Melody Fwygon

  • 0 Posts
  • 4 Comments
Joined 2 years ago
Cake day: June 1st, 2023

  • Agreed with the dislike of Brave; but my reasons for not using it are because the person(s) running that project have proven that they do not have user privacy as a priority over their own ability to stay profitable enough to operate. This lack of principle I feel makes Brave privacy hostile at random times when their company runs low on money and is vulnerable to making deals with the devils they’re trying to keep at bay. Usually these deals are horrific blows to user privacy, or introduce unwanted and unneeded bloat to the software.


  • I’ve seen this when bopping around in the F-Droid catalogue. Never took it seriously because it didn’t seem to communicate well what it was doing.

    In general; I usually dislike using Chrome anyways…so much so that I hard disable Chrome on my device, oftentimes via ADB, and download a wide range of alternatives; Kiwi (Plugin enabled), Hermit ([Closed source] Forced Isolation of all domains/sites alongside ad-blocking and web-app caching baked into the app wrapping its renderer; which is, of course System Webview. Unfortunately this one is not open source, so I do not often recommend it here and while I trust it; your decisions may be different.) and Firefox (Plugins installed, seems to be replacing Kiwi because it’s likely a dead/gone/deprecated/archived project.) I even use URLCheck from F-Droid itself as my “Default Browser” so that I have the power to review each URL and open it in a browser I feel is most appropriate to the context of my browsing and choose the browser I feel can best protect my privacy for a given site. One-off visits often go to Hermit; which promptly isolates away and forgets I ever visited the site while blocking ads with a lighter touch than most plugins I’ve seen that exist. If a site often breaks in Hermit; usually due to ad-blocking hostile scripts; I kick it over to Firefox where I have extensive plug-in tooling to defang the beast…including tools like JShelter, Canvas Blocker, LocalCDN, Chameleon, Decentraleyes and uBlock Origin.

    What I do know is that Android System Webview is far more configurable than you might realize; and that it is absolutely possible to build a browser on top of it. Most importantly; Android System Webview IS NOT Chrome! Yes, it is extremely similar and it behaves mostly the same; but it is based on the Chromium project; which is basically what Chrome is before Google applies all of its own Branding, Customization, Policies and Application touches on it. Does Chromium project mirror what Chrome needs? Absolutely yes, but it does not follow Chrome exactly. In general; Android System Webview is a Web rendering component that other applications can call on and wrap their own code around. This means you are basically free to implement whatever other features you want around the webview; including adding plugins and other things like ad-blocking. My favorite closed-source lite-app browser Hermit does this; and I’m not seeing any significant privacy concerns with that one.


  • As the Messages RCS implementation is supposedly E2EE from device to device; No. It is not possible that a log of your messages’ contents is being kept.

    Can it stop them from storing your encrypted messages to decrypt later if law enforcement should be able to confiscate your phone and extract the encryption key? Also No. It is not possible for E2EE to prevent “Store ciphertext and decrypt later” attacks.

    It also cannot prevent companies from logging who you are conducting an encrypted conversation with; even if the contents cannot be seen and this information cannot be used to infer anything about the contents. It cannot stop companies from making inferences about your messaging activity due to timing of messages sent or who they are sent to.

    If these kinds of attacks are on your threat model; you need to ensure you are not sending messages or information via electronic means via your phone to begin with, wherever possible.

    It is absurd to assume that they have backdoored the RCS protocol without proof or evidence. This isn’t saying it’s a verifiably secure or private protocol; but I think you could trust an E2EE RCS message for long enough to help you get someone else onboarded on to Signal or another more properly encrypted messenger without needing to worry about being put on a watch list. I would trust it with my grocery list or trivial communications with family; even if I wouldn’t trust it with my truly personal or private conversations.


  • In general Fwy does not agree with the Privacy Guides assessment; and feels that the concerns about the project are simply not credible without stronger evidence of excessively slowed or missed updates.

    Project devs do have lives and I’m not personally going to punish that; so long as the software remains reasonably maintained and free of bugs while still considering the project’s number of devs.

    Is it better than Mullvad Browser? Probably not in the strictest sense; but I’m also not happy with “Mullvad Browser” either; as this browser makes more choices that break functionality than Librewolf does in the pursuit of privacy.

    Additionally; I cannot trust that “Mullvad Browser” will not enshittify; it is maintained by a company who is REQUIRED to some extent to make profits. That breeds enshittification. Mullvad would be one bad CEO or core executive team shift away from potentially being targeted as a profit vehicle and its privacy benefits weakened or removed entirely so the company can make money.

    In general I trust Librewolf on a pretty regular basis to protect my privacy when my Addon-driven version of manually hardened Firefox breaks up a website’s functionality too badly. It provides essential privacy protections without breaking too many things and serves as a good baseline browser.

    As a rule; I keep several different browsers installed to mitigate lack of website function and isolate away any websites that would be more invasive in what privacy protections must be disabled to use properly. “Setting-Hardened and Privacy-Addon-driven Firefox” is what I use day to day, but “a semi-Amnesic* Librewolf (Incognito windows if untrusted website)” is second and is used daily in trusted website scenarios or in case a website is breaking too badly from plugin interactions. Finally; a fairly vanilla and infrequently used copy of Ungoogled Chromium is kept on hand for situations where Chromium is just required; where I can spin up empty profiles easily for anything I don’t trust and configure it to just flush everything on exit.