Unfortunately, making yourself more private digitally is thought to be an inconvenient pain that requires changing your online habits. That's not the case. With this Beginner's Guide To Online Privacy I want to show that you can reclaim a degree of privacy without sacrificing much convenience, and without having to relearn how you browse.
Things To Keep In Mind
Before getting into the thick of it, it’s important to keep a few things in mind. It is totally possible to go completely neurotic and mental when it comes to giving yourself online privacy. This “guide” aims to consolidate information and provide a good start for people who want to reclaim a bit of lost privacy from this point forward. There are plenty of options to go beyond this guide, but those rabbit holes are deep.
Furthermore, unless you're starting from scratch, there already exists a digital profile of you. Some place, somewhere, a company or two holds information about you, whether it's your online habits, your name, or more. Perhaps upcoming legislation will let people retroactively start from scratch, but until that comes to fruition, this guide is written for the world as it exists in early 2021.
Let's start with the quintessential tool for web use: the browser. After all, you're using one right now to read this. Google Chrome remains the most used browser in the world, and for arguably good reason: it's very fast, has lots of extension support, extensive mobile and ecosystem integration, and the list goes on.
Unfortunately, Chrome doesn't offer much in the name of privacy, and its "Manifest v3" extension platform is cutting back the request-blocking capabilities that ad blockers rely on. You can read more about that here, but Chrome is by no means a privacy oriented browser. Furthermore, "Chromium", the open source browser project that Chrome and plenty of other browsers are built on, doesn't offer much in the way of privacy either, and carries the same Manifest v3 changes. So other Chromium based browsers like Vivaldi, Opera, Brave, and Edge (which moved to Chromium in early 2020) are off the list of recommendations. So what's out there?
Well, it'd be an egregious error not to mention Tor. Tor Browser offers by far the strongest anonymity of any browser out there. However, there are a few caveats. Certain countries block Tor, some websites just straight up won't work with it, browsing is noticeably slower, and your habits will have to change. Furthermore, a lot of the mobile convenience is lost.
Hence, the browser best suited to preserve both privacy and convenience is Firefox. Firefox is not Chromium based (it uses Mozilla's own Gecko engine), is comparably fast, and is often less resource intensive than Chrome. It offers a similar range of extension support, as well as many of the convenient features you're used to like tab and bookmark sync.
While Firefox is already a good start, there are a few browser addons to recommend to go just a little bit further, and 99% of the time won’t negatively impact the browsing experience. The recommended extensions are:
uBlock Origin: uBlock Origin is a lightweight, plug and play ad and tracker blocker that does its job extremely well, and is customizable for those needing additional functionality. This is also a familiar face if you're switching from Chrome, as the extension is currently available to Chromium users as well as Firefox users. uBlock Origin is possibly the best blocker out there right now, and is a must-have for improving your browsing experience.
Privacy Possum: Companies track you online. There. I said it. While this may or may not be news to you, the practice is done to better target ads to your preferences, e.g. why you may see ads for shampoo after googling hair care products. For those who are privacy oriented, this may make you uncomfortable. This is where Privacy Possum comes in. Privacy Possum not only reduces the data collected by trackers, but also falsifies some of the information sent to them (for example, by scrubbing tracking cookies and referer headers). One caveat: check that the extension is still being maintained before relying on it, as it has seen little development since 2019.
HTTPS Everywhere: Most sites nowadays support HTTPS, which encrypts the communication between you and the website you're accessing. However, not every site automatically redirects you to it, so a plain "http://" link, bookmark, or typed address can still land you on the unencrypted version. HTTPS Everywhere fixes this by rewriting such requests to their HTTPS variant where the site supports it. Firefox 83 and later also ship a built-in "HTTPS-Only Mode" (in Settings under Privacy & Security) that upgrades every connection and warns you when a site has no HTTPS at all; if you enable that, the extension becomes largely redundant.
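To make the rewriting concrete, here is a small added example (my own illustration, not HTTPS Everywhere's code or its real ruleset data) of the two upgrade strategies just described: a per-site ruleset with host rewrites and exclusions, the way HTTPS Everywhere works, and an unconditional scheme upgrade, the way HTTPS-Only Mode works. The rulesets, hostnames and the simplified rule format are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


# Constructed, simplified imitation of an HTTPS Everywhere ruleset.
# The real extension ships XML rulesets with <target>, <rule> and
# <exclusion> elements; this is an illustration, not its actual code.
@dataclass
class Ruleset:
    name: str
    targets: list                 # hostnames the ruleset covers ("*." wildcard allowed)
    rules: list                   # (regex on the full URL, replacement), tried in order
    exclusions: list = field(default_factory=list)   # regexes for URLs left untouched

    def matches_host(self, host: str) -> bool:
        for t in self.targets:
            if t.startswith("*."):
                if host.endswith(t[1:]):          # "*.example.org" matches "www.example.org"
                    return True
            elif host == t:
                return True
        return False

    def apply(self, url: str):
        for ex in self.exclusions:
            if re.search(ex, url):
                return None                       # e.g. a legacy page known to break over TLS
        for pattern, repl in self.rules:
            new = re.sub(pattern, repl, url, count=1)
            if new != url:
                return new
        return None


# Sample rulesets (constructed for this example; example.org/.net are reserved names).
RULESETS = [
    Ruleset(
        name="Example.org",
        targets=["example.org", "*.example.org"],
        rules=[(r"^http://", "https://")],
        exclusions=[r"^http://legacy\.example\.org/"],
    ),
    Ruleset(
        name="Example.net",
        targets=["example.net", "www.example.net"],
        # Host rewrite: the TLS version of the site lives on a different hostname.
        rules=[(r"^http://(www\.)?example\.net/", "https://secure.example.net/")],
    ),
]


def upgrade_url(url: str, rulesets=RULESETS, https_only: bool = False) -> str:
    """Return the URL the browser should actually fetch.

    A matching ruleset rewrites the URL (or, if excluded, leaves it alone).
    With no match, the URL is returned as-is unless https_only is set, which
    mimics Firefox's HTTPS-Only Mode and upgrades the scheme unconditionally.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url                                # already HTTPS (or not a web URL)
    host = parts.hostname or ""
    for rs in rulesets:
        if rs.matches_host(host):
            rewritten = rs.apply(url)
            if rewritten is not None:
                return rewritten
            break                                 # matched but explicitly excluded
    if https_only:
        return "https://" + url[len("http://"):]
    return url


if __name__ == "__main__":
    for u in ["http://www.example.org/login",
              "http://legacy.example.org/old",
              "http://www.example.net/a?b=1",
              "http://other.test/x"]:
        print(f"{u}  ->  {upgrade_url(u)}   (HTTPS-Only: {upgrade_url(u, https_only=True)})")
```

The difference worth noticing is the exclusion: a ruleset can deliberately leave a URL on plain HTTP, whereas HTTPS-Only Mode upgrades everything and lets the connection fail loudly instead, which is the safer default for a beginner.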
Decentraleyes: Another plug and play extension to supplement uBlock Origin or whatever other blocker you're running. It's common for websites to load essential parts of a page (JavaScript libraries, mostly) from third party services like Google Hosted Libraries, which lets that third party see every site you visit that uses them. Decentraleyes bundles the most commonly used files and serves them locally, instead of having your browser request them from the third party.
Cookie AutoDelete: More of a house keeping extension than anything, Cookie AutoDelete deletes a site's cookies shortly after you close its last open tab. If the deletion of a certain cookie is annoying you (i.e. having to sign into Google again every time you open your browser) then the extension offers whitelist functionality so you can keep whatever cookies you want on your plate.
Bitwarden: I'll talk more about password managers later, but while we're in the realm of browser extensions, Bitwarden is a password manager that has you create one master password to sign in to your "vault", where you can access stored passwords for various other sites. Perhaps the most useful feature of Bitwarden is the password generator, which creates a totally random password that meets whatever length and character requirements you set. A password that isn't built from a dictionary word or a predictable pattern is far harder to guess or crack, and using a different generated password on every site means a breach of one site doesn't hand an attacker your other accounts. So use Bitwarden to generate and store passwords for various websites, and either copy the password into the sign in field or have Bitwarden fill it in for you. Bitwarden is also available on iOS and Android, so you can access your passwords while on mobile.
Past extensions, there's the mobile browser experience to think about as well. Firefox offers robust features like tab and bookmark sync across devices, and of course offers both iOS and Android apps to accomplish such. On iOS, Apple requires every browser to use its WebKit engine, so Firefox there is a regular browser without extension support. Android users have more options: the stable Firefox for Android app now supports uBlock Origin, and the "Firefox Nightly" app on the Play Store (previously named "Firefox Preview Nightly for Developers") is a preview build updated on a daily basis that picks up new features and extension support first. But disclaimer, Nightly is essentially a development build, so it may not be as stable as the normal releases of the app.
Lastly, a word on a Mozilla feature that integrated well with Firefox but wasn't exclusive to it: Firefox Send. Send let you upload a file that was encrypted in the browser, hand others a link to download it, and set the link to expire after a period of time or a number of downloads. Unfortunately Mozilla discontinued Send in September 2020, so it is no longer available; if you relied on it, look for another end to end encrypted file sharing service.
Whew, information dump I know. Honestly just getting a browser setup is half the battle right there. But of course, there are still a few more things you can do.
Email is of course still widely used today. Unfortunately some of the most popular email services like Gmail and Outlook (noticing a trend or two yet?) don't offer much in the way of privacy or encryption. But luckily, there is at least one recommended provider that is free and also features encryption and privacy. Enter: ProtonMail. ProtonMail is an email service based in Switzerland, founded by scientists who met at CERN(!).
ProtonMail has several privacy centric features that are just straight up missing from services like Gmail and Outlook. The first is end to end encryption of the content of emails between ProtonMail users, combined with ProtonMail's "zero-access" design, meaning messages are stored encrypted in a way the company itself cannot read. Furthermore, it lets non-users benefit from the encryption as well: you can send a password-protected message that the recipient decrypts in their browser. However, despite being leagues better in terms of security and privacy than say Gmail, subject lines and other headers are not end to end encrypted, and of course, ProtonMail will comply with Swiss authorities and court orders. So pretty much unless you're of concern to the legal authorities of Switzerland, you don't have much to worry about. And of course, iOS and Android apps are available, as well as web client access.
Brief justification, as there is a chance this choice will spark some debate. Kolab Now, another Swiss based private email service, offers strong encryption, even going so far as to strip identifying info from email headers, but costs money. But it is worth keeping in mind if you’re willing to pay some coin for extra security.
Also in the realm of email is Tutanota; however, it doesn't get a recommendation here due to being German based. While Germany has decently strong data privacy laws, it is part of the European Union and the "14 Eyes" intelligence alliance, and hosts operational US NSA facilities. In my opinion, the services based in Switzerland offer a better guarantee of user protection than Tutanota.
This is where things get a little bit muddy. VPN services are somewhat in a rough spot when it comes to having a totally clean track record. I’ll present three choices I believe have a reasonably clean track record, good performance, and ease of use.
The first up to bat is NordVPN. NordVPN offers plenty of network performance, plenty of servers to access, and comprehensive support with a desktop application and iOS and Android apps so you can put a VPN on all of your devices. NordVPN is also based in Panama, something of merit as Panama doesn’t have any sort of data retention laws, and is not a participant in any international intelligence gathering programs like “14 Eyes”.
Where NordVPN runs into trouble is that in late 2019, the company announced that it had been "hacked". In all honesty, the extent of the breach seems somewhat minimal in the sense of actually compromising user security and data. What happened is that an attacker used an insecure remote management system, left behind by the data center provider, to access a single NordVPN server in Finland, and from it obtained an expired TLS key. That key could, in principle, have been used to stand up a fake server posing as a legitimate NordVPN server, though NordVPN stated it could not have been used to decrypt past traffic. According to NordVPN, the affected server was only in service for about two months: late January to mid March 2018. When announcing the breach, NordVPN was highly confident that no user data was compromised, but the idea is still troubling.
To NordVPN's credit, this issue launched a massive internal security and systems audit, examining all of their infrastructure. NordVPN has also begun a third party audit of all of their systems that will reach well into 2020, which would by far be the most rigorous security testing any VPN has undergone. Early proof that the audit is producing results came in late 2019, when NordVPN announced that VerSprite, the security company they're partnering with for the large scale audit, had audited their mobile apps and reported 17 bugs, which were promptly fixed. So giving NordVPN the benefit of the doubt, it does seem as though they are actively taking steps to make sure a breach doesn't occur, or, when one inevitably does, that its scope is minimized.
VPN/Private Internet Access
Next up on the plate, is “Private Internet Access” (PIA). PIA offers arguably the best network performance of the mainstream VPNs, and of course has desktop and mobile applications for both iOS and Android. Speaking from experience, all of their apps are simple to use, and the service has been reliable during my time using it.
Unfortunately things are not all sunshine and rainbows for PIA. While no hacks have been reported regarding PIA, PIA is based in the United States, a participant in multiple international data collection and intelligence agreements, including the OG "5 Eyes" intelligence program, and a country where providers can be compelled to hand over whatever user data they retain. All of these aspects might be of concern to certain users.
Furthermore, in November 2019, PIA was acquired by Kape Technologies. Kape, previously known as Crossrider, was known for distributing browser toolbars as well as potentially unwanted programs. Kape, as it has existed under that name, has had a fairly clean track record so far, and also operates two other (technically competing) VPNs, CyberGhost and ZenMate.
It’s no doubt that the userbase of PIA was quite upset when the acquisition by Kape was announced. And, to give PIA the benefit of the doubt, as I did above with NordVPN, PIA has been working on providing transparency in order to win the trust of its userbase back. The best example of which is outlined in their blogpost here, but the TL;DR of which is they are taking steps so that the userbase can verifiably see all that’s going with PIA, as well as opening up to third party audits, much like NordVPN.
While I could go on for pages and pages about the various other VPN services out there, for sake of scope this guide is limited to just three. The last (but certainly not least) of which is Mullvad.
Mullvad offers desktop clients, and has options for loading it onto iOS and Android. There is no dedicated app for iOS, so you have to use the WireGuard or OpenVPN app and import Mullvad's configuration for it in order to benefit from Mullvad's service. Furthermore, from the get-go Mullvad is committed to anonymity: signing up generates a random account number rather than asking for an email address, and you can even physically mail in cash for your subscription, so you don't have to give Mullvad your card details.
Mullvad has comparatively lower server counts than both NordVPN and PIA, and network performance isn't quite as slick as the previous two options. And in general, that's kind of the worst thing going against it. Things just aren't as smooth to use with Mullvad as with the previous VPNs mentioned. Furthermore, while Mullvad doesn't have "baggage" like the previously mentioned VPNs, Mullvad is based in Sweden, a member of the EU as well as the "14 Eyes" intelligence alliance.
Make of all these VPNs what you will. The only thing I'll tell you to do here is to stay away from the free VPNs out there that you might see. Keep in mind what a VPN actually does: it hides your traffic from your ISP and your IP address from the sites you visit, but it does so by moving that trust to the VPN provider, who now sees everything your ISP used to. It is not anonymity. No VPN, even paid, is without sin. Each has its own drawbacks and advantages, and which one you choose will be up to your personal evaluation.
Briefly mentioned in the "Browser" section of the guide, password managers are convenient programs you can use to store and fill in your passwords for various websites. Yes, we're probably all guilty of having a "Life Password" at some point, but thanks to password managers that can change. Perhaps the best feature of these password managers is the random password generator. A long password made of random letters, digits and symbols is a lot more secure than say "iHeartRainbows44", which is really just two dictionary words and a number.
While the original draft of this article included two recommended options for this section, LastPass and Bitwarden, the former recently announced changes to its free accounts, locking free users to just one "type" of device they can use their LastPass account on. For example, with the changes coming on March 16th 2021, a free user will only be able to use LastPass on desktop operating systems, and no longer on mobile as well. Vice versa too, so a free user could instead use LastPass only on their iOS or Android devices. Quite a disappointing change to say the least.
Which unfortunately leaves us with just one recommendation for this section: Bitwarden. Bitwarden is functionally similar to LastPass, in that it can generate, save, and fill passwords and other account information, but lacks some of the ease of use polish that LastPass has. On the other hand, Bitwarden is just as, if not more, secure than LastPass, and is open source, so anyone can review its code, and it has had independent third party security audits for extra peace of mind. Bitwarden of course has browser extensions for Chrome and Firefox, and mobile apps as well, with (currently) no limits on their use for free users, unlike LastPass.
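Since both the Bitwarden mention in the browser section and this section lean on the random password generator, here is an added example of what one does under the hood and why its output beats a memorable password. This is my own illustration, not Bitwarden's or LastPass's code. The guess rate and the dictionary size used for the comparison are assumed figures, labelled as such in the code.

```python
import math
import secrets
import string

# Character classes a typical manager's generator lets you require.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")


def generate_password(length: int = 20, classes=DEFAULT_CLASSES) -> str:
    """Uniformly random password over the union of the chosen classes, with at
    least one character from each class. Uses the `secrets` module (a CSPRNG),
    never `random`, and rejection sampling so accepted passwords stay uniform."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length: int, classes=DEFAULT_CLASSES) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    The 'one of each class' requirement above shaves off a negligible fraction."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def pattern_bits(words: int, digits: int, dictionary_size: int = 20_000) -> float:
    """Rough entropy of a 'words plus digits' password like iHeartRainbows44,
    assuming the attacker tries every combination of words from a list of
    `dictionary_size` common words. 20,000 is an assumed, round figure."""
    return words * math.log2(dictionary_size) + digits * math.log2(10)


def years_to_brute_force(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected years to search half the space at the given rate. 1e11 guesses/s
    is an assumed figure for an offline attack on a fast hash, not a measurement."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw)
    print(f"  {entropy_bits(20):.1f} bits -> {years_to_brute_force(entropy_bits(20)):.2e} years")
    b = pattern_bits(words=2, digits=2)   # "iHeart" + "Rainbows" + "44"
    print(f"iHeartRainbows44-style: {b:.1f} bits -> {years_to_brute_force(b):.2e} years")
```

The takeaway is in the two numbers: the generated 20-character password sits near 128 bits, while a two-words-and-a-number password, despite being 16 characters long, is worth somewhere around 35 bits against an attacker who guesses words rather than characters.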
Password managers do have one obvious weak point, in that the "Master Password" used to unlock your vault is breach-able through classic methods like phishing, and everything inside depends on it. But with a robust enough master password (a long passphrase you don't use anywhere else), good browsing habits, and 2FA enabled on the account to further secure it, the chance of a breach gets lower and lower.
This section however, wouldn't be complete without mentioning KeePassXC. KeePassXC is an open source, offline password manager that keeps your vault in an encrypted database file on your own computer rather than on a provider's servers. That "localization" removes the hosted service as a target entirely, but it sacrifices a key convenience: KeePassXC itself has no mobile app and no built-in sync. The database file works on Windows, macOS and Linux, and you can carry it between machines with whatever sync you trust, but getting it onto a phone means a third party app that reads the same database format. As this guide is primarily focused on balancing privacy with convenience and usability, that extra setup keeps KeePassXC from getting an explicit recommendation, but it is definitely an option to be aware of.
It would be all for naught to write a guide like this without talking about Signal. Signal is a privacy centric messaging app for both mobile and desktop, meant to replace apps like the Facebook owned WhatsApp, or WeChat, which is beholden to the Chinese Communist Party. Signal end to end encrypts its messages and calls, and is open source; its protocol has been reviewed extensively by cryptographers, and WhatsApp itself adopted it. Even the developers of Signal can't see your messages due to its encryption. Two caveats worth knowing: Signal currently requires a phone number to register, and encryption protects message contents, not the fact that you use the app or who your contacts are, although Signal stores remarkably little of that. While some websites/guides talking about privacy will attempt to typecast Signal as a viable replacement for things like Discord as well, that's just simply not the case. There will almost always be a need for a more robust server-style messaging app like Discord. The real ticket would be an encrypted version of a service like Discord, but I digress.
Signal fits in really well with replacing your mobile messaging. For example, if you and your family/friends all communicate through Facebook Messenger (yikes), WeChat, or WhatsApp, Signal is a viable alternative to try and get everyone to move over to, and start using.
As previously mentioned, it is possible to go completely crazy when it comes to privacy, but that comes with a sacrifice in quality of life. There are plenty of more advanced options beyond the scope of this guide, but they aren't nearly as beginner friendly or lack some balance of convenience. If you're interested in learning more, I would recommend researching things like "ungoogled-chromium", "GrapheneOS", and the various Linux distros.
I hope this guide provided you a good start with making your online life more secure.
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden.