Open Source Privacy Tools Every Indian Should Use

You don't need to spend money to take back your privacy. Every tool on this list is free, open source, and works in India. Most of them take less than ten minutes to set up.

Amit Patel
So I've been using almost entirely open source software for my privacy setup for about three years now. Not because I'm ideologically committed to free software — though I respect the people who are — but because at some point I got tired of trusting companies that kept changing their privacy policies, getting acquired by data brokers, or quietly adding telemetry to their products after I'd already made them part of my daily routine. Open source doesn't eliminate trust entirely, but it shifts the equation. You can verify. Anyone can verify. And that's a meaningfully different arrangement than "trust us, we're good."

What follows is the set of tools I actually use, alongside some I've tested and have opinions about. Everything here is free. Everything works in India — on Jio, on Airtel, on BSNL, on whatever janky broadband connection you've got. A few are mildly annoying to set up, but nothing requires a computer science degree. If you've ever figured out how to configure a router's admin page, you can handle all of this.

Your Browser Is the Starting Point

Firefox is the only major browser whose development isn't controlled by an advertising company. Chrome is Google's. Edge is Microsoft's. Opera was bought by a Chinese consortium years ago. Brave has its own crypto token thing going on, which is a separate conversation. Firefox is built by Mozilla, a non-profit, and while Mozilla has made some questionable business decisions over the years, the browser itself remains genuinely good on privacy.

Set Enhanced Tracking Protection to Strict mode — it's under Settings, Privacy & Security. This blocks third-party cookies, tracking content, cryptominers, and fingerprinters by default. Some sites might break slightly in Strict mode (a login might not persist, an embedded widget might not load), but in my three years of using it, the breakage has been rare enough that I don't think about it. When a site does break, you can add a per-site exception, which takes two clicks.

Now pair Firefox with uBlock Origin. It's not just an ad blocker — calling it that undersells it. uBlock Origin is a broad-spectrum content filter. It blocks ads, yes, but also tracking scripts, known malware domains, social media tracking widgets, and a bunch of other garbage that slows down your browsing and leaks your data. It uses less memory than any comparable extension. The default filter lists are solid, and you can add more if you want — I use the "Annoyances" lists to block cookie banners and newsletter popups as well.

On Android, Firefox supports extensions, so you can run uBlock Origin on your phone too. This is a big deal because Chrome for Android doesn't support extensions at all. Google claims it's for security reasons, which is a convenient position for a company whose revenue depends on the ads that extensions like uBlock Origin block.

Messaging: The WhatsApp Problem

Signal is the messaging app I recommend, and the app I actually use for conversations I care about keeping private. It's end-to-end encrypted using the Signal Protocol, which is also the basis of WhatsApp's encryption, but with a key difference: Signal is open source — the server code, the client apps, everything. Independent researchers audit it regularly. It collects almost no metadata. It doesn't know who you talk to, when you talk to them, or how often. WhatsApp knows all of that and shares it with Meta.

The push-back I always get is: "But nobody I know is on Signal." Fair. Adoption is the hard part. In India, WhatsApp has something like 500 million users. Signal has... fewer. But it's growing, especially among journalists, activists, lawyers, and privacy-aware tech workers. My suggestion: install Signal alongside WhatsApp, move your most sensitive conversations there, and gradually nudge the people you talk to most. You don't have to delete WhatsApp tomorrow. Just start using Signal for the conversations that matter most — financial discussions, medical information, personal matters you wouldn't want Meta to profile.

Signal works well on Indian networks. Voice and video calls are decent on 4G. Group chats support up to 1,000 members. There's a desktop app that syncs with your phone. The one genuine limitation is that it requires a phone number to register, which means it's not fully anonymous. But for protecting the content of your conversations from corporate surveillance, it's the best tool available.

Passwords: The Vault You Actually Need

Bitwarden is the password manager I'd push on literally everyone. It's open source, independently audited, and the free tier is surprisingly complete — unlimited passwords, cross-device sync, a password generator, and auto-fill on browsers and mobile. I've used the free tier for years without feeling limited. The paid plan is about Rs 700 per year and adds features like hardware key support and encrypted file storage, but the free version covers what most people need.

The argument for a password manager is simple: you need unique passwords for every account. You can't remember unique passwords for 50+ accounts. A password manager remembers them for you. You remember one master passphrase (make it a good one — four or five random words strung together), and the manager handles everything else. It generates random 20+ character passwords, stores them encrypted, and auto-fills them when you log in. I haven't typed a password manually in years.

If cloud sync bothers you — if the idea of your encrypted vault sitting on Bitwarden's servers makes you uncomfortable — KeePassXC is the alternative. It stores everything in a local encrypted database file on your device. No cloud. No servers. You manage the backup yourself (copy the database file to an encrypted USB drive or a local NAS). It's more manual, but for people who want complete control, it's solid. The interface isn't as polished as Bitwarden's, but it does the job.

Two-Factor Authentication: Not All Apps Are Equal

Aegis Authenticator is the 2FA app I use on Android. Open source, supports TOTP and HOTP, lets you organise entries with groups and icons, and — critically — supports encrypted backups. That last point matters more than people realise. If your phone dies or gets stolen and you didn't back up your 2FA codes, you're locked out of every account that uses 2FA. Aegis lets you export an encrypted backup file that you can store on a computer, a USB drive, or a secure cloud folder. I keep a backup on my laptop and another on a USB drive in my desk drawer. It takes thirty seconds to set up and saves you from disaster.

Google Authenticator has improved — it now syncs codes to your Google account — but that means your 2FA codes are tied to your Google account, which means Google has them. If you're trying to reduce your dependence on Google's ecosystem (and you probably should be, given how much data Google already has on you), Aegis is the better choice.

On iOS, the built-in Passwords app handles TOTP codes natively now, which is convenient if you're already in the Apple ecosystem. Raivo OTP was a popular open source alternative for iOS, though its development status has been uncertain since its acquisition in 2023. Check the current situation before committing to it.

DNS: The Most Underrated Privacy Upgrade

I talked about encrypted DNS in detail in another post, so I'll keep this brief. Your DNS queries — the lookups your device does to translate website names into IP addresses — are sent in plain text by default. Your ISP sees every website you visit through these queries. Encrypting them takes five minutes and hides your browsing from your ISP.

NextDNS is what I use. It encrypts DNS queries and lets you set up custom blocking lists — ads, trackers, malware, even specific categories of content. The free tier covers 300,000 queries per month, which is plenty for a single person (a heavy user might hit 200,000). Configuration is straightforward: create a free account, get your configuration ID, and set it as your Private DNS provider on Android or configure it in your router settings for network-wide coverage.

Pi-hole is the self-hosted alternative. It runs on a Raspberry Pi (about Rs 4,000-5,000) and acts as a DNS server for your entire home network. Every device connected to your Wi-Fi gets ad and tracker blocking automatically, without needing any software installed on the device itself. Setup takes an hour if you're new to Raspberry Pi, maybe twenty minutes if you've used one before. The Pi-hole community maintains excellent blocking lists, and you can see real-time statistics of how many queries are being blocked — which is both informative and slightly horrifying when you see that 20-30% of your network's DNS queries are trackers.

VPN: When You Need One

WireGuard is the VPN protocol I'd recommend. It's open source, fast, and has a codebase that's small enough to be audited meaningfully (about 4,000 lines of code, compared to OpenVPN's 100,000+). WireGuard is a protocol, not a service — you need a VPN provider or your own server to use it.

For providers, Mullvad stands out. They accept cash payments through the mail (literally — you send an envelope with money), they don't require an email address to sign up, and they've been independently audited. They cost about Rs 450 per month. IVPN is similar in philosophy and practices. Both support WireGuard.

If you're technically inclined, you can set up your own WireGuard server on a cheap cloud VPS — DigitalOcean, Vultr, or Hetzner offer instances for $4-5 per month. You get a VPN that nobody else uses, which means your traffic isn't mixed with other users' traffic (a privacy advantage in some ways, a disadvantage in others since you can't hide in a crowd). There are scripts like wg-easy that automate the setup to about ten minutes of work.

I should note: you don't always need a VPN. A VPN hides your traffic from your ISP, but it shifts trust to the VPN provider. If you've already set up encrypted DNS, you've addressed the biggest ISP snooping concern. A VPN adds value when you're on untrusted networks (public Wi-Fi), when you want to prevent your ISP from seeing the IP addresses you connect to (encrypted DNS hides domain names but not IPs), or when you need to bypass geographic restrictions.

One more thing on VPNs: avoid free VPN services. This isn't snobbery — it's practical risk assessment. Free VPNs have to pay for their infrastructure somehow, and the "somehow" is almost always your data. Multiple free VPN apps on the Play Store have been caught logging browsing data, injecting ads, and even selling bandwidth to third parties (turning your phone into a proxy node for other people's traffic). A 2024 analysis by a security research group found that 72% of free VPN apps on the Google Play Store contained at least one tracking library. The product that's supposed to protect your privacy is, in many cases, the product that's selling it. If you can't afford a paid VPN, you're better off without one than with a free one that's actively undermining your security.

Linux Distributions: The Deep End

I won't spend too long on this because it's not for everyone, but if you're the kind of person who's reading an article about open source privacy tools and thinking "this isn't enough," you might want to consider running Linux as your desktop operating system. Linux Mint and Fedora are the two I'd recommend for people coming from Windows. Both have polished interfaces, good hardware support (much better than five years ago), and don't phone home to Microsoft or Google.

The privacy advantage of Linux over Windows is real. Windows sends telemetry to Microsoft by default — information about your hardware, your usage patterns, your installed apps, your browsing in Edge, your search queries through the Start menu. You can reduce this telemetry through settings, but you can't fully eliminate it on consumer editions of Windows. Linux sends nothing unless you directly install something that does. Your operating system is just... your operating system. It does what you tell it and nothing else.

The practical tradeoffs are real though. Some software doesn't run on Linux (especially Microsoft Office, though LibreOffice handles most use cases, and you can always use Office 365 in a browser). Some hardware peripherals lack Linux drivers, though this is increasingly rare. Gaming on Linux has improved dramatically thanks to Valve's Proton compatibility layer, but it's not 100% compatible with every Windows game. If your needs are browsing, email, office work, and development, Linux handles all of them without breaking a sweat. If you depend on specific Windows-only software, the switch is harder.

File Encryption and Email

Cryptomator encrypts files before you upload them to cloud storage. If you use Google Drive, OneDrive, or Dropbox, your cloud provider can normally see your files. With Cryptomator, they see encrypted blobs with randomised names. It's open source, cross-platform (Windows, Mac, Linux, Android, iOS), and the desktop version is free. The mobile apps cost a one-time fee of a few hundred rupees, which is reasonable. I use it for anything I wouldn't want Google to index — financial documents, personal records, medical files. The setup is simple: you create a "vault" (a folder on your cloud storage), set a password, and anything you put in the vault gets encrypted automatically before syncing. When you need to access a file, Cryptomator decrypts it on the fly on your local machine. Your cloud provider never sees the unencrypted version.

VeraCrypt is worth mentioning alongside Cryptomator for a different use case. While Cryptomator is designed for cloud storage, VeraCrypt encrypts entire drives or creates encrypted volumes on your local machine. If you're carrying sensitive data on a USB drive or want to encrypt a partition on your laptop, VeraCrypt is the standard. It's the successor to TrueCrypt (which was mysteriously abandoned in 2014), and it's been audited independently. The interface looks like it was designed in 2005 — because it was — but the cryptography is solid.

Thunderbird with built-in OpenPGP handles encrypted email if you need it. You generate a key pair, share your public key with contacts, and emails between you are encrypted end-to-end. The process is less user-friendly than Signal — PGP has always had a usability problem — but for email specifically, it's the standard. Proton Mail is the easier option if you want encrypted email without managing keys yourself. Their clients are open source, servers are in Switzerland, and the free tier includes 1 GB of storage. It's not self-hosted, so you are trusting Proton, but they've built a reputation that seems, so far, earned.

That's the stack. Firefox with uBlock Origin. Signal. Bitwarden. Aegis. NextDNS or Pi-hole. WireGuard when needed. Cryptomator for cloud files. Every piece is open source, every piece is free (or nearly free), and every piece has been around long enough to have a track record. None of it is perfect — nothing in security ever is. But the distance between this setup and the default (Chrome, WhatsApp, no password manager, no 2FA, plain DNS, files unencrypted on Google Drive) is enormous. The default is a house with all the windows open. This is the same house with the windows closed and locked. Someone determined enough can still get in, but they'll have to work for it.

Written by

Amit Patel

Tech Security Writer

Amit Patel is a technology journalist and security researcher who covers mobile security, app privacy, and emerging threats targeting Indian users. He previously worked with leading Indian tech publications before joining PrivacyTechIndia.