Which Linux distro is best for protecting your privacy?
12th Nov 2013 | 11:00
Stay anonymous with our guide to secretive distros
Among other things here at Linux Format we are also a bit clairvoyant. We decided that it was the right moment to look at 'anonymous' Linux distributions many weeks before mainstream media started discussing PRISM.
Of course, even if nothing like that existed, there would still be many good reasons to protect at least part of what you want or need to do online: the examples go from whistle-blowing to home banking or super-invasive advertising. In all these cases, proper configuration of (at least!) the tools you use for web surfing, email, instant messaging and file sharing is crucial.
Linux 'anonymous' distros are designed to help in just these kinds of situations. As a minimum, these systems are pre-configured to make it easier to surf the web without telling everybody in clear text where, or who, you really are.
We put 'anonymous' between quotes for a couple of reasons: first of all, successfully hiding one's identity online takes quite more attention and discipline than just installing the right software. In the second place, and sometimes the first, the eye that you may want to appear anonymous to is the computer you're using! Why risk leaking passwords (or worse) to trojans and keyloggers when you must temporarily use somebody else's machine? We hope this roundup will help you cope with all this stress.
How we tested...
In the next pages, you'll find five Linux distributions designed with anonymity and general privacy protection as their primary objectives. The first selection criterion was ease of use for beginners and being actively maintained. There are other similar distros out there, but some haven't been updated for a long time.
Next, we deliberately chose systems as diverse as possible, in order to give you an idea of the many faces of (Linux-based) secure computing. We've tested these distros as virtual machines or in live mode and we've also noted how they will cope with wired and wireless Internet connections. In all cases, the primary goals were to check how complete each system is, and how easy it is to start using the most privacy-sensitive applications in their default configurations.
What's in the box? What are the main features of each distribution?
As important as it is, careful selection and configuration of applications is not the initial task of a 'privacy first!' Linux developer. Before that, it's essential to define, and restrict as much as possible, how the system should interact with the hardware it runs on and the Internet.
Though not sufficient, an effective part of online anonymity is a distro that is created from scratch every single time you use it, and destroyed as soon as that session is over. This guarantees that no cookies or malware that you may get will be there to do more damage the next time you go online.
All but one of the distros reviewed here use this as their default approach: they are available as binary images that you may and should directly install on CD-ROM or (better) on USB keys.
Liberté ships with a Secure Boot-based trusted boot chain and the Hardened Gentoo kernel with all the GR security patches. Their function is to give each process and user only the absolute lowest privileges they need to work properly.
Liberté is also available as a virtualisation appliance (the OVA file on the website) ready to load inside VirtualBox. I2P is a P2P anonymizing network that, like Tor, provides encrypted communications. IprediaOS is built, on a Fedora foundation to use all the features of I2P.
Privatix and Tails are Debian spin-offs. They both have (like Liberté) utilities that clean the RAM at every shut-down and tools that make installation of persistent directories for your files on encrypted USB drives a snap.
Whonix is very different. It's a pair of Debian-based virtual appliances that you must download and run, simultaneously, in two virtual machines. The first one is the Gateway: its only task is to filter and route, through the Tor anonymizing network, all the Internet traffic of the other one, called 'Workstation'. This is the desktop that you will see and use: besides having all its applications configured to maximize privacy, it's built so it can only reach the Internet through the Gateway.
The result is something, as its developer puts it, in which "IP and DNS leaks are impossible". Malware running in the Workstation can't find out the user's real location, because no part of that system knows what its IP address is. You may also run the two Whonix components on different machines, or use only the Gateway to isolate, in the same way, other operating systems.
The downside is that Whonix isn't a portable operating system ready to be run on other computers off an USB key.
IprediaOS - 4/5
Liberté - 4/5
Privatix - 4/5
Tails - 4/5
Whonix - 4/5
Hard to sum up such diverse architectures in numbers. They are all good.
Different identities, computing on the road and file persistence.
Do you need different anonymous digital identities simultaneously (eg one for Twitter and one for online payments)? Do you also need to preserve many files from one session to the next, perhaps on different computers? Can you be anonymous all the time, for everything? We can answer the last question quite easily: Probably not.
Registration to public Wi-Fi hotspots or services like Paypal may not work through Tor. Whonix can't be used on computers without VirtualBox, while the other distributions, instead, are explicitly made to run from CD-ROM or USB drives and all let you disable Tor with little or no effort.
All the distros offer persistence, except for Whonix, this feature comes in the form of encrypted folders ( / persist in Liberté) if you install to hard drive or USB key. Alternatively, there are utilities to encrypt external drives.
Whonix makes it easier to have multiple simultaneous identities with persistence: by setting up in VirtualBox multiple independent Workstations, attached to the one Whonix Gateway that you should have created anyway. Doing the same with the installable or ISO versions of the other distribution is also possible, of course, but Whonix explains how to handle configuration details in a better way.
IprediaOS - 4/5
Liberté - 4/5
Privatix - 4/5
Tails - 4/5
Whonix - 3/5
Whonix is harder to run on portable drives and, therefore, scored lower.
Can you be anonymous, and still use a familiar Linux-based desktop?
If you are serious about anonymity but also cannot spend lots of time tinkering with source code, you'll need to use a specialized Gnu/Linux system instead of general purpose distributions, such as Ubuntu, Fedora, Mint or SUSE.
The focus on anonymity and, in general, security means that all these systems need to include as little code as possible, but be as stable as possible, and in case you hadn't realised it yet, here is one corollary of this fact: almost surely, your usual, favourite Linux desktop will not be available. Not in its latest and greatest version, at least.
While you'll have to accept this, it is also important to figure out which system will require the least adaptation effort. So let's then assess how each of these distributions looks and feels.
IprediaOS - 4/5
Built on top of Fedora, IprediaOS's default desktop environment is a Gnome/Unity-like one (pictured right). Besides English, the system is also available in French, German, Spanish, Swedish and Russian. If you really dislike the default look, or need anonymity even on pretty old computers, that's not a big deal. You can always download the LXDE-based edition.
The boot menu has entries for a Safe Mode (how much you would need it, is another issue) and for memory tests. The ORCA tools and the eekboard virtual keyboard offer some accessibility support.
IprediaOS can take up to a few minutes, after boot, before being able to access the Internet. We didn't experience any such delay, but should it happen to you: it only means that the internal I2P router hasn't found other I2P peers immediately ready to forward your packets.
Liberté Linux - 4/5
The distribution's home page says that Liberté "assumes willingness and capability to study operation of non-mainstream operating systems and software." Don't let that warning scare you. This actually applies to all the distributions in this roundup, but you don't need to be a real hacker to use them.
Besides, we didn't find Liberté to be more difficult than the others. The window manager is OpenBox, which maybe intimidating at first sight, but is really slick and fast to use. If you need to run Liberté on low-end hardware you can even boot it in VESA graphics mode.
The default web browser (pictured), with the Figaro Password Manager, Claws Email and the cables communication system set up panel, is Epiphany with HTML5 support. The Florence virtual keyboard will protect your passwords from any keylogger that may be present in the host computer.
Being based on Debian 6, Privatix sports a traditional Gnome desktop, with IceWeasel as default browser. Some may find the simple, clean desktop layout a bit dated, but we liked it, and it may feel much less alien to newbies than those of some competitors.
The same applies to the Application menu, that only contains six entries: Accessories, Graphics, Internet, Office, Sound & Video and System Tools. Another thing we liked a lot about Privatix is one of its settings, which is a good reminder that online anonymity must include certain easy configuration tricks: the default search engine for IceWeasel isn't Google or any of the other big ones, but Ixquick which calls itself "the world's most private search engine."
Tails - 4/5
Tails is an acronym standing for 'The Amnesic Incognito Live System'. At first sight, after presenting Privatix, it's also hard to say something about its look and feel. Not because this is a bad distribution, no! It's simply that since Tails too is based on Debian 6, the default desktop is almost identical to the one in Privatix.
After playing with Tails a bit, however, several differences emerge. To begin with, Tails was the only system tested on which setting a non-English keyboard worked without problems on all the computers used for the roundup. On average, Tails was also the faster system to boot (the boot options only are Tails and Tailsafe). As in Liberté, a virtual keyboard is just one click away, together with the ORCA reader and magnifier for short-sighted users.
Whonix - 3/5
Besides its dual-virtual-machine architecture, Whonix is unique in this roundup also for another reason: instead of some Gnome variant or simpler interfaces such as LXDE or OpenBox, this is the only system that uses a dull-looking, but full blown KDE as desktop environment. The left part of the root window is full of icons. Maybe a bit too many.
Anyway, even if it's a bit heavier visually, Whonix may help inexperienced users feel less estranged. Of course, remember to start the Whonix Gateway first, or you won't be able to see much besides a huge warning window!
Every now and then, select Applications >System >Whonix Check from the system menu: in a couple of minutes you'll get a complete report of how up to date your Whonix installation is!
Media and hardware support
Let's see online videos anonymously. No, wait…
This is likely to be the section of the roundup that you'll be less happy to read. To be fair, it's not the fault of the distributions, but a direct consequence of the constraints they must respect. In all our tests, the sound and graphics cards were always recognized. We found playback of local files worked without problems, that is, whenever the necessary codecs were already present.
Otherwise, we found we had less choices than with normal Linux distros. The several browsers all play HTML5 video clips but not Flash ones. You would have to install the corresponding plug-ins manually. Unless you chose Liberté, because Epiphany and the Flash plug-ins for Linux aren't really compatible. In any case, be warned that using Flash in and by itself increases the risks of attacks to your privacy.
On to the worst news now. In theory, all these distributions should support things like 3G modems, Bluetooth and, above all, lots of Wi-Fi chipsets. In practice, as with codecs, they won't be as up to date as mainstream Linux platforms. If you only planned to use these distributions on your computers, you may be lucky, or you may have to do a lot of initial configuration.
If, instead, your hope was an USB stick ready to use 'as is' for every Wi-Fi chipset you may throw at it you'll be disappointed! The exception would be Whonix which, as running only inside VirtualBox, couldn't care less of how its host accesses the Internet.
IprediaOS - 3/5
Liberté - 3/5
Privatix - 3/5
Tails - 3/5
Whonix - 3/5
Basically, expect to face issues with Wi-Fi access or media playback.
Office and graphics apps
What? No slide-shows?
Yes, the primary purpose of an anonymous distribution is to help you surf and do other things online anonymously. Sometimes, however, it's just impossible to limit yourself to that. The most common case may be the one in which you receive some graphic or office document over the net that you must check, or maybe edit quickly and then send somewhere else: logging off just to open one file would be really annoying, wouldn't it?
From this point of view, the best distructions are Tails and Privatix: as they both come with OpenOffice 3, Gimp and Inkscape. Tails also includes publishing software, Scribus.
Liberté and (at least by default) Whonix have much less on offer. The Office menu of Liberté only lists AbiWord, Gnumeric, Evince for PDF files and FBreader for ebooks. Slide-shows? No, sorry. That's still more than Whonix, which, in the same menu, only lists the Okular PDF reader. IprediaOS? Well, reading PDFs using Evince is pretty much all you'll find in the box.
On the positive side, both IprediaOS and Whonix may allow for additional software, using the same GUI interfaces available on Ubuntu, Fedora and many other popular Linux distributions. In theory, that is. In practice, while Synaptic in Whonix found and let us install an old version of LibreOffice (18.104.22.168!), the Gnome Package Manager in IprediaOS found no office packages in its pre-configured repositories.
IprediaOS - 2/5
Liberté - 3/5
Privatix - 5/5
Tails - 5/5
Whonix - 3/5
Tails and Privatix have all you need to do most office and graphics work.
Privacy and anonymity
The Internet is much more than websites!
Web surfing isn't everything, you may want to use your anonymous system more for email or instant messaging. All the distros are well equipped for this with one caveat: some of the most secure solutions may work out of the box only between users of the same distro. Let's look at email first.
All the systems include some standard email client for Linux with plug-ins. Whonix, for example, provides Thunderbird with the TorBirdy interface to Tor. Privatix contains both Evolution and IceDove, with digital signatures and message encryption enabled by default. Tails achieves the same goal with Claws.
Liberté users get a more interesting alternative: Claws with the Cables Communications system, a server-less protocol that routes messages directly between Tor or I2P nodes. A Cables identity consists of two long, very cryptic host names. After creating it, you'll be able to exchange email anonymously with other Cables users with the anonymous email address YourUserName@hostname. It will be much slower (up to a few days) than normal email, but you will get repudiability, delivery receipts and perfect forward secrecy.
Besides Evolution, IprediaOS has an interface to Susimail, a free pseudonymous email service that routes messages via the I2P network. All the distros include some support for anonymous file sharing, normally via Bit Torrent. In IM terms, Liberté and Tails have Pidgin with the OTR (Off The Record) plug-in to provide authentication, encryption and deniability. Liberté also has XChat, which is also the default IM client in IprediaOS and Whonix. Privatix has Pidgin and Empathy.
Another service present in all the systems we reviewed is unified management of passwords or encryption keys, with tools like Figaro or the GNU Privacy Assistant. Curiously, while all distros make creation of encrypted file systems easy, there seems to be no explicit, built-in support for steganography.
Our roundup contenders offer many more applications and functions to enhance privacy and anonymity, and we'll close this section by mentioning just a couple that we found interesting. In IprediaOS, all the services of the I2P network are accessible from one simple, web-based I2P console. Tails, instead, has the Metadata Anonymisation Toolkit. This service removes sensitive metadata hidden in files, from geographical coordinates in photos to the editing history in office documents.
IprediaOS - 5/5
Liberté - 5/5
Privatix - 4/5
Tails - 4/5
Whonix - 4/5
IprediaOS and Liberté get the top score for their support of alternatives.
How can I learn what I should do?
Good tutorials and other helpful documentation are always important for any software program you want to use. This is certainly the case with anonymous distributions, which may otherwise cause frustration even for people familiar with running Linux. Unfortunately, as it stands, the IprediaOS website only contains one video tutorial, explaining how to start the operating system in VirtualBox.
This lack of material, however, is compensated by the many links to forums and other resources in the I2P Web console. The documentation for Privatix is also scarce, at least in English. The full FAQ and manual is only available in German.
Liberté, Tails and Whonix, each have plenty of useful stuff in their respective websites. (Strictly speaking, most of the pages apply as they only cover the specific distro). Do yourself a big favour by following this little bit of advice: even if you decide now, just by reading this article, which system fits your needs, spend some time browsing the tutorials, FAQs and other documents of these three platforms. This will help you a lot to understand both the potential and the general limits of online anonymity and privacy.
Whonix, for example, has a great list of things that you should not do if you don't want to nullify all your attempts to anonymity. Most of that advice is valid on any operating system.
On the Tails website, we'd recommend that you should read at least the article on how to securely delete files and clean disk space.
IprediaOS - 3/5
Liberté - 4/5
Privatix - 2/5
Tails - 4/5
Liberté, Tails and Whonix all provide plenty of documentation for their distros.
Your ultimate anonymous Linux distribution will be the one closer to your actual needs. It'll take a trial period to figure out what those needs are. Sometimes, it will be really easy: the winning distro may just be the only one you'll manage, without recompiling code, to get to speak with the Wi-Fi chipset of your laptop.
That said, we were mainly interested to find which distro could make it easier for you to use the web anonymously, and learn the best practices that you should always follow, regardless of what operating system you're running.
IprediaOS is perfect if you prefer I2P to Tor, or if both you and your partners need something like Susimail. Whonix is great for multiple simultaneous identities. It is also the only way to provide more guarantees of anonymity to relatives etc who, for whatever reason, may continue to go online with Windows.
Whonix, however, is not made to go as-is on portable drives. We must say that we miss a turn-key bundle for Whonix and VirtualBox, that would make it possible to launch them with one click, even on Windows boxes, without rebooting. Oh, and if that bundle included some other barebone Linux distribution that does nothing but boot, connect to the Internet (which means having as many up to date Wi-Fi drivers as possible) and start the VirtualBox appliances then that would be even better!
Right now, and looking at online anonymity from a beginner's point of view, the distribution that comes out as the winner is Tails. The decision would have been harder if Privatix had supplied more English documentation, because that, too, is one really nice little system.
The main advantages of Tails are its readiness for USB installation and the complete nature of its desktop and its documentation. The Tails system menu also contains enough applications to make you do almost everything you may need without rebooting. The documentation, while not interesting as the one for Whonix, is more than adequate to help even Linux beginners. Yay for Tails, then!
1st: Tails - 4/5
Web:https://tails.boum.org | Licence: GPL Version 0.18
The best compromise for beginners between security and ease of use.
2nd: Privatix - 3/5
Web:www.mandalka.name/privatix | Licence: GPL Version 11.04.11_en
Almost as good as Tails, but with fewer applications and documentation.
3rd: Liberté Linux - 3/5
Web:http://dee.su/liberte | Licence: GPL Version 2012.3
Very well designed, but not a good first anonymous distro for beginners.
Web:http://www.ipredia.org/ | Licence: GPL Version 1-i686
The way to go when Tor isn't enough, but has fewer apps than Tails.
Web:http://sourceforge.net/p/whonix/ | Licence: GPL Version 0.5.6
An interesting architecture, but not as easily portable as the others.
The structure of software reviews strongly depends on the type of apps being reviewed. As obvious as it is, this isn't a banal issue. The actual distro test was both fun and relatively easy, but figuring out how to structure what we found and wanted to share was much harder.
The reason simply is that, with this kind of software, the user attitude is a much more critical component than in, say, office suites. How do you group (or define) the several features of a distro to take this into account, in a way that helps everybody to understand why they should care? We hope we succeeded.
Now download the distros, and try them all! No, wait! Here's one last bit of advice. Please spend some time looking at all the privacy plug-ins and extensions that these distros put in their browsers: learn what they are, how they are configured and why they were added in the first place.
Then, install and use them in the browser of your everyday Linux distro too. It won't hurt, and it may be the best way to become gradually familiar with the world of anonymous browsing.