Android

Warning: The Android operating system provided with phones and tablets is often modified with the addition of proprietary applications from Google or others and may compromise your privacy. We strongly recommend replacing it with either Replicant or CyanogenMod (or compile Android from source for your device).

A must read: Mission Impossible: Hardening Android for Security and Privacy, by Mike Perry at The Tor Blog.

App Store
Proprietary
Amazon Appstore
Google Play
DNS
Notes

Google Public DNS permanently logs your ISP and location information for analysis. Your IP address is also stored for 24 hours.

OpenNIC has not adopted an official policy concerning log query privacy/anonymization. More information here.

Proprietary
Google Public DNS
Email Accounts
Notes

For more email providers, take a look at Privacy-Conscious Email Services. Please decide for yourself whether you trust them with your data. For more discussion about safe email providers, please see issue #461.

MyKolab is hosted in Switzerland and benefits from the strong Swiss privacy laws. It is run exclusively with free software and using the service supports the development of Kolab. Also, it lets you export all your data at any time.

Riseup’s services may also be accessed via their Tor Hidden Service addresses. A list is available here.

Why not Hushmail? See 'compromises to email privacy'.

If you have the technical aptitude, consider running your own mail server.

Proprietary
Facebook
Gmail
Microsoft Outlook.com
Yahoo! Mail
Email Clients
Notes

Switching from a proprietary service like Gmail to one of the more transparently-run email services on PRISM Break is the first step to a secure email account.

The second step is getting you and your contacts to encrypt your plain text messages with PGP encryption. This section contains free email clients that support PGP.

Here is a guide by Security In A Box to encrypting your email with Mozilla Thunderbird, GNU Privacy Guard (GPG), and Enigmail.

Find out more about the differences between Mozilla Thunderbird and Icedove.

Proprietary
Email Encryption
Notes

“Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, e-mails, files, directories and whole disk partitions to increase the security of e-mail communications.”

PRISM Break does not recommend S/MIME email encryption because of its reliance on third-party certificates from central authorities. Read more here.

Experimental PGP projects worth looking at are OpenPGP Keychain (an APG fork) and GnuPG for Android by the Guardian Project.

Proprietary
File Storage & Sync
Notes

Cloud file storage is also available via Chwala/iRony components of Kolab with the capability to integrate various storage backends. Files are accessible via storage layer access options, WebDAV and Kolab web interface integrating Roundcube.

Tarsnap is not recommended on PRISM Break due to its lack of anonymous payment options and strict copyright on the client that makes it difficult to replace the service in the event Tarsnap is shut down.

BitTorrent Sync, MEGA, and SpiderOak are services that are built on either partially or fully proprietary software. They will not be recommended on PRISM Break until they open source the entirety of their codebase.

With closed source software, you need to have 100% trust in the vendor because there's nothing except for their morality in the way of them leaking your personal information. Even if you can vouch for their integrity, proprietary software invariably has more uncaught security bugs and exploits because there are fewer eyes examining the source code.

Another alternative to cloud storage is local backup with external hard drives and USB flash drives. This method is reliably more secure than storing data on a network, but comes at a convenience cost.

Proprietary
Dropbox
Google Drive
Microsoft OneDrive
Instant Messaging
Notes

“Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR uses a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides perfect forward secrecy and malleable encryption.

The primary motivation behind the protocol was providing deniability for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing.”

Note that Pidgin stores your IM account passwords in plain text. You can avoid this by (1) not saving your password in Pidgin, (2) encrypting your file system with software like TrueCrypt, or (3) storing your Pidgin password securely with the Debian package pidgin-gnome-keyring.

Pidgin with OTR and dbus enabled has a local security bug. See the upstream bug report for more information and possible workarounds.

The Guardian Project hosts a fantastic how-to guide to chatting securely on Android with ChatSecure.

Threema is not recommended by PRISM Break as it is closed source software. Freely available source code is a necessary condition for privacy and security.

Proprietary
AOL Instant Messenger
Apple Messages
Facebook
Google Hangouts
Skype
Trillian
Viber Messenger
WhatsApp
Mesh Networks
Notes

A meshnet is a decentralized peer-to-peer network, with user-controlled physical links that are usually wireless.

“Mesh networking (topology) is a type of networking where each node must not only capture and disseminate its own data, but also serve as a relay for other nodes, that is, it must collaborate to propagate the data in the network.”

Proprietary
Operating Systems (Mobile)
Notes

iOS and WP are proprietary operating systems whose source code is not available for auditing by third parties. You should entrust neither your communications nor your data to a black box device.

Proprietary
BlackBerry
Google Android
Microsoft Windows Phone
Productivity
Notes

The etherpad project maintains a list of sites that run etherpad services. Please only choose from the services that use SSL, and research the site's background before trusting them with your data.

Riseup also offers email, XMPP, and chat services, all of which are accessible through Tor Hidden Service addresses. The list of these addresses is available here.

ProtectedText encrypts and decrypts text in the browser, and the password (or its hash) is never sent to the server, so the text can't be decrypted even if requested by authorities.

Proprietary
Doodle
Evernote
Microsoft Office Web Apps
Zoho Office Suite
Social Networks
Notes

If you have system administration knowledge, please strongly consider running an instance of pump.io (or something else) for your friends, family, or favorite community. Many of them would be willing and grateful to escape Facebook if you provide them a way out.

For those of you without your own server, RetroShare is the easiest way to start your own encrypted social network.

identi.ca, a popular Twitter-like social networking hub for the free and open source software community, runs on the pump.io software platform.

Proprietary
Facebook
Google+
LinkedIn
Twitter
VPN Clients
Notes

Encrypted virtual private network (VPN) technology can be used by ordinary Internet users to connect to proxy servers for the purpose of protecting one’s identity and online footprint.

More on Wikipedia.

Proprietary
Web Browser Addons
Notes

Installing your own add-ons into the Tor Browser is not recommended, as they may bypass Tor or otherwise harm your anonymity and privacy. Check the EFF's Panopticlick to see how trackable your browser configuration is by third parties.

If you're using a Firefox-based browser, you can safeguard your browsing habits and stop advertising companies from tracking you by installing Adblock Edge, Disconnect, and HTTPS Everywhere.

Install NoScript and enable ‘Forbid scripts globally’ to improve the security of your browser by preventing 0day JavaScript attacks. This is a drastic option as it will render many websites unusable as they rely heavily on JavaScript. NoScript offers a whitelist you can use to selectively enable JavaScript for sites you trust, but this is considered especially bad for your anonymity if you're using NoScript with the Tor Browser Bundle.

Why is Adblock Plus not recommended? Adblock Plus shows “acceptable ads” by default, which works against the purpose of the add-on. Either disable acceptable ads or use the Adblock Edge fork instead.

Ghostery is an alternative anti-tracker add-on to Disconnect. While the code is available, the license is currently proprietary.

Proprietary
Web Browsers
Notes

Try to use the Tor Browser Bundle (TBB) for all of your web surfing. It will offer you far better anonymity than any other browser. Make sure to learn the basics of Tor before using it. If the site you want to visit will not work in the TBB, try Firefox instead, but realize that such browsers do not anonymize your IP address by default.

TBB notes: Using the TBB to sign into websites that contain your real ID is counterproductive, and may trip the site's fraud protection. Make sure to check for HTTPS before signing in to a website through Tor. Signing into HTTP websites can result in your ID being captured by a Tor exit node.

Firefox notes: This browser uses Google search by default: replace it with a more private alternative. Another debranded alternative to Firefox is Iceweasel, a browser for Debian-based distributions.

Why are Chromium, SRWare Iron, et al. not recommended on PRISM Break? More info here.

Warning for mobile devices & Tor: Websites using HTML5 <video> tags will leak <video>-related DNS queries and data transfer outside of Tor.

Proprietary
Google Chrome
Opera
Web Search
Notes

DuckDuckGo is a software-as-a-service (SaaS) hosted around the world that provides you with anonymous search results from these sources. DDG open source components are available here.

There is also a DuckDuckGo hidden service at 3g2upl4pq6kufc4m.onion for Tor users.

MetaGer is a SaaS by the German non-profit SUMA e.V. that provides you with anonymous meta search results.

Startpage is a SaaS hosted in the USA and the Netherlands that provides you with anonymous Google search and image results through a free proxy.

Ixquick (run by the same company as Startpage) is a meta search engine that returns combined results from nearly 100 sources - excluding Google.

Seeks acts as a personalizing Web server or proxy between you and your data feeds. Connect most search engines, RSS/ATOM feeds, Twitter/Identica, Youtube/Dailymotion, wikis, and basically any source of data, and Seeks will produce a fused personalized stream of results to your queries. See list of Web Seeks nodes.

Tor users may use Seeks hidden service at 5plvrsgydwy2sgce.onion.

YaCy is a promising project that offers fully decentralized peer-to-peer search. The more people who start using it, the better the results will become.

Proprietary
Google Search
Microsoft Bing
Yahoo Search
World Maps
Proprietary
Apple Maps
Bing Maps
Google Earth