Phunky Cafe

Privacy and Security Tips for the Average Person

My friend recently asked me for recommendations on improving their privacy and security online - particularly relating to the current U.S. administration and its frequent abuse of powers. I started writing up my recommendations, but it got so long that I decided it deserves its own blog post.

In this, I cover tips and tricks for a wide range of threat models (that's fancy speak for who or what you're trying to protect yourself from). While not every strategy is as effective for every individual's threat model, they are all worthwhile. Do not let perfection be the enemy of progress. Privacy is not a binary thing you do or do not have - it is a nuanced spectrum and an ongoing battle.

Note: I am working on a cleaner, less overwhelming, and more thorough resource for this kind of information. I will update this post and make another one when I feel that it is in a presentable enough spot for people to use it.

This post is rather long, with a lot of information and recommendations. You do not need to change all of these things at once. In fact, you shouldn't, as that could lead to feeling overwhelmed, burning out, and giving up. Instead, take it slow. Maybe pick one or two things, read them, and try them out for a week or two. If it sticks, great. If not, no worries! You can come back, pick another one or two, and try those. The crucial thing is to go at your own pace and your own comfort level. I am also available at phil at phunky dot cafe, and am happy to answer questions!

Note that I do recommend several products and services here. I am in no way affiliated with any of them. I am simply a security nerd with strong opinions on software and privacy.

A note to the tech-savvy and already privacy-conscious: This blog post is primarily meant as a collection of tips for those who are looking for quick, easy ways to improve the privacy of their digital life. There are absolutely more alternatives to every option I mention here. My goal is to give the reader a good place to start from. They can continue their own privacy/security journey from there. By all means, please email me at phil at phunky dot cafe if you are a turbo-nerd like me and have further suggestions, comments, or thoughts. I'm always happy to talk!

In short: If you know how to exit Vim (or even what Vim is), this is probably not the advice for you ;).

Low Effort Changes

These are changes that should be somewhat easy to wrap your brain around, take from a few minutes up to a half hour to do, and won't interrupt your day-to-day workflow too much.

Low Effort

You know how websites nowadays always give that "agree to cookies" popup? Most of us don't think twice about it, just selecting the prominent "I agree" button and moving on with our day. Don't do that. At risk of sounding like a tinfoil hat weirdo, that's what they want you to do!

You've likely heard a lot about cookies, but what actually are they? Cookies are small pieces of text stored by a website in your browser. They are invaluable tools for web developers, allowing them to store things like your settings and preferences for a website, such as whether you have dark or light mode enabled and validation that you are logged into your account. However, they also allow websites to track you and your activity across the web. They can store a unique, randomly-generated piece of text as a cookie on your device, making it easy to identify you when you revisit their website. Additionally, a lot of websites use third-party services from Google and Facebook like ads and analytics, allowing them to store cookies of their own in your browser. Google Analytics was used by 73.7% of the top 10,000 most visited websites in 2022, making it trivial for them to track your activity across the internet, even if you think you're avoiding Google.

It is worth the effort to disagree with cookie pop-ups. Instead of immediately clicking "accept", select "reject all", "customize", or "more information". They make the "agree" button large and easy to select on purpose, while the "reject" options will often be in smaller text or hidden under submenus, in hopes that you don't see it. A lot of these opt-outs also opt you out of the sale of your personal information, as well as interaction and browsing data. Some of them even tell you how many third parties they share your browsing data with. The highest number I've seen was over 800 third parties. Yikes.

Be sure to read the wording too, as websites will oftentimes change the wording to flip what the checkbox does. For example, "I agree to the sale of my personal data" would mean that a disabled checkbox keeps your data private, but "Opt out of the sale of my personal data" would mean that an enabled checkbox keeps your data private. They do everything they can to trick you, so always think twice about the phrasing, and let that scummy, disrespectful behavior fuel your fire.

Remember: If a site has a popup that is easy to accept, but challenging to refuse, always remember that it was a choice on their end. Say it with me now: corporations do not care about consent. If informed user consent is a threat to your business model, your business should not exist. "We take your privacy seriously" is marketing B.S. 9 times out of 10.

Pro tip: While websites have other methods of identifying and tracking you, it doesn't hurt to clear your cookies from time to time, doing at least some damage to Google, Facebook, and other companies' profile on you. Here is how to do it in Vivaldi, the browser recommended later in this blog post, and here is how to do it in Chrome.
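How one third-party cookie links your visits across unrelated sites, and what clearing cookies changes, as an added example that is not part of the original post. The Browser and Tracker classes, the block_third_party setting, and the .example site names are a constructed model, not any real browser's or analytics vendor's code.

```python
import secrets
from collections import defaultdict


class Tracker:
    """A third-party analytics server embedded on many sites (constructed model)."""

    def __init__(self):
        self.profiles = defaultdict(list)  # uid -> sites where this uid was seen

    def handle(self, referer, cookies):
        """Log the page that embedded us; return any cookies to set."""
        uid = cookies.get("uid")
        to_set = {}
        if uid is None:
            # First contact: mint a random identifier and ask the browser to keep it.
            uid = secrets.token_hex(8)
            to_set = {"uid": uid}
        self.profiles[uid].append(referer)
        return to_set


class Browser:
    """Minimal cookie jar: cookies are stored per domain that set them."""

    def __init__(self, block_third_party=False):
        self.jar = {}  # domain -> {cookie name: value}
        self.block_third_party = block_third_party  # hypothetical setting

    def visit(self, site, embedded, servers):
        """Load `site`, which pulls in resources from each host in `embedded`."""
        for host in embedded:
            blocked = self.block_third_party and host != site
            # The browser attaches whatever cookies `host` set earlier,
            # no matter which site is embedding it this time.
            sent = {} if blocked else dict(self.jar.get(host, {}))
            to_set = servers[host].handle(referer=site, cookies=sent)
            if not blocked:
                self.jar.setdefault(host, {}).update(to_set)

    def clear_cookies(self):
        self.jar.clear()


# Constructed sample browsing history.
SITES = ["news.example", "shop.example", "health.example"]


def browse(browser, tracker, sites):
    """Visit each site (all embed the same tracker); return the tracker's profiles."""
    servers = {"analytics.example": tracker}
    for site in sites:
        browser.visit(site, ["analytics.example"], servers)
    return list(tracker.profiles.values())


if __name__ == "__main__":
    tracker, browser = Tracker(), Browser()
    print("one identifier, three sites:", browse(browser, tracker, SITES))
    browser.clear_cookies()
    print("after clearing cookies:", browse(browser, tracker, ["shop.example"]))
    print("third-party cookies blocked:",
          browse(Browser(block_third_party=True), Tracker(), SITES))
```

Clearing cookies does not erase the old profile on the tracker's side; it only stops new visits from being added to it.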

Tell Data Brokers to Screw Off

Low Effort

Recommendation: Easy Opt Outs

Quick definition: Data brokers are companies who exist solely to track your every move and sell it to the highest bidder. "Data" is incredibly broad, so some tangible examples include your name, current and previous home address, employment history, social security number, who your friends and family are, your interests, and even your exact location history, to name a small subset of the information they can collect about you.

They acquire this information from public records like deeds and marriage certificates, but also by buying it from social media companies, mobile games, banks, and pretty much anyone else that will sell it to them. Quite literally anyone can buy this data - including potential stalkers. The U.S. government frequently buys personal information from data brokers as a loophole to spy on U.S. citizens, bypassing our fourth amendment rights.

Use a data removal service like Easy Opt Outs to remove you from data broker websites. It's only $20/yr and removes your information from more sites on a regular basis than DeleteMe (and likely Incogni) claim in their marketing.

DeleteMe boasts "850+ Data Brokers", but the standard plan only regularly removes you from 85. Easy Opt Outs, on the other hand, regularly removes you from 136 data brokers for a fraction of the price.

Incogni appears better on the surface with 428 data brokers supported in the U.S. However, their over-hyped marketing and scammy "sales" give the vibe that they wouldn't be above counting duplicate sites for the same data sources (something Easy Opt Outs specifically mentions that they don't do).

Easy Opt Outs is also run by 2 friends instead of a corporation or a startup with outside investment, meaning more incentive to do right by their customers and less pressure to continue "making line go up".

These services have the added benefit of removing your phone number from people search sites, meaning far fewer spam calls!

Think Before You App

Low Effort

Companies offer rewards and coupons for installing their app because you are significantly more likely to spend extra money on them that you wouldn't otherwise spend. Plus, they can show you ads in the app that are harder to block than ads on the web. They can track your activity in the background, sending well-timed notifications when they think you're hungry, or making some extra cash by selling access to your information to the highest bidder.

The next time you go to install a new app or find a fun mobile game to keep you busy, take a look at their privacy practices beforehand. Scrolling down on the app's listing in the App Store or Google Play store will show a short, easy to comprehend cheat sheet of the app's privacy practices. Try to use apps with shorter lists of permissions and data usage, as that minimizes your digital footprint.

For example, the location-sharing app Life360 - popular with parents keeping tabs on their children - was caught selling precise location data on its users. Yikes!

In the same vein, if an app has a website you can use instead, try that first. A lot of banking apps are essentially the same as their website, just in app form. Similarly, a lot of restaurant rewards apps have web versions you can use instead too. If they try to redirect you to download their app instead, try using the "request desktop site" option in your web browser.

App Clutter

Low Effort

Uninstall apps that you don’t really need and apps that have a website alternative that you can use just as easily. Many of them are phoning home to entirely unregulated data brokers, as mentioned above. For example, accessing your bank accounts through the website on mobile can give your credit card company less insight into your day-to-day life, as the app won't be installed and running in the background. Using YouTube and Instagram via the web browser instead of the app can also reduce mindless scrolling and data collection.

Messaging

Low Effort

Recommendation: Signal

See the glossary entry for definitions of encryption and open source at the bottom of this page.

Signal is a free, open source, non-profit-backed messaging and calling app. It is entirely end-to-end encrypted and is very similar to WhatsApp (fun fact, WhatsApp was originally based on Signal!), except with none of Zuckerberg's creepy data collection. It is the gold standard in the cybersecurity community and collects zero information on its users by design. All messages, contacts, and metadata are end-to-end encrypted so that even Signal themselves cannot see them.

Use Signal for as much of your communication as you can, whether you feel like the conversation demands it or not. If you establish a pattern of using it like a normal messaging app, then it would become less suspicious when you do have to have a conversation that demands that level of privacy and security.

The people you message will also need to be using Signal. Ask your friends and family if they'd be willing to move their conversations with you over to Signal. Especially given everything going on in the U.S. right now, it's a great tool to have.

Be Mindful

Low Effort

Be mindful of incentives and sustainability. Actions speak louder than words, so ignore what an app, service, or company tells you, and focus instead on what they do - or what they are incentivized to do. Always remember: if something is free, you are the product. Or, in the case of startups with VC funding, you will become the product eventually. Selling user data is always an option for them. Once you give your personal information and activity to a company, it's extremely challenging (or flat out impossible) to take it away from them.

A good example of this is BeReal. They were a startup taking millions in VC funding with no clear path to monetization. When the investors come looking to get their money back, BeReal is heavily incentivized to use your contacts list, location, and photos for ad personalization, or selling it to the highest bidder. And if it's not BeReal, it could be whoever acquires them in the future.

Use a Pseudonym

Low Effort

The next time you're ordering food for pickup, or making a reservation for dinner, why not use a fake name? It's fun (you can feel like a spy!), takes no extra time or effort, and makes it that much more annoying for data brokers and invasive ad agencies to keep track of your activity.

Enable Advanced Data Protection for iCloud

Low Effort

By default, Apple does not encrypt your iCloud data, meaning they can see everything you store in iCloud. This includes phone backups, photos, message history, and so on. Advanced Data Protection enables end-to-end encryption for your iCloud data, meaning even Apple themselves cannot see it.

Warning: Because ADP end-to-end encrypts your data (see the glossary definition below for a refresher on what that means), you are the only one who can access it. If you lose or forget your Apple account password, Apple cannot help you recover your iCloud data (pictures, messages, etc.).

To recover in such a case, you can set up a recovery key; you can think of it like a backup password in case of emergency. This should be stored securely, ideally in your password manager and written on a physical piece of paper stored somewhere safe. You can also set up recovery contacts. These are friends or family whom you trust that can also help you get access to your account if you lose or forget your password and cannot use your recovery key.

Medium Effort Changes

These are changes that can take more time to set up (roughly 30-60 minutes), or may require an adjustment period in your day-to-day workflow.

Use a Password Manager

Medium Effort

Recommended product or service: Bitwarden

Use a password manager! I use and recommend Bitwarden to everyone. They have a generous free tier, and pro is only $10/yr. Set a strong master password, then use their password generator so each site is unique and strong. Your password is far more likely to be stolen from an individual website than a properly-secured password manager. Plus, Bitwarden is open source, meaning its code can be validated by anyone as safe and secure.

All major password managers also allow you to export your password vault to a spreadsheet file (a .csv file). I would recommend exporting your password vault every once in a while and storing it on a flash drive somewhere safe. If the password manager service ever disappears overnight, you'll be able to upload your passwords to a new provider and continue on your merry way.

Note: Ensure that your password manager is secured with a strong master password and MFA (as described in the following section). Your master password and MFA codes should be stored safely elsewhere, preferably on a piece of paper or a flash drive in a fireproof safe. Password managers are the keys to your entire digital life. Treat them as such. You cannot be too careful.

Use Two-Factor Authentication

Medium Effort

Recommendations: Bitwarden, 2FAS Auth, Ente Auth

Passwords get stolen all the time, meaning hackers can log in to your account simply by knowing your username and password. Two-factor authentication (also known as 2FA or MFA for Multi-Factor Authentication) adds a second layer of security in case your password gets stolen. You have probably encountered this by having a six-digit code texted or emailed to you before you are able to log in somewhere. This is why.

You've probably also seen those six-digit codes before that change every thirty seconds, likely using an app like Google or Microsoft Authenticator. This is a protocol called TOTP (Time-based One-Time Password). These codes are generated on your phone, meaning hackers cannot intercept an email or a text to steal the code from you, making it even more secure.

You should use MFA everywhere that offers it. It vastly improves your security, as a leaked password alone is no longer enough. App-based MFA (this is almost always a reference to TOTP, as described above) should be used first and foremost. If a site or service does not offer it, email is the next most secure option. Text or SMS-based MFA, while better than no MFA, is much easier for hackers to steal than the other options.

As for apps, Bitwarden - the password manager recommended above - also allows you to store TOTP codes. This makes it incredibly convenient, as your credentials are all stored in one place, synced across your devices, and can be easily autofilled. Other trusted options include 2FAS and Ente Auth, all of which have end-to-end encrypted cloud syncing in one way or another. This is important, as it ensures that you keep access to your online accounts, even if your phone gets thrown into a lake. They all also have the ability to easily export your TOTP codes, ensuring that you can migrate to a different app with as little effort as possible if the need arises.

Note: A lot of people recommend against storing your MFA codes in your password manager for reasons beyond the scope of this blog post. In my opinion however, as long as your password manager is properly secured (via a strong master password and MFA), then I firmly believe that the risk is minimal.

The Difference Between a Browser and a Search Engine

Medium Effort

This section is purely providing an educational basis for the next two sections. If you already know the difference, feel free to skip ahead.

Most people use Google Chrome - you probably do too. When you open up Chrome and type something in up top to search for something, you are still just in Chrome. It is not until you hit enter or search that you are sent to Google Search, where you see the results of your search.

Chrome is a web browser, the piece of software that allows you to browse and visit websites. It handles your multiple tabs, your bookmarks, and can even store and sync your passwords. Other web browsers you may know include Microsoft Edge, Firefox, and Safari. Google Search, on the other hand, is a search engine. A search engine is a website that keeps track of other websites and makes it easy to find one based on your search term. Think of it kind of like a librarian helping you find a book you are looking for. Other search engines you may know include Bing and DuckDuckGo.

For example, if you search for "cute cat videos", the search engine will go through its entire log of websites that it thinks may contain cute cat videos, rank them from most to least likely to match your search, and show you the top results. The web browser will then receive said results and display them on the page in a manner that makes sense to you, the human.

If you've ever taken an "intro to programming" or "intro to computers" class where they discussed HTML, CSS, or Javascript, then you are likely already familiar with this concept. In short, the search engine is simply a website made up of a bunch of code (HTML, CSS, and Javascript), while the web browser is what takes the code and turns it into something that you can easily understand as a human.

Medium Effort

Recommendations: DuckDuckGo, Startpage, Kagi, Leta

Google search provides a clear insight for Google to see into your life, thoughts, and habits. Unfortunately, most other providers are simply middlemen between you and Google or Bing; and the providers with their own index usually don't have very good search results.

For those looking for free or more anonymous options that don't require an account, DuckDuckGo, Leta, and Startpage are good options. They all just show you results from the other, bigger search engines (Bing, Google/Brave, and Google respectively), but they obscure you - the searcher - from the big search engines. This means that they make it really hard for Google, Bing, and Brave to know that it was you who made that search.

I personally use Kagi and am quite happy with it. It does still source results from Google, Bing, and others, but it is also building an index of its own. However, the big caveat here is that it is a paid service, which sounds like a deal-breaker at first. And for most people, that's totally fine. However, this means that Kagi does not run ads, and therefore can focus solely on making its search results the best they can be for you the user, not the advertisers. Plus, they have pretty solid privacy practices and a butt-load of other useful features. For me, my job, and my interests, it is well worth the costs. This is not going to be the case for everyone though, and that is completely fine.

Note: While Brave search (and their browser) has been gaining a lot of traction recently, and is pretty solid, their CEO, Brendan Eich, is anti-LGBTQ and a Trump supporter. The company has additionally come under fire for inserting their own affiliate links without user consent, among other issues. One of my personal reasons for de-Googling my life is to actively use more ethical tech, and tech whose maintainers I can trust to have the best interests in mind of myself and those in my life who use their products. I won't tell you not to use them, as their products are solid, but I cannot confidently recommend them.

Browser

Medium Effort

Recommendations: Vivaldi, Zen, Firefox, Orion

For your browser, my blanket recommendation is Vivaldi. It has a decent built in ad blocker (even on iOS!), good privacy, tons of cool features, and a sustainable, privacy-friendly business model. It also has apps on every platform, with end-to-end encrypted sync built in, making it safe and convenient!

Others to consider: Zen, Librewolf, Firefox, Orion (this one is Apple-only). Keep an eye out for future blog posts for my thoughts on these options, or shoot me an email at phil@phunky.tech and I will be more than happy to go in-depth on other browsers! I just feel that it is outside the scope of this blog post.

If you absolutely must use Chrome or another browser without a built-in ad blocker, uBlock Origin Lite is the way to go. If you are using Firefox, or a browser based on it (like Zen and Librewolf), then you can use the full version of uBlock Origin instead.

This is because Google (the developers of Chrome and the Chromium browser engine it is based on) restricted ad blockers' abilities "in the name of security". It's just awfully convenient that they also happen to be the largest digital advertising company that stands to benefit the most from kneecapped ad blockers...

Mask Your Email

Medium Effort

Recommendations: Fastmail, SimpleLogin, addy.io

Apps, websites, and data brokers are able to track you across the web in part thanks to the same email being reused for every site and service. Instead, for social media sites, food delivery and rewards apps, and miscellaneous one-off services, why not use a unique email address? So for example, instead of using your email bobbelcher@gmail.com to sign up for Netflix, you could use a random email like nd9k2h0@addy.io instead. Then, any emails that Netflix sends to that random email address will be forwarded along to bobbelcher@gmail.com like normal.

Data brokers now have a harder time linking your online activity across websites. If one of the services you use gets breached, or they sell your contact information to spam agencies, then you not only know exactly who the offending company is (remember, they were the only ones who knew that email address), but you can simply delete the email address to avoid any incoming phishing or spam emails.

Fastmail - one of the email providers discussed later in this post - has a masked email service built in that I personally use for several accounts. It even has native integration with Bitwarden, allowing you to easily generate masked emails on the fly! Third party offerings like SimpleLogin and addy.io offer a provider-agnostic service, functioning the same no matter who your email provider is. Bitwarden also has native integrations with both SimpleLogin and addy.io.

Protect Your Phone Notifications

Medium Effort

Apple shares your notifications with law enforcement, as does Google. You can disable notification content for Signal, better hiding your messaging history from prying eyes. Other apps make this possible as well, such as iMessage and Google Messages.

VPN

Medium Effort

Recommendation: Mullvad

I will start this section with some caveats on VPNs. Most people probably don't need a VPN, or at least not all the time. VPN companies make a ton of money, and spend a lot of it on fear mongering marketing to create more customers.

Contrary to their marketing, they do not magically make you more secure or anonymous online. The only times you should use one are:

  1. You don't want the site or service you're visiting to know your IP address.
  2. You trust your internet provider or current network less than you trust your VPN provider.
  3. You're trying to access geo-restricted content (e.g. the Japanese Netflix catalog).

If you still fall into one of these categories, then the answer is Mullvad. Mullvad is the option. It’s cheap, trustworthy, reliable, and doesn’t play games. Plus, they don't run expensive, over-the-top, scary ad campaigns like other providers.

High Effort Changes

These are changes that can take 1 hour or more to set up, require a more significant adjustment to your day-to-day workflow, or may require some technical knowledge to properly use.

Change Your DNS Provider

High Effort

Recommendations: ControlD, AdGuard, Quad9

Note: This portion gets a little bit technical. If you find it too overwhelming, feel free to skip it! You can choose to revisit it at a later date if you choose. Don't let perfection be the enemy of progress.

If you don't know, DNS (Domain Name Resolution) is the protocol that allows your computer to figure out what the IP address of a website is (i.e. going from something that you can understand, like google.com, to something that the computer can understand, like 142.250.73.78). Think of it like the phone book of the internet - finding your friend's phone number by looking up their name.

You are probably using Google's DNS servers right now, giving them invaluable insight into exactly which websites, services, and apps you are using, how often you are using them, and your rough geographical location. ControlD has their own DNS servers that are not only free, but have the ability to block known ads and malware before it even reaches your device! Their website has detailed instructions to manually set it up on each of your devices, but they also have an app that will do it for you.

This can help prevent your personal information and online activity from reaching data brokers and ad agencies, block ads in apps and websites across your devices, and protect you from accidentally downloading malware!
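What a filtering DNS resolver does with each lookup, as an added example that is not part of the original post and not ControlD's (or any provider's) code. The blocklist, the .example hostnames, the 203.0.113.x addresses, and the 0.0.0.0 "blocked" answer are all constructed for this sketch.

```python
# Constructed upstream answers, standing in for the real DNS hierarchy.
UPSTREAM = {
    "news.example": "203.0.113.10",
    "nottracker.example": "203.0.113.20",
    "cdn.tracker.example": "203.0.113.66",
    "ads.example": "203.0.113.67",
}

# Constructed blocklist of ad and tracking domains.
BLOCKLIST = {"ads.example", "tracker.example"}

SINKHOLE = "0.0.0.0"  # assumed "blocked" answer: an address nothing listens on


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.lower().rstrip(".")


def is_blocked(name, blocklist):
    """Match on whole labels, so a listed domain also covers its subdomains."""
    labels = normalize(name).split(".")
    # Check "cdn.tracker.example", then "tracker.example", then "example".
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


class FilteringResolver:
    def __init__(self, upstream, blocklist):
        self.upstream = upstream
        self.blocklist = blocklist
        self.query_log = []  # whoever runs the resolver sees every name you ask for

    def resolve(self, name):
        self.query_log.append(normalize(name))
        if is_blocked(name, self.blocklist):
            return SINKHOLE
        return self.upstream.get(normalize(name))  # None means "no such name"


def hosts_contacted(resolver, hostnames):
    """Names a device would actually open a connection to after resolving."""
    contacted = []
    for host in hostnames:
        if resolver.resolve(host) not in (None, SINKHOLE):
            contacted.append(host)
    return contacted


if __name__ == "__main__":
    resolver = FilteringResolver(UPSTREAM, BLOCKLIST)
    # Constructed list of hosts one news page pulls resources from.
    page = ["news.example", "cdn.tracker.example", "Ads.Example.", "nottracker.example"]
    print("connections made:", hosts_contacted(resolver, page))
    print("resolver saw:    ", resolver.query_log)
```

The query log is the privacy half of the story: blocked or not, every name you look up is visible to the resolver, so changing DNS providers moves that visibility to whoever you picked.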

Ditch Gmail

High Effort

Recommendations: Fastmail, Tuta, Migadu, Proton

Don’t use Gmail. Google tracks everything you send and receive to be used for ad personalization, LLM training, and sharing with the U.S. government. It is about as clear of an insight into your life (both physical and digital) as you can give.

For alternative providers, I wouldn’t worry too much about end-to-end encrypted email, as the person on the other end is almost certainly using Gmail or is keeping logs with a mail sending service like Mailgun. The key here is using a provider that doesn’t actively track and share data about your email with third parties. Bonus points if they are not U.S.-based.

I use Fastmail (tons of genuinely useful features, based in Australia), but Proton, Tuta, Posteo, Mailbox.org, and Migadu are also good options (not necessarily in that order).

Migrating email providers can feel overwhelming, but keep in mind that this is a marathon, not a sprint. Set up a rule to forward email from your Gmail to your new email, then put said forwarded mail into its own folder. When you get an email in that folder, go change the address associated with that account to your new one. After a week or two, you'll likely have covered most of your accounts. I recommend keeping the old email account around for at least a year, just in case you forgot anything.

Leave Google Photos

High Effort

Recommendation: Ente

Google Photos scans your photos and videos to learn more about you for ad personalization and AI model training. Not only can they see everything you upload, but they will ban your entire Google account with no recourse if they think you are doing something illegal - even when they're wrong. Losing your entire family photo library would be a disaster for most people, so using a service that not only end-to-end encrypts your photos, but also has real humans that you can talk to is a must.

Ente photos is end-to-end encrypted, open source, and has real people you can ask for help; it checks all the boxes. And it still has useful features, like on-device image search, photo editing, album sharing, and so on. It is absolutely worth a look.

This is only in the "high effort" category because it can be a major pain in the ass to transfer your photos out of Google Photos and iCloud Photos. They do that by design, you know; making it hard to leave, incentivizing you to stay and keep paying them with both money and data. That's reason enough to leave in and of itself in my opinion.

Glossary

Encryption

In simple terms, encryption is an operation that scrambles a piece of information using a secret code to hide it from prying eyes. End-to-end encryption scrambles the information in such a way that only the sender and receiver(s) can see the information - hiding it from even the middlemen (the people running the site or service).

Open Source

An app or service being "open source" or "FOSS" means that its source code is freely available for people to examine, audit, and generally do what they please with. It may sound counter-intuitive, as it could make it easier for hackers to find vulnerabilities in the apps. However, in practice, it actually means that there is a huge community of nerds keeping tabs on new changes to the code, ensuring that it is safe and secure for people to use.
