Key questions for anonymization tools


Is the product Open Source?

Open Source means that the code of a programme is publicly available. Everybody can review it, search for vulnerabilities and develop it further. The opposite is "Closed Source", so that no one but the developer – e.g. a company developing an app – can review it. Especially if a service is popular, Open Source is a real benefit. A lot of experts review the code and constantly improve it. Journalists do not have to trust a service that it really does what it claims to do – they can see in the code how the system works.

Does the service store user data?

The most secure data is the one that does not even exist. Therefore, it is important that an anonymisation tool does not store users’ data, for example in log files. Some (mostly free) VPN providers store and analyse that data to make money out of it. This can compromise anonymity.

In which jurisdiction is the service legally based?

Although the service itself may not have access to the content or metadata of users' online activity, it might have to hand over certain information about its users. For example, metadata about communication – who sent what to whom, when and where – might be stored. Journalists and their sources should check whether a service is legally bound to cooperate with a government that they identified as a potential adversary in their threat model. This is especially important for VPN providers.

to top