The war of recommendations

What is the problem?

Every day, people interested in privacy and information security ask questions on different websites (e.g., on this forum, on Reddit, on GitHub, in the Fediverse).

While there are actually some practices in information security that are widely considered good, data protection and privacy are anything but globally standardized. Moreover, as pointed out by Claudio Guarnieri (Amnesty International) at the 2019 Honeynet Project Annual Workshop, most good practices only consider the Western culture. Therefore, the terms “secure” and “privacy-friendly” are at least whishy-washy.

However, some people replying to these questions present their recommendations as “the only truth” and “the most secure and most private way to go”, totally ignoring any threat models or use cases.

Two examples:

Windows? How dare you?

Somebody asks for ways to secure Windows. Then, some answers are like “Windows, seriously? How dare you? Migrate to Linux! It is the most secure and most private operating system.” (Also see Toxic User Mentality?)

The person then asks, “Are there any disadvantages when switching to Linux?”. People answer: “No, there are absolutely no disadvantages.” So what if this person wants to play their favorite games that are only available for Windows? What if this person needs software in general that is only available for Windows? What if this person runs into problems after switching to Linux? Then, oftentimes answers are like “Ugh, works for me, so these are your problems.”

Furthermore, Linux isn’t a specific operating system, but a family of operating systems based on the Linux kernel. There are hundreds of different Linux distributions and most come with their own pros and cons (see What Linux distro do you all use?).

Even Linux users can’t agree on “the best” Linux distribution, and recommendations look like:

  • Person B: Use Ubuntu!
  • Person C: No, don’t use Ubuntu! They are sending data to Amazon! Use Debian!
  • Person D: No, don’t use Debian! They are shipping old packages! Use Arch Linux!
  • Person E: No, don’t use Arch Linux! It isn’t beginner-friendly! Use Linux Mint!

An endless stream of instant messengers

Somebody asks for a secure instant messenger. Immediately, people list dozens of different instant messengers. Everybody claims that their favorite messenger is the most secure and most private one.

Then, the journey starts again:

  • Person B: Use Signal!
  • Person C: No, don’t use Signal! It uploads your phone book and you need a phone number!
  • Person D: Not true! You can use Signal without read access to the phonebook and provide a burner phone number!
  • Person E: Yeah, but is centralized! You must use decentralized messengers! Use Matrix!
  • Person F: No, don’t use Matrix! It is awful, broken and an XMPP clone! Stay with messengers based on XMPP! There are clients for every operating system!
  • Person G: No, don’t use XMPP! Server admins can see and modify all of your contacts, groups, and much more!
  • Person H: Bullshit! You can host your own server and use OMEMO! Then you are safe!
  • Person I: I can’t use XMPP-based messengers since they don’t work on my iPhone!
  • Person H: Oh, how can you seriously use an iPhone? Switch to Android!

The result

These are only two examples of a phenomenon that oftentimes can be observed: Everybody considers their opinion to be “the only truth”, and ignores valid points of others. Some people then provide out-of-date blog posts or stories written by non-technical people (who never verified their claims) to prove their points.

However, is all of this helpful for the person who originally asked something different? Presumably this isn’t the case.

What could be a solution?

As originally suggested on GitHub, PTIO should introduce a transparent catalog of criteria for software and services. For services, there are already suggestions by @LizMcIntyre . Furthermore, PTIO should define a list of typical threats that need to be considered when evaluating software and services. Finally, recommendations should come with sources for statements and recommendations should be regularly and transparently reviewed.

Besides, discussions are really fragmented at the moment: There is Reddit, there is this forum, there is GitHub, and there are likely other platforms where people discuss the same problems over and over again. So maybe there is a way to centralize such discussions.


I don’t want to expand a lot on this since it is kind of off-topic, but I think it’s funny that the term Western culture was used to present other terms as wishy-washy.

A good example I can think for this: In Mr. Robot, in the first season, Eliot (which is a black hat) runs Windows on a VM to be able to use DeepSound.

I think the problem with this particular issue, although everything you stated is true in any kind of recommendation in the privacy community, is that this product is one of the most needed and there just does not seem to be a product which can fully satisfy the needs of certain users. It’s true that maybe one IM can work for someone but not for other, but then again this is not clear for people who are beginning. I think the same as you, there should be certain standard (even though it’s obviously not fool proof) to help people understand what can work better for them.
In regards to VPNs, there are a lot of catalogues of criteria (PTio’s team, Techlore, TOPS, etc) used to determine whether they can, more or less, be trusted. Something similar should be adopted with other services.

Do you think we should list some standards to determine which product to use on this post?

The point of this forum is to have open discussions where each person contributes in whatever manner they wish on the topic/post.

This isn’t a problem. Having disagreements, isn’t a problem. Putting forward ones own ideas or agenda and biases on solutions, isn’t a problem. To make these a problem is a way to shutdown a conversation and limit expression.

Evidence to support this blanket statement? I can say with certainty that this does not apply to me.

We are not at university where we need to write essays to provide validity to our points or opinions. This is an informal space for discussion, not an academic setting. The fact that people even provide some source to back up their point is better than just having an unsubstantiated opinion, but it isn’t necessary. Not everyone has hours of time to scour the Internet for some article to backup their point, it just isn’t feasible to assume and demand this.

Don’t assume as it makes an a@@ out of you

I see this as point of views not “only truth” and as proof that there is no one correct answer like:

but you are right we need to type it in more nice way to starter in privacy understand it or just list all of cons and pros and let user choose

This is a very funny statement if one considers that you joined about four days ago and complained about our statements several times, especially here. So if disagreements aren’t a problem for you, why are you constantly commenting on our statements in a somewhat hostile manner? Nobody wants to read this.

Instead of complaining about a sentence, quoted out of context, you should be more open-minded when someone presents an opinion that doesn’t match your view of the world. Especially, when you write Having disagreements, isn’t a problem. Thanks again.

1 Like

Yes, this can be a good starting point. Maybe, someone has an idea to solve the problem of fragmentation.

And for this list of pros and cons we likely need some fixed threats that we consider being typical for the PTIO target group.

One other example: A manufacturer of security tokens claims that the normal-sized USB-A connectors of their security tokens are far better than the smaller USB-A connectors of a competing product. We could just list this benefit as claimed by the company, however, is this relevant to the PTIO target group?

We think of a simple list like:

Threat A: An attacker steals your device (e.g., smartphone or laptop).
Countermeasure 1: Use full-disk encryption.
Countermeasure 2: Don’t leave your devices unattended in public spaces.

Threat B: A server-side attacker is able to access all databases of a service.
Countermeasure 1: Use client-side end-to-end encryption.

With such lists we can say: Product X comes with some protection against threat A, however, you as a user still need to consider …. We could also add one sentence to inform users about why some threats are important and what are limitations of countermeasures.

1 Like

IMO, the best place if you want a bigger number of users is reddit, I’ve been checking Github recently and it is pretty quiet, maybe this forum is better to be organized and keep up with al answers. What we could do is to link this discussion on reddit (but idk how many people will create and account just to discuss this) or viceversa.

I don’t know if I’m doing this right, so please let me know if there’s something that I didn’t understand.

Threat: An attacker could have physical access to your phone out of nowhere and you would have to comply (e.g.: police people in a border, during a manifestation, etc)
Countermeasure 1: Ephemeral messages
Countermeasure 2: Support for a panic button

Threat: Companies track you and create an ad profile with your data, you need a full feature replacement that you can use with your non tech savvy closed ones.
Countermeasure: An intuitive, easy to use, that has a lot of features to convince your friends to move on that does not profit with your data and offers E2EE.

I think I could give some more examples but first let me know if I committed some mistake.

Yeah its good point of view! in my vision is just something like:

  • Signal:
    Uses Phone number for signup (maybe this not fit your thread module)
    Encrypt all data include metadata
  • Riot:
    You can sign in using email (temp mail if you want)
    Server owner maybe can spoof your messages if you did not encrypt it

So yeah something like that because if you will add thread module to every product it will be really huge page

Great post.
Thank you really.

This would be a great thing for software engineers to follow and look at.

Like this?

1 Like

Wow, thisis such a huge work, kudos to you for the effort!
I would like to know what @infosechandbook thinks about it.

yup kinda like this

One thing that comes to mind after reading your message is the phone comparison at GSMArena. Mobile phones also have dozens of characteristics that are more or less important for the users - great processor, but the camera is not that good. Small screen but large storage space, etc.
Some criteria will simple come up out of their own - i.e. centralized/decentralized, requires other means of communication for activation (phone/email), requires an account or anonymous, private keys available to the server, etc.
SecureMessagingApps site is fairly interesting in that regard as it presents the full information in a grid format and has quite a few criteria identified. Some of these might be dubious or debatable. However, I like the 2-3 item selection and comparison of GSM Arena better visually.

Countermeasures exists for pretty-much anything. Like, “don’t use Internet, etc.” and should be a part of general culture (and/or documentation). I would not necessarily use them for comparison of chat programs or services.

Edit: Moreover, after reading several threads on GitHub, I’m more and more convinced that this model makes sense. The criteria that are not complete should simply be marked as such (or N/A, if not applicable). Volunteers could inspect the missing criteria and add them over time.
The end result would be to simply show the top N records, which tick the most checkboxes. Filters like platform support (i.e. looking for an Android client), servers in [choose your favourite place on Earth], etc. will help individuals identify their best options.

In general, recommendations by PTIO should provide the following information:

Being honest: What are the pros and cons of the recommended thing?

Oftentimes, recommendations only talk about benefits, or do not list any pros or cons at all. However, there are always limitations.

For instance, some e-mail server providers allow you to add an OpenPGP key to your account, so all incoming e-mails are automatically encrypted. A benefit is that someone breaking into your account can’t easily read your e-mails since they are encrypted. Two drawbacks are that e-mail metadata is still exposed, and this doesn’t add any security during mail transport from the sender to the recipient.

Understanding relevance: Why are the pros and cons relevant to the “typical” PTIO user?

Here, threats and threat modeling come into play, already explained above.

Improving transparency: How were pros and cons identified?

Contrary to one statement above, which is like “we don’t need sources for our claims”, we should allow users to verify the reliability of statements. There are many myths out there or some statements are based on outdated information.

For instance, is a statement based on hearsay, on a technical blog post, or on an independent code analysis?


Cool, thanks, I wasn’t aware of it until today:

Secure Messaging Apps Comparison | Privacy Matters

I do like a well-presented table.

Surely. In a PTIO context, each such gap and point of contention might refer to a focused debate i.e. a topic here in Discourse.

PS flashback to for reactions to a 2017 edition of the site. One of the comments referred to another very good comparison table, in a 2016 blog post that’s now archived:

Side note (linked from the opening post) closed in favour of:

Sadly this site hasn’t been updated since 20/05/18, check the changelog.

1 Like

Hint: Ask information security researchers, not “privacy advocates”.
In the end you’ll end up with the better security and privacy.

we don’t ask anyone. We make recommendations based on research and facts that you can trace back. if your just gonna blindly follow some other researchers opinion, then your just appealing to authority.