10 Basic Steps to Digital Privacy

I wrote a blog post about basic steps to digital privacy. Techlore regulars may not find much new here, but feel free to share it to someone who will. I hope people find it useful, I’m also open to feedback on the post if you have any.

(Mirrored below at @Jonah’s request)

10 Basic Steps to Digital Privacy

Introduction

Though digital privacy is complex and achieving “complete” or “100%” privacy is virtually impossible, that doesn’t mean there aren’t simple steps you can take to improve. Most people’s digital privacy practices are pretty poor, which may be disheartening, but it also means that there is a lot of low-hanging fruit to be picked from the metaphorical digital privacy tree. Even if you have already put all of the steps I’m about to list into practice, consider sending this blog post to a friend or family member who may not have. And perhaps even digital privacy veterans will find one or two new ideas here. The following steps will go in order of those I consider to be relatively easy to actualize to ones I consider to be relatively difficult, but they should all be accessible to the technological layman. Additionally, this list focuses more on digital privacy than digital security and while the two often go hand-in-hand, your threat model may require you to focus more on security than privacy. Make sure to take your personal needs into account and fact check the information here before blindly following it. That said, I hope you find it useful!

1. Change Your Web Browser

If you’re like most people, statistically, you are using Google Chrome as your primary web browser. On top of the open-source Chromium browser base, Google adds a variety of what can only be described as spyware to track your every move on the web. Every website you visit and likely much more is meticulously logged and recorded by Google so they can use the data to target or “personalize” ads toward you. The good news is that there are plenty of privacy-respecting alternatives to Google Chrome. The two easiest desktop browsers to recommend are the Brave Browser and Mozilla Firefox. Both are miles ahead of Google Chrome in terms of privacy and also very user-friendly. Brave is the more private by default and includes a built-in ad and tracker blocker. However, it also includes the somewhat annoying integration of its BAT cryptocurrency, though this can be disabled. If you want a browser that can just be downloaded and used relatively privately as-is, Brave is not a bad choice. If you’re willing to play with the settings, however, Firefox can become a powerfully private browser (using Arkenfox is a great way to achieve this). There are other private browsers out there as well, though Brave and Firefox are the simplest to recommend as drop-in Chrome alternatives. If you want to look into other options a bit more deeply, this article is not a bad place to start. The mobile browser landscape is a bit more complex than desktop browsers’, but I would still continue to recommend Firefox and Brave as solid, private options for both iOS and Android (they are both certainly a step up from Chrome).

2. Switch Up Your Search Engine

Even though you’ve changed your web browser, you are still, statistically, using Google as your search engine and this needs to change. Google of course records every search you make regardless of whether or not you use their browser. While Chrome’s more private competitors are just as good as (if not better) than Chrome, the same can’t quite be said for private Google search alternatives. While many of them are quite good, none of them are quite as feature-rich and intuitive as Google is, and their search results are often lower quality. Nonetheless, the drop in usability is relatively minor and a worthwhile price to pay for the privacy to be gained. The most commonly recommended private alternative to Google Search is DuckDuckGo, which is not a bad search engine by any means, though its results (mostly sourced from Microsoft’s Bing), are often not quite as good as Google’s. If you want privately proxied Google results, then StartPage is a great option, since they simply pull from Google’s results and pass them on to you without Google’s personalization and tracking, but also without some of Google’s fancier features. Brave Search is also notable for having its own search index (rather than pulling from Google or Bing as Startpage and DuckDuckGo do) and its search results aren’t half-bad, though not quite on par with Google’s. There are other private alternatives as well (the self-hostable Searx certainly deserves a mention), but any of the initial 3 I mentioned should serve just fine as a private Google search alternative. Feel free to try a few and use the one you like most.

3. Use a Password Manager

Using the same, easy-to-remember password for every online account you have is easy, but it’s also a terrible idea. It’s not a matter of if a service you use will get breached, but when (check haveibeenpwned.com to see if your information was already leaked). The most viable solution to this is to use a strong (preferably randomized) and unique password for each of your accounts. The only way to have access to all these different passwords while storing them securely is to use a password manager. A dedicated password manager is far more secure than writing the password down or storing them in a spreadsheet and is even more secure than using the in-browser password manager. There are a lot of password managers out there and using almost any of the well-known ones is better than using the same password everywhere, but the two generally best options are Bitwarden and KeePassXC. Bitwarden is a cloud-based solution and is probably more convenient for most people, while KeePassXC will store your passwords encrypted on your desktop. Both of these password managers also have the ability to generate strong, random passwords for you as well as browser extensions which automatically fill those passwords into the login pages of each website you visit. While transitioning to using a password manager can be difficult at first, it will make your life much easier once you get used to it, and make your online accounts much safer as well! To further secure your online accounts, you may also want to consider adding two-factor authentication to the accounts that support it.

4. Get a Better Messenger

Messages between our friends and family contain some of the most sensitive information about our personal lives, so it is important to choose a private and secure tool for sending and receiving those messages. SMS in an unencrypted protocol and your SMS messages can easily be read by your cell service provider or by a intercepted by a bad actor. Some proprietary messengers, such as WhatsApp and iMessage are end-to-end encrypted by default, which means that only the sender and receiver of a message can read its contents. However, these services can use the metadata of your conversations (such as who you message and when) to build your advertising profile. Additionally, both WhatsApp and iMessage back up all your messages unencrypted to the cloud (either Google Drive or iCloud) by default, undermining much of the privacy provided by their end-to-end encryption. While there are a few options out there for private and secure messengers, the easiest to recommend by far is Signal. Signal’s features are on par with competing messenger apps and its privacy and security are top-notch as well. It’s also free to use. While Signal may not be perfect (it requires a phone number to register and is a centralized service), it is extremely well-vetted in terms of its security and in addition to being end-to-end encrypted by default, stores close to zero metadata on its users. While there are other private messaging options out there like Session and Threema, Signal strikes the best balance between privacy, security, and usability. Usability is far more important for a messenger than it is for a browser or search engine, since not only do you have to be convinced that the privacy and security gains are worth any usability losses, but you have to convince your friends and family too or you won’t have anyone to message with!

5. Minimize and Scrutinize Apps and Browser Extensions

Every program you install on your computer, every app you install on your phone, and every extension you install in your browser is a potential security and privacy risk. These programs, apps, and extensions all have privileged access to your device and a compromised device can undo any progress you have made in your digital privacy by sending your personal data directly to bad actors. Even if the app or extension is not inherently malicious, it can provide an attack surface that can be exploited by malware. A simple step you can take to greatly mitigate this risk is to be very selective when installing computer programs, apps, and extensions. The fewer you have, the lower the chances that one of them will be turned into a backdoor into your device. Many mobile apps and PC programs can be replaced with a progressive web application, which is essentially a browser shortcut icon on your phone or desktop homescreen that can provide much of the same functionality as a fully-fledged application with significantly less of a security risk since it runs through your browser rather than as an independent program. While many browser extensions can be deleted without losing much, you should strongly consider using a tracker-blocking extension like uBlock Origin. For the remaining programs and apps that you do need, consider looking for an open-source alternative to the more likely more popular proprietary options. While open source software isn’t necessarily guaranteed to be any more private and secure, developers who make privacy-friendly software tend to make that software open source so that the source code can be reviewed and shown to be as privacy-friendly as its developers claim. All of the programs that have been suggested in this guide so far, like Firefox and Signal, are open source software!

6. Sign Up for a Privacy-Respecting Email Service

The email protocol is relatively old and not very secure or private by design, but virtually everyone nowadays needs an email address. So while all of your personal and sensitive communications should go through a private and secure messenger like Signal, using a privacy-friendly email provider is still an important step toward digital privacy. Email providers like Gmail can and do read your emails and use their metadata to build your advertising profile. If you’re looking for an in-depth discussion of different privacy-respecting email providers, you should check out my review. In short however, the easiest free, drop-in replacement for Gmail I can recommend is ProtonMail.

7. Eschew IoT Devices

The “internet of things” describes the growing number of household devices that can be connected to the internet. Once upon a time, only desktop computers were able to connect. Then, our cell phones graduated to “smart phones” with internet connectivity. Nowadays, almost every personal and household device has a “smart” version. Smart TVs, smart thermostats, smart watches, smart vacuums, smart beds, smart doorbells, and smart refrigerators, in addition to home media centers, video game consoles, and ebooks, just to name a few. But the internet of things is not good for your privacy. It is an open secret that companies use these devices to spy on their users, gathering more personal data for their advertising profiles. IoT devices often have weak security and can be prime targets for cybercriminals looking to build botnets or gain a foothold in your home network. To top it off, many of these “smart” devices don’t even provide much utility beyond the device’s basic, offline functions anyway. Consider buying devices and gadgets that do not connect to the internet and if you do buy a smart device, consider leaving it offline. If you do require an IoT device, make sure to change any default security credentials and to opt out of any analytics and tracking that you can in the device or account settings.

8. Limit Social Media Usage

Social media is a ubiquitous part of modern life, but in addition to its deleterious effects on mental health, it is also bad for privacy. Social media companies are some of the most privacy-violating and Facebook (which also owns Instagram), is particularly infamous for its invasive data collection from its users. But even if social media companies didn’t so nakedly violate their users’ privacy, most social media sites center around posting your personal information on the public internet and trying to get as many people to see and interact with it as possible! The best advice to prevent this is to simply delete your social media profiles altogether, though this is impractical for many of us for either social or professional reasons. If you do decide to keep your social media accounts, make sure you’re not leaking any more private information than you need to. Consider deleting social media apps from your phone and only accessing the services via your browser (this is good for preventing late-night doomscrolling as well). Go through your accounts’ privacy settings and make sure your information isn’t being shared more widely than it needs to be (checking your account privacy settings is also a good idea for your other privacy-invasive services you may have as well, like Google). Finally, think carefully before posting information or adding information to your social media profiles. Make sure the information really needs to be there and check whether it contains any personal details you would prefer to not be public knowledge. You may also want to consider using social media pseudonymously where possible. While keeping your real-life identity and a social media pseudonym completely disconnected can be quite difficult, that’s no reason to add more personal information about yourself that will show up with a simple internet search of your real name. The Fediverse can also be a good alternative to proprietary social media services since many instances of fediverse platforms are open source and relatively privacy-respecting, but even these upsides don’t change the need to be cautious with what information you post!

9. Change Your DNS Provider and/or Use a VPN

Believe it or not, your ISP is another company that is likely mining your internet activity to sell to data brokers. However, there are some simple steps you can take to mitigate this risk. Firstly, you can change your DNS provider. DNS is the protocol by which domain names (like example.com) are translated to IP addresses, which computers use to connect to other servers. By default, you are likely using your ISP’s default DNS resolver, but you can do better. Go into your internet router’s settings and change the DNS resolver servers to a more private provider like Quad9 or AdGuard. Both of these DNS resolvers block domains associated with malware and AdGuard blocks domains associated with advertisements and tracking as well. In addition to changing your DNS resolver in your router settings, you can also change it in your PC or phone device settings or in your browser settings. This has the advantage of working even when not connected to your home network and can take advantage of encrypted DNS lookup protocols. If you’d like to set up a custom ruleset for your DNS resolver to block any domain you’d like, Adguard can do that for you and so can NextDNS. Of course, hiding your DNS queries from your ISP still allows them to see every IP address you connect to. This can be prevented by using a trustworthy VPN provider. Many VPN providers will claim a variety of benefits that come from using a VPN but these are often exaggerated and the main privacy benefits are (1) hiding the servers you connect to from your ISP and (2) hiding your own IP address from the servers you connect to. Of course, by using a VPN service to achieve these goals, you are simply shifting your trust from your ISP to the VPN provider, so make sure the VPN provider you use is trustworthy! Almost all free VPNs, and even many paid VPNs, are collecting and selling your data. The most-trusted VPN services as of this writing are ProtonVPN, MullVad, and IVPN. There are a few free and trustworthy VPN options, such as ProtonVPN’s free tier, RiseUp VPN, and CalyxVPN, but these often have throttled speeds and as a general rule you should expect to pay for a trustworthy VPN service. Another free option that provides the privacy benefits of a VPN (and a lot more as well) is the Tor Browser. Unlike VPNs, the Tor Browser distributes trust amongst multiple third parties and does its best to allow you to browse the web anonymously. However, your browsing speeds using Tor will be quite slow compared to using a standard web browser with a quality VPN, so it may not always be the best solution.

10. Remove Your Data from People-Search Sites

Believe it or not, there are many sites out there which are designed just to collect information about you and sell it to anyone interested. Creepy, right? Well, luckily many of these sites have the option to opt-out and remove your data from the site, but this is a slow and arduous process by design. The potential upside of removing this (sometimes very invasive) data about yourself from the web is high, but will require significant amounts of either your time or money to achieve, which is why it is the last step on this list. If you’d like to request removal of your information from each of these sites manually, you can find a pretty good guide for doing that here. There are also paid services which will do this grueling task for you like DeleteMe (some other paid services are reviewed in this video).

Conclusion

This is hardly an exhaustive list of steps that can be taken to improve your digital privacy, but the steps that are listed should be relatively accessible to a wide audience and have a large positive impact in proportion to how much effort they require. If you’d like to learn more about how to improve your digital privacy, Privacy Guides is probably the best online resource currently out there, but it’s certainly not the only one! I hope the steps I have listed here will help at least a few people start working toward making their digital lives a bit more private as big tech companies work tirelessly to make sure they are anything but.

6 Likes

6. Sign Up for a Privacy-Respecting Email Service

Add “using simplelogin.io”, as you get that for free with Protonmail. Having a unique mail address for every service is great for privacy as well!
Unless they want your phone number. Fuck every service that wants a phone number.

Other than that, a good (enough) guide. There are a couple of recommendations I disagree with, but generally a good guide.

1 Like

Thanks for the feedback! I was considering making a follow-up post that would include email aliases, but maybe you’re right that it would fit better as part of the email step.

Feel free to share your disagreements as well, I doubt I’ll change anything significant, but I’m still interested in others’ opinions on it.

2 Likes

You’re welcome! I think this is something that doesn’t really impact someone (especially if you use the simplelogin add-on), but adds a lot of privacy.

Oh boy there is a lot.

Browsers: Firefox sadly is not something I would recommend due to missing security (you can read a bit about it here Firefox and Chromium | Madaidan's Insecurities). While Firefox can be used privately and securely, it is much harder than with other browser. I would go so far and say that even some closed source browsers like https://www.epicbrowser.com/ are a better option for your privacy.
You also could add TOR with a usability warning. TOR is not usable for everyone, but can be a decent option.

2. Switch Up Your Search Engine

SearXNG · GitHub based on searx, but with better functionality. Take a look at searxng, might be interesting for you.

3. Use a Password Manager

Cloud based password managers can still be really bad, only use them if you are unable to have any kind of backup.

4. Get a Better Messenger

Really good recommendations.

5. Minimize and Scrutinize Apps and Browser Extensions

Add FOSS alternatives as you mention them below. For example Free office suite for Windows, Linux and macOS | ONLYOFFICE as a replacement for Microsoft Office.

6. Sign Up for a Privacy-Respecting Email Service

Protonmail is a good choice. Also mention the other benefits paid Protonmail has (simplelogin, protondrive, protonVPN).

7. Eschew IoT Devices

Just yes

8. Limit Social Media Usage

Just yes, but add some more private alternatives like Mastodon. Also add replacement applications for e.g. YouTube and in general ways to still access social media, but from an alternative frontend (invidious, nitter and so on)

9. Change Your DNS Provider and/or Use a VPN

Mention that ProtonVPN is included in the monthly $12 proton tier.

10. Remove Your Data from People-Search Sites

Just yes

I would add something like “If you want to discuss this topic more, you can join privacy and security focused forums like https://discuss.techlore.tech

1 Like

Thanks for the in-depth feedback! I won’t be responding to each of your points right now (Firefox v. Chromium has already been discussed quite a bit on this forum lol), but I do appreciate them!

1 Like

Sure, I don’t expect that (especially Chromium vs FF). Feel free to implement whatever you want, or to just ignore them.

1 Like

Thanks for posting this! This looks like good advice for beginners at a first read through.

Would you consider pasting the post below the link in the OP to mirror it here by any chance? Not against linking to your site, but we prefer posts written on here over (or in addition to) external links in terms of long-term preservation :slight_smile:

1 Like

Sure, I’ll edit the post shortly.

2 Likes

Now this is something that can help beginners big time.
Thanks for making this, I’m sure they will atleast be able to understand this rather than being left in the dark or feeling overwhelmed and just giving up :grin:

2 Likes

Are there any downsides to using a DNS Provider? And changing the DNS Provider in our router settings? Thank you for this guide!!

1 Like

You have to trust the DNS resolver, since they can see all of your DNS requests. But if they are trustworthy, I can’t think of any downsides to changing the provider in your router settings. It just depends on who the default DNS provider is vs. who you’re changing to. Different DNS resolvers can have different lookup speeds as well based on a variety of factors, but for most people the speed difference between major DNS services should be negligible. You can find more info on different resolvers here: DNS Resolvers - Privacy Guides

1 Like

It says on their website

Encrypted DNS with third-party servers should only be used to get around basic DNS blocking when you can be sure there won’t be any consequences. Encrypted DNS will not help you hide any of your browsing activity.

I don’t need to get around DNS blocking. Is it still worth it to use encrypted DNS?

1 Like

I found that disclaimer a bit confusing, but I believe all they’re saying is that you shouldn’t rely on encrypted DNS to circumvent content restrictions implemented by DNS blocking. The concern wouldn’t apply to home networks in countries without heavy censorship. Regardless, changing the IP addresses of the DNS resolvers in your router settings isn’t encrypted DNS.

1 Like

I think it says the opposite actually, that using encrypted DNS alone is only useful for circumventing content restrictions implemented by DNS blocking.

This is because even if you use encrypted DNS, your ISP still sees the IP of the website you are visiting (as you noted), and they still see the domain of the website you are visiting even with HTTPS because of SNI (encrypted SNI fixes this, but it is not widely used yet, and it still doesn’t fix the IP issue of course).

Therefore, the disclaimer is saying that if you want privacy from your ISP, you must use a VPN (or Tor, etc.), you cannot use encrypted DNS alone.

1 Like

Suggestion: Warn users against using E2EE services as a webapp or in a web browser.

Session does not support PFS so the issues that come with using something insecure like OpenPGP applies to it so I would recommend removing it altogether as users have a general tendency to be “extremists” (no ph. no. requirement) without analyzing a lot of underlying stuff.

Recommend users against turning on too many filter lists as this may be a security concern.

Overall a good blog! Keep up the good work!

1 Like

I’m glad you like the blog and thanks for the feedback!

I think the warning about e2ee in PWAs is worth adding. Apps come with some other security advantages too assuming you trust the app publisher. I was more suggesting them for privacy-invasive services, but I didn’t really make that clear enough.

Since I suggest Signal over Session anyway I don’t think I need to delve into PFS and such. I was more just trying to highlight the fact that Signal isn’t the only option out there.

The uBlock Origin recommendation was a one-liner, so I don’t think I’ll delve into how to best use it, though maybe that could be its own post.

1 Like

Because SimpleLogin only gives you 15 aliases in the free plan, if you don’t have the money, (or don’t want them storing it in case of a data breach, etc.) an option would be to create aliases in relation to categories.

For example, one alias could be used as your social media category for companies like Facebook, Twitter, Instagram, etc., and another alias could be your shopping category for companies like Amazon, Target, Best Buy, etc., and so on. You can also use different aliases for multiple identities if you wanted.

Basically, get creative with your aliases! :tada:

1 Like

Doesnt Bing get its results from google nowdays? I swear I read that somewhere

Great read thank you…

Thank you, this post help me a lot as a beginner. :grinning:

1 Like

It’s important to highlight that all of this can be quite overwhelming and you should take a small steps.

What helped me was reading (and start practicing) Digital Minimalism. It goes really nicely hand to hand with privacy.

1 Like