Good Practices Guide

This is an online privacy guide for the general public. It consists of a list of widely recognised good practices everyone should consider adopting in order to better protect their privacy and security online.

Page last edited → 7 December 2021
Page last reviewed → 7 August 2021

Index

1. Software updates

2. Device password

3. Device encryption

4. Find my device

5. Password management

6. Multi-Factor Authentication

7. Secure communication

8. HTTPS

9. Secure DNS

10. Web browser

11. Privacy settings and policies

12. Web and app tracking

13. Cloud services

14. Data breaches

15. Data protection and minimization

16. Data backups

17. Social engineering

18. Anti-malware software

19. Webcam and microphone security

20. VPN

21. Tor

22. Personal risk assessment

23. Bring other people in

24. Conclusion

Software updates

2 min read

Software is complex, flawed, and ever evolving.

One of the most important things you can do to protect your information is to keep your software (like your apps and your various operating systems) always up to date, while also making sure it is recent enough to still be supported by its developer (be it an indie developer or a big company like Apple, Google, Microsoft, or Samsung). By doing so you’ll not only have access to the latest features and fixes, but you’ll also be running the most secure version of any given software product at any given time.

Keep in mind that it’s not just phones, tablets, laptops, and desktop computers that rely on regular and timely software updates to function securely, improve over time, and introduce new features. Routers (which are at the heart of any local area network like your home network) and IoT devices such as smart speakers, lights, fridges, doorbells, TVs, and TV remotes also rely on those updates for the very same reasons.

In the words of Gennie Gebhart from the Electronic Frontier Foundation (which I edited for clarity):

“All code is sketchy, some code is just less sketchy than other. Running on your devices there’s a lot of code and it has problems in it. It is written by humans and humans make mistakes at some point. You have (ideally) teams of engineers constantly working behind these OSes and apps to find the mistakes and fix them. All they need you to do is click “Update” and maybe restart. If you don’t do that, that means there is a way out there to exploit your device or your software that the world kind of knows about. Until you click “Update” you are easier and cheaper to hack.”

Device password

3 min read

You can help avoid other people gaining access to your personal data (as well as the personal data the people in your life are sharing with you) by setting up a strong and unique password (sometimes referred to as a passcode or a PIN) on each of your devices.

Think about all the personal and sensitive information about you and the people you care about you’re storing on your phone, laptop, or other device (things like notes, contact info, chats, photos and videos, browsing history, health data such as your Covid certificate info or your period tracking info, etc.), as well as the personal and sensitive information accessible through them (things like documents and photos uploaded to the cloud, emails, bank and payment info, shopping info, etc.). You probably wouldn’t want all of this to be left unprotected every time you leave one of your devices unattended, or in the event you lose one of them altogether. The people sharing personal information with you probably wouldn’t want this either.

Once you’ve set up a password, it might be possible (based on the device you’re using) to enable some form of biometric authentication. In this case you’ll also be able to unlock your devices by way of scanning parts of your body such as your fingerprints, your face, or your iris.

This can make unlocking your devices quicker and easier, while at the same time empowering you to use stronger passwords and to reduce the time window between when you lock your devices and when a password or biometric factor is required to unlock them (since the friction of having to frequently type your way into your devices will no longer be there). It can also help you keep your passwords private when using your devices in front of other people (such as in public venues) or in places employing video surveillance.

Note that not all forms and implementations of biometric authentication are created equal (e.g. some can be fooled by a simple printout or video of your face). This means that you should probably do a bit of research beforehand to make sure you’re comfortable with the level of security a given biometric system is able to provide. If you’re not comfortable with what you find (or if for any reason biometric authentication is not an option for you) just stick to a strong and unique password.

A good way to go about creating strong, unique, and memorable passwords is through the Diceware method. Take a look at the Password management chapter for more info on the matter.

A note: You should not (in most cases) share your passwords or passphrases with other people. If you have the suspicion (or you know) that one of your passwords is compromised, change it as soon as possible.

Device encryption

4 min read

You can turn on device encryption on both your devices’ internal storage and on any external drives you may be using (such as USB flash drives, Hard Disk Drives, Solid State Drives, and SD cards) to make it harder for anyone to extract any data from them.

Data stored on iPhone and iPad devices can be easily encrypted by setting up a passcode (optionally coupled with Touch ID or Face ID).

Recent Android devices are usually encrypted automatically once screen lock is enabled. You can make sure this is the case by visiting the Security section of the Settings app and looking for the encryption status of your device. Older Android devices should still provide encryption, but as an optional feature available from the Security (or Security & Location) section of their Settings app.

Mac computers running OS X Yosemite (10.10) or later are encrypted by default during initial setup via FileVault, unless the user manually disables the feature. You can check if your device is encrypted by opening System Preferences, clicking Security & Privacy, and checking whether FileVault is turned on or off from the FileVault tab. When enabling device encryption, either during initial setup or later on, you’ll be asked if you want to be able to unlock your disk and reset your device password via your iCloud account. While this might sound convenient, it also means entrusting someone else (Apple in this case) with your device password, which likely means they would have the ability to reset your password and unlock your device if they wanted to or if they were compelled to do so. If you’d rather be the only person able to unlock your computer and choose not to allow your iCloud account to do this, a recovery key will be generated for you; make sure to save it in a safe place. Please note that if you’re setting this up during initial setup, you’ll need to manually uncheck the “Allow my iCloud account to unlock my disk” option to not have your device password stored in the cloud.

Recent Windows devices should automatically enable device encryption (sometimes referred to as BitLocker Device Encryption) upon initial setup if the user decides to log in with their Microsoft account. This means that people who choose not to log in with their Microsoft account (and use a local user account instead) will not be able to use the feature, while people who do decide to log in with their Microsoft account will not be able to opt out of having their recovery key automatically uploaded to OneDrive. This is not ideal because it means entrusting someone else (Microsoft in this case) with your recovery key, which likely means they would have the ability to reset your password and unlock your device if they wanted to or if they were compelled to do so. You can check if this feature is available on your device and if it’s turned on or off by opening Settings, clicking Update & Security, and then Device encryption. Given the limitations of this option, I would suggest you take a look at more complete alternatives such as BitLocker (which comes built-in with Windows 10 Pro, Enterprise, and Education but is not available on Windows 10 Home), or a free and open-source third-party tool such as VeraCrypt.

Popular Linux distributions such as Ubuntu and Linux Mint provide the option to enable device encryption during the installation process.

If you want to encrypt external drives (such as USB flash drives, Hard Disk Drives, etc.) or create encrypted file containers that you can store anywhere you want, then you should take a look at the aforementioned VeraCrypt.

If you’re looking for a solution that is a bit easier to use, then you should take a look at Cryptomator. Cryptomator works by encrypting files individually, rather than by creating a single encrypted container like VeraCrypt does. This means that information about the number and size of your files will be accessible even once your data is encrypted (which might not be ideal in some circumstances), but it also allows you to easily sync your encrypted data with non-end-to-end encrypted cloud services like iCloud Drive, Dropbox, OneDrive, or Google Drive.

Keep in mind that encrypted devices might need to be powered down and encrypted containers and vaults need to be dismounted or locked for the data to be fully encrypted.

Here are a few additional resources you might find useful:

Find my device

1 min read

You can enable features such as Find My Device (available on Windows and Android devices) and Find My (available on iOS, iPadOS, and macOS devices) to have remote access to some of the following actions and information:

  • Locate your device on a map.
  • Have your device play a sound.
  • Lock your device and have it display a custom message.
  • Erase all the data stored on your device.

In addition to this, Apple’s Activation Lock and Google’s phone protection features go a step further and help prevent unauthorized parties from using your lost or stolen devices even after they have been remotely erased.

Note that by enabling all of this you will be regularly sending your location information to a company such as Apple, Microsoft, or Google (depending on the device in question). You should therefore balance the benefits of remotely locating, securing, and erasing your devices with your willingness to disclose such personal information to a third party.

Keep in mind that this is not the only way your devices may be broadcasting your location info to third parties. More on this in the Privacy settings and policies chapter.

Password management

4 min read

You can use a password manager (which is a digital encrypted vault) to drastically improve the security of your accounts and make the whole process of managing such sensitive information easier.

Well-regarded options when it comes to choosing one are:

Using a password manager means being able to rely on a random password generator that can create robust and unique passwords for your accounts, while at the same time not having to worry about remembering them. It means creating a reasonably well-organized list of all your accounts’ information (as well as any other information you might want to keep safe and handy) and saving it in an encrypted form so that only the person that knows your password manager’s password is able to access the data. It also means you can avoid using existing accounts (such as a Google, Facebook, Microsoft, or Apple account) to log in to other services, which can have negative implications for both privacy and security.

Picture a string of 30+ characters made up of randomly generated letters, numbers, and symbols: That’s a password! 123456, single dictionary words, movie titles, dates, given names, pet names or other personal information are not passwords.

You can approximate the strength of your passwords using Bitwarden’s Password Strength Testing Tool. You can also jump to the Data breaches chapter for more info about how to check if your accounts have been exposed in a known data breach and what to do about it.

Most password managers come with the ability to auto-fill things like usernames and passwords directly in the web pages and apps you use. On mobile devices people can turn this on after installing their password manager’s app, while on laptop and desktop computers this is usually available in the browser after installing a given password manager’s browser extension.

While setting up a password manager you’ll be asked to create a primary or “master” password. This is the password that will grant you access to everything that’s stored in your password manager, and is one of the few passwords (alongside your personal devices’ passwords and maybe a couple others) that you will need to commit to memory.

A good way to go about creating strong, unique, and memorable passwords is using passphrases created with the help of the Diceware method.

Most password managers include a password generator able to generate those for you. (If you’re still setting up your password manager and don’t have access to that yet, you can use a web-based option such as the 1Password Strong Password Generator or the Bitwarden Strong Password Generator). This is the easy way.

Alternatively you can get five dice (one will also do) and a Diceware word list like this one from the Electronic Frontier Foundation or this one from Arnold G. Reinhold. As you’ve probably noticed, every word on those lists is identified by a unique string of five digits. Roll the dice until you have the first five digits: the corresponding word will be the first one in your passphrase! Keep throwing the dice until you feel your passphrase is strong enough.

It is generally recommended people create passphrases that are at least five to seven words long.
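The dice procedure above, written out as an added example (not part of the original guide). It parses a word list in the "key, then word" layout Diceware lists use, draws each roll from the operating system's secure random source, and estimates passphrase strength in bits. The embedded list is a constructed two-dice sample so the code runs offline; a real list has 7776 entries keyed by five rolls, and the function names are illustrative.

```python
import math
import secrets
from itertools import product

# Constructed 36-word sample (two dice per word). Real Diceware lists use
# five dice per word, i.e. 6**5 = 7776 entries.
WORDS = ("acorn bison cedar delta ember fjord grape heron igloo jolly kiosk lemon "
         "mango noble otter pearl quilt raven sable tulip umbra vivid waltz xenon "
         "yacht zebra amber birch coral dingo eagle flint gecko hazel ivory joker").split()
SAMPLE_LIST = "\n".join(
    "".join(key) + "\t" + word
    for key, word in zip(product("123456", repeat=2), WORDS)
)


def parse_wordlist(text):
    """Return {dice_key: word}, rejecting lists that would weaken the result."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if set(key) - set("123456"):
            raise ValueError(f"key {key!r} is not made of dice faces 1-6")
        words[key] = word.strip()
    lengths = {len(key) for key in words}
    if len(lengths) != 1:
        raise ValueError("every key must use the same number of dice")
    n_dice = lengths.pop()
    # A missing or duplicated entry means some rolls map to nothing (or to the
    # same word), which silently lowers the number of possible passphrases.
    if len(words) != 6 ** n_dice or len(set(words.values())) != len(words):
        raise ValueError("word list is incomplete or contains duplicates")
    return words


def roll_die():
    """One fair die roll from the OS cryptographic random source."""
    return secrets.randbelow(6) + 1


def generate_passphrase(words, n_words=6, roll=roll_die):
    """Roll as many dice per word as the list's keys require."""
    n_dice = len(next(iter(words)))
    chosen = []
    for _ in range(n_words):
        key = "".join(str(roll()) for _ in range(n_dice))
        chosen.append(words[key])
    return " ".join(chosen)


def entropy_bits(list_size, n_words):
    """Strength of a passphrase whose words are chosen uniformly at random."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    wordlist = parse_wordlist(SAMPLE_LIST)
    print(generate_passphrase(wordlist, n_words=6))
    for n in (5, 6, 7):
        print(n, "words from a 7776-word list:", round(entropy_bits(7776, n), 1), "bits")
```

Each word from a 7776-word list adds about 12.9 bits, so the five-to-seven word range corresponds to roughly 65 to 90 bits.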

Here are a few resources on the topic:

Even though a password manager is the best solution for most people, there will be cases in which (for whatever reason) a software solution is just not viable. If this is you, keep in mind that managing your credentials with a physical password book that you keep some place safe might still be better than not managing them at all.

Once you’ve set up strong and unique passwords (or passphrases) for your accounts, you’re pretty much done with them. Companies and services that follow modern security practices should only require a password change upon indication or suspicion of compromise.

A note: You should not (in most cases) share your passwords and passphrases with other people.

Multi-Factor Authentication

4 min read

You can enable Multi-Factor Authentication (Two-Factor Authentication, 2-Step Verification, etc. are all forms of MFA) to add an extra step to sign-in processes that would otherwise require you to provide only a single factor (like a password) to be logged in, thereby significantly increasing the security of your accounts.

You’ve probably already used some form of MFA before. If you own a credit card and go to an ATM to withdraw cash you’re asked to put in your card and provide a PIN: That’s MFA!

These additional factors can be something you know (like a password or a PIN), something you have (like a credit card, a phone, or a security key), or something you are (via a fingerprint, face, or iris scan). When paired together they make it much more difficult for bad people to try and steal your information.

In the case of the online companies and services that support MFA, second factors are usually implemented as one-time verification codes delivered to your phone (something you have) via SMS, cellular phone call, or email, or generated by an authenticator app installed on your phone (again, something you have). In some cases MFA can also come in the form of a push notification delivered to your phone with a simple Yes/No question, or the ability to set up a security key, a small physical device able to provide a higher level of protection against common online attacks such as phishing.

Keep in mind that even though MFA is an overall improvement to your accounts’ security and any kind of MFA is better than no MFA at all, not all MFA methods are created equal.

SMS-based MFA is indeed better than nothing (unless codes sent to your phone via SMS are also used as a single-factor authentication method for account recovery), but it also involves verification codes being sent over a communication channel that is inherently insecure, frequently non-verifiable, and easily prone to social engineering and spoofing attacks.

App-based MFA is both more convenient (it doesn’t require Internet or cellular connectivity to work) and significantly more secure than SMS-based MFA.

Security key-based MFA, on the other hand, is widely considered to be the most secure MFA option currently available.

Also keep in mind that the “flavours” of MFA available (as well as how they’re referred to) can vary quite a bit from one service to the other. This means that sometimes your preferred MFA method might not be available and that some other times you might need to check extra carefully to find the MFA option a company has decided to call in some not-very-straightforward way. Here’s some help: 2FA Directory (2FactorAuth).

When enabling MFA, you’ll likely be prompted to save one or more recovery codes or backup codes. These will allow you to get back into your accounts in case you lose access to your MFA device. Make sure you keep them safe in your password manager, or somewhere else that is safe.

Password managers such as 1Password, Bitwarden, KeePassXC, Strongbox, and KeePassDX all include the option to manage your MFA info directly alongside your other sensitive data.

If you’d rather keep your MFA info separate, a few of the stand-alone authenticator apps you might want to take a look at are Tofu Authenticator, Aegis Authenticator, OTP Auth, and andOTP. These could also come in handy to save your password manager’s MFA info, which (for obvious reasons) shouldn’t be saved inside of your password manager alone.

When it comes to security keys, YubiKeys, SoloKeys, and Nitrokeys are some of the best ones currently available.

Here are a few resources that can help you choose the MFA method that’s best for you:

No matter how layered your security approach is, your accounts’ security is only as strong as your “I forgot my password” settings are. That is to say that you might want to check those out as well, as part of your MFA All The Things journey.

PS: Apps like Signal and WhatsApp offer MFA features as well. Consider enabling them!

Secure communication

7 min read

You can prioritize the use of end-to-end encrypted messaging apps like Signal (here’s a beginner’s guide) and email services like ProtonMail and Tutanota over unencrypted options such as cellular phone calls and SMS or options that don’t provide end-to-end encryption (or don’t do so by default) such as Facebook Messenger, Instagram Direct, Telegram, Twitter’s Direct Messages, Skype, WeChat, Gmail, and Outlook.com.

By doing this you’ll help ensure that only you and the people you choose to communicate with have access to the content of your conversations. No third parties such as malicious actors, governments, rogue employees, or even the company operating the service (be it Facebook, Google, Microsoft, Twitter, or another company) will easily be able to access, misuse, or exploit your private information.

End-to-end encrypted communication services usually rely on a technology called public-key cryptography, where a public and a private key are assigned to every user.

When someone sends a message to someone else (or a voice message, or an attachment, or a voice/video call, and so on) that data is encrypted locally on the sender’s device using the recipient’s public key and is then sent over the Internet to the recipient, where it’s decrypted locally on their device using their private key (which, as the name suggests, is never shared). Voilà!

Public key fingerprints (which are relatively short sequences of characters that uniquely identify a public key) can be used to make sure your conversations are end-to-end encrypted and to verify that the people on the other end of your chats are really who they say they are. Various services refer to these in different ways: Signal calls them Safety Numbers, WhatsApp calls them Security Codes, while ProtonMail refers to them simply as fingerprints. Tutanota doesn’t currently offer the ability to see them or compare them.

Please note that even though WhatsApp (which is owned by Facebook) and other popular messengers do protect the content of your conversations with end-to-end encryption by default, that doesn’t necessarily mean they also protect information about your identity and your activity as well. This kind of information (which is still personal information and might in some cases be as sensitive or more sensitive than the actual content of a given conversation) is commonly known as metadata, and can include information about you such as your name, your profile picture, your status message, who you communicate with as well as when and with what frequency, the name, icon and participants list of all your groups, your location, info about everyone that’s in your contact list (even about people that don’t use that particular messaging app), how and when you use the app, etc.

Compared to WhatsApp, Signal is a nonprofit funded by donations, comes with strong privacy and metadata-protecting features, has a much clearer and stricter privacy policy, and is open source software. This means the app is developed with the only goal of providing a service to the public (not making a profit), that the company behind it knows almost nothing about its users, and that everyone with the right technical knowledge can inspect its code and see if it works as advertised.

If you need or have chosen to rely on WhatsApp, you should consider changing a few settings to better protect your privacy. You should disable cloud backups (which are not end-to-end encrypted and therefore defeat the entire purpose of providing end-to-end encryption in the first place), enable security notifications to make sure you’re notified if a contact’s Security Code changes, disable the Save to Camera Roll feature on iOS or the Media visibility feature on Android so that images and videos you receive are not saved to your phone’s camera roll or gallery, and maybe even consider denying WhatsApp access to things like your contact list and your location. If you’re using disappearing messages, know that if cloud backups are enabled all messages (including disappearing messages) will be backed up to the cloud, and that if the Save to Camera Roll/Media visibility feature is enabled media messages (unless they’re sent using the view once option) will be deleted from the chat after 7 days, but will not be deleted from your phone’s camera roll or gallery unless you manually do so.

If you’re looking for a messaging app that you can use without providing a phone number, take a look at Threema or Wire.

ProtonMail and Tutanota are open source and while they can also provide end-to-end encryption, the availability in this case depends on the email services used by the people involved in a conversation. The easiest way to make sure your emails are end-to-end encrypted is making sure the people you’re in touch with are using ProtonMail (if you’re also using ProtonMail) or Tutanota (if you’re using Tutanota yourself). The alternative, if you’re sending an email to someone that uses a different email provider, is end-to-end encrypting it using ProtonMail’s Encrypt for non-ProtonMail users feature or Tutanota’s Encrypted email to external recipient feature.

Since ProtonMail and Tutanota store your emails in the cloud (as opposed to locally on your device like Signal and other messaging apps do) they also provide end-to-end encryption for your inbox, which means your inbox is encrypted in a way that ensures you’re the only one able to access it. It’s important to note that while all emails are encrypted once they’re in your inbox, non-end-to-end encrypted emails you receive are only encrypted once they reach your email provider’s servers and non-end-to-end encrypted emails you send are decrypted before they leave your inbox in order to allow the recipient to read them. This means that ProtonMail or Tutanota can briefly access your non-end-to-end encrypted incoming and outgoing emails, and in some cases be compelled to turn them over.

When it comes to group calls and video conferences Signal allows up to 16 people to join in at the same time. In cases where that is not enough you might need to resort to using end-to-end encrypted but less privacy-preserving options such as FaceTime (which has set its limit to 32 people) or options that are not end-to-end encrypted by default such as privacy-oriented Jitsi Meet (which allows meetings of up to 100 people, but only provides end-to-end encryption as an optional experimental feature available if everyone joins the call using a Chromium-based browser such as Brave or Google Chrome).

It should be noted that even though Apple’s FaceTime is end-to-end encrypted it doesn’t currently provide (unlike Signal, WhatsApp, and other messaging apps) the ability to compare public key fingerprints to check if calls are really end-to-end encrypted. On top of this FaceTime calls can only be initiated on an Apple device.

Here are some additional resources and articles you might want to take a look at:

HTTPS

4 min read

HTTPS is the secure version of the Hypertext Transfer Protocol (or HTTP) and is currently used on about 90% of the web pages people visit globally.

When connecting to a secure website (one that uses HTTPS) you get three very important things. First, you get proof of identity: you can trust that a given website is really who it says it is, not some other website you’ve been redirected to without your knowledge or consent. Second, you get confidentiality: you can trust that the exchange of information between you and a given website is protected from eavesdropping. Third, you get data integrity: you can trust that the data flowing to and from a given website is not modified in any way.

This highlights how much the relatively few HTTP websites (or non-secure websites) still out there are vulnerable and how they simply cannot be trusted.

Unsecured webpages can be, and are, used by malicious actors, governments, and ISPs around the world to:

  • Gain access to the data flowing between users and the webpages they’re visiting
    Be careful not to type login credentials, credit card information, or any other kind of personal information into a page that is not secure. Also keep in mind that any unsecured webpage you visit can represent valuable information for ISPs able to use or sell personal information for advertising or other purposes, or for governments engaged in mass surveillance.

  • Manipulate webpages in all sorts of ways and for all sorts of purposes
    This malicious behaviour can range in scope from altering the content of a webpage (with the purpose of injecting ads, malicious links, or whole sets of UI controls), to completely replacing the content of a webpage (essentially blocking it), to redirecting traffic to a different webpage altogether (something ISPs, given the chance, seem to love doing).

  • Do targeted censorship
    In the case of secure webpages everything that comes after the forward slash you see in the URL next to the top-level domain (.com, .org, etc.) is encrypted. This means that if you visit a Wikipedia page such as https://en.wikipedia.org/wiki/Privacy all a potentially malicious actor monitoring your Internet traffic can see is https://en.wikipedia.org. This also means that a repressive government (or an unregulated ISP) has to choose between blocking Wikipedia entirely, or not blocking Wikipedia at all.

HTTPS is at the very heart of a lot of the things that we rely on as we go about our daily lives. It is a website administrator’s duty to secure their website with HTTPS and it is a user’s right to request administrators upgrade their website to HTTPS if they still haven’t done so.

You can make sure you’re not visiting an unsecured website by keeping an eye on the address bar: If you see some kind of warning (such as a crossed-out lock icon, an exclamation mark icon, or a “Not Secure” message) then the website you’re visiting is served over a connection that is not secure. If this is the case you should avoid entering any private information on that website and, if possible, try not to use it in the future as well.

Some websites may be available both via unsecured HTTP and secure HTTPS. Browser settings like Firefox’s HTTPS-Only Mode and Brave’s and Google Chrome’s HTTPS-First mode (which guarantee that all of your connections to websites are upgraded to use HTTPS) can help here.

Keep in mind that in some circumstances the act of visiting a webpage could be in itself considered very personal information and that just because you deleted your info from a search box, an online form, or any other type of input field before submitting it doesn’t necessarily mean the website in question has not logged what you entered anyway.

Please note: The fact that a page is secure doesn’t necessarily mean it is also safe. As HTTPS adoption has grown worldwide, the number of malicious websites using it has also increased.

Here are a few additional resources you might want to check out:

Secure DNS

3 min read

Anything that’s connected to the Internet (websites included) is identified by a string of characters known as an IP address. This means that when you type your favourite website’s address (let’s say that’s Wikipedia) into your address bar there needs to be a service your browser can contact to have “wikipedia.org” translated into an IP address it can actually locate and connect to. Enter the Internet’s directory: the Domain Name System, or DNS for short.

DNS is what enables you to deal with website addresses that make sense, rather than the random strings of characters that make up IP addresses.

DNS services are usually provided by your ISP by default, but there are a number of alternative DNS providers you can switch your devices to if the default option is not what you’re looking for.

Just as was the case with connections to a lot of websites not being secured with HTTPS until relatively recent times, DNS services are (to this day) still usually provided over anachronistic unsecured connections. This means that even though websites such as Wikipedia.org are made available over HTTPS, the DNS requests your devices make in order to connect to those websites are frequently unencrypted and therefore prone to eavesdropping, tampering, and blocking by other people in your local network, your ISP, or other malicious parties able to intercept them.

A secure DNS protocol such as DNS over HTTPS (DoH) fixes this by allowing companies and organizations operating DNS servers to deliver DNS requests over HTTPS connections, in turn allowing people to access DNS services securely.
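What a DoH lookup actually carries, as an added example (not part of the original guide): the DNS question is the same handful of bytes that classic DNS sends in the clear, but here it is placed inside an HTTPS request, in the GET form defined by RFC 8484. The resolver address `https://doh.example/dns-query` is a placeholder, the function names are illustrative, and only plain ASCII host names are handled.

```python
import base64
import struct

QTYPE_A = 1    # ask for an IPv4 address
QCLASS_IN = 1  # Internet class


def build_query(name, qtype=QTYPE_A):
    """Build a DNS query message in wire format (RFC 1035)."""
    # Header: ID 0 (RFC 8484 suggests 0 so identical queries cache alike),
    # flags 0x0100 = "recursion desired", one question, no other records.
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    if len(qname) > 255:
        raise ValueError("name too long")
    return header + qname + struct.pack(">HH", qtype, QCLASS_IN)


def doh_get_url(resolver, name, qtype=QTYPE_A):
    """Wrap the query as base64url without padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{resolver}?dns={encoded.decode()}"


def decode_doh_param(url):
    """Recover the raw DNS message from a DoH GET URL (what the resolver does)."""
    value = url.split("?dns=", 1)[1]
    value += "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value)


def parse_question(wire):
    """Read the queried name and record type back out of a query message."""
    pos, labels = 12, []
    while wire[pos] != 0:
        length = wire[pos]
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack(">HH", wire[pos + 1:pos + 5])
    return ".".join(labels), qtype


if __name__ == "__main__":
    url = doh_get_url("https://doh.example/dns-query", "wikipedia.org")
    print(url)
    # Over HTTPS an on-path observer sees a TLS connection to the resolver,
    # not this question; the resolver itself still decodes and sees it.
    print(parse_question(decode_doh_param(url)))
```

The resolver still learns every name you look up, so switching to DoH moves trust from the network path to the DNS provider you choose.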

Web browsers such as Firefox, Brave and Google Chrome include the option to enable secure DNS right within the browser. Note that by doing this you’ll only be protecting your browser’s DNS requests; your other apps will not be affected by the change.

If you’d like to take advantage of secure DNS across all of your apps, you can install apps such as Cloudflare’s 1.1.1.1. In Cloudflare’s case you’ll want to use the app in “1.1.1.1” mode, as “WARP” mode enables their VPN service.

If you’re using a VPN (more info on this is available in the VPN chapter) your DNS requests should already be protected, meaning you shouldn’t need to take additional action to secure them. You can make sure this is the case by doing a DNS leak test using a website such as this one: DNS leak test (IVPN).

After doing a standard or extended test, check your VPN app to make sure the IP address and geographical location listed on dnsleaktest.com match the IP address and geographical location of the VPN server you’re currently connected to. If they do, then your DNS queries are protected.

If they don’t match, then you should contact your VPN support team as soon as possible and consider switching to a more trustworthy VPN service if the problem persists. You don’t need a VPN that is not able to do its one job: protect your Internet traffic.

DNS queries are also protected if you’re connecting to the Internet via the Tor network (more info on Tor is available in the relevant chapter). Note that if you’re using the Tor Browser, only DNS requests generated by the Tor Browser will be protected.


Web browser

3 min read

When it comes to protecting yourself while you browse the web, picking a good web browser (one that is both easy to use and able to protect your security and privacy as you do so) is very important.

In this regard, consider trying out Firefox. It comes with a strong set of security and privacy-oriented features and capabilities and is not controlled by a data-hungry company like Google but rather by Mozilla, a not-for-profit organization focused on providing privacy-protecting products and making the Internet a better place for everybody.

Here are some of Firefox’s most interesting security and privacy features:

On top of this Firefox lets you install powerful extensions such as Facebook Container, which automatically isolates your web activity from Facebook in order to prevent them from tracking you around the web, and Firefox Multi-Account Containers, which provides similar functionality but allows you to manually create different containers and manually assign different websites to them.

Here’s some help switching, if you need it: Switching from Chrome to Firefox (Mozilla)

If you need a Chromium-based web browser (Chromium is the open source project on which Google Chrome is based) then consider trying out Brave. Just like Google Chrome, Brave has access to the extensions available in the Chrome Web Store, but unlike Google Chrome comes with a good set of privacy-preserving features as well as a stronger overall commitment to user privacy and security.

A note: Whichever browser you choose, keep in mind that private browsing (sometimes referred to as incognito or in-private browsing) is NOT an anonymity tool.

If you’re looking for a tool to browse the web anonymously, avoid tracking, fingerprinting and surveillance, as well as circumvent censorship, then the Tor Browser (or the Onion Browser if you’re on iOS or iPadOS) is probably what you’re looking for. You can find more info about this in the Tor chapter.


Privacy settings and policies

4 min read

The apps and services you use come with (among other things) privacy policies and a set number of default privacy settings. Those can include policies and settings that let companies like Facebook and Google use your personal data to analyse and influence your behaviour, as well as permissions that grant the apps you use access to things like your camera, microphone, geographic location, contacts, calendar, photos, etc.

Since in many cases security and privacy do not come as the default, consider carefully reviewing these privacy policies and settings to make sure you’re comfortable with the amount of data about you any given app or service is able to access, collect, store, use, or share. Doing this could mean:

Reading privacy policies and terms of service
When you sign up for a service, or open an app for the first time you are also agreeing to policies and terms that will govern your relationship with that app or service as well as what you and the company behind it can and cannot do. Consider reading them.

Checking your app permissions
How many of your apps really need access to your location, microphone, camera, or contact list in order to work properly?

Checking your apps’ and services’ privacy settings
Maybe you want to protect your WhatsApp app with a PIN? Maybe you’re not OK with iOS automatically backing up your unencrypted messages to the cloud? Have you ever done a Privacy Checkup, or visited the Privacy, Apps and websites, Ad settings, and Your Off-Facebook Activity pages on Facebook? Have you ever browsed the Privacy Checkup and My Google Activity pages of your Google account? Have you ever visited the Privacy and safety and the Your Twitter data pages of your Twitter account? Did you know that Amazon with Alexa, Google with the Google Assistant, and Microsoft with Cortana may be storing a copy of every voice interaction you’ve ever had with your phone, laptop, smart speaker or other Internet-enabled device (including the conversations they may have picked up accidentally) on their servers and that you can listen to them and delete them? Did you know that Apple only stores transcripts of your Siri interactions and that you can delete those as well?

Checking your browser extensions’ permissions
Browser extensions can do a lot of things, besides being useful: They can have the ability to access your browsing history, replace content on the pages you visit, access the data you input into any web page (including sensitive data like financial data, usernames and passwords, and private messages), access and/or modify your bookmarks, etc. If you’re not okay with some of the permissions a given browser extension requires, consider removing it and maybe find a replacement. If an extension doesn’t come from a trusted publisher, it could cause damage.

Quitting some apps and services by deleting the account and/or uninstalling the app
If you make this decision but want to keep your data remember that most services allow you to download a copy of your data.

When it comes to the disclosure of your location information keep in mind that there are different ways in which such data can be accessed and collected by third-parties.

Apps are able to access and track your location using data from global navigation satellite systems such as GPS and Galileo. In most cases you’ll be able to control this by visiting your device’s privacy settings.

Apps are also able to track your whereabouts using Bluetooth and Wi-Fi connectivity. Few OSes currently provide controls around this.

Your IP address can be used by the websites, apps, and services you use to determine the rough location you’re accessing the Internet from. More on how you can control this in the VPN and Tor chapters.

Mobile network operators are able to detect and track your location because they know which of their cell sites you’re connected to, making location disclosure a matter of course. You can avoid this by disabling all cellular connectivity via settings such as Airplane Mode or by leaving your phone at home.


Web and app tracking

3 min read

Big tracking networks like the ones put in place by Google, Facebook, Amazon, Twitter and others are always trying to follow you around with the goal of collecting as much data about you and your behaviour as possible. Data that can then be used to try and influence your thoughts and actions like which brand of shoes you should buy, where you should go for your next trip, which news articles you see, what political party you should vote for, etc.

Ads can not only be privacy-invasive, they can also be exploited for malicious purposes (like prompting you to install malware, or giving up personal information) and can negatively impact your browsing experience, your bandwidth usage, and your device’s battery life.

To minimize this kind of behaviour you can use tools, products and services that respect your privacy and help protect you from tracking.

While using a web browser you can try out browser extensions able to block ads and/or protect you from tracking such as uBlock Origin, Privacy Badger, Ghostery, or DuckDuckGo Privacy Essentials and consider switching to a search engine that doesn’t track you, like DuckDuckGo.

If you’re using Firefox you should also check out the Enhanced Tracking Protection feature (available across desktop, iOS, and Android) as well as additional tracking protection extensions like Facebook Container and Firefox Multi-Account Containers. You can find more info about Firefox and its privacy-protecting features in the Web browser chapter.

For maps and navigation, check out OsmAnd (or OpenStreetMap if you’re using the browser) as an alternative to Google Maps. If you’re looking for a machine translation service that is less privacy-invasive than Google Translate, give Apple’s Translate or DeepL Translator a try. If you’re searching for a creative suite that is free, open source and more privacy-focused than Adobe’s Creative Cloud, check out apps such as the GNU Image Manipulation Program (GIMP), Inkscape, Kdenlive, Audacity, and Scribus.

If you own an iPhone or an iPad you may have noticed that when opening certain apps you’re asked if you want to allow that app to track your activity across other companies’ apps and websites. If you tap “Ask App Not to Track”, then the app in question will not be able to track you. If you want to prevent any app from tracking you or even being able to ask if you want to be tracked, you can go to “Settings” > “Privacy” > “Tracking” and make sure “Allow Apps to Request to Track” is turned off.

Keep in mind that behind the donation-supported (or ad-supported) websites and apps you use every day there are people and their hard work. If you can (and they offer the option), consider financially supporting the ones you rely upon the most, so they can continue doing what they’re doing.


Cloud services

1 min read

Cloud services can be amazing tools, but they can also bring some important security and privacy trade-offs with them.

Companies operating mainstream services such as Google Drive, OneDrive, Dropbox, OneNote, Evernote, Google Docs, Microsoft Office, WeTransfer and so on cannot guarantee that their users will be the only ones able to access their own data. This is because (for various reasons) they’ve decided to maintain access to users’ data as well.

This can be fine in some scenarios, but there will probably be times when (maybe even at the cost of losing out in terms of functionality) you might actually want to have control over who has access to your data, and how your data is handled.

This is where end-to-end encrypted services like Sync and Tresorit for cloud storage, Standard Notes for note-taking, Tutanota for calendar, CryptPad for collaborative document editing, calendar, and creating surveys and polls, and Tresorit Send, FileSend, and OnionShare for file sharing could come in handy. They all encrypt and decrypt your data locally, so as to provide a service in which you can be sure (to a reasonable degree) that only you and the people you share your data with will be able to access such data.

PS: If you’re looking for an offline alternative to the Microsoft Office suite of apps, then you might want to check out LibreOffice from The Document Foundation on desktop and Collabora Office from Collabora on mobile.


Data breaches

3 min read

Data breaches have become very frequent in recent years, and every breach adds to an ever growing pool of data about us that is publicly available (compromised).

Think about the 2017 Equifax disaster that exposed personal data such as Social Security Numbers and dates of birth of over 140 million US citizens, or the 2017 Yahoo! data breach that exposed personal info of all of Yahoo’s 3 billion registered accounts, or the 2018 Aadhaar data leak that exposed the personal info of 1.1 billion people, or the 2018 Twitter “bug” which prompted the company to recommend 330 million of its users change their password, or the 2020 Microsoft data breach that exposed 250 million customer records, or the 2021 Facebook data leak that exposed personal data such as date of birth, employer, gender, geographic location, phone number, and relationship status of more than 533 million people, and these are just some of the high profile ones.

Here’s a visualization that can help you understand how big the problem is: World’s Biggest Data Breaches & Hacks (Information is Beautiful)

All of this compromised data will never go back under the control of the people who lost it, and in cases such as SSNs and dates of birth there’s not much one can do. Those are things that just cannot be changed.

In a world that’s increasingly reliant on digital means to collect, store, use, and share all sorts of data (including personal data and sensitive personal data), in a world in which personal information is frequently compromised in data breaches and/or voluntarily disclosed on social media or over other semi-public or unsecure channels (and yet still widely used to identify and authenticate people) malicious parties can do real damage.

A very useful tool both when it comes to knowledge about data breaches and security awareness in general is the Firefox Monitor service. The easy to use website (which is based on Troy Hunt’s Have I Been Pwned? project) lets you check if your data was ever part of a known data breach via a publicly searchable database, as well as add the email addresses you want to keep monitored (a free Firefox Account is required in this case) to be notified when new information about data breaches impacting your accounts surfaces.

Two interesting Have I Been Pwned? features (that Firefox Monitor currently lacks) are the ability to check if you were impacted by a data breach by inputting your phone number and Pwned Passwords, a page where anyone can type their passwords and instantly know if they previously appeared in a known data breach. This is done without your passwords ever leaving your device or being disclosed to anyone by taking advantage of a mathematical property called k-anonymity.
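The following added example (not part of the original guide and not the project's own code) shows how such a k-anonymity lookup works: the password is hashed locally with SHA-1, only the first five characters of the hash are sent, and the match against the returned list happens on your device. `SimulatedRangeServer`, the breach counts, and the filler entries are constructed stand-ins so the example runs offline.

```python
import hashlib

PREFIX_LENGTH = 5  # hex characters of the SHA-1 digest that leave the device

# Constructed sample data standing in for the service's breach corpus.
CONSTRUCTED_BREACH_COUNTS = {"password": 1000, "123456": 2500, "letmein": 40}


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


class SimulatedRangeServer:
    """Offline stand-in for a hash-range lookup service (hypothetical class)."""

    def __init__(self, breach_counts, filler_per_bucket=20):
        self._buckets = {}
        for password, count in breach_counts.items():
            digest = sha1_hex(password)
            bucket = self._buckets.setdefault(digest[:PREFIX_LENGTH], {})
            bucket[digest[PREFIX_LENGTH:]] = count
        self._filler_per_bucket = filler_per_bucket
        self.seen_by_server = []  # everything a client ever discloses

    def range_query(self, prefix: str) -> str:
        """Return every known 'SUFFIX:COUNT' whose hash starts with prefix."""
        self.seen_by_server.append(prefix)
        bucket = dict(self._buckets.get(prefix, {}))
        for i in range(self._filler_per_bucket):
            # Constructed filler: stands in for the many other breached
            # passwords whose hashes happen to share this prefix.
            suffix = sha1_hex(f"filler-{prefix}-{i}")[PREFIX_LENGTH:]
            bucket.setdefault(suffix, 1 + i)
        return "\r\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def breach_count(password: str, server: SimulatedRangeServer) -> int:
    """Check a password without revealing it or its full hash to the server."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LENGTH], digest[PREFIX_LENGTH:]
    # Only the prefix is sent; the comparison below runs locally.
    for line in server.range_query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = SimulatedRangeServer(CONSTRUCTED_BREACH_COUNTS)
    for candidate in ("password", "a long passphrase nobody has leaked yet"):
        print(f"{candidate!r}: seen {breach_count(candidate, server)} times")
    print("the server only ever saw:", server.seen_by_server)
```

Because every query returns a whole bucket of candidates, the server cannot tell which entry (if any) you were checking; it learns only that your password's hash begins with those five characters.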

A number of other companies have been incorporating Have I Been Pwned? data into their products and services as well. Two I would like to mention here are 1Password and Bitwarden, two password manager apps that have implemented this via their respective Watchtower and Vault Health Reports features.


Data protection and minimization

4 min read

Try to be mindful about which data you digitize and where and how you store it, but also about which data you share about yourself and with whom, where, and how you share it.

This data can range from personal info such as your name and surname, date of birth, home address, and identification card number to sensitive information like health-related data, genetic data, and data that could be used to reveal your racial or ethnic origin, political opinions, sex life, religious and philosophical beliefs, as well as your gender identity and sexual orientation.

Keep in mind that you’re not just dealing with your personal data, but with the personal data other people have shared, are sharing, and will share with you as well.

Personal info such as name, surname, and date of birth are still used in many cases as the only info required to authenticate people (looking at you telecommunication companies…) and could be used to impersonate you and gain unauthorized access to all sorts of services you use. Moreover once such data becomes public there might not be a way for you to do much of anything about it. You may be able to change your passwords, but changing things such as your date of birth, your name and surname, or your home address is much, much less feasible (if not impossible).

When signing up to a service try to get a sense of how the company behind it will store your data and if they’ll do so in a manner that’s secure and respects your privacy. Try to also think about what data any given service needs versus the data it asks for, and try to find a way to only give up what’s strictly necessary.

Does that random website or app really need your real name, date of birth and email address (as opposed to a random name and date of birth generated with DuckDuckGo and a random email address generated using Firefox Relay)? Should you really trust that random shopping site with your credit card info, or should you maybe consider using a different payment method (like PayPal, if available) instead?

Always try to understand how much personal data you are willing to share with third-parties. If you’re not comfortable with the amount of information a given service is asking you to provide, consider not using it (if you can).

Try to encrypt as much of your data as possible, while at the same time deleting the data you don’t need or use anymore. This could mean deleting old social media posts that don’t reflect you anymore, pictures and videos in shared folders you don’t need, accounts you never or only rarely use (the Just Delete Me website can help you here), as well as old files that are just taking up valuable space. It could also mean completely wiping old devices such as unused phones, laptops, tablets, Hard Disk Drives, USB flash drives, SD cards, etc.

Keep in mind that aside from employing a trusted disk wiping tool, the best option to wipe devices like old Hard Disk Drives is usually that of physically destroying them.

Taking good care of your data also means deciding what will happen to your accounts and the data they hold after your death. Would you prefer your data be deleted? Would you prefer to designate a person (or a group of people) that will be in charge of handling your data for you? A digital death plan is probably not something people generally think about, but it’s also the only way you’ll be able to retain some control over your data once you’re not around anymore.

Not many services currently offer features and policies around this yet, but some do. Maybe check them out sometime?

Here’s some help navigating the topic, if you need it: Death Online: Planning your digital afterlife (The Verge)

If you need to protect yourself from online harassment, then you might want to check out the Speak Up & Stay Safe(r) guide from Jaclyn Friedman, Anita Sarkeesian, and Renee Bracey Sherman. (Please note: This guide was last updated in 2018 and parts of it might now be outdated).


Data backups

3 min read

A good step you can take to try and prevent losing your data if your phone, laptop, external storage device, or any other device is lost, stolen, or stops working for any reason is to keep backups.

Devices like the iPhone, the iPad, any Mac computer, and the various Android phones and tablets available on the market usually offer some sort of cloud backup feature. This makes maintaining a copy of your device data always at the ready very easy, but it also usually means giving up control of that data to the extent that it will no longer be accessible to you exclusively, but also (at least in part) to the company operating the cloud service.

Apple doesn’t currently provide the option to protect your iCloud backups with end-to-end encryption and unfortunately it’s unlikely this is going to change soon. What it does provide is the option to save encrypted iPhone and iPad backups to your computer using iTunes or the Finder and the option to save encrypted Mac backups to an external storage device using Time Machine. Consider sticking with local backups (as opposed to iCloud backups) if you own one or more Apple devices.

Google does seem to be using some form of end-to-end encryption to protect some of your data if you decide to back your Android device up to Google’s cloud, but it looks like they’re not providing info about exactly which data that is. The feature should be available on devices running Android 9 or later where a screen lock PIN, pattern, or password is enabled. A first-party option to back up an Android device to a computer or an external storage device doesn’t seem to be available at this time.

When it comes to Windows devices Microsoft doesn’t offer a comprehensive cloud backup feature like Apple and Google do (just a non end-to-end encrypted sync settings option) and only offers a pretty limited local backup option called File History.

Popular Linux distributions such as Ubuntu and Linux Mint come with basic backup utilities out of the box; look for them in your operating system’s app menu.

People looking for cross-platform solutions to back up their desktop, laptop, or any external storage device (such as a Hard Disk Drive, SD card, USB drive, etc.) should take a look at backup tools such as FreeFileSync for local backups (used in conjunction with a data encryption tool like VeraCrypt or Cryptomator) and at end-to-end encrypted cloud storage providers such as Sync and Tresorit for cloud backups.

There is always the option of choosing a service that doesn’t provide end-to-end encryption if your data is already encrypted with tools such as VeraCrypt or Cryptomator, or if no personal data is involved (meaning the disclosure of such data to third-parties wouldn’t be a cause of concern for you or other people).

You can read more about data encryption in the Device encryption chapter.

While choosing the option (or combination of options) that best fits your needs take into account the sensitivity of the data in question, as well as (particularly in the case of non-end-to-end encrypted providers) the trust you’re willing to place in the company operating the service.


Social engineering

3 min read

Contemporary hacking usually involves the unwitting participation of the people or organizations being hacked. This is because it is way easier (and cheaper) for an attacker to trick someone by placing a phone call or sending a malicious link or attachment and have the victim do the work for them, than having to make their way through technical safeguards themselves (which could be feasible too, just generally more expensive and time-consuming).

Even though popular email services do a decent job at filtering out spam messages from your inbox, popular web browsers have the capability of warning you when you’re about to visit a potentially malicious webpage, operating systems have both proactive and reactive capabilities in place to protect users from malicious files, and various other software products and services come with some level of protection enabled by default, keep in mind that such safeguards will not protect you against everything, and (even more crucially) will not always protect you against yourself.

Here are a few things you can look out for to better protect yourself against phishing, spear phishing, baiting, impersonation, and other types of social engineering attacks:

Things that are too good to be true
Such communications may involve giveaways, large sums of money, or something along those lines.

Messages that convey a sense of urgency and ask you to act promptly
Such messages may involve communications about your accounts being compromised, and may ask you to put your info into a page that looks just like the original one but in fact is not.

Email addresses that don’t look quite right
This may involve very long, apparently random email addresses as well as addresses similar to ones you trust but different in some little, less apparent way.

Messages from and about services you don’t use
Such as an email about a bank account from a bank you don’t bank with, or from a service you never signed up for, or about a package you never ordered.

Suspicious links
Such as strange-looking links or shortened links (like bit.ly’s) delivered to you via email, instant messaging, SMS or found on social media.

Unknown or suspicious files
Like an .exe or PDF file you downloaded from a random or unsecured website rather than from a trusted HTTPS website, or a similar file that was sent to you via email, instant messaging, or SMS.

Unknown or suspicious devices
This could involve inputting personal data on devices that you do not have direct control over (like a computer at the library or even a friend’s computer) or plugging unknown devices (like USB flash drives or Hard Disk Drives that belong to other people or that you have found somewhere) into your laptop or other trusted device.

Suspicious phone calls
Such phone calls could involve someone asking you to provide weirdly personal information after having proactively called you claiming to be from Microsoft’s, Apple’s, or another company’s customer service or tech support team.

You can test your phish spotting skills using Jigsaw’s cleverly designed Can you spot when you’re being phished? quiz. You can also use tools such as WhereGoes to check where shortened URLs lead to before actually opening them in your browser.
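As an added illustration (not part of the original guide), this is how two of the checks in the list above, addresses that don't look quite right and suspicious links, can be turned into simple detection logic of the kind mail filters apply. The trusted-domain list, the shortener list, the character swaps, and all sample addresses are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed lists for this example: the domains you actually deal with, and
# link shorteners whose destination is hidden until the link is expanded.
TRUSTED_DOMAINS = {"wikipedia.org", "mozilla.org", "example-bank.com"}
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Character swaps that make a name look right at a glance.
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, start=1):
        current = [i]
        for j, char_b in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,                       # deletion
                current[j - 1] + 1,                    # insertion
                previous[j - 1] + (char_a != char_b),  # substitution
            ))
        previous = current
    return previous[-1]


def undo_swaps(domain: str) -> str:
    for fake, real in LOOKALIKE_SWAPS:
        domain = domain.replace(fake, real)
    return domain


def classify_domain(domain: str) -> str:
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    if not domain.isascii() or "xn--" in domain:
        # Letters from other alphabets can be visually identical to Latin ones.
        return "suspicious: non-ASCII characters in domain"
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain.startswith(trusted + "."):
            return f"suspicious: {trusted} used as a prefix of another domain"
        if (undo_swaps(domain) == undo_swaps(trusted)
                or edit_distance(domain, trusted) <= 2):
            return f"suspicious: imitates {trusted}"
    return "unknown"


def classify_sender(address: str) -> str:
    return classify_domain(address.rsplit("@", 1)[-1])


def classify_link(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    if host in URL_SHORTENERS:
        return "shortened link: destination hidden"
    return classify_domain(host)


if __name__ == "__main__":
    constructed_samples = [
        "alerts@mozilla.org",
        "security@mozi11a.org",
        "help@wikiped\u0456a.org",  # Cyrillic letter in place of Latin "i"
        "billing@example-bank.com.account-verify.example",
        "newsletter@unrelated.example",
    ]
    for sender in constructed_samples:
        print(f"{sender:50} {classify_sender(sender)}")
    print(classify_link("https://bit.ly/abc123"))
```

A result of "unknown" only means the domain resembles nothing on your list; it says nothing about whether the message is safe.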


Anti-malware software

3 min read

Malware is any kind of malicious or harmful software. Adware, ransomware, spyware (such as stalkerware), worms, viruses, and trojans are some of the most common types of malware. Anti-malware software is software designed to help prevent, detect and remove these threats from a given device.

In order to work correctly anti-malware software needs to have deep access into a system, and that level of access (particularly in the case of third-party solutions) has proved very problematic over the years. This is because third-party security companies usually need to hack their way into a system in order to make their product work, and bugs in their software can therefore add serious vulnerabilities to a computer, instead of helping to secure it. Not to mention the privacy-busting “features” some of them thought it was OK to implement.

Most operating systems come with built in security mechanisms and tools that can help minimize threats related to malware. Consider sticking with those instead of installing third-party software (either paid or free).

Windows comes with Windows Security as part of the operating system; this includes tools for virus and threat protection, ransomware protection, and firewall and network protection, among others.

macOS comes with several built-in security protections and safeguards, such as a mandatory app signing process, app sandboxing and virus detection and removal.

Mobile operating systems like iOS, iPadOS, and Android also come with strong built-in protections such as app sandboxing, the ability to only install apps from official app stores (this can be disabled on Android), and others.

If you own an iOS or iPadOS device, take a look at the iVerify app from Trail of Bits. While it is not a conventional anti-virus product, it can help you keep your device secure by regularly looking for signs of compromise (including those left behind by NSO Group’s Pegasus spyware) and providing you with other useful features and resources, such as the ability to go through several step-by-step guides on how to quickly improve the security of your device.

Here is some more information on the topic:

Always try to be careful and mindful about what you’re doing with your devices and in which context you’re doing it. Anti-malware software or similar software can indeed help you, but it can’t and it shouldn’t be relied upon if you ignore common sense security practices such as the ones mentioned in this guide.

Also, just in case you were wondering: Yes! Everybody has software vulnerabilities. And: Yes! There’s malware for everybody. No system is immune and there is no such thing as a hack-proof or a 100% secure system.


Webcam and microphone security

1 min read

Webcams are a piece of hardware that is generally easy and cheap to hack. Consider putting some tape (or a cool sticker) over yours when you’re not using it.

If you use a virtual assistant such as Apple’s Siri, the Google Assistant, or Amazon’s Alexa on your personal or smart home devices, consider disabling the wake word feature (“Hey Siri”, “Ok Google” or “Alexa”) to make it so you have to manually press a button to activate it. You could do this permanently or only when you’d like to be sure no device is able to listen in on your conversations.

This will make the experience a little less convenient, but it will also prevent the device from passively listening to the environment around it at all times, and potentially recording your personal conversations when something other than the wake word accidentally triggers it.

These precautions will not make you surveillance-proof, since much of the time there are probably other cameras and microphones around you over which you have less or no control, but they will nevertheless reduce your attack surface, as well as help you create spaces around you that are more private. Spaces where people can be more comfortable being themselves, vulnerable, and human.

If you decide to keep your virtual assistant’s wake word feature enabled, consider that people might want to know if what they say while they’re with you could be recorded and sent to a third party like Apple, Google, or Amazon.


VPN

4 min read

A Virtual Private Network is a tool used by different people in different parts of the world to do different things. Someone could be using a trusted VPN (the keyword here being “trusted”) to access geo-blocked content, prevent their ISP from having access to (and maybe making money off of) their Internet activity, or to simply browse securely and privately on public Wi-Fi; while someone else could be using one to protect themselves from mass surveillance and mandatory data retention laws or to get around pervasive state censorship and fully exercise their human rights.

Using a VPN means all your Internet traffic is sent to one of your VPN’s servers (VPNs usually have hundreds or even thousands of servers spread across the world) via an encrypted tunnel, and it then goes out to the Internet from there. This has two main positive implications:

Traffic encryption
Anyone positioned between you and the VPN’s servers (it being a bad actor, an unregulated ISP, or an intelligence agency) will only be able to see that you’re connected to a VPN, preventing them from having any kind of access to your Internet activity.

IP address obfuscation
Anything you connect to on the Internet will only see the IP address of your VPN’s server, effectively masking your devices’ IP addresses. This means that your traffic will look to the services you’re using as if it was coming from the VPN’s servers instead of your actual physical location.

Keep in mind: A VPN only protects the connection between you and the services you’re using; it doesn’t prevent you from visiting malicious websites or from voluntarily or involuntarily disclosing personal information to the services you use. Because your data is encrypted locally on your devices and is then decrypted once it reaches your VPN’s servers, using a VPN also means shifting trust from your ISP to the VPN provider. You’ll want to find a VPN that you can really trust.

Not all VPN services are created equal. Things you might want to check when looking for the VPN that’s right for you are their general privacy and security practices (such as the ones outlined in their privacy policy), who is the company that is operating the service, whether their code is open-source (and regularly audited by third-parties), and if they employ strong technology and security protocols to protect your information.

Free VPNs are usually not recommended as many of them profit off of selling the very same data customers wanted them to protect.

Two VPN providers I feel comfortable mentioning here are Mullvad VPN and IVPN.

Both companies offer good signs of trustworthiness by providing strong guarantees in their privacy policies and by making available apps that are open source, regularly undergo third-party security audits, and use well-regarded VPN protocols such as WireGuard and OpenVPN.

When it comes to functionality both Mullvad VPN’s and IVPN’s apps come with features to block your Internet connection if the VPN is disconnected or is not running (take a look at Mullvad VPN’s kill switch and Always require VPN features, and at IVPN’s Firewall feature), as well as options around blocking ads and trackers (Block ads and Block trackers in Mullvad VPN’s case and AntiTracker in IVPN’s case).


A trustworthy VPN service should be protecting all of your Internet traffic, including your DNS queries. For more info on this take a look at the DNS over HTTPS chapter.

If what you’re looking for is an anonymity tool, then I recommend you check out the Tor chapter that follows.


Tor

5 min read

Tor is a network run by volunteers all around the world that allows people to use the Internet while protecting their anonymity. It is also an essential tool to avoid tracking, fingerprinting and surveillance and to circumvent censorship.

The easiest way to use it is via web browsers like the Tor Browser (if you’re using Windows, macOS, Linux, or Android) or the Onion Browser (if you’re using iOS or iPadOS), which force all connections between your web browser and the Internet to go through the Tor network.

Each connection initiated via the Tor network is protected with three different layers of encryption and is bounced between three randomly selected nodes in the Tor network (known as relays), before reaching its destination. Those three relays are known together as a Tor Circuit.

The first relay in a circuit is known as the entry guard and remains the same for 2-3 months in order to protect against a known anonymity-breaking attack; the remaining two (the middle relay and the exit relay) change with every new website you visit. With this configuration, not only will the products and services you use over the Internet be unable to know who you are and where you’re from (similarly to a VPN, and unless you actively disclose that information to them), but no single entity within the Tor network itself will have a way of knowing at the same time where your traffic is coming from, what your traffic is about (if the website isn’t served over HTTPS), and what its final destination is.

Let’s say you want to visit Wikipedia using the Tor Browser or the Onion Browser. Once a Tor Circuit is established, the data will be encrypted first using the exit relay’s public key, then using the middle relay’s public key, then one last time using the entry guard’s public key, and it will then be sent to the entry guard.

The entry guard will decrypt the first layer of encryption in order to know the middle relay it needs to send the data to. The entry guard will therefore only know where that data is coming from (you, via your IP address) and the middle relay it needs to send it to; it will have no access to the data itself, nor to what its final destination will be once it exits the Tor network.

The middle relay will decrypt the second layer of encryption in order to access instructions about which exit relay it needs to send the data to. At this point it will only know that the data came from a given entry guard and will be going to a given exit relay; it will still have no access to the data or its final destination outside the Tor network, nor will it know that the data originated from you.

Once the data reaches the exit relay, the last layer of the Tor-provided encryption will be decrypted in order to allow the relay to connect to Wikipedia. The exit relay will therefore know someone is connecting to Wikipedia, but will have no way of knowing who is. Wikipedia, on the other hand, will only see that your traffic is coming from a given Tor exit node, not your real location or identity.
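The layering walked through above, as an added example (not part of the original guide and not Tor’s code): it wraps a request in three layers and records what each relay can observe while peeling its own layer. Relay names, keys, and addresses are constructed, and a toy hash-based stream cipher is assumed as a stand-in for the encryption each relay removes.

```python
import hashlib
import json

def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode). Stand-in only, not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(key, next_hop, inner):
    """Add one layer: only the holder of `key` can read next_hop and the inner blob."""
    layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
    return keystream_xor(key, layer)

def peel(key, blob):
    """Remove one layer, returning (next hop, still-wrapped inner blob)."""
    layer = json.loads(keystream_xor(key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])

# Constructed sample circuit: relay names and keys are hypothetical.
KEYS = {"entry": b"k-entry", "middle": b"k-middle", "exit": b"k-exit"}

def build_onion(request, destination):
    # Innermost layer first (exit relay), outermost layer last (entry guard).
    onion = wrap(KEYS["exit"], destination, request)
    onion = wrap(KEYS["middle"], "exit", onion)
    return wrap(KEYS["entry"], "middle", onion)

def route(onion, client_ip):
    """Walk the circuit and record what each relay is able to observe."""
    views, came_from, blob = [], client_ip, onion
    for relay in ("entry", "middle", "exit"):
        next_hop, blob = peel(KEYS[relay], blob)
        views.append({"relay": relay, "sees_from": came_from, "sees_next": next_hop,
                      "sees_request": blob if relay == "exit" else None})
        came_from = relay
    return views

if __name__ == "__main__":
    for view in route(build_onion(b"GET /wiki/Tor", "wikipedia.org"), "203.0.113.7"):
        print(view)
```

Only the entry guard’s view contains the client address, and only the exit relay’s view contains the destination and the request.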

When it comes to browser settings, the Tor Browser as well as the Onion Browser come with strong privacy and anonymity-protecting defaults right out of the box; it is recommended users change as few of them as possible. In the case of the Tor Browser it is also recommended users do not change the window size (which could allow websites to determine the size of their screen and in turn expose them to tracking) and do not install browser extensions beyond the ones that are already included (because those could bypass the Tor network or otherwise harm their privacy and anonymity).

Keep in mind that some websites might block or restrict traffic coming from the Tor network, and in some cases you might be prompted to prove “you’re not a robot” more often than usual. Also remember that Tor can’t protect your anonymity if you willingly authenticate with a service (such as Facebook) over the Tor network. In those cases only other protections such as location obfuscation will be provided to you.

In addition to the Internet services you normally access using your regular browser and Internet connection, connecting to the Internet via Tor enables you to access Onion Services as well. These are services that function entirely within the Tor network and allow people to protect their identity, their security, and their privacy in a variety of different circumstances. Websites made available as Onion Services are called Onionsites; a few examples include DuckDuckGo, ProtonMail, Facebook, The New York Times and the BBC. Other types of Onion Services include OnionShare, a tool that lets people share files, host websites, and chat with friends securely and anonymously, Ricochet Refresh, a project that provides private and anonymous instant messaging, and whistleblower submission systems SecureDrop and GlobalLeaks.

Another very interesting way of taking advantage of the Tor network is using the Tails portable operating system. This is an OS that can be installed on a USB flash drive and run on any computer you connect it to. Tails is built so that all Internet connections (not only the ones generated from the Tor Browser) go through the Tor network. It is also cleverly engineered so as to leave no trace on the computer you use it with and to reset all of its settings and delete all generated data when powered off (unless you very specifically tell it otherwise).


Personal risk assessment

2 min read

A good way to go about implementing the measures and suggestions mentioned in the chapters above is by doing a personal risk assessment, a practice also known as threat modeling. This will help you understand which security and privacy practices are right for you and how you should approach their implementation. You can kick things off by asking yourself a series of questions similar to the ones listed below, which are based on the Your Security Plan resource from the Electronic Frontier Foundation’s Surveillance Self-Defense guide (CC BY 3.0 US).

What are you trying to protect?
What is it you consider personal/sensitive enough that you’re willing to take extra steps in order to avoid it falling into the wrong hands, or going public?

From whom are you trying to protect it?
Are you worried about police surveillance, corporate surveillance, surveillance from your parents, or threats from people with physical access to your devices and systems such as spouses, roommates, and employers? Or are you interested in adopting general security measures to avoid losing your information to hackers?

If that person or entity were to come after what you’re trying to protect, how would they do it?
Would they just need to grab your device? Would they need to guess a PIN? Would they need to gain remote access to your devices using malware? Would they need to guess the password you keep reusing? Would they be willing to force you into unlocking your data for them?

If they were to succeed, how bad would the consequences be?
What could be the worst case scenario? How would you handle such a situation, if you were confronted with it?

How likely is it that someone will come after what you’re trying to protect?
How valuable do you think your information is for the person or entity in question?

What resources are you willing to invest to secure what you’re trying to protect?
These can include time, but also money.

While going through these questions, keep in mind that it can be very important to figure out who and what you trust, and to realize that if someone is targeting you, their capabilities will likely grow over time.


Bring other people in

1 min read

What we’ve seen so far are some of the most important personal actions anyone can take to better protect their data and the data other people are sharing with them.

But here’s the thing: Security and privacy are only as strong as their weakest link, and can therefore only be really tackled if you approach them as a team sport.

Once you start thinking about data protection as both a journey you and the people in your life can embark on together and a public good, ask yourself: Do these people (the ones I share personal, private, and/or sensitive information with) protect their data and the data I share with them as well? Would it make sense for me to suggest, ask, or even demand they follow good practices similar to the ones highlighted on this page?


Conclusion

2 min read

Personal security and privacy are about us, both as individuals and as a society. They are something we should think and talk about because (whether we realize it or not) they are at the heart of everything we do online and off, and as such they touch our lives (directly or otherwise) every single day.

As Edward Snowden once said:

“One of the most important things I think we all have a duty collectively in society to think about is when we’re directed to think a certain way and accept a certain argument reflexively without actually tackling it.

The common argument we have — if you have nothing to hide, you have nothing to fear — the origins of that are literally Nazi propaganda. This is not to equate the actions of our current government to the Nazis, but that is the literal origin of that quote. It’s from the Minister of Propaganda Joseph Goebbels.

So when we hear modern politicians, modern people repeating that reflexively without confronting its origins, what it really stands for, I think that’s harmful.

And if we actually think about it, it doesn’t make sense. Because privacy isn’t about something to hide. Privacy is about something to protect. That’s who you are. That’s what you believe in. Privacy is the right to a self. Privacy is what gives you the ability to share with the world who you are on your own terms. For them to understand what you’re trying to be and to protect for yourself the parts of you you’re not sure about, that you’re still experimenting with.

If we don’t have privacy, what we’re losing is the ability to make mistakes, we’re losing the ability to be ourselves. Privacy is the fountainhead of all other rights. Freedom of speech doesn’t have a lot of meaning if you can’t have a quiet space, a space within yourself, your mind, your community, your friends, your family, to decide what it is you actually want to say.

Freedom of religion doesn’t mean that much if you can’t figure out what you actually believe without being influenced by the criticisms of outside direction and peer pressure. And it goes on and on.

Privacy is baked into our language, our core concepts of government and self in every way. It’s why we call it ‘private property.’ Without privacy you don’t have anything for yourself.

So when people say that to me I say back, arguing that you don’t care about privacy because you have nothing to hide is like arguing that you don’t care about free speech because you have nothing to say.”

Go ahead. Take care 🌱


Illustrations by Katerina Limpitsouni/unDraw / License
Trash icon in the illustration for the Data protection and minimization chapter by Freepik/Flaticon / License