New insights into clean analytics

There is a giant problem with the “collect it all” status quo that pervades on the Internet, this has been clear for a long time. Tracking people has become so widespread that organizations, communities, projects and university labs have sprung up dedicated to detecting and publicizing their presence. Data and analytics are clearly useful for software creators and funders, but they also easily lead to harming people’s privacy and well-being. [Read More]

Usability: the wonderful, powerful idea that betrayed us

Usability triggered a revolution in computing, taking arcane number crunching machines and making them essential tools in so many human endeavors, even those that have little to do with mathematics. It turned the traditional design approach on its head. Initially, experts first built a system then trained users to follow it. User experience design starts with goals, observes how people actually think and act in the relevant context, then designs around those observations, and tests with users to ensure it fits the users’ understanding. [Read More]

Clean Insights: February 2021 Update on Privacy-Preserving Measurement

Greetings, all. I hope this finds you healthy and well, finding ways to enjoy the season (whichever it may be). While everyday still provides new challenges in the life of our team at Guardian Project, we continue to strive to be productive as productive as we can be in our professional and personal lives. I’ve just posted an updated presentation on Clean Insights, reflecting on the symposium in May, and the work we have done since then. [Read More]

New Data Sources: API Key Identifiers and BroadcastReceiver Declarations

A central focus of the Tracking the Trackers project has been to find simple ways to detect whether a given Android APK app file contains code which tracks the user. The ideal scenario is a simple program that can scan the APK and tell a non-technical user whether it contains trackers, but as decades of experience with anti-virus and malware scanners have clearly demonstrated, scanners will always contain a large degree of approximation and guesswork. [Read More]

εxodus ETIP: The Canonical Database for Tracking Trackers

There is a new story to add to the list of horrors of Surveillance Capitalism: the United States’ Military is purchasing tracking and location data from companies that track many millions of people. We believe the best solution starts with making people aware of the problem, with tools like Exodus Privacy. Then they must have real options for stepping out of “big tech”, where tracking dominates. F-Droid provides Android apps that are reviewed for tracking and other “anti-features”, and F-Droid is built into mobile platforms like CalyxOS that are free of proprietary, big tech software. [Read More]

Distribution in Depth: Mirrors as a Source of Resiliency

There are many ways to get the apps and media, even when the Internet is expensive, slow, blocked, or even completely unavailable. Censorshop circumvention tools from ShadowSocks to Pluggable Transports can evade blocks. Sneakernets and nearby connections work without any network connection. Hosting on Content Delivery Networks (CDNs) can make hosting drastically cheaper and faster. One method that is often overlooked these days is repository mirrors. Distribution setups that support mirrors give users the flexibility to find a huge array of solutions for problems when things are not just working. [Read More]

Managing offline maps with F-Droid and OsmAnd

When disaster strikes, our mobile devices can provide us with many tools to deal with a wide variety of problems. The internet is not available in every corner of the planet, and large scale outages happen. Digital maps allow us to carry detailed maps of the entire planet in our pockets. And the good map apps allow the user to download entire regions to the device so that they operate without internet at all. [Read More]

Easy translation workflows and the risks of translating in the cloud

Crowdsourced translation has opened up software and websites to whole new languages, regions, and uses. Making translating easier has brought in more contributors, and deploying those languages requires less work. A number of providers now offer “live”, integrated translation, speeding up the process of delivering translated websites. On the surface, this looks like a big win. Unfortunately, the way such services have been implemented opens up a big can of worms. [Read More]

Onion Browser Release 2.6 Tutorial

In this tutorial we’re going to talk about the best practices to browse the web securely on iOS using Onion Browser Release 2.6 and the Tor network. Onion Browser for iOS is a free, open-source web browser app developed originally by Mike Tigas, with Release 2.6 as a collaboration with the Guardian Project. Onion Browser has Tor built-in and uses Tor to protect your web activity. You can also watch the Onion Browser Video Tutorial on YouTube. [Read More]

On the classification of tracking

This position paper tries to outline a framework for defining trackers in smart phones and lists mechanisms for identifying them. It hopes to serve as the foundation for the work done in the Tracking-the-Trackers project. In section 1 we start with an abstract analysis of levels of unwanted behaviour in the context of tracking. Next, in section 2, we focus on an attacker’s perspective, on anonymity and pseudonymity. This foundation allows us to define terms which are needed throughout the paper. [Read More]

Free Software Tooling for Android Feature Extraction

As part of the Tracking the Trackers project, we are inspecting thousands of Android apps to see what kinds of tracking we can find. We are looking at both the binary APK files as well as the source code. Source code is of course easy to inspect, since it is already a form that is meant to be read and reviewed by people. Android APK binaries are a very different story. [Read More]

"Features" for Finding Trackers

One key component of the Tracking the Trackers project is building a machine learning (ML) tool to aide humans to find tracking in Android apps. One of the most important pieces of developing a machine learning tool is figuring out which “features” should be fed to the machine learning algorithms. In this context, features are constrained data sets derived from the whole data set. In our case, the whole data set is terabytes of APKs. [Read More]

Figuring Out Crowdsourced Translation of Websites

Crowdsourced translation platforms like Weblate, Transifex, Crowdin, etc. have proven to be a hugely productive way to actively translate apps and desktop software. Long form texts like documentation and websites remain much more work to translate and keep translated. Many translation services currently support Markdown and HTML, but very basically, which means much more work for translators and webmasters. Translators can inadvertently break things, either with a typo or because of a lack of knowledge of a specific syntax. [Read More]

The Promise and Hazards of COVID Contact Tracing Apps

There has been increasing interest in the possibilities of tracking people who are infected with Coronavirus using all of the various methods that smart phones provide. There is good reason: “contact tracing” has been a pillar of public health efforts for decades. It is an effective means to curtail the spread of infectious disease. At the same time, governments, companies, and organizations are acting fast to offer services to help end this current pandemic. [Read More]

We Support the Open COVID Pledge

Please join this Open COVID Pledge by committing to freely share technology for all work that aims to end the Coronavirus Disease 2019 (COVID-19) pandemic. We believe that free software licenses like the GNU GPL and the Apache License already provide these key benefits. We are making this statement to make it clear that all of our code is available for any effort to end the COVID Pandemic. We grant to every person and entity that wishes to accept it, a non-exclusive, royalty-free, worldwide, fully paid-up license to fully use, practice and exploit all our patent and copyright rights, for the sole purpose of ending the COVID-19 pandemic and minimising the impact of the disease, including diagnosis, prevention, containment, and treatment. [Read More]

Improving Crowdsourced Translation of Long Form Text

We are happy to announce the start of work on another step in improving crowdsourced localization, funded by the ISC Project. This is the second part of our ongoing “Linguine” collaboration to move crowdsourced translation to privacy-respecting free software. Crowdsourced translation has proven enormously successful getting apps and website software translated into many languages. Using tools like Weblate or Transifex, developers can quite easily incorporate translated app strings into their mobile apps and websites. [Read More]


MASQUE is set of related IETF drafts for specifying flexible proxying built into a standard webserver. It is meant to be deployed on a server that is serving public websites, then this connection can be reused for proxying generic connections. It is very much a work in progress, so any of this can change. It is currently built on top of the QUIC+HTTP/3 and HTTP/2+TLS+TCP protocols. The website and proxy packets look the same, and all connections to the webserver will be shared and reused, regardless of whether its a web page request or proxy traffic. [Read More]

Tracking the Trackers: using machine learning to aid ethical decisions

F-Droid is a free software community app store that has been working since 2010 to make all forms of tracking and advertising visible to users. It has become the trusted name for privacy in Android, and app developers who sell based on privacy make the extra effort to get their apps included in the collection. These include Nextcloud, Tor Browser,, and Tutanota. Auditing apps for tracking is labor intensive and error prone, yet ever more in demand. [Read More]

NetCipher + Conscrypt for the best possible TLS

A new NetCipher library has recently been merged: netcipher-conscrypt. In the same vein as the other NetCipher libraries, netcipher-conscrypt wraps the Google Conscrypt library, which provides the latest TLS for any app that includes it. netcipher-conscrypt lets apps then disable old TLS versions like TLSv1.0 and TLSv1.1, as well as disable TLS Session Tickets. This is an alpha release because it only works on recent Android versions (8.1 or newer). The actual functionality works well, the hard part remains making sure that it is possible to inject netcipher-conscrypt as the TLS provider on all Android devices and versions. [Read More]

Trusted Update Channels vs. Scratching Your Itch

One of the great things about free software is that people can easily take a functional program or library and customize it as they see fit. Anyone can come along, submit bug fixes or improvements, and they can be easily shared across many people, projects, and organizations. With distribution systems like Python’s pypi, there is an update channel that the trusted maintainers can publish fixes so consumers of the library can easily get updates. [Read More]