Version 1.1, November 9, 2024.
Conversations about privacy and security often focus on technology and give scant attention to the human, non-technological factors that affect personal privacy and security. This post covers a range of concrete steps we can all take to regain control over what, when, and with whom we share. Some of the things we discuss will involve technology, and some of them won't. The majority of the suggestions we make involve tools or practices that are freely available. The vast majority of things we suggest are also designed to be accessible without a large amount of technical knowledge. The steps we outline here are intended as a solid starting point, and not a comprehensive solution, but with that said, the steps we define here minimize or eliminate many common issues.
Also, the steps in this guide are about minimizing risk, exposure, and the potential harm that comes from risk and exposure. These steps can reduce risk, which is great, but it's not the same as eliminating risk. Do what works for you, and do it as consistently as possible. The best steps you take are the ones you take. Start small, build up gradually, and make informed choices.
- Assessing Risk
- Quick List - Getting Started
- In Person/Face-to-Face
- Going Next Level On Your Phone
- Avoiding Scams
- Choosing a Browser
- Ad Blocking
- Safe(r) Browsing
- Using Sites Where You Have an Account
- Search
- Email (and text, and social media)
- Clear Data From Google
- Adjust Privacy Settings (Really, Visibility Settings)
- Secure Online File Storage
- Virtual Private Networks (VPNs)
- Increased Anonymity and Tracking Protection
- Creating "Good" Passwords
- Password Managers
- Two-Factor Authentication
- Passkeys versus Passwords
- Phone/Tablet and Apps
- Disable Push Notifications
- QR Codes
- Wireless
- Kill AI
- Conclusion
- Version and Updates
- Licensing Information
When we think about protecting our privacy, we generally start with these questions:
- What are you trying to keep private?
- From whom are you trying to keep it private?
- What are the consequences if the protections fail?
- Do the consequences change or shift over time (short-, medium-, long-term)?
- How much effort are we willing to put into making any needed changes?
These factors can help determine our priorities: What information is most important to protect? Why? How much effort should be put into protecting something? Should we prioritize easy changes over things that might be more important, yet more complicated? The right path will vary person by person, and that's normal. It's also normal to start down one path and change. Do what feels right, do what's possible, and be flexible in your implementation.
Use the questions listed above to structure decisions. In the conversations below, we will highlight how easy or hard some changes are to make.
This specific guide is designed to provide a range of options for people who want to proactively minimize their exposure in a range of ways. It is not designed for people in a crisis. It is designed for people who distrust the companies that profit from our data, and for people who have concerns that the details of their private life could be used against them.
When we discuss privacy and security, we often become too focused on the tools rather than on the behavioral shifts required to use the tools well. At the same time, when discussing how to improve privacy and security, we often get stuck in the details and fail to acknowledge that we all can do simple things to increase the control we have over our privacy. Each of these steps, and additional options, are discussed in more detail in this post.
Easy, free steps to protect our privacy start with blocking trackers when browsing the web:
- uBlock Origin (blocks ad trackers)
- Use DuckDuckGo for search. It's not perfect, but it's better.
- Whenever possible, set up two-factor authentication to protect accounts.
When using your phone or tablet, these free steps can increase your control over your privacy:
- Use Signal to send texts and make voice calls.
- Turn off wireless, Bluetooth, and location services when you leave your home. Only turn them on when you need them.
- Use DuckDuckGo's mobile app to minimize tracking - iOS and Android versions.
- Disable Push Notifications.
Take these steps that are slightly more complex and still free:
- Use Tor when browsing for sensitive information.
- Delete cookies from your browser - this recommendation applies both to phones and laptop/desktop computers.
Try these additional options that add privacy protection but are not free:
- If you choose to use a virtual private network, or VPN, do not make this decision lightly. VPN use is a surprisingly complex choice. Many (most?) VPNs expose you to additional risk. More details are in the section on VPNs.
- Use a privacy screen. This will help prevent people from reading over your shoulder.
A final step we all can take involves cleaning up the old files we have in our online file storage and deleting old emails we have stored online. No one needs to be a data hoarder. Setting up a time each month to delete emails and files we no longer need, and to archive items we don't have an immediate need for, helps minimize the risk of old information becoming compromised.
There are a range of ways people can access information if they're physically close to you. In this section, we will highlight ways to minimize the risk of people seeing information they don't need to see.
At the outset, I want to highlight that going into a public space means you will be caught up in some form of observation. This can be as benign and accidental as being in the background of someone's photo in a public place, getting captured by a person's connected doorbell (i.e., Ring, etc.), or it could be as focused as having your license plate scanned as part of data collection by law enforcement. It's also worth remembering that many public places (most stores, malls, supermarkets, gas stations, public transit, and the like) are covered by closed-circuit television cameras. Increasingly, stores are using video surveillance on both staff and customers. Expect this to get worse in the near future as stores and other public and semi-public spaces use AI-based products of dubious value.
If you are accessing or working in a public space, one of the most common ways that people can get information about you is by watching your screen as you work. This hallmark of the perpetually nosy -- also known as "shoulder surfing" -- can range from simply annoying to potentially dangerous, depending on what you're doing. It's not difficult to imagine web searches where we wouldn't want some stranger, sibling, uncle, or other person reading over our shoulder.
Fortunately, a privacy screen will block shoulder surfing. For other people who work in public spaces -- from coffee shops to offices and libraries -- the following steps can minimize your risk:
- If you're working and you leave your computer, lock your screen with your password or power it down. If you leave a computer while you're still logged in, anyone can sit down, access your computer, and use all the information it has. Better yet, if working in a public space, don't leave your computer or phone unattended. The hassle of carrying your tech with you when you step into the bathroom is dwarfed by the hassle of having your stuff stolen, or your information compromised. Note: locking your desktop when you leave your desk/workspace applies to working in an office as well.
- Encrypt your hard drive on your computer. Instructions for Mac, instructions for Windows, instructions for Ubuntu Linux. If your computer is lost or stolen, having an encrypted hard drive will prevent unauthorized access to any information on it. It's worth noting that encrypting your hard drive will not mean much if you have a weak password for your login.
- If you're using a newer iPhone or iPad or a newer Android device, then your device is likely already encrypted by default. If you use an iPhone and are at higher risk, or if you want to experiment with a more secure setup, try Lockdown mode. Encrypting your phone or tablet prevents access to information stored on the device in case of loss or theft. It's worth noting that encrypting your phone will not mean much if you use fingerprint unlock or a weak password. It's also worth noting that protections on the device can be undermined by backing up to cloud based storage, or by installing apps with overly broad permissions. We talk about additional protections available on phones later in this writeup.
- If you use external storage (i.e., any USB storage), encrypt the drive and use a strong passphrase to protect it. Windows instructions, Mac instructions, Linux instructions.
- Be careful with -- to the point of never using -- external USB storage where you do not know the source of the drive. This especially applies to any drive you find, but also to drives that vendors "helpfully" give out as swag at conferences. If you haven't bought the drive yourself from a vendor you trust, don't connect it to your computer. This also can apply to situations where someone asks you to print a file for them off a USB key. It can be awkward to say "no", but we are often only as secure as our least secure friend or relative. External drives can be used to deliver a range of malware. If you avoid using drives where you do not explicitly trust the source, you can eliminate this risk.
- Use a password manager. At first blush, this doesn't seem to make a lot of sense for inclusion in a section on potential risks from someone being in the same physical space as you, but using password managers solves one common problem: writing usernames and passwords on paper where they can be read, photographed, or used by unauthorized people. (Fact: I have seen usernames and passwords written on a whiteboard get included in promotional videos.) Password managers are covered in more detail later in this blog series. An open source option like KeePassXC does not cost money; 1Password costs $3/month for a personal account, and Bitwarden costs $10/year for a personal account (prices checked June 2024).
There are other steps you can take to minimize risks that arise from physical access, but using a privacy screen, encrypting devices, not leaving devices logged in while they're unattended, and being careful with external storage devices can eliminate many common issues. As we stated at the outset, eliminating all risk is impossible, but these steps can reduce risks to which we're all commonly exposed.
Phones are tricky. One way of thinking about phones is that we all pay money to carry a GPS tracking device, a microphone, and a video surveillance tool that can also make phone calls. Arguably, phones are the most intrusive risk to our privacy and security, and the phone operating system market can feel like a duopoly: Android or iOS.
Fortunately, other options exist.
CalyxOS is a solid option for a more privacy-conscious phone. They support a large number of phones, and you can also buy a phone with CalyxOS pre-installed. The install process for Calyx is well documented and complete, and it requires some familiarity with the command line. With that said, because the documentation is thorough, it looks more complex than it is.
GrapheneOS is another great option for people looking for a private and secure phone. Like Calyx, Graphene has well documented installation instructions that are both detailed, and potentially intimidating for people who aren't familiar with setting up hardware. Graphene recommends a recent Pixel phone.
Both Graphene and Calyx are based off Android, and both pull the Google-reliant bits from the operating system. There are long and heated discussions about which system is better, and getting into that conversation is outside the scope of this post. Either option is more private than stock Android or iOS. Having used both systems, the one thing I will say is that Organic Maps is a good replacement option for Google Maps, which is the only Google service I truly miss. If and when I have needed Google Maps (maybe once every 4-6 months?) I'll either piggyback off a friend's phone (because I'm a freeloader like that) or load Google Maps in the phone's web browser.
Moving off Android or iOS can be a tall order. The install process is not simple, and in some cases a botched install can brick your phone. Fortunately, the NSA (I know - ironic, right?) has a good guide on steps to take when using Android and iOS devices. This guidance came out in October 2020, and it still holds up.
One piece of advice buried in this guidance: turn your phone off at least once a week. There are some types of attacks that run without impacting the underlying operating system, and powering your phone off will stop these attacks from working. While this won't stop every type of attack that targets phones, given the relative simplicity of the defense (turn off, wait 60 seconds, turn on) it's an easy, accessible step we can all take.
Scammers congregate where people have a need or want something. That makes job boards, dating sites, ticket sales, charitable donations, and ecommerce very attractive vectors for criminals. Scammers exploit need, in the many different ways that needs appear for different people.
And: scammers often work to exploit our better impulses. We want to believe people. We want to believe that a romantic connection is real. We want to believe that we have finally stumbled across a great deal.
Scammers also rely on our inherent politeness. A good many people will stay in an awkward interaction rather than leave it in a way that feels rude. Scammers know this, and they exploit it. It's okay to set boundaries, and it's okay to leave a situation, for any reason -- this is true for scams, and it's true for life. No one has a right to your time or attention, and people who pretend otherwise are showing that they should not be trusted.
Describing every different type of scam is outside the scope of this post. In this post, I'll highlight the behaviors scammers are looking to exploit, using a subset of scams as examples. The technology used to deliver the scams is often secondary to the behaviors exploited in the scam.
Never give out a password, or a secondary authentication code, even to someone who claims to be a company representative. If someone online is being very helpful, they are often trying to rip you off.
Be very hesitant to screen share with any tech support staff. While this can be a legitimate troubleshooting tool, it is often used as part of an attack to gather login information or other personal information.
Avoid doing anything quickly, and be suspicious about manufactured urgency. Contrived urgency is designed to short-circuit our caution and our critical thinking. It's always okay to slow down, and anyone who tells you otherwise probably doesn't have your best interests at heart.
Artificial Intelligence has been incredibly useful to criminals executing fraud and scams, and the companies creating these tools continue to fail at building guardrails that protect innocent people. Examples of AI-powered scams include situations where people get a call from family members -- often a child -- demanding help or a ransom quickly.
If you are working with someone online that you are getting to know and something works the first time, that doesn't mean it's okay. That means the scam will happen later. Some investment and romance scams work this way: an initial investment for a small amount of money pays out a real return, and then the second or third investment -- for more money -- results in the money being stolen.
Never forward money from a check sent to you. This scam works because scammers exploit the way banks "work". When a check is deposited or transferred, the money shows up in the account, and some of the money can even be accessed. If you transfer money out of your account to a different account, you are liable for that money. So when the deposited check turns out to be from an account that is overdrawn, you -- not the bank -- are liable for the loss.
If someone contacts you out of the blue with a service or offer that sounds amazing, it's probably not real. I don't mean to sound like a dick here, but reality can be very cruel to blind optimism.
A specific type of scam where the criminals truly deserve a special place in hell: romance scams. These scams prey on people -- often women -- and are cruel on multiple levels. Older people who have lost a partner are often targeted.
The best way to not get scammed is to not respond. If you want to try and verify the offer, respond out of band. If they call, ask for a web site and email contact. If they email, ask for a web site and phone number. Ask for a physical address where you can contact them via mail (and watch their head spin as they understand the request).
For example: "This sounds like a great offer. What is your name, what is the web site where I can learn more information, and what is the physical address where your business is located?" A legitimate business will be able to answer these questions quickly.
In the space of a single conversation, a legitimate business can give you most or all of these pieces of information:
- Employee name
- Business name
- Business physical address and/or
- Business mailing address - some legitimate businesses are virtual and don't maintain a physical address
- Phone number
- Web site
- Email addresses
This information can then be used to do more research about the business.
But, and I can't stress this enough: be VERY skeptical of offers and opportunities that come unbidden, both online and in real life. You know what you need better than anyone, and one key way to avoid scams is to be intentional about the opportunities you seek, research them thoroughly, and act on them on your terms.
General Maintenance When Using a Machine that Connects to the Internet
Part of maintaining the security of our devices -- and our privacy -- involves making sure that our device or computer software is up to date.
On any device -- a phone, laptop, desktop, or tablet -- every installed app or service is (theoretically, potentially) an attack vector. Because of this, make sure that you only retain the apps and services you need and want on your device. If you tried out an app but didn't continue using it? Delete the app. You can't be compromised via a service that isn't installed.
The first time you run through the Great Deletion, it might take a while, but once you make a first pass and delete unused apps, maintaining a cleaner device will be easier. It's similar to cleaning your kitchen -- not necessarily fun, but necessary, and you feel good afterwards.
One additional note: deleting apps from your device does not delete any accounts associated with the service. You can delete an app while still retaining the account. I do this with travel apps from airlines; I delete them when I'm not flying for privacy reasons, and re-install them when I'm going to be travelling for work.
Opinions vary widely on the protections offered by malware and anti-virus software. The distrust and ambiguity has been exacerbated by the industry itself -- for example, Avast sharing user data collected via their antivirus product with an adtech company, Norton Lifelock accounts being compromised via credential stuffing, and nation state actors compromising antivirus by hijacking updates. Because anti-virus and anti-malware needs to see nearly everything happening on a device, it's an attractive target.
Because of these issues, I do not have any specific recommendations for antivirus or anti-malware software. For some people -- especially people on Windows machines -- it can make sense. For others, it might not. The one thing I will say, which is less of a recommendation and more general advice: if you are running Windows, look at the options that are packaged with the operating system. Because you are already running Windows, you are effectively trusting Microsoft, and therefore, enabling any anti-virus and anti-malware that comes with Windows does not substantially alter the reality that by virtue of using Windows you have no real option but to trust Microsoft.
Install operating system and software updates in a timely way.
Choosing a browser is becoming increasingly difficult. Firefox used to be a reliable choice, but with Mozilla's push into AI, the wisdom of using Firefox for the indefinite future is open for debate.
I don't recommend using Chrome. Google has been threatening/promising to remove cookies for years, which sounds like a win for privacy, but will generally be a win for Google.
I recommend splitting browser selection into two types of use: the Everyday browser, and the Research browser.
For the Everyday browser, I still recommend Firefox. I wrote a post a few years back that still holds up on how to configure Firefox post-install. Mozilla -- the organization that develops Firefox -- is slowly going up in flames, but until a legitimate organization forks Firefox or a legitimate organization releases a browser that is fully featured and accessible to regular people, Firefox is the best choice we have.
For the Research browser, use Tor and/or the Mullvad browser (which is a collaboration between Mullvad and Tor).
Adtech is malware. We see this repeatedly; a recent example of what this looks like comes from Meta, who allowed their adtech to play a key role in delivering an infostealer.
In addition, adtech companies sell, and resell, our data repeatedly, and the end result invariably ends up getting invisibly weaponized against us.
Ad blocking options:
- Browser extension: Install uBlock Origin
- Network option: Block via DNS using a service like Quad9
- Network option: use a Pi-Hole.
- Phone: Use DuckDuckGo's mobile app to minimize tracking - iOS and Android versions.
The device-specific ad blocking options, while offering some protection, are not as comprehensive as the network options. The network options can require more setup, but offer protection to all devices using the network.
DNS-based ad blocking can also be set on different devices. Documenting the steps for different devices is outside the scope of this post, but you can find information for different devices and operating systems using the following general search formula:
change dns server OS_NAME
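The network options above (a filtering resolver such as Quad9, or a Pi-hole) all work on the same principle: the resolver holds a list of tracker and malware domains and refuses to resolve any name on that list or underneath it, so every device on the network is covered without installing anything. The following is an added example, not code from the original post or from the Pi-hole or Quad9 projects, that walks through that decision with a constructed blocklist and a constructed query log; the sinkhole address and the domain names are illustrative only.

```python
"""
Added example (not from the original post): how a DNS-based blocker such as a
Pi-hole or a filtering resolver decides whether to answer a query or sinkhole it.
The blocklist and the query log below are constructed for illustration; they are
not a real blocklist or real traffic.
"""
from typing import Iterable

# Constructed sample blocklist: the "one domain per line" format most DNS
# blockers load. Comments and blank lines are ignored, as in hosts-style lists.
SAMPLE_BLOCKLIST = """
# constructed sample list -- not a real blocklist
ads.example
tracker.example
metrics.example
"""


def load_blocklist(text: str) -> set:
    """Parse a domain-per-line list into a set of lowercase domains."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def is_blocked(name: str, blocklist: set) -> bool:
    """A query is blocked if the name or any parent domain is on the list.

    DNS blockers match whole labels from the right, so listing "tracker.example"
    also covers "cdn.tracker.example", but not the unrelated "notads.example".
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return True
    return False


def resolve(name: str, blocklist: set) -> str:
    """Return the sinkhole address for blocked names, otherwise "forward".

    Real blockers answer NXDOMAIN or an unroutable address such as 0.0.0.0;
    forwarding to the upstream resolver is represented here by the string "forward".
    """
    return "0.0.0.0" if is_blocked(name, blocklist) else "forward"


def summarize(queries: Iterable[str], blocklist: set) -> dict:
    """Count blocked vs forwarded queries, the figure a Pi-hole dashboard shows."""
    counts = {"blocked": 0, "forwarded": 0}
    for q in queries:
        counts["blocked" if is_blocked(q, blocklist) else "forwarded"] += 1
    return counts


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    # Constructed query log from one device on the network.
    log = ["news.example", "cdn.tracker.example", "ads.example",
           "mail.example", "metrics.example."]
    for q in log:
        print(f"{q:24s} -> {resolve(q, bl)}")
    print(summarize(log, bl))
```

The suffix match in `is_blocked` is the part that matters: an advertiser who moves the tracker from `tracker.example` to `cdn.tracker.example` is still blocked, which is why a list of a few thousand base domains covers far more hostnames than it lists.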
Going online exposes us to the wonderfulness of the internet, but that wonderfulness also brings the fetid practice of tracking and behavioral-advertising technology. Due to the ongoing and well-documented overlap between malware and adtech, we document protections against tracking as an effective defense against exposure to various forms of malware. The connections between social media and malware continue to evolve, as Meta continues to fail to protect their users from malware attacks.
And even if adtech wasn't commonly used to deliver malware, it should still be blocked for one core reason: unnamed companies, who we don't know, who haven't asked our consent, who don't have our best interests at heart, have no right to know what I'm doing online. I don't go online so The Trade Desk can exist. The data broker and adtech industries justify their ever-expanding quest to collect and retain more information about us with the disingenuous question of "where is the harm?"
When you hear this question, know that you are conversing with someone who -- either intentionally or unintentionally -- is parroting industry talking points. The better questions are "what is the need?" and "who benefits?" and "why is it necessary?" The answers to these questions help center the conversation in a way that values people over corporations, and exposes the surveillance embedded in many of the business models supporting adtech and data brokers.
When we visit any website, we generally are tracked by various methods. In this post, we lump different tracking methods and technologies into a blob that we will call "trackers." Technical differences exist between different types of trackers, but a thorough description of them all is outside the scope of this post.
It's also worth noting that when we go to a site where we have an account (or use an app on our phone that connects us to an account), our use of the service is generally tracked because we willingly identify ourselves to the site. Choosing to log into a site generally means that we are agreeing to be tracked by that site. The privacy policies of these sites describe how they use the data they collect from you. (Note: Most commercial sites can use and share your information with few restrictions, including sharing it with unnamed "partners" and combining it with data from other sources to create detailed tracking profiles.) It is possible to minimize tracking by browsing these sites without logging in whenever possible and only logging in when absolutely necessary.
When using social media, clicking on things such as quizzes can expose huge amounts of personal data to trackers or provide answers to your password-reset security questions. In some cases, the companies behind the quizzes use the data to compile personality profiles that are used in political campaigns. Even seemingly simple things like the "like" button or responding via emoji can allow for fairly precise tracking. Fortunately, avoiding this form of tracking is simple: Stop taking the quizzes, and stop using emoji-based reactions (people have experimented along these lines in the past).
Criminals continue to exploit bugs or flaws on social media sites. While the patterns of different attacks may vary, many attacks can be thwarted by not opening files that you haven't explicitly downloaded from a trusted source.
But in general, when we create an account on any site, that site will track our behavior or how we use that site to some extent. The best way to avoid this type of tracking is to use sites without logging in whenever possible and to clear your cookies and browser cache frequently. Later in this post, we will cover how to clear cookies and other methods of minimizing tracking.
Clearing your cookies, cache, and browsing history regularly minimizes the amount of data available to trackers (read our instructions for Chrome and Firefox).
In addition to these steps, disabling and removing unused browser plug-ins is strongly recommended. In some instances, advertising companies or criminals have bought moderately popular extensions and used them to push trackers and malware. Disabling and deleting unused browser extensions minimizes this risk (read our instructions for Chrome and Firefox).
A final note here involves the use of so-called "private" or incognito browsing. Avoid it. If you want private browsing for everyday activities, use the steps outlined in this section. If you want truly private browsing, use Tor, as described in the next section.
With the increased use of AI to create content, and the increased use of AI to deliver search results, search is becoming increasingly useless.
For many of us, if we have Gmail accounts (either a personal or work account, or both) and we use Google for search, we almost always search when we are logged in to Google. This gives Google a very complete view of what we search for, which allows them to "personalize" searches to what Google thinks we want to see (if you want to see a small subset of what Google knows about you, visit https://myactivity.google.com/myactivity when logged into a Google account. While this is only a fraction of what Google knows about you, a quick scan through your search history is often illustrative and petrifying). "Personalization" ensures that two people searching for the same topic won't get the same results. However, when results are invisibly tailored "for" us, bias appears in the results. There have also been substantial charges that Google has abused its position as a leader in search.
- Use DuckDuckGo
When searching for sensitive information that you don't want shared, the best approach is to use the Tor/Mullvad browser and search via DuckDuckGo. Using this strategy helps protect you from having your personal data collected by data brokers while searching for information.
This section was originally focused on email, but the bulk of this advice applies to text messages and social media use as well.
Email, text messages, and social media messages are all convenient ways for bad things to happen to good people. While the steps in this section won't solve all problems, they can help address some of the more common issues.
Be wary of links and downloads, even if they appear to come from friends. When you're sending links or files via email, describe what you're sending, and why. This helps the recipients of anything you send know why you're sending it. When you receive a file or a link, look for that context. If all the message says is, "Hey! You gotta check this out!," you should definitely not check this out.
To avoid a potentially malicious link, review the base URL and verify that it makes sense (mouse over any links before you click on them so you can review the URL that's displayed). People trying to steal your information will create website domains that look "right" but are actually fake. Using a tool like VirusTotal will help verify any potentially risky links.
Expand shortened links before you click on them. People trying to steal your information will often use shortened URLs to obscure where they're sending you.
Use extreme caution when downloading files, especially files that are compressed (for example, they end with ".zip," ".gz," ".7z," and the like). Bad downloads are a common way of spreading malware and ransomware. Also, avoid files sent via email that are executable, meaning they can install software on your computer (for example, they end with ".exe" for Windows or ".dmg" or ".app" for Mac OS X).
The advice about using links and being suspicious of file downloads applies directly to using social media as well. Be very wary about expanding links sent via direct or private messages from acquaintances you follow. This is a common attack strategy: Compromise one account, then send malware to all the "friends" of that account.
One additional detail: it is very difficult to verify links when working on a small screen. Use a laptop or a desktop to verify a URL if you have doubts. If you are concerned about taking the extra time, please remember that the time required to clean up your system after you are compromised is exponentially longer than the amount of time required to verify a URL.
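The link and attachment checks described above (look at the base URL, be suspicious of lookalike domains and shortened links, treat archives and executables with care) can be written down as a small triage helper. The following is an added example, not code from the original post; the shortener list, the "expected" domain, the extension lists and the sample links and filenames are all constructed for illustration.

```python
"""
Added example (not from the original post): pull the real hostname out of a
link, flag the tricks that make a fake domain look "right", notice shorteners
that hide the destination, and flag risky attachment names. The lists below are
constructed for illustration and are not exhaustive.
"""
from typing import List
from urllib.parse import urlsplit

# Constructed list of services that hide the destination behind a short link.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Extension groups the post calls out: compressed archives and executables.
ARCHIVE_EXT = {"zip", "gz", "7z", "rar"}
EXECUTABLE_EXT = {"exe", "dmg", "app", "msi", "scr", "bat", "js", "vbs"}
# Document-looking extensions that are often used as bait in "invoice.pdf.exe".
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def _split(url: str):
    # Links pasted without a scheme ("bit.ly/abc") would otherwise parse as a path.
    return urlsplit(url if "://" in url else "http://" + url)


def hostname_of(url: str) -> str:
    """Return the lowercase hostname the browser will actually connect to.

    urlsplit() handles the "user@host" trick: in https://bank.example@evil.example/
    everything before @ is userinfo, and the real host is evil.example.
    """
    return (_split(url).hostname or "").rstrip(".")


def link_warnings(url: str, expected_domain: str = "") -> List[str]:
    """List reasons a link deserves a second look before clicking.

    expected_domain is the site the message claims to be from (constructed input);
    when given, the host must be that domain or a subdomain of it.
    """
    warnings = []
    parts = _split(url)
    host = hostname_of(url)
    if parts.username is not None:
        warnings.append("credentials before @ hide the real host")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode hostname (may imitate a familiar name)")
    if host in SHORTENERS:
        warnings.append("link shortener: destination hidden, expand before visiting")
    if url.lower().startswith("http://"):
        warnings.append("plain http, no TLS")
    if expected_domain:
        exp = expected_domain.lower()
        if not (host == exp or host.endswith("." + exp)):
            warnings.append(f"host {host!r} is not {exp!r} or a subdomain of it")
    return warnings


def attachment_warnings(filename: str) -> List[str]:
    """Flag archives, executables, and double extensions such as invoice.pdf.exe."""
    warnings = []
    exts = filename.lower().split(".")[1:]
    if not exts:
        return warnings
    if exts[-1] in EXECUTABLE_EXT:
        warnings.append("executable attachment")
    if exts[-1] in ARCHIVE_EXT:
        warnings.append("compressed archive")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and exts[-1] in EXECUTABLE_EXT | ARCHIVE_EXT:
        warnings.append(f"double extension .{'.'.join(exts[-2:])}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links and filenames, as they might appear in a message.
    for link in ["https://www.bank.example/login",
                 "https://bank.example@evil.example/login",
                 "https://bank.example.evil.example/",
                 "https://bit.ly/abc"]:
        print(link, "->", hostname_of(link), link_warnings(link, "bank.example"))
    for name in ["notes.txt", "photos.zip", "invoice.pdf.exe"]:
        print(name, "->", attachment_warnings(name))
```

The host-versus-expected-domain check is the one people most often get wrong by eye: `bank.example.evil.example` starts with the right words, but the part that matters is the end of the hostname, and that is `evil.example`.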
Set your email client to strip or not display images. Marketers will often embed tracking technology called a "tracking pixel" in emails; by stripping or not displaying images, you can prevent the effectiveness of this tracking method. Some email services
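To make the tracking-pixel point concrete, here is an added example (not code from the original post) of what such a pixel looks like inside an HTML email and what a mail client's "don't load remote images" setting actually does: any image that would be fetched from a server is dropped before the message is rendered, while inline images that contact no one are kept. The message body and the pixel URL are constructed placeholders.

```python
"""
Added example (not from the original post): a 1x1 tracking pixel in a constructed
HTML email, and a stripper that drops every remote image the way a mail client's
"block remote content" setting does. The pixel host is a made-up placeholder.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed HTML email body. The final <img> is the tracking pixel: fetching it
# tells the sender's server when, and from which IP, the message was opened, and
# the id in the query string ties that fetch to one specific recipient.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi! Your order has shipped.</p>
<img src="cid:logo" alt="company logo">
<img src="https://mail-track.example/open.gif?id=recipient-12345" width="1" height="1" style="display:none">
</body></html>
"""


class RemoteImageStripper(HTMLParser):
    """Rebuild the HTML, dropping <img> tags whose src points at a remote server.

    Inline images (cid: references, data: URIs) are kept since loading them does
    not contact anyone; every http(s) image is removed and recorded.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.output: List[str] = []
        self.stripped: List[Tuple[str, bool]] = []  # (src, looks like a 1x1 pixel)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = (a.get("src") or "").lower()
        if tag == "img" and src.startswith(("http://", "https://")):
            is_pixel = a.get("width") == "1" and a.get("height") == "1"
            self.stripped.append((a["src"], is_pixel))
            return  # drop the tag entirely
        self.output.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<img ... />) gets the same treatment as <img ...>.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.output.append(f"</{tag}>")

    def handle_data(self, data):
        self.output.append(data)

    def handle_entityref(self, name):
        self.output.append(f"&{name};")

    def handle_charref(self, name):
        self.output.append(f"&#{name};")


def strip_remote_images(html: str) -> Tuple[str, List[str], int]:
    """Return (safe_html, removed image URLs, number that looked like 1x1 pixels)."""
    parser = RemoteImageStripper()
    parser.feed(html)
    parser.close()
    pixels = sum(1 for _, is_pixel in parser.stripped if is_pixel)
    return "".join(parser.output), [src for src, _ in parser.stripped], pixels


if __name__ == "__main__":
    safe, removed, pixels = strip_remote_images(SAMPLE_EMAIL_HTML)
    print(safe)
    print("removed:", removed, "| 1x1 pixels:", pixels)
```

Note that the stripper does not try to tell a "legitimate" remote image from a tracking one: a full-size product photo loaded from the sender's server reports the open just as well as the 1x1 pixel does, which is why the client-side setting blocks all remote images rather than only tiny ones.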
Don't hesitate to ask for confirmation from someone about whether or not a message is legitimate. It's better to send a quick email response asking for confirmation than for your system to get compromised. While there are situations where a power dynamic can make this request uncomfortable, erring on the side of caution can save you time and hassle after the fact.
If you want an encrypted email account, use a service like Protonmail. However, when using an encrypted email account, keep in mind that both the sender and receiver of the email need to use an encrypted email service. If you send an email from a Protonmail account to a Yahoo or Gmail account, your email and information will be accessible to the ad scanning in those services.
One of the advantages of a large email provider such as Gmail is they provide solid spam, phishing, and malware protection as a part of their service. For regular consumer accounts with Gmail (not educational accounts), you pay for that protection by allowing Google to scan all your email message content, and you allow Google to use that information to create an advertising profile and market services to you; but if your main concern is avoiding malware and phishing scams, then Gmail offers some benefits.
One "advantage" of both email and cloud-based file storage (discussed below) is that they offer a large amount of "invisible" storage. The more data we retain, the more data that can be compromised or accessed by people for whom that information was never intended. If you have important emails that you need to retain over time, archive them and store them offline and then delete the original emails from your email provider. Deleting old emails minimizes the risk to us and to the people we communicate with. It's good data hygiene.
On a practical level, in some instances email can be used in criminal cases or civil lawsuits. Deleting unneeded emails, and deleting older emails, provides a level of protection against frivolous legal action.
A final note about email: It is only as secure as the person you're sending it to, and the "security" of the message should be assessed against the sensitivity and value of the message. If you're using an encrypted email service and you're sending messages to a person using a personal Gmail account, that email is getting scanned by Google. We generally advise people to consider email an insecure service. Accordingly, sending information about a surprise party is probably pretty safe, whereas sending information about a Dark Family Secret is something you might want to save for an in-person conversation.
For people who use Google, you can control (to an extent) what Google retains, or what Google shows you they retain.
While using the options Google provides is better than doing nothing, it's best to think about this as a mitigation strategy that needs to be verified periodically (every 3-6 months) to make sure that Google doesn't change any settings in an "update". If time is an issue, other steps can provide more return for the time required.
Many social media services talk about their privacy settings. This is cute, because they are lying to us. They don't have privacy settings; they have visibility settings. Our information is always visible to them, which means it will be shared with governments and in response to a legal request.
And with that, adjusting visibility settings offers protection from online harassment, stalking, and other forms of abuse, so understanding what these settings obscure and share is critical to staying safe online.
There are many posts that show how to lock down accounts. These steps are critical protection against stalkers, abusive partners, scammers, and other predatory and abusive behaviors that are furthered when bad actors access social media and other online accounts.
I'm not linking to any specific guides because the mechanisms change regularly, and any link I shared would be obsolete within weeks, days, or hours. Rather, use this search for the services you want to lock down:
SERVICE_NAME "privacy" "setting"
The top results will generally highlight some guides, and a link to where you can access the privacy/visibility settings on the service.
For people going through a breakup, there are other factors to consider. I wrote about this a while back, and Yael Grauer wrote a thorough piece on this.
And, while adjusting privacy settings is necessary to protect ourselves from the prying eyes of the general public, "privacy" settings are better understood as visibility settings. They largely govern what people can see, but they have little to no impact on what the company can see. There is no such thing as a privacy setting from Google, Facebook, Instagram, X, Tiktok, LinkedIn, etc. These companies can see information you mark as private, as seen when Facebook shared private messages that were used for prosecuting people who needed to access medical care.
TBD
Understanding what VPNs protect, and what they don't protect, is an important factor in determining if and when to use one. This section is not comprehensive, but at a high level, VPNs do three things in most cases:
- hide your actual IP address from places you go online; and
- make it more difficult for an attacker to see where you are going on the internet; and
- make it more difficult for an attacker to sniff any details about network traffic that is routed through the VPN.
However, VPNs do not:
- hide your traffic from sites you visit. When you visit a site, and especially when you log into a site, everything you do on that site can be seen by the people running the site;
- block malware or tracking. Some VPNs offer this as a feature, but it is not a default benefit of using a VPN.
Additionally, some sites will not work if you are using a VPN. Breakage can range from blocking any traffic coming from a VPN, to not allowing e-commerce or credit card transactions.
Finally, because VPNs route traffic through a single connection that is controlled by a single company, that organization can see -- and theoretically alter -- all of your internet traffic. Many companies that offer VPNs are not trustworthy -- and this is especially true of companies that only offer a free VPN service.
NEVER USE A FREE VPN. Never trust anyone who recommends a free VPN. VPNs are very difficult to maintain securely, and the expertise required to do this costs time and money. A trustworthy VPN -- one that does not snoop on your data, does not log your usage of the service, and won't hand your data to hostile governments or in response to frivolous legal action -- is both very hard to find, and worth paying for.
This section covers two types of VPNs: the work-provided VPN, and personal VPNs.
The work VPN protects the resources of your company. This makes sense. It protects the company from IP theft, and improves the security of your organization, and the integrity of work-provided tools and services.
Work-provided VPNs also see everything you do when you are online. They do not offer you any greater level of privacy. In general, you do not have any expectation of privacy when using any work-provided hardware, and your work-provided VPN is part of that picture.
If your company provides you a VPN, use it, and be aware that your boss can likely access anything you do, and when you do it.
For people who access the internet from outside their home or office, using a virtual private network (or VPN) can provide different levels of protection from a nosy kid playing at hacker on the coffee shop Wi-Fi network or from a person trying to steal private information as part of an attempt at identity theft. VPNs can also obscure which sites a person visits, thus hiding their browsing histories from people who might attempt to access it. Additionally, VPNs hide your IP address, which can make it appear as if you're in a different geographic location, which blocks location-based targeting.
I used to not recommend specific VPNs, because the choice of a VPN involves a range of factors. However, because the VPN space is a mess, and using an unscrupulous VPN can cause real harm, I now recommend Mullvad VPN. There are a few reasons for this, but the shortest version is that in April 2023, Mullvad was served with a search warrant requesting customer data. The police showed up demanding information, and left with nothing: no data, no equipment, nothing, because Mullvad as a matter of policy didn't have it. Mullvad followed up by requesting more information from the authorities that issued the warrant, and then published that correspondence as well.
While there are free VPN options, I do not recommend using them, as many of the free VPNs actually track and share your online behavior. A free VPN can cause more harm than good. One clear and obvious example of this is when Facebook used a VPN they controlled to spy on people between the ages of 13 and 35. In 2016, researchers showed that multiple vulnerabilities existed in free VPNs. These problems in free VPNs continue to exist and evolve.
Many companies provide VPNs for their employees. While these VPNs protect against people outside the company seeing traffic, people using a company-provided VPN should know and expect that their company's IT department can see all their online browsing activity and that in many cases that activity is logged.
NOTE: when you are using the internet from your home, your internet service provider (ISP) can see where you go online. They log this information. Using a VPN at home prevents your ISP from collecting this information. ISPs, like all companies, can be compelled to share data with governments, law enforcement, and in response to a valid legal request.
For people who work from multiple computers, or who for whatever reason don't want to use their computer or phone to browse privately, Tails allows you to boot from a USB key and use Tor to browse the web without leaving any trace of your activity on your host computer.
Because Tails can be treated as a throwaway operating system, it offers a level of flexibility other options might not have. Tails can also be useful as a tool to access the internet securely when connecting from places where we might not trust the security of the internet connection.
Tails is a specialized tool that isn't needed by everyone, but it can be useful for people who need to communicate privately from a system that will be difficult to trace, and its preconfigured privacy protections allow people to get started quickly.
Another option for people who want a private, segmented way to access the internet is to use a Raspberry Pi. The Pi 5 is a very solid machine, and you can set it up as a standalone device to use for specialized work. Using a Pi for specialized work where you don't want to expose your main device can provide a level of safety and flexibility. Getting a Pi 5 (the latest as of June 2024) costs around $100-150 US, depending on the setup of the Pi you get.
Password advice has evolved. Complexity is out. Forced password changes are out. Both of these practices contribute to less secure passwords, and password reuse. Passphrases -- multiple random words -- are more effective. Both NIST and XKCD agree, which is as close as we can ever hope to get to consensus.
Passphrases consist of multiple words, often with capitalization, often with numbers or special characters. To illustrate the point with two examples:
- Password one: Qevglm&%nGhkjkwjgf9p2479p24hcodh08qehcueh8q
- Password two: Table-Connection-Enigmatic-Squirrel-Manbun5
Both of these passwords are the same length - 43 characters, which is plenty long. One of these passwords is easier to remember, and to type into forms. Password two is a passphrase - basically a password that is just as hard for a computer to crack, but much easier for a human to remember. Choose words that make sense to you -- even made up words.
Passphrases allow us to have longer passwords, which helps them be more secure.
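As an added example (not from the guide), the script below generates a passphrase the way the section recommends, drawing words with the `secrets` module rather than `random`, and estimates its strength. The wordlist is a constructed toy of a dozen words so the script runs stand-alone; the strength figures are computed for whatever list size you pass, and the 7,776 used in the demo is the size of a diceware-style list, which is an assumption of the example rather than something the guide specifies.

```python
"""Generate a passphrase with a CSPRNG and estimate its strength in bits.

Added example, not from the guide. The wordlist here is a constructed toy
of a dozen words so the script runs stand-alone; a real generator draws
from a large published list (diceware-style lists have 7,776 words), and
the strength estimate below is computed for whatever list size you pass.
"""
import math
import secrets
import string

# Constructed toy list. Far too small for real use; only the list size and
# the uniform random choice matter for the strength calculation.
TOY_WORDLIST = [
    "table", "connection", "enigmatic", "squirrel", "manbun", "lantern",
    "orbit", "velvet", "granite", "puzzle", "meadow", "copper",
]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def make_passphrase(n_words, wordlist=TOY_WORDLIST, sep="-", digits=1):
    """Join n_words uniformly random picks (secrets, never random.choice),
    capitalised, plus `digits` random digits so the result satisfies the
    usual 'uppercase and a number' site rules."""
    words = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    suffix = "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return sep.join(words) + suffix


def passphrase_bits(n_words, list_size, digits=0):
    """Entropy when each word is an independent uniform pick from a list of
    list_size words. Fixed separators and capitalisation are predictable
    and add nothing; each random digit adds log2(10) bits."""
    return n_words * math.log2(list_size) + digits * math.log2(10)


def random_password_bits(length, alphabet_size=len(PRINTABLE)):
    """Entropy of `length` uniformly random symbols from the alphabet."""
    return length * math.log2(alphabet_size)


def equivalent_random_length(bits, alphabet_size=len(PRINTABLE)):
    """How many random printable characters carry at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("sample passphrase:", make_passphrase(4))
    for n in (4, 5, 6):
        bits = passphrase_bits(n, 7776, digits=1)
        print(f"{n} words from a 7,776-word list + 1 digit: {bits:.1f} bits "
              f"(~{equivalent_random_length(bits)} random printable chars)")
```

The calculation treats each word as one random pick, so what makes a passphrase strong is the number of words and the size of the list they come from; adding more words is the lever, and a list you choose from memory is smaller and less uniform than a published one.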
Our advice on password managers is straightforward: Use one. I generally recommend 1Password for sharing between multiple people or devices, and KeepassXC for local use.
I also do not recommend using LastPass.
While no single solution is perfect, password managers eliminate the problems of reusing the same password across multiple sites and using passwords that are too short or too simple. Password managers also generate passwords that are truly random and un-guessable. Additionally, many password managers have a mechanism wherein you can create secure notes to save important information.
To state the obvious, putting all this information in a single location is also a risk; this is why the password manager must also be protected by a strong password and two factor authentication. While writing passwords down is almost never a good idea, writing down only the password to your password manager and your primary device (i.e., computer or mobile phone), and then storing these passwords in a safe location, allows you to have a suitably strong password protecting these key services while eliminating the risk that you will forget the passwords. This post contains tips on creating both secure and memorable passwords.
Two-factor authentication -- also called 2FA, or MFA (multi-factor authentication) -- is based on the idea that we can be more secure if we expand authentication to include two (or more) of the following criteria:
- something we know (such as a username and password or a security question);
- something we have (such as a phone, access to an email account, or a USB key); or
- something we are (such as a fingerprint, an iris scan, a typing pattern on a keyboard, or other biometric indicators).
The most commonly used form of two-factor authentication involves the provider sending a text message to our mobile phone, in a process that works like this:
- We log into a web site with our username and password;
- a successful login forwards us to a screen that asks us for a second confirmation code;
- we receive a text message with a one-time use code; and
- we enter that code on the screen, and we are fully logged in.
However, there are three main issues with using a text message to support two-factor authentication. First, if one of our concerns is tracking by corporations, this form of two-factor authentication provides a direct connection among us, a mobile phone number, and our account - in other words, when we give Facebook or Twitter our mobile phone number to support two factor authentication, we have told them a phone number that we rely on, which can then be used to track us further.
Third, hackers have started to use a technique called SIM hijacking to actually take over a phone and have texts forwarded to a different phone. While this technique is more complicated and requires a reasonably skilled and determined person to pull off, SIM hijacking appears to be occurring more frequently.
Services such as Authy address some of these issues but still involve sharing data with a third-party company. However, if our primary risk is getting hacked, and corporate or ad tracking is secondary, two-factor authentication via text or via a service provides an additional level of protection.
An additional option that has some advantages over using text or a service is to use a special USB key, such as the one offered by Yubico. These keys don't have the same privacy risks from tracking as other forms of two-factor authentication, which makes them an effective protection against hackers without them compromising other privacy concerns. Yubico keys can also be used to provide two-factor authentication when you're logging into a computer, which is most effective when the hard drive is encrypted. Keys sold by Yubico currently cost between $18 and $50 for individuals.
But to summarize, any form of two-factor authentication adds a level of protection against unauthorized access. Using a USB key also protects against hackers and doesn't leak information to the other companies that will use personal information -- such as a phone number tied to an email address and other personal information -- to track us.
Passkeys have been promoted as a way to replace passwords, and all of the security concerns related to passwords.
Passkeys have been under development for years, and the initiative to adopt them took on extra steam in 2022 when Google, Apple, and Microsoft announced support for the standard.
If you use software or services from the major tech companies, Passkeys can have security benefits. Not every web site or service supports passkeys, however, which makes a complete switch for most people impossible.
Additionally, the usability of passkeys -- like any new-ish technology that aims to replace a legacy technology that we are all familiar with -- suffers in comparison with passwords. Some of the problems are related to user experience issues, and some of the problems are related to the simple reality that passkeys are less familiar than passwords, and that for passkeys to truly work they need to be broadly adopted. Passkeys are a new metaphor for what it means to authenticate and how we authenticate, while passwords are the devil that we know.
One core issue with passkeys is directly tied to how they are implemented. Passkeys are defined by a web standard, but the standard can be implemented differently. We see this in the education space all the time: the same standard is implemented in non-standard ways, which is why interoperability remains a marketing claim rather than a lived reality.
The big tech implementation of passkeys has received criticism as another way for big tech companies to lock people into their closed systems. Because of the past and current behavior of large tech companies, they don't make the most trustworthy partners, especially when it comes to handing them a central, controlling role in allowing access to all corners of our online life.
Technically, passkeys look promising. The reality of that promise remains to be seen (and I'm old enough to remember when SXIP and OpenID were going to solve related problems).
1Password maintains a searchable list of sites that support Passkeys. As of this writing, it shows 168 sites and services.
To start, using a mobile phone is both unavoidable and a significant privacy and security risk. If your phone is on -- even if location services, Bluetooth, and wireless are all off -- its location is still tracked via pings to cell phone towers. ISPs can be compelled to share this data with government, law enforcement, and in response to valid legal requests. ISPs are currently making the case that they can sell location data, which creates an additional layer of risk (i.e., if you live in a state with restrictions on accessing reproductive care, location data can be used as evidence).
Evaluating apps before you install them is possible, but it requires a significant amount of time and expertise to do well. For the purposes of this guide, we will assume that you have checked the permissions of apps you install before you install them and that the listed permissions more or less make sense with what the app is supposed to do (i.e., an email app might need access to contacts, whereas a flashlight app shouldn't need this permission). In general, be watchful for apps that request access to your camera, microphone, Bluetooth, call activity, contacts, and location. These permissions all have valid uses, but they can also be abused to compromise your privacy and security.
There are three free steps we can all take to reduce the risk from apps with sloppy and overly broad permissions.
First: Review the privacy settings of the apps you have installed. For Android-based systems, you can review the permissions of apps in the Play store or on your phone. For iOS-based systems, you need to review the privacy settings on your phone, which allow you to control which apps can use tools such as location, contacts, and so on.
Second: Turn off your phone's location services, Bluetooth connection, and wireless connection when you are outside your home, work, etc. If you turn these services off -- and then enable them only when you need them -- you minimize the amount of data you share and when you share it. Credit card companies have been using the locations where we shop as a means to adjust our credit scores for years. The next frontier of this type of tracking appears to be our location as we move throughout our day. Minimizing the amount of location data we share, and with whom we share it, allows us a degree of control over this aspect of our privacy.
Third: review the apps on your phone periodically and delete apps you are not using. An app that is not installed on your phone can't track you. As you delete apps, remember that deleting an app does not also delete your account with the service.
In addition to these three steps, one of the easiest things you can do to protect your privacy when using your phone is to install Signal. Signal is an encrypted text and voice app, and it's currently best of class. Other alternatives generally have weaknesses that make them, at best, less secure options. Signal also has a desktop version.
Using Signal on your phone also protects you from having the information in your texts logged and stored by your mobile phone carriers. As with email and file storage, deleting old text threads can protect against these threads being accessed.
In the past, I have seen (and yes, made) recommendations for using a Faraday Bag to block wireless signals and any potential tracking. Faraday Bags work, but/and they are often not practical for most people in everyday situations. If you want to get a Faraday bag, by all means get one (or hey - I'll sell you my old one, cheap!), but for most of us they end up being the thing we either use for security cosplay or never use at all.
Push notifications -- the messages that pop up on screen from apps even when your phone is locked -- often contain information about the app, the sender, and even the message itself. These messages create a privacy risk that companies and law enforcement can exploit.
This issue impacts both Android and iOS. Fortunately, this issue has an easy fix: disable push notifications. This has the added benefit of making our phones less intrusive. The nagging tones of incoming notifications can be a distraction on the best of days. Disabling push notifications is both better for privacy and better for our ability to stay present in our physical space - so what's not to love!
QR codes are increasingly used in consumer applications by companies and governments. Some restaurants use QR codes to share their menus; and many organizations, including governmental entities, use QR codes to direct people to locations of apps where people can learn more.
The increased use of QR codes creates a new opportunity for scammers and criminals. QR codes are the functional equivalent of a url or file arriving in a text or email, with one big difference: with a QR code, it's even more difficult to verify the url. For example, in the UK, scammers used fake QR codes to scam people trying to pay for parking. QR codes are being observed in phishing scams, and both the FBI and the FTC are warning people about increased criminal activity using QR codes.
The advice many people give about QR codes is to verify the link the QR code directs you to. This is not good advice because redirecting a link is drop dead simple; it's why delivering malware via email and text is so easy to do. My advice and my personal practice at present is to never scan QR codes. When we see a QR code, we need to start thinking the same way we do when we see a link: avoid clicking on it unless we have complete, 100% confidence both that we trust the organization sharing it, and that the QR code itself hasn't been tampered with.
A better solution would be a QR scanning service that reads the url, tests how many redirects the url triggers, and verifies -- using a service like VirusTotal -- whether or not any of the urls in the redirect chain have ever been used in malicious activity. Until then, I will continue avoiding QR codes.
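As an added example (not code from the guide), here is the core of the checker the paragraph above describes: given a url, walk its redirect chain one hop at a time, stop on loops or excessive hops, and report the things a cautious reader would want to know before any browser loads the final page. Fetching is a pluggable callable so the script runs offline against a constructed redirect map (standing in for HEAD requests made without auto-following redirects), and the reputation lookup is a constructed denylist rather than a VirusTotal client; the hostnames and the shortener path are all made up for the example.

```python
"""Inspect the redirect chain behind a URL (e.g. one decoded from a QR code)
before anyone follows it.

Added example, not code from the guide; it sketches the checker the text
wishes for. Fetching is a pluggable callable so the script runs offline
against a constructed redirect map, standing in for HEAD requests made
without following redirects. The reputation lookup is likewise a
constructed denylist; wiring it to a real service such as the VirusTotal
API named in the text is left to the reader.
"""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10

# Constructed sample: a shortener hop, a plain-http hop, then a host whose
# punycode (xn--) label is the kind used for look-alike domain names.
SAMPLE_REDIRECTS = {
    "https://qr.shortener.example.test/p4rk": "http://pay-parking.example.test/",
    "http://pay-parking.example.test/": "https://xn--pple-43d.example.test/login",
}
SAMPLE_DENYLIST = frozenset({"xn--pple-43d.example.test"})


def fake_fetch(url):
    """Stand-in for an HTTP HEAD that does not auto-follow redirects:
    returns the Location header value, or None for a final page."""
    return SAMPLE_REDIRECTS.get(url)


def follow_chain(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Walk redirects one hop at a time. Returns (chain, error) where error
    is None, "redirect loop" or "too many redirects"."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain, None
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            return chain, "redirect loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, "too many redirects"


def assess(url, fetch=fake_fetch, denylist=frozenset()):
    """Resolve the chain and flag hops a cautious reader would want to know
    about before the browser ever loads the final page."""
    chain, error = follow_chain(url, fetch)
    findings = [error] if error else []
    for hop in chain:
        parts = urlsplit(hop)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"non-https hop: {hop}")
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(f"punycode (possible look-alike) host: {host}")
        if host in denylist:
            findings.append(f"host on denylist: {host}")
    return {
        "chain": chain,
        "hops": len(chain) - 1,
        "findings": findings,
        "verdict": "avoid" if findings else "no issues found",
    }


if __name__ == "__main__":
    report = assess("https://qr.shortener.example.test/p4rk", denylist=SAMPLE_DENYLIST)
    print(" -> ".join(report["chain"]))
    for f in report["findings"]:
        print("  !", f)
    print("verdict:", report["verdict"])
```

The important design point is that every hop is fetched without auto-following, so the tool sees the whole chain and can stop early; a scanner that simply opens the url has already done whatever the last hop wanted by the time it reports anything.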
Wireless internet is widely offered in many public places. As with anything that is free, the offers often come with strings. Be selective with free wireless. It is generally a tracking tool. The risks of using publicly available wireless can be mitigated by using a virtual private network (VPN) and/or Tor.
Free wireless internet with no password is the highest level of risk for wireless. If you're using a wireless connection that has no password, know that any random person can access the same network as you. In many cases, stores that offer free wireless can use the information they collect about you when you're using their free wireless connection to track and target advertising to you, even while you're still in the store. Free wireless with a password is better, but not by much, and quality and safety will vary widely.
Institutional or organizational wireless is theoretically easier to secure, but the actual security will vary widely. In very general terms, the security within an organizational network will be set up to protect organizational assets first, personal privacy second. Institutional wireless often incorporates tracking, which is an appropriate security measure for the organization, but that can interfere with personal privacy. Additionally, if an organization leaves its wireless passwords unchanged for a significant amount of time, this erodes the value of security protections in place on this network. This is also true for organizations that put wireless passcodes in publicly visible places.
It's also worth remembering that our devices will automatically connect to "recognized" wireless connections unless we explicitly disable this setting. This can be exploited by hackers who can create illicit networks in public places. Common names such as "attwifi," "xfinity," or "linksys" can easily be spoofed -- and once you connect to a wireless access point, the person who controls that access point has the ability to see and control your online activity. A VPN mitigates this risk, as does turning off wireless on your phone when you go out. You can also minimize risk by deleting wireless networks that are outside your regular locations. This is especially true for people who travel.
A full writeup on home network security is outside the scope of this post, but the advice listed below can reduce some of the more pervasive risks on home networks.
Home wireless networks are only as secure as the wireless encryption protocol, the passwords used to access the settings on the router, and the passwords or security on any connected devices. Two steps anyone running a home network should take are:
- Disable remote access over the web to your router. This step will protect your router from many different types of attacks; and
- Make sure that security/firmware updates are enabled to take place automatically.
No one wants their router conscripted into a destructive botnet. Disabling remote access and enabling automatic security updates reduces risk.
Microsoft, Google, Apple, Meta, Mozilla are all running headlong into the ethical and privacy morass that is data collection from their customers to support developing AI tools that they promise and pinky swear will be really helpful for us, and will only require that they get access to all of our data.
This section is not complete as of this writing. In the upcoming weeks and months, I will update this section, but at this writing (Nov 8, 2024) I want to publish the other areas of this guide rather than hold up sharing the entire guide because this section is incomplete.
It's easy to feel powerless when it comes to protecting our privacy. Companies, political organizations, and governments have a head start, and the fight to regain our privacy is often marked by distinct information asymmetry, where the organizations collecting, sharing, and storing our data know more about us than we know about them. However, as the Five Days of Privacy demonstrate, we have options. There are a broad range of concrete steps we can take now, and most of these steps are free and pretty low-tech.
As we continue to reclaim our rights to privacy, part of our work is normalizing behavior that protects privacy. If one person out of a thousand uses a VPN, that individual will stand out. If 200 people out of a thousand use a VPN, we begin to get some safety in numbers. Additionally, as more people use more privacy-protecting behaviors, we reduce the value of the data that is collected. If we pair privacy-protecting behavior with studying the companies that want to collect and use our information, we reduce the current state of information asymmetry. Reclaiming privacy is a choice. Sometimes it's not a convenient choice, but flossing, exercise, and eating well aren't always easy either. But when we make protecting our privacy a choice as an individual, we make it easier to protect ourselves and our communities.
Version 1.1. November 9, 2024.
Note, 9 November 2024 - I allowed this guide to languish after I initially published it. Based on the events of the last few days I wanted to get it updated. This later version will likely be more opinionated than the earlier version. End Note
10 November 2024 - added section on Push Notifications from a suggestion received from Chris Ferguson.
This work is licensed under a Creative Commons Attribution Share-Alike License. The lead authors of the original work are Bill Fitzgerald and Audrey Watters.
Updates to this work by Bill Fitzgerald