proxy Hosts to Nginx Proxy Manager

From the Nginx Proxy Manager browser interface, click Hosts, Proxy Hosts, then Add Proxy Host. We recommend creating proxy hosts as follows:

Domain Name	Scheme	Forward Hostname / IP	Forward Port
`monerod-rpc.<domain>`	`http`	`<hostname>`	`18089`
`monero-lws.<domain>`	`http`	`<hostname>`	`18090`

For each entry, enable Block common exploits. Configure the SSL settings with Request a new SSL Certificate, Force SSL enabled, and HTTP/2 Support enabled.

Optionally assign an access list.

You should now be able to access these services using your domain!

A Note About Clearnet Networking

Making clearnet connections without encryption (without SSL/TLS) is insecure. This guide uses the Nginx Proxy Manager app to configure these secure connections, but you can alternatively use another approach such as Cloudflare Tunnels, Tailscale, or WireGuard.

What About Bitcoin?

Bitcoin is not recommended by Privacy Guides due to its very weak privacy properties by default. Nevertheless, MAGIC Grants has made several Bitcoin oriented applications in the TrueNAS store that you may benefit from if you need to use Bitcoin.

Test Connections

We will test connections to our node over Tor using Cake Wallet, Edge Wallet, and Orbot. Make sure you have these apps installed and already have Monero wallets set up.

Use Full Device VPN mode with Orbot for this guide.

Test with Cake Wallet

Cake Wallet will connect to your Monero node. Follow these steps to change the Monero node that Cake Wallet uses. Provide your monerodrpc onion address for the Monero Node app as the node address, 18089 as the port, no username, no password, and Use SSL unchecked.

You should see a green dot next to this newly added node, and you should notice that your wallet is able to sync. Syncing performance to a Monero node over Tor is slow.

Test with Edge Wallet

Edge Wallet will connect to your Monero-LWS server. In Edge Wallet, click on the upper right hamburger menu, then Settings, then Asset Settings, then Monero. Select Custom Light Wallet Server and provide your monerolws onion address with the port. For example, http://monerolws.onion:18090, replacing monerolws.onion with your correct onion address.

Back in the main wallet overview, you should see that your Monero wallet is fully synced.

Real-Name Policies: The War Against Pseudonymity

Em — Wed, 15 Oct 2025 03:45:32 +0000

Real-Name Policies: The War Against Pseudonymity

Illustration: Em / Privacy Guides | Photo: Marija Zaric / Unsplash

Real-name policies have existed for well over a decade already, and the problems they cause aren't new. But these problems have become exponentially harmful in today's world, where real-name policies are coupled with monopolistic platforms, increased mass surveillance, AI technologies, and facial recognition capabilities. It's time to fight back against this unsafe and discriminatory privacy-invasive practice.

Pseudonymity, or the use of a nickname or fictitious name online, has always been deeply valued on the internet. It grants people protections and freedoms that are often impossible to benefit from offline.

Women, and especially women who are part of male-dominated online communities, have regularly used pseudonyms to hide their gender online in order to protect themselves from sexual harassment, stalking, and physical violence even.

Transgender and gender-diverse people also regularly use pseudonyms for protection, or use new chosen names to explore their gender identity online.

Victims of domestic violence, victims of stalkers, activists, and even journalists often use pseudonyms to protect themselves from aggressors or oppressive regimes.

Pseudonymity saves lives. And yet, it is constantly under attack.

What are real-name policies exactly?

Increasingly more platforms demand that users provide their legal name and official identifications in order to keep using a platform.

So called "real-name" policies are platform policies requiring users and subscribers to sign up and display their "real name," often equated to a legal name.

Facebook for example claims not to require a legal name, but only the "real" name a person uses in their daily life. Yet, the social media giant regularly demands official IDs to verify this "real" name, effectively requiring people associate their account with their legal identity.

Facebook has even repeatedly taken the liberty to decide which name was "real", and changed the displayed name of users based on verification processes without any prior consent from users. For people in vulnerable situations, this can be a very dangerous practice.

Facebook is perhaps the most infamous platform implementing such discriminatory and intrusive policy, but sadly, it's not the only one.

Increasingly more platforms demand that users provide their legal name and official identifications in order to keep using a platform. And this will likely be aggravated significantly by the recent trend for age-verification policies.

Explicit and implicit policies

There is always two levels of real-name policies: The name displayed publicly to everyone (explicitly required), and the name the platform has associated with the account in its database (implicitly associated).

While a requirement to expose one's legal name publicly has clear privacy risks, storing legal names without displaying it to other users is also problematic.

For explicit requirements, users who are obligated to display their legal name publicly are not only forced to create a permanent association of this account with their legal identity (with all the problems this can bring), but are also potentially exposing their identity and account to current or future attackers.

For example, this can and does enable stalkers to find their victims online (and offline) to cause them harm.

For implicit associations, as soon as a legal name is collected and associated with an account in the backend, whether from providing official documentation for age verification, account recovery, payment, or any other processes; this data is at risk of getting leaked or breached, and eventually shared publicly as well.

Once this data is exposed, this account now also becomes permanently associated with a legal identity, publicly.

Even without having an openly stated real-name policy, platforms collecting official documentation—or otherwise storing legal names associated with accounts—can effectively end up exposing their users to similar risks.

What is a real name anyway?

Of course, your true real name is whatever you decide others should call you. Only you can decide this, and others should be respectful of your choice.

Your legal name, however, is a data marker attached to your person that can be used to trace many of your activities online and offline, with a high degree of precision going as far back as when you were born.

For everyone, but especially for vulnerable communities, exposing legal names on certain platforms can represent a significant risk. The use of pseudonymity is a critical part of online safety, and people should be able to continue using this protective measure without raising suspicion.

Who is impacted the most by real-name policies?

Everyone is impacted by real-name policies, but groups that are at higher risk of discrimination, violence, and online harassment are disproportionally harmed by them.

Moreover, anyone who for various reasons uses a name that doesn't match their official ID; has a legal name that doesn't match an expected American name pattern; needs to conceal their gender online for safety; or has to protect their identity online due to their work as an activist, journalist, dissident, or whistleblower can be severely impacted, silenced, and even endangered by requirements to provide a legal name online.

Victims of domestic violence

For many people, using pseudonyms isn't just a good privacy practice, but it can be a matter of life and death.

For anyone who is experiencing or has experienced domestic violence, creating a new online identity hidden from the perpetrator can be essential for survival, to prepare a safe escape, or to keep having access to essential support and resources.

When people are forced to only use one identity online, an identity attached to their legal identity, this empowers aggressors to find their victims, to silence them, to control them, and to harm them.

Technologies and policies are never neutral. When policies and features make it difficult or impossible for vulnerable people to use these technologies safely, they are effectively excluding vulnerable people from the platforms.

Even if this might seem minor from the outside, when Big Tech becomes so monopolistic that it's almost impossible to fully avoid it in our daily lives, when someone cannot access social groups and support without a Facebook account, and can't find a new job without LinkedIn, then it's not just a minor problem anymore, it's a major problem.

Platforms and online services should be safely accessible to everyone. And this includes allowing the use of protective pseudonymity without requiring legal identification that could put the most vulnerable in life-threatening situations.

Victims of stalking

Similarly to victims of domestic violence, victims of stalking must protect their identity online to stay safe from their stalkers. When platforms obligate people to use their legal names, explicitly or implicitly, they directly endanger these victims.

If a stalker or an aggressor knows a victim's legal name (which is often the case), then it's trivial to find their account on any platforms and services, regardless of if they have blocked them on one.

A good protection to prevent severe harassment is to create alternative accounts using a different name or different pseudonym unknown to the aggressor. This can give victims the peace of mind of knowing their stalker will not be able to find them there.

For anyone tempted to argue real-name policies reduce the number of perpetrators, this isn't the case.

Stalkers and predators of all kind feel generally quite comfortable using their own legal names, this isn't a problem for them. They feel confident knowing that victims generally have little recourses and support, and that there will be no consequences for them even when their legal name is known.

Despite the claims, removing pseudonymity doesn't remove misbehavior online, this has been demonstrated again, and again, and again. Real-name policies don't reduce crime, it only restricts the victims' ability to protect themselves from such crime.

Activists and political dissidents

Pseudonyms are hardly modern phenomena, and it's fair to say democracy wouldn't exist without it.

For activists and political dissidents around the world, using pseudonymity online can be a way to reclaim freedom of speech and criticize power in a safer way. Under oppressive regimes, online privacy can mean life or death.

This is another example showing how essential privacy rights are to democracy. Real-name policies facilitate censorship, discrimination, and political repression.

A Honduran blogger using the pseudonym La Gringa used her blog and Facebook page to criticize the Central American government for years.

Protecting her legal identity is essential to allow her to speak freely and stay safe from state repression. This isn't an exaggeration, Honduras is one of the most dangerous country for journalists. The Committee to Protect Journalists (CPJ) recorded that 37 press workers were killed in the country between 1992 and 2023. Of these murders, 90% were unpunished.

But Facebook silenced La Gringa with its real-name policy, requiring her to provide a copy of her official ID to continue advocating on the platform. Evidently, this request is asking her to put her life in danger and cannot be compromised on.

Facebook's policy is essentially silencing any dissident and marginalized voices in oppressive regimes.

By letting the community report infractions to Facebook's real-name policy, this effectively allows Facebook's rules to be weaponized against marginalized groups already plagued with constant discrimination.

It also empowers abusers to silence their victims, and sides with oppressive regimes around the world to censor any critics they might have.

As reporter Kevin Morris commented in his Daily Dot piece on the topic: "Pseudonyms are hardly modern phenomena, and it's fair to say democracy wouldn't exist without it."

Women

A site which requires real/verified names is automatically flagging itself as a potentially/probably unsafe space for women, or for anyone else at risk of harassment, violence, job discrimination, and the like.

Women have long used pseudonyms on the internet in order to conceal their gender online, and spare themselves from the sexual harassment and discrimination omnipresent on some platforms. This is even more common in male-dominated communities like online gaming, for example.

It's not rare to hear some people claiming that "there aren't any women in their online community." Well, there probably is.

Platforms allowing pseudonyms foster a culture of inclusivity where everyone can participate free from discrimination, regardless of their gender. Real-name policies encourage the opposite: platforms where participants are forced to either endure the abuse and compromise their physical safety, or be excluded entirely.

As pseudonymous author skud wrote for the Geek Feminism blog in 2010:

[...] women online are regularly admonished to use pseudonyms to protect themselves. Many websites with a culture of pseudonymity [...] have a very high proportion of female members, perhaps in part because of the sense of privacy and security that pseudonymity brings. A site which requires real/verified names is automatically flagging itself as a potentially/probably unsafe space for women, or for anyone else at risk of harassment, violence, job discrimination, and the like.

Women aren't exactly a minority group. While platforms should be inclusive to everyone of course, including minority groups, enforcing a policy that obligates roughly 50% of the population to lower its safety protections in order to participate should be obviously unacceptable.

Indigenous people

Notwithstanding its own policy, Facebook has regularly suspended accounts with legal names wrongly targeted as fake, based on criteria rooted in colonialism. Indigenous communities have been exceedingly impacted by Facebook's real-name policy, despite following all the platform's rules as requested.

In 2009, Facebook abruptly cut off account access to an Indigenous American woman named Robin Kills The Enemy, wrongly accusing her of registering under a false name. But her name was authentic, and indeed her legal name.

Facebook eventually reinstated her account, but only after a long process where she had to modify the spelling.

The burden shouldn't be on Indigenous people to have to prove their identity just because a US-based corporation can't seem to understand the global diversity of naming conventions.

Following Kills The Enemy's experience, a journalist started a Facebook group called "Facebook: don't discriminate against Native surnames!!!" that was joined by over a thousand people only a few days after its creation. Many users shared similar experiences and questioned the platform's treatment of Indigenous surnames.

Another woman named Melissa Holds The Enemy described a month-long process to recover her account.

An Indigenous man named Oglala Lakota Lance Brown Eyes had his account suspended by Facebook demanding his "real" name.

After Brown Eyes sent all the required proofs, Facebook decided without warning to Americanize his displayed name to "Lance Brown." This is blatant racism.

His name was eventually corrected and Facebook apologized, but only after Brown Eyes threatened the company with a class action lawsuit.

Dana Lone Hill also got her account suspended because of her Indigenous surname, and was forced to go through Facebook's intrusive verification process in order to recover her account.

The list goes on and on. Indigenous people have been forced by Facebook to modify and Americanize their actual legal names.

Many were forced to add hyphens, change the alphabet used, smash words together, or even remove parts of their legal name in order to please Facebook's arbitrary preferences, ignoring its own "real-name" policy.

This is yet another demonstration of systemic racism perpetrated by a monopolistic corporation quick to ignore the human rights and diversity of its users.

People with non-Anglophone names

In another case, a woman from Japan named Hiroko Yoda wasn't able to sign up for a Facebook account due to her surname.

Despite being a common surname in Japan, it seems Facebook judged it more important to ban anyone trying to "impersonate" the popular Star Wars character.

Of course, the Star Wars character uses a Japanese name because its creator has drawn inspiration from the Japanese culture. But Facebook still seems to somehow think that Star Wars comes first, and Japanese people must pay the price for daring to share a surname with the American Jedi.

A Facebook user from Hawaii named Chase Nahooikaikakeolamauloaokalani Silva also had his account suspended despite using his legal name.

As a proud Hawaiian, it was important for him to be able to display his Hawaiian given name. But Facebook just didn't like his legal name.

Silva reported to HuffPost that "Facebook should not be able to dictate what your name is, what you go by, what you answer to," and he's right.

More broadly, Facebook's policy prohibits name with "too many" words, capital letters, or first names with initials. This assumes the default for names is the Americanized format of one first name, one (short) middle name, and one last name.

But this isn't a reality for most of the world. This extremely narrow vision of what a name should look like and how it should be formatted isn't compatible with many if not most cultures.

It's unbelievable (and unacceptable) that a platform with an estimated 2.28 billion active users, who seems to want to eat even more of the world every year, is being so ignorant of non-American cultures and global naming conventions in its policies and practices.

The transgender community

For transgender and gender-diverse individuals, their legal name may be a "dead name." A dead name is a name that they were assigned at birth but no longer identify with. Commonly, transgender people change their name as part of their gender transition.

In many countries around the world, there can be many bureaucratic hurdles required to change one's name, meaning that many trans people are unable to update their legal name to reflect their gender identity. Because they no longer identify with their dead name, keeping it private is of great importance for their mental health and safety.

23% of LGBTQ+ young people reported that they have been physically threatened or harmed in the past year due to either their sexual orientation or gender identity.

Referring to a trans person with their dead name is considered offensive and often involves misgendering someone too. For transgender people, being called a name that they no longer identify with invokes feelings of depression, anxiety, gender dysphoria, and lack of acceptance.

Using someone's dead name signals that you don't respect their identity and that you don't care about them enough to use their new name.

Unfortunately, transgender people still face widespread discrimination, that's why "dead naming" can be incredibly dangerous. Revealing someone's gender identity or sexuality without their consent is called "outing". By calling someone by their dead name, you may be inadvertently revealing someone is transgender. This can be not only traumatizing and frightening for the individual, but can also lead to violence or put this person in a dangerous situation.

The Trevor Project, a non-profit LGBTQ+ organization, conducts a yearly survey on LGBTQ+ youth across the United States. In their 2024 release, they found that "23% of LGBTQ+ young people reported that they have been physically threatened or harmed in the past year due to either their sexual orientation or gender identity."

This is why when real-name policies come in, requiring transgender people to use their legal name for their social media accounts, this could force them to "come out" by displaying a name that they no longer identify with, therefore revealing they are transgender. The National LGBTQ Institute on Intimate Partner Violence describes "coming out" as an "ongoing process, by which a person shares aspects of their identity with others."

Having aspects of their identity shared without their consent can put this person in significant physical danger because of unsupportive family members, friends, colleagues, and strangers. This is especially the case with LGBTQ+ youth, who are at heightened risk of online, verbal, physical harassment, or violence due to their identity.

Coming out can be a very daunting and scary process, particularly for transgender and gender-diverse people, and often can be an ongoing process over many years. In many cases, LGBTQ+ people choose instead to hide their identity at social and work gatherings.

Platforms that enforce real-name policies take away the essential ability to control when and how that process plays out are nothing short of abusive. This might sound hyperbolic, however, "outing" is often used as a mean of control in abusive relationships to coerce an LGBTQ+ individual. The fact that social media platforms are exhibiting similar behavior is alarming.

Unfortunately, many websites don't allow updating the name attached to an account easily, often requiring to provide legal documentation showing proof that the name has been legally changed.

Having to provide your identification documents to use a website is not only terrible for your privacy, as it links your real life identity to your online account, it also puts your identity at risk.

Companies that process and verify identity documents are at a much higher risk of being targeted by malicious actors, because of the sensitive information they store and process.

One of the worst offenders of this is Facebook. They require everyone that signs up to use their legal name for their profile, and claim that this is to ensure safety on the platform so that everyone knows who they are talking to is who they say they are.

Many transgender and gender-diverse people use aliases on social media platforms to protect their identities and the identities of those around them, because they are more likely to be harassed or doxxed. Facebook's real-name policy has unforeseen consequences for these people, as one transgender Facebook user found out:

I woke up to find my Facebook account deleted. [...] I have had a Facebook since about 2007 or 2008. Other than when I was a kid and was afraid my parents would find out about my account (causing me to use an alias for a little while), my profile always bore my legal name. A week or so ago, however, I changed my display name to "Arc Angel."

Finally, because of the discrimination and danger that transgender people face in the real world, they often find refuge in online and internet communities. According to a report by Hopelab of LGBTQ+ youth:

Transgender young people more often agree that their online communities and friendships were important or very important (84%) when they began to explore their sexuality or gender compared to cisgender LGBQ+ young people (71%).

This is why it’s so important that they are able to freely express themselves with a pseudonymous or anonymous identity. If every online platform required these users to use their legal name, this would be extremely dangerous for transgender and gender-diverse people who often rely on online spaces for community, friendship, and support.

LGBTQ+ people

Moreover, real-name policies disproportionately affect LGBTQ+ people, as they often prefer to not associate their legal name with their online activities. This is especially important for people living in countries where LGBTQ+ identities are criminalized by law, meaning they can be jailed (or worse) if they associate their online activities with their real life identity.

Unfortunately, it gets even worse: harassers and trolls have weaponized Facebook's real-name policy, and are using it to silence their victims by mass reporting them as using a fake name.

In an open letter to Facebook about its real-name policy in 2015, many LGBTQ+ and digital rights organizations warned Facebook that this was being used to silence LGBTQ+ people:

Facebook users in the global LGBTQ community, South and Southeast Asia and the Middle East report that groups have deliberately organized (sometimes even coordinating via Facebook) to silence their targets using the "Report Abuse" button.

Despite all the recommendations and warnings by LGBTQ+ organizations and digital rights groups more than ten years ago, Facebook is still standing strong in its intention to keep the platform a "real name" only space.

Their help center still states that you can only use a name that appears on your official identification documents:

The name on your profile should be the name that your friends call you in everyday life. This name should also appear on a form of ID or document from our ID list.

Many platforms have been trying to improve the way they handle this and allow for users to select a preferred name that is displayed instead of their legal name. This is an improvement, however it isn't without issues.

Platforms shouldn't require you to provide your legal name to begin with.

Stage performers and small businesses

In 2014, Facebook made the news for ramping up its real-name policy and suspending hundreds of accounts from marginalized and vulnerable people (more on this in the next section). The platform was heavily criticized, and Facebook eventually reinstated many banned accounts.

At the time, drag performers were severely impacted by the policy purge. Drag queen and activist Sister Roma reported having to change her Facebook profile to a legal name she had not used publicly for 27 years.

Retired burlesque dancer Blissom Booblé explained that using a pen name on Facebook was essential to continue her advocacy for LGBTQ+ homeless youth and to raise HIV awareness while staying free from discrimination at her workplace.

Drag queen Ruby Roo reluctantly complied with Facebook's policy in order to keep contact with his friends, but expressed concerns that people would not recognize him under his legal name. If nobody ever calls you by your legal name, does this still even count as your "real" name?

During an earlier purge in 2009, small-business entrepreneur Alicia Istanbul suddenly lost access to both her personal Facebook account and her jewelry design business page. Once this happens, the burden falls on users to carry on the lengthy and intrusive verification process to restore their accounts.

There is no innocent until proven guilty with Big Tech. This can represent significant losses in time and money for small businesses.

Additionally, many professionals such as teachers, doctors, therapists, and social workers regularly use pseudonyms so that clients and patients will not be able to find their personal accounts.

Everyone should have the right to separate their professional lives from their personal lives, and using pseudonyms is a great practice to this effect.

Everyone else

Finally, everyone can be impacted negatively by real-name policies, not only marginalized or vulnerable groups.

Everyone should be able to choose the protections necessary for themselves, according to their own and unique threat model. If someone decides it's safer or more comfortable for them to use a platform under a pseudonymous account, they should be able to do so freely.

Privacy is a basic human right, and it should be accessible to all without requiring any justification.

The normalization of real-name policies online, aggravated by the growing identity and age verification industry, will have devastating consequences for everyone, and for democracies everywhere. Real-name policies are authoritarian in nature and have a chilling effect on freedom of speech and other civil liberties.

If we value privacy as a human right, we must push back against real-name policies, especially on social media.

Where are real-name policies?

About ten years ago, pseudonymity became a heated news topic during the so-called Nymwars, the wars against pseudonyms.

The term mostly refers to a series of conflicts related to real-name policies in the 2010s. It emerged in relation to waves of policy enforcement from Facebook, Google, and the video-game giant Blizzard.

With the increasing push for age verification and "human authentication" online, the Nymwars are sadly likely to make a comeback very soon. And for some platforms, the war just never stopped.

Sometimes, your legal name might be required online of course. For example, for governmental and financial services. But way too many platforms and services collect legal names when there really isn't any strong justifications for it.

While Facebook was mentioned abundantly in previous examples, this problem isn't limited to Meta's social media. You've probably encountered real-name policies everywhere already, but here are some platforms (and even countries) that have been infamous for it:

Facebook

In 2014, Facebook made the news (again) for enforcing a horrible policy (again) that was hurting marginalized and vulnerable groups the most (again).

Several human rights groups, including the Electronic Frontier Foundation, Human Rights Watch, and Access Now even joined the Nameless Coalition to demand changes to Facebook's policy.

Facebook presented this ramping up of their real-name policy enforcement as something important for "authenticity" online. Despite this dubitable claim, Facebook was in all likelihood simply worried about protecting its financial assets, as ever.

Back in 2012, Facebook's share price plummeted after a quarterly filing with the Securities and Exchange Commission revealed that an estimated 8.7% of accounts on the platform may be fake, and 5% of active accounts were duplicates (numbers that aren't really that alarming, actually). But this backlash from investors evidently scared Facebook enough to justify intensifying its policy enforcement for accounts using pseudonyms, or suspected of being fake, presumably in an attempt to soothe shareholders.

Despite the unpopularity of these policies, the real customer for Facebook isn't its users, but its advertisers (who demand access to your data, Facebook's true product).

Advertisers want some assurance that they are paying for real humans to see their ads, otherwise this diminishes Facebook's value to them. It's important to remember that Facebook is, and has always been, an advertising company.

Despicably, Facebook even encouraged people to "snitch on [their] friends if they are not using their real name."

Please help us understand how people are using Facebook. Your response is anonymous and won't affect your friend's account. Is this your friend's real name?

This kind of prompt fosters mistrust and allows users to weaponize policies against people they simply don't like. Victims of these "report attacks" are often the most vulnerable and the most marginalized in our society. Real-name policies have nothing to do with safety, in fact, they're horrible for safety.

A decade later, Facebook still encourages and enforces its real-name policy in order to protect its most valuable asset to sell: Your personal data.

LinkedIn is another well-known platform that enforces a real-name policy.

The employment-oriented social media states in its User Agreement that "LinkedIn does not allow members to use pseudonyms, fake names, business names, associations, groups, email addresses, or special characters that do not reflect your real or preferred professional name."

It's unclear how LinkedIn would enforce or verify what is an allowed "preferred professional name."

Although this might make slightly more sense on a platform focused on employment, the policy still excludes some professionals and industries that regularly work using pseudonyms, such as performers, writers, visual artists, activists, and privacy advocates even.

Additionally, the platform uses the same colonialist discrimination as Facebook, assuming that all names worldwide are composed of "first, middle, and last names" only.

Google, Quora, and Blizzard abandoned their policies

Google made the news in 2011 when it started implementing and enforcing its own real-name policy for its (now defunct) social media platform Google+, and by proxy for YouTube accounts when Google migrated YouTube comments to a Google+ system in 2013.

The policy was largely criticized after a wave of account suspensions, where some famous accounts were banned. In July 2014, Google abandoned the policy altogether and removed restrictions on account names.

The question-answering social platform Quora also enforced a real-name policy for a long time.

Verification wasn't required, but names deemed "false" could be reported by the community. Again, this kind of reporting system facilitates abuse by allowing the weaponization of platform policies against marginalized groups.

Thankfully, Quora eliminated the requirement to use a "real" name in 2021, and now allows users to register with protective pseudonyms.

The video-game developer Blizzard Entertainment spawned strong criticism online when the company announced in 2010 that it would be implementing a real-name policy for Blizzard's forums.

Gamers were not amused. The community came together to fight back in force against the announced policy. Game magazines and forums were inundated with replies and condemnations.

At one point, a Blizzard employee trying to demonstrate that the policy "wasn't a big deal" willingly shared his real name on a public post. After this revelation, forum members started to post the employee's personal information, including his phone number, age, picture, home address, and even information related to his family members.

Other members were quick to share their own experiences and show how unsafe a real-name policy would be. Following the powerful community backlash, Blizzard decided to cancel its plan for the invasive policy.

South Korea

Despite the enforcement of the system, the number of illegal or malicious postings online has not decreased.

Terrifyingly, whole countries have enforced real-name policies online. In 2007, South Korea implemented a name registration system for internet users in compliance with the country's Information Communications Law.

The law was initially enforced in an attempt to reduce malicious comments online, but was later ruled unconstitutional and revoked in 2012.

The Constitutional Court said in its verdict that "the system does not seem to have been beneficial to the public. Despite the enforcement of the system, the number of illegal or malicious postings online has not decreased."

China

Sadly, not every country implementing such a system came to the same conclusion.

In China, the Internet real-name system obligates all internet service providers and online platforms to collect users' legal names, ID numbers, and more. This affects services such as internet access, phone service, social media, instant messaging, microblogging, and online gaming.

In 2023, large Chinese platforms announced that they would make public the legal names of any accounts with over 500,000 followers.

In July 2025, China centralized this control further with the launch of the national online identity authentication system, which requires citizens to submit their personal information in order to receive an "Internet certificate" to access online accounts.

This effectively imposes a real-name policy on all internet services in the country, and makes this information accessible at all time by the government.

The new national cyber ID system has been criticized over privacy and censorship concerns.

So far, it is not mandatory to share identity through the national online identity authentication (although services are still obligated to identity their users in other ways).

However, in a country where freedom of speech and access to information is increasingly restricted, it's easy to imagine the national real-name system could become obligatory everywhere soon.

Real-name policies don't make the web safer

It has been demonstrated again and again that real-name policies do not reduce abuse and misbehavior online, and only end up harming the most vulnerable.

Despite the evidence and failed attempts, platform owners and policymakers obstinately continue to push for the implementation of these dangerous, authoritarian systems.

Platforms will often claim these policies are to protect users from harassment, but when action is required to truly protect users they refuse to act. Facebook, the most infamous platform for enforcing its real-name policy, ranks the worst for online harassment.

So, who are these real-name policies truly protecting?

It's clear that, as is the case for other oppressive policies such as Age Verification and Chat Control, "safety" is only an excuse for people to accept what this is truly about: Corporate profit and government control.

Unfortunately, as long as these platforms' business model is to sell users' data to advertisers and other stakeholders, there is no incentive for them to protect our privacy and our right to use protective pseudonyms, as the EFF's Director of Cybersecurity Eva Galperin aptly pointed out in her talk at the HOPE conference in 2012. More data just means more money to them.

When governments impose similar invasive practices, it's a dangerous and slippery slope towards totalitarianism.

Citizens need to be able to express their views freely online and criticize their government and its leaders without fear of reprisal. Real-name policies (explicit and implicit) are only a tool for censorship, and there is no democracy and no freedom under government censorship.

Fighting against policies attacking online pseudonymity, such as real-name policies, age-verification policies, and Chat Control proposals, isn't just a banal fight to keep using silly nicknames online. It's a battle for democracy, for civil liberties, and for human rights.

What you can do about real-name policies

Choose better platforms that do not require you to share your legal name and official IDs, such as Mastodon or other platforms connected to the Fediverse.
Inform yourself on the dangers related to using legal names online, and share this information with others.
Say no to sharing official documentation with commercial platforms when it isn't strictly required and when you can avoid it.
Understand the difference between privacy, security, anonymity, and pseudonymity.
Use pseudonyms on platforms where you can. Use a pseudonym persistent across platforms if you want these accounts to be linked together for trust, or use different pseudonyms to keep them separated.
Make your voice heard! Contact your government representatives to let them know that privacy is important to you, and explain to them that pseudonymity is essential for safety, democracy, and free speech online. Complain against platforms using these invasive and exclusionary practices. Citizen action matters, and abusive policies can be reversed.

Remember that pseudonymity isn't anonymity

Keep in mind that only using a pseudonym isn't enough to make you anonymous online. There are many other ways to tie an identity together, such as IP addresses, browser fingerprinting, photo comparison, facial recognition, and so on and so forth. Pseudonymity is a great practice to improve your privacy and safety online, but alone it does have limitations.

What is Differential Privacy?

fria — Tue, 30 Sep 2025 16:27:09 +0000

What is Differential Privacy?

Image: Privacy Guides / Jordan Warne

Is it possible to collect data from a large group of people but protect each individual's privacy? In this entry of my series on privacy-enhancing technologies, we'll discuss differential privacy and how it can do just that.

Problem

It's useful to collect data from a large group of people. You can see trends in a population. But it requires a lot of individual people to give up personally identifiable information. Even things that seem innocuous like your gender can help identify you.

Latanya Sweeney in a paper from 2000 used U.S. Census data to try and re-identify people solely based on the metrics available to her. She found that 87% of Americans could be identified based on only 3 metrics: ZIP code, date of birth, and sex.

Obviously, being able to identify individuals based on publicly available data is a huge privacy issue.

History

Before Differential Privacy

Being able to collect aggregate data is essential for research. It's what the U.S. Census does every 10 years.

Usually we're more interested in the data as a whole and not data of individual people as it can show trends and overall patterns in groups of people. However, in order to get that data we must collect it from individuals.

It was thought at first that simply removing names and other obviously identifying details from the data was enough to prevent re-identification, but Latanya Sweeney (a name that will pop up a few more times) proved in 1997 that even without names, a significant portion of individuals can be re-identified from a dataset by cross-referencing external data.

Previous attempts at anonymizing data have relied on been highly vulnerable to re-identification attacks.

AOL Search Log Release

A famous example is the AOL search log release. AOL had been logging its users searches for research purposes. When they released the data, they only replaced the users' real names with an identifier. Researchers were able to identify user 4417749 as Thelma Arnold based on the identifying details of her searches.

Strava Heatmap Incident

In 2018, the fitness app Strava announced a major update to its heatmap, showing the the workout patterns of users of fitness trackers like Fitbit.

Analyst Nathan Ruser indicated that these patterns can reveal military bases and troop movement patterns. This is obviously a huge op-sec problem and can endanger the lives of troops.

It was also possible to deanonymize individual users in some circumstances.

Randomized Response

One of the earliest ideas for anonymizing data was randomized response, first introduced all the way back in 1965 in a paper by Stanley L. Warner. The idea behind it is quite clever.

For certain questions like "have you committed tax fraud?" respondents will likely be hesitant to answer truthfully. The solution? Have the respondent flip a coin. If the coin is tails, answer yes. If the coin lands on heads, answer truthfully.

Respondent	Answer	Coin Flip (not included in the actual dataset just here for illustration)
1	Yes	Tails (Answer Yes)
2	No	Heads (Answer Truthfully)
3	Yes	Tails (Answer Yes)
4	Yes	Tails (Answer Yes)
5	No	Heads (Answer Truthfully)

Because we know the exact probability that a "Yes" answer is fake, 50%, we can remove it and give a rough estimate of how many respondents answered "Yes" truthfully.

Randomized Response would lay the groundwork for differential privacy, but it wouldn't truly be realized for many decades.

Unrelated Question Randomized Response

A variation used later in a paper by Greenberg et al. called unrelated question randomized response would present each respondent with either a sensitive question or a banal question like "is your birthday in January?" to increase the likelihood of people answering honestly, since the researcher doesn't know which question was asked.

Respondent	Question (not visible to researcher)	Answer
1	Have you ever committed tax evasion?	No
2	Is your birthday in January?	Yes
3	Is your birthday in January?	No
4	Have you ever committed tax evasion?	Yes
5	Have you ever committed tax evasion?	No

k-Anonymity

Latanya Sweeney and Pierangela Samarati introduced k-anonymity to the world back in 1998.

It's interesting that even all the way back in 1998 concerns constant data collection were already relevant.

Most actions in daily life are recorded on some computer somewhere. That information in turn is often shared, exchanged, and sold. Many people may not care that the local grocer keeps track of which items they purchase, but shared information can be quite sensitive or damaging to individuals and organizations. Improper disclosure of medical information, financial information or matters of national security can have alarming ramifications, and many abuses have been cited.

In a dataset, you might have removed names and other obviously identifying information, but there might be other data such as birthday, ZIP code, etc., that might be unique to one person in the dataset. If someone were to cross-reference this data with outside data, it could be possible to deanonymize individuals.

k-anonymity means that for each row, at least k-1 other rows are identical. So for a k of 2, at least one other row is identical to each row.

Generalization

This is achieved through a few techniques, one of which is generalization. Generalization is reducing the precision of data so that it's not as unique.

For example, instead of recording an exact age, you might give a range like 20-30. You've probably noticed this on surveys you've taken before. Data like this that's not directly identifiable but could be used to re-identify someone is referred to as quasi-identifiers.

Suppression

Sometimes even with generalization, you might have outliers that don't satisfy the k-anonymity requirements.

In these cases, you can simply remove the row entirely.

Attacks on k-Anonymity

k-anonymity has been demonstrated to not prevent re-identification of individuals despite the data in a dataset being properly k-anonymized by "statistical experts".

Researchers were able to deanonymize 3 students from a k-anonymized dataset from Harvard and MIT's EdX platform by cross-referencing data from LinkedIn, putting potentially thousands of students at risk of re-identification.

Dawn of Differential Privacy

Most of the concepts I write about seem to come from the 70s and 80s, but differential privacy is a relatively new concept. It was first introduced in a paper from 2006 called Calibrating Noise to Sensitivity in Private Data Analysis.

The paper introduces the idea of adding noise to data to achieve privacy, similar to randomized response. However, differential privacy is much more mathematically rigorous and provable.

Of course, adding noise to the dataset reduces its accuracy. Ɛ defines the amount of noise added to the dataset, with a small Ɛ meaning more privacy but less accurate data and vice versa. It's also referred to as the "privacy loss parameter" or "privacy budget".

Central Differential Privacy

This early form of differential privacy relied on adding noise to the data after it was already collected, meaning you still have to trust a central authority with the raw data.

Google RAPPOR

In 2014, Google introduced Randomized Aggregatable Privacy-Preserving Ordinal Response (RAPPOR), their open source implementation of differential privacy.

Google RAPPOR implements and builds on previous techniques such as randomized response and adds significant improvements on top.

Local Differential Privacy

In Google's implementation, noise is added to data on-device before it's sent off to any server. This removes the need to trust the central authority to handle your raw data, an important step in achieving truly anonymous data collection.

Bloom Filters

Google RAPPOR makes use of a clever technique called bloom filters that saves space and improves privacy.

Bloom filters work by starting out with an array of all 0's

[0, 0, 0, 0, 0, 0, 0, 0, 0]

Then, you run data such as the word "apple" through a hashing algorithm, which will give 1's in specific positions, say position 1, 3, and 5.

[0, 1, 0, 1, 0, 1, 0, 0, 0]

When you want to check if data is present, you run the data through the hashing algorithm and check if the corresponding positions are 1's. If they are, the data might be present (other data might have flipped those same bits at some point). If any of the 1's are 0's, then you know for sure that the data is not in the set.

Permanent Randomized Response

A randomization step is performed flipping some of the bits randomly. This response is then "memoized" so that the same random values are used for future reporting. This protects against an "averaging" attack where an attacker sees multiple responses from the same user and can eventually recover the real value by averaging them out over time.

Instantaneous Randomized Response

On top of the permanent randomized data, another randomization step is performed. This time, different randomness is added on top of the permanent randomness so that every response sent is unique. This prevents an attacker from determining a user from seeing the same randomized pattern over and over again.

Both the permanent and instantaneous randomized response steps can be fine-tuned to for the desired privacy.

Chrome

Google first used differential privacy in their Chrome browser for detection of malware.

Differential privacy is also used in Google's Privacy Sandbox.

Maps

Google Maps uses DP for its place busyness feature, allowing Maps to show you how busy an area is without revealing the movements of individual people.

Google Fi

Google Fi uses differential privacy as well to improve the service.

OpenDP

OpenDP is a community effort to build open source and trustworthy tools for differential privacy. Their members consist of academics from prestigious universities like Harvard and employees at companies like Microsoft.

There's been an effort from everyone to make differential privacy implementations open source, which is a breath of fresh air from companies that typically stick to closed source for their products.

Apple

Apple uses local differential privacy for much of its services, similar to what Google does. They add noise before sending any data off device, enabling them to collect aggregate data without harming the privacy of any individual user.

They limit the number of contributions any one user can make via a privacy budget (this is the same as Ɛ) so you won't have to worry about your own contributions being averaged out over time and revealing your own trends.

This allows them to find new words that people use that aren't included by default in the dictionary, or find which emojis are the most popular.

Some of the things they use differential privacy for include

QuickType suggestions
Emoji suggestions
Lookup Hints
Safari Energy Draining Domains
Safari Autoplay Intent Detection
Safari Crashing Domains
Health Type Usage

That's just based on their initial white paper, they've likely increased their use of DP since then.

Sketch Matrix

Apple uses a similar method to Google, with a matrix initialized with all zeros. The input for the matrix is encoded with the SHA-256 hashing algorithm, and then bits are flipped randomly at a probability dependent on the epsilon value.

Apple only sends a random row from this matrix instead of the entire thing in order to stay within their privacy budget.

See What's Sent

You can see data sent with differential privacy in iOS under Settings > Privacy > Analytics > Analytics Data, it will begin with DifferentialPrivacy. On macOS, you can see these logs in the Console.

U.S. Census

Differential privacy isn't just used by big corporations, in 2020 famously the U.S. Census used DP to protect the data of U.S. citizens for the first time.

As a massive collection of data from numerous U.S. citizens, it's important for the census bureau to protect the privacy of census participants while still preserving the overall aggregate data.

Impetus

Since the 90s, the U.S. Census used a less formal injection of statistical noise into their data, which they did all the way through 2010.

After the 2010 census, the bureau tried to re-identify individuals in the census data.

The experiment resulted in reconstruction of a dataset of more than 300 million individuals. The Census Bureau then used that dataset to match the reconstructed records to four commercially available data sources, to attempt to identify the age, sex, race, and Hispanic origin of people in more than six million blocks in the 2010 Census.

Considering 309 million people lived in the U.S. in 2010, that's a devastating breach of personal privacy. Clearly more formal frameworks for protecting the privacy of individuals were needed.

Nationwide, roughly 150 million individuals—almost one-half of the population, have a unique combination of sex and single year of age at the block level.

They could keep adding noise until these attacks are impossible, but that would make the data nigh unusable. Instead, differential privacy offers a mathematically rigorous method to protect the data from future re-identification attacks without ruining the data by adding too much noise. They can be sure thanks to the mathematical guarantees of DP.

DPrio

Mozilla has been constantly working to make their telemetry more private over the years. Firefox uses Prio, a Distributed Aggregation Protocol-based telemetry system. It uses Multi-Party Computation to split the processing of user data between multiple parties.

To accomplish this, Mozilla partnered with Divvi Up as their DAP provider, and Fastly as their OHTTP provider. OHTTP acts as a multi-hop proxy to separate traffic between two parties when making a connection: neither Mozilla nor Fastly will know both who you are and what you're connecting to.

In 2023 researchers from Mozilla also conducted research into making Prio differentially private. The so-named "DPrio" would combine multi-party computation, OHTTP, and differential privacy in a very impressive display of privacy protection. Unfortunately I couldn't find any evidence to suggest that DPrio has been implemented, but something to keep a lookout for in the future.

Future of Differential Privacy

Differential privacy unlocks the potential for data collection with minimal risk of data exposure for any individual. Already, DP has allowed for software developers to improve their software, for new possibilities in research in the health sector and in government organizations.

Adoption of scientifically and mathematically rigorous methods of data collection allows for organizations to collect aggregate data will allow for increased public trust in organizations and subsequently greater potential for research that will result in improvements to our everyday lives.

I think for there to be more public trust there needs to be a bigger public outreach. That's my goal with this series, I'm hoping to at least increase awareness of some of the technology being deployed to protect your data, especially since so much of the news we hear is negative. Armed with the knowledge of what's available, we can also demand companies and organizations use these tools if they aren't already.

It's heartening to see the level of openness and collaboration in the research. You can see a clear improvement over time as each paper takes the previous research and builds on it. I wish we saw the same attitude with all software.

Further Research

Any programmers interested in learning how to implement differential privacy can check out the book Programming Differential Privacy to see Python examples.

What is Multi-Party Computation?

fria — Tue, 30 Sep 2025 16:27:09 +0000

What is Multi-Party Computation?

Illustration: Jordan Warne / Privacy Guides

We know how to secure data in storage using E2EE, but is it possible to ensure data privacy even while processing it server-side? This is the first in a series of articles I'll be writing covering the privacy-enhancing technologies being rolled out.

History

In a seminal paper called "Mental Poker" by Adi Shamir, Ronald L. Rivest, and Leonard M. Adleman from 1979, the researchers attempt to demonstrate a way of playing poker over a distance using only messages and still have it be a fair game.

To explain, fan favorites Alice and Bob will make a return. First, Bob encrypts all the cards with his key, then sends them to Alice. Alice picks five to deal back to Bob as his hand, then encrypts five with her own key and sends those to Bob as well. Bob removes his encryption from all ten cards and sends Alice's cards back to her.

Notice that Bob needs to be able to remove his encryption after Alice has applied hers. This commutative property is important for the scheme to work.

This early scheme is highly specialized for this task and not applicable to different situations.

Secure Two-Party Computation

Alice and Bob have struck it rich! They're both millionaires, but they want to be able to see who has more money without revealing exactly how much they have to each other.

Luckily, we can use Multi-Party Computation (MPC) to solve this "Millionaire's Problem," using a method invented by Andrew Yao called garbled circuits. Garbled circuits allow us to use MPC for any problem as long as it can be represented as a boolean circuit, i.e. a set of logic gates such as AND OR XOR etc.

Garbled Circuits

We can split the two parties into an "Evaluator" and a "Generator". The Generator will be responsible for setting up the cryptography that'll be used, and the Evaluator will actually perform the computation.

We start by making the truth table for our inputs. In order to hide the values of the truth table, we assign each input a different label. Importantly, we need to assign a different label for each input, so 1 will not be represented by the same label for each. We also need to shuffle the order of the rows, so the values can't be inferred from that.

We can still tell what the value is based on knowing the type of logic gate. For example, an AND gate would only have one different output, so you could infer that output is 1 and the others are 0. To fix this, we can encrypt the rows using the input labels as keys, so only the correct output can be decrypted.

We still have a problem, though: how can the Evaluator put in their inputs? Asking for both labels would allow them to decrypt more than one output, and giving their input would break the whole point. The solution is something called "Oblivious Transfer".

The solution is for the Evaluator to generate two public keys, one of which they have the private key for. The Generator encrypts the two labels for the Evaluator's inputs using the provide public keys and sends them back. Since the Generator only has a private key for one of the labels, they will decrypt the one they want. The Generator puts the labels in order so that the Evaluator can choose which one they want to decrypt. This method relies on the Evaluator not to send multiple keys that can be decrypted. Because some trust is required, this protocol is considered "semi-honest".

There's a good explainer for Yao's garbled circuits here if you're interested in a step-by-step walkthrough.

Birth of Multi-Party Computation

Multi-Party Computation was solidified with the research of Oded Goldreich, Silvio Micali, and Avi Wigderson and the GMW paradigm (named after the researchers, similar to how RSA is named).

More Than Two Parties

Yao's protocol was limited to two parties. The GMW paradigm expanded the protocol to be able to handle any number of parties and can handle actively malicious actors as long as the majority are honest.

The GMW paradigm relies on secret sharing which is a method of splitting private information like a cryptographic key into multiple parts such that it will only reveal the secret if the shares are combined. The GMW protocol uses additive secret sharing, which is quite simple. You come up with a secret number, say 123, and you split it up into however many other numbers you want.

99 + 24 = 123

You distribute each number to a participant and add them all together to get the original secret. While simple, it doesn't play well with multiplication operations.

Zero-Knowledge Proofs

The GMW paradigm introduced protections against malicious adversaries, powered by zero-knowledge proofs (ZKP). ZKP allow one party to convince another party a statement is true without revealing any other information than the fact that the statement is true. The concept of ZKP was first introduced in a paper from 1985 by Shafi Goldwasser, Silvio Micali, and Charles Rackoff.

A humorous paper titled How to Explain Zero-Knowledge Protocols to Your Children gives a storybook explanation of how they work (who says academic papers can't be fun?).

The main crux revolves around probability: if a party knows the proper way to get a result, they should be able to reliably get the correct answer.

To borrow the cave explanation, imagine Alice and Bob have taken up cave exploration. They've found a cave in the shape of a loop with a magic door connecting each entrance together and Alice claims to know how to open it. However, she doesn't want Bob to know the secret to open the door.

Alice, acting as the "Prover" goes into the cave. Bob, the "Verifier", stays outside and yells which side of the cave Alice should come out of. They repeat this many times. If Alice can reliably make it out of the correct side of the cave, then she must know how to open the magic door.

BGW Protocol

While the GMW protocol was a huge leap forward for MPC, there were still huge limitations. The garbled circuit protocol is limited to boolean logic gates which makes implementing many different common operations much more difficult. It also requires communication for every single gate, which is highly inefficient.

The researchers Michael Ben-Or, Shafi Goldwassert, and Avi Wigderson in their paper Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation made several advancements in the efficiency and robustness of MPC, moving it closer to being practical to use in the real world.

Arithmetic Circuits

Instead of boolean circuits, the BGW protocol uses arithmetic circuits. These allow for easier mathematical operations like multiplication and addition instead of being limited to logic gates on individual bits. This makes a huge difference in the amount of communication between parties and thus the efficiency of the protocol.

The BGW protocol utilizes Shamir's Secret Sharing, which relies on polynomials instead of addition. This allows for more efficiency in multiplication and allows for setting a threshold where only a certain number of shares need to be present in order to reconstruct the secret.

Less Communication

The BGW protocol doesn't require as much communication between parties, partly thanks to its use of Shamir's secret sharing which works well with arithmetic operations.

Additionally, it doesn't require Oblivious Transfer or zero-knowledge proofs. Its use of Shamir's secret sharing and error correction codes instead provides the same properties in a more efficient way.

Fairplay

The field was further advanced by the introduction of the Fairplay system.

Up until this paper, MPC was limited to boolean circuits or arithmetic circuits: not exactly friendly if you're a programmer that's used to using higher level languages. Fairplay introduces a compiler, SFDL, which can compile higher level languages to boolean circuits and then securely computes the circuit.

Fairplay also brings some advancements in efficiency. It utilizes constant rounds, with a fixed 8 rounds, reducing the communication overhead. It also uses the free XOR technique so that encryption operations don't have to be performed on XOR gates, improving efficiency.

Real-World Usage

As MPC saw gradual optimizations and improvements, it grew from an interesting thought experiment to something that could have real-world uses.

Danish Sugar Beet Auction

The first instance of MPC being used in a real-world scenario wouldn't occur until 2008.

Denmark's sugar beet industry faced a problem: with the EU significantly reducing its financial support for sugar beet production, they needed to figure out what price the thousands of sugar beet farmers were willing to sell at, and which price the company that bought all the sugar beets would be willing to buy them at, a so-called "double auction" where the buyer and seller figure out the market clearing price, or the price at which demand meets supply most effectively.

But who should be in charge of the auction? Farmers don't want to trust Danisco with their bids as it reveals information about each individual farmer's business. The farmers can't be in charge of it because they don't trust each other. They could use an external consulting firm, but then the entire operation would rely on that one firm's confidentiality and the reliability of their tools.

The solution was to use a "virtual auctioneer" that relied on MPC to fairly carry the auction out.

It relied on three servers, with one representing each party: Danisco, DKS (the Danish sugar beet growers association), and The SIMAP project (Secure Information Management and Processing, a project sponsored by the Danish National Research Agency).

The solution was so successful that it was used every year until 2015 when it was no longer needed. A survey of the farmers found that the vast majority found the system simplified the process of trading contracts and that they were satisfied with the level of confidentiality it provided.

The first test run of MPC was a massive success and the potential was now proven.

The Boston Women's Workforce Council

In 2016, the Boston Women's Workforce Council worked with 69 companies to investigate if women are paid the same as men.

Using MPC, the companies were able to process their data without revealing the actual wages of any employees. The wage data of 112,600 employees was collected, representing about 11% of the Greater Boston workforce.

You can read their detailed findings in the report, but they found that women were indeed being paid less than men: 77 cents for every dollar a man makes on average.

It was reported in 2023 that thanks to this data, the Boston Women's Workforce Council was able to reduce the wage gap by 30%.

Allegheny County

In 2018, Allegheny County Department of Human Services partnered with the Bipartisan Policy Center to implement MPC, allowing for private and secure sharing of county data on services to the homeless, behavioral health services, causes and incidence of mortality, family interventions, and incarceration.

The experiment was considered a success, with a recommendation from the U.S. Commission on Evidence-Based Policymaking to further explore the use of MPC.

MPC Today

Today, the MPC Alliance represents a collective of companies that have come together to advance the use of MPC.

MPC is used for everything from cryptocurrency to HIPAA-compliant medical uses. There are ongoing efforts to standardize it from organizations like NIST, although it's a difficult proposition due to the sheer variation in MPC protocols and use cases.

There's been research into using MPC for secure and verifiably fair electronic voting, something that's much needed as countries move toward electronic voting. It's important to not completely dismiss the march of technology, but these things should be implemented with the utmost caution and scientific rigor. I feel that implementing black-box electronic voting without open and provably secure technologies like MPC is irresponsible and endangers elections.

MPC acts as an essential privacy tool in the toolbox. It intersects with other PETs like homomorphic encryption, a method of encrypting data in such a way that operations can still be performed on it without revealing the unencrypted data.

MPC is just one tool among many that's reshaping the privacy landscape. I'm excited to see how it's used in the future and what new advancements it unlocks.

Age Verification Wants Your Face, and Your Privacy

Em — Thu, 25 Sep 2025 04:09:21 +0000

Age Verification Wants Your Face, and Your Privacy

Photo: Kyle Glenn / Unsplash

Age verification laws and propositions forcing platforms to restrict content accessed by children and teens have been multiplying in recent years. The problem is, implementing such measures necessarily requires identifying each user accessing this content, one way or another. This is bad news for your privacy.

For a few years now, several legislators in North America, Europe, and Australia have expressed concern about children and teens accessing certain types of content online. While there is no doubt some online content can be worrisome, implementing a technological solution for this is extremely problematic.

By mandating platforms to be legally responsible to verify a user's age, regulators effectively force them to identify each user requesting access to content deemed inappropriate under a certain age threshold.

If these regulations continue to proliferate, this could lead to the end of pseudonymity online.

How can age be verified online

Verifying age online is difficult. There isn't any magical solution to it, it's either recording how a user looks or scanning official documents.

Conducting verification "on-device" offers only few additional protections considering this information still has to be checked and reported with an external service, somehow.

Moreover, processes used to keep this data "on-device" are often opaque. Taking into account how valuable this information is, it becomes very difficult to trust any for-profit third-party services which such a sensitive task.

Users' faces and official documents are two types of very sensitive information. Who becomes responsible to collect, process, store, and safeguard this data? With whom does this data get shared, and for which other purposes? And how accurate is this data anyway?

Facial scans

Some platforms and third-party providers of the rapidly growing "identity verification industry" have started to use facial recognition and face scan systems in order to determine a user's age.

The problem is, the systems are horrible for everyone's privacy, extremely problematic to use due to racist and gendered biases, inaccurate to determine the correct age, and on top of all that, can be cheated.

Official documents

The second solution is to require users to provide an official piece of ID. Considering an official ID often contain a photo, full legal name, date of birth, home address, and government specific codes, this is even worse.

All this sensitive data then gets collected by either the platform itself or a third-party provider with little oversight or incentive to protect this data at all. Leaks and breaches for this enormous data trove are just around the corner. Unfortunately, this isn't speculative, data leaks have already occurred.

The more copies of your official documents exist online, the greater the risk this data will get exposed, and the less value this document has to actually identify you when it's truly needed.

And again, this sort of verification is easy to cheat. Any determined teenager will soon learn how to either create a fake ID, use someone else's ID, or go around this verification system in another way.

Age verification laws will without a doubt support a flourishing criminal industry to provide fake or stolen IDs even more easily online.

Where age verification is (or will be) required

In April this year, Discord started to test age verification systems using facial or ID scans, as a way to comply with Australia's and UK's new laws.

This measure only applies to access certain protected posts for users located in Australia and the United Kingdom and at this time, but don't be surprised if it soon gets implemented at the account level for users everywhere.

In the United States, many states have already passed some types of age verification laws, and several others have proposed such laws. In Canada and Europe, legislators have also been pushing for similar regulations to block content online subject to age verification.

There is no doubt the more countries pass similar prohibitive laws, the more other countries will soon follow.

Some hope however, this month a US federal judge ruled an age verification law in Arkansas unconstitutional.

Who decides what is sensitive content

When talking about age verification, most assume this only applies to obvious pornographic content. However, many of these laws have much wider reach.

For example, the Australian law prohibits access to social media altogether for anyone under the age of 16. This means that, once the law comes into full effect after its transitional period, anyone who uses social media in Australia will have to prove they are older than this age. It is likely that all Australian users will have to provide some form of identifying data to continue using their social media accounts. This is a privacy nightmare.

When laws target specific content, definition of what is appropriate and what isn't is often too broad. Moreover, this definition is subject to change from one administration to another.

There are also wide differences from one country to another. For example, some countries sadly consider simple discussions of gender identity or sexual orientation to be sensitive content. What is deemed inappropriate to children in one culture might not be the same in another.

Automating this sort of censorship leads to a lot of misfiring. There has already been numerous instances of breastfeeding photos mislabelled for nudity. Important educational material for sex education could get censored and inaccessible to children, who critically need access to it before adulthood.

Who will decide which content should be censored and which shouldn't? Will countries hosting the big tech platforms end up having a greater decision power in the matter? Will platforms simply decide to apply the strongest level of restriction worldwide?

Age verification isn't effective

Even if we could somehow find a global consensus that is perfectly ethical and never misfires on which content children shouldn't access, it will likely fail.

Children, and teenagers especially, are and have always been incredibly effective at going around such limitation to feed their curious minds.

First, there are technical tools such as VPNs and proxies of all sort to go around location-based restrictions. Then, there's the classic fake ID, and its modern evolution: deepfake face. There will also be without a doubt a growing market of pre-verified "adult" accounts up for sale online.

Perhaps age verification measures will work for a couple of months, until products to evade it get the word out, then they'll become useless. Only leaving the ashes of your social media legal consenting adult pseudonymity in its path.

Why it's bad news for everyone's privacy

Age verification will require all platforms and/or third-party identification service providers to collect an enormous trove of sensitive data on everyone.

This goes against all principles of data minimization, generally a vital part of data protection regulations.

Daily occurrences of data breach incidents have taught us we cannot trust these services to safeguard our data. Data breaches for this sensitive information are only a matter of time.

The concentration of such valuable data will likely be monetized and resold either by the platforms themselves, by the for-profit third-party "age assurance" providers they use, or eventually by the criminals who stole it from them.

This data trove will include face scans of children with their location (trying to pass as adults), and faces and official documents from every adult in the world using social media, if this kind of regulation gets implemented at large.

The privacy and safety implications of this are absolutely disastrous.

Age verification is not the solution

Sadly, age verification legislation will not help safeguard children from harmful content online, but it will effectively remove protection for anyone needing pseudonymity online to stay safe. Moreover, it will put everyone at a much greater risk of victimization by identify theft, impersonation, stalking, and worse.

Despite the perhaps well-intended legislators, technological solutions aren't always adequate to solve every problem we have. Here again, education and content moderation are likely much better ways to deal with this sort of issues.

In the meantime, don't be surprised if you cross a teenager on the street suddenly pointing their phone to scan your adult face, or a young relative looking in your wallet. They probably won't be looking for your money, but most likely for your adult ID.

Encryption Is Not a Crime

Em — Thu, 25 Sep 2025 04:09:21 +0000

Encryption Is Not a Crime

Photo: Matt Artz / Unsplash

Contrary to what some policymakers seem to believe, whether naively or maliciously, encryption is not a crime. Anyone asserting encryption is a tool for crime is either painfully misinformed or is attempting to manipulate legislators to gain oppressive power over the people.

Encryption is not a crime, encryption is a shield.

Encryption is the digital tool that protects us against all sorts of attacks. It is the lock on your digital door preventing harmful intruders from entering your home. Encryption is also the door itself, protecting your privacy and intimacy from creepy eavesdroppers while you go about your life.

It's not a crime to lock your home's door for protection, why would it be a crime to lock your digital door?

Encryption protects you from cyberattack, identity theft, discrimination, doxxing, stalking, sexual violence, physical harm, and much more.

Who says encryption is a crime

Anyone who is well-informed will find it hard to believe someone could want to sabotage such fantastic protection.

Yet, year after year, oppressive regimes and lazy or greedy law enforcement entities around the world have attempted to undermine encryption using the pretext this is needed to "solve crime", despite all the experts repeatedly warning on how unnecessary and dangerous this would be. And this is without accounting for all the countries where encryption is already severely restricted, such as Russia, China, India, Iran, Egypt, Cuba, and others.

Whether breaking encryption is brought up naively by misinformed authorities, or as a disguised excuse for mass surveillance is up for debate.

Nevertheless, the result is the same: An attempt to destroy a tool we all need to stay safe.

Encryption is a protective shield

Encryption, moreover end-to-end encryption, is a tool we all use in our digital life to stay safe.

In today's world, the boundary between online and offline life is largely dissolved. Almost everything we do "offline" has a record of it "online". Online life is regular life now. It's not just your browsing history.

Your medical record from a visit at the clinic, your purchase transaction from a trip to the store, your travel photos saved in the cloud, your text conversations with your friends, family, and children, are all likely protected with encryption, perhaps even with end-to-end encryption.

Such a large trove of personal data needs to be protected against eavesdropping and malicious attacks for everyone to stay safe.

Encryption offers this protection. End-to-end encryption all the more.

What is end-to-end encryption, and what is the war against it

End-to-end encryption is a type of encryption where only the intended recipient(s) have the ability to decrypt (read) the encrypted data.

This means that if you send a message through Signal for example, only the participants to this conversation will be able to read the content of this conversation. Even Signal cannot know what is being discussed on Signal.

This greatly annoys some over-controlling authorities who would like to be granted unlimited power to spy on anyone anytime they wish, for vaguely defined purposes that could change at any moment.

End-to-end encryption can also mean a situation where you are "both ends" of the communication.

For example, when enabling Apple's Advanced Data Protection for iCloud (ADP), it activates end-to-end encryption protection for almost all of iCloud data, including photos. This means that even Apple could not see your photos, or be forced to share your photos with a governmental entity.

Without ADP, Apple can read or share your photos (or other data) if they are legally compelled to, or if they feel like it. The same is true for Google's services, Microsoft's services, and any other online services that aren't end-to-end encrypted.

This is at the root of the latest attack on encryption:

In February this year, it was reported that Apple was served with a notice from the UK's Home Office to force it to break ADP's end-to-end encryption. In response, Apple removed access to ADP from the UK entirely, making this protection unavailable to UK residents.

Do not mistakenly think this attack is limited to the UK and Apple users, however. If this regulation notice or a similar one gets enforced, it would impact the whole world. Other countries would likely soon follow, and other services would likely soon get under attack as well.

Moreover, do not feel unaffected just because you use end-to-end encryption with Signal or Proton services instead of Apple, they are both under attack as well in this war.

Just in recent years, the war against encryption has affected the US, the UK, Sweden, France, Australia, New Zealand, Canada, India, Japan, and all the European Union countries with proposals such as Chat Control.

The arguments given to break encryption make no sense

Authoritarian entities generally use the same populist excuses to justify their senseless demands. "Protecting the children" is always a fashionable disingenuous argument.

Because no one would disagree that protecting the children is important, it is often used as an attempt to deceitfully make an irrefutable argument to justify breaking encryption.

The problem is, breaking encryption doesn't protect the children, it endangers them.

When law enforcement officials claim they need to be able to read everyone's messages and see everyone's personal photos to be able to fight child predators, they seem to neglect that:

This means they will expose the children's messages, contact information, locations, and photos in the process, potentially endangering the children further.
Exposing everyone's data will make this data much more likely to be found and exploited by criminals, making everyone more vulnerable to attacks.
Predators will simply move to underground channels, unbothered.

They use the same kind of deceptive argument trying to justify weakening the protections we have to supposedly catch "criminals" and "terrorists".

Of course the exact definition of what is a "criminal" or a "terrorist" is always vague and subject to change. In the past, human rights activists and authoritarian regime dissidents have been labeled as such, climate change activists as well, LGBTQ+ people even in some countries. Maybe next year this label will include "DEI advocates", who knows where they draw the line and what can be considered a "criminal" worth spying on.

You cannot remove everyone's right to privacy and protection from harm while pretending it is to protect them. No one who is well-informed and well-intended could possibly consider this a smart thing to do.

An attack on end-to-end encryption isn't an attack on criminals, it's an attack on all of us.

Magical backdoor only for "the good guys" is a complete fantasy

Let's say the strategy is akin to creating a MagicalKey that unlocks every door (a magical key because thinking encryption backdoors would only be used by "the good guys" is a great example of magical thinking).

Imagine, for the sake of this exercise, the MagicalLock for this MagicalKey is impossible to pick, and imagine only police officers have MagicalKeys. Let's say one thousand police officers each have a MagicalKey.

They argue they need to be able to unlock anyone's door if they suspect a crime is happening inside. "It's for safety!"

Overtime, let's say only 1% of the police officers accidentally lose their MagicalKey. This kind of things happen. Now 10 MagicalKeys are lost in the wild and could be used by anyone else, for any purposes, including crime.

Then, let's say only 0.1% of police officers get corrupted by a crime gang. That's just one right? This corrupted "good guy" lets the gang create a double of the MagicalKey. Which crime gang wouldn't want a key that can magically open any door? They pay the police officer good money for this. It's an investment.

Now, the gang creates doubles of the MagicalKey they have. They obfuscate its serial number, so it cannot be traced back to them. They use it subtly at first to avoid detection. They make sure they never leave traces behind, so victims have no idea their door got unlocked.

During this time, they steal your data, they sell it, they use it to impersonate you, they use it to harm you and your loved ones.

Then, another criminal figures out on their own how to emulate a MagicalKey without even having access to one. The criminal creates a reproducible mold for this Emulated-MagicalKey and sells it to other criminals on the criminal market. Now, the MagicalKey™️ is available to any criminals looking for it. Restrictions on the backdoor are off. Your personal data is up for grabs.

This is what is going to happen if backdoors are implemented in end-to-end encryption. But don't worry they say, "it's only for the good guys!".

At least, the criminals' data will also be up for grabs, right?

Nope! The criminals knew about this, so they just started using different channels that weren't impacted. Criminals will have their privacy intact, they don't care about using illegal tools, but your legal privacy protections will be gone.

Backdoored end-to-end encryption isn't end-to-end anymore, it's just open-ended encryption. This offers pretty much no protection at all.

Ignoring experts doesn't make facts disappear

Where is the opposition to this? Where are the experts pushing against this nightmare? Everywhere.

Thankfully, opposition has been strong, despite the relentless ignorance or malevolence from authoritarian authorities repeatedly pushing against encryption.

Many people and groups have been fighting valiantly to defend our collective right to privacy and security. Countless experts have patiently taken the time to explain again and again and again how an encryption backdoor only for "the good guys" is simply impossible.

Weakening encryption to let "the good guys" enter, lets anyone enter, including criminals. There is no way around this.

Seemingly ignoring warnings and advice from the most respected specialists in the field, authoritarian officials continue to push against encryption. So much so that it has become difficult to assume good intent misguided by ignorance at this point.

Unfortunately, ignoring the experts or silencing the debate will not make the facts magically disappear.

In an encouraging development this week, Apple won a case fighting an attempt from the UK Home Office to hide from the public details of their latest attack on encryption.

This battle and all battles to protect our privacy rights, must be fought is broad daylight, for all to see and to support.

Fight for encryption rights everywhere you can

The war against encryption isn't anything new, it has been happening for decades. However, the quantity of data, personal and sensitive data, that is collected, stored, and shared about us is much larger today. It is essential we use the proper tools to secure this information.

This is what have changed, and what is making encryption and end-to-end encryption even more indispensable today.

Mass surveillance will not keep us safe, it will endanger us further and damage our democracies and freedoms in irreparable ways.

We must fight to keep our right to privacy, and use of strong end-to-end encryption to protect ourselves, our friends, our family, and yes also to protect the children.

How can you support the right to encryption?

Use end-to-end encryption everywhere you can.
Talk about the benefits of end-to-end encryption to everyone around you, especially your loved ones less knowledgeable about technology. Talk about how it is essential to protect everyone's data, including the children's.
Use social media to promote the benefits of end-to-end encryption and post about how it protects us all.
Write or call your government representatives to let them know you care about end-to-end encryption and are worried about dangerous backdoors or chat control proposals.
Support organizations fighting for encryption, such as:

Finally, have a look at our recommendations if you want to start using more tools protecting your privacy using end-to-end encryption.

This is a long war, but the importance of it doesn't allow us to give up.

We must continue fighting for the right to protect our data with end-to-end encryption, we owe it to ourselves, our loved ones, and the future generations.

The Importance of Data Privacy For The Queer Community

Em — Thu, 25 Sep 2025 04:09:21 +0000

The Importance of Data Privacy For The Queer Community

Illustration: Em / Privacy Guides | Photo: Chris Robert / Unsplash

Data privacy is important for everyone. But for some marginalized populations, data privacy is indispensable for social connection, access to information, and physical safety. For Pride month this year, we will discuss topics at the intersection of data privacy and experiences specific to the LGBTQ+ community.

While it's difficult to get a complete estimate on this, due to fear of discrimination and other factors, a 2021 survey conducted by Ipsos in 27 countries revealed that only 80% of the population surveyed identified as heterosexual. Additionally, about 1% of adults identified as a gender different from the one they were assigned at birth. This percentage is even higher for Gen Z and Millennials.

In the United States alone, it's estimated there are 20 million adults who are part of the LGBTQ+ community. That's a lot of people!

Despite the progress of the past decades, the queer population still faces many challenges to being free and safe from discrimination.

Discrimination online, at work, at school, at the national or even the familial level, can put LGBTQ+ individuals in dangerous situations, where data privacy may be the only shield available for protection.

In this context, it's essential for the queer community to be well-informed on the tools and practices that can help mitigate the risks, so that information, services, and support can still be accessed safely.

Higher risk when data gets exposed

Unfortunately, LGBTQ+ people are still at a higher risk when their personal data gets exposed.

First, for people living in environments hostile to their sexual orientation or gender identity, keeping personal information private can literally mean life or death. Tragically, even today many countries still criminalize homosexuality and gender identities different from cisgender. When this personal information gets exposed, people might lose support from their family, lose their job, get arrested, or even be executed in some countries.

People in these very vulnerable situations have to be extremely careful about protecting their data in order to stay safe, online and offline.

Moreover, organizations collecting data that could put anyone at risk of getting accidentally or maliciously outed should feel a strong responsibility to protect this data fiercely, and be held legally accountable when they fail.

Being outed against one's will

For a queer person, deciding when, how, and to whom to reveal their sexuality or gender identity is a very important and intimate moment. It must be a personal choice, and only on the person's own terms.

Even in countries where queer identities and sexualities are legal and accepted, being outed against one's will can have devastating consequences.

If someone lives with family members who do not accept who they are, getting outed against their will could mean losing their home and familial support. In other situations, perhaps their family is supportive, but their employer isn't, or maybe some of their friends or co-workers are hostile. They might want to keep this information from them in order to avoid conflicts at work, or avoid losing friendships. Further, there is of course the risk for discrimination, online harassment, and worse.

No matter the situation, coming out as queer should always be an individual and intentional choice.

It is an act of violence to out someone against their consent, even when performed by the intermediary of an algorithm or a neglectful data leak.

Each time there is a data breach that includes information about gender identity, sexuality, browsing history, location history, installed applications, or legal names, this data leak risks outing people against their will.

For all these reasons, it is vital that information be safeguarded so that a queer person is empowered to choose when, how, and to whom to come out on their own terms.

In today's political climate, this is unfortunately even truer for trans people, who are at a greater risk of getting outed against their will when data about their gender, sex, or legal name leaks. Sadly, there are still too many online forms and software that needlessly collect gender data when it's completely unnecessary. Similarly, requiring full legal name is completely irrelevant in many situations where it is currently asked.

Developers must take responsibility and design software and forms considering these risks. As data scientist and civic technologist Soren Spicknall explains brilliantly, gender data should never be collected unless absolutely necessary and absolutely protected, which in most instances it really isn't:

"Is the danger to your LGBT+ users worth the ability to roughly guess whether somebody is buying a purse for themselves or as a gift, or to assume you know what kind of movie they want to watch?"

Algorithms shouldn't be able to target sexuality and gender identity as markers for advertising purposes. Unfortunately, there have already been reported incidents where people were outed against their will by Facebook spitting around rainbow ads everywhere, because of Facebook secretly tying someone's browsing activity back to their profile.

Facebook (and most other commercial platforms) uses cookies and other tracking technologies to follow users online and build an advertising profile based on their online activity, even outside of Facebook. Then, it shows ads on Facebook related to that activity, no matter if this information was shared or not on the platform.

This kind of non-consensual outing can have devastating consequences, and should be forbidden by law. Everyone should be able to come out when and how they see fit, and not be aggressively outed by some Facebook or Google ad algorithm, or by some negligent data leak.

Online harassment and extortion

The risk of having data about one's sexuality or gender identity revealed against one's will can be very dangerous for some people.

With online harassment on the rise, this intimate information can be weaponized by bigots and extortionists to cause severe harm. Unfortunately, this isn't a rare occurrence, even in countries where the LGBTQ+ community is well accepted. Regrettably, some platforms have even started to roll back previous protections against hate speech and harassment. This will have a severely detrimental impact on the safety of the queer community online.

This year, the LGBTQ advocacy organization GLAAD produced a Social Media Safety Index rating six major platforms: TikTok, Facebook, Instagram, YouTube, Threads, and X. X (formerly Twitter) received the worst safety score of them all.

Seeking health information

People questioning their gender identity or sexuality might seek information online about the health procedures or treatments they need.

This sensitive search history can reveal a lot of personal details that should never be exposed against one's will. Sadly, browsing the internet without any tracking is a task that becomes harder every year, and many people aren't aware of the protections they can use against this tracking.

People can suffer from severe harm when sensitive data related to their gender-affirming care or sexual health is exposed, ranging from non-consensual outing to imprisonment. Discrimination related to this type of health information is still rampant in every country in the world.

Seeking community online

Seeking the support of online communities is common for queer people who can more easily feel isolated. This is especially true for youth living in hostile or rural environments, where smaller population density often means less supportive local resources and venues.

For people in these situations, finding community online can be essential to survival.

Despite all its flaws, the internet still offers a wonderful way to connect with others regardless of physical distances, and this is doubly true for the queer community.

The need for social connection and support from peers is a fundamental human need. No matter how dangerous this can be, not sharing information online is simply not a viable option for many queer people.

Privacy-invasive practices that are exponentially worse for queer people

Real-name policies

Many privacy-invasive practices and policies are significantly more dangerous for LGBTQ+ people. For example, the "real-name" policies on Facebook and other platforms are absolutely horrendous for transgender people.

If a trans person uses an older account, or has not changed their name on official documentation, a real-name policy could either out them against their will, force them to keep their deadname online, or even lock them out of their account if official ID is requested for account recovery and doesn't match the name they used for the account.

For many people around the world, the use of pseudonyms or chosen names online means safety, and this is even truer for trans people and other queer people.

Single-account policies

Thankfully, most platforms aren't using such policies yet. But unfortunately, it does seem there could be a push to implement single-account policies in the near future.

With the multiplication of age verification laws and the proliferation of unregulated AI systems, there has been some talk of using unique identifiers to prevent the creation of multiple accounts. This is a horrible idea for everyone, and should never be allowed, but it's even worse for LGBTQ+ people.

Creating multiple accounts for different purposes, for example to separate work life from personal life, is a great privacy practice for anyone.

Multiple accounts on a same platform, or "alt accounts", are regularly used by queer people in order to be their full selves online, when they aren't fully out in their public or personal life, or just because they prefer to keep their queer identity and activities separated.

Sadly, if single-account policies begin to be implemented on platforms, this great privacy protection could soon disappear.

Facial recognition

Facial recognition is an especially problematic technology for transgender people. Many times, these algorithms will not only create a faceprint from the data, but will also try to infer gender from it.

These systems are deeply flawed and have discrimination biases built-in. They can't even reliably identify the correct gender of cisgender people. Because of the way these algorithms were developed, the use of this technology is worse for transgender people, and exponentially worse for transgender people of color.

Tragically, privacy legislation is lagging behind at protecting us by regulating this biased, invasive, and inaccurate technology that is spreading faster and further every year.

Public photos during events

These days, it's pretty much impossible to attend many events without having our photo intrusively taken by a stranger and posted on Instagram without our consent.

This is a generally bad behavior that we should all work on improving culturally. Posting photos of strangers online without their consent can be much more harmful for queer people.

For example, taking photos at a Pride event and posting it online can out people against their will. While it's perhaps fair to assume most people performing in a Pride parade or on a stage might implicitly be comfortable with it, this isn't necessarily the case for people in the audience.

This non-consensual practice, coupled with the corporate social media tendency to use facial recognition to tag everyone's faces, can cause harm in all sorts of ways.

We should all develop more respectful practices when taking photos at events, and be mindful not to post anything online which could identify anyone in the audience who did not give their explicit consent.

Background checks and algorithmic biases

Even for people who are publicly out and live in regions that are supportive, discrimination and biases are still there. Despite new legislations and a more progressive culture, data remnants of previous oppressive times can still have a severe negative impact on someone's life. Too few efforts are made by institutions to correct records properly after legislation has passed.

This is especially problematic with opaque systems where embedded discrimination might not be obvious. Algorithmic decision-making is a growing danger for this, considering there is often no way to trace back the reasons a decision was made, and no accountability for whomever fed biased data to the black-box algorithm, whether negligently or maliciously.

There are also older systems of decision-making, such as background checks. Last year, a 78-year-old woman from West Sussex learned that she had a criminal record for 56 years for being a lesbian in the military (at a time when it was illegal). Completely unaware of this outdated data trail, this woman spent her whole life with this discriminatory tag attached to her records. This likely cost her countless opportunities throughout the decades, without her ever knowing the cause.

Unfortunately, this kind of incident is likely to multiply by millions with the increased use of algorithmic decision-making using closed systems, often impossible to audit.

Dating apps data

Last but not least, data collected by dating apps is an especially sensitive issue for the queer population.

Regrettably, there have already been numerous data breaches showing this risk is very real. Intimate photos have been leaked, location data has been leaked, health data has been leaked, and even private messages have been leaked.

The harm caused by these leaks and breaches have consequences ranging from accidental outing, to loss of employment, extortion by criminals, imprisonment, and even death.

In countries where homosexuality is criminalized, cruel state authorities and homophobic bigots are weaponizing dating apps to entrap LGBTQ+ people to attack or arrest them. Weighing the need for support, love, and affection, with the very real risk of physical aggression is a dreadful challenge many queer people face.

Things to keep in mind to stay safe

Despite the increased risks the queer community is exposed to, staying offline and disconnected from the world isn't a viable option.

Indeed, disconnection and isolation can be a worse risk for many LGBTQ+ people, especially younger people. Tragically, queer youth are more than four times as likely to attempt suicide. Disconnecting from the internet communities that accept them isn't an option, and would pose dangers of its own.

Thankfully, there are many tools and practices that can be adopted to improve privacy online, and reduce the risk of sensitive data getting exposed. Here are a few ideas that might help yourself or your loved ones to stay safer online:

Social media usage leaves a lot of digital footprints online, and some platforms are worse than others for this. Staying mindful about which platform to choose, and how to use it, can greatly improve one's experience and security.

Favoring alternative social media platforms that do not have a commercial incentive to monetize data can really help.

For example, platforms that are developed and managed by a community of volunteers, rather than a for-profit corporation, tend to keep their users' benefits and safety in mind much more.

If you are ready to make a change, Mastodon is a non-profit platform that we recommend.

Mastodon is a social media platform that somewhat resembles Twitter prior to its rebranding. It is composed of multiple servers you can choose from, which makes it easier to move your account if you aren't satisfied with the moderation on one particular server.

To get started, you can choose the server administrated by the team who develops the Mastodon software (mastodon.social), or you can choose a smaller server run by volunteers (you can also self-host, but that's a longer story).

Don't let this choice intimidate you too much though, these servers connect with each other, and you can always move later on. Just pick one you like. Some servers will have a focus on a region, a topic, a hobby, and there are even servers focused on LGBTQ+ communities, such as tech.lgbt, lgbtqia.space, and more.

All the servers listed on the Mastodon website have committed to hold active moderation against racism, sexism, homophobia, and transphobia.

Additionally, Mastodon connects with other social media platforms that are also part of the larger Fediverse network.

If you prefer something similar to Instagram, you can replace it with Pixelfed. For something similar to Facebook, look for Friendica. For something more like TikTok, try Loops. For a replacement to YouTube, check videos on PeerTube, and more!

These alternative platforms often benefit from stronger moderation and better respect for their users' data. Because they aren't for-profit corporations, they have no interest in collecting your data, tracking you, or imposing invasive "real-name" policies. Additionally, they run no ads!

No matter what social media platform(s) you choose to use, the first step should always be to make sure you go through all the settings to secure your account (enable multifactor authentication!), and adjust the available privacy options to your needs and preferences (consider locking your account if you wish to restrict visibility to your followers).

This is true for Mastodon as well, but you should make adjusting all the privacy and security options an absolute priority for any corporate social media, especially if you stay on Facebook.

Additionally, keep in mind that many platforms, including X, Facebook, and Reddit, will now use all your posted content to train their AI systems, making this information and embedded biases likely impossible to delete in the future.

Developing an awareness of what data is shared, who can access it, how it is secured, and how it is used is very important for staying safe online.

Securing data when communicating

Outside of social media platforms, many tools are available to help you secure your intimate and private communications.

While chatting on dating apps may be the first step to meeting new people, moving early to end-to-end encrypted channels is likely a good idea for data security and privacy.

That being said, also take into account that because your communications there will be fully end-to-end encrypted (only visible by its intended sender and recipient), there will be no moderation with it. Make sure you trust a person enough before moving the discussion to an end-to-end encrypted, more personal channel.

Instant messaging communication

Signal is a wonderful end-to-end encrypted and free-to-use instant messaging app. Signal will collect your phone number to create the account, but nothing else.

When using Signal, you should enable the username feature. That way, you can (and should) share your username only, instead of sharing your phone number to connect with others.

Additionally, you should enable the disappearing messages feature from Signal, to help clean up the data you no longer need as time goes, and reduce the risk of leaks.

Only send sensitive information to people you genuinely trust!

Keep in mind that even when using end-to-end encrypted apps and a disappearing message features, this will not prevent a malicious person from downloading this data on their device or taking a screenshot of it.

Be especially careful when sending very sensitive information, such as intimate photos for example. No matter how secure the application is, you should only send sensitive information and pictures to people you know and sincerely trust.

Email communication

For email communication, migrating to an end-to-end encrypted alternative can make a big difference for your privacy.

For example, services like Gmail (Google) and Hotmail (Microsoft) could access the content of all your communications, and often use this information in various ways to build advertising profiles. Because email content isn't end-to-end encrypted, this data could get requested by authorities as well, and handed to them in plain text (unencrypted).

For secure and more private end-to-end encrypted email services, we recommend Proton Mail or Tuta. These services will not make you anonymous when you email someone (email address, IP address, and subject line, could still identify you), but the content of your communication will be encrypted end-to-end (if used with a compatible service), and only visible to its intended recipient(s).

Encrypted email service limitations

Stay aware that if you email someone who is not using the same end-to-end encrypted email service as you, and you aren't using any additional measures to encrypt the message, this email will likely be accessible to the service you sent it to.

For example, if you send an email from a Proton Mail address, to someone using a Gmail address, without asking the recipient to use your encryption key or use any additional services, then the email you sent will be stored on Google's servers, and could get accessed by Google.

If you send a Proton Mail email to another Proton Mail user, the content of the message will be fully end-to-end encrypted and Proton could not access it.

The same is true for any other email providers. Make sure to verify compatibility fully before sending any sensitive information that way.

Securing data when traveling

When traveling, keep in mind that different countries or regions might have different laws related to LGBTQ+ people.

Your marriage might not be recognized in the location you are visiting. Your new legal name might also not get the same recognition, sadly. The first step to take when planning a trip should always be to gather information on the legal and cultural differences between your own region and the one you are visiting.

If you are visiting a country hostile to your sexuality or gender identity, make sure to take the proper precautions to secure your data before you cross the border.

This could mean leaving your phone at home and only bringing a burner phone with you. It could also mean bringing additional (or different) types of official ID that are less likely to get you in trouble, and more likely to get accepted by the authorities of your visiting country.

Be extremely careful when connecting to Wi-Fi services from a foreign country. If you were to connect to a service or website that is illegal there, and could accidentally out yourself as queer, you could get in trouble with few recourses. Using a trustworthy VPN can help mitigate some of this risk.

Securing data when protesting

For this month of Pride, you might feel the need to join a protest more than a parade.

If you decide to join the action, make sure to secure your data properly to stay safe. Prepare your devices adequately to be ready and resist surveillance targeted at protesters. Consult our Protesters' Guide to Smartphone Security, and make sure you understand well the level of risk of this particular protest. Different protests in different regions require different levels of data protection.

If you are organizing actions, try to stay away from corporate platforms who will willingly and quickly share your data with authorities (even private messages). If you must use corporate platforms, then make sure to limit the personal data you share there, and ensure attendees have alternative ways to contact you that do not require them to create an account, to register, or to use their legal name.

Having an independent website, or using a Fediverse-connected platform that will be accessible to everyone even without an account, are better ways to organize.

For example, if you create a Mastodon account for your organization, people will not need to create a Mastodon account to read your posts and event announcements. All your posts will be accessible just like any independent website would be (if you leave your posts' visibility public).

Setting up an end-to-end encrypted email address and using an alias email address are also good ways to stay accessible without requiring attendees to use a Facebook account.

Additionally, there are federated platforms, such as Mobilizon, that can be a great non-commercial way to organize in a safer and more accessible space.

Data shared on federated platforms isn't necessarily end-to-end encrypted, and could also get shared with authorities if requested. But by using non-commercial platforms, this data will not be compiled and attached to an account the same way this would happen on a for-profit corporate platform such as Facebook. Using alternative not-for-profit platforms isn't perfect nor anonymous, but it's still a great improvement from the corporate default.

Protections for extreme situations

Finally, if you are living in an extreme situation where being yourself is dangerous to your physical safety, caution must be a priority.

There isn't a single solution that can protect all your data at once, and anyone telling you there is one is lying to sell you something. Remain skeptical of such claims.

However, there are a multitude of practices and tools that can help reduce your data trails, and improve your privacy greatly. The tools and practices you need to adopt will depend on the threat model specific to your situation.

Take the time to evaluate well which data could put you in danger, and focus on protecting this first.

If you are in a situation where someone hostile to you has access to your device, for example because you are living with an unsupportive family and need to browse the internet on a family device, Tails may be a tool that can help you. If you can use this computer unobserved, by using the live system Tails installed on a USB stick, you can keep your browsing activity hidden from this device. Your Internet Service Provider (ISP) could still know you have been visiting a special network, however. Make sure to read our tutorial thoroughly if you decide to use Tails.

If the information stored on your computer isn't a risk to you, but visiting LGBTQ+ websites from your country could be dangerous, perhaps using Tor with a Bridge or through a trustworthy VPN could be another solution to allow you to access this information in a safer way.

It's impossible to cover every specific situation, but know that there are many solutions to reduce the risks greatly, and improve data protection to allow you to stay connected, stay yourself, and stay safe 💛

Caution: This isn't an exhaustive list!

This is only a short introduction to some practices and tools that can improve your privacy online. Not one solution will be enough to be anonymous online.

It's important to stay aware of what data will still be shared and which will be better protected, but nothing will make you 100% anonymous.

For more information on how to improve further your data protection online, you can consult our various guides. If you are just starting in your privacy-improving journey, be patient. Adopt one small improvement at the time, then add another one. Each additional step you take will slowly but surely reduce your data trails, and improve your privacy overtime.

Improving data privacy is vital for everyone, but critical for the queer community

Every situation is different and requires different protections. While data privacy is important for everyone, it's also essential to acknowledge that marginalized populations are often at a heightened risk when their data gets exposed.

Protection cannot be only an individual responsibility. Protecting vulnerable and marginalized populations is a societal responsibility that concerns everyone.

We all have a duty of care to protect the data of others. Whether it's from the photos we take at public events, or the discussions we have about others on Facebook or X-Twitter's direct messages, everyone must improve their practices on this.

Moreover, anyone in a position to improve how data is collected from users must be held accountable, and must feel morally liable on the decisions taken that could endanger anyone, but especially marginalized groups like the queer community.

In an ideal world, laws and cultures would protect everyone and particularly the most vulnerable by default.

But until we get there, we have to empowered ourselves to bring change and stop predatory data collection, prevent negligent data security, and educate everyone on the tools we can use to help ourselves and the most vulnerable to stay safe.

Additional resources

Helplines

Mindline Trans+ (UK): A confidential emotional, mental health support helpline for people who identify as Trans, Agender, Gender Fluid or Non-Binary.
Trans Lifeline Hotline (US and Canada): Trans peer support over the phone.
Suicide & Crisis Helpline (US and Canada): General support 24/7 phone number 988.
Suicide & Crisis Helpline (International): List of suicide crisis lines around the world.

Supportive organizations

Egale (Canada, International): Resources for LGBTQ+ asylum and immigration requests from outside and inside Canada.
SOS Homophobie (France): Non-profit, volunteer-run organization committed to combatting hate-motivated violence and discrimination against LGBTI people.
The Trevor Project (US): Suicide prevention and crisis intervention non-profit organization for LGBTQ+ young people.
Trans Rescue (International): Organization assisting trans and queer individuals in relocating from dangerous areas to safer places.
Twenty10 (Australia): Sydney-based organization providing a broad range of free support programs to the LGBTIQA+ community.

International advocacy

Amnesty International: Human rights organization running campaigns to protect and uphold the rights of LGBTI people globally.
Human Rights Watch: Human rights non-profit who documents and exposes abuses based on sexual orientation and gender identity worldwide, and advocate for better protective laws and policies.

Stay aware of your data trail

If the traces of this article in your browsing history could put you at risk, visit our guide to properly delete this data from your device.

KeePassium Review: A Flexible Password Manager for iOS and macOS

Em — Thu, 25 Sep 2025 04:09:21 +0000

Illustration: Em / Privacy Guides | Photo: PicJumbo / Pexels

If you have been looking for a password manager giving you full control over your data, KeePassium is a fantastic option. The application available for iOS and macOS keeps your password database offline by default. KeePassium still offers synchronization and backup options, but allows you to choose which storage provider to trust with your database, and change it whenever you want.

KeePassium is a commercial open-source application made by KeePassium Labs, based in Luxembourg.

Because it's open-source, anyone can inspect and download its code if they wish. Anyone could even build the entire application by themselves, and use the advanced features completely for free.

However, if you do not want to bother with code, you can use either the basic plan for free, or pay for a premium plan to access advanced features and to support the project.

KeePassium is a KeePass-compatible project. If you are already familiar with any software from the KeePass ecosystem, you will feel right at home with KeePassium.

KeePassium's strength resides in how it integrates KeePass' security and features into a well-rounded and well-designed application, that is very instinctive to use, while not compromising on flexibility and customizability.

The KeePassium application

For this review, the words "KeePassium" and "application" refer to both the KeePassium iOS and macOS applications simultaneously, unless otherwise specified. The mobile application was tested first and will be more prominent in the examples and screenshots.

Platforms and Compatibility

KeePassium is written in Apple's Swift programming language and is available for Apple devices.

Mobile

For iPhone and iPad, KeePassium works on iOS 17.0 or later.

Desktop

For Mac computers, KeePassium works on macOS 14.0 (Sonoma) or later.
KeePassium is compatible with both Apple Silicon and Intel hardware.
The desktop application is new and was released on December 17th, 2024.

Apple Vision

For Apple Vision, KeePassium works on visionOS 1.0 or later.

Languages

The KeePassium application is available in the following languages: English, Arabic, Czech, Dutch, French, German, Italian, Japanese, Korean, Polish, Portuguese, Russian, Simplified Chinese, Slovak, Spanish, Swedish, Thai, Traditional Chinese, Turkish, and Ukrainian.

Cross-compatibility

One great strength of any applications derivative of KeePass is compatibility with other KeePass applications. This is due to implementing of the same .kdbx file format for password databases, and often sharing similar features as well.

If you use KeePassium to store your passwords, you will be able to easily transfer your password database to other KeePass-compatible applications, and vice versa. This offers powerful portability for your password database.

File formats and encryption

KeePassium supports the KDB, KDBX3, and KDBX4 file formats, and implements AES, ChaCha20, Twofish, and Argon2 for encryption algorithms.

Even if compatibility with older database formats is available, it is recommended to use the more recent and more secure KDBX4 format. This latest format will be the default when you create a new database in KeePassium.

This cross-compatibility is so versatile that you could, for example, use KeePassium on mobile but sync it with KeePassXC on desktop.

Similarly, if you have a Mac computer but an Android phone, you could use KeePassium on desktop but KeePassDX on mobile, and so on and so forth. You can consult KeePassium's documentation for a list of all compatible apps.

Testing compatibility

If you plan on using KeePassium with cloud storage and synchronization between devices, make sure to test your settings well before adding all your passwords to it.

Depending on your usage and settings, glitches in synchronization could corrupt your database file. This has more chances to happen if you use a cloud storage that isn't fully supported, or a KeePass-compatible application that isn't listed in KeePassium's documentation.

Ideally, if you use synchronization, create a dummy database at first to test that synchronization works properly with your specific cloud configuration and between all the devices you use.

It's also advisable to enable the backup feature and even keep a backup copy of your database file in a different directory. That way, if your main synced file were to get corrupted or lost somehow, you could always rely on this secondary backup.

This is important because there is no remote database management done by KeePassium. You are fully in control of your own data, but you are also fully responsible to protect it.

Pricing

KeePassium can be used completely for free!

That being said, if you need advanced features, you might want to pay for a Premium plan (monthly or yearly), or a Pro or Business plan. Fortunately, the monthly Premium plan is very affordable, allowing users to test the Premium features one month at the time before committing to a longer subscription.

Alternatively, if you do not need any advanced features but would like to support the project, you could use the free plan and donate a fix amount to KeePassium.

Rent-to-own

Something interesting about KeePassium Premium's plan is that it offers a "rent-to-own" license. This means that if you pay for a KeePassium subscription for 12 months or more, you will always "own" the features you've paid for, even if you stop paying.

For example, if you pay for Premium for only one year then stop, you will keep access to all the Premium features that were available while you paid for Premium, but will not have access to new features added after your stopped paying. This is an excellent model that more applications should adopt.

Security and Trust

Security and trust are without a doubt the most important characteristics of a good password manager.

While functionality and features are also important, there is no point in having a pretty application that doesn't safeguard your passwords properly. It would defeat the whole purpose of the password manager.

KeePassium does not neglect security for convenience, and has done its homework to earn its users' trust. The database format it uses, its transparency with open source, and its independent security audit, are all factors contributing to build trust in KeePassium.

Trusted database format

The application is using an encrypted database file format developed by KeePass, an open-source project with a good reputation in the security and privacy community. KeePass' code and formats are trusted by many other KeePass-compatible projects, including KeePassXC, KeeWeb, OneKeePass, ModernKeePass, MacPass, Keepass2Android, and more.

Even if the KeePassium application is relatively recent with its first launch in 2019, the formats it uses to secure password databases had many eyes on since the initial KeePass release in 2003. The fact that so many people have inspected, used, tested, and improved the security foundation of this file format through the years contributes to KeePassium's security as well.

Open-source code

KeePassium was created by Dr. Andrei Popleteev, who founded KeePassium Labs, and continues as its director to develop and maintain the app with a small team of contributors. Like KeePass, KeePassium's code is open-source under a GNU General Public License.

Open-source code isn't magical, but it helps to build trust by providing full transparency. Because all of KeePassium's code is publicly accessible, anyone could inspect it. This can help to detect and reporting potential vulnerabilities early on, and quickly verifying any claims made. Of course, at least some independent qualified people have to inspect the code in order to make this meaningful at all. But this is true for any open-source projects.

A note on KeePassium's open-source commercial model

More precisely, KeePassium is a commercial open-source application. This means its code is fully open and available to inspect, download, and use (within its license's limits). However, users can also purchase paid plans to access advanced features, without having to build and manage the code themselves.

Paid plans provide a source of revenue to KeePassium, which helps to maintain the application adequately to keep it compatible and secure, providing support to customers, and adding new features down the line.

This commercial model can actually add stability to a project, making it more likely to survive long term. This is reassuring considering all the other KeePass-compatible projects that have stopped getting maintained and are unfortunately no longer usable.

Furthermore, there is some conflict between certain open-source licenses and publication on Apple's App Store. Because it isn't possible to download an iOS app outside of Apple's App Store (unless you adventure in the perilous waters of jailbreaking), KeePassium and all other iOS apps are confined to operate within the App Store's requirements.

Also for this reason, the KeePassium projects cannot accept external contributions to its code, but can still accept contributions for bug reports, feature suggestions, and translations.

Independent security audit (iOS)

Perhaps one of the most compelling argument for trusting KeePassium is the independent security audit the iOS application went through last year.

The Berlin-based cybersecurity firm Cure53 conducted a full evaluation and professional pentest of the mobile application in November 2024.

The review included an audit of the source code, application, network communications, and the implemented cryptography. The few vulnerabilities found were all fixed following reception of the report.

It's important to note that only KeePassium for iOS was audited, and not KeePassium for macOS, which was released after the audit. However, many aspects of KeePassium for iOS that were included in the audit are likely to be similar for KeePassium for macOS.

Interestingly, Cure53 has audited many other well-known security and privacy-focused or open-source applications such as Proton Pass, 1Password, Bitwarden, Obsidian, Mullvad VPN, Onion Browser, Threema, Briar, SecureDrop, Mastodon, and much more.

Recommended by other applications

Finally, if you already trust KeePassXC for your desktop password manager, know that KeePassium is one of the apps suggested by KeePassXC to use on iOS.

Privacy and Encryption

Data privacy and encryption are fundamental aspects of any password managers. Because pretty much all data stored in a password manager is highly sensitive data, all data should be protected by strong end-to-end encryption.

Data collection

On this point, KeePassium delivers. First, a quick look at Apple's privacy label indicates that "the developer does not collect any data from this app". This is a good start, and this description is true for both the iOS and macOS applications.

Second, in its current version, KeePassium's Privacy Policy is excellent. This is never a guarantee of course, but the app's security audit shows the Privacy Policy statements are likely founded.

KeePassium separates its privacy policies for the application and the website. This is an excellent practice way too rarely adopted by companies. This approach provides much more clarity for what data is collected from where, and is a positive sign that an organization understands well data privacy legal requirements.

The Privacy Policy for the app is detailed and thorough, which are essential qualities to any respectable privacy policies.

It starts by stating clearly that KeePassium does not send any personal data to KeePassium Labs, the company developing the app. Then, it lists all instances where data could be collected through the purchase or use of KeePassium, and gives clear instructions on how to opt out for each. This is the kind of privacy policy that shows an organization genuinely values and understands data privacy. I highly encourage you to have a look at it from the link above.

Worth noting as well, KeePassium's Privacy Policy for its website states it does not use any cookies. This is certainly refreshing to read.

Encryption

Although the application is compatible with older formats, KeePassium by default will use the newer KDBX4 file format to encrypt password databases.

This is important because the KDBX4 format offers significant security improvements over the previous KDBX3 format. If you import an older database in KeePassium, it is recommended to upgrade it to KDBX4 and use a different main password for the upgraded database if you keep a backup of the previous one.

Upgrade from KDB to KDBX

If you need to upgrade an older database file to the newest file format to benefit from better security and KeePassium's full functionality, you can follow KeePassium's instructions.

To secure the database, and all the content included in it, KeePassium uses AES256, ChaCha20, Twofish, HMAC, and Argon2 (for KDBX4 only). Because the KeePass database file format (and so KeePassium's as well) encrypts the whole database, this means that not only passwords are encrypted but also usernames, website URLs, notes, attachments, etc.

Encrypting all data, not just passwords

Encrypting all user data contained in a password manager entry is extremely important, because encrypting passwords only just isn't enough.

In August 2022, the password manager LastPass suffered a security breach where users' password vaults (databases) were stolen from LastPass' servers.

This is bad enough even with end-to-end encrypted data (because vaults with a weak main password could get cracked), but even worse than this, some important data like website URLs were not encrypted at all, so this information was stolen in plain text.

This is the perfect example of why encrypting all data and metadata input by the user is crucial for data privacy and security.

Additionally, the LastPass' breach is a great argument in favor of keeping one's password database offline, whenever possible. Something that KeePassium makes possible even by default.

Encryption algorithms used by KeePassium

AES256: The Advanced Encryption Standard (AES) is a trusted and commonly used block cipher symmetric-key algorithm. It was established in 2001 by NIST, the American National Institute of Standards and Technology. The number following the acronym describes the key size in bits (128, 192, or 256 bits).

Twofish: Twofish is another block cipher symmetric-key algorithm, which KeePassium can use to secure databases, in 256-bit key size as well. Famous cryptographer Bruce Schneier was part of the team who designed Twofish.

ChaCha20 (KDBX4 only): The ChaCha20 algorithm is a variant of Salsa20, both stream ciphers that encrypt and decrypt data in continuous stream instead of blocks. The number refers to the number of rounds in its structure.

HMAC (Key Derivative Function): Hash-based Message Authentication Code (HMAC) is a robust hash function. In KeePass-compatible apps, it is used to verify the integrity and authenticity of the database before decryption.

Argon2 (Key Derivative Function, for KDBX4 only): Argon2 is a memory-hard function that offers better resistance against GPU cracking attacks compared to AES-KDF. Argon2 was the winner of the Password Hashing Competition in 2015.

AES-KDF (Key Derivative Function, for KDBX3 only): AES-KDF is a key derivative function based on AES. This method was previously used for the KDBX3 database format, but has since been replaced by Argon2 for KDBX4. This is partly because AES-KDF is not memory-hard, which makes it easier to crack for an attacker using modern technologies.

Usage and Features

Once solid security and privacy protections have been confirmed, the second important part of a good password manager is how easy it is to use and the features it offers.

In this regard, KeePassium excels again. Not only does KeePassium offer the features users familiar with KeePass-compatible applications will recognize, but importantly, it implements these features with a polished user interface and obvious consideration for accessibility and user experience.

Starting with KeePassium on iOS

Installing the app from the App Store is a smooth process. Once installed, make sure to go in Apple's "Settings" > "KeePassium" > "Siri & Search" and disable the Siri options you are not using. Apple very annoyingly puts them all on by default for each new app installed.

Additionally, you can follow KeePassium's instructions from its Privacy Policy to opt out of other Apple settings related to KeePassium.

After installing the app, KeePassium will guide you step-by-step to set up an application PIN (you can also enable application lock with biometrics), and import or create a new database.

If you are not familiar with it already, it's a good idea to read each popup from the welcome screen.

Secure the application properly

When prompted to select a Passcode to lock the application (which is different from the main password to secure your database), you will have the option to switch from the numeric keypad to a full alphanumeric keyboard. This is recommended to set up a stronger Passcode to protect the application, where your database(s) might be kept unlocked if you choose this option.

If you create a new database to store your passwords, make sure to choose a strong main password (or "Master Key") that is unique, complex, and long.

KeePassium will guide you to determine if your main password is sufficiently strong. However, the app cannot know if you have used this password before, so you should make sure that you haven't and this main password is unique.

Be careful to remember your main password!

This is the only password that cannot be stored in your password manager, so it's important to secure it properly and also ensure you can remember it well.

Due to the nature of end-to-end encryption, there is no way for KeePassium to recover a lost password. Not remembering your main password could mean getting locked out of your password database permanently.

After creating a new database, you will be prompted to unlock it with your new main password ("Master Key").

After you have either created or imported a database, you are ready to explore KeePassium's features.

Starting with KeePassium on macOS

To download KeePassium on macOS, you will need to go through Apple's App Store. Alternatively, you could also build the application from the source code, but that is an entirely different process.

Installing the application is a breeze, and the macOS app shares the same welcome sections and features the iOS version has, with a slightly different format.

The application will guide you to either create or import a database, then you will recognize the same features described below for the iOS version.

Accessibility

There are a few great accessibility features with KeePassium. First, KeePassium fully works with Apple's VoiceOver. To enable it on iPhone, you can go in the iOS "Settings" > "Accessibility" > "VoiceOver" and enable "VoiceOver".

Second, from the KeePassium app you can tap on the "Settings" gear button on the lower-right to access the "Appearance" menu. From there, you will see a sliding option to adjust the entry's text size. This will change the size of the text in all entries' sections. You also have the option to change the font type from there.

Additionally, when tapping on a Password in an entry section, you can quickly tap on the magnified "a" button (while the blue "Copied" overlay appears) to display the password in large font, with each character separated in an indexed table.

Security features

In the "Access Control" category of "Settings", there are some important options to customize the app's security features:

App Protection

This section gives options to secure the application itself. It includes using the device's biometric lock instead of the app's Passcode, changing the app's Passcode, and choosing when the app gets locked.

Data Protection

This section gives options to enable or disable if the database(s)' main password(s) is remembered locally in the device's secure keychain, or if it must be re-entered each time to unlock a database. It also allows you to choose when (if remembered) the database will lock itself again, how long to keep data (including copied passwords) in the device's clipboard, and other security preferences.

A fun (and useful) feature you will find there is that you can decide what happens when the device is "shaken". This can be an important security feature for people in sensitive situations.

Protection against weak passwords

When first creating a database, KeePassium will indicate if the main password chosen is too weak and display a warning.

This is an important security feature because a database is only as protected as the strength of its main password. It goes without saying the main password for a database should always be unique (has never been used elsewhere), complex (uses a variety of character types), and long (is long enough to not be vulnerable to brute-force attacks).

Passwords chosen for each entry will also display an indicator of strength under each field.

YubiKey support (Premium)

For users with Premium plans, KeePassium offers support for YubiKey to add extra protection to a database using the challenge-response implementation.

The same feature is available on KeePassXC on desktop. For more details on this, you can check our tutorial for KeePassXC, or our tutorial on how to set up and back up a YubiKey's challenge-response.

Passwords audit (Premium)

KeePassium offers to audit database's passwords for potential leaks. This feature works by comparing an obfuscated version of a password with the Have I Been Pwned service. The password is never shared externally during this process. This is helpful information to get an early warning and change a compromised password before the exposed account is attacked.

Groups and Smart Groups

Before starting to add entries to a new database, it's a good idea to explore the Groups and Smart Groups features. Groups are directories that can be created inside a database to separate categories of passwords.

Smart Groups are simply Groups created from a search query. If you imported a database already full of passwords, you might not feel like sorting them manually. Smart Groups will help to create Groups using queries to categorize entries automatically. This can be very convenient to organize larger databases.

When creating a new database, KeePassium will suggest some Groups, which you can be used as provided, changed, or deleted. To add a new Group or Smart Group, tap on the 3-dot button on the upper-right from inside a database and select "New Group" or "New Smart Group".

Separate databases vs Groups

Using separate databases for different categories of passwords, for example one database for personal passwords, work-related passwords, and family-shared passwords is a good idea because it takes advantage of compartmentalization to add extra security and privacy.

Each database will have its own main password, and if one database were to get compromised, the others might still be protected. KeePassium's free plan only allow to use one database at the time, however.

Groups mainly serve to organize passwords and do not provide any additional security, privacy, or portability like separate databases do. For free plan users, Groups can still be a great feature to separate passwords when it isn't a security issue to encrypt them all together using a same main password.

Entry options

Once inside a database, users can add a new entry there or first create/enter a Group directory. To create a new entry, tap on the 3-dot menu on the upper-right, then select "New Entry".

Each New Entry section will include a field for the entry's name, choice of icon (or option to download the service's favicon), "User Name", "Password", "URL", "Tags", "Notes", and option to "Set up one-time password (OTP)".

Tapping the plus-sign button at the top will create a new custom text field for an entry. Enabling the "Protected Field" option on the lower-right will hide this field as if it was a password field. That being said, all fields from an entry will be fully encrypted with the database.

An entry section from macOS:

Finally, to edit, move, copy or delete an entry on iOS, a long press over its name from the directory will show these options. Swiping left on a password entry will also show the edit and delete options.

Password generator

Conveniently, KeePassium includes a password generator. This is a common feature for password managers, and KeePassium implements this feature very well.

The generator can be used from either the die-shaped button on the right of every password field, the tool-shaped button menu on the lower-left from inside a database selecting "Random Generator", or the die-shaped button on the lower-left from the "Databases" section. The latter is a nice touch if you ever need to generate a random string while your database is locked.

Each time you open the Random Generator, it will automatically generate new random strings for all 3 modes: Basic, Expert, and Passphrase.

The Random Generator can also be customized. To customize each mode, tap on the gears-shaped button on the upper-right of the generator and change the mode to adjust the parameters for each. The app will remember the parameters every time it is used.

The customization for Passphrase does not include the options for "MIXED" case at this time, however, considering this option was just added to KeePassXC last month, maybe it will be added to KeePassium as well in the near future.

One-Time Password (OTP)

KeePassium offers the option to store one-time password codes with each entry. This can be a convenient way to manage second-factor of authentication, and keep these codes stored locally only.

However, this can also introduce additional risks. If a database file was to get compromised at some point, it would also compromise all the OTP codes within it, making this second-factor protection useless against an attack of the whole database.

If this isn't a risk you are concerned with, then KeePassium's OTP can be a useful feature.

OTP codes are easy to set up and can be entered manually or using a QR code. Once set up, the code will be displayed as a field in the entry. Tap on it to copy it.

AutoFill

Depending on your usage, AutoFill can be an important feature for a password manager. AutoFill will allow KeePassium to recognize a login page and automatically fill all in the login credentials.

To ensure AutoFill works smoothly, it's important to enter the correct website URL for each entry, specifically the page's URL where the credentials will be required.

Ultimately, it's possible some websites will just not work with KeePassium's AutoFill. Some issues have been experienced while testing the app for this review. If you experience the same issue with a website, you can simply copy-paste the credentials manually in each corresponding field.

AutoFill issues for some websites

A possible cause of AutoFill issues can be an incorrect entry URL that isn't the proper "Caller ID". To troubleshoot this, you can consult KeePassium's helpful instructions here.

AutoFill for iOS

When set up correctly on iOS, a "Passwords" button should appear above the keyboard for websites where credentials have been stored in your database. If it doesn't, this could mean AutoFill was not set up properly from the iOS Settings.

AutoFill for macOS

There isn't a browser extension available for KeePassium on macOS. The desktop AutoFill feature integrates with the system as a credential provider. Browser implementation depends on how each browser integrates this function. The desktop AutoFill feature does work flawlessly with Safari.

To set up AutoFill for KeePassium, you will have to enable it from the macOS Settings. KeePassium will guide you through the process with clear instructions to follow:

Once enabled, every website with a corresponding URL in your database will display a small key icon on the right of the credential fields.

Despite lacking a browser extension, integration with Safari and the macOS ecosystem works smoothly, and it will work with applications that aren't browsers as well.

Backups

Backing up your database is essential with any KeePass-compatible app. Because there is no remote backup automatically stored by the application, you become responsible for protecting this data properly.

KeePassium offers many options to help users back up their databases.

Enable backup copies

The option to back up local copies automatically will be enabled by default. You can disable it if you prefer (ideally not), or enable the option to "Show Backup Files" in "Settings" > "Database Backup". You can also adjust for how long you wish to keep the local backups (the default value is 2 months).

Exclude from iCloud/iTunes

There is an important feature to exclude your database file and KeePassium's backups of your database from your device's iCloud or iTunes backups. If you do not trust Apple with your encrypted database, you should enable this everywhere (excluding from iCloud/iTunes is disabled by default).

If your database is stored locally (you might not see the option otherwise): From the "Databases" page, tap on the 3-dot button right to your database name (not the circled 3-dot button at the top, the one below). Then tap on "File Info" and enable the option "Exclude From iCloud/iTunes Backup" to make sure your database file stays outside your device's iCloud or iTunes backups.

Secondly, to also exclude the backups created by KeePassium, inside a database tap on the "Settings" gear button on the lower-right, then "Database Backup", and enable "Exclude Backup Files from System Backup".

You will find the same option on macOS:

Auto-delete backup files

You can choose the backup files to get deleted automatically after a certain period of time. For this, go to "Settings" then the "Database Backup" again, and scroll down to "Keep Backup Files". Select a retention period that is secure for your threat model. You can also tap on "Delete ALL Backup Files" below to delete all backups at any time.

Manual backups

Finally, you can simply back up your database .kdbx file manually. For this you have the options to transfer the file from KeePassium via cable, cloud storage, local network, AirDrop, email, or even Signal's Note to Self!

To transfer your database file entirely offline to another Apple device, connect your device together via USB cable and follow these instructions.

If you stored your database locally on iPhone, you will find the file in Apple's "Files" > "On My iPhone" > "KeePassium". From there, you can long press the file to see options to move or share it.

Restore database from backup

If you encounter any errors while managing your database, you can always restore it from a backup. Keeping multiple backup versions is a good idea to ensure you always have a functional file. Glitches and bugs are more likely to happen if you handle your database in unusual ways, with other software that may not have been tested for this usage yet.

Restoring a database in KeePassium is a very straightforward operation. In the "Databases" section, tap on the 3-dot button on the upper-right, then select "Show Backup Files", if it isn't already on. Follow KeePassium's instructions to restore a previous version.

Synchronization and direct connection

While you can use KeePassium entirely offline, the app also offers options to synchronize your database with other KeePassium installations or other KeePass-compatible applications.

There are two ways to do this. You can either simply store your database file in a cloud service of your choice and let KeePassium access this file, or you can use KeePassium's direct connection with certain cloud providers.

You can see these two options from the app in "Settings" > "Network Access". From there, you have the option to select "Stay Offline", for maximum privacy, or "Allow Network Access", for maximum functionality.

Whether you choose simple file synchronization or a direct connection, you can consult this list of cloud storage providers that have been tested by the KeePassium team and users to determine if your provider is supported.

Stay offline, and synchronize through a cloud provider (recommended)

This is KeePassium's recommended method to synchronize your database file(s) while maximizing privacy and minimizing external accesses. By default, KeePassium will remain offline, but you can store your database file with a cloud provider of your choice.

This way, your cloud provider will manage the network communication, and KeePassium will only take care of decrypting your database. Because of system-enforced sandboxing, KeePassium will not have access to anything else on your cloud storage, only the database file(s) your have granted it access to.

For example, you can store your database file on a cloud storage of your choice, then open it from KeePassium for iOS and also from KeePassXC on desktop. Both applications will access and manage the same file, therefore synchronizing your database.

Be careful however when modifying your database. If synchronization isn't handled properly, this could cause errors that could corrupt your file. This is why it's important to test your setting first, and a good practice to keep a backup in a secure secondary location.

Synchronization through Proton Drive

Proton Drive isn't part of the recommended and tested list of cloud providers for KeePassium. However, it was briefly tested during this review.

Between KeePassium iOS and KeePassXC on desktop, some synchronization was possible through Proton Drive, but with mixed results.

To make it work, first the Proton Drive app needed to stay unprotected by a PIN or biometrics, which isn't ideal if you have other sensitive files on this drive. There was also some delay to sync the database between mobile and desktop, and a few bugs occurred while testing.

That being said, synchronization was possible through Proton Drive between KeePassium for iOS and KeePassXC on desktop, but maybe not recommended. If you choose this setup for yourself, it is strongly recommended to conduct adequate testing first using a dummy database, and once set up with your actual database, to keep a secondary backup in a separate location.

Testing couldn't make synchronization work between KeePassium iOS and KeePassium macOS through Proton Drive. Issues seem to come from conflict resolutions on the Proton Drive side. Of course, because Proton Drive isn't even listed by KeePassium as a supported storage, this was simply conducted as an experiment and not an expectation.

Because many of our readers might use Proton Drive as a cloud provider, just be aware it probably isn't a usable synchronization solution at this time.

Using Proton Drive to simply back up a password database file manually without synchronization is still a viable option, however.

Allow network access, to connect directly from KeePassium

In 2022, KeePassium added direct connection options for certain cloud storage providers as a workaround solution for providers that were not integrating well with the system. This should however be a secondary choice only, as it will have some downsides for your data privacy.

You can find this option from the "Data Encryption" welcome window at the start where you can either create a database, import a database, or "Connect to Server".

Although KeePassium will only use what is necessary for this functionality, it will access more data than with the "Stay Offline" synchronization option. The data used for this functionality will however remain between your device and the cloud provider.

Supported cloud storage providers

KeePassium offers full support for iCloud Drive, Box, Dropbox, Google Drive, OneDrive, Resilio Sync, Nextcloud, SFTP / WebDAV, and limited support for Mega and Cryptomator.

You might be able to make it work with cloud providers that aren't listed here. However, if you decide to use a provider that isn't fully supported, make sure to properly test your setup with a dummy database first.

Additional features

This review focused testing on the most commonly used features that are accessible from a free plan. Nonetheless, KeePassium offers many more features, and additional ones for paid plans. Here's a summary of some other interesting features that have not been covered yet:

Passkeys

Since December 2024, KeePassium added support for passkeys with its 2.0 release.

You can use Apple's Family Sharing feature to share your KeePassium paid license with your family members.

Multiple databases (Premium)

With a paid plan, it's possible to create or import multiple databases with KeePassium. This can be very convenient if you use a separate database for work and for your personal life, for example.

Printing database

KeePassium has a quick option to print an entire database in plain text, in an easy-to-read format. If this is secure for you, it can be a convenient way to keep a backup paper copy of all your passwords in case of emergency (or for inheritance purposes).

To do this, while inside your database tap on the tool-shaped button on the lower-left, then select "Print". Of course make sure to secure this printed data very well, as it could be your weakest link.

Important security warning!

Depending on your printer's settings, you should be very careful when using the print function. This data will be sent in plain text to your printer, and even perhaps through a network (depending on your printer's settings).

This can represent a very high security risk, depending on your printer setup and situation. The file with your plain text passwords could also remain stored in the printer's queue!

The print function can be disabled for users with a Business license.

Read-only database

You can protect a database from accidental changes by enabling this option. This will prevent any entries from being added, removed, or modified.

It can be very useful if you have installed the app for someone who isn't comfortable with technology and want to make sure they cannot inadvertently delete an entry, for example.

To enable it from KeePassium on iOS, go to the "Databases" section, long press on your database file, select "Database Settings", then enable "Read Only" at the top.

File storage (attachments)

You can use your database to store files!

It's probably best to stay reasonable with this because files will quickly make your database very heavy. This could significantly slow down the encryption and decryption processes.

That being said, it's a great way to store more sensitive files securely. The files will be encrypted with your database.

You can either add files to an entry already created, or create a new entry named "Files" (or anything else you wish) to store all of your files together.

To add a file, select the paperclip-icon tab at the top of an entry, then tap the plus-sign button at the bottom. Your files (attachments) will be accessible from any other KeePass-compatible application, like KeePassXC for example.

Interestingly, KeePassium even uses a quite decent PDF viewer on iOS:

Nice to have

You can see what was added, changed, or fixed for each KeePassium version from "Settings" in the "What's New" section.
You can change the KeePassium and database icons from "Settings" > "Appearance" > in "App Icon" and "Database Icons".
KeePassium has excellent documentation! This is handy to learn about features or to troubleshoot if you encounter any errors.
You can see the full credits for the app from "Settings" in the "About KeePassium" section.

Check the credits!

KeePassium not only credits its direct contributors but also lists credits for each graphics, code, and encryption algorithms used. You will find the same list of credits on KeePassium's GitHub page. This is a wonderful idea that more software should get inspired by.

Downsides

Even if KeePassium is a great secure application that is easy and pleasant to use, there are still a few downsides that should be mentioned:

People with older versions of iOS or macOS will unfortunately not be able to use the application at all.
KeePassium only works in the Apple ecosystem, and there are no versions for other systems at this time.
If you are using a cloud provider that doesn't work smoothly with KeePassium and you need synchronization, you will unfortunately need to synchronize your database manually or change your cloud storage provider.
AutoFill on iOS might not work for every account. This can be an inconvenience depending on your usage and which of your accounts (if any) are impacted.
AutoFill on macOS might not work with your favorite browser (if it isn't Safari).

Conclusion

Overall, KeePassium is a privacy-focused, offline-first application, that has clearly prioritized user experience and user interface, while not neglecting security and privacy.

When used with the basic and supported settings, it works fairly smoothly and allows enough customization to adapt to a variety of user needs and situations.

The fact that KeePassium allows full compatibility with most other KeePass-compatible applications is an immense benefit compared to proprietary password managers.

If you already keep your database in the KeePass file format, there are no downsides in trying KeePassium. If you aren't using this database format yet, this is a great opportunity to start and free yourself from locked-in systems that secure your precious passwords with obscurity rather than with openness.

Unless credited otherwise, all screenshots from: Privacy Guides

Selling Surveillance as Convenience

Em — Thu, 25 Sep 2025 04:09:21 +0000

Selling Surveillance as Convenience

Illustration: Em / Privacy Guides | Photo: Zeki Okur / Unsplash

Increasingly, surveillance is being normalized and integrated in our lives. Under the guise of convenience, applications and features are sold to us as being the new better way to do things. While some might be useful, this convenience is a Trojan horse. The cost of it is the continuous degradation of our privacy rights, with all that that entails.

As appalling as it is, the truth is the vast majority of software companies do not consider privacy rights and data minimization practices strongly enough, if at all. Most fail to implement the principles of Privacy by Design that should guide development from the start.

Whether this comes from ignorance, incompetence, greed, or malicious intent can be debated. It matters little, because the result is the same: Technologies collecting (and monetizing) a shameful amount of data from everyone.

This horrifying trend ends up facilitating and normalizing surveillance in our daily lives. It is the opposite direction of where we should be going.

The more we accept this normalized surveillance, the harder it becomes to fight back. It is critical that we firmly and loudly object to this banalized invasion of our privacy.

There are countless examples of this growing issue, but for now let's focus on three of them: Airport face scans, parking apps, and AI assistants.

Face scans in airports (and elsewhere)

Some airports and airlines around the world have started to install face scanning stations to screen travelers. This is supposedly a quick and convenient way to verify your identity when passing through airport security lines.

Facial scans and facial recognition data are biometric data. Biometric data is especially sensitive because once it's collected, there is no way for you to modify it later, ever.

Imagine having a password stolen a thousand times, yet there is no way for you to change it. This is the security system that biometric data collectors are building. When their database eventually leaks, and someone steals it to impersonate you, you cannot simply get a new face like you would generate a new password.

Moreover, facial data is the perfect tool to track you around without your consent. Systems using facial recognition are being installed in schools, sport stadiums, and other venues around the world.

Everyone should be extremely worried about sharing any biometric data with others, and should never do so simply for "convenience".

Sadly, many people do not know they might have a right to refuse.

Refusing to provide biometric data everywhere we can is crucial.

If people never refuse and simply accept surveillance without objection, we will soon lose any right we had to refuse. Without changes, this is the dystopia we are running towards.

If everyone said no instead of complying for convenience, these intrusive technologies would stop being imposed on us. We have a duty to say no when we can.

Parking apps

Parking applications might feel like a boring but necessary sacrifice. With the slow disappearance of parking meters and cash money, more parking facilities now require parking apps for registration and payment.

The problem is, these applications collect lots of sensitive information. Necessarily, they collect parking location, parking duration, license plate number, phone number, email, payment information, and often even your full legal name. This information can be shared across multiple applications and organizations (partners) to track a car's location even beyond the parking facility.

Despite how sensitive this data is, it's very likely most applications have not invested the time and effort to protect it properly. Inevitably, data breaches have already occurred.

Once this data is exposed, it can be challenging or impossible to change or delete it. People in vulnerable situations can be put in grave danger when such data becomes accessible to anyone looking for it.

Even without criminal breaches, security researcher Inti De Ceukelaire revealed in 2022 that some parking apps could allow anybody to track a car around. This is due to poor security practices which allowed anyone to register and track any car's license plate, whether it's their car or not.

Despite repeated warnings from privacy experts, parking applications remain largely under-regulated.

AI assistants and note-takers

Last but not least, AI assistant and note-taking applications have spawned in every corner of our lives for the past few years. Unfortunately, these AI applications are an absolute nightmare for data privacy.

Very few AI systems of this type provide data without also taking in data.

Most fresh AI startups simply utilize a subscription to OpenAI under the hood. This means it is likely any data you input into an AI assistant or note-taker will be shared back with OpenAI in the end. This includes any personal information you type and any photos you upload.

Some applications offer options to opt out of input sharing, but given the track record of tech companies asking for forgiveness rather than permission, can this really be trusted?

Additionally, regardless of the stated purpose for this data collection, nothing stops these companies from using it for another purpose down the road, or selling it to someone else.

AI note-taking applications that seem to be all the rage in remote meetings these days are no exception.

To provide a transcript then a summary, these applications will record the whole meeting, often including both audio and video. This data will be stored by the AI note-taking company, and maybe also shared with at least OpenAI, potentially with other third-parties as well.

This is incredibly intrusive, not to say straight out creepy.

Besides, it can even be illegal. If you use this kind of application with someone living in a region with a two-party consent law, recording without prior consent of all participants is criminal.

Even without this, any personal information collected by an AI system is still subject to the privacy regulation protecting its data subject. Nobody should take lightly the legal and moral obligations they have when using or developing such invasive technology.

Even if you don't care about sending your own personal data to these companies, you are still responsible for the data of others you input in these systems.

For organizations, using AI doesn't remove any legal obligations to comply with privacy laws. You are still responsible for any personal data collected by your usage of AI systems, even when delegating the task to OpenAI or any other subcontractor.

How to opt out?

There are multiple ways to opt out of surveillance disguised as convenience. The first thing of course is to avoid using any such technology whenever possible.

Before taking a plane, spend some time researching if your citizenship and the region you are visiting grant you opt-out rights. If it does, print this documentation and be ready to politely ask for a traditional identify verification instead of a face scan.

If you own a car, try to find a parking application that has been more thoughtful regarding security and privacy. Report any parking apps which infringe on your local privacy laws to your local Data Protection Authority or equivalent. If you go somewhere that could put you in danger if tracked — for example, because you are victim of domestic violence or stalking — consider renting a car with a different license plate, sharing a ride with a trusted friend, or parking at another location you can safely walk from.

Do NOT use any AI note-taker! This technology might seem convenient at first, but it is completely unnecessary (and also unreliable). If you use this technology carelessly without providing proper privacy notice, you could run into serious legal risks. Additionally, you risk eroding the trust of everyone communicating with you when the inevitable data breach occurs.

If someone invites you to a meeting using an AI note-taker, do not hesitate to refuse being recorded, and share your discomfort about this technology.

If you must use an AI assistant, try to find one that can run offline, and does not upload your inputs back to the company's server. When this isn't possible, make sure at least to never share any personal information with these systems. Be especially vigilant not to share any data related to other people, and especially children. This could lead to severe legal consequences for you down the road.

Why it is crucial to oppose everywhere we can

If we all do everything we can to opt out every time we can, it will become harder and harder to implement mass surveillance systems in our society.

The response provided when privacy experts raise the alarm is often to minimize concerns saying "it's only optional, and people can opt out".

But for how long will we keep the right to opt out if we never exercise this right? How many dark patterns and intimidation techniques are used to pressure people into saying yes, or to make sure they never know about their right to opt out?

Furthermore, write to your representatives about your concerns related to privacy rights and the rise of surveillance systems in our society. Discuss this with your family and your friends. Post about it on social media. Share your experience of surveillance with the press.

The more we are talking about this problem, the stronger the opposition becomes, and the more chances we have to keep our privacy rights alive.

If we do not stand firm to defend our rights, even when it's inconvenient to do, we might soon lose them.

Additional resources

The Future of Privacy: How Governments Shape Your Digital Life

Em — Thu, 25 Sep 2025 04:09:21 +0000

The Future of Privacy: How Governments Shape Your Digital Life

Photo: ev / Unsplash

Data privacy is a vast subject that encompasses so much. Some might think it is a niche focus interesting only a few. But in reality, it is a wide-ranging field influenced by intricate relationships between politics, law, technology, and much more. Further, it affects everyone in one way or another, whether they care about it or not.

I routinely read articles discussing changes in politics on the advocacy side of data privacy. Then, I read articles talking about changes in regulations on the legal side of data privacy. And then, I see all the articles and guides presenting new tools and privacy features on the tech side of data privacy. Of course, all of this is linked together.

Let's talk about how politics, law, and technological features are intertwined, all at once.

Privacy laws are always one election away from getting better, or worse

Each change in government can have a serious effect on data privacy legislation. Privacy is a politically charged field. For example, authoritarian regimes might want to remove or weaken privacy rights to exert strict control over their population. While democratic governments generally bring more freedom and protections to its citizens, including privacy rights. It's important to keep in mind who in the past has bettered citizen rights and protections, and who has actively worked to undermine civil rights.

Each time a new government takes power, its values will be put forward and influence legislation in place, or legislation not in place yet. While the Western world has benefited from some improvements in data privacy law for the past few years, we must consider these gains are fragile and protections could get removed or lessened at any time.

Unfortunately, it seems there is currently a political push towards deregulation, mass surveillance, and a focus on corporate gains. This is extremely worrisome for the future of privacy rights, human rights, and individual liberties.

Following politics and advocating for better privacy rights and legislation is essential in improving access to privacy tools and features around the world. Privacy is never politically neutral.

The tools you use might depend on government funding

Many privacy tools we use depend at least partially on government funding or on other tools which depend on government funding. This is especially true for open-source nonprofit organizations needing some (usually) more stable income, in addition to donations.

Which privacy and security tools could be impacted

One notable example of a privacy-related project receiving government funding is the Tor Project. If this source of funding were cut off, the impact on Tor could be quite detrimental, not only to the Tor Project but to all projects relying on Tor as well. Many privacy-focus software are built around the Tor network. To name only a few, whistleblowing software such as Hush Line and SecureDrop both utilize the Tor network to harden privacy. Briar, Cwtch, and SimpleX, are examples of messaging applications also using Tor to add a layer of security and privacy to communications. Tor is critical infrastructure in the world of data privacy.

Another important project receiving government funding is Let's Encrypt. Let's Encrypt is a nonprofit Certificate Authority providing TLS certificates to websites. It is run by the Internet Security Research Group (ISRG), which receives funding from the Sovereign Tech Agency, supported by the German Federal Ministry for Economic Affairs and Climate Action. The ISRG also receives funding from the Open Technology Fund (OTF), which receives the majority of its funding from the United States government, through the U.S. Agency for Global Media.

In current events, last month an executive order in the United States from the Trump administration led the National Science Foundation (NSF) to freeze grant reviews. This is currently impacting many important projects in the tech world, including the Python Software Foundation (PSF). The repercussions of this freeze could be devastating for many open-source projects, in privacy and beyond.

Government funding should support civil liberties and protections

Governments funding nonprofit projects and organizations working on improving human rights, civil liberties, and technological security and safety is a good thing. This can bring an important source of stable income to nonprofit projects that could not stay afloat solely from donations.

However, this dependency can become precarious when governments aren't working for the good of the people anymore, and when organizations rely too heavily on such support, making them vulnerable to change in power. Such a change of regime can have devastating repercussions on the privacy tools we use.

On the good side of regulatory influence, there are regulations like the General Data Protection Regulation (GDPR). Saying the GDPR revolutionized the world of data privacy would not be an overstatement. While many privacy regulations pre-date the GDPR, in the Western world none had the scope nor the grit the GDPR has.

The GDPR is a data privacy regulation that was adopted by the European Union (EU) in 2016 and became effective in May 2018. Its scope encompasses all the EU member states as well as all the countries part of the European Economic Area (EEA), which together count 30 countries to this day. The United Kingdom also uses an amended version of the GDPR post-Brexit.

However, the reach of the GDPR isn't limited to Europe. Every organization based outside the EU that is offering goods or services to, or is monitoring the behavior of, individuals located in the EU must comply as well. This means that most organizations operating worldwide, regardless of where they are located in the world, must comply with the GDPR.

As is often the case with data privacy laws, it took a few years before Data Subjects (your legal designation under the GDPR) noticed any concrete changes. One change that has become prominent in the past few years, and is likely a direct product of the GDPR, is data deletion features within apps and accounts.

An important right granted by the GDPR to Data Subjects is the Right to Erasure (or the Right to be Forgotten). Other legislation such as the California Consumer Privacy Act (CCPA) calls for a similar right, the Right to Delete. This and similar rights have existed before, but through the GDPR and its enforcement it has affected technology in a much broader and impactful way.

Slowly since 2018, applications requiring accounts have started to implement data deletion and account deletion features within the account itself. A probable reason for this is that due to the GDPR, and a now growing number of privacy regulations from various states in the United States, organizations are obligated to respond to Data Subject requests to get their personal data deleted. Managing this can be quite cumbersome for organizations. The burden of answering and implementing each data deletion request manually is often not worth the value of the data itself. Organizations with enough resources have simply added it as an internal product feature. This makes data deletion requests manageable by each Data Subject themselves (at least partially), freeing the organization from legally having to answer each individual request. When implemented properly, this is what we can call a win-win situation.

Request to delete

Unfortunately, not all applications have integrated automatic deletion features internally (yet). Additionally, some applications and accounts will allow you to delete information only partially this way.

If you wish to exercise or have questions related to your Right to Erasure or Right to Delete, first consult your local privacy regulation to check if you have this right as a Data Subject, Individual, or Consumer. Then, you can contact the organization's Privacy Officer with your request. You can usually find information about an organization's designated Privacy Officer by reading its privacy policy or privacy notice. In any case, it never hurts to ask.

Chat Control wants to break end-to-end encryption

If you are not European, please bear with me. First, everyone outside of Europe should care about what is happening in Europe, regardless. But even if you don't care, you should know this kind of mass surveillance proposition will inevitably leak west, and if adopted will affect us all globally.

What is Chat Control

In 2021, the EU approved a derogation to the ePrivacy Directive to allow communication service providers to scan all exchanged messages to detect child sexual abuse material (CSAM). Although this first derogation was not mandatory, some policymakers kept pushing with new propositions.

A year later, a new regulation (CSAR) was proposed by the European Commissioner for Home Affairs to make scanning messages for CSAM mandatory for all EU countries, and also allow them to break end-to-end encryption. In 2023, the UK passed a similar legislation called the Online Safety Act. These types of messaging mass scanning regulations have been called by critics Chat Control.

Why is Chat Control horrible for privacy, and for children

Such legislation might sound like a noble cause at first, but consider this: Scanning all messages exchanged for any reason treats everyone like a criminal, no matter what. This is not hunting criminals, this is mass surveillance. Not only is this horrifying for privacy rights, but it also endangers democracy. Once a system to mass monitor all written communications is implemented to (supposedly) stop CSAM, new topics to detect, block, and report could be added anytime, and by any future governments. There is nothing that would prevent much less reasonable topics from being added to the list to be filtered out at a later date.

Chat Control would hurt everyone, including the children. Not only would mass scanning of all messages be ineffective at reducing CSAM, but it would endanger the children even further by also scanning their communications. Because yes, children also communicate online. Parents also communicate sensitive information about their children online, with trusted family or doctors. All this data would get scanned and collected, only one breach away from being made public.

Protecting the children is a pretext regularly used to implement abusive regulations undermining individual liberties and protections. Do not get fooled by this demagogic stratagem. Chat Control is the opposite of protecting the children.

Chat Control would only lead to destroying the end-to-end encryption messaging features that are protecting us and the children so well already. Criminals exploiting children would simply move to underground channels, unbothered.

Who opposes Chat Control

Thankfully, opposition from experts and advocates alike has been strong. To name only a few, Meredith Whittaker, president of the Signal Foundation which develops the messaging app Signal, has taken a clear stand against Chat Control. The Electronic Frontier Foundation has also firmly opposed Chat Control legislation. In the UK, the Open Rights Group has led powerful campaigns to fight against the Online Safety Act. In Europe, privacy advocacy organization noyb and former Member of the European Parliament Patrick Breyer have both been fervent defenders of privacy rights raising relentless resistance to Chat Control.

Harmful policies such as Chat Control are a direct example of how politics can affect laws that can cause unimaginable damage to the privacy-preserving technologies we use every day.

Age Verification wants to collect your sensitive data

Another potent example of the protecting-the-children stratagem to undermine privacy rights is Age Verification legislation. In the past few years, this idea of controlling which online content should be accessible to children has raised new proposals around the world.

Age Verification policies generally start with the premise that some content should not be accessible to children online. Again, this could seem like a reasonable idea at first. Nobody would debate that children should be shielded from some type of content. Sadly, we have all witnessed how horrifying the internet can be at times. However, both the premise and methodology to achieve this goal are wrong.

Who will decide what content should be walled online?

First, even putting aside the fact that there is plenty of disturbing content accessible outside the internet (newspapers, television, movies, radio, advertising, etc.), who would be the deciders of which specific content can be accessed by children or not? This can be extremely problematic, to say the least.

There is no objective measure to decide on this, and what might be deemed appropriate by one might not be by another. More importantly in the context of our discussion, what one government might judge appropriate might be very different from the next or previous administration.

This is again a dangerous slippery slope opening the door wide to authoritarian policies.

Age Verification undermines privacy and security

Secondly, how can age be verified online? Of course by collecting more data, on everyone. Age Verification policies don't affect only the children, they affect everyone who wants to access content online. If a website is deemed to display content that should not be accessed by children, the only way to enforce this rule would be to ask for some form of official identity verification from all adults who want to access it.

Proponents of these regulations often refer to "age assurance processes" and suppose these processes to be undoubtedly secure. Anyone familiar with data security will understand how naive this approach is. I will not go into the details here, but you probably can already see how having each private website (or third-party processor) collect such sensitive information from each visitor is horrendous for privacy rights, and data security as well. Of course, these websites or third-party "age assurance processors" will unavoidably become a large treasure trove for thieves, and their sensitive data will be inevitably leaked or stolen sooner rather than later.

Age Verification is one of the biggest privacy threats online. Continuing in this direction could ultimately lead to the end of pseudonymous browsing. Additionally, this could also mean the end of your official ID having any value at all. After all, what unique identification value does a piece of ID keep after it has been leaked in a thousand different data breaches? Maybe even one day bought on a darknet market by a curious teenager in need of accessing some website...

Age Verification is already here, sadly

Regrettably, this is not a hypothetical scare. Age Verification legislation has already passed in Australia, in the UK, as well as in many U.S. states. It is also on the table federally in the United States, Canada, France, Norway, and Europe.

There is some tenacious opposition to Age Verification policies from digital rights and free speech advocates. Unfortunately, there is also a strong push in support of Age Verification from the rapidly growing "age assurance" and identity verification industry, and from many governments worldwide moving towards a surveillance state.

Again, government values are deciding on digital features that impact our data privacy in disastrous ways. If you want to take a stand against Age Verification, you can join the Stop Online ID Checks campaign from the nonprofit organization Fight for the Future.

The future of privacy

There's a lot to be worrying about in today's privacy landscape. Unfortunately, recent political tendencies in the Western world make it difficult to stay optimistic. The trend toward authoritarian regimes and surveillance capitalism is bad news for the future of privacy around the globe.

There is no question that privacy is intrinsically intertwined with politics, and can therefore never be politically neutral. The latest decisions taken by the new U.S. administration running full speed into deregulation and defunding, growing pressure in Europe to break end-to-end encryption in favor of a surveillance state, and invasive age verification policies to censor the web and collect even more data on every netizen is admittedly frightening.

But one thing frightens me even more than all of this. One thing that could end privacy rights, forever. This threat to privacy is never far and always looming.

This threat is giving up.

Despite all the gloom menacing privacy rights, privacy will never be dead as long as we stand up to defend it. Governments might have the power to remove our privacy rights on paper and proclaim privacy features illegal. But the people have the power to keep pushing for better privacy rights and to keep developing even more robust and more accessible privacy tools.

We must continue to advocate loudly for privacy rights and all human rights every chance we have. The fight for better privacy rights is only over when we give up.

Do not give up.

Privacy is Also Protecting the Data of Others

Em — Thu, 25 Sep 2025 04:09:21 +0000

Privacy is Also Protecting the Data of Others

Illustration: Em / Privacy Guides | Photo: J W / Unsplash

In privacy, we talk a lot about how to protect our own data, but what about our responsibility to protect the data of others?

If you care about privacy rights, you must also care for the data of the people around you. To make privacy work, we need to develop a culture that normalizes caring for everyone's data, not just our own. Privacy cannot solely be a personal responsibility, data privacy is team work.

Whatever measures and tools you use to protect your own data, you would never be able to protect it fully without the collaboration of others.

In this context, the people around you might be your family or your friends, but also includes your boss, your doctor, your therapist, your school, your government, and any other person or organization that has control over some of your data.

Conversely, you are also in control of other people's data.

Even if you are not a boss, a doctor, or a therapist yourself, you probably have some photos of your friends, a list of contact information, and copies of sensitive conversations exchanged in private messages with your family. All of this data is under your guard too.

Once you have control over someone else's data, you become its guardian.

Data protection is a communal responsibility

Now to be clear, this isn't necessarily in relationship with the law, although it can be part of it. In this context, I am referring more to ethics. Do we have a moral obligation to care for and protect others to at least the same level we wish to be protected ourselves?

As a connected society, we constantly exchange information with each other. This information is now mostly stored on digital mediums, and can be very easily duplicated and shared elsewhere. Actually, on a technical level, it's even difficult not to constantly involuntarily create duplicates of this data and send it elsewhere.

This is why we must increase our vigilance about protecting the data of others.

Considering the quantity of data that ends up in everyone's possession, data has become a communal responsibility.

We must develop a culture that normalizes data privacy

Privacy is a human right, and a good starting point to protect any human right is legislation. Legislation is undeniably an aspect of data privacy that is in constant evolution, and we can hope that privacy laws will only get better over time. Well, let's not just hope, let's also work to make sure it does.

That being said, laws simply aren't enough.

To truly improve data privacy rights, we must integrate them into our whole culture. This might sound like an over-ambitious endeavor, but culture is flexible and evolves with people's needs.

In the past few decades, our culture and customs have begun to shift against data privacy. Some of us are old enough to remember a time when everyone didn't have a camera in their pocket. At that time, it would have been considered unacceptable in most places to suddenly point a recording camera at a stranger in the street and start filming them without any explanation and without their consent.

Now this kind of disrespectful behavior is a common occurrence, because everyone has the tool to do it. Our society evolved with technological tools, but we neglected to course-correct our culture for it.

We have reached a point where we need to develop a culture of individual responsibility towards each other's data.

This means caring not just for our own data, but caring for everyone's data, whether it's the data of our friends, our family, our employees, our patients, or even complete strangers in the streets, or online.

This will take a lot of time and effort, but we owe it to the next generations to start now.

The principles we should consider in relation to privacy

Our society already has adopted or improved many ethical principles in the past decades that are intimately linked to data privacy.

Some of these principles and values have become much more prevalent in our culture recently, consent being one great example for this.

Consent in privacy is incredibly important. What one person might feel comfortable sharing publicly might be completely different from another person, for example. Privacy cannot be established on a fixed basis without considering individuality and circumstances.

Someone might be happy sharing their name on social media, and someone else might safeguard this information and only use pseudonyms. One person might feel safe sharing their home address online, yet another person could be killed for doing this.

This is why informed and explicit individual consent (with true choices) should always be the center of such decisions, for any type of personal information.

Other principles we must integrate in our culture of data privacy include empathy (my threat model isn't your threat model), trust and respect (secure this data properly if you must collect it), safety (consider someone could get severely harmed by a data breach), and individual liberties (sharing data must be a personal choice, even if there's no danger, it's still valid even if it's just a preference).

Of course, these are only a few principles indispensable to build a culture of data privacy, but since most people are already familiar with these we'll start here.

How we can start building a better culture around data privacy

So, what concrete actions can we take right now to improve our culture around data privacy? What can we do today at the individual level to start better protecting the data of others?

Here are a few practices you can adopt in your daily life to improve the data of the people around you. However, I insist you not just demand others do this for you, but do this for others too. Re-shaping our culture needs to start with ourselves:

Do not post photos of people online without their prior consent. Especially if there are children involved! Before sharing photos of others online, always ask for their consent first.

Be very careful when taking pictures during a protest. There's a lot of nuance to this because it's also important to show protests and make them known (that's usually the goal!), but in some circumstances people might be put in danger if their faces are shown online associated with certain causes.

Be mindful and make sure no one is singled out without consent in your pictures if you post them online. When possible, try to blur/block the faces of the people you couldn't ask for consent.

Blur license plates

When taking photos in the streets and posting them online, be mindful to blur license plates. This might sound extreme but imagine a situation where someone is a victim of domestic violence and their abuser sees their car parked at a shelter, or at someone's place. This information could literally get someone killed. Always keep in mind different people have different threat models.

Safeguard contact information

Never share the contact information of someone with someone else (or something else) without their prior explicit consent. This includes email addresses, phone numbers, legal names, locations, photos, and especially home addresses. This information in the wrong hands could literally get someone killed. Always ask first!

Additionally, be vigilant when importing your contact list in a new application. This could get it shared further than you intended. Ideally, always keep your contact list in an end-to-end encrypted application only.

If someone trusted you with a file (photo, music, video, PDF, text file, etc.), always ask for consent before sharing this file with someone else.

Additionally, always keep this file only locally or stored in a secure end-to-end encrypted service. If this person gives you consent to share this file, ensure that metadata has been removed from it. This person might not be aware of the metadata on this file.

Keep confidences secret

If someone trusts you enough to share something personal with you, do not betray that trust by talking about it with someone else, and especially not on unencrypted services such as Gmail or Twitter's DM. In doing so, you would expose this secret to even more unintended recipients. Respect people's trust in you. Do not share confidences.

If you have private conversations on social media, be mindful not to spread this information elsewhere. If you delete your account, be mindful to also delete the information of others you have stored in your private messages. If someone wants to share sensitive information with you, always invite them to move to an end-to-end encrypted messaging service instead.

Safeguard and delete intimate pictures you received

If someone trust you enough to send you intimate photos of themselves, take this responsibility extremely seriously. If they use an end-to-end encrypted service, do not move the photos out of there. If you do, you could inadvertently upload them to an unencrypted service and compromise the security of these pictures.

If your relationship with this person ends, you should delete all intimate pictures you have received. This is extremely important for their safety, and also possibly for yours. Things could get very problematic legally if your copies were to get accidentally leaked or stolen. No matter how difficult this might be emotionally, do the right thing and delete these pictures fully.

If you are still unconvinced about this one, maybe have a look at Ted Lasso season 3, episode 8 which has a great story demonstrating the dangers related to this.

Avoid taking screenshot of people's posts

Each time you take a screenshot of someone's post to repost it somewhere else, you are effectively removing this person's ability to delete their content later. This is horrible for privacy and for consent. Instead, use links to other people's posts. That way, if they decide later to delete their content, the link will simply not work anymore, but their right to deletion will remain intact.

Notify guests if you are using a smart speaker

If you are using a smart speaker device in your home such as Amazon's Echo (Alexa), Apple's HomePod (Siri), Google's Nest, inform your guests about it when they enter your home. These devices have the capacity to record all conversations, and there has already been instances of accidental privacy invasion reported about this. Even if you don't mind yourself, offer your guests to unplug your smart speaker while they are visiting you. The same is valid for any voice assistant on your phone.

Do not use Windows Recall (or anything similar)

If you are a Microsoft user, make sure to disable Windows Recall from your computer. If it's enabled, this application will continuously take screenshots of your computer, including the faces of anyone video-chatting with you on Signal, the email content of anyone contacting your through Tuta Mail, the secrets of anyone chatting with you on Matrix. Windows Recall completely defeats the protections of anyone using end-to-end encryption to contact you. This is a huge breach of trust! If you somehow use this feature, at least be mindful to disable it each time you communicate with others.

Don't use Meta's Ray-Ban "AI" glasses!

Don't use "smart" glasses recording people.

Just don't.

Ever.

This is extremely creepy.

Never buy nor use this.

If you encounter someone in the street wearing this, run away.

This is only a start, but together we can do this

Improving our culture around data privacy will take time and effort, but we have to start now. The best place to start is with yourself.

Remember:

"Be the change you wish to see in the world."

Be the data protector you wish to see in the world.

Your Online Life Is IRL

Em — Thu, 25 Sep 2025 04:09:21 +0000

Your Online Life Is IRL

Leon Seibert / Unsplash

If you, like myself, have been inhabiting the internet for a few decades, you're probably familiar with the old adage IRL: In Real Life.

The acronym was used a lot when the distinction between online life and offline life was much greater than it is now. In today's world, can we really keep referring to our digital life as being somehow disconnected from our "real life"?

While it's true that pseudo-anonymity online is still alive and well, most people don't hide their real identity online because it's much different from their personality offline, but generally simply as a protection.

Even when using pseudonyms, online life is still part of real life.

The proportion of time we spend on the connected world today is also far greater than it was before. We often chat with friends online, work online, communicate with our family online, play games online, assist to events online, go to school online, watch recipe videos online, and so on and so forth.

Our offline life is happening (and tracked) online too

Another thing that has changed is how much data about what we do offline ends up getting collected and stored online.

Maybe it's the places we visit during the day getting tracked by our phones and then stored by Google in our profile.

Maybe it's our smart speaker recording an intimate conversation and sending it to Amazon.

Completely outside our control, maybe it's the street cameras, cellular towers, car license readers tracking our movement outside as we go about our day.

Or even more dystopian, maybe it's our doctor using an AI note-taking app, sending a copy of our very personal in-person medical consultation to who knows which for-profit company.

Our digital lives and IRL lives are intertwined

All this data collected on what we do offline, can sometimes get aggregated together with the data collected on us online, even while using pseudo-anonymity.

The social media account where we use a pseudonym and cat profile picture to stay anonymous can get aggregated from the same IP address we used to log in another account using our legal name.

Our offline data and our online data often get connected and bundled up together. This is especially concerning with the growing practice of social media monitoring used by governments and companies.

What we do online have offline consequences

Taking this into account, there isn't a separation between our online life and offline life anymore.

What we do online affects what we do offline, and vice versa. All of our life, online and offline, is In Real Life now.

Our digital life and communications can affect our employment, our dating life, our family life, our housing situation, and even the capacity we have to visit a country or not.

The data collected on us online should be cared for even more

Because there isn't much separation anymore, we should treat all data collected about us online as sensitive data intrinsically attached to our person.

An invasion of online privacy, of our online life, becomes the same as an invasion of our home, our body, our IRL life. Not only because this data can be used to find our IRL location, identify our person, and have important repercussions offline, but also because all data about us is an essential part of who we are.

It's not just data points, it's a part of us.

Considering how the world has evolved in the past decades, and shows no sign of slowing down its greedy appropriation of every single piece of information about us, we should defend our online lives as fiercely as we would our offline lives.

We need to fight for a future anchored in human rights, and for this, we need to firmly enforce the principle that digital rights are fundamental human rights.

Ghosts in the Machine: The Fight for Privacy After Death

Peter Marsden — Tue, 16 Sep 2025 17:58:44 +0000

Ghosts in the Machine: The Fight for Privacy After Death

Photo: Panyawat Auitpol / Unsplash

In the early hours of 6 June 2020, Nicole Smallman and her sister Bibaa Henry had just finished celebrating Bibaa's birthday with friends in a park in London. Alone and in the dark, they were both fatally and repeatedly stabbed 36 times.

Guest Contributor

Please welcome Peter Marsden as a first-time guest contributor! Privacy Guides does not publish guest posts in exchange for compensation, and this tutorial was independently reviewed by our editorial team prior to publication.

But the police didn’t just fail them in life—they failed them in death too. PC Deniz Jaffer and PC Jamie Lewis, both of the Metropolitan Police, took selfies with the dead bodies of the victims, posting them on a WhatsApp group. And no privacy laws prevented them from doing so.

This horrific case is just one in the murky, often sinister realm of posthumous privacy. In the UK, Europe, and across the world, privacy protections for the dead are at best a rarity—and at worst, a deep moral and societal failing that we cannot and must not accept.

Let’s take a step back. The case of the Smallmans starkly draws attention to the denial in death of guarantees to the living.

This abrupt collapse in privacy rights leaves the deceased and their families [...] newly vulnerable, and at a time when they are already utterly broken.

As a Privacy Guides reader, you are no doubt aware that the UK and Europe have firm privacy protections in The General Data Protection Regulation (GDPR) and Article 8 of the European Convention on Human Rights (ECHR).

However, the picture elsewhere is less clear, with a challenging patchwork of laws and regional statutes being the only protection for those in the US and much of the rest of the world. And once you die? Almost universally, these protections immediately cease.

Here the problem begins. This abrupt collapse in privacy rights leaves the deceased and their families—like the Smallman family—newly vulnerable, and at a time when they are already utterly broken.

In the absence of law comes the pursuit of it, against a backdrop of flagrant privacy violations. What this pursuit means, in practical terms, is that two primary categories of posthumous privacy dominate legal debate: the medical, where the law has intervened tentatively, and the digital, where it simply hasn’t kept up.

Medical protections are tentative because of piecemeal development. Typically involving legal workarounds, they offer rare precedent for what might happen to your digital ghosts now and in the future, with the only clear trend being a reluctance to protect.

That said, the US is one country that has taken measures to protect the medical privacy of the dead. The Health Insurance Portability and Accountability Act (HIPAA) dictates that 50 years of protection must be given to your personally identifiable medical information after you die.

Except there’s a catch. State laws also apply, and state laws differ. In Colorado, Louisiana, and many others, its efficacy is severely challenged by laws dictating the mandatory release of information regarded as public—including autopsy reports and even your genetic information.

In lieu of any protections, surviving relatives in Europe have found some success claiming that their own Article 8 rights—that ECHR right to privacy—have been violated through disclosures or inspections related to their deceased.

In one case, Leyla Polat, an Austrian national, suffered the awful death of her son just two days after birth following a cerebral hemorrhage. The family refused a postmortem examination, wanting to bury their child in accordance with Muslim beliefs; but doctors insisted it take place, covertly removing his internal organs and filling the hollows with cotton wool.

When this was discovered during the funeral rites, the boy had to be buried elsewhere, and without ceremony. After several court cases and appeals, The European Court of Human Rights found that Leyla’s Article 8 and 9 rights had been violated.

As an aside: Stalin’s grandson tried the same Article 8 route in relation to reputational attacks on his grandfather, reflecting attempts to apply the workaround more widely.

It’s not that there hasn’t been some progress. The fundamental problem is that protections—already sparse—are only as good as their material and geographic scopes, their interactions with other laws, and how they are interpreted in a court.

Nowhere is this more apparent than in the case of the Smallman sisters. Judge Mark Lucraft KC found that PCs Jaffer and Lewis, in taking selfies with the murdered victims, had:

“…wholly disregarded the privacy of the two victims of horrific violence and their families for what can only have been some cheap thrill, kudos, a kick or some form of bragging right by taking images and then passing them to others.”

Yet this acknowledgement of privacy violation is precisely just that. The crime the officers committed was misconduct in public office; they were not convicted on the basis of privacy law. That sense of progress—that we might be beginning to recognize the importance of posthumous privacy—has all but gone out of the window.

That does not leave your digital privacy in a good place. Whatever little protection you may be able to tease out for our medical privacy far, far exceeds the control you have over your virtual ghosts. And with AI just about everywhere, the prospects for your data after death are terrifying.

Account deleted or not, our ghosts will all be stuck in the machine.

We’ve already established that data protections for the living—such as GDPR—expire at death. The simple reality is that dying places your data at the mercy of large technology corporations, and their dubious afterlife tools.

Even if you trust such tools to dispose of or act on our data, there is a disconnect between demand and take-up. A study of UK nationals found a majority that wanted their data deleted at death were unaware of the tools, with large tech companies unwilling to share any details on their uptake. Reassuring stuff.

But the reality is, you shouldn’t. You’ll recall that deletion doesn’t usually mean deletion, and after death even GDPR can’t force big tech to delete the data of those lucky enough to have benefited from it. Account deleted or not, our ghosts will all be stuck in the machine.

Recent reports have acknowledged dire possibilities. Almost worldwide, you can legally train AI models on the data of a deceased person and recreate them in digital form—all without their prior consent. Organizations exist purely to scour your social media profiles and activity for this exact purpose. Your ghost could be used to generate engagement against your will, disclosing what you tried to hide.

You may ask: why should the law care? Why indeed, when it deems we cannot be harmed after death. To argue thus is to miss the point. A lack of privacy after death harms the living, often in ways others cannot see.

The effect of postmortem anxiety is a real one that deeply troubles individuals wishing to keep a part of them hidden from public—or even family—view, whether it be it an illicit affair or whatever else. Revelation at the point of death can be just as harmful to those still alive.

There is cause for optimism. Article 85 of the French Data Protection Act allows you to include legally enforceable demands concerning your personal data in your will. This is truly a landmark piece of legislation by the French that indicates what the global direction of travel should be, and what we should ultimately demand: protections for the dead, by the dead.

But even more urgently, we must demand that governments across the world introduce even the most basic legal framework for postmortem privacy that protects you, your family, and community from egregious harm.

The Smallmans deserved dignity, and so does everyone else in death. The law must catch up.

This article hasn’t even begun to scratch the surface of the complexity of postmortem privacy, and there are innumerable relevant cases and laws that simply wouldn’t fit. If the topic has caught your interest, and you’d like to dig in more, this white paper by Uta Kohl is a good starting point.

Privacy-Respecting European Tech Alternatives

Jonah Aragon — Mon, 15 Sep 2025 17:25:27 +0000

Privacy-Respecting European Tech Alternatives

Illustration: Jonah Aragon / Privacy Guides

There is a growing sentiment that the US shouldn't be relied upon for the technologies that many people and businesses use every day. Lately, the US has been unilaterally cutting off access to critical technologies to European countries, prompting calls for "radical action" to bolster European tech stacks from EU lawmakers.

At Privacy Guides, we generally value technical guarantees over matters like jurisdiction. There is simply no alternative to privacy technologies like strong end-to-end encryption when it comes to protecting your information.

That being said, the United States certainly does not have a monopoly on the best technologies, and many of our favorite recommended tools come from Europe and all over the world. Tools from the European Union also generally benefit from much stronger data protection laws, thanks to the EU's General Data Protection Regulation (GDPR).

If supporting the European tech industry is something that is important to you, here's a non-exhaustive list of some of our favorites. We have many more recommendations throughout our website if you are interested in learning more about privacy-respecting tech alternatives!

Email Services

Many people and businesses are tied to Google's Gmail or Microsoft's Outlook products, but there are far more secure and private alternative email providers out there!

Tuta

Based in Hanover, Germany, Tuta is an email service with a focus on security and privacy through the use of encryption. Tuta has been in operation since 2011.

Free accounts start with 1 GB of storage.

More Info

Proton Mail

Based in Geneva, Switzerland, Proton Mail is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013.

The Proton Mail Free plan comes with 500 MB of Mail storage, which you can increase up to 1 GB for free.

More Info

Office Suites

Of course, email isn't the only thing offered by solutions like Google Workspace and Microsoft 365. Many people use their entire suite of productivity tools to manage their businesses and collaborate with others.

Luckily, there are plenty of alternatives that incorporate strong encryption and can even be self-hosted, which will not only decrease your reliance on the traditional Big Tech companies, but keep your data far more secure as well.

CryptPad

Developed and hosted by XWiki in Paris, France, CryptPad is a complete online office suite with applications including Documents, Rich Text, Spreadsheets, Code/Markdown, Kanban, Slides, Whiteboard and Forms.

CryptPad is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily.

More Info

We recently did a full review of CryptPad, which you should definitely check out if you might be interested in switching!

Nextcloud

Nextcloud comes from German startup Nextcloud GmbH, and offers a complete cloud drive alternative to Google Drive or OneDrive.

Nextcloud is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control.

More Info

LibreOffice

LibreOffice is developed by The Document Foundation based in Berlin, Germany. It's a free and open-source office suite with extensive functionality.

Web-based editors aren't for everyone. If you need a full-fledged office suite that runs locally on your computer, LibreOffice is a fantastic alternative to Microsoft Office.

More Info

Search Engines

One of the most frequently used tools on the internet is the venerable search engine. Switching from Google to an alternative is one of the biggest impact approaches to improving your privacy that you can make.

Startpage

Headquartered and developed in the Netherlands, Startpage is one great alternative to Google you could consider:

Startpage is a private search engine. One of Startpage's unique features is the Anonymous View, which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding some network and browser properties. However, unlike the name suggests, the feature should not be relied upon for total anonymity.

Homepage

It is worth noting that since 2020, Startpage has been a subsidiary of American company System1. Their operations and employees remain in the Netherlands, and you can choose to utilize only European servers if you wish.

Web Browsers

Web browsers are historically very tricky to build, and the three major browser engines, Chromium, Gecko (Firefox), and WebKit (Safari) are all primarily developed by American companies. This is a space that could certainly use improvement.

Mullvad Browser

One of our recommended browsers is spearheaded by Swedish VPN company Mullvad, although it's worth noting that its development is somewhat reliant on American non-profits Mozilla and the Tor Project, being a Tor Browser fork.

Mullvad Browser is a version of Tor Browser with Tor network integrations removed. It aims to provide to VPN users Tor Browser's anti-fingerprinting browser technologies, which are key protections against mass surveillance programs. It is developed by the Tor Project and distributed by Mullvad, although it does not require the use of Mullvad's VPN.

More Info

Mapping and location apps like Google Maps can track your every move, and that data is used by tech companies for a wide variety of purposes, including for military and defense. The best mapping apps for your privacy can be used completely offline:

Organic Maps

Based in Estonia, Organic Maps is an open source, community-developed map display and satnav-style navigation app for walkers, drivers, and cyclists. The app offers worldwide offline maps based on OpenStreetMap data, and navigation with privacy — no location tracking, no data collection, and no ads. The app can be used completely offline.

More Info

OsmAnd

Based in the Netherlands, OsmAnd is an offline map and navigation application based on OpenStreetMap, offering turn-by-turn navigation for walking, cycling, driving, as well as public transport. It is open-source and does not collect any user data.

More Info

Password Managers

KeePassXC

KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal of extending and improving it with new features and bug fixes to provide a feature-rich, cross-platform, and modern open-source password manager.

More Info

We recently published an article on securely using KeePassXC with a YubiKey!

Proton Pass

Proton Pass is an open-source, end-to-end encrypted password manager developed by the Swiss company Proton AG, the team behind Proton Mail. It securely stores your login credentials, generates unique email aliases, and supports and stores passkeys.

More Info

Instant Messengers

Switching off of WhatsApp, Facebook Messenger, or iMessage in favor of a more private instant messenger is an excellent way to safeguard your chats.

Element

Element is based in the United Kingdom, which is of course no longer in the European Union. However, it is a trusted messaging platform by the French government, and the German military, among many other organizations in Europe and around the world looking for sovereignty from Big Tech messaging platforms like Slack and Google Messages.

Element is the flagship client for the Matrix protocol, an open standard for secure decentralized real-time communication.

Messages and files shared in private rooms (those which require an invite) are by default E2EE, as are one-to-one voice and video calls.

More Info

SimpleX

Another open-source option from the United Kingdom, SimpleX chat has very strong security features, and can be entirely self-hosted anywhere in the world if you prefer the assurances a custom server can bring.

SimpleX Chat is an instant messenger that doesn't depend on any unique identifiers such as phone numbers or usernames. Its decentralized network makes SimpleX Chat an effective tool against censorship.

More Info

Briar

Briar is an open source project not legally incorporated in any jurisdiction, although it has received funding from European initiatives like NGI and the NLnet Foundation, and includes many Europeans in their voluntary board and team.

Briar is an encrypted instant messenger that connects to other clients using the Tor Network, making it an effective tool at circumventing censorship. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem.

More Info

More Services...

Looking for more? Here's a short (and non-exhaustive) list of other recommendations of ours which are based in Europe:

VPN Services: Mullvad and Proton VPN
DNS Providers: dns0.eu, Mullvad DNS, and Quad9
Calendars: Tuta and Proton Calendar
Notes Apps: Joplin and Crypt.ee
Pastebins: PrivateBin
Linux Distros: openSUSE

If you're in Europe and looking to build or host your own European technology, there are also plenty of alternatives to the typical American IT providers. Topics like cloud computing platforms, web analytics services, and content delivery networks are currently out of scope for what we cover here at Privacy Guides, but European Alternatives is one great resource for finding more services like these.

At the end of the day, we trust all of our recommended privacy tools to keep you safe from prying eyes, but there are many valid reasons you may prefer to stick to the European market.

Chat Control Must Be Stopped, Act Now!

Em — Mon, 15 Sep 2025 16:30:00 +0000

Chat Control Must Be Stopped, Act Now!

Illustration: Em / Privacy Guides | Photo: Ramaz Bluashvili / Pexels

If you've heard of Chat Control already, bad news: it's back. If you haven't, this is a pressing issue you should urgently learn more about if you value privacy, democracy, and human rights. This is happening right now, and we must act to stop it right now.

Take a minute to visualize this: Every morning you wake up with a police officer entering your home to inspect it, and staying with you all day long.

The agent checks your bathroom, your medicine cabinet, your bedroom, your closets, your drawers, your fridge, and takes photos and notes to document everything. Then, this report is uploaded to the police's cloud. It's "for a good cause" you know, it's to make sure you aren't hiding any child sexual abuse material under your bed.

Every morning. Even if you're naked in bed. Even while you're having a call with your doctor or your lover. Even when you're on a date. Even while you're working and discussing your client's confidential information with their attorney. This police officer is there, listening to you and reporting on everything you do.

This is the in-person equivalent of Chat Control, a piece of legislation that would mandate all services to scan all private digital communications of everyone residing in the European Union.

This is an Orwellian nightmare.

Act now!

This is happening right now. European governments will be finalizing their positions on the regulation proposal on September 12th, and there will be a final vote on October 14th, 2025.

Important: If you are reading this article after September 12th

Regardless of the outcome on September 12th, the fight isn't over. The next deadline will be the final vote on October 14th, 2025.

If you've missed September 12th, make sure to contact your representatives right now to tell them to oppose Chat Control on October 14th.

If you are not located in Europe: Keep reading, this will affect you too.
If you are still unconvinced: Keep reading, we discuss Chat Control in more details below.
If you are located in Europe: You must act now to stop it.

How to stop this? Contact your MEPs today

Use this website to easily contact your government representatives, and tell them they should oppose Chat Control. Even if your country already opposes Chat Control, contact your representatives to tell them you are relieved they oppose, and support them in this decision to protect human rights. This will help reinforce their position.

But if your country supports Chat Control, or is undecided, it is vital that you contact your representatives as soon as possible. To support your point, you can share this article with them or one of the many great resources listed at the end.

At the time of this writing, the list of countries to contact is:

Supporting (15)		Undecided (6)
Bulgaria	Latvia	Estonia
Croatia	Lithuania	Germany
Cyprus	Malta	Greece
Denmark	Portugal	Luxembourg
France	Slovakia	Romania
Hungary	Spain	Slovenia
Ireland	Sweden
Italy

Image: Patrick Breyer / chatcontrol.eu

What is Chat Control?

"Chat Control" refers to a series of legislative proposals that would make it mandatory for all service providers (text messaging, email, social media, cloud storage, hosting services, etc.) to scan all communications and all files (including end-to-end encrypted ones), in order to supposedly detect whatever the government deems "abusive material."

The push for Chat Control started in 2021 with the approval of a derogation to the ePrivacy Directive by the European Parliament. This derogation escalated to a second proposal for mandatory scanning a year later, which was rejected in 2023. Nevertheless, lawmakers and lobbyists determined to undermine our safety and civil liberties are bringing it back again two years later, literally trying to wear you down.

We cannot let authoritarians wear us down until we lose all our privacy rights. Our privacy rights are fundamental to so many other human rights, to civil liberties, to public safety, and to functioning democracies.

Chat Control undermines all of this.

Cryptography professor and cybersecurity expert Matthew Green described the 2022 proposal document for Chat Control as "the most terrifying thing I've ever seen".

And terrifying, it is.

The most recent proposal for Chat Control comes from the EU Council Danish presidency pushing for regulation misleadingly called the Child Sexual Abuse Regulation (CSAR). Despite its seemingly caring name, this regulation will not help fight child abuse, and will even likely worsen it, impacting negatively what is already being done to fight child abuse (more on this in the next section).

The CSAR proposal (which is the latest iteration of Chat Control) could be implemented as early as next month, if we do not stop it.

The problem is this: Chat Control will not work, it is unreliable, it will escalate in scope, and it will endanger everyone (including the children).

Even if you are not in Europe, know that Chat Control will affect everyone inside and outside of Europe one way or another. Regardless of where you are, you should be concerned and pay attention, and there are things you can do to fight back. This is important.

Still image from video: Stop Scanning Me / EDRi

Why is this bad?

The idea that it's possible to somehow magically protect information properly while giving access to unquestionably well-intended law enforcement comes from either extreme naivety, lack of information, and plain dishonesty.

This proposal would effectively break any end-to-end encryption protections, and potentially expose all your files and communications to not only law enforcement, but eventually also to criminals of all sorts (with the data breaches, data leaks, and corruption that will inevitably follow).

Here's a summary of some dangers this regulation would create if approved:

Breaking end-to-end encryption: Removing crucial protections for all sensitive files and communications of vulnerable populations, victims, whistleblowers, journalists, activists, and everyone else.
Mission creep: Once this mass surveillance system is in place, authorities can decide to add more criteria such as searching all communications for references to drug use, protest attendances, political dissidence, or even negative comments about a leader. Europol (the EU law enforcement agency) has already called for expanding the program.

Image: Lorna Schütte / chatcontrol.eu

Criminal attacks: Each time a backdoor exists, it doesn't take long for criminals to find access and steal our information. This could include criminals finding access to each service independently or to the entire database authorities would keep. A database that would be filled with material tagged as sexually explicit text or photos of children. This could even create new Child Sexual Abuse Material (CSAM) for criminals. For example, consenting teenagers innocently sexting together could have their photos collected in this database, after being wrongly flagged by the automated system. Then, criminals could steal their intimate photos from the governments.
False positives: With a mass surveillance system this large, moreover a system with no transparency and little oversight, false positives are inevitable. Despite marketing promises from the organizations lobbying government officials, we all know AI technologies regularly misfire and cannot be reliable for anything of such importance. Loving parents could get flagged as pedophiles just for innocently uploading a photo of their child in the bathtub on their private cloud. Teenagers exploring their sexuality consensually with each other could get tagged as sexual predators (a label that might stick on them decades later). The police could receive reports for breastfeeding mothers. The list is infinite.

Image: Lorna Schütte / chatcontrol.eu

Overwhelming resources: The inevitable false positives will completely overwhelm the agencies responsible for investigating flagged material. This will cost them precious time they will not have to investigate actual abuse cases. Organizations fighting child sexual abuse are already overwhelmed and lack resources to prosecute real criminals.
Hurting victims: Such system of mass surveillance could prevent victims of child sexual abuse (and other crimes) to reach out for help. Knowing that all their communications would be scanned, they would lose all confidentiality while reporting crimes. The evidences they share could even be tagged by Chat Control, as if they were the perpetrator rather than the victim. Sadly, many will likely decide it's safer not to report at all.
Self-censorship: With Chat Control in place, not only victims might censor themselves and stop reaching out for help, but everyone else as well. When people know they are being observed, they feel less free to be themselves and to share openly. This is doubly true for anyone who is part of a marginalized group, such as LGBTQ+ people, or anyone who is being victimized or at risk of victimization.

Image: Lorna Schütte / chatcontrol.eu

Undermining democracy: This surveillance system would allow governments to spy on opposition. Chat logs from opposing candidates, activists, and journalists could all be accessed by authorities in order to silence opponents or blackmail candidates. Even if you trust your government to not do this now, this doesn't mean it could not be used in this way by the next government. We have all seen how fast the political landscape can change.
Violating the GDPR (and other laws): The General Data Protection Regulation (GDPR) offers wonderful protections to Europeans. Sadly, Chat Control would make a complete farce of it. The Right to Erasure (right to delete) could be reduced to ashes by Chat Control, including for any highly sensitive information wrongly caught in the CSAR net. Moreover, it would violate Article 7 and Article 8 of the EU Charter of Fundamental Rights.

Protecting the children is only the excuse used in hope of convincing a misinformed public. Chat Control is authoritarian mass surveillance.

Authorities understand well how important protecting communication and information is. This is why they included an exemption to protect their own communications, but not yours.

Would this protect the children?

No.

This cannot be stressed enough: This regulation would not protect the children, it would harm the children, and everyone else too, worldwide. Claiming otherwise is either naivety, or misinformation.

Last year, the civil and human rights association European Digital Rights (EDRi) put together a joint statement from 48 organizations for children's protection, digital rights, and human rights, demanding that the European Parliament invest instead in proven strategies to fight child abuse. This appeal to reason does not seem to have been heard by most EU Member States.

There are many things we can do as a society to increase protections for children and fight abusers and criminals, but Chat Control is far from it all. Protection of the children is clearly only an excuse here, and a very misleading one.

Image: Stop Scanning Me / EDRi

Mislabelling children as criminals

First, this automated system is flawed in many ways, and the false-positive rate would likely be high. But let's imagine that, magically, the system could flag CSAM at an accuracy rate of 99%. This still means 1% of reports would be false. Expanded to the size of European Union's population of approximately 450 million people, exchanging likely billions of messages and files every day, this still means millions could be falsely tagged as sexual predators, with all the consequences this implies.

Worse, the Swiss federal police reported that currently about 80% of all automated reports received were false-positives. This means in reality, the error rate is likely far higher than 1%, and actually closer to an 80% error rate. Of the approximate 20% of positive reports, in Germany, over 40% of investigations initiated targeted children themselves.

Sometimes, flagged content is simply teenagers innocently sexting each other consensually. Not only would they be wrongly tagged as criminals under Chat Control, but they'd be triggering an investigation that would expose their intimate photos to some faceless officers or tech employees working on the system.

Even in a magical world where Chat Control AI is 99% accurate, it would still wrongly tag and expose sensitive data from millions of children. In reality, no AI system is even remotely close to this accuracy level, and proprietary algorithms are usually opaque black boxes impossible to audit transparently. The number of children Chat Control would harm, and likely traumatize for life, would be disastrous.

Exposing children's sensitive and sexual information

Any content that could be deemed suspicious or explicit by the system, accurately or not, would be flagged and reported.

When this content is reported, it will likely be uploaded to a database for human review. This means that if a teenager was sending an intimate photo of themselves to another consenting teenager, they could be flagged as sharing CSAM, even if it's their own photo. Then, their photo would be sent to the police for review. Information that should very much have stayed protected and private between these two teenagers is now exposed to strangers. This is wrong, and dangerous.

Even innocuous communications such as daily conversations, teenagers chatting with each other, parents reporting information about their child to a doctor, and therapists talking with their patients, could all inadvertently expose children sensitive information. This is information that should have remained private, and would now be uploaded to a police database, likely stored there forever with few recourses to remove it.

The more we collect sensitive information about children (photos, faces, locations, identifications, medical information, private chats, experiences, etc.), the more we risk exposing children to harm. This includes systems used by authorities and governments. Even if everyone with legitimate access to this data is miraculously 100% exemplary and incorruptible citizens, the databases and scanning systems will still be vulnerable to attacks from criminals and hostile governments alike.

The only way to protect children's information properly is to 1) not collect it, and 2) use end-to-end encryption to protect it when we cannot avoid collecting it. Spying on everyone and every child is the opposite of that.

Authorities' databases will be attacked

It's impossible to perfectly secure information online. There is a lot we can do to improve security (much more than is done now), but data breaches will happen.

If governments mandate a backdoor to have access to all our online communication and stored files, it's inevitable that at least some criminals will eventually get access to it as well. This is even truer if this system is closed-source, privatized, and isn't subjected to frequent independent audits with strong accountability.

Once a vulnerability is found by criminals, they will have the same access as authorities have to our data. With Chat Control, this means pretty much all our data.

In addition, Chat Control could facilitate the proliferation of even more spyware and stalkerware on the market, thriving on the vulnerabilities found in the powerful system. This would allow anyone to purchase access to spy on anyone, including databases of identified children. It could give a direct backdoor-access to pedophiles. How could this be helping to protect the children?

The danger is inside

Even if the idea of online strangers accessing children's sensitive data is terrifying, the worse danger in often much closer.

Sadly, we already know that the vast majority of child sexual abuse is perpetrated by adults close to the child, not strangers, and that two-thirds of CSAM images appear to have been produced at home. Chat Control would do nothing to fight this. In fact, it could facilitate it.

Child abuse is an incredibly important topic to discuss and to fight against as a society. Utilizing this issue as an excuse to pass a surveillance law that would endanger everyone, including the victims, is despicable.

When children are living with the abuser, the only escape is outside the home, and sometimes this means online. Abusers often use spying technologies to control and restrict access to help for their victims. If we make mass surveillance mandatory and normalized, this risks aggravating the stalkerware problem by obligating providers to implement backdoors in their systems. We would effectively be helping abusers at home to restrict access to help for their victims, including victims of CSAM. This is completely unacceptable.

How to actually help the children

Despite the politicization of this issue to manipulate the public opinion in accepting mass surveillance, there are actually proven solutions to help to protect the children, online and offline.

First, governments should listen to organizations already doing the work. Most are understaffed and under-resourced to properly support the victims and prosecute the criminals. Thousands of more reports every day would not help them do any effective work. More capacity to conduct targeted investigation and arrest criminals, and more capacity to create safe spaces to support the victims and witnesses will help.

Privacy should be the default, for everyone.

If all our services were using end-to-end encryption when possible, and implemented proper security and privacy features and practices, this would effectively help to protect the children as well. Abusers and criminals are looking for leaked and stolen data all the time. When a cloud photo storage gets hacked, your photos are up for grabs online, including the photos of your children. When parents upload photos of their children and their address online, and this data gets exposed (leaked, breached, AI-scraped, etc.), this data then becomes accessible to criminals.

Better privacy protections also means better protections for the children.

Children themselves should receive better education on how their data is used online and how to protect it. Additionally, it is vital to provide better education on what behaviors aren't normal coming from an adult, and how to reach out for help when it happens. Children should have access to safe and confidential resources to report abuse, whether it's happening outside or inside their home.

Parents should be careful when sharing information about their children. And when they have to, they should benefit from complete confidentiality, knowing their communication is fully end-to-end encrypted and not shared with anyone else.

There is so much we can do to help to protect better the children online, surveillance is the opposite of it all.

How would this affect me?

If this regulation is approved on October 14th, 2025 (the date for the final vote), the consequences would be devastating for everyone, even outside the European Union.

We have seen how platforms implemented better privacy practices and features after the GDPR became effective in 2018, features that often benefited people worldwide. This could have the same effect in reverse.

Every platform potentially handling data of people located in the EU would be subjected to the law. Platforms would be obligated to scan all communications and all files of (at least) data subjects located in the EU, even data currently protected with end-to-end encryption. This would affect popular apps and services like Signal, Tuta, Proton, WhatsApp, Telegram, and much more.

Outside of Europe

This would not only affect Europeans' data, but also the data of anyone outside communicating with someone located in the European Union. Because end-to-end encryption can only work if both ends are protected.

If Chat Control gets approved and applied, it will become very difficult to communicate with anyone located in the EU while keeping strong protections for your data. Many people might just accept the surveillance passively, and as a result lose their rights, their protections, and compromise their democratic processes. Overtime, this will likely lead to a slippery slope towards dystopian authoritarianism.

Outside of Europe, you could expect to see services removing some privacy-protective features, downgrading encryption, blocking European countries that are subjected to the law, or moving outside of Europe entirely. If localization-based scanning is too complicated to handle for an application, some companies might just decide it's simpler to scan communications for all users, worldwide.

Additionally, Five Eyes countries (Australia, Canada, New Zealand, the United Kingdom, and the United States) have already expressed support for Chat Control, and might be keen to try the same at home, if this gets approved and tested in Europe first.

Inside of Europe

Without using tools that would be now deemed illegal, you would lose any protections currently granted by end-to-end encryption. It would become impossible for you to send an email, a text message, or a photo without being observed by your government, and potentially also by criminals and foreign governments, following the inevitable data breaches.

You would have to constantly self-censor to avoid triggering the system and getting reported to the authorities. At first, you would probably just have to stop sending nudes, sexting, or sending photos of naked children in the bathtub or playing at the beach. Then, this would escalate to never mentioning drug or anything that could sound like drug, even as a joke. Later, you might have to stop texting about going to a protest, and stop organizing protests online. Further down the line, you might even have to self-censor to make sure you are not saying anything negative about a leader, or a foreign politician even. This isn't that hypothetical, this sort of oppressive surveillance already exists in some countries.

Many services you currently rely on right now would simply shut down, or move away from Europe entirely. Businesses might also move outside of Europe if they worry about protecting their proprietary information. This could cause massive layoffs, while organizations move to jurisdictions where they are allowed to keep their data protected and unobserved.

Finally, even if this doesn't affect you personally, or you don't believe it will, this isn't just about you.

The data of vulnerable people would be exposed and their safety put at risk. Victims might decide to stop reaching out for help or reporting crimes. Sources requiring anonymity might decide the risk isn't worth reporting valuable information to journalists. Opponents of governments in power could be silenced. Every democracy in the European Union would suffer greatly from it.

Chat Control is completely antithetical to the values the European Union has been presenting to the world in recent years.

Image: Stop Scanning Me / EDRi

What can I do about it?

Even if the landscape seems dismal, the battle isn't over. There are many things you can do, right now, to fight against this authoritarian dystopia.

For Europeans, specifically

Contact your country representatives TODAY. The group Fight Chat Control has put together an easy tool making this quick with only a few clicks.
After September 12th, the battle isn't over. Although governments will finalize their positions on that day, the final vote happens on October 14th, 2025. If you missed the September 12th deadline, keep contacting your representatives anyway.
Tell your family and friends to contact their representatives as well, talk about it, make noise.

For Everyone, including Europeans

Talk about Chat Control on social media often, especially this month. Make noise online. Use the hashtags #ChatControl and #StopScanningMe to help others learn more about the opposition movement.
Share informative videos and memes about Chat Control. Spread the word in various forms.
Contact your European friends in impacted countries and tell them to contact their representatives NOW.
Even outside the EU, you can contact your own representatives as well, to let them know regulations like Chat Control are horrible for human rights, and you hope your country will never fall for such repressive laws. Tell your political representatives that privacy rights are important to you. Your voice matters.

We need your help to fight this. For democracy, for privacy, and for all other human rights, we cannot afford to lose this battle.

Screenshot: fightchatcontrol.eu

Resources to learn more, and fight for human rights

Videos about Chat Control

Memes about Chat Control

Websites with more information

Update (9/15): Added modifications related to the second important deadline for action, on October 14th.

Update (9/8): Added clarification about what Chat Control is for readers unfamiliar with it.

“We [Don't] Care About Your Privacy”

Em — Wed, 03 Sep 2025 20:41:37 +0000

“We [Don't] Care About Your Privacy”

Illustration: Em / Privacy Guides | Photo: Lilartsy / Unsplash

They all claim "Your privacy is important to us." How can we know if that's true? With privacy washing being normalized by big tech and startups alike, it becomes increasingly difficult to evaluate who we can trust with our personal data. Fortunately, there are red (and green) flags we can look for to help us.

If you haven't heard this term before, privacy washing is the practice of misleadingly, or fraudulently, presenting a product, service, or organization as being trustworthy for data privacy, when in fact it isn't.

Privacy washing isn't a new trend, but it has become more prominent in recent years, as a strategy to gain trust from progressively more suspicious prospect customers. Unless politicians and regulators start getting much more serious and severe about protecting our privacy rights, this trend is likely to only get worse.

In this article, we will examine common indicators of privacy washing, and the "red" and "green" flags we should look for to make better-informed decisions and avoid deception.

Spotting the red flags

Marketing claims can be separated from facts by an abysmally large pit of lies

It's important to keep in mind that it's not the most visible product that's necessarily the best. More visibility only means more marketing. Marketing claims can be separated from facts by an abysmally large pit of lies.

Being able to distinguish between facts and marketing lies is an important skill to develop, doubly so on the internet. After all, it's difficult to find a single surface of the internet that isn't covered with ads, whether in plain sight or lurking in the shadows, disguised as innocent comments and enthusiastic reviews.

So what can we do about it?

There are some signs that should be considered when evaluating a product to determine its trustworthiness. It's unfair this burden falls on us, but sadly, until we get better regulations and institutions to protect us, we will have to protect ourselves.

It's also important to remember that evaluating trustworthiness isn't binary, and isn't permanent. There is always at least some risk, no matter how low, and trust should always be revoked when new information justifies it.

Examine flags collectively, and in context

It's important to note that each red flag isn't necessarily a sign of untrustworthiness on its own (and the same is true for green flags, in reverse). But the more red flags you spot, the more suspicious you should get.

Taken into account together, these warning signs can help us estimate when it's probably reasonably safe to trust (low risk), when we should revoke our trust, or when we should refrain from trusting a product or organization entirely (high risk).

Conflict of interest

Conflict of interest is one of the biggest red flag to look for. It comes in many shapes: Sponsorships, affiliate links, parent companies, donations, employments, personal relationships, and so on and so forth.

Content sponsorships and affiliate links

Online influencers and educators regularly receive offers to "monetize their audience with ease" if they accept to overtly or subtly advertise products within their content. If this isn't explicitly presented as advertising, then there is obviously a strong conflict of interest. The same is true for affiliate links, where creators receive a sum of money each time a visitor clicks on a link or purchase a product from this link.

It's understandable that content creators are seeking sources of revenue to continue doing their work. This isn't an easy job. But a trustworthy content creator should always disclose any potential conflicts of interest related to their content, and present paid advertising explicitly as paid advertising.

What to do?

Before trusting content online, try to examine what the sources of revenue are for this content. Look for affiliate links and sponsorships, and try to evaluate if what you find might have influenced the impartiality of the content.

Parent companies

This one is harder to examine, but is extremely important. In today's corporate landscape, it's not rare to find conglomerates of corporations with a trail of ownership so long it's sometimes impossible to find the head. Nevertheless, investigating which company owns which is fundamental to detect conflicts of interest.

For example, the corporation Kape Technologies is the owner of both VPN providers (ExpressVPN, CyberGhost, Private Internet Access, and Zenmate) and websites publishing VPN reviews. Suspiciously, their own VPN providers always get ranked at the top on their own review websites. Even if there were no explicit directive for the websites to do this, which review publisher would dare to rank negatively a product owned by its parent company, the one keeping them alive? This is a direct and obvious conflict of interest.

What to do?

Look at the Terms of Service and Privacy Policy (or Privacy Notice) for declarations related to a parent company. This is often stated there. You can also examine an organization's About page, Wikipedia page, or even the official government corporate registries to find out if anyone else owns an organization.

Donations, event sponsorships, and other revenues

When money is involved, there is always a potential for conflict of interest. If an organization receives a substantial donation, grant, or loan from another, it will be difficult to remain impartial about it. Few would dare to talk negatively about a large donor.

This isn't necessarily a red flag in every situation of course. For example, a receiving organization could be in a position where the donor's values are aligned, or where impartiality isn't required. Nevertheless, it's something important to consider.

In 2016, developer and activist Aral Balkan wrote about how he refused an invitation to speak at a panel on Surveillance Capitalism at the Computers, Privacy, & Data Protection Conference (CPDP). The conference had accepted sponsorship from an organization completely antithetical to its stated values: Palantir.

Balkan wrote: "The sponsorship of privacy and human rights conferences by corporations that erode our privacy and human rights is a clear conflict of interests that we must challenge."

How could one claim to defend privacy rights while receiving money from organizations thriving on destroying them?

This is a great example of how sponsors can severely compromise not only the impartiality of an organization, but also its credibility and its values. How could the talks being put forward at such a conference be selected without bias? How could one claim to defend privacy rights while receiving money from organizations thriving on destroying them?

It's worth nothing that this year's CPDP 2025 sponsors included Google, Microsoft, TikTok, and Uber.

What to do?

Examine who sponsors events and who donates to organizations. Try to evaluate if an organization or event received money from sources that could be in contradiction with its values. Does this compromise its credibility? If a sponsor or donor has conflicting values, what benefit would there be for the sponsor supporting this event or organization?

Employment and relationships

Finally, another important type of conflicts of interest to keep in mind are the relationships between the individuals producing the content and the companies or products they are reporting on.

For example, if a content creator is working or previously worked for an organization, and the content requires impartiality, this is a potential conflict of interest that should be openly disclosed.

The same can be true if this person is in a professional or personal relationship with people involved with the product. This can be difficult to detect of course, and is not categorically a sign of bias, but it's worth paying attention to it in our evaluations.

What to do?

Look for disclaimers related to conflict of interest. Research the history of an organization to gain a better understanding of the people involved. Wikipedia can be a valuable resource for this.

Checkbox compliance and copy-paste policies

Regrettably, many organizations have no intention whatsoever to genuinely implement privacy-respectful practices, and are simply trying to get rid of these "pesky privacy regulation requirements" as cheaply and quickly as possible.

They treat privacy law compliance like an annoying list of annoying tasks. They think they can complete this list doing the bare cosmetic minimum, so that it will all look like it's compliant (of course, it is not).

A good clue this mindset might be ongoing in an organization is when it uses a very generic privacy policy and terms of service, policies that are often simply copy-pasted from another website or AI-generated (which is kind of the same thing).

Not only this is extremely unlikely to truly fulfill the requirements for privacy compliance, but it also almost certainly infringes on copyright laws.

What to do?

If you find few details in a privacy policy that are specific to the organization, try copying one of its paragraph or long sentence in a search engine (using quotation marks around it to find the exact same entry). This will help detect where other websites are using the same policy.

Some might be using legitimate templates of course, but even legal usable policy templates need to be customized heavily to be compliant. Sadly, many simply copy-paste material from other organizations without permission, or use generative AI tools doing the same.

If the whole policy is copied without customization, it's very unlikely to describe anything true.

Meaningless privacy compliance badges

Many businesses and startups have started to proudly display privacy law "compliance badges" on their websites, to reassure potential clients and customers.

While it can indeed be reassuring at first glance to see "GDPR Compliant!", "CCPA Privacy Approved", and other deceitful designs, there is no central authority verifying this systematically. At this time, anyone could decide to claim they are "GDPR Compliant" and ornate their website with a pretty badge.

Moreover, if this claim isn't true, this is fraudulent of course and likely to break many laws. But some businesses bet on the assumption that no one will verify or report it, or that data protection authorities simply have better things to do.

While most privacy regulations adopt principles similar to the European General Data Protection Regulation (GDPR) principle of accountability (where organizations are responsible for compliance and for demonstrating compliance), organizations' assertions are rarely challenged or audited. Because most of the time there isn't anyone verifying compliance unless there's an individual complaint, organizations have grown increasingly fearless with false claims of compliance.

What to do?

Never trust a claim of privacy compliance at face value, especially if it comes in the shape of a pretty website badge.

Examine organizations' privacy policies, contact them and ask questions, look for independent reviews, investigate to see if an organization has been reported before. Never trust a first-party source to tell you how great and compliant the first-party is.

Fake reviews

Fake reviews are a growing problem on the internet. And this was only aggravated by the arrival of generative AI. There are so many review websites that are simply advertising in disguise. Some fake reviews are generated by AI, some are paid for or influenced by sponsorships and affiliate links, some are in conflict of interest from parent companies, and many are biased in other ways. Trusting an online review today feels like trying to find the single strand of true grass through an enormous plastic haystack.

Genuine reviews are (were?) usually a good way to get a second opinion while shopping online and offline. Fake reviews pollute this verification mechanism by duping us in believing something comes from an independent third-party, when it doesn't.

What to do?

Train yourself to spot fake reviews. There are many signs that can help with this, such as language that suspiciously uses the complete and correct product and feature brand each time, reviewers who published an unnatural quantity of reviews in a short period of time, excessively positive review, negative reviews talking about how great this other brand is, etc. Make sure to look for potential conflicts of interest as well.

Fake AI-generated content

Sadly, the internet has been infected by a new plague in recent years: AI-generated content. This was mentioned before, but truly deserves its own red flag.

Besides AI-generated reviews, it's important to know there are also now multiple articles, social media posts, and even entire websites that are completely AI-generated, and doubly fake. This affliction makes it even harder for readers to find genuine sources of reliable information online. Learning to recognize this fake content is now an internet survival skill.

What to do?

If you find a blog that publishes 5 articles per day from the same author every day, be suspicious. Look for publication dates, and if they are inhumanly close to each other, this can be a sign of AI-generated content.

When reading an article, AI-generated text will often use very generic sentences, you will rarely find the colorful writing style that is unique to an author. AI-writing is generally bland with no personality shinning through. You might also notice the writing feels circular. It will seems like it's not really saying anything specific, except for that one thing, that is repeated over and over.

Excessive self-references

When writing an article, review, or a product description, writers often use text links to add sources of information to support their statements, or to provide additional resources to readers.

When all the text links in an article point to the same source, you should grow suspicious. If all the seemingly external links only direct to material created from the original source, this can give the impression of supporting independent evidences, when in fact there aren't any.

Of course, organizations will sometimes refer back to their own material to share more of what they did with you (we certainly do!), but if an article or review only uses self-references, and these references also only use self-references, this could be a red flag.

What to do?

Even if you do not click on links, at least hover over them to see where they lead. Usually, trustworthy sources will have at least a few links pointing to external third-party websites. A diversity of supporting resources is important when conducting impartial research, and should be demonstrated there whenever relevant.

Deceptive designs

Deceptive design can be difficult to spot. Sometimes it's obvious, like a cookie banner with a ridiculously small "reject all" button, or an opt-out option hidden under twenty layers of menu.

Most of the time however, deceptive design is well-planned to psychologically manipulate us to pick the option most favorable to the company, at the expense of our privacy. The Office of the Privacy Commissioner of Canada has produced this informative web page to help us recognize better deceptive design.

What to do?

Favor tools and services that are built for privacy from the ground up, and always default to privacy first. Train yourself to spot deceptive patterns and be persistent to choose the most privacy-protective option.

Don't be afraid to say no, to reject options and products, and to also report them when deceptive design becomes fraudulent or infringes privacy laws.

Buzzword language

Be suspicious of buzzword language, especially when it becomes excessive or lacks any supportive evidences. Remember that buzzwords aren't a promise, but only marketing to get your attention. These words don't mean anything on their own.

Expressions like "military-grade encryption" are usually designed to inspire trust, but there is no such thing that grants better privacy. Most military organizations likely use industry-standard encryption from solid and tested cryptographic algorithms, like any trustworthy organizations and privacy-preserving tools do.

Newer promises like "AI-powered" are completely empty, if not scary. Thankfully, many "AI-powered" apps aren't really AI-powered, and this is a good thing because "AI" is more often a danger to your privacy, and not an enhancement at all.

What to do?

Remain skeptical of expressions like "privacy-enhancing", "privacy-first approach", "fully-encrypted", or "fully compliant" when these claims aren't supported with evidences. Fully encrypted means nothing if the encryption algorithm is weak, or if the company has access to your encryption keys.

When you see claims of "military-grade encryption", ask which cryptographic algorithms are used, and how encryption is implemented. Look for evidences and detailed information on technological claims. Never accept vague promises as facts.

Unverifiable and unrealistic promises

Along the same lines, many businesses will be happy to promise you the moon. But then, they become reluctant to explain how they will get you the moon, how they will manage to give the moon to multiple customers at once, and what will happen to the planet once they've transported the moon away from its orbit to bring it back to you on Earth... Maybe getting the moon isn't such a good promise after all.

companies promising you software that is 100% secure and 100% private are either lying or misinformed themselves

Similarly, companies promising you software that is 100% secure and 100% private are either lying or misinformed themselves.

No software product is 100% secure and/or 100% private. Promises like this are unrealistic, and (fortunately for those companies) often also unverifiable. But an unverifiable claim shouldn't default to a trustworthy claim, quite the opposite. Trust must be earned. If a product cannot demonstrate how their claims are true, then we must remain skeptical.

What to do?

Same as for buzzwords and compliance claims, never trust at face value. If there are no ways for you to verify a claim, remain skeptical and aware this promise could be empty.

Be especially suspicious with organizations repeating exaggerated guarantees such as 100% secure. Organizations that are knowledgeable about security and privacy will usually restrain from such binary statement, and tend to talk about risk reduction with nuanced terms like "more secure", or "more private".

Flawed or absent process for data deletion

Examining an organization's processes for data deletion can reveal a lot on their privacy practices and expertise. Organizations that are knowledgeable about privacy rights will usually be prepared to respond to data deletion requests, and will already have a process in place, a process that doesn't require providing more information than they already have.

Be especially worried if:

You don't find any mentions of data deletion in their privacy policy.
From your account's settings or app, you cannot find any option to delete your account and data.
The account and data deletion process uses vague terms that make it unclear if your data will be truly deleted.
You cannot find an email address to contact a privacy officer in their privacy policy.
The email listed in their privacy policy isn't an address dedicated to privacy.
You emailed the address listed but didn't get any reply after two weeks.
Their deletion process requires to fill a form demanding more information than they already have on you, or uses a privacy-invasive third-party like Google Forms.
They argue with you when you ask for legitimate deletion.

What to do?

If this isn't already explicitly explained in their policies (or if you do not trust their description), find the privacy contact for an organization and email them before using their products or services, to ask about their data deletion practices.

Ask in advance which information will be required from you in order to delete your data. Also ask if they keep any data afterward, and (if they do) what data they keep. Once data is shared, this could be much harder to deal with. It's best to verify data deletion processes before trusting an organization with our data.

False reassurances

The goal of privacy washing is to reassure worried clients, consumers, users, patients, and investors into using the organization's products or services. But making us feel more secure doesn't always mean that we are.

Privacy theaters

You might have heard the term "security theater" already, but there's also "privacy theater". Many large tech organizations have mastered this art for decades now. In response to criticisms about their dubious privacy practices, companies like Facebook and Google love to add seemingly "privacy-preserving" options to their software's settings, to give people the impression it's possible to use their products while preserving their privacy. But alas, it is not.

Unfortunately, no matter how much you "harden" your Facebook or Google account for privacy, these corporations will keep tracking everything you do on and off their platforms. Yes, enabling these options might very slightly reduce exposure for some of your data (and you should enable them if you cannot leave these platforms). However, Facebook and Google will still collect enough data on you to make them billions in profits each year, otherwise they wouldn't implement these options at all.

Misleading protections

The same can be said for applications that have built a reputation on a supposedly privacy-first approach like Telegram and WhatsApp. In fact, the protections these apps offer are only partial, often poorly explained to users, and the apps still collect a large amount of data and/or metadata.

When deletion doesn't mean deletion

In other cases, false reassurance comes in the form of supposedly deleted data that isn't truly deleted. In 2019, Global News reported on Amazon's Alexa virtual assistant speaker that didn't always delete voice-recorded data as promised. Google was also found guilty of this, even after receiving an order from UK's Information Commissioner's Office.

This can also happen with cloud storage services that display an option to "delete" a file, when in fact the file is simply hidden from the interface, while remaining available in a bin directory or from version control.

How many unaware organizations might have inadvertently (or maliciously) kept deleted data by misusing their storage service and version control system? Of course, if a copy of the data is kept in backups or versioning system, then it's not fully deleted, and doesn't legally fulfill a data deletion requirement.

What to do?

Do not simply trust a "privacy" or "opt-out" option. Look at the overall practices of an organization to establish trust. Privacy features have no value at all if we cannot trust the organization that implemented them.

Investigate to find an organization's history of data breaches and how they responded to it. Was this organization repeatedly fined by data protection authorities? Do not hesitate to ask questions to an organization's privacy officer about their practices. And look for independent reviews of the organization.

New and untested technologies

Many software startups brag about how revolutionary their NewTechnology™ is. Some even dare to brag about a "unique" and "game-changing" novel encryption algorithm. You should not feel excited by this, you should feel terrified.

For example, any startups serious about security and privacy will know that you should never be "rolling your own crypto".

Cryptography is a complex discipline, and developing a robust encryption algorithm takes a lot of time and transparent testing to achieve. Usually, it is achieved with the help of an entire community of experts. Some beginners might think they had the idea of the century, but until their algorithm has been rigorously tested by hundreds of experts, this is an unfounded claim.

The reason most software use the same few cryptographic algorithms for encryption, and usually follow strict protocols to implement them, is because this isn't an easy task to do, and the slightest mistake could render this encryption completely useless. The same can be true for other types of technology as well.

Novel technologies might sound more exciting, but proven and tested technologies are usually much more reliable when it comes to privacy, and especially when it comes to encryption.

What to do?

If a company brags about its new technology, investigate what information they have made available about it. Look for a document called a White Paper, which should describe in technical details how the technology works.

If the code is open source, look at the project's page and see how many people have worked on it, who is involved, since how long, etc.

More importantly, look for independent audits from trustworthy experts. Read the reports and verify if the organization's claims are supported by professionals in the field.

Critics from experts

if you find multiple reports of privacy experts raising the alarm about it, consider this a dark-red red flag

No matter how much an organization or product claims to be "privacy-first", if you find multiple reports of privacy experts raising the alarm about it, consider this a dark-red red flag.

If a company has been criticized by privacy commissioners, data protection authorities, privacy professionals, and consumer associations, especially if this has happened repeatedly, you should be very suspicious.

Sometimes, criticized corporations will use misleading language like "we are currently working with the commissioner", this isn't a good sign.

The marketing department will try to spin any authority audits into something that sounds favorable to the corporation, but this is only privacy washing. They would not be "working with" the privacy commissioner if they hadn't been forced to in the first place. And they wouldn't have been forced to if they truly had privacy-respectful practices.

What to do?

Use a search engine to look for related news using keywords such as the company's name with "data breach", "fined", or "privacy".

Check the product's or corporation's Wikipedia page, sometimes there will be references to previous incidents and controversies listed there. Follow trustworthy sources of privacy and security news to stay informed about reported data leaks and experts raising the alarm.

Looking for the green(ish) flags

Now that we have discussed some red flags to help us know when we should be careful, let's examine the signs that can be indicator of trustworthiness.

Like for red flags, green flags should always be taken into context and considered together. One, or even a few green flags (or greenish flags) aren't on their own a guarantee that an organization is trustworthy. Always remain vigilant, and be ready to revoke your trust at any time if new information warrants it.

Independent reviews

Independent reviews from trustworthy sources can be a valuable resource to help to determine if a product is reliable. This is never a guarantee of course, humans (even experts) can also make mistakes (less than AI, but still) and aren't immune to lies.

However, an impartial review conducted by an expert in the field has the benefit of someone who has likely put many hours investigating this topic, something you might understandably not always have the time to do yourself. But be careful to first evaluate if this is a genuine unbiased assessment, or simply marketing content disguised as one.

Independent audits

Similarly, independent audits from credible organizations are very useful to assess a product's claims. Make sure the company conducting the audit is reputable, impartial, and that you can find a copy of the audit's report they produced, ideally from a source that isn't the audited company's website (for example, the auditing organization might provide access to it transparently).

Transparency

Transparency helps a lot to earn trust, and source code that is publicly available helps a lot with transparency. If a piece of software publishes its code for anyone to see, this is already a significant level of transparency above any proprietary code.

Open source code is never a guarantee of security and privacy, but it makes it much easier to verify any organization assertions. This is almost impossible to do when code is proprietary. Because no one outside the organization can examine the code, they must be trusted on their own words entirely. Favor products with code that is transparently available whenever possible.

Verifiable claims

If you can easily verify an organization's claims, this is a good sign. For example, if privacy practices are explicitly detailed in policies (and match the observed behaviors), if source code is open and easy to inspect, if independent audits have confirmed the organization's claims, and if the organization is consistent with its privacy practices (in private as much as in public), this all helps to establish trust.

Well-defined policies

Trustworthy organizations should always have well-defined, unique, and easy to read privacy policies and terms of service. The conditions within it should also be fair. You shouldn't have to sell your soul to 1442 marketing partners just to use a service or visit a website.

Read an organization's privacy policy (or privacy notice), and make sure it includes:

Language unique to this organization (no copy-paste policy).
Disclosure of any parent companies owning this organization (if any).
A dedicated email address to contact for privacy-related questions and requests.
Detailed information on what data is collected for each activity. For example, the data collected when you use an app or are employed by an organization shouldn't be bundled together indistinctly with the data collected when you simply visit the website.
Clear limits on data retention periods (when the data will be automatically deleted).
Clear description of the process to follow in order to delete, access, or correct your personal data.
A list of third-party vendors used by the organization to process your information.
Evidences of accountability. The organization should demonstrate accountability for the data it collects, and shouldn't just transfer this responsibility to the processors it uses.

Availability

Verify availability. Who will you contact if a problem arises with your account, software, or data? Will you be ignored by an AI chatbot just repeating what you've already read on the company's website? Will you be able to reach out to a competent human?

If you contact an organization at the listed privacy-dedicated email address to ask a question, and receive a thoughtful non-AI-generated reply within a couple of weeks, this can be a good sign. If you can easily find a privacy officer email address, a company's phone number, and the location where the organization is based, this also can be encouraging signs.

Clear funding model

If a free service is provided by a for-profit corporation, you should investigate further. The old adage that if you do not pay for a product you are the product is sadly often true in tech, and doubly so for big tech.

Before using a new service, try to find what the funding model is. Maybe it's a free service run by volunteers? Maybe they have a paid tier for businesses, but remain free for individual users? Maybe they survive and thrive on donations? Or maybe everyone does pay for it (with money, not data).

Look for what the funding model is. If it's free, and you can't really find any details on how it's financed, this could be a red flag that your data might be used for monetization. But if the funding model is transparent, fair, and ethical, this can be a green flag.

Reputation history

Some errors are forgivable, but others are too big to let go. Look for an organization's track record to help to evaluate its reputation overtime. Check if there was any security or privacy incidents, or expert criticisms, and check how the organization responded to it.

If you find an organization that has always stuck to its values (integrity), is still run by the same core people in recent years (stability), seems to have a generally good reputation with others (reputability), and had few (or no) incidents in the past (reliability), this can be a green flag.

Expert advice

Seek expert advice before using a new product or service. Look online for reliable and independent sources of recommendations (like Privacy Guides!), and read thoroughly to determine if the description fits your privacy needs. No tool is perfect to protect your privacy, but experts will warn you about a tool's limitations and downsides.

There's also added value in community consensus. If a piece of software is repeatedly recommended by multiple experts (not websites or influencers, experts), then this can be a green flag that this tool or service is generally trusted by the community (at this point in time).

Take a stand for better privacy

Trying to evaluate who is worthy of our trust and who isn't is an increasingly difficult task. While this burden shouldn't fall on us, there are unfortunately too few institutional protections we can rely on at the moment.

Until our governments finally prioritize the protection of human rights and privacy rights over corporate interests, we will have to protect ourselves. But this isn't limited to self-protection, our individual choices also matter collectively.

Each time we dig in to thoroughly investigate a malicious organization and expose its privacy washing, we contribute in improving safety for everyone around us.

Each time we report a business infringing privacy laws, talk publicly about our bad experience to get our data deleted, and more importantly refuse to participate in services and products that aren't worthy of our trust, this all helps to improve data privacy for everyone overtime.

Being vigilant and reporting bad practices is taking a stand for better privacy. We must all take a stand for better privacy, and expose privacy washing each time we spot it.

Privacy Washing Is a Dirty Business

Em — Wed, 03 Sep 2025 19:24:12 +0000

Privacy Washing Is a Dirty Business

Photo: Marija Zaric / Unsplash

Perhaps you haven't heard the term privacy washing before. Nonetheless, it's likely that you have already been exposed to this scheme in the wild. Regrettably, privacy washing is a widespread deceptive strategy.

What is privacy washing

Similarly to whitewashing (concealing unwanted truths to improve a reputation) and greenwashing (deceptively presenting a product as environmentally friendly for marketing purposes), privacy washing misleadingly, or fraudulently, presents a product, service, or organization as being responsible and trustworthy with data protection, when it isn't.

Your privacy is* important to us. *not!

The term has been used for over a decade already. It's saddening to see that not only is this not a new problem, but it has only gotten worse through the years.

With the acceleration of data collection, the accumulation of data breaches, and the erosion of customers' trust, companies have an increased need for reassuring users to gain their business.

Despite consumers' rights and expectations, implementing proper data protection takes time, expertise, and money. Even if the long term benefits are colossal, the time invested often doesn't translate into direct short term profits, the main objective for most businesses. On the other hand, collecting more data to sell it to third parties often does translate into short term profits.

For these reasons, many companies quickly realize the need for advertising better privacy, but aren't necessarily willing to invest what it takes to make these claims true.

There comes privacy washing: "Your privacy is* important to us." *not!

Privacy washing comes with a selection of washer cycles, from malicious trap to deceptive snake oil to perhaps the most common wash: plain negligence.

Negligence, incompetence, or malevolence

In some other contexts, intentions might matter more. But when it comes to privacy washing, the result is often the same regardless of intentions: Personal data from users, customers, employees, patients, or children even being leaked and exploited in all sorts of ways.

Whether false claims come from negligence by failing to verify that data protections are properly implemented, incompetence to evaluate if they are, or maliciously trying to trick users in using a service that is actually detrimental to their privacy, harm is done, and sometimes permanently so.

Nonetheless, understanding the different types of privacy washing can help us to evaluate how to detect it, respond to it, and report it.

Negligence and greed

They know what they are doing, but they care more about money

The most common occurrence of privacy washing likely comes from negligence and greed. One of the biggest drivers for this is that the current market incentivizes it.

Today's software industry is largely inflated by venture capitalist funding, which creates expectations for a substantial return on investment. This funding model often encourages startups to quickly build an app following the minimum viable product principles, grow its user base as fast as possible, increase its value, and then sell it off for profits.

The problem is, this model is antithetical to implementing good privacy, security, and legal practices from the start. Data privacy cannot only be an afterthought. It must be implemented from the start, before users' data even gets collected.

Many startups fail to see how being thorough with data privacy will benefit them in the long term, and view privacy and security requirements only as a burden slowing down their growth. This mindset can result in perceiving privacy as a simple marketing asset, something businesses talk to users about for reassurance, but without putting any real effort into it beneath the surface.

Perhaps moving fast and breaking things wasn't such a good idea after all.

Outside of privacy, this common startup mindset of playing fast and loose with customers and their safety frequently has devastating consequences. One recent and tragic example comes from OceanGate's Titan deep-sea submersible that infamously imploded during an exploration, killing its five passengers in an instant.

The final report blamed a problematic safety culture at OceanGate that was “critically flawed and at the core of these failures were glaring disparities between their written safety protocols and their actual practices.”

Perhaps moving fast and breaking things wasn't such a good idea after all.

Alas, similar "glaring disparities" between policies and practices are widespread in the tech industry. While maybe not as dramatic and spectacular as an imploding submersible, data leaks can also literally kill people.

Data privacy is the "passenger safety protocol" for software, and it should never be trivialized.

Privacy isn't just "risk management", it is a human right. Analogous to safety protocols, organizations are responsible for ensuring their data protection policies are being followed, and are accurately describing their current practices. Anything less is negligence, at best.

Unfortunately, users (like passengers) often have very few ways to verify false claims about allegedly privacy-respectful features and policies. But this burden should never be on them in the first place.

Incompetence and willful ignorance

They don't know what they are doing, or they just don't want to know

Partly related to negligence, is plain incompetence and willful ignorance. Some organizations might be well-intentioned initially, but either lack the internal expertise to implement proper privacy practices, or conveniently decide not to spend much time researching about what their data protection responsibilities are.

For example, most businesses have heard by now of the requirement to present a privacy policy to their users, customers, and even web visitors. Deplorably, in a failed attempt to fulfill this legal obligation, many simply copy someone else's privacy policy and paste it on their own website. Not only this is very unlikely to be compliant with applicable privacy regulations, but it also possibly infringes copyright laws.

Do not simply copy-paste another organization's privacy policy and claim it as your own!

It's important to remember that legal requirements for policies aren't the end goal here. The true requirements are the data protection practices.

The policies must accurately describe what the practices are in reality. Because no two organizations have the exact same internal practices and third-party vendors, no two organizations should have the exact same privacy policy.

Copy-paste privacy policies aren't compliance, they're deception.

A privacy policy that isn't accurately describing an organization's practices is a form of privacy washing. Sadly, a quite commonly used one, like some quick light-wash cycle.

It's worth noting these days that creating a privacy policy using generative AI will lead to the exact same problems related to accuracy and potential infringement of both privacy and copyright laws. This is not a smart "shortcut" to try.

While lack of understanding of policies and legal requirements is only one example of how incompetence can become a form of privacy washing, there are infinitely more ways this can happen.

As soon as data is collected by an organization (or by the third-party software it uses), there is almost certainly legal obligations to protect this data, to restrict its collection and retention, and to inform data subjects.

Organizations that do not take this responsibility seriously, or blissfully decide to remain unaware of it, while presenting an empty privacy policy, are effectively doing privacy washing.

Implementing protections and limiting collection cannot be an afterthought. Once data is leaked, there is often nothing that can be done to truly delete it from the wild. The damage caused by leaked data can be tragic and permanent.

Organizations must take this responsibility much more seriously.

Malevolence and fraud

They lie, and they want your data

Greed and ignorance are common causes of privacy washing, but they can quickly escalate to fraud and ambush.

It's worth noting that a large amount of negligence or incompetence can be indistinguishable from malice, but there are organizations that deliberately lie to users to exploit them, or to trick them into unwillingly revealing sensitive information.

Anom, the secret FBI operation

Perhaps one of the most infamous example of this is the Anom honeypot. Anom was an encrypted phone company promising privacy and security, but that was in fact part of an undercover operation staged by the American Federal Bureau of Investigation (FBI), Operation Trojan Shield.

Investigative journalist Joseph Cox reported in 2021 that Anom advertised their products to criminal groups, then secretly sent a copy of every message on the device to the FBI. It was so secret, even Anom developers didn't know about the operation. They were told their customers were corporations.

A screenshot shared by Motherboard shows an Anom slogan: "Anom, Enforce your right to privacy". It's hard to tell how many non-criminal persons (if any) might have accidentally been caught in this FBI net. Although this specific operation seems to have been narrowly targeting criminals, who knows if a similar operation could not be casting a wider net, inadvertently catching many innocent privacy-conscious users in its path.

Navigating VPN providers can be a minefield

Using a trustworthy Virtual Private Network (VPN) service is a good strategy to improve your privacy online. That being said, evaluating trustworthiness is critical here. Using a VPN is only a transfer of trust, from your Internet Service Provider (ISP) to your VPN provider. Your VPN provider will still know your true IP address and location, and could technically see all your online activity while using the service, if they decided to look.

Different VPN services are not equal, unfortunately, snake oil products and traps are everywhere in this market. As with anything, do not assume that whoever screams the loudest is the most trustworthy. Loudness here only means more investment in advertising.

For example, take the interesting case of Kape Technologies, a billionaire-run company formerly known as Crossrider. This corporation has now acquired four different VPN services: ExpressVPN, CyberGhost, Private Internet Access, and Zenmate. This isn't that suspicious in itself, but Kape Technologies has also acquired a number of VPN review websites, suspiciously always ranking its own VPN services at the top. This is a blatant conflict of interest, to say the least.

Sadly, on the VPN market — estimated at $41.33 billion USD in 2022 — what is called a "review" is often just advertising.

Moreover, many free VPN providers break their privacy promises regarding users' data. In 2013, Facebook bought the free VPN provider Onavo, and included it in a Facebook feature deceptively labeled "Protect". As is now standard behavior for Facebook, the social media juggernaut actually collected and analyzed the data from Onavo users. This allowed Facebook to monitor the online habits of its users even when they weren't using the Facebook app. This is very much the opposite of data privacy, and of any implied promises to "Protect".

Then there's the case of Hotspot Shield VPN, accused in 2017 of breaking its privacy promises by the Center for Democracy & Technology, a digital rights nonprofit organization. While promising "anonymous browsing", Hotspot Shield allegedly deployed persistent cookies and used more than five different third-party tracking libraries. The parent company AnchorFree denied the accusations, but even if it wasn't the case for AnchorFree, how tempting would it be for a business with an ad-based revenue model to utilize the valuable data it collects for more of this revenue? And indeed, many free VPN services do monetize users' data.

Worst of all are the fake, free VPN services. Like stepping on a landmine, criminals are luring users looking for a free VPN service and tricking them into downloading malware on their devices. While this goes beyond privacy washing, it's still a piece of software actively harming users and deceptively gaining their trust with the false promise of better privacy. Wherever privacy washing is being normalized by greedy or lazy organizations, criminals like this flourish.

Using compliance to appear legitimate

Another fraudulent case of privacy washing is organizations using false claims related to privacy law compliance to appear more legitimate.

Earlier this year, the digital rights organization Electronic Frontier Foundation (EFF) called for an investigation into deceptive anti-abortion militant organizations (also called "fake clinics") in eight different US states.

These fake clinics were claiming to be bound by the Health Insurance Portability and Accountability Act (HIPAA) in order to appear like genuine health organizations. HIPAA is an American federal privacy law that was established in 1996 to protect sensitive health information in the United States.

Not only are many of these fake clinics not complying with HIPAA, but they collect extremely sensitive information without being bound by HIPAA in the first place, because they aren't licensed healthcare providers. Worse, some have leaked this data in all sorts of ways.

Thanks to the EFF's work, some of those fake clinics have now quietly removed misleading language from their websites. But sadly, this small victory doesn't make these organizations any more trustworthy, it only slightly reduces the extent of their privacy washing.

Deception and privacy-masquerading

They talk privacy, but their words are empty

Perhaps the most obvious and pernicious examples of privacy washing are organizations that are clearly building products and features harming people's privacy, while using deceptive, pro-privacy language to disguise themselves as privacy-respectful organizations. There are likely more occurrences of this than there are characters in this article's text.

Buzzwords like "military-grade encryption", "privacy-enhancing", and the reassuring classic "we never share your data with anyone" get thrown around like candies falling off a privacy-preserving-piñata.

But words are meaningless when they are deceitful, and these candies quickly turn bitter once we learn the truth.

Google, the advertising company

An infamous recent example of this is Google, who pushed a new Chrome feature for targeted advertising in 2023 and dared to call it "Enhanced Ad Privacy"

This enabled by default technology allows Google to target users with ads customized around their browsing history. It's really difficult to see where the "privacy" is supposed to be here, even when squinting very hard.

Of course, Google, an advertising company, has long mastered the art of misleading language around data privacy to reassure its valuable natural resource, the user.

Google continued to collect personally identifiable user data from their extensive server-side tracking network.

Everyone is likely familiar with Chrome's infamously deceptive "Incognito mode". In reality, becoming "Incognito" stopped at your own device where browsing history will not be kept, while Google continued to collect personally identifiable user data from their extensive server-side tracking network. Understandably, disgruntled users filed an official class action lawsuit to get reparation from this deception. In 2023, Google agreed to settle this $5 billion lawsuit.

Despite claims of "privacy" in their advertising to users, Google, like many other big tech giants, has in reality spent millions lobbying against better privacy protections for years.

World App, the biometric data collector

Similarly, Sam Altman's World project loves to throw privacy-preserving language around to reassure prospect users and investors. But despite all its claims, data protection authorities around the world have been investigating, fining, and even banning its operations.

The World App (developed by the World project) is an "everything app" providing users with a unique identifier called a World ID. This World ID, which grants various perks and accesses while using the World App, is earned by providing biometric data to the organization, in the form of an iris scan.

Providing an iris scan to a for-profit corporation with little oversight will rightfully scare away many potential users. This is why the company has evidently invested heavily in branding itself as a "privacy-preserving" technology, claims that are questionable to say the least.

Despite catchy declarations such as "privacy by default and by design approach", the World project has accumulated an impressive history of privacy violations, and multiplies contradicting and misleading statements in its own documentation.

There are some stains that even a powerful, billionaire-backed, privacy wash just cannot clean off.

In 2019, the Wall Street Journal reported that the period tracking application Flo had been sharing sensitive health data with Facebook (Meta), despite its promises of privacy.

The app, developed by Flo Health, repeatedly reassured users that the very sensitive information they shared with the app would remain private and would not be shared with any third parties without explicit consent.

Despite this pledge, the Flo app did share sensitive personal data with third parties, via the software development kits incorporated into the app.

This extreme negligence (or malevolence) have likely harmed some users in unbelievable ways. Considering the state of abortion rights in the United States at the moment, it's not an exaggeration to say this data leak could severely endanger Flo App's users, including with risk of imprisonment.

In response, users have filed several class action lawsuits against Flo Health, Facebook, Google, AppsFlyer, and Flurry.

Trivializing health data privacy while promising confidentiality to gain users' trust should never be banalized. This is a very serious infringement of users' rights.

Remain skeptical, revoke your trust when needed

Regardless of the promises to safeguard our personal data, it's sad to say, we can never let our guard down.

Privacy washing isn't a trend that is about to fade away, it's quite likely that it will even worsen in the years to come. We must prepare accordingly.

The only way to improve our safety (and our privacy) is to remain vigilant at all time, and grant our trust only sparsely. We also need to stay prepared to revoke this trust at any time, when we learn new information that justifies it.

Always remain skeptical when you encounter privacy policies that seem suspiciously too generic; official-looking badges on websites advertising unsupported claims of "GDPR compliance", reviews that are lacking supporting evidence and doubtfully independent; and over usage of buzzwords like "military-grade encryption", "privacy-enhancing", "fully encrypted", and (more recently) "AI-powered".

It's not easy to navigate the perilous waters of supposedly privacy-respectful software. And it's even worse in an age where AI-spawned websites and articles can create the illusion of trustworthiness with only a few clicks and prompts.

Learning how to spot the red flags, and the green(ish) flags, to protect ourselves from the deceptive manipulation of privacy washing is an important skill to develop to make better informed choices.

The Power of Digital Provenance in the Age of AI

fria — Wed, 27 Aug 2025 22:30:25 +0000

The Power of Digital Provenance in the Age of AI

Photo: Kseniya Lapteva / Pexels | Logo: Content Credentials

With the popularity of generative AI, it's becoming more and more difficult to distinguish reality from fiction. Can this problem be solved using cryptography? What are the privacy implications of the currently proposed systems?

The Problem

Can you tell which of these images are AI generated?

...Have a guess?

Actually, they're all real. But the fact that you may have believed some of them were AI generated poses a problem: How can we tell where an image came from, if it was AI generated, and whether it was edited?

Provenance

Provenance is the history of ownership of an object, typically used when referring to antiques or art. Knowing the history of a piece of art can affect the value a lot, but you need a way to prove it's an original piece by the artist instead of a reproduction, or was owned by a famous person.

Provenance can take many forms, from an original receipt or documentation from the artist themselves to stickers from a gallery attached to it. Typically, you want a signed certificate from an expert on the artist in order to verify its authenticity.

Hoaxes

It's important for historical preservation as well to know that an object is really from a certain time period. There's no shortage of historical hoaxes. These can distort our view of history and make us all a bit dumber.

Cardiff Giant

One of the most famous hoaxes was that of the Cardiff Giant.

An atheist named George Hull got into an argument with a preacher. Hull was frustrated with the preacher's literal interpretation of the bible, particularly his belief that giants were real.

Hull devised a plan to trick the religious and make some money at the same time. He would have a statue of a giant man constructed and pass it off as a petrified human.

After securing the materials needed, specifically a soft material called gypsum, he convinced a marble dealer to help him with his scheme. A pair of sculptors carved out the visage of a giant 10-foot man, with Hull posing as a model. They even poured sulfuric acid over it to give it an aged look.

He settled on burying the giant in Cardiff, New York, where he cut a deal with a distant relative and farmer named William "Stub" Newell.

On October 16, 1869, Newell hired an unsuspecting pair of workers to dig a well on his property. After they inevitably uncovered the giant, it wasn't long before the whole town was in a frenzy.

Photo: Wikimedia Commons (Public Domain)

Speculation that the sculpture was an ancient, petrified man quickly began to spread. Eventually, a syndicate of businessmen offered Newell $30,000 (worth $705,438.97 in today's money) for a three-fourths stake, and he took them up on that offer.

P.T. Barnum even tried to buy the sculpture, and after being turned down, he had a replica built and displayed it in a Manhattan museum. Several other copies were made afterward, and soon, there were petrified giants being exhibited all over the country.

In a way that seems familiar to us now, you couldn't even be sure you were looking at the real hoax. Misinformation can so easily mutate and spread when left unchecked.

A famed Yale paleontologist named Othniel Charles Marsh declared it "of very recent origin, and a most decided humbug." Unfortunately, as is so often the case, Hull had already cashed in on the fervor by the time experts had properly debunked his hoax.

AI Hoaxes

Many modern hoaxes tend to make use of social media and focus on getting views and clicks over selling a physical object.

Miniminuteman is a great YouTube channel covering misinformation on the internet, specifically about archaeology. Misinformation can spread quickly, especially now with the rise of generative AI that can make convincing fake images and videos.

Here you can see an example of AI being used to make a fake Joe Rogan podcast clip. Now, whether or not you view Joe Rogan as a reliable source of information is another topic, but as one of the most popular podcasts, his reach could be leveraged to spread dangerous misinformation like that a meteor is going to hit earth and kill everyone.

The effort required is low, and the return is high. With TikTok's Creator Rewards Program, content that's at least 60 seconds long and has high engagement will be rewarded. That means longer videos with alarming content like conspiracy theory videos will do very well since they will have lots of comments from people either fooled by the content posting about how scared they are or people debunking the claims. The insidious thing is the creators get rewarded either way.

Several history channels on YouTube have expressed their concerns about misinformation being spread about history through AI generated images and videos and how they can distort our view of the past. There's even the possibility that these AI generated images could end up polluting the historical record.

Content Authenticity Initiative

In 2019, Adobe announced that it was partnering with the New York Times and Twitter on a project to develop an industry standard for digital content attribution called the Content Authenticity Initiative.

Twitter has since dropped out of the partnership.

Project Origin

At the same time, Project Origin was designing their system for content transparency. This started as a partnership between Microsoft and the BBC.

C2PA

The Coalition for Content Provenance and Authenticity, or C2PA, combines the efforts of Project Origin and the Content Authenticity Initiative. Together, they created the C2PA standard used to add verifiable provenance data to files, which they dub "Content Credentials."

Content Credentials

Content Credentials are the implementation of digital provenance by the C2PA, the culmination of years of research and development by major tech companies, from camera manufacturers to photo editing software and AI companies to social media sites.

The way Content Credentials work draws on concepts both familiar and alien. The standard is designed to be flexible and cover the myriad ways media is used online.

It's important to note that Content Credentials aren't attempting to determine "truth"; that's a much more complex and philosophical topic. Rather, they're trying to show where an image came from, edits made to it, its constituent parts, etc. so that you can decide for yourself if you trust the source. It's trying to show you that an image came from the BBC, rather than whether you should trust the BBC.

Manifest

Content Credentials are contained in what's called the manifest. The manifest consists of the claim, claim signature, and assertions.

Illustration: C2PA

The manifest is created by hardware or software called a "claim generator."

Files can have multiple manifests, and the set of manifests comprise its provenance data.

Assertions

An assertion is labelled data such as the type of camera used, actions performed on the image such as color corrections, a thumbnail image, or other types of data.

Claim

The claim gathers together all the assertions and then hashes and cryptographically signs them. The claim is the part that backs up the assertions with cryptography; without it, there wouldn't be a way to verify the authenticity of the data.

Signatures

The foundation is based around cryptographic signatures, similar to how you'd cryptographically sign software or text with a PGP signature.

The parts of a file that are cryptographically verified are called "hard bindings." This allows programs to detect tampering.

Certificate Authorities

There are certificate authorities similar to how HTTPS works, which allow only signatures from trusted sources. Non-trusted signatures will give a warning in whatever C2PA-enabled software you're using.

Content Credentials allow for each application to provide its own trust lists: lists of certificate authorities trusted by the application.

The C2PA gives a few examples to illustrate. A news organization might rely on a non-profit organization that verifies the authenticity of sources through real-world due diligence. An insurance company might operate its own internal CA to verify only its own employees handled the images.

Ingredients

However, what's interesting is Content Credentials can cover multiple assets being combined and still be able to verify each element of the image. Each element is called an "ingredient." When the ingredients come together, the result is called a "composed asset," with "asset" referring to a digital media file or data stream.

Chain of Provenance

It also supports a chain of provenance, showing all steps in the life cycle of the file that change its contents such as edits. These are referred to as "actions."

The specification supports a list of pre-defined actions such as edits, changing the color, translating to a different language, etc. It's really quite flexible, but the flexibility of information that can be provided allows for more opportunities for errors and means you need to trust the entity providing the information more.

An issue I noticed is when making edits using software that doesn't support Content Credentials, they will be corrupted and can't be read by verification programs. This poses a problem for the "unbroken chain of provenance" that the standard promises.

These verification programs tend to offer a way to check against a database of images with Content Credentials, so you can find an image with unbroken provenance data. They use "soft bindings" or a type of fingerprinting of the image in order to find similar images in the database.

I think this problem will be less and less of an issue when more software supports the standard. It will need to be so ubiquitous that image viewing programs don't trust images without provenance data, similar to how browsers don't trust websites without HTTPS. But for now with its very limited availability, that's not the case.

Privacy

Since Content Credentials are all about attaching extra data to images, concerns about privacy are reasonable.

However, it's important to remember that metadata has always existed in relation to digital files. Just like the metadata we've always had, Content Credentials are optional.

Of course, it'll be up to programs we use to mediate what data is included. In order for the system to work as intended, certain things like "this photo was edited in Adobe Photoshop" will need to be automatically applied. Clear lines between personal data such as names, location, etc. need to be kept up to the user to add.

Privacy was one of the stated goals when the C2PA was designing Content Credentials, and I think they've done a good job giving users control over their information.

Support

There are several online verification tools you can use to try out Content Credentials. ContentCredentials.org offers a verification tool that lets you upload a media file and check its Content Credentials. They have some example images on their site you can try, or you can upload images from elsewhere and see where Content Credentials are supported, for example you can upload any image generated in ChatGPT.

Content Credentials also offers an official command line tool, so you can view exactly what data is being stored in the image. They provide some samples as well that you can play around with. To view the content credentials, just run

c2patool sample/C.jpg

for any image you want to inspect, replacing sample/C.jpg with a path to your image.

BBC

The BBC is doing a limited trial run of Content Credentials with BBC Verify. Not all media in these articles have Content Credentials attached. This article has Content Credentials for the video at the bottom. They also ask for feedback, so feel free to provide some. I'd like to see more Content Credentials show up in news reporting, so please add your voice.

OpenAI

OpenAI has embraced Content Credentials, with images generated using ChatGPT identifying themselves using Content Credentials. Try generating an image and upload it to the verification tool. You should see it identify the origin as OpenAI.

TikTok

TikTok became the first video sharing platform to support Content Credentials. For now, it's limited to being able to read Content Credentials from certain AI platforms. They say in the future they'll start labeling all content from TikTok with Content Credentials, but it seems they haven't enabled that yet, as if you download a video from TikTok, the C2PA verify tool will say it doesn't have any Content Credentials.

Leica

Leica's M11-P camera is the first camera in the world to support Content Credentials. That's a huge step toward adoption; camera manufacturers need to support Content Credentials if they're going to be included from the creation of the image.

Nikon

Nikon is planning to release a firmware update for their Z6III camera that will support Content Credentials.

Adobe

Much of Adobe's software supports Content Credentials, including Photoshop, Lightroom, and Adobe Camera Raw as well as Adobe's Firefly AI.

Qualcomm

With the Snapdragon 8 Gen 3 chipset, Qualcomm is embedding Content Credential capabilities into the Trusted Execution Environment, allowing for Content Credentials to be added right as the photo is produced.

Limitations

Lack of Support

Content Credentials will need widespread support at every level, from hardware OEMs to photo editing software vendors and AI generators to sites that host and display images. The rollout of Content Credentials will be slow, although more and more companies are starting to support them.

There are still major players missing support like Apple and Android, which is a big problem considering how many images are taken, edited, and shared on smartphones. Once photos taken from your phone can be imbued with Content Credentials in the default camera app, we'll see much wider adoption I think.

Easy to Remove

In my testing, any edits from a program that doesn't support Content Credentials will render them unreadable after that point. This problem won't be as bad if and when support for Content Credentials becomes widespread, since you can just decide not to trust images without them, sort of like not trusting a website without HTTPS. Platforms could even display a warning.

But for now, removing Content Credentials won't be noticed.

Reliant on Certificate Authorities

The system shares a flaw with HTTPS in that you need to rely on trusted Certificate Authorities to verify the validity of the information, except that Content Credentials are trying to verify a lot more information than just who originally made the image.

Since anyone can add their own Content Credentials to an image, a warning is displayed similar to a certificate warning in your browser that the Content Credentials come from an untrusted entity.

Complexity

One of the issues I ran into while researching was just how complex the standard is, since it needs to cover so many use cases and situations. This is pure speculation, but I can imagine the sheer complexity makes it unattractive for platforms to implement and maintain, which could be contributing to the very slow and partial rollout we're seeing on the platforms of even founding members of the project like the BBC.

I think this will be less of an issue as it rolls out however, as platforms will likely be able to use each other's implementations, or at least reference them when implementing it on their platform.

The standard is still in early stages and there's plenty of room to shape it and improve it in the future, so make your voice heard about how you want to see it implemented. I think with more awareness about Content Credentials, platforms will feel more pressure to support them, so if you want to see this feature on your favorite platform, speak up and gather support.