Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer.

Read also:

• Nothing to hide argument (Wikipedia)
• How do you counter the "I have nothing to hide?" argument? (reddit.com)

The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other’s citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes), however Five Eyes and third party countries can and do spy on each other.

Why is it not recommended to choose a US based service?

Services based in the United States are not recommended because of the country’s surveillance programs, use of National Security Letters (NSLs) and accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.

An example of this is Lavabit – a discontinued secure email service created by Ladar Levison. The FBI requested Snowden’s records after finding out that he used the service. Since Lavabit did not keep logs and email content was stored encrypted, the FBI served a subpoena (with a gag order) for the service’s SSL keys. Having the SSL keys would allow them to access communications (both metadata and unencrypted content) in real time for all of Lavabit’s customers, not just Snowden's.

Ultimately, Levison turned over the SSL keys and shut down the service at the same time. The US government then threatened Levison with arrest, saying that shutting down the service was a violation of the court order.

Related Information

• Avoid all US and UK based services
• Proof that warrant canaries work based on the surespot example.
• http://en.wikipedia.org/wiki/UKUSA_Agreement
• http://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_order
• https://en.wikipedia.org/wiki/Key_disclosure_law
• http://en.wikipedia.org/wiki/Portal:Mass_surveillance

Sortable VPN Providers Table	Yearly Price	Free Trial	# Servers	Jurisdiction	Website
	54 €	Yes	162	Italy	AirVPN.org
	45 €	No	5	Sweden	AzireVPN.com
	99 €	No	27	Hong Kong	blackVPN.com
	$ 52	Yes	18	Iceland	Cryptostorm.is
	$ 33	No	6	Seychelles	Doublehop.me
	39,99 €	No	432	Northern Cyprus	EarthVPN.com
	$ 35.88	No	27	Sweden	FrootVPN.com
	$ 65.04	Yes	88	Malaysia	hide.me
	$ 99.96	Yes	21	Gibraltar	IVPN.net
	60 €	Yes	23	Sweden	Mullvad.net
	$ 69	Yes	475	Panama	NordVPN.com
	$ 84	Yes	24	Sweden	oVPN.se
	124.95 €	No	41	Panama	Perfect-Privacy.com
	$ 90	No	300	Seychelles	Proxy.sh
	$ 39.95	Yes	48	Seychelles	Trust.Zone
	$ 39.99	No	122	Hong Kong	VPN.ht
	$ 35.88	No	80	Sweden	VPNTunnel.com

A warrant canary is a posted document stating that an organization has not received any secret subpoenas during a specific period of time. If this document fails to be updated during the specified time then the user is to assume that the service has received such a subpoena and should stop using the service.

Warrant Canary Examples:

1. https://proxy.sh/canary
2. https://www.ivpn.net/resources/canary.txt
3. https://www.vpnsecure.me/files/canary.txt
4. https://www.bolehvpn.net/canary.html
5. https://lokun.is/canary.txt
6. https://www.ipredator.se/static/downloads/canary.txt

Related Warrant Canary Information

• Warrant Canary Frequently Asked Questions
• Companies and organizations with warrant canaries

When you visit a web page, your browser voluntarily sends information about its configuration, such as available fonts, browser type, and add-ons. If this combination of information is unique, it may be possible to identify and track you without using cookies. EFF created a Tool called Panopticlick to test your browser to see how unique it is.

Test your Browser now

You need to find what most browsers are reporting, and then use those variables to bring your browser in the same population. This means having the same fonts, plugins, and extensions installed as the large installed base. You should have a spoofed user agent string to match what the large userbase has. You need have the same settings enabled and disabled, such as DNT and WebGL. You need your browser to look as common as everyone else. Disabling JavaScript, using Linux, or even the TBB, will make your browser stick out from the masses.

Modern web browsers have not been architected to assure personal web privacy. Rather than worrying about being fingerprinted, it seems more practical to use free software plugins like Privacy Badger, uBlock Origin and Disconnect. They not only respect your freedom, but your privacy also. You can get much further with these than trying to manipulate your browser's fingerprint.

Related Information

• How Unique Is Your Web Browser? Peter Eckersley, EFF.
• Join our discussion on reddit.com about browser fingerprinting.
• Our Firefox privacy add-ons section.
• BrowserLeaks.com - Web browser security testing tools, that tell you what exactly personal identity data may be leaked without any permissions when you surf the Internet.

While software like NoScript prevents this, it's probably a good idea to block this protocol directly as well, just to be safe.

Test your Browser now

How to disable WebRTC in Firefox?

In short: Set "media.peerconnection.enabled" to "false" in "about:config".

Explained:

1. Enter "about:config" in the firefox address bar and press enter.
2. Press the button "I'll be careful, I promise!"
3. Search for "media.peerconnection.enabled"
4. Double click the entry, the column "Value" should now be "false"
5. Done. Do the WebRTC leak test again.

If you want to make sure every single WebRTC related setting is really disabled change these settings:

1. media.peerconnection.turn.disable = true
2. media.peerconnection.use_document_iceservers = false
3. media.peerconnection.video.enabled = false
4. media.peerconnection.identity.timeout = 1

Now you can be 100% sure WebRTC is disabled.

Test your Browser again

How to fix the WebRTC Leak in Google Chrome?

There is no known working solution, only a plugin that is easily circumvented. Please use Firefox instead.

What about other browsers?

Chrome on iOS, Internet Explorer and Safari does not implement WebRTC yet. But we recommend using Firefox on all devices.

Stop tracking with "Disconnect"

Block Ads and Trackers with "uBlock Origin"

An efficient wide-spectrum-blocker that's easy on memory, and yet can load and enforce thousands more filters than other popular blockers out there. It has no monetization strategy and is completely open source. We recommend Firefox but uBlock Origin also works in other browsers such as Safari, Opera, and Chromium. Unlike AdBlock Plus, uBlock does not allow so-called "acceptable ads".
https://addons.mozilla.org/firefox/addon/ublock-origin/

Hinder Browser Fingerprinting with "Random Agent Spoofer"

A privacy enhancing firefox addon which aims to hinder browser fingerprinting. It does this by changing the browser/device profile on a timer. Source code: GitHub.
https://addons.mozilla.org/firefox/addon/random-agent-spoofer/

Automatically Delete Cookies with "Self-Destructing Cookies"

Automatically removes cookies when they are no longer used by open browser tabs. With the cookies, lingering sessions, as well as information used to spy on you, will be expunged.
https://addons.mozilla.org/firefox/addon/self-destructing-cookies/

Encryption with "HTTPS Everywhere"

A Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure. A collaboration between The Tor Project and the Electronic Frontier Foundation.
https://www.eff.org/https-everywhere

Block Content Delivery Networks with "Decentraleyes"

Emulates Content Delivery Networks locally by intercepting requests, finding the required resource and injecting it into the environment. This all happens instantaneously, automatically, and no prior configuration is required. Source code: GitHub.
https://addons.mozilla.org/firefox/addon/decentraleyes/

Stop cross-site requests with uMatrix

Many websites integrate features which let other websites track you, such as Facebook Like Buttons or Google Analytics. uMatrix gives you control over the requests that websites make to other websites. This gives you greater and more fine grained control over the information that you leak online.
https://addons.mozilla.org/firefox/addon/umatrix/

Be in total control with "NoScript Security Suite"

Highly customizable plugin to selectively allow Javascript, Java, and Flash to run only on websites you trust. Not for casual users, it requires technical knowledge to configure.
https://addons.mozilla.org/firefox/addon/noscript/

Content control with "Policeman"

This addon has purpose similar to RequestPolicy and NoScript. It's different from the former in that it supports rules based on content type. For example, you can allow images and styles, but not scripts and frames for some sites. It can also be set up to act as a blacklist.
https://addons.mozilla.org/firefox/addon/policeman/

Preparation:

1. Enter "about:config" in the firefox address bar and press enter.
2. Press the button "I'll be careful, I promise!"
3. Follow the instructions below...

Getting started:

1. privacy.trackingprotection.enabled = true
• This is Mozilla’s new built in tracking protection.
2. geo.enabled = false
• Disables geolocation.
3. browser.safebrowsing.phishing.enabled = false
• Disable Google Safe Browsing and phishing protection. Security risk, but privacy improvement.
4. browser.safebrowsing.malware.enabled = false
• Disable Google Safe Browsing malware checks. Security risk, but privacy improvement.
5. dom.event.clipboardevents.enabled = false
• Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
6. network.cookie.cookieBehavior = 1
• Disable cookies
• 0 = Accept all cookies by default
• 1 = Only accept from the originating site (block third party cookies)
• 2 = Block all cookies by default
7. network.cookie.lifetimePolicy = 2
• cookies are deleted at the end of the session
• 0 = Accept cookies normally
• 1 = Prompt for each cookie
• 2 = Accept for current session only
• 3 = Accept for N days
8. browser.cache.offline.enable = false
• Disables offline cache.
9. browser.send_pings = false
• The attribute would be useful for letting websites track visitors’ clicks.
10. webgl.disabled = true
• WebGL is a potential security risk. Source
11. dom.battery.enabled = false
• Website owners can track the battery status of your device. Source
12. browser.sessionstore.max_tabs_undo = 0
• Even with Firefox set to not remember history, your closed tabs are stored temporarily at Menu -> History -> Recently Closed Tabs.

Related Information

• ffprofile.com - Helps you to create a Firefox profile with the defaults you like.
• mozillazine.org - Security and privacy-related preferences.
• user.js Firefox hardening stuff - This is a user.js configuration file for Mozilla Firefox that's supposed to harden Firefox's settings and make it more secure.
• Privacy Settings - A Firefox addon to alter built-in privacy settings easily with a toolbar panel.

Email Service	Since	Server	Storage	Price / Year	Bitcoin	Encryption	Own Domain
OpenMailBox.org	2013	France	1 GB	Free	Accepted	Built-in	No
ProtonMail.ch	2013	Switzerland	500 MB	Free	Accepted	Built-in	Yes
Tutanota.com	2011	Germany	1 GB	Free	No	Built-in	Yes
Mailfence.com	2013	Belgium	200 MB	Free	Accepted	Built-in	Yes
mailbox.org	2014	Germany	2 GB	12 €	Accepted	Built-in	Yes
Posteo.de	2009	Germany	2 GB	12 €	No	Built-in	No
Runbox.com	1999	Norway	1 GB	$ 19.95	No	No	Yes
Neomailbox.com	2003	Switzerland	1 GB	$ 49.95	Accepted	Built-in	Yes
CounterMail.com	2010	Sweden	500 MB	$ 59	Accepted	Built-in	Yes
StartMail.com	2014	Netherlands	10 GB	$ 59.95	No	Built-in	No
KolabNow.com	2010	Switzerland	2 GB	$ 60	Accepted	No	Yes
CryptoHeaven.com	2001	Canada	200 MB	$ 66	No	Built-in	Yes

Interesting Email Providers Under Development

• Confidant Mail - An open-source non-SMTP cryptographic email system optimized for large file attachments. It is a secure and spam-resistant alternative to regular email and online file drop services. It uses GNU Privacy Guard (GPG) for content encryption and authentication, and TLS 1.2 with ephemeral keys for transport encryption.

Become Your Own Email Provider with Mail-in-a-Box

Take it a step further and get control of your email with this easy-to-deploy mail server in a box. Mail-in-a-Box lets you become your own mail service provider in a few easy steps. It’s sort of like making your own gmail, but one you control from top to bottom. Technically, Mail-in-a-Box turns a fresh cloud computer into a working mail server. But you don’t need to be a technology expert to set it up. More: https://mailinabox.email/

Privacy Email Tools

• gpg4usb - A very easy to use and small portable editor to encrypt and decrypt any text-message or -file. For Windows and Linux.
• Mailvelope - A browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
• Enigmail - A security extension to Thunderbird and Seamonkey. It enables you to write and receive email messages signed and/or encrypted with the OpenPGP standard.
• TorBirdy - This extension configures Thunderbird to make connections over the Tor anonymity network.
• Email Privacy Tester - This tool will send an Email to your address and perform privacy related tests.

Related Information

• Aging ‘Privacy’ Law Leaves Cloud E-Mail Open to Cops - Data stored in the cloud for longer than 6 months is considered abandoned and may be accessed by intelligence agencies without a warrant. Learning: Use an external email client like Thunderbird or Enigmail, download your emails and store them locally. Never leave them on the server.
• OpenMailBox keeps one year logs of meta-data - Forum discussion, reply of the server admin.
• With May First/Riseup Server Seizure, FBI Overreaches Yet Again
• Autistici/Inventati server compromised - The cryptographic services offered by the Autistici/Inventati server have been compromised on 15th June 2004. It was discovered on 21st June 2005. One year later. During an enquiry on a single mailbox, the Postal Police may have tapped for a whole year every user's private communication going through the server autistici.org/inventati.org.

Worth Mentioning

• K-9 Mail - An independent mail application for Android. It supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP.
• GNU Privacy Guard - Email Encryption. GnuPG is a GPL Licensed alternative to the PGP suite of cryptographic software. Use GPGTools for Mac OS X.
• Mailpile (Beta) - A modern, fast web-mail client with user-friendly encryption and privacy features.