Privacy Tool Recommendations Should Come with Caveats
A few years ago, my enthusiastic recommendation of Tuta Mail to a friend new to privacy tools backfired. He struggled with the user interface, found the constant updates annoying and was not happy with Tuta's limited search capabilities. He dropped Tuta and transferred to Outlook. I interviewed him about his reasons in Why my Friend Quit Tuta Mail.
While I chat to my friend on Signal, I imagine he'll think twice about adopting any new privacy tools on my advice. Looking back on this, I should have
- advised my friend about Tuta
- explained why Tuta has superior privacy and security
- warned him about potential frustrations and pitfalls
It's this third part I want to highlight today. We can advocate for privacy and be realistic at the same time; evangelism can backfire, and it's a simple truth that many small frustrations in my digital workflow are a direct result of my decision to use privacy tools. It doesn't hurt to warn others when we advise them to switch.
I'll use the steelman approach I used in Privacy Tools Are Not Worth the Hassle and not pull punches in describing these issues.
Here they are:
Encryption makes things difficult
Just last week, Tuta published their blog article Easier inbox rules, Faster Sync, & Search! (+More). While this is good news (I still need to test these improvements), it's worth noting that I've been dealing with Tuta Mail's frustratingly difficult and slow search function for nearly 8 years now.
Enabling the search for your mailbox consumes memory on your device and might consume additional traffic.
(warning on Tuta Mail when you initiate a search)
Up until now, doing a search on the desktop application involved setting the date parameters for your search, reading the warning above and waiting a long time. I was told that encryption makes seemingly simple things, like searching all your mails, hard.
Managing your own encryption keys is scary
When setting up an encrypted service like Ente Photos or Standard Notes, you are responsible for storing your password. If you lose it, you lose your photos, your notes. It can be hard to get that point across today, where everyone is used to recovery options for lost passwords.
Compartmentalisation can be tedious
I used Firefox's container option when browsing. I like the idea but it's an extra step when logging in (I get asked how I want to open the site). I also get the feeling that if I log in after I've engaged with a given website, I usually have to start over once logged in via the Firefox container.
I use different devices for work, and different users on devices for different purposes. To get to my work email, I have to start up a dedicated laptop or reboot into another operating system on this PC.
On GrapheneOS, when I want to check my bank account, I have to switch to my Google environment user. Sending information between different users can be difficult too. I'll take a screenshot in one GrapheneOS user and have to then upload that to my Nextcloud server in order to access it on my main user. There are solutions for this, but they have not worked for me.
Using a password manager and 2FA introduces annoying extra steps
I use KeePass for everything. I also close apps, like browsers, when I'm done with them, and I like to turn my PC off at night sometimes to give myself a break from my digital life. As a result, I have to open my KeePass database regularly, type in the master password, find the relevant entry and execute an auto-fill with a keyboard shortcut (which sometimes 'misfires') whenever I want to do anything account related. I save passwords in desktop apps but don't like to do this in my browser.
For two-factor authentication I use the open source phone app Aegis Authenticator. Using 2FA when logging in to important services is essential for security, but it is annoying to have to find my smartphone, type in the Aegis password and copy the temporary number in order to access a website. I worry that these little 2FA tasks will accumulate over time.
Alternative search tools can be puzzling
My last article was an interview with Bruno, the software engineer of Uruky, a privacy search engine that you have to pay for. I'm a fan of Uruky and have started paying for it, but have also been honest with Bruno about my frustrations.
If you leave the Settings as the default, then you end up with quite unexpected search results, as Uruky puts the most privacy-focused Web Search Providers at the top. Only when I reordered the search providers did I get expected results. I also had to jump through a few hoops in order to not have to add my account number each time I started my browser, something Bruno helped me with. Lastly, image search was non-existent when I started, though it's in beta now.
Federated social media platforms can feel limited and lonely
I killed my (music-focused) Instagram account and started a Pixelfed one. I heard the distant eagle cry and saw the tumbleweed roll through deserted streets. I now use Pixelfed to host images for this blog.
Mastodon is growing and more active than before. It's good for privacy and tech topics, but I don't know how well it holds up for knitters, musicians and gardeners compared to mainstream social media counterparts.
I've watched the tutorial videos and read the blog posts. I still don't really understand how the Fediverse works or how to connect to people on different instances. I wouldn't be able to explain it well to others.
Custom ROMs can cause frustration and the developers keep fighting
Flashing CalyxOS, GrapheneOS and /e/OS onto the right device is really quite easy nowadays, but you can't be guaranteed an experience identical to iOS or Google Android. Banking apps and government apps can be tricky, and some apps (strangely, the McDonald's app) won't work at all.
With continued dependence on existing devices and operating systems, the future of alternative mobile operating systems never feels secure.
The custom ROMs world is a battlefield, with accusations flying back and forth. It's not a discourse you want to expose someone new to privacy to right away.
Deleting social media and messenger apps can be isolating
I've deleted all my personal social media accounts and stopped using WhatsApp. I miss out on things. My neighbours all talk about the day-to-day runnings in the building, conversations I'm oblivious to. They forget I (and one other family) are not on there and assume everyone's read about the leak in the building.
My first ever blog article describes how, when I deleted Facebook, some colleagues stopped talking to me at work, because they assumed I'd unfriended them.
For better or worse, I've missed out on most extended family connections and have not been able to maintain more than a handful of friendships with people abroad. However, the most important people to me are on Signal, so perhaps that works as a kind of natural filter.
Deleting social media can lead to missed financial opportunities
Facebook and other platforms can be good for small business and the second-hand market. I like pro-audio equipment and have missed out on a lot of purchasing opportunities...but this is probably for the best.
Privacy-first VPNs don't work half the time
I love Mullvad VPN but have to turn it off quite often in order to be able to access online content. For better or worse, Reddit won't let me sign on with Mullvad VPN running, and government sites give me server errors. I don't really mind, but can't help but notice that the frequency of these events is increasing.
I can't really use Mullvad for geolocation stuff (watching Netflix in another territory) but I can live with that.
I couldn't print at home for months, until I learned that you need to enable Local network sharing in the settings. It's something you just have to know.
AppImages are a pain in the backside
The more privacy tools I run on my Linux PC, the more often I have to download and manage AppImages. These are neat, all-in-one software packages, but they require attention. You have to change permissions for each AppImage you download, including updated versions of software you already have.
This is where Tuta Mail's way-too-frequent updates (sometimes over 5 times a month) really began to do my head in, as I had to keep manually deleting the old image, downloading the new one, changing permissions and running it, until a kind person pointed me in the direction of Gear Lever, which manages all of this for you.
Graphical User Interfaces can look dated
Thunderbird, KeePassXC, VeraCrypt, various RSS readers...I personally don't mind a dated look in software, but it can be off-putting to others.
Open source maps can give bad information
I always go to Organic Maps or CoMaps first when travelling abroad, but very often find that a particular restaurant or shop listed on the map is long gone. These tools generally work well for basic navigation, though sometimes it takes a while to pinpoint my own location on the map, and I tend to need Google Maps for up-to-date information on stores and restaurants.
Self-hosting is a job that comes with responsibilities
Nextcloud is a stable cloud storage platform that you can self-host without too much technical know-how. I've been running my own server on a dedicated PC for years now and have had very few issues. My kids have started backing up some of their files on there, I've made accounts for friends and I've even started using it professionally.
Because Nextcloud is so stable, you do get lulled into a false sense of security. At the time of writing, I've fallen behind on doing my extra backups, and a power outage at home while I'm abroad would cause big trouble.
I've kept my pCloud subscription for this reason, but have started moving more data over to my self-hosted server. I just need to not forget how important it is to manage this data well.
Recommendations keep changing
"Extra! Extra! Bitwarden is no longer trustworthy!"
At the time of writing, my kids are using Bitwarden for their passwords, because managing their own KeePass database is a bit too tricky. I've recommended Bitwarden to family members and even at work. But now I'm hearing about Bitwarden compromises and I'm not sure where to go with that. Do I wait to see how the story develops? Do I get my kids to move their data to another tool? Do I warn family members and colleagues that I've recommended the tool to, as they won't be following privacy updates as closely as I do? This is not the first time I've been here.
Conclusions
I am not trying to discourage anyone from switching to privacy tools; my blog project should be a clear testament to that. However, I'm not a proponent of evangelizing. I've seen well-intentioned threads like Taking a stand in your circles that make the privacy community look conspiratorial and cult-like.
Privacy is more important than ever, and privacy tools play a key role in the fight against surveillance and tracking. But pulling the wool over someone's eyes as they adopt a new tool just to 'onboard them' will backfire. It's better to be transparent about the issues up front, because they're going to be running into them.
This is why first recommendations should be the low-hanging fruit ones: change your browser to Firefox with uBlock Origin or Brave, and your search engine to DuckDuckGo. Use Signal. Thank god for those easy, no-brainer starting points.
There are many potential retorts to the issues I've described here. I know about many of them, and I've tried many of them. Some have worked, like Gear Lever for managing AppImages, and some have not. I am still unable to move files between different user profiles on GrapheneOS, despite my best efforts. The bottom line is that while switching to privacy tools has made my digital life better, it hasn't necessarily made things easier.
There are days when the little frustrations build up. As I'm writing this article, I've run into a conundrum. I am trying to get to the Settings menu for Uruky, so I can see what the names of the listed Web Search Providers are for this article. I am not currently logged in, and my browser has forgotten my account number. So I open my KeePass database, search for 'Uruky', but this comes up blank: it looks like I forgot to create a KeePass entry for Uruky when I began paying for the service. Perhaps I did create an entry but had a dated version of the database open, or perhaps I just forgot to do it. In any case, I now can't get into my Uruky settings, because Uruky doesn't store emails regarding payment for long, and neither should they.
On most days, these things don't matter. I love that I can do something about my digital privacy and am grateful to the engineers that make it possible. But there are days when I want to pull my hair out in frustration, and it's only fair to be honest about that too whenever I recommend a privacy tool to someone else.
Documentation
I like this video where Side of Burritos explains how he sets up different users on GrapheneOS:
GrapheneOS: After 3 Years, This Is How I Install Apps on My "De-Googled" Phone
Some related previous posts:
Ente Photos, a Privacy-first Photo App
Onboarding I: Digital Privacy Tools
Privacy Tools Are Not Worth the Hassle
Moving from Gmail to Tuta Mail