The Ultimate Guide to Privacy and Security Tools

Online security and anonymity

• ProtonVPN makes your connection go through one or several servers before reaching its destination, which makes it very complex for someone to discover your IP address, or match online activities to your IP address. An IP address is a network’s unique identifier provided by your ISP (Internet Service Provider), whether it’s from a mobile data plan or an at-home router.
• Each session generates its own encryption key.
• Another interest of VPNs is the ability to channel your traffic via other countries. Don’t hesitate to check privacy laws there. For instance, ISPs in the United States, China, and France are required to hand logs over if the government asks for them. Here’s an interesting comparison among 13 countries.
• Proton VPN is open source.
• The company is regularly vocal about protecting journalists and activists, as well as freedom of speech. 50% of their July and August revenue from Hong Kong is to be donated to 2 organisations expected to make a ‘meaningful impact on democracy and rule of law for Hong Kong residents’. 

• They prevent their users’ connection and history from being handed over to any third party.
• Your Internet Service Provider doesn’t know what websites you visit.
• You can browse the Internet from different countries.
• Using your true IP address, governmental authorities in most countries can require ISPs to provide them with the identity of whoever subscribed to the associated Internet plan.

• Brave is an open source web browser that blocks most invasive ad trackers. It’s like having AdBlock or uBlock, but you don't have to install anything on top of your browser. You can configure it to adapt it to your specific needs.
• It's built on top of Google’s open source version of Chrome: Chromium. As a result, most browser extensions built for Google Chrome automatically work on Brave.
• Brave (amongst other goodies) supports the Tor network which allows you to limit the possibilities of disclosure and tracking of your IP addresses.

• Brave is great if you want a hassle-free privacy-oriented browser - please note it isn't foolproof, nothing is. You will be tracked by some, but at least you'll block most identifiable trackers.
• You can use it on Windows, MacOS, GNU/Linux, iOS and Android.
• It’s one of the simplest ways to connect to the Tor network.

• Exact GPS location
• Date and time your photo was taken
• Information on your device: unique ID number, manufacturer, model
• Camera settings: compression, orientation, aperture, shutter speed, focal length, whether the flash was used, etc.

• Exif has been used to locate people and events. The location data can be very precise, and even include your phone’s orientation at the time of the photo, via the GPSImgDirection tag.
• Painting over faces and any identifying details can also protect you. Just make note that covering a zone seems safer than blurring it, as blurring could be reversed - with varying accuracy.
• It is free software (under MIT license).
• It’s a web tool, you don’t need to download anything to use it. It’s perfect to be used on the fly.

Passwords and authentication

• Something I know: any type of password, code, information
• Something I am: biometrics
• Something I own: a specific object or device

• Multi-factor authentication is an additional layer of security compared to single-factor authentication. It's some kind of safety net in case someone has your password and wants to break into your account.

• MFA can also be an interesting protection against credential stuffing attacks.

• LessPass is an open source tool created by @guillaume20100.

• Given several parameters, it provides you with strong and customisable passwords.

• It works like a hashing tool: it uses the URL you are on, your username/email, a (possibly unique) strong password and a few settings (length, symbols, numbers, etc.) to generate your hard-to-guess unique password.

• It’s a stateless tool, meaning that nothing is stored, and therefore nothing can be stolen. I have been using it for nearly 3 years, and I enjoy the philosophy and simplicity of statelessness.

• LessPass is available as a browser extension, a website and an Android application.

• The specific advantage of LessPass is that you only have 1 password to remember for all your accounts, while also being protected against evil hackers (brrr) who might break into your password vault, because *pause for dramatic effect* there is no vault. Thus, there is no vault to break into. Unstoppable. We love it.

• It’s highly customisable, as you can see in the screenshot below

• It’s a web tool allowing you to check whether your email address has been part of one or several data leaks. It also lets you know which platforms leaked your private information.

• You can register an email or a whole domain name to be notified whenever they're included in new data breaches.

• Have I Been Pwned was created and is maintained by Troy Hunt. He has received several awards from Microsoft, recognising his contribution and evangelisation of Microsoft technologies. He has also testified before the US congress on the topic of data breaches.

• The tool is about to be open sourced.

• Not all companies victims of data breaches notify you, even though companies operating in the EU should legally send a notification for a personal data breach within 72 hours.

• Even when most of them do send an email to their userbase after an incident, those emails might end up in SPAM or not be read. Have I Been Pwned is quite an exhaustive and quick way to know when and by whom your password, email address or other private information has been leaked.

Conversations

• This is the email tool from the company that provides the ProtonVPN service we’ve mentioned above.

• Storage on ProtonMail's servers and transmission between the servers and users' devices are encrypted.

• Emails between ProtonMail users are end-to-end encrypted. It’s also possible to encrypt emails when your contact is on another provider.

• They use proven open source cryptographic algorithms.

• ProtonMail's web client is open source.

• Contrary to most email providers, ProtonMail can't read or search your emails to extract information (thanks to end-to-end encryption).

• Also contrary to many big providers, with ProtonMail your data isn't stored in the US, it's stored in Switzerland which has strict privacy laws.

• You don't need to provide any personal information to create your ProtonMail account, it can be reasonably anonymous.

• Telegram is a messaging service built by a Russian team who moved to Dubai because of Russian IT regulations.

• Official clients are open source.

• You can create ‘secret chats’ which are end-to-end encrypted. As we explained, this means that no one at Telegram can access what you share there.

• The team also recently announced end-to-end encrypted video calls.

• While working on the Image Scrubber part of this article, I first tried sending myself the photo via Telegram. As I tried scrubbing it, I noticed that Telegram had automatically scrubbed the Exif and renamed my file. Nice. Here’s a screenshot from my computer. On the left, you have the picture I sent myself via Gmail. It has the original name - giving away the date and time of the photo - and carries the Exif data. On the right is the file I sent myself via Telegram - which features a randomised name, and no Exif at all.

• Default chats are only server-side encrypted.

• Some cryptographers said the encryption algorithm isn't as secure as Signal's. That being said, it seems to remain unbroken to this day.

• It's a reasonably secure way to easily share encrypted messages and media.

• It has a nice interface and plenty of useful features: you can share your geographical position, send small voice and video messages, create bots, groups and have encrypted voice calls.

• As it is now widely used around the world, there is a plethora of groups and channels you can join on various topics.

• Whereby is a web-based tool for video calls.

• This Too Shall Grow is on the free plan, where as mentioned in the privacy policy, video and audio are: 1) peer-to-peer transmitted in most cases, meaning that information doesn't travel through Whereby’s servers, and 2) end-to-end encrypted.

• Even though it’s limited to 4 participants per call, the free plan offers super convenient features, such as locking/unlocking a room, screen sharing, recording, having a meeting timer, text-based chatting. It also has various third-party integrations (Trello, Miro, etc.).

• The UX is great, the brand design is lovely.

• Encryption protects your Whereby data from being shared with advertisers or governmental authorities. Zoom recently explained that calls on their free plan wouldn’t be end-to-end encrypted, purposely so that they could be given over to the FBI and ‘local law enforcement’. Following this declaration, the company received a heavy backlash, which has since led them to implement end-to-end encryption for all users.

• Consent is super explicit. Below is a screenshot of This Too Shall Grow’s account settings. They also have extremely clear privacy and cookie policies.

Local safety

• It encrypts your phone, so that whenever you turn it on, you need to enter your encryption key on top of your PIN code.

• You don’t need to install anything to encrypt your phone. Just go to your settings, as this feature is offered by all OSs.

• If your phone gets lost or stolen while it’s turned off, whoever has it won't be able to access its contents without the encryption key.

• When you dispose of your smartphone, encryption makes recovery of your files close to impossible.

• It’s a sliding cover on top of your webcam.

• It physically prevents your camera from capturing what's facing it.

• Make sure that your screen can handle a webcam cover, as some have been known to crack. 

• In case someone obtains remote access to your personal device (through malware or an unpatched service on your OS for instance), they might be able to turn your webcam on, in some cases even without the indicator notifying you.

• Such stealth recordings can be used as extortion material and/or shared online against your will.

• NSA’s XKeyscore collects webcam images, among other things.

Note-taking

• Notebag is an indie product created and developed by @pretzelhands. 

• It’s a note-taking app stored locally. It’s encrypted, and you're the only person who has the key. This means that if you lose your files, your device, or your encryption key, there’s no way to recover your data.

• It’s convenient and well-thought out. The app supports markdown and bi-directional linking. It’s keyboard compatible and accessible, meaning you can navigate and write notes almost entirely with keyboard shortcuts. (We wish more software was keyboard compatible.)

• Notebag comes with a public roadmap and open voting, for you to promote the features you wish for.

• It’s an encrypted note-taking tool, filled with convenient features.

• Because it’s made by an indie maker and has an open roadmap, you actually have a say in how the product develops. If you go on Spotify’s or Brave’s feature requests forums, you’ll see an ocean of entries and comments and closed topics and it feels like nothing moves forward. Notebag’s roadmap provides a lovely contrast to those communities.

• Dillinger is an indie product first built by Joe McCann and then Martin Broder.

• It's a web-based markdown editor that allows you to export documents as PDF, markdown, HTML and styled HTML.

• It's open-source.

• It keeps your documents in your browser's storage so you don't have to manually save everything to your filesystem.

• It's a quick and easy-to-use markdown editor since you don’t have anything to install.

• You get an instant preview of your markdown content.

• You can export your documents to various cloud storage services, including Github, Google Drive, and Dropbox.

• You can also import markdown files and HTML files directly into Dillinger.

Other

• Page views

• Referrals (sometimes down to the exact tweet)

• Screen sizes

• Browsers

• Countries

• No IP address collection

• No use of cookies

• User agents are anonymised

• They have a public roadmap, where you can discuss tasks and request new features

• Born in 1996, VLC is the iconic ‘traffic cone’ media player. It’s free software, in both senses of the word.
• It’s filled with cool features. For instance, if you’re looking for subtitles, VLC lets you search for them by hash. How does it work? VLC creates a hash of your video file, and compares it to a database full of video hashes and their subtitles files. Once it finds a match, it prompts you to download the corresponding subtitles file. This is faster than processing your heavier raw video. It can also read some ‘broken’ videos, convert media into another format, and extract a video’s audio track.
• VLC doesn’t track you in any way.
• It can read every media format.
• It is available on - brace yourselves - 23 platforms.

👉 Why you might want to use it

• VLC is an extremely versatile media player.
• It’s respectful of your privacy.
• Even though the UI is a bit dated, you will get by.

Wanna dig deeper?