Privacy is a basic human right, often protected and ensured in the physical world, which has been a reality for the entirety of human existence. However, in the new digital world, privacy is seldom secured, and companies, governments, and other people often overextend their powers to the detriment of individual rights which get left behind as the differences between physical and online privacy encourage illegitimate data harvesting.
In the previous article, you learned about the importance of privacy. This document discusses actions you can take to regain some of your online privacy. It highlights steps you can take today to diminish the footprint you leave online and reduce the overall risk of falling victim to online doxxing, stalking, coercion, and other undesirable consequences of carelessly browsing the internet.
It is important to note that perfect privacy is not practical. Aiming for the perfect setup, one that would allow you to be a true ghost on the internet and unreachable by global, skillful entities with unlimited resources, would require an incredible amount of daily work, effort, and time to achieve –– if it's possible at all. Additionally, striving for the perfect setup will most likely freeze you or lead you to despair once you realize you haven't reached it after countless dedication. So, remember: perfection is the enemy of good.
You have plenty of options regarding what to use for your online activities, but perhaps the most important aspect is how you use it. Details of specific hardware and software you will need to use for your new identity are discussed in 3.1: Technical Choices for a New Identity, but here we will focus on what behavioral changes you can start performing right away.
For every problem or issue you face, you also face decisions. Often, those decisions are enacted by taking into consideration the tradeoffs between ease of use and the consequences. In digital systems, people often turn to the most convenient solution possible, pushed by the "technology was created to make our lives easier" narrative whilst completely ignoring the unintended side effects and the risks associated with each technological choice.
Here, we propose best practices that will allow you to regain some of your online privacy. Some of these will require you to lose some convenience, but the benefits gained as a result should be worth the extra effort. Remember that these aren't a one-time thing; rather, you'll need to make these a habit.
The tips shared in this document should be practiced and done by everyone who uses the internet, regardless or their threat model. In that sense, a more advanced setup and specific habits will be discussed in Section Three, for your new identity. Until then, take note of and perform the below to start reclaiming your online privacy now.
Every time you choose to sign up for an online service or company or to download an app, you should think about the potential consequences of that decision. For instance, you should consider what the data collection policies of such app or service is, how hard it is to delete your account and its information, and whether you have other alternatives.
Generally, opt for free and open source software whenever possible. Although such tools will often not be as easy to use as proprietary software, you often gain in privacy.
Proprietary software is literally a black box, and so you don't actually know what it is doing with your data when you use it. They do have privacy policies and terms and conditions, however, you will need to believe them. With FOSS, you can check for yourself.
- This wiki privacy guide provides a nice list of alternative solutions for "de-Googling" you life. (One easy thing you can do right off the bat is to use DuckDuckGo instead of Google.)
- Be sure to reference privacytools.io whenever you need a new software solution for a certain use case (they also have an onion website).
Small choices can go a long way!
Technology is great, and it can indeed improve your life for the better. However, it is important you keep only the apps you truly need on a regular basis on your devices. Unused apps, which you most likely don't update as often as the ones you use regularly, can introduce an attack vector to your tech gear that you'd want to avoid. In this sense, digital minimalism, a term I first heard from Techlore is a low-effort, high-benefit standard to live by. Here are two techniques you can use to practice and achieve that standard.
Every new device, including a computer or smartphone, comes with default software already installed out of the box. Evaluating which ones you must keep versus the ones you can safely delete without compromising the functioning of the system can go a long way. Bloatware can compromise the performance, security, and privacy of that system –– and thus yours too.
Perform a deliberate scan of all the default apps and programs installed in each of your devices (computer, smartphone, TV, smartwatch, etc.), asking yourself, for each app, "Do I really need this installed? Would the functioning of my device be impaired if I uninstalled it?". For the most part, you will be able to delete just fine. As a rule of thumb, especially for smartphones, if the device truly needs a certain default app installed to function properly, it won't allow you to uninstall it. In any case, if you're in doubt, you can search it online and see if a given app can be removed safely.
The idea is similar to the bloatware case, but here you are the one keeping unnecessary apps and programs you don't really use anymore. Make a habit of regularly evaluating the many applications you have installed in your system and see if you still need them installed. The greater the number of applications, the greater the attack surface and the bigger the system's vulnerability. You are better off uninstalling a certain app and installing it again when you need it than just keeping it around. Only keep the bare minimum of applications that you need. And while you're at it, you can also remove unused files.
The process is the same as above; scan your devices entirely and ask yourself if you truly need a given app. Do that for all the applications and programs installed in your devices. You'll most likely want to repeat this a few times over the course of a week or more, spacing them out, in case you forget some apps or just get tired. In any case, make this a habit!
Although not a complete and flawless solution that fits every circumstance, resetting your devices can be a good idea if they have become too bloated, or if you think they have been compromised by software, or if you just want to start anew. Doing it regularly can be even better. Just don't assume that if you're doing this you don't need to perform the other steps in this section; they complement each other.
Although privacy and security aren't the same thing, they complement each other. Having a basic mindset in technological security can go a long way in preserving your privacy (by helping safeguard your information) and protecting your assets. Here are a few basic but essential habits for increasing your digital security.
You should always be skeptical of any link you receive online. Of course, the level of skepticism will depend on the medium that link is sent through, for instance, a link received in an email from an account you don't recognize should ring all the alarm bells, but one received from a close friend in your regular messaging app most likely shouldn't.
However, a good rule of thumb is: if a link includes a sense or urgency, do not click on it. Moreover, if a link promises or advertises something that seems too good to be true, it most probably is, so do not click on it. Similarly, don't click on links offering free products or services.
The importance of scrutinizing links and thinking carefully before clicking on them is because they are an attack vector easy to be used and leveraged by nefarious entities. Hackers can email you a link that, if clicked on, would give them full access to your device – and you wouldn't even realize it. One link received in WhatsApp was all it took for an attacker to obtain full access to Jeff Bezos' smartphone, for instance.
Everytime you receive a message with a link, be aware. The following best practices will help you safeguard from becoming a victim of an attack:
- Check the website without clicking on the link. Type it out on a web browser and see if the website is legit. Scrutinize the link to make sure it is pointing to where it should be. Some phishing sites use similarly-looking characters to fool you into thinking it's a legit site, so also check for those by reading the link thoroughly and carefully.
- If the link is a shortened URL, such as bit.ly, use a URL expander service such as URL Expander or Expand URL to see what the full link looks like.
- If the link came from someone you know but it looks suspicious (free services, sense or urgency, or too good to be true), consider giving that person a call to confirm veracity.
Most importantly - if in doubt, don't click!
Some think Virtual Private Networks (VPNs) are the holy grail of privacy or anonymity, but that is not the case. VPNs are better for security when using public Wi-Fi networks, because they make sure all your network traffic gets tunneled through encrypted channels. You also get a new public-facing IP address, so that would give you some privacy from your internet service provider (ISP). Apart from that, a VPN will also let you circumvent blocked content in your location and access content that can only be reached from other places. Just don't expect using a VPN will make you anonymous!
Overall, there are some advantages to using a good VPN. However, there are also negative aspects. By using a VPN you're trusting that company not to snoop on your traffic or keep logs of it, and a bad VPN would do just that –– spy on your network traffic and keep logs to sell it out or hand it over at a whim. For that reason, never use a VPN that keeps logs, and choose one that has been audited by a third party.
Additionally, it might be helpful to use a VPN service that does not require extensive information for account setup and that you can pay for with Bitcoin. This would grant you some anonymity - or at least pseudoanonymity. Mullvad is a good choice for all the above reasons, and they have an onion website too.
The proper steps you need to take to subscribe to a good VPN securely and privately will be discussed in Section Three, so you might want to wait until you get there to get it sorted out. But you might want to have a VPN for your real-world identity too, in which case you can start getting right away. Just be sure to use a different option than Mullvad, because that will be used for the identity you'll be creating later on. (A good alternate VPN is ProtonVPN. Check it out and see if it fits your real-world identity needs.)
Your internet browser is your bridge to the online world. It can reveal a great deal of information about you and can easily become an attack vector if it's used on the default configurations and you're careless. So you should carefuly consider which one to use, how to use it, and when to use it.
"Hardening" is a process of increasing the security of your internet browser by tweaking some configurations. There are plenty of hardening guides online and different people prefer different browsers. I like Firefox because it is open-source and flexible for great customization.
Here's a good Firefox hardening guide, and here's another one.
Proceed with caution though and just harden it as much as you need; things can break otherwise. If some websites you visit frequently stopped working as intended after hardening your browser, consider using separate browsers for different types of tasks. Again, you might need to determine how far you want to go.
Your threat model, which you will develop in Section Two, will help you think how much you'll need to harden your browser. Well, you might even need to use a different browser altogether! In any case, feel free to experiment with hardening a Firefox browser from scratch now, because you might use it for your real-world identity, increasing its security.
The Tor Browser is a hardened version of the Firefox Browser that also connects to the Tor network for increased privacy and anonymity. It enforces good best practices as a default, and is a great option for increasing your level of security and privacy online.
The Tor Browser is a good, easy solution you can embark on right away, but it is not a fix-everything solution. It. As you progress in your journey to online anonymity or privacy, the Tor Browser may become the smallest part of your setup, but until then, it can be a significant step up in your current habits.
Dedicate Tor Browser usage to sensitive online searches, advocacy use cases, or other activities that require greater privacy and security from your end. That alone can provide a compartmentalization that you can start performing right now, with zero time and effort requirements and without needing to purchase additional hardware. But beware that your Internet Service Provider (ISP) will be able to know that you're using the Tor anonymity network, and that alone can be undesired in many places: it is often looked at as suspicious even if no bad acting is being done. So, for greater privacy benefits, connect to your VPN first, then Tor. If you face Tor censorship instead, you might need to use Tor Bridges.
Software updates exist for a reason. Yes, they do often introduce nice and cool new features, but more importantly, they fix bugs. Every software has some kind of a bug, and updates fix them; this is how it works. So make sure you're keeping up with your devices' software updates. Some will give you the option to enable autoupdates, turn that on where possible.
This one might be a bit harder, but there are some steps you can take to diminish the risk of having your device be compromised through physical access. You can, for instance, make sure you don't lose sight of it when on risky environments. That is to say that maybe losing sight of your phone while at home likely won't incur high risk, but leaving it in your hotel room while you go for a jog could pose a more serious threat.
So analyze and think what would consist threatening situations and hug that phone if you need to. One note on physical access, which is something this guide will cover in the next section: if you ever find yourself walking into risky places or situations, either don't bring your phone with you (you can take a burner phone instead) or turn it off. When you turn your phone off, its encryption keys are evicted from memory, increasing the security of your data (at least marginally). And when leaving your device unattended, you can put it in a temper bag, or a Faraday bag, or both. Again, analyze and think how far you need to go in your specific case.
Compartmentalization is a low-effort practice that can go a long way in helping you increase your online privacy. People using the Tor network, for instance, can get de-anonymized by an observer entity through behavioral patterns and cross-links between different activities. Always strive to achieve the highest level of compartmentalization in your digital life, based on use case.
You can ramp up your privacy from online companies and data centers through email compartmentalization. It will separate your behavior, allowing you to use a different email address for every service you sign up to or every activity you conduct. Simple Login is one such provider. But note that for an advanced threat model, you would be better off not trusting a third party company and using the Tor Browser to manually create new email addresses for each use case. That would require greater effort and time, but would also yield greater privacy.
Similar to email addresses, you also can (and should) use one phone number with each activity, identity, or use case you conduct. For a simpler threat model, a service such as the one provided by MySudo can go a long way. For a riskier set of threats in a more advanced threat model, you would need greater time and dedication; you would need to physically purchase a new SIM card, with cash and without revealing your identity if possible, for each identity or use case. A middle ground would be to use VoIP numbers.
Another piece of information about you that you can compartmentalize online is credit/debit card information. You can use a company like Privacy.com to generate card aliases for each purchase, store, service, or use case. Again, doing it by yourself is always better, although in this case slightly more complicated.
It can be unrealistic in most places and countries to open a bank account or get a payment card with your pseudonymous identity, for example. Even though you can purchase prepaid debit cards in a local pharmacy in places like the U.S., personably identifiable information (PII) is more often than not required, undermining your privacy. A realistic alternative to the third party service here is to use "clean" bitcoin for purchases; and if the store itself doesn't support it, you can use a platform such as Bitrefill to buy gift cards with BTC.
Software separation is good, but physical separation is better. If you have two identities, or two different roles or jobs which you wouldn't like getting mixed or doxxed, consider having separate devices for each. If you also keep them physically separate themselves, that's a bonus, because if one phone gets compromised and becomes a wiretap and tracking device, information in the other device will likely be safe. Evaluate if you could benefit from having multiple devices and go down that route if so. And just so that doesn't incur a high investment, you don't need a flagship device most of the times. Also –– if you end up using two separate phones for two different uses, get two different VPNs, one for each; compartmentalize that as well.
Privacy is a rare commodity these days, but you can start reclaiming yours with the habits and tips shared in this document.
For dissidents, human rights activists under totalitarian regimes, or other people on critical situations: the above tools might just not suffice. With that threat model, you would need to go at greater lengths for increasing your privacy or even strive for complete anonymity. Nonetheless, everyone can benefit from even the smallest steps; how far you go will depend on your threat model.
In the next sections you'll be figuring out what your threat model looks like, as well as taking actions to enforce it. But if you're curious and would like to research a bit more, some good resources, complementary to this guide, for determining digital security and privacy needs and actionable steps are the EFF Surveillance Self-Defense and Front Line Defenders: Security-in-a-Box guides.
Now that you have taken basic steps to start reclaiming your online privacy, move on to Define Your Threat Model.