tags: software hardware service article
- Intro
- Software
- Service
- Is it open source?
- Is it non-KYC?
- Terms of Service / Code of Conduct
- Is it self-hostable?
- Does it rely on Cloudflare?
- Does their website require JavaScript?
- Do they accept cryptocurrency payment?
- What is the company behind it?
- Can you create an account without email / with temporary email / with email alias?
- What data is stored by the service / can you remove it?
- Hardware
- Other checks
Intro
In this article we will go through some important questions you should ask yourself before choosing a piece of software, hardware or a service to use or pay for. This will ensure you won’t sacrifice your security, privacy and freedom to a particular product or service.
Software
Is it open source?
This is the first question you ask yourself when judging software. Normally, you can find the source repository by searching for “[software name] source” with your search engine. The code is usually hosted on platforms like GitHub, GitLab, Codeberg, Gerrit, SourceHut, Gitea, etc. The software license is found in a file named LICENSE.* in the root of the source code folder. GitHub automatically detects the license and displays it in the sidebar on the right of the page (see screenshot). Sometimes software is distributed without a license, making the code public domain. Non-licensed software does not restrict you: while entities like the FSF consider non-licensed software copyrighted, this doesn’t prevent you from running, reviewing, modifying, and distributing the software under any terms.
Is it free (libre) software?
Occasionally, the source code is accessible to the public but protected by copyright or a non-free license, making the software “source-available”. This practice is detrimental to open source software, and therefore source-available software should be avoided.
Is it maintained?
Software that is not actively maintained may have security vulnerabilities or bugs. Software that does not go online, does not require root privilege to run and, most importantly, does not deal with sensitive data (like passwords or encrypted files) is generally safe to use even if it’s unmaintained. Web browsers, messengers, and crypto wallets should be kept up to date for security and stability. You can tell whether the software is maintained by looking at its latest git commits (see screenshot below).
If it provides security/privacy/anonymity - how?
TL;DR: doubt their claims, do your own research.
Service
Is it open source?
Verify that both the frontend (app, website) and the backend (server side) of the service are free and open source. For example, the Telegram client is licensed under GPLv3, while its backend is proprietary.
Is it non-KYC?
KYC (Know Your Customer) is a policy that requires users to prove their identity to use a service. It is unsafe to share personal details with third parties, as they could be leaked or sold. To find awesome non-KYC services, visit kycnot.me.
Terms of Service / Code of Conduct
These are agreements between the developer and the user that determine how the service should or should not be used. For a quick summary of the key points of a ToS, visit ToS;DR or use their browser extension.
Is it self-hostable?
The safest way to use an online service is to host it yourself. Some networks are peer-to-peer and can’t be self-hosted.
Does it rely on Cloudflare?
Cloudflare is a privacy nightmare and it is better to avoid it. To detect and block cloudflared websites, use the ‘Block Cloudflare MITM Attack’ browser extension for Chromium and Firefox.
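A manual alternative to the extension is to look at the response headers a site sends back, since Cloudflare’s edge stamps them with its own markers (Server: cloudflare, CF-RAY, CF-Cache-Status, and cookies such as __cf_bm or cf_clearance). The following script is an added example, not part of the original article or of the extension; the two sample header lists are constructed, and the live `fetch_headers` helper only runs when you pass a URL on the command line.

```python
import http.client
import sys
import urllib.parse

# Markers Cloudflare's edge adds to responses (header names compared
# case-insensitively); None means presence alone is the signal.
CF_MARKERS = {"server": "cloudflare", "cf-ray": None, "cf-cache-status": None}
CF_COOKIE_PREFIXES = ("__cf_bm", "__cfduid", "cf_clearance")


def cloudflare_indicators(headers):
    """Return the Cloudflare markers found in (name, value) header pairs.

    Takes the pair list from HTTPResponse.getheaders() rather than a dict,
    so repeated Set-Cookie lines are not silently collapsed.
    """
    found = []
    for name, value in headers:
        key, val = name.lower(), value.strip().lower()
        if key in CF_MARKERS:
            expected = CF_MARKERS[key]
            if expected is None or val.startswith(expected):
                found.append(key)
        elif key == "set-cookie" and val.startswith(CF_COOKIE_PREFIXES):
            found.append("cookie:" + val.split("=", 1)[0])
    return found


def fetch_headers(url, timeout=10):
    """HEAD the URL over HTTPS and return its raw header pairs (needs network)."""
    parts = urllib.parse.urlsplit(url)
    conn = http.client.HTTPSConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses, not captured from any real site.
SAMPLE_CLOUDFLARED = [("Content-Type", "text/html"), ("CF-Cache-Status", "DYNAMIC"),
                      ("Set-Cookie", "__cf_bm=abc123; Path=/; Secure; HttpOnly"),
                      ("Server", "cloudflare"), ("CF-RAY", "0123456789abcdef-AMS")]
SAMPLE_PLAIN = [("Content-Type", "text/html"), ("Server", "nginx/1.24.0"),
                ("Set-Cookie", "session=xyz; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CLOUDFLARED
    print(cloudflare_indicators(hdrs) or "no Cloudflare markers found")
```

An empty result only means no marker was seen on that one response; a site can still route some paths or subdomains through Cloudflare, so check the pages you actually use.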
Does their website require JavaScript?
JavaScript code can be used for fingerprinting, so it is advised to disable it in your browser to avoid de-anonymization. On Chromium-based browsers you can do this through per-site settings, or use uBlock Origin hard mode (recommended) or the NoScript extension, both available for Firefox and Chromium.
Do they accept cryptocurrency payment?
If the service requires payment or accepts donations, using cryptocurrency is the only way to send funds without revealing your identity. The best anonymous cryptocurrency is Monero. Other cryptocurrencies, like Bitcoin or Ethereum, can be exchanged to Monero via anonymous P2P exchanges, like Bisq, or anonymized with mixing services, like unijoin.io. To find services and stores that accept crypto payments, visit Cryptwerk (you can filter by currency). To find places to spend crypto near you, visit BTC Map or download their FOSS Android app. To find exchanges near you, visit Coin ATM Radar (WARNING: this website is cloudflared and its mobile app is proprietary).
What is the company behind it?
Investigate the company’s executives, sponsors, and motivations for providing the service. Check for any reports of leaking/selling data to third parties or authorities.
Can you create an account without email / with temporary email / with email alias?
Some services blacklist temporary email / email alias addresses or, even worse, only allow whitelisted email providers to register. Don’t use such services.
What data is stored by the service / can you remove it?
Visit JustDeleteMe or install their extension to learn how to delete your account and personal data from the service. Alternatively, visit JustGetMyData or JustWhatsTheData to obtain your data or learn what part of it is stored by the service.
Hardware
Is the firmware / driver open source?
Check whether the firmware / driver for the hardware is open source. Proprietary firmware / drivers may contain backdoors or vulnerabilities, which are much more dangerous there than they would be in userspace.
Motherboards normally come with a proprietary UEFI/BIOS firmware, but sometimes an alternative can be installed [ADD LINK].
Some computer parts require proprietary drivers to work properly; you can check your hardware for compatibility with Linux on linux-hardware.org or use their desktop app to make a probe yourself, but since Linux includes some proprietary drivers (also called blobs), you can visit EFF’s h-node to find hardware compatible with the de-blobbed fork of Linux, Linux-libre.
Are parts available?
Ideally, hardware manufacturers should provide replacement parts for their devices; DIY hardware projects could provide shopping lists instead. When possible, models for 3D printing should also be available. This ensures that users can easily obtain replacement parts or upgrade the hardware, contributing to its lifecycle.
Example:
Is documentation available?
Firmware development resources, datasheets, schematics and other kinds of documentation allow users to repair or modify their hardware freely and therefore extend its lifecycle.
Examples:
Is it repairable by design?
Check whether the hardware is designed with repairability in mind. Repairable design features, such as modular components, a replaceable battery and accessible connectors, make it easier for users to fix issues or replace parts, extending the lifespan of the hardware.
Examples:
- Fairphone features a user-replaceable battery and sells spare parts for their phones.
- Framework features modular laptops with replaceable parts, provides repair guides and sells spare parts.
Other checks
Things listed here are specific to certain use cases and have a quick way to check.
Linux software: Is it available in a distro-specific packaging format? - check on repology.org
Android app: Does it contain trackers? - check on Exodus Privacy or download their app or download ClassyShark3xodus
Android app: Does it run on a de-googled Android? - check on Plexus
Android app: Does it run on a rooted Android or with microG? - download and check with Sapio
XMPP client: Does it support OMEMO encryption? - check on Are we OMEMO yet?
XMPP client: What XEPs does it support? - check on XMPP Software Comparison
XMPP public server: What XEPs does it support? - check on XMPP Compliance tester
Bitcoin wallet: Is it secure? - check on WalletScrutiny