What is the problem?
Every day, people interested in privacy and information security ask questions on different websites (e.g., on this forum, on Reddit, on GitHub, in the Fediverse).
While there are actually some practices in information security that are widely considered good, data protection and privacy are anything but globally standardized. Moreover, as pointed out by Claudio Guarnieri (Amnesty International) at the 2019 Honeynet Project Annual Workshop, most good practices only consider the Western culture. Therefore, the terms “secure” and “privacy-friendly” are at least whishy-washy.
However, some people replying to these questions present their recommendations as “the only truth” and “the most secure and most private way to go”, totally ignoring any threat models or use cases.
Windows? How dare you?
Somebody asks for ways to secure Windows. Then, some answers are like “Windows, seriously? How dare you? Migrate to Linux! It is the most secure and most private operating system.” (Also see Toxic User Mentality?)
The person then asks, “Are there any disadvantages when switching to Linux?”. People answer: “No, there are absolutely no disadvantages.” So what if this person wants to play their favorite games that are only available for Windows? What if this person needs software in general that is only available for Windows? What if this person runs into problems after switching to Linux? Then, oftentimes answers are like “Ugh, works for me, so these are your problems.”
Furthermore, Linux isn’t a specific operating system, but a family of operating systems based on the Linux kernel. There are hundreds of different Linux distributions and most come with their own pros and cons (see What Linux distro do you all use?).
Even Linux users can’t agree on “the best” Linux distribution, and recommendations look like:
- Person B: Use Ubuntu!
- Person C: No, don’t use Ubuntu! They are sending data to Amazon! Use Debian!
- Person D: No, don’t use Debian! They are shipping old packages! Use Arch Linux!
- Person E: No, don’t use Arch Linux! It isn’t beginner-friendly! Use Linux Mint!
An endless stream of instant messengers
Somebody asks for a secure instant messenger. Immediately, people list dozens of different instant messengers. Everybody claims that their favorite messenger is the most secure and most private one.
Then, the journey starts again:
- Person B: Use Signal!
- Person C: No, don’t use Signal! It uploads your phone book and you need a phone number!
- Person D: Not true! You can use Signal without read access to the phonebook and provide a burner phone number!
- Person E: Yeah, but is centralized! You must use decentralized messengers! Use Matrix!
- Person F: No, don’t use Matrix! It is awful, broken and an XMPP clone! Stay with messengers based on XMPP! There are clients for every operating system!
- Person G: No, don’t use XMPP! Server admins can see and modify all of your contacts, groups, and much more!
- Person H: Bullshit! You can host your own server and use OMEMO! Then you are safe!
- Person I: I can’t use XMPP-based messengers since they don’t work on my iPhone!
- Person H: Oh, how can you seriously use an iPhone? Switch to Android!
These are only two examples of a phenomenon that oftentimes can be observed: Everybody considers their opinion to be “the only truth”, and ignores valid points of others. Some people then provide out-of-date blog posts or stories written by non-technical people (who never verified their claims) to prove their points.
However, is all of this helpful for the person who originally asked something different? Presumably this isn’t the case.
What could be a solution?
As originally suggested on GitHub, PTIO should introduce a transparent catalog of criteria for software and services. For services, there are already suggestions by @LizMcIntyre . Furthermore, PTIO should define a list of typical threats that need to be considered when evaluating software and services. Finally, recommendations should come with sources for statements and recommendations should be regularly and transparently reviewed.
Besides, discussions are really fragmented at the moment: There is Reddit, there is this forum, there is GitHub, and there are likely other platforms where people discuss the same problems over and over again. So maybe there is a way to centralize such discussions.