I wrote a blog post about basic steps to digital privacy. Techlore regulars may not find much new here, but feel free to share it to someone who will. I hope people find it useful, I’m also open to feedback on the post if you have any.
(Mirrored below at @Jonah’s request)
Though digital privacy is complex and achieving “complete” or “100%” privacy is virtually impossible, that doesn’t mean there aren’t simple steps you can take to improve. Most people’s digital privacy practices are pretty poor, which may be disheartening, but it also means that there is a lot of low-hanging fruit to be picked from the metaphorical digital privacy tree. Even if you have already put all of the steps I’m about to list into practice, consider sending this blog post to a friend or family member who may not have. And perhaps even digital privacy veterans will find one or two new ideas here. The following steps will go in order of those I consider to be relatively easy to actualize to ones I consider to be relatively difficult, but they should all be accessible to the technological layman. Additionally, this list focuses more on digital privacy than digital security and while the two often go hand-in-hand, your threat model may require you to focus more on security than privacy. Make sure to take your personal needs into account and fact check the information here before blindly following it. That said, I hope you find it useful!
If you’re like most people, statistically, you are using Google Chrome as your primary web browser. On top of the open-source Chromium browser base, Google adds a variety of what can only be described as spyware to track your every move on the web. Every website you visit and likely much more is meticulously logged and recorded by Google so they can use the data to target or “personalize” ads toward you. The good news is that there are plenty of privacy-respecting alternatives to Google Chrome. The two easiest desktop browsers to recommend are the Brave Browser and Mozilla Firefox. Both are miles ahead of Google Chrome in terms of privacy and also very user-friendly. Brave is the more private by default and includes a built-in ad and tracker blocker. However, it also includes the somewhat annoying integration of its BAT cryptocurrency, though this can be disabled. If you want a browser that can just be downloaded and used relatively privately as-is, Brave is not a bad choice. If you’re willing to play with the settings, however, Firefox can become a powerfully private browser (using Arkenfox is a great way to achieve this). There are other private browsers out there as well, though Brave and Firefox are the simplest to recommend as drop-in Chrome alternatives. If you want to look into other options a bit more deeply, this article is not a bad place to start. The mobile browser landscape is a bit more complex than desktop browsers’, but I would still continue to recommend Firefox and Brave as solid, private options for both iOS and Android (they are both certainly a step up from Chrome).
Even though you’ve changed your web browser, you are still, statistically, using Google as your search engine and this needs to change. Google of course records every search you make regardless of whether or not you use their browser. While Chrome’s more private competitors are just as good as (if not better) than Chrome, the same can’t quite be said for private Google search alternatives. While many of them are quite good, none of them are quite as feature-rich and intuitive as Google is, and their search results are often lower quality. Nonetheless, the drop in usability is relatively minor and a worthwhile price to pay for the privacy to be gained. The most commonly recommended private alternative to Google Search is DuckDuckGo, which is not a bad search engine by any means, though its results (mostly sourced from Microsoft’s Bing), are often not quite as good as Google’s. If you want privately proxied Google results, then StartPage is a great option, since they simply pull from Google’s results and pass them on to you without Google’s personalization and tracking, but also without some of Google’s fancier features. Brave Search is also notable for having its own search index (rather than pulling from Google or Bing as Startpage and DuckDuckGo do) and its search results aren’t half-bad, though not quite on par with Google’s. There are other private alternatives as well (the self-hostable Searx certainly deserves a mention), but any of the initial 3 I mentioned should serve just fine as a private Google search alternative. Feel free to try a few and use the one you like most.
Using the same, easy-to-remember password for every online account you have is easy, but it’s also a terrible idea. It’s not a matter of if a service you use will get breached, but when (check haveibeenpwned.com to see if your information was already leaked). The most viable solution to this is to use a strong (preferably randomized) and unique password for each of your accounts. The only way to have access to all these different passwords while storing them securely is to use a password manager. A dedicated password manager is far more secure than writing the password down or storing them in a spreadsheet and is even more secure than using the in-browser password manager. There are a lot of password managers out there and using almost any of the well-known ones is better than using the same password everywhere, but the two generally best options are Bitwarden and KeePassXC. Bitwarden is a cloud-based solution and is probably more convenient for most people, while KeePassXC will store your passwords encrypted on your desktop. Both of these password managers also have the ability to generate strong, random passwords for you as well as browser extensions which automatically fill those passwords into the login pages of each website you visit. While transitioning to using a password manager can be difficult at first, it will make your life much easier once you get used to it, and make your online accounts much safer as well! To further secure your online accounts, you may also want to consider adding two-factor authentication to the accounts that support it.
Messages between our friends and family contain some of the most sensitive information about our personal lives, so it is important to choose a private and secure tool for sending and receiving those messages. SMS in an unencrypted protocol and your SMS messages can easily be read by your cell service provider or by a intercepted by a bad actor. Some proprietary messengers, such as WhatsApp and iMessage are end-to-end encrypted by default, which means that only the sender and receiver of a message can read its contents. However, these services can use the metadata of your conversations (such as who you message and when) to build your advertising profile. Additionally, both WhatsApp and iMessage back up all your messages unencrypted to the cloud (either Google Drive or iCloud) by default, undermining much of the privacy provided by their end-to-end encryption. While there are a few options out there for private and secure messengers, the easiest to recommend by far is Signal. Signal’s features are on par with competing messenger apps and its privacy and security are top-notch as well. It’s also free to use. While Signal may not be perfect (it requires a phone number to register and is a centralized service), it is extremely well-vetted in terms of its security and in addition to being end-to-end encrypted by default, stores close to zero metadata on its users. While there are other private messaging options out there like Session and Threema, Signal strikes the best balance between privacy, security, and usability. Usability is far more important for a messenger than it is for a browser or search engine, since not only do you have to be convinced that the privacy and security gains are worth any usability losses, but you have to convince your friends and family too or you won’t have anyone to message with!
Every program you install on your computer, every app you install on your phone, and every extension you install in your browser is a potential security and privacy risk. These programs, apps, and extensions all have privileged access to your device and a compromised device can undo any progress you have made in your digital privacy by sending your personal data directly to bad actors. Even if the app or extension is not inherently malicious, it can provide an attack surface that can be exploited by malware. A simple step you can take to greatly mitigate this risk is to be very selective when installing computer programs, apps, and extensions. The fewer you have, the lower the chances that one of them will be turned into a backdoor into your device. Many mobile apps and PC programs can be replaced with a progressive web application, which is essentially a browser shortcut icon on your phone or desktop homescreen that can provide much of the same functionality as a fully-fledged application with significantly less of a security risk since it runs through your browser rather than as an independent program. While many browser extensions can be deleted without losing much, you should strongly consider using a tracker-blocking extension like uBlock Origin. For the remaining programs and apps that you do need, consider looking for an open-source alternative to the more likely more popular proprietary options. While open source software isn’t necessarily guaranteed to be any more private and secure, developers who make privacy-friendly software tend to make that software open source so that the source code can be reviewed and shown to be as privacy-friendly as its developers claim. All of the programs that have been suggested in this guide so far, like Firefox and Signal, are open source software!
The email protocol is relatively old and not very secure or private by design, but virtually everyone nowadays needs an email address. So while all of your personal and sensitive communications should go through a private and secure messenger like Signal, using a privacy-friendly email provider is still an important step toward digital privacy. Email providers like Gmail can and do read your emails and use their metadata to build your advertising profile. If you’re looking for an in-depth discussion of different privacy-respecting email providers, you should check out my review. In short however, the easiest free, drop-in replacement for Gmail I can recommend is ProtonMail.
The “internet of things” describes the growing number of household devices that can be connected to the internet. Once upon a time, only desktop computers were able to connect. Then, our cell phones graduated to “smart phones” with internet connectivity. Nowadays, almost every personal and household device has a “smart” version. Smart TVs, smart thermostats, smart watches, smart vacuums, smart beds, smart doorbells, and smart refrigerators, in addition to home media centers, video game consoles, and ebooks, just to name a few. But the internet of things is not good for your privacy. It is an open secret that companies use these devices to spy on their users, gathering more personal data for their advertising profiles. IoT devices often have weak security and can be prime targets for cybercriminals looking to build botnets or gain a foothold in your home network. To top it off, many of these “smart” devices don’t even provide much utility beyond the device’s basic, offline functions anyway. Consider buying devices and gadgets that do not connect to the internet and if you do buy a smart device, consider leaving it offline. If you do require an IoT device, make sure to change any default security credentials and to opt out of any analytics and tracking that you can in the device or account settings.
Social media is a ubiquitous part of modern life, but in addition to its deleterious effects on mental health, it is also bad for privacy. Social media companies are some of the most privacy-violating and Facebook (which also owns Instagram), is particularly infamous for its invasive data collection from its users. But even if social media companies didn’t so nakedly violate their users’ privacy, most social media sites center around posting your personal information on the public internet and trying to get as many people to see and interact with it as possible! The best advice to prevent this is to simply delete your social media profiles altogether, though this is impractical for many of us for either social or professional reasons. If you do decide to keep your social media accounts, make sure you’re not leaking any more private information than you need to. Consider deleting social media apps from your phone and only accessing the services via your browser (this is good for preventing late-night doomscrolling as well). Go through your accounts’ privacy settings and make sure your information isn’t being shared more widely than it needs to be (checking your account privacy settings is also a good idea for your other privacy-invasive services you may have as well, like Google). Finally, think carefully before posting information or adding information to your social media profiles. Make sure the information really needs to be there and check whether it contains any personal details you would prefer to not be public knowledge. You may also want to consider using social media pseudonymously where possible. While keeping your real-life identity and a social media pseudonym completely disconnected can be quite difficult, that’s no reason to add more personal information about yourself that will show up with a simple internet search of your real name. The Fediverse can also be a good alternative to proprietary social media services since many instances of fediverse platforms are open source and relatively privacy-respecting, but even these upsides don’t change the need to be cautious with what information you post!
Believe it or not, your ISP is another company that is likely mining your internet activity to sell to data brokers. However, there are some simple steps you can take to mitigate this risk. Firstly, you can change your DNS provider. DNS is the protocol by which domain names (like example.com) are translated to IP addresses, which computers use to connect to other servers. By default, you are likely using your ISP’s default DNS resolver, but you can do better. Go into your internet router’s settings and change the DNS resolver servers to a more private provider like Quad9 or AdGuard. Both of these DNS resolvers block domains associated with malware and AdGuard blocks domains associated with advertisements and tracking as well. In addition to changing your DNS resolver in your router settings, you can also change it in your PC or phone device settings or in your browser settings. This has the advantage of working even when not connected to your home network and can take advantage of encrypted DNS lookup protocols. If you’d like to set up a custom ruleset for your DNS resolver to block any domain you’d like, Adguard can do that for you and so can NextDNS. Of course, hiding your DNS queries from your ISP still allows them to see every IP address you connect to. This can be prevented by using a trustworthy VPN provider. Many VPN providers will claim a variety of benefits that come from using a VPN but these are often exaggerated and the main privacy benefits are (1) hiding the servers you connect to from your ISP and (2) hiding your own IP address from the servers you connect to. Of course, by using a VPN service to achieve these goals, you are simply shifting your trust from your ISP to the VPN provider, so make sure the VPN provider you use is trustworthy! Almost all free VPNs, and even many paid VPNs, are collecting and selling your data. The most-trusted VPN services as of this writing are ProtonVPN, MullVad, and IVPN. There are a few free and trustworthy VPN options, such as ProtonVPN’s free tier, RiseUp VPN, and CalyxVPN, but these often have throttled speeds and as a general rule you should expect to pay for a trustworthy VPN service. Another free option that provides the privacy benefits of a VPN (and a lot more as well) is the Tor Browser. Unlike VPNs, the Tor Browser distributes trust amongst multiple third parties and does its best to allow you to browse the web anonymously. However, your browsing speeds using Tor will be quite slow compared to using a standard web browser with a quality VPN, so it may not always be the best solution.
Believe it or not, there are many sites out there which are designed just to collect information about you and sell it to anyone interested. Creepy, right? Well, luckily many of these sites have the option to opt-out and remove your data from the site, but this is a slow and arduous process by design. The potential upside of removing this (sometimes very invasive) data about yourself from the web is high, but will require significant amounts of either your time or money to achieve, which is why it is the last step on this list. If you’d like to request removal of your information from each of these sites manually, you can find a pretty good guide for doing that here. There are also paid services which will do this grueling task for you like DeleteMe (some other paid services are reviewed in this video).
This is hardly an exhaustive list of steps that can be taken to improve your digital privacy, but the steps that are listed should be relatively accessible to a wide audience and have a large positive impact in proportion to how much effort they require. If you’d like to learn more about how to improve your digital privacy, Privacy Guides is probably the best online resource currently out there, but it’s certainly not the only one! I hope the steps I have listed here will help at least a few people start working toward making their digital lives a bit more private as big tech companies work tirelessly to make sure they are anything but.