Jonah Aragon's (PrivacyGuides) Failed Attempt to Takeover PrivacyTools.io
This long overdue blog post covers the failed takeover attempt of this website, cryptocurrency donations theft, a successful smear campaign, corruption and censorship. All initiated and fabricated by Jonah Aragon, the project lead of PrivacyGuides.org and Aragon Ventures LLC.
Donation of Recovered Stolen Funds
An attorney reached out on Twitter already to help recover these funds by representing me in the US via Power of Attorney. If Jonah Aragon saves us the legal work and makes things right by paying back in a timely manner, then I will donate the recovered funds to any privacy organization the community chooses. We will do a poll on r/privacytoolsIO to make this happen. You can quote me on this anytime.
Update July 11, 2022: Last message from Jonah Aragon "Would you be willing to settle for 0.09 BTC? This is all that I have, you can try suing me with your US lawyer if you want, but I quite literally don't have anything else to give you.". Sadly he never followed up with a settlement and blocked me on Twitter instead.
YouTuber Tom Spark made a video about the events: Exposing PrivacyGuides.org's Toxicity and Hateful Comments
Posts mentioning this article in the Privacy subreddits are being actively deleted and censored by trai_dep and JonahAragon only minutes after they have been posted. On a side note a newly created Twitter Community called "Privacy" is also under full control of JonahAragon and PrivacyGuides.
- Our Twitter profile was removed from the Twitter Privacy Community, moderated by PrivacyGuides and Jonah.
Why is this drama made public?
The number of times I’ve reached out to the responsible parties in private messages on Twitter or Reddit is countless. My pleas to reason and sort things out by talking to each other and finding solutions all failed because all these messages were ignored. Sadly, the PrivacyGuides team was and is until today very quick and active to do public damage control on reddit and Twitter. There was never an interest to sort anything out, just to keep the story/agenda straight: PrivacyTools.io is bad and PrivacyGuides is good. Way too many people swallowed that pill, since they’ve never heard the other side. English is not my first language, so preparing a wall of text like this is challenging and takes way too much time. Plus I was up against 4 to 5 native English speakers who already had a prepared story to feed the concerned community on what is happening. Instead of defending myself with long discussions and walls of text, I’ve decided to be productive and relaunch the complete website within 10 days and move on. That is what you now know as the minimal and clean version of PrivacyTools.io today.
Why is this statement so delayed?
I’ve taken the time until today to make a proper public statement about the failed takeover attempt of PrivacyTools.io, but I feel like the time is right to set the facts straight. Why now? I am just tired of defending myself constantly against people who are misinformed and didn’t know how things went down. It became too hard to move on with people questioning and making wild assumptions. People deserve an answer.
So far I’ve dealt with the incident with humour (Remember the famous Rick Roll?), an optimistic outlook by just moving on, starting over and going back to the roots with how I started back in 2015: Alone and with a motivation to spread privacy consciousness on an easy to use website. Hell, I’ve even tried to partner up with the PrivacyGuides Team to form a long-term relationship with both websites supporting each other, but it became pretty clear from the get go that they want full control over the privacy space and are hostile towards the original project that was established 7 years ago.
The early days of PrivacyTools.io
The website was started after I’ve followed the revelations of Julian Assange and Edward Snowden. Feeling the need to inform people and hand them proper tools, services and knowledge on how to fight mass surveillance. Slowly people joined in and wanted to help out with text snippets, tool suggestions and so on. Mostly loose agreements and volunteer helpers, we did things nice and slow. After a few weeks I’ve decided to open source the website on GitHub to make the website less dependent on my person, nobody was under pressure to actively work on it or forced to update it. This way people could enforce “Cunningham's Law”, it states "the best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer.". Basically the Wikipedia principle. And it worked perfectly fine, the moment wrong information was posted on the website it was corrected within minutes.
Goal and motivation at the time
The project slowly developed, some more ambitious people joined in with big plans for changes and content. I’ve always operated the project under an anonymous nickname “BurungHantu” with 0 interest in gaining any form of internet fame or financial gain. In fact I was lucky enough to financially retire, so I’ve figured it’s a good thing that the PrivacyTools.io domain will stay under my sole ownership since the core idea can’t be corrupted by individuals who want to become famous or rich.
The first red flag: Change of website license without approval
The website was initially released under the "DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE Version 2, Free Software License." and used the Kopimi symbol to encourage people to copy the website, translate it, and start their own privacy related project or a translation of it. At any given time any person was able to copy the whole website and host it under a new domain. It was basically asking people to steal it.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE Version 2, December 2004 Copyright (C) 2004 Sam Hocevar <[email protected]> Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed. DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. You just DO WHAT THE FUCK YOU WANT TO.
After recruiting Jonah Aragon in the team he laid his first foundation bricks and removed the “WTFPL V2” License and later on even the “Kopimi symbol” without my approval, even though he admitted that at that time 90% of the content was created by me.
“If we're being honest, @BurungHantu1605 is probably responsible for 90% of the content from before the license switch anyways. The risk is minimal and easy to resolve in the moment, as far as I'm aware.”
All relevant sources on the unauthorized license change:
At any given time any person was able to copy the whole website and host it under a new domain. It was basically asking people to steal it, but not actually stealing a subreddit, hijacking a domain, donations and a GitHub account. Classic case of: "Offer him a finger and he will bite a hand off up to the elbow". More about that later.
The second red flag: Intent to gain fame, power and control
Up to that point I’ve appreciated that most contributors use an anonymous nickname, nobody requested an “about us” page or wanted to get his/her name out there. Nobody wanted to become famous for updating a trivial privacy tools website, understandably. This quickly changed as well after Jonah Aragon joined the project. He created an “about us” page to get his name, website links etc. out there and later even made himself the #1 ranking member on that page, even though he just recently joined and was not a founding member or even to be considered as an early bird. I’ve requested several times to delete the “about us” in order for us all to remain anonymous, for protection.
Several newcomers suggested to turn PrivacyTools.io into a public Organization and hand out administration rights. I gave in, since contributors were ambitious and active. Doing a great job in keeping PrivacyTools.io alive and adding fresh content on a regular basis. I’ve had mixed feelings, since I’ve seen that things go in the wrong direction by people not remaining anonymous. Shortly after a reddit “We are the privacytools.io team -- Ask Us Anything!” was initiated to get the word out there about the people involved. I wasn’t actively involved in the project at the time and Jonah took the lead. In my opinion this led to unwanted attention to everyone involved in our anonymous project.
Power, Donations and Bureaucracy
To be fair, Jonah did invest at this point a fair amount of time of his day to setup forums, chatrooms and other vital services to create a community for PrivacyTools.io. This took a lot of time, energy and focus and if I remember correctly he was looking for a job at the time. The idea was to collect enough donations to be able to afford and support him as a permanent server administrator. The idea was accepted, but also split the team in half. Long discussions ensued on if it’s a good idea to start collecting money on OpenCollective.com in order to sustain a part time server admin job.
We’ve decided to signup for the Brave Rewards program. Website owners get paid by Brave Browser basically. Supposedly these payouts are split and shared, but Jonah never sent any of it to me. Only American citizens are able to receive payments (A total of 3650 BAT = 3832.5 USD was paid out). Until this day the PrivacyGuides team advocates against the use of Brave Browser, but happily accepts payments from the same company it advocates against.
BurungHantu and Jonah setup a shared multi cryptocurrency wallet on Guarda.com in order to collect funds for PrivacyTools.io and the agreement was to HODL these funds until they gain in value and use it someday to expand the project or donate ourselves to privacy developers.
GitHub at the time became a bureaucracy hell. Every little change on the website took often times several weeks or months of discussions, like beating a dead horse. Updating the website turned out too complex for me personally, involved endless discussions and made no actual progress on the final product. I’ve lost interest, my little project turned into a bureaucracy nightmare. Here is an example of PrivacyGuides taking almost 10 months to add two tools to a website.
Things turn sour: Stolen cryptocurrency donations
Users appreciated the hosted services and started donating to PrivacyTools.io via OpenCollective and Cryptocurrencies. But funds started to disappear. Upon confrontation Jonah Aragon confirmed that he withdrew, without any approval, ~3.749.96 USD (0.08252224 BTC). Reason: “Just testing my hardware wallet.”. The hardware wallet turned out to be working, but the funds were never returned to PrivacyTools.io.
In this transaction Jonah Aragon transfers the stolen funds into his publicly known wallet:
- Even years later it's still possible to see, without a doubt, where these funds went since the Bitcoin address is posted on jonaharagon.com/accounts. Leading to the trail: "bc1qqtathhjeu0578qfhwe2spnfmc0pjppd7rzcape".
An appropriate reaction at that time would have been to kick him instantly from the project, but I didn’t care about money and was happy someone looks after the project. Little did I know that this was just the start of a bigger takeover plan.
The atmosphere turned sour, trust was broken, communication came to an all time low. Few updates being released on PrivacyTools.io due to the crazy bureaucracy mechanism. What was once fun and exciting turned into a huge machine with slow wheels. A simple privacy tools recommendation website was turned into a shiny rocket science project, that produced self proclaimed privacy experts. My communication attempts with Jonah turned into one word answers like “yes” and “no”, no discourse and no teamwork. After the trust was broken, it felt like working in a snake pit. I let them be, what could go wrong? Don’t wanna be near snakes.
Sickness, Sabbatical, Health and BurungHantu Missing in Action
Unfortunately shortly after the broken trust my health situation worsened and I decided to take time off the internet after working behind the screen for over 20y. I took a sabbatical, focused on health, gardening, planting trees and quality family time. Thinking about joining the team chat channel gave me anxiety and joining pointless GitHub discussions a headache. I’ve stayed away and the gap was filled with power, control, fame hungry individuals. I’ve always wondered why people didn’t take off with the content, ideas and concept I’ve asked them to take with the “WTFPL V2” Licensing and the Kopimi Symbol.
In fact Jonah Aragon did attempt this, to quote him: “I wasn’t interested in the direction of privacytools at the time. i was just going to start privacy guides on my own last spring just for fun. the rest of the team asked me to join them again and were a bit more upset about your absence than i’d thought, kind of got this “rebranding” ball rolling. i always just wanted to start fresh but whatever.”
The Failed Takeover Attempt
Permission was given to copy all my content, the concept, the ideas. It would have not been a fresh start, it was just more convenient to take it all and burn the ground after.
Even though I was absent and still healing I’ve checked in daily on PrivacyTools.io since I’ve had already mixed feelings and trust was broken. To my surprise the project was being redirected to a new domain name “privacyguides.org”. My first thought was: “Oh nice, they’ve finally decided to move on and start something that doesn’t need to involve me. Let me check on reddit what the deal is.” Only to find out that I’ve been removed completely from the moderation team, my user flair “founder” was stripped, removed from the GitHub Organization, removed from the OpenCollective donation platform, the stolen crypto funds came back to mind. Basically barred from everything “PrivacyTools.io” related, even though the team moved onto a new venture and had permission to copy everything. But it was copied and burned.
PrivacyGuides Team Labeled the Takeover a Rebranding
It took me a few hours to realize things are not in order and had to catch up first. Upon entering the chat room I was immediately hit with hostility by a team member, others reacted rather awkwardly: “Oh, we thought u’ve died of Covid”. Which was a possibility at that time, to be fair. Trying to talk things out and getting to the bottom of why I’ve been completely removed from my own project was met with blaming, shaming, hostility or outright ignoring the issue. At that time I’ve offered to keep even the redirect to the new domain, to support the new venture until I get back up on my own feet. That was of course quickly cancelled after realising that nobody is planning to return any account access back to me that is in any way PrivacyTools.io related. Instead of working out a plan, figuring out how to cooperate in the future etc. The main interest of every PrivacyGuides member was: “Give us more control. We want to buy your domain with the stolen funds. You need to keep the social media services online that we have full control over, but legally run under your domain.”
Still somewhat supportive of my old colleagues I’ve asked for advice on how to configure the subdomains to keep the services alive, how to protect myself from legal threats in case users under my domain using a server I have 0 control over etc. Quickly turned into a political and public relations matter, with a complete prepared storyline and smear campaign. Let me tell you a whole team arguing against a single person is a stressful situation. Without any legal protection and technical support I was forced to shutdown the chat and other social media services, this was later also used to badmouth PrivacyTools.io.
I’ve granted one PrivacyGuides team member access to the @privacytoolsIO Twitter handle in the past that was instantly abused to inform the community that PrivacyTools.io rebranded into a new project PrivacyGuides.
Fabricated Domain Expiration Claim
The main argument at the time was: “We’ve saved the project, since the domain would have expired in a few months and we couldn’t reach you.”. This claim was completely fabricated to create a sense of urgency and make the takeover look like a necessity. But in fact I’ve used the donations to pre pay the hosting account with enough money to renew the domain for at least 20 years. Everything was setup to run without me. GitHub updates were automatically pushed onto the server and team members had full server access, that I didn’t even have. Both server and domain were later used to create a story "how it was impossible to run privacytools.io without BurungHantu" and how they had every right to take everything and burn down to the ground.
Reddit War, Censorship and Public Damage Control
Soon the private communications stopped completely, and the Ministry of Truth on reddit in the user form of “trai_dep” became active and prepared. From this point on it became clear we’re not gonna solve anything, now it’s a public blame game, keeping the story straight, staying in power, looking like the good guy even after a hostile takeover. At this point I am not sure if trai_dep knew all the dirty little secrets and wrongdoings, but he was hungry to take over a 200,000 user subreddit and succeeded. He used a loophole on reddit, where inactive reddit users can be removed as an admin after 3 months of inactivity. He took the chance. At the same time Jonah Aragon took the chance to make sure PrivacyTools.io can’t recover from the takeover attempt and reserved an additional subreddit that has 0 relations with his new project PrivacyGuides:
https://www.reddit.com/r/privacytools but is being used to redirect traffic.
https://www.reddit.com/r/privacytoolsIO/ is shut down and purely being used to redirect traffic. All involved parties have refused to return the 200,000 user subreddit to its founder who built the community from scratch. This was done to hurt PrivacyTools.io and benefit PrivacyGuides.
I’ve reached out to reddit already, they’re refusing to help out even though the intentions of the actors are clearly flawed. Turns out trai_dep is quite influential on reddit and moderates several big subreddits, uses English as his first language and is willing to write walls of text for hours for good publicity. Something which I’m not able to do. I've researched new content additions instead.
Eventually some users realized on their own that things appear to be shady and were confused about the shutdown of the privacytoolsIO subreddit and started to ask questions in this thread:
Sadly most comments have been censored by the PrivacyGuides team that didn’t support their version of the story. They were in full control and used every tool available to make this look good. Still worth a read, some are not censored yet.
Takeover of GitHub: Used in Public Relations to Badmouth PrivacyTools
Exact same strategy with the PrivacyTools GitHub Organization: https://github.com/privacytools/privacytools.io
It was taken over, I was completely removed from it. Shutdown to hurt PrivacyTools.io and remarks and redirects set in place to benefit PrivacyGuides. The fact that I’ve lost access to GitHub was later being used by the PrivacyGuides team to badmouth the PrivacyTools.io project. Quote: “You’re not even open source anymore.”. GitHub as well refused to release the account without a legal proceeding.
Removed Project Funding: Used in Public Relations to Badmouth PrivacyTools
PrivacyTools.io was removed from any project funding in benefit of PrivacyGuides.
10,000 USD+ from OpenCollective transferred to PrivacyGuides
3,731 USD Bitcoin Donations (Theft)
3,832 USD Revenue from Brave Browser (Theft)
= 17,563 USD in total
Now my current funding model explained on privacytools.io/donate is being used to devalidate any efforts made in the name of PrivacyTools.io. To give you a rough idea what amounts we’re talking about: The combined hundreds of hours of work with the current stream of donations and affiliate revenue won’t even come close to a minimum wage. It’s literally for Beer, Coffee and Pizza. And I highly appreciate it, every Pizza PrivacyTools.io buys me, makes me smile and keep going. Now it’s being used to shame me and it’s not working. The narrative is: "We've removed you from your project funding but we're using any attempt to recover from it to discredit your work."
I am happy. I don’t work in a snake pit anymore. No need for endless discussions. Visitors are at an all time high with daily 10,000 unique visitors. Twitter followers received a huge gain after the relaunch and we’re getting close to 22,000 Followers.
Jonah Aragon should make things right and return accounts and project funding. I am willing to forgive. Fix it and we move on. No more badmouthing of PrivacyTools.io. I am still willing to cooperate and support everyone in the PrivacyGuides Team who was unaware what was going on in the background. The subreddit and GitHub account belong to PrivacyTools.io and are in absolutely no relation with PrivacyGuides. The privacy community is small enough, we need to stick together not fuck each other over. Spread the word, spread awareness, keep your heart in the right place. We're doing the right thing.
Believe me when I say I’d have rather used the time to do something more productive for the privacy community, like adding more tools or looking for GitHub Gems, instead of making this post. People deserve to know the truth in the end and hope this was worthwhile. I am just really fed up with having to reply to “I thought PrivacyTools.io rebranded into PrivacyGuides and therefore PrivacyTools.io shouldn’t be trusted anymore.” Here is the full story guys. I am here to stay.
Fuck fame, fuck money, fuck dishonesty. Your BurungHantu, since 2015.
Noteworthy User Feedback
"Honestly having come across this multiple times over the last couple months both around reddit and discord this 100% seems like a hostile takeover.
It seems like the original privacytools.io owner disappeared for a while due to health reasons and you guys straight up just took over the whole project. Why remove him from the GitHub and reddit communities if you didn't want to take it over? If you were really standing in for his lack of leadership you would have left him as a member and admin (given, you know, how he started the whole thing) and just continued with him as an inactive member.
You try to justify it to yourself and everyone around with half-assed excuses but in reality you took advantage of him being absent to take over the site and the brand. Every other problem listed by you guys that "justified" removing him could just have been solved by you guys not removing him and simply reaching out to him or putting in the effort to do something at a critical time such as buying the domain if/when it expired.
It seems like you felt like the work you put in wasn't being appropriately compensated or appreciated, but the work you put into the project does not, in any way, justify the takeover. It was an open-source project that you willingly participated in without compensation. The fact that you and the rest of the team tried to make it more "professional" shows your real aim: commercializing the site, which is a clear conflict of interest since there is now a commercial interest.
You should be ashamed to call yourselves members of the privacy community." Permalink to the post
"there are still a lot of unknowns, so far, and the fact that they're quite literally going out of their way to make sure this is censored everywhere they can sickens me. FOSS and privacy advocates censoring information under the guise of it being "Developer Drama TM" and "debunked months ago" the post just came out today, as an official statement from the founder of privacytools.io and it's filled with things that make a lot of sense. my whole thing with it is, if it's information that's been debunked, why censor it? why not keep the discussion thread open in the community it has a direct effect on, let the users have a spot to gather, view, and discuss the statements and explanations from both parties. if it's been debunked, then typing up an official statement that serves as a response to today's post would be the most logical and easy route for them to take, at least in my mind. instead, they 're going out of their way to report any posts and try to have them taken down, if they can, as well as in the main privacy sub, where they have an inside mod. this behavior is questionable and no doubt shady, as it throws up a huge red flag. just because the entity that now holds all the cards claims something's been debunked and handled internally or that they never could get answer from the owner, well, that's just he said she said. there's no proof to any of it and there's still a huge disagreement between both parties. they're making accusations against him and blowing the whole thing off like it's no big deal. i'm still shocked over this. i would not have any issue if they wouldn't be so adamant about censoring it. having the information pubicly accessible and viewable, well, that's the only fair move, the only way this will get resolved, and it's something they really owe to the user-base." Permalink to the post