Happy Data Privacy Day! Every January 28th, the United States joins Canada, India, and 47 European countries in raising awareness for data protection and the privacy of individuals’ personal information. This has been an important year for privacy, with successful legislation improvements such as the GDPR and CCPA, along with devastating data breaches and social media scandals. We’ve made some great progress, but there is still much to improve.
To celebrate this Data Privacy Day, we’re highlighting some of the best free and open source privacy tools for both individuals and organizations. Some offer paid versions with extra features and support or simply share the code for a commercial version on GitHub, but all are available in some form at no cost. If you find some of these tools helpful, consider giving a donation to support the projects and show your appreciation for their advancement of privacy without monetizing your personal data.
Browser Fingerprinting Analysis: Panopticlick
Panopticlick explains browser fingerprinting by showing how several innocuous browser settings can be combined into a unique identifier, the “fingerprint,” which makes your online activity traceable even without cookies. It shows how browser and OS versions, language setting, time zone, screen resolution, installed fonts, ad-block settings, and other technical details each contribute to that fingerprint. You can use the default simulated analysis, or you can ask Panopticlick to test your browser against an actual tracking site. The tool assesses the strength of your protection against tracking and suggests ways to improve your configuration for increased privacy.
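To make the “combined into a unique identifier” point concrete, here is an added example (not Panopticlick’s code) that hashes a browser’s attributes into a fingerprint and reports, for a constructed population of eight configurations, how many bits of identifying information each attribute and the combined fingerprint carry.

```python
import hashlib
import math
from collections import Counter

ATTRIBUTES = ("user_agent", "language", "timezone", "resolution", "fonts", "adblock")

# Constructed population of browser configurations; not real Panopticlick data.
POPULATION = [
    ("Chrome/71 Windows", "en-US", "UTC-5", "1920x1080", "Arial,Verdana", True),
    ("Chrome/71 Windows", "en-US", "UTC-5", "1920x1080", "Arial,Verdana", False),
    ("Chrome/71 Windows", "en-US", "UTC-8", "1366x768", "Arial,Verdana", False),
    ("Firefox/64 Linux", "en-GB", "UTC+0", "2560x1440", "DejaVu,Noto", True),
    ("Firefox/64 Linux", "en-GB", "UTC+0", "1920x1080", "DejaVu,Noto", False),
    ("Safari/12 macOS", "fr-FR", "UTC+1", "2880x1800", "Helvetica,Menlo", False),
    ("Safari/12 macOS", "en-US", "UTC-5", "2880x1800", "Helvetica,Menlo", False),
    ("Chrome/71 Android", "de-DE", "UTC+1", "1080x2160", "Roboto", False),
]


def fingerprint(config):
    """Combine every attribute into one stable identifier (a truncated SHA-256)."""
    return hashlib.sha256("|".join(map(str, config)).encode()).hexdigest()[:16]


def surprisal_bits(value, values):
    """Bits of identifying information in `value`: -log2(share of population with it)."""
    values = list(values)
    if value not in values:          # a never-seen value is at least as rare as 1 in n+1
        values.append(value)
    return -math.log2(Counter(values)[value] / len(values))


def fingerprint_report(config, population=POPULATION):
    """Per-attribute and combined bits for one browser measured against the population."""
    per_attribute = {
        name: surprisal_bits(config[i], (c[i] for c in population))
        for i, name in enumerate(ATTRIBUTES)
    }
    combined = surprisal_bits(fingerprint(config), (fingerprint(c) for c in population))
    return {"fingerprint": fingerprint(config),
            "per_attribute": per_attribute, "combined_bits": combined}


if __name__ == "__main__":
    report = fingerprint_report(POPULATION[0])
    for attribute, bits in report["per_attribute"].items():
        print(f"{attribute:<11} {bits:.2f} bits")
    print(f"combined    {report['combined_bits']:.2f} bits ({report['fingerprint']})")
```

Two browsers that differ only in their ad-block setting get different fingerprints, and the combined figure is the one that matters: attributes that are individually common still single out a browser once they are joined.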
Communication Encryption Extension: HTTPS Everywhere
The Electronic Frontier Foundation (EFF) created this browser extension to encrypt web communication by rewriting HTTP requests to HTTPS wherever a site supports it. While some sites simply don’t offer an encrypted option, HTTPS Everywhere tells your browser to choose the most secure connection available. Experienced users can support this open source project by adding rulesets for new websites.
Privacy Browser: Brave
If you don’t want the hassle of making several small privacy improvements, switching to Brave is a one-stop option. It doesn’t collect or store browsing data, blocks trackers automatically, and upgrades connections to HTTPS (like HTTPS Everywhere). Brave is attempting to monetize privacy-respecting ads by allowing users to reward content creators and websites with cryptocurrency microtips. However, you don’t have to participate in the experimental tipping system to benefit from Brave’s strong privacy options and default settings. Brave is a great choice if Chrome’s upcoming move to stop ad blocking bothers you.
Search Engine: DuckDuckGo
If you’ve ever been bothered by Google’s ability to display Gmail results or pages related to your browsing history in search results, consider trying DuckDuckGo. This search engine blocks sites from learning about other search terms you used and doesn’t do any search behavior profiling. The drawback to this, of course, is that your searches might seem less accurate or helpful if you’re choosing not to benefit from Google’s predictive analytics.
Anti-Tracking Extension: Privacy Badger
Another great project from the EFF, Privacy Badger prevents tracking technology from following your browsing habits across multiple websites. It works by recognizing when third-party embedded content sources are repeatedly loaded in pages that you visit, then blocking those sources. If the embedded content can’t load, the source is prevented from additional behavioral tracking. While this function will block some ads, Privacy Badger isn’t meant to replace a general advertising or script blocker. Instead, it will help prevent unknown tracking services from building a profile of your behavior or invasive cookies from feeding your data back to a third party.
If you want some visibility into just how much of your online activity is tracked, Ghostery will both block trackers and replace that content with an adorable ghost icon reminiscent of the Pac-Man villains. You can also view a summary of the number and types of trackers on each page. This might be distracting in the long term but is certain to be an interesting glimpse into the personal data regularly vacuumed up by marketing and social media companies. Ghostery uses known tracker lists for blocking decisions rather than responding to repeated tracking attempts like Privacy Badger, so it will be more effective right when you install it, while Privacy Badger improves over time. Check out uBlock Origin for another great ad blocking option. Please note that both Ghostery and uBlock Origin will probably not work with Chrome after the next update to stop ad blocking.
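The difference between the two approaches described above (Privacy Badger’s learn-as-you-browse heuristic and Ghostery’s known-tracker list) is easier to see side by side. This added example is not code from either project; it runs both strategies over a constructed browsing log, assumes a block threshold of three first-party sites, and treats the last two host labels as the site name.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed browsing log: (first-party page URL, URL of an embedded resource it loaded).
REQUESTS = [
    ("https://news.example/story", "https://cdn.tracker-a.example/pixel.gif"),
    ("https://news.example/story", "https://static.news.example/app.js"),
    ("https://shop.example/cart", "https://cdn.tracker-a.example/pixel.gif"),
    ("https://shop.example/cart", "https://fonts.cdn-b.example/font.woff"),
    ("https://blog.example/post", "https://cdn.tracker-a.example/pixel.gif"),
    ("https://blog.example/post", "https://fonts.cdn-b.example/font.woff"),
    ("https://forum.example/t/1", "https://fonts.cdn-b.example/font.woff"),
]

# Constructed known-tracker list; cdn-b is deliberately missing from it.
KNOWN_TRACKERS = {"cdn.tracker-a.example"}


def site(url):
    """Site name of a URL; assumes the last two labels are the registrable domain."""
    return ".".join(urlparse(url).hostname.split(".")[-2:])


def list_based_blocks(requests, known=KNOWN_TRACKERS):
    """Ghostery-style: a host is blocked on first sight if it is on the list."""
    return {urlparse(resource).hostname for _, resource in requests
            if urlparse(resource).hostname in known}


def heuristic_blocks(requests, threshold=3):
    """Privacy Badger-style: block a third-party host once it has been loaded on
    `threshold` distinct first-party sites (the threshold is an assumed value)."""
    seen_on = defaultdict(set)
    for page, resource in requests:
        if site(resource) == site(page):     # same-site resource, not a tracker candidate
            continue
        seen_on[urlparse(resource).hostname].add(site(page))
    return {host for host, sites in seen_on.items() if len(sites) >= threshold}


if __name__ == "__main__":
    print("list, first visit: ", list_based_blocks(REQUESTS[:1]))
    print("heuristic, 2 sites:", heuristic_blocks(REQUESTS[:4]))
    print("heuristic, 4 sites:", heuristic_blocks(REQUESTS))
```

The list catches tracker-a immediately but never sees cdn-b; the heuristic blocks nothing until the third site, then catches both.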
Tracking and Ad Blocking Nuclear Option: Pi-hole
If you’d like to neutralize trackers and advertising before they even reach your devices, the Pi-hole is a great solution. While the software is open source, this project does require a Raspberry Pi ($10+) and some technical skill. However, the Pi-hole is a “DNS sinkhole” which blocks content at the network level, before it reaches your devices, meaning that your wireless-connected phones and computers won’t need to spend resources on browser-based ad blocking. This also blocks ads on IoT devices such as smart TVs and in non-browser mobile apps such as Facebook, which browser extension blockers can’t cover. For mobile ad blocking away from home, you can use PiVPN and set your device to automatically connect to your home network by VPN when on mobile data.
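The “DNS sinkhole” idea in miniature, as an added example rather than Pi-hole’s own code: a resolver that answers listed names (and every subdomain under them) with an unroutable sinkhole address and forwards everything else. The blocklist, the 0.0.0.0 sinkhole answer and the stand-in upstream table are all constructed here.

```python
from collections import Counter

SINKHOLE = "0.0.0.0"

# Constructed blocklist: listing a domain also blocks every subdomain under it.
BLOCKLIST = {"ads.example", "tracker.example"}

# Constructed stand-in for the upstream resolver (documentation IP ranges only).
UPSTREAM = {
    "www.example": "192.0.2.10",
    "api.example": "192.0.2.11",
    "cdn.tracker.example": "203.0.113.7",
    "nottracker.example": "198.51.100.5",
}


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is listed. Matching is per label,
    so 'nottracker.example' is not caught by the 'tracker.example' entry."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name, upstream=UPSTREAM):
    """Answer one A query: sinkhole address for listed names, upstream answer otherwise."""
    if is_blocked(name):
        return SINKHOLE, "blocked"
    return upstream.get(name, "NXDOMAIN"), "forwarded"


def serve(queries):
    """Resolve a batch of queries and return dashboard-style totals."""
    stats = Counter()
    for name in queries:
        _, outcome = resolve(name)
        stats[outcome] += 1
    return dict(stats)


if __name__ == "__main__":
    for q in ("www.example", "cdn.tracker.example", "nottracker.example"):
        print(f"{q:<22} -> {resolve(q)}")
```

Because the decision is made at name resolution, it applies to every client on the network that uses this resolver, not only to browsers.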
Encrypted Messaging: Signal
Signal is the best available secure messaging app (if you can convince anyone else to use it). It can’t quite compete with WhatsApp for features and user adoption rates just yet, but anyone uncomfortable with Facebook’s acquisition of WhatsApp might consider switching platforms. It’s available for both iOS and Android or on desktop, and it’s good enough for Edward Snowden.
Disposable Email Addresses and Payment Cards: Nbox and Privacy.com
Sick of marketing spam in your primary email inbox? Nbox will give you disposable but valid email addresses so mailing list spam won’t reach your daily email queue. Similarly, Privacy.com will generate disposable virtual credit cards so you can order online from that sketchy .ru domain retailer without compromising your actual credit card.
Device and Account Privacy Recommendations: Securityplanner.org
Securityplanner.org is a public awareness project helping citizens with minimal technical knowledge improve their security and privacy by presenting only the most relevant information in a simple format. You can select the device or account types that you have, and the tool will display only the recommendations which would improve those devices and accounts, such as two-factor authentication (2FA). The tool covers iOS and Android mobile devices, IoT connected devices, Mac and Windows operating systems, social media accounts, retail and finance sites, and email. You can opt to display recommendations for a variety of security concerns or choose only the two privacy options if you’d like to focus on protecting your personal information.
Privacy Regional Law Comparison Tool: DLA Piper’s Data Protection Laws of the World
Multinational organizations are usually subject to a range of regional and national privacy laws, which can make compliance tracking a challenge. DLA Piper has created a helpful tool which allows users to browse privacy laws by country on an interactive map or compare two different countries in privacy categories such as legal requirements, national authority, data protection officers, data collection and processing, data transfers, security, breach notification, marketing rules, and enforcement. Unfortunately, the tool doesn’t yet include US sectoral or state laws like HIPAA or the CCPA.
Governance, Risk, and Compliance (GRC) Solution: Eramba
Eramba is a Governance, Risk, and Compliance (GRC) solution operating on a freemium pricing model. This is a great introduction to GRC for small companies or new compliance and governance teams operating on a limited budget. Eramba’s free version includes query functionality, CSV import of controls, data export, text or graphical reporting, a KPI dashboard with metrics and visualizations, versioning, and management of policies, controls, audits (with evidence and testing), risks, exceptions, and incident records. While paying subscribers will get access to some of the best features, the free version is a massive improvement from emailing spreadsheets back and forth.
Website Cookie Analysis Tool: Cookie-checker.com
Like Polisis, cookie-checker.com will analyze the cookies set by any URL you enter. This is a simple, helpful check for compliance teams assessing the privacy posture of a company’s marketing practices. The site sorts cookies into “first party” and “third party,” depending on whether the cookie is placed and used only by the website itself or by a third party such as a marketing company.
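The first-party/third-party split above comes down to comparing the cookie’s scope with the site of the page you loaded. This added example (not cookie-checker.com’s code) parses constructed Set-Cookie headers observed while loading one page and sorts them; it assumes the last two host labels identify the site, which is a simplification a real checker replaces with a public-suffix list.

```python
from urllib.parse import urlparse

PAGE_URL = "https://www.shop.example/"

# Constructed (response URL, Set-Cookie header) pairs observed while loading PAGE_URL.
OBSERVED = [
    ("https://www.shop.example/", "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.shop.example/", "prefs=dark; Domain=.shop.example; Path=/"),
    ("https://cdn.shop.example/app.js", "cdn=1; Path=/"),
    ("https://pixel.adnet.example/p.gif", "uid=77; Domain=.adnet.example; Path=/; Secure"),
]


def site_of(host):
    """Registrable site; assumes the last two labels suffice (no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val          # bare flags like Secure get an empty string
    return name, value, attrs


def classify_cookies(page_url, observed):
    """Sort cookies into first party (same site as the page) and third party."""
    page_site = site_of(urlparse(page_url).hostname)
    result = {"first_party": [], "third_party": []}
    for response_url, header in observed:
        name, _, attrs = parse_set_cookie(header)
        # A cookie's scope is its Domain attribute if given, else the host that set it.
        scope = attrs.get("domain") or urlparse(response_url).hostname
        bucket = "first_party" if site_of(scope) == page_site else "third_party"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in classify_cookies(PAGE_URL, OBSERVED).items():
        print(f"{bucket}: {names}")
```

The cookie set by cdn.shop.example counts as first party even though it came from a different host, because it belongs to the same site as the page; the ad network’s cookie is third party regardless of its attributes.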
Free TLS Certificates: Let’s Encrypt and Certbot
Let’s Encrypt is a simple, free certificate authority (CA) run by the non-profit Internet Security Research Group (ISRG). Anyone who owns a domain name can obtain a completely free TLS certificate to encrypt website communication by enabling HTTPS. Certbot is an automated client developed by the EFF to help users obtain and install Let’s Encrypt certificates, including wildcard certificates. Certbot can also help improve security configurations, such as HTTP to HTTPS redirects.
Disk Encryption: VeraCrypt
Encryption is one of the most fundamental security and privacy protections for data at rest, and VeraCrypt is a reliable open source disk encryption software usable on Windows, Mac, and Linux. VeraCrypt gives secure encryption with a solid range of algorithm choices for disk storage, from enterprise servers to flash drives. Even though VeraCrypt is free, it includes advanced features such as core/processor parallelization, pipelining (asynchronous processing), hardware acceleration for AES, security token and smart card support, and the ability to create hidden volumes or entire operating systems for plausible deniability if forced to reveal a password.
Team Password Manager: 1Password
Are you still writing corporate passwords on sticky notes or giving everyone a default master password, perhaps some variation of your company name with a few leet character replacements ending in 123? If your request for an enterprise password manager wasn’t approved, you can download the 1Password for Teams open source code on GitHub. 1Password allows an account manager to create segregated vaults and manage individual access by assigning or removing users from the group of passwords stored in a vault. For alternatives, consider the free versions of Psono or Passbolt.