Jonah Aragon's (PrivacyGuides) Failed Attempt to Takeover PrivacyTools.io

This long overdue blog post covers the failed takeover attempt of this website, cryptocurrency donations theft, a successful smear campaign, corruption and censorship. All initiated, fabricated by Jonah Aragon, the project lead of PrivacyGuides.org and Aragon Ventures LLC.

Video coverage

Aug, 2022: Don't Trust Techlore. Here's Why

YouTuber Tom Spark made a video about the events: Exposing PrivacyGuides.org's Toxicity and Hateful Comments

Donation of Recovered Stolen Funds

An attorney reached out on Twitter already to help to recover these funds by representing me in the US via Power of Attorney. If Jonah Aragon saves us the legal work and make things right by paying back in a timely manner, then I will donate the recovered funds to any privacy organization the community chooses to. We will do a poll on r/privacytoolsIO to make this happen. You can quote me on this anytime.

Update July 11, 2022: Last message from Jonah Aragon "Would you be willing to settle for 0.09 BTC? This is all that I have, you can try suing me with your US lawyer if you want, but I quite literally don't have anything else to give you.". Sadly, he never followed up with a settlement and blocked me on Twitter instead.

Censorship Update:

Posts mentioning this article in the Privacy subreddits are being actively deleted and censored by trai_dep and JonahAragon only minutes after they have been posted. On a side note a newly created Twitter Community called “Privacy” is also under full control of Jonah Aragon and PrivacyGuides.

1. https://www.reddit.com/r/PrivacyGuides/comments/ttvpjx/privacyguides_did_you_really_do_what_that_article/
2. https://www.reddit.com/r/privacy/comments/ttxqon/shadiness_in_the_privacy_space_jonah_aragons/
3. Our Twitter profile was removed from the Twitter Privacy Community, moderated by PrivacyGuides and Jonah.
4. https://www.reddit.com/r/privacy/comments/tujdz7/im_leaving_this_sub_and_you_should_too_until_they/

Why is this drama made public?

The number of times I’ve outreached with the responsible parties in private messages on Twitter or Reddit are countless. My pleas to reason and sort things out by talking to each other and find solutions all failed by the fact that all these messages have been ignored. Sadly, the PrivacyGuides team was and is until today quick and active to do public damage control on reddit and Twitter. There was never an interest to sort anything out, just to keep the story/agenda straight: PrivacyTools.io is bad and PrivacyGuides is good. Far too many people swallowed that pill, since they’ve never heard the other side. English is not my first language, so preparing a wall of text like this is challenging and takes far too much time. Plus, I was up against 4 to 5 native English speakers who already had a prepared story to feed the concerned community on what is happening. Instead of defending myself with long discussions and walls of text, I’ve decided to be productive and relaunch the complete website within 10 days and move on. That is what you now know as the minimal and clean version of PrivacyTools.io today.

Why is this statement so delayed?

I’ve taken the time until today to make a proper public statement about the failed takeover attempt of PrivacyTools.io, but I feel like the time is right to set the facts straight. Why now? I am just tired to defend myself constantly with people who are misinformed and didn’t know how things went down. It became too hard to move on with people questioning and making wild assumptions. People deserve an answer.

So far, I’ve dealt with the incident with humor (Remember the famous Rick Roll?), an optimistic outlook by just moving on, starting over and going back to the roots with how I started back in 2015: Alone and with a motivation to spread privacy conciseness on an easy-to-use website. Hell, I’ve even tried to partner up with the PrivacyGuides Team to form a long-term relationship with both websites supporting each other, but it became pretty clear from the get go that they want full control over the privacy space and are hostile towards the original project that was established 7 years ago.

The early days of PrivacyTools.io

The website was started after I’ve followed the revelations of Julian Assange and Edward Snowden. Feeling the need to inform people and hand them proper tools, services, and knowledge on how to fight mass surveillance. Slowly people joined in and wanting to help out with text snippets, tool suggestions and so on. Mostly loose agreements and volunteer helpers, we did things nice and slow. After a few weeks, I’ve decided to open source the website on GitHub to make the website less dependent on my person, nobody was pressured to actively work on it or forced to update it. This way people could enforce “Cunningham's Law”, it states "the best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer.". Basically, the Wikipedia principle. And it worked perfectly fine, the moment wrong information was posted on the website it was corrected within minutes.

Goal and motivation at the time

The project slowly developed, some more ambitious people joined in with big plans for changes and content. I’ve always operated the project under an anonymous nickname “BurungHantu” with 0 interest in gaining any form of internet fame or financial gain. In fact, I was lucky enough to financially retire, so I’ve figured it’s a good thing that the PrivacyTools.io domain will stay under my sole ownership since the core idea can’t be corrupted by individuals who want to become or famous or rich.

The first red flag: Change of website license without approval

The website was initially released under the "DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE Version 2, Free Software License." and used the Kopimi symbol to encourage people to copy the website, translate it, and start their privacy related project or a translation of it. At any given time, any person was able to copy the whole website and host it under a new domain. It was basically asking people to steal it.

           DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
                   Version 2, December 2004

Copyright (C) 2004 Sam Hocevar <[email protected]>

Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.

           DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
  TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

 0. You just DO WHAT THE FUCK YOU WANT TO.

After recruiting Jonah Aragon in the team, he laid his first foundation bricks and removed the “WTFPL V2” License and later on even the “Kopime symbol” without my approval, even though he admitted that at that time 90% of the content was created by me.

Screenshot Source

“If we're being honest, @BurungHantu1605 is probably responsible for 90% of the content from before the license switch anyways. The risk is minimal and easy to resolve at the moment, as far as I'm aware.”

All relevant sources to unauthorized the license change:

• https://github.com/privacytools/privacytools.io/issues/884
• https://github.com/privacytools/privacytools.io/pull/919
• https://github.com/privacytools/privacytools.io/pull/940
• https://github.com/privacytools/privacytools.io/issues/955

At any given time, any person was able to copy the whole website and host it under a new domain. It was basically asking people to steal it, but not actually stealing a subreddit, hijacking a domain, donations, and a GitHub account. Classic case of: "Offer him a finger, and he will bite a hand off up to the elbow". More about that later.

The second red flag: Intend to gain fame, power and control

Up to that point I’ve appreciated that most contributors use an anonymous nickname, nobody request an “about us” page or wanting to get his/her name out there. Nobody wanted to become famous for updating a trivial privacy tools website, understandably. This quickly changed as well after Jonah Aragon joined the project. He created an “about us” page to get his name, website links etc. out there and later even made himself the #1 ranking member on that page, even though he recently joined and was not a founding member or even to be considered as an early bird. I’ve requested several times to delete the “about us” in order for us all to remain anonymous, for protection.

Several newcomers suggested turning PrivacyTools.io into a public Organization and hand out administration rights. I gave in, since contributors were ambitious and active. Doing a great job in keeping PrivacyTools.io alive and adding fresh content regularly. I’ve had mixed feelings, since I’ve noticed that things go in the wrong direction by people not remaining anonymous. Shortly after a reddit “We are the privacytools.io team -- Ask Us Anything!” was initiated to get the word out there about the people involved. I wasn’t actively involved in the project at the time and Jonah took the lead. In my opinion, this lead to unwanted attention to everyone involved in our anonymous project.

Power, Donations and Bureaucracy

To be fair, Jonah did invest at this point a fair amount of time of his day to setup forums, chatrooms and other vital services to create a community for PrivacyTools.io. This took a lot of time, energy, and focus and if I remember correctly, he was looking for a job at the time. The idea was to collect enough donations to be able to afford and support him as a permanent server administrator. The idea was accepted, but also split the team in half. Long discussions ensued on if it's a good idea to start collecting money on OpenCollective.com to sustain a part time server admin job.

We’ve decided to signup for the Brave Rewards program. Website owners get paid by Brave Browser basically. Supposedly these payouts are split and shared, but Jonah never sent any of it to me. Only American citizens can receive payments (A total of 3650 BAT = 3832.5 USD was paid out). Until this day the PrivacyGuides team advocates against the use of Brave Browser, but happily accepts payments from the same company it advocates against.



BurungHantu and Jonah setup a shared multi cryptocurrency wallet on Guarda.com to collect funds for PrivacyTools.io and the agreement was to HODL these fund until they gain in value and use it someday to expand the project or donate ourselves to privacy developers.

GitHub at the time became a bureaucracy hell. Every little change on the website took often times several weeks or months of discussions, like beating a dead horse. Updating the website turned out too complex for me personally, involved endless discussions and made no actual progress on the final product. I’ve lost interest, my little project turned into a bureaucracy nightmare. Here is an example of PrivacyGuides taking almost 10 months to add two tools to a website.

Things turn sour: Stolen cryptocurrency donations

Users appreciated the hosted services and started donating to PrivacyTools.io via OpenCollective and Cryptocurrencies. But funds started to disappear. Upon confrontation, Jonah Aragon confirmed that he withdraw, without any approval, ~3.749.96 USD (0.08252224 BTC). Reason: “Just testing my hardware wallet.”. The hardware wallet turned out be working, but the funds were never returned to PrivacyTools.io.

Transaction: https://bitcoinblockexplorers.com/tx/497d754b3947302de7570d80f30c73b448b14a950b44f2d4ec15e2c8c88a9aee

In this transaction, Jonah Aragon transfers the stolen funds into his publicly known wallet:

• https://bitcoinblockexplorers.com/address/bc1qsx359yppdh6fx67hlcp46d9xs56nvpapzfm86q
• https://web.archive.org/web/20220327163705/https://www.jonaharagon.com/accounts/
• Even years later it's still possible, undoubtedly where these funds went since the Bitcoin address is posted on on jonaharagon.com/accounts. Leading to the trail: "bc1qqtathhjeu0578qfhwe2spnfmc0pjppd7rzcape".

An appropriate reaction at that time would have been to kick him instantly from the project, but I wasn't concerned about money and was happy someone looks after the project. Little did I know that this was just the start of a bigger takeover plan.

The atmosphere turned sour, trust was broken, communication came to an all-time low. Few updates being released on PrivacyTools.io due to the crazy bureaucracy mechanism. What was once fun and exciting turned into a huge machine with slow wheels. A simple privacy tools recommendation website was turned into a shiny rocket science project, that produced self-proclaimed privacy experts. My communication attempts with Jonah turned into one word answers like “yes” and “no”, no discourse and no teamwork. After the trust was broken, it felt like working in a snake pit. I let them be, what could go wrong? Don't want to be near snakes.

Sickness, Sabbatical, Health and BurungHantu Missing in Action

Unfortunatly shortly after the broken trust my health situation worsened and decided to take time off the internet after working behind the screen for over 20y. I took a sabbatical, focused on health, gardening, planting trees and quality family time. Thinking about joining the team chat channel gave me anxiety, and joining pointless GitHub discussions a headache. I’ve stayed away and the gap was filled with power, control, fame hungry individuals. I’ve always wondered why people didn’t take off with the content, ideas and concept I’ve asked them to take with the “ WTFPL V2” Licensing and the Kopimi Symbol.

In fact, Jonah Aragon did attempt this, to quote him: “I wasn’t interested in the direction of privacytools at the time. I was just going to start privacy guides on my own last spring just for fun. the rest of the team asked me to join them again and were a bit more upset about your absence than I’d thought, kind of got this “rebranding” ball rolling. i always just wanted to start fresh, but whatever.“

The Failed Takeover Attempt

Permission was given to copy all my content, the concept, the ideas. It would have not been a fresh start, it was just more convenient to take it all and burn the ground after.

Even though I was absent and still healing, I’ve checked in daily on PrivacyTools.io since I’ve had already mixed feeling and trust was broken. To my surprise, the project was being redirected to a new domain name “privacyguides.org”. My frist thought was: “Oh nice, they’ve finally decided to move on and start something that doesn’t need to involve me. Let me check on reddit what the deal is.” Only to find out that I’ve been removed completely from the moderation team, my user flair “founder” was stripped, removed from the GitHub Organization, removed from the OpenCollective donation platform, the stolen crypto funds came back to mind. Basically barred from everything “PrivacyTools.io” related, even though the team moved onto a new venture and had permission to copy everything. But it was copied and burned.

PrivacyGuides Team Labeled the Takeover a Rebranding

It took me a few hours to realize things are not in order and had to catch up first. Upon entering the chat room I was immediately hit with hostility by a team member, others reacted rather awkward: “Oh, we thought u’ve died of Covid”. Which was a possibility at that time, to be fair. Trying to talk things out and getting to the bottom of why I’ve been completely removed from my own project was met with blaming, shaming, hostility or outright ignoring the issue. At that time I’ve offered to keep even the redirect to the new domain, to support the new venture until I get back up on my feet. That was of course quickly cancelled after realizing that nobody is planning to return any account access back to me that is in any way PrivacyTools.io related. Instead of working out a plan, figuring out how to cooperate in the future etc. The main interest of every PrivacyGuides member was: “Give us more control. We wan’t to buy your domain with the stolen funds. You need to keep the social media services online that we have full control over, but legally run under your domain.”

Still somewhat supportive of my old colleagues I’ve asked for advice on how to configure the subdomains to keep the services alive, how to protect myself from legal threats in case users under my domain using a server I have 0 control over etc. Quickly turned into a political and public relations matter, with a complete prepared storyline and smear campaign. Let me tell you a whole team arguing against a single person is a stressful situation. Without any legal protection and technical support I was forced to shutdown the chat and other social media services, this was later also used to badmouth PrivacyTools.io.

I’ve granted one PrivacyGuides team member access to the @privacytoolsIO Twitter handle in the past that was instantly abused to inform the community that PrivacyTools.io rebranded into a new project PrivacyGuides.

Fabricated Domain Expiration Claim

The main argument at the time was: “We’ve saved the project, since the domain would have expired in a few months and we couldn’t reach you.”. This claim was completely fabricated to create a sense of urgency and make the takeover look like a necessity. But in fact I’ve used the donations to pre pay the hosting account with enough money to renew the domain for at least 20 years. Everything was setup to run without me. GitHub updates were automatically pushed onto the server and team members had full server access, that I didn’t even have. Both server and domain were later used to create a story "how it was impossible to run privacytools.io without BurungHantu" and how they had every right to take everything and burn down to the ground.

Reddit War, Censorship and Public Damage Control

Soon the private communications stopped completely, and the Ministry of Truth on reddit in the user form of “trai_dep” became active and prepared. From this point on it became clear we’re not going to solve anything, now it’s a public blame game, keeping the story straight, staying in power, looking like the good guy even after a hostile takeover. At this point, I am uncertain if trai_dep knew all the dirty little secrets and wrongdoings, but he was hungry to take over a 200,000 user subreddit and succeeded. He used a loophole on reddit, where inactive reddit users can be removed as an admin after 3 months of inactivity. He took the chance. At the same time Jonah Aragon took the chance to make sure PrivacyTools.io can’t recover from the takeover attempt and reserved an additional subreddit that have 0 relations with his new project PrivacyGuides:

https://www.reddit.com/r/privacytools but is being used to redirect traffic.

https://www.reddit.com/r/privacytoolsIO/ is shutdown and purely being used to redirect traffic. All involved parties have refused to return the 200,000 user subreddit to it’s founder who build the community from scratch. This was done to hurt PrivacyTools.io and benefit PrivacyGuides.

I’ve reached out to reddit already, they’re refusing to help out even though the intentions of the actors are clearly flawed. Turns out trai_dep is quiet influential on reddit and moderates several big subreddit, uses English as his first language and is willing to write walls of text for hours for good publicity. Something which I’m unable to do. I've researched new content additions instead.

Eventually, some users realized on their own that things appear to be shady and were confused about the shutdown of the privacytoolsIO subreddit and started to ask questions in this thread:

https://www.reddit.com/r/PrivacyGuides/comments/qk7vn0/a_new_era_why_rptio_is_now_a_restricted_sub_and/

Sadly most comments have been censored by the PrivacyGuides team that didn’t support their version of the story. They were in full control and used every tool available to make this look good. Still worth a read, some are not censored yet.

Takeover of GitHub: Used in Public Relations to Badmouth PrivacyTools

Exact same strategy with the PrivacyTools GitHub Organization: https://github.com/privacytools/privacytools.io

It was taken over, I was completely removed from it. Shutdown to hurt PrivacyTools.io and remarks and redirects set in place to benefit PrivacyGuides. The fact that I’ve lost access to GitHub was later being used by the PrivacyGuides team to badmouth the PrivacyTools.io project. Quote: “You’re not even open source anymore.”. GitHub as well refused to release the account without a legal proceeding.

Removed Project Funding: Used in Public Relations to Badmouth PrivacyTools

PrivacyTools.io was removed from any project funding in benefit of PrivacyGuides.

10,000 USD+ from OpenCollective transferred to PrivacyGuides
3,731 USD Bitcoin Donations (Theft)
3,832 USD Revenue from Brave Browser (Theft)
= 17,563 USD in total

Now my current funding model explained on privacytools.io/donate is being used to revalidate any efforts made for PrivacyTools.io. To give you up a rough idea what amounts we’re talking about: The combined hundreds of hours of work with the current stream of donations and affiliate revenue won’t even come close to a minimum wage. It’s literally for Beer, Coffee and Pizza. And I highly appreciate it, every Pizza PrivacyTools.io buys me, makes me smile and keep going. Now it’s being used to shame me and it’s not working. The narrative is: "We've removed you from your project funding but we're using any attempt to recover from it to discredit your work."

Future Outlook

I am happy. I don’t work in a snake pit anymore. No need for endless discussions. Visitors are at an all time high with daily 10,000 unique visitors. Twitter followers received a huge gain after the relaunch and we’re getting close to 22,000 Followers.

Jonah Aragon should make things right and return accounts and project funding. I am willing to forgive. Fix it and we move on. No more badmouthing of PrivacyTools.io. I am still willing to cooperate and support everyone in the PrivacyGuides Team who was unaware what was going on in the background. The subreddit and GitHub account belongs to PrivacyTools.io and is in absolutely no relation with PrivacyGuides. The privacy community is small enough, we need to stick together, not fuck each other over. Spread the word, spread awareness, keep your heart in the right place. We're doing the right thing.

Believe me when I say I’d have rather used the time to do something more productive for the privacy community, like adding more tools or looking for GitHub Gems, instead of making this post. People deserve to know the truth in the end and hope this was worthwhile. I am just really fed up with having to reply to “I thought PrivacyTools.io rebranded into PrivacyGuides and therefor PrivacyTools.io shouldn’t be trusted anymore.” Here is the full story guys. I am here to stay.

Fuck fame, fuck money, fuck dishonesty. Your BurungHantu, since 2015.

 

Noteworthy User Feedback

"Honestly having come across this multiple times over the last couple months both around reddit and discord this 100% seems like a hostile takeover.