I’ve been improving my personal privacy and security habits over the last couple of months. Although I have a strong background in computer science, and I’ve always had a fascination with computer security, I’ve had extremely poor personal privacy and security practices.
However, with the increasing threats of doxxing, mass data collection and analysis, automated and artificial intelligence-based hacking, and other omnipresent hazards such as Big Data, Big Tech, and Big Government, I’ve decided to considerably tighten things up.
If you too are concerned about personal privacy and security for any or all of the above reasons, here’s a short list of immediate actions I’ve taken in my life. Before I begin, I want to credit several people who have been impactful to me, and who I would highly recommend if you’d like to step further into the world of personal privacy:
- Michael Bazzell, host of the Privacy, Security, and OSINT podcast, and author of Extreme Privacy
- Craig Peterson, host of the Craig Peterson Podcast
- Kevin Mitnick, author of many books including The Art of Invisibility
And now, the list of actions I’ve taken in my own life. These are basic first steps, but provide the groundwork for further steps toward privacy.
1. Password Manager
The number one security and privacy mistake made today is the use of recycled or weak passwords.
Password breaches are common, and it’s very likely that at some point, passwords of yours have been stolen. Once a single password is breached, hackers can use that password on all of your known accounts, whether email, social media, or other platforms. Automated scripts let hackers make these attempts on millions of people and all their different accounts within very short periods of time. Even if you think you’re “uninteresting,” you’re not safe.
Tools like Have I Been Pwned can tell you if you’ve been a part of a large breach, but smaller breaches occur regularly and can go unnoticed.
Secure passwords are, at a minimum, 12 characters long and incorporate uppercase and lowercase letters, numbers, and symbols. Such passwords are, in other words, quite difficult to remember. One good way to generate a password is to come up with a phrase and shorten it by removing letters and spaces and adding symbols. (“Don’t hide hornets in your neighbor’s mailbox” becomes “!H1deH0rnets>Neighbor’sMailbox,” or similar.)
If you have scores of unique and well-constructed passwords, remembering them can be a problem. If you don’t have trouble remembering them, they’re probably not very good passwords! Fortunately, several services can keep track of all of these passwords for you. I recommend LastPass, which integrates well with web browsers and works on the iPhone and Android. Most importantly, it allows you to automatically create highly complex, unique passwords on every site you visit, without needing to generate them manually. Another popular option is 1Password.
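As an added illustration (not code from the post or from any password manager), here is the minimum rule above turned into a checker, plus a generator that uses the operating system's CSPRNG so that every generated password is guaranteed to meet it. The symbol set is my own choice; adjust it to whatever a given site accepts.

```python
import secrets
import string

# Character classes from the rule above: upper, lower, digits, symbols.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"  # assumed set; sites differ in what they allow
MIN_LENGTH = 12


def meets_policy(password: str) -> bool:
    """True if the password satisfies the minimum rule stated above."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in UPPER for c in password)
        and any(c in LOWER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Generate a random password with a CSPRNG that always meets the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # One character from each class guarantees every class is present...
    chars = [secrets.choice(cls) for cls in (UPPER, LOWER, DIGITS, SYMBOLS)]
    # ...the rest comes from the full alphabet, then everything is shuffled
    # with a CSPRNG so the class positions are not predictable.
    alphabet = UPPER + LOWER + DIGITS + SYMBOLS
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print(meets_policy("!H1deH0rnets>Neighbor'sMailbox"))  # the post's example passes
    print(generate_password())
```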
It might seem counterintuitive to use a centralized password manager, but they dramatically lower your overall risk. Make sure to enable two-factor authentication and use the strongest password you reasonably can for your password manager. Remember, if you’re using a password manager, you only need one really excellent password, and you don’t need to type it often, so you can afford some length and complexity.
Two-factor authentication (or 2FA) means that, in addition to logging in to your account with your username and password, you also need a password randomly generated on a separate device. You encounter these most often in the form of text messages with random strings of letters and numbers, but the authentication app is a considerably safer, more private, and less clumsy tool. Using 2FA means that, should a hacker successfully obtain your password, they’ll still be unable to access your account without your secondary device.
LastPass Authenticator is an app which integrates well with LastPass and can be used for this purpose. Another popular choice is Authy. Both Google and Microsoft offer authentication apps, but if you’re researching personal privacy, these likely aren’t your first choice.
2. End-to-end Encrypted Email
End-to-end encrypted (or E2EE) email is a must. It means that even your provider can’t read your email messages, even under subpoena. Unencrypted email should essentially be viewed as public information: The messages can be read by anyone between you and your recipient—it’s essentially like mailing a postcard. Some providers, such as Gmail, do encrypt, but it’s generally a simple process for them to unlock your emails and read them.
I’ve been using ProtonMail, which does use E2EE. The service is slick, and includes apps for the iPhone and Android. It’s also based in Switzerland, which has exceptional privacy laws. I’ve been using it for a couple of months now for my primary business domains, in addition to my personal email, and highly recommend the service. You can also send emails with expiration times, a useful tool for sending particularly private emails.
Finally, it works with two-factor authentication, including the LastPass authenticator. If you’d prefer not to use ProtonMail, another popular E2EE option is TutaNota.
3. End-to-end Encrypted Text Messages
Text messages are a ubiquitous part of daily life, but their contents can be easily read by the phone company. If you use regular SMS text messages, which most Android users do, the messages can be read by anyone who knows how, and police and law enforcement routinely intercept messages outside of public protests and similar events.
Hackers can read your text messages (and intercept any pictures you might be sending) with simple, inexpensive, and inconspicuous setups, which is especially hazardous in hotels or public gatherings.
There are several text messaging apps that help resolve this problem. My preferred app is Signal, which uses E2EE and works well on iPhone and Android.
As a further precaution, private messages should be deleted and personal pictures saved in a more protected space.
4. Googling / Removal from Data Collection Sites
There are several websites on the internet, such as WhitePages.com, PeopleFinder, MyLife, and Spokeo, that collect your name, age, address, and contact information. These websites don’t have any easy ways for you to request your data be removed. I found the quickest technique was to contact each of these websites individually by email. Michael Bazzell has a very long list of websites to check in his Extreme Privacy Workbook.
I Googled my name repeatedly, making sure to use nicknames, phone numbers, email addresses, user accounts, and callsigns that might be associated with me. Keep searching and searching. Remember that if somebody does want to get your personal information, this is the first thing they’ll do, and if you’re not at least as aggressive and persistent as they are you’re potentially in trouble.
And after you’ve deleted the undesirable search results and old accounts, make sure to request deletion of Google caches wherever possible.
Whenever I found a collection website, I contacted the site and requested removal. I have several anonymous email accounts for doing this, although some sites will request verification. Although you can use DMCA takedowns if there’s any actual content of yours on the site, this works better as a threat than in practice, as every DMCA takedown request leaves a permanent record.
5. Privacy-Oriented Web Browser
My web browser is my primary interaction with the internet, and it’s either helping me protect my information or helping websites obtain it. Web browsers are complicit in much of the data tracking done on the Internet today. Changing the tool with which you navigate the internet can radically alter what information websites can gather.
On my phone, I use DuckDuckGo Privacy Browser. This app exists for both Android and iPhone and has worked excellently for me. The browser has built-in privacy features, including ad blocking. The user interface is snappy, and it includes a “Burn” button that deletes all local browsing data whenever you tap it. It’s a little bit self-congratulatory when it blocks trackers, but you might find that endearing.
On your computer, Brave is a privacy-oriented web browser, but Firefox loaded with Privacy Badger, DuckDuckGo Privacy Essentials, and HTTPS Everywhere is a good choice. There’s a tremendous amount of depth here, but either of the above options is an excellent start. Check out your current privacy settings with the Electronic Frontier Foundation’s Cover Your Tracks tool.
Incidentally, the difference between HTTP and HTTPS, for most practical purposes, is that HTTPS uses digital signatures to verify that the website you’re connected to is actually the one it claims to be, and it also encrypts the traffic between you and the website. An HTTPS connection is preferred to HTTP wherever it’s available, and is vital if personal information is being shared.
6. My radical step: Deleting Facebook, Twitter, and Google products
Perhaps this won’t work for everyone. But once Facebook, Twitter, and Google began censoring content in early- to mid-2020, I decided I’d had enough of them. I deleted my Facebook, Instagram, and Twitter accounts, and removed all the Google products from my phone that it was possible to remove.
If you need convincing, let’s start with this: Google tracks your location everywhere you go. Want to know where you were at 4:00PM on December 10th of 2018? Just look it up. Facebook is able to guess just about everything about your personal life, including your political predilections. And in the case of both Google and Facebook, algorithms analyze and decide precisely what to show you personally, which can radically alter your perception of reality.
Search engine: An alternative search engine worth checking out is DuckDuckGo, although many privacy-oriented search engines exist. Check out both SwissCows and Searx. SwissCows is especially appealing if you have children, as its adult content and violence filtration is superb.
GPS: I switched to an old-fashioned Garmin GPS in my car. This allowed me to turn off all location services on my phone, including Wi-Fi scanning. My location can still be triangulated by cell tower by my provider, but this risk is considerably lower, and the only way around it is an anonymous cellphone.
7. Virtual Private Networks (VPNs)
VPNs, such as those offered by ExpressVPN or GhostVPN, hide your IP address from your Internet provider and encrypt all the data coming from your device. All of your web traffic is routed through another computer somewhere else in the world before traveling to the webpage or service you’re using, and all return communications also travel through that computer. Websites cannot easily tell who you are or where you are, and therefore harvesting your information is considerably more difficult.
They can be an important part of your personal security, but they do come with drawbacks: Many websites will find you suspicious, and you might find yourself filling out many more CAPTCHAs than you used to. Some services will recognize that you’re using a VPN and won’t allow you to use them. With some VPNs, there are special servers you have to use in order to access streaming services, for instance.
Additionally, the VPNs themselves vary, and there are many considerations. For instance, you should research whether the VPN logs and stores your communications and could therefore be made to hand them over under subpoena. No free VPN service is worth considering; expect to pay for a truly private service that does not have data limits.
I personally use GhostVPN, which does not store data about your communications beyond the time it’s necessary for those communications to be made. Private Internet Access and ProtonVPN are also excellent.
Some security experts recommend using fully anonymous devices instead of attempting to anonymize your device with a VPN, but whether this is practical or reasonable for you depends on your particular sets of risks.
It’s important to mention that VPNs do not provide you unlimited anonymity. They often get treated as a cure-all, but if you’re logging into your personal accounts with them, then they can never be truly anonymous.
8. Anonymous Emails
You can use FastMail and set up unique email aliases whenever a website requires you to input an email. Creating a new alias is fast, and you’ll be able to receive that obnoxious confirmation email without revealing your identity.
This technique mostly hides your information for laypeople, simple hackers, and advertisers, but FastMail doesn’t provide the same extraordinary level of security that ProtonMail does, nor is it impossible for these accounts to be linked to you if you’re concerned about government agencies.
If you’d like to take this a step further, read on:
I’ve recently purchased a wide variety of old domain names. You can use ExpiredDomains.net to find recently deleted domains with long histories (ideally registered for the first time more than a decade ago). You can then run the domain name through Have I Been Pwned to check if it’s been involved in any data breaches. Such breaches give your new email addresses reputation and history.
Register the domain with your provider (I use Register4Less), and then you can set up an email alias to send and receive from your new domain name. In FastMail, this is relatively quick, and you can do this with a nearly unlimited number of domains.
Also helpful, of course, is using LastPass to keep track of your many accounts and unique passwords.
This is just a short list of tools I’ve found useful for digital privacy and security. I’ll continue working on it, but I hope it’s of service to you!