Digital Security Basics

This guide is intended to take a beginner's look at some online security basics. I’ve no affiliations, and the makers of the software recommended do not pay me.

Sources

There’s lots of good info out there, and some bad, and I don’t claim to originate any of it. Here are some good sources that helped me come to my personal recommendations:

Why Care?

  • Who controls your data?
  • What are they allowed to do with it, legal or otherwise?
  • Identity Theft
  • Phishing
  • Censorship
  • De-platforming
  • Propaganda
  • Swatting
  • The list goes on…

But But But

  • But I have nothing to hide! Do you think the baddies care?
  • But It’s too hard/complicated! It can be, but hopefully this guide helps.
  • But bad things will never happen to me, I’m too little a fish. Do you think the baddies care?
  • But the bad guys can/do this too. Indeed, just as bank robbers use public roads and breathe the same air as you and I.
  • But this sounds utopian. It isn’t meant to be. There is no such thing as perfect security. We are just locking the doors at night.
  • Nihilism: it’s all just pointless. Do not stare into the abyss, friend.

Behavior

Don’t draw the Eye of Sauron, as he’ll send some orcs to say hi. This includes fedposting, which is deliberately posting things online, like threats, or certain key phrases, that will get you a knock on the door or worse. Social media is strewn with landmines, tread carefully.

Passwords: don’t reuse passwords, and don’t use insecure ones (short, made of dictionary words, or built from data directly linked to you). I know this is probably preaching to the choir, but it bears repeating. More on password managers later.

Use your real name and address as little as is feasible. Signing up for some random free service that seems a little sketchy? Use a random name. Signing up for a banking service? Use your real one.

Have a healthy skepticism of narratives and propaganda. This can be tough to identify, or even over-identify. Two good rules of thumb: what are they trying to get me to believe and cui bono (who benefits?).

Software and Services

What software and online services should be avoided and which are above-board? Again, I am not paid to endorse any of these products…

  • Generally speaking, move from third-party platforms/protocols/software that treat your data carelessly to those that steward it carefully, and from there to self-hosted.
  • Open-source: a good indicator that there are fewer (or no) shenanigans.
  • End-to-End Encrypted (E2E), meaning that your data can’t be snooped at rest (on your phone or on a company’s server) or in transit (going between the two).
  • Many desktop and mobile applications phone home; use the web version if available (e.g. the Spotify app vs https://open.spotify.com).
  • If the product is free, you are likely the product.

Operating Systems

Following the theme laid out above, we want to look for operating systems that take your privacy/security seriously, with minimal or no phoning home to the mothership.

Desktop:

  • Avoid: Microsoft, Google Chrome OS
  • OK: MacOS
  • Best: Linux anything

Mobile:

  • Avoid: Android
  • OK: iOS
  • Best: Android alternatives such as Calyx and GrapheneOS

This is the software category where the Avoid entries are hardest to escape. Maybe you need Microsoft Windows for work, or because a certain program you need is only compatible with one operating system. Android alternatives can be difficult to operate as well. Even if you are stuck in the Avoid category, privacyguides.org has great guides on how to harden your systems.

Web and Search

Web browsers are how most people access the digital realm. Picking a web browser that takes your privacy and security seriously is incredibly important.

Web Browsers:

  • Avoid: Google Chrome, Microsoft anything
  • OK: Safari (iOS, MacOS)
  • Best: Firefox, Brave

Like web browsers, choosing a search engine that takes your privacy and security seriously is important.

Search Engines

  • Avoid: Google, Bing, Yahoo
  • Ok: DuckDuckGo
  • Best: Searx, Qwant

The search engine field is really interesting, as it is evolving from the still-dominant Google to other, privacy-based services. As such, these recommendations may be out of date in a few months.

Passwords and Two-Factor Authentication (2FA)

Why use a password manager? A password manager will take care of remembering all of the various difficult passwords for you. All you need to remember is your (yes, it should be difficult) master password to your password manager.

Whenever choosing a new password for a site or service, just have your password manager generate and save it.

Most folks will simply have their web browser or device (Apple/Android) save passwords for them. Instead, try using a dedicated password manager as listed below.

  • Avoid: not using one
  • OK: literally anything
  • Best: Bitwarden, Keepass
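As an added example (not code from this guide, and not how Bitwarden or KeePass do it internally), here is what a password manager's generator is doing when you ask it for a password, and what makes a password "short" or "insecure" in the sense used above: draw every character from the operating system's cryptographic random source, and measure strength as entropy in bits. The character set, the 60-bit threshold, the helper names and the tiny word list are my own choices, constructed for illustration.

```python
import math
import secrets
import string

# Character classes the generator draws from. Requiring at least one character
# of each class is a common site rule; it barely changes the entropy but avoids
# the generated password being rejected by such sites.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())

# Constructed toy word list; a real Diceware-style list has thousands of words,
# which is what makes a few words add up to a strong passphrase.
SAMPLE_WORDLIST = ["apple", "bolt", "cedar", "delta", "ember", "fjord", "grove", "harbor"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Uniformly random password from ALPHABET using the OS CSPRNG (`secrets`),
    resampled until every class is present. The `random` module is NOT suitable here."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


def generate_passphrase(words: int, wordlist: list[str], sep: str = "-") -> str:
    """Diceware-style passphrase: each word is one uniform pick from the list,
    so the entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def looks_weak(password: str, personal_facts: list[str], min_bits: float = 60.0) -> list[str]:
    """Checks matching the guide's three complaints: short, a plain word, or tied to you.
    Returns the reasons found; an empty list means none of these checks fired."""
    reasons = []
    # Assume the attacker knows which character classes were used: estimate the
    # effective alphabet from the classes actually present in the password.
    used = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    if entropy_bits(len(password), max(used, 1)) < min_bits:
        reasons.append("short for its character set")
    lowered = password.lower()
    for fact in personal_facts:
        if fact.lower() in lowered:
            reasons.append(f"contains personal data: {fact}")
    if password.isalpha() and len(password) <= 12:
        reasons.append("looks like a plain word")
    return reasons


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
    print(generate_passphrase(4, SAMPLE_WORDLIST), "(toy list: only",
          f"{entropy_bits(4, len(SAMPLE_WORDLIST)):.0f} bits)")
    print("Summer2023 ->", looks_weak("Summer2023", ["summer"]))
```

The entropy figure is the useful takeaway: eight lowercase letters are under 40 bits no matter how "random" they look, while 20 characters from the full set are around 130 bits, which is why the guide says to let the manager generate and remember passwords rather than inventing them.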

2FA is an additional layer of security that you input in addition to your password. Most people know this as an SMS code sent to your phone. There are other types of 2FA as well, and for all software/services that allow it, you should enable 2FA.

If you’re bored one day, after picking a dedicated password manager, go through your email, browser, or device and for each login/password:

  1. Add a new entry in your password manager for it.
  2. Have your password manager generate and save a new, strong, password.
  3. Login to that site/service, and change its password to the one you just generated.
  4. See if the site/service allows 2FA and, if so, enable it. In your 2FA app, scan the provided QR code, then input the 6-digit number your 2FA app generated to confirm 2FA back on the site.

Your password manager can likely be additionally secured with 2FA as well.

Email and Messaging

Email is ubiquitous and unavoidable. Many, but not all, free services monetize your data. Although some in the Best category offer free tiers, independent auditing confirms that your data is not sold.

  • Avoid: Gmail, Outlook.com, Yahoo
  • Best: Protonmail, Tutanota

Using an aliasing company such as SimpleLogin (though recently bought by Proton) can add another layer of anonymity.

Originally I ultimately recommended hosting your own email server, but that’s probably too complicated for the purposes of this guide.

The largest problem with most messaging apps is that their data is sent or stored unencrypted, leaving you exposed to snooping, on top of the questionable data-security practices of many of these companies.

  • Avoid: unencrypted services such as SMS, Discord, Facebook Messenger.
  • Meh: iMessage, WhatsApp, Telegram
  • OK: Signal
  • Best: Self-hosted, decentralized end-to-end encrypted protocols such as Matrix paired with Element.

Why leave self-hosted off the email list but keep it here? I find this self-hosted service to be simpler to set up and maintain.

VPN, Tor, and Encryption

VPNs (Virtual Private Networks) encrypt web traffic between your home and the VPN provider’s servers. They are used for privacy, not anonymity. Instead of your traffic coming from your home IP address, it will come from the VPN provider’s IP address.

When to use a VPN:

  • If you don’t trust your ISP (Internet Service Provider).
  • When travelling, for the same reason as the point above.
  • If you need to access services only available in a certain market.

Keep in mind that some websites and services block VPNs. Look for VPN providers that have a zero-logging policy and have been independently audited by a third party, such as ProtonVPN and Mullvad (there are others).

Tor is an onion network that routes traffic through a series of nodes and provides anonymity. Instead of your usual .com or .net website addresses, it uses .onion addresses. Although you can connect to .com, .net, etc. addresses while connected to the Tor network, you should not, because doing so kills the anonymity the network provides. Only use it to access .onion web addresses. Tor is accessed primarily through the Tor Browser or through the Brave web browser.

Disk encryption is used to protect the data on your device. Without it, anyone with physical access to your computer can easily access your data by pulling out your data drive and plugging it into another system. Disk encryption prevents this. Typical disk encryption programs are VeraCrypt, GNU Privacy Guard, and BitLocker (Windows Pro only). Remember: if you forget your password and lose your recovery keys, your data is toast.

Cloud

“The Cloud” is useful for easy access to your documents, photos, or other files. It can be used as an offsite backup location. The problem is that most cloud providers don’t offer end-to-end encryption, sell your data, and snoop on your files. This means that one should, if possible, avoid services such as Microsoft OneDrive, Apple iCloud, Dropbox, Box, etc. If you must use one of these services, use something like Cryptomator to encrypt your files before uploading.

There are a number of cloud providers that do offer encryption, such as Mega, Icedrive, Filen, and Nextcloud, among others.

Summary

Any service not hosted by you or a trusted third party means that they, not you, own your data.

Many desktop and mobile applications phone home, so try to use the web version if available (e.g. the Spotify app vs https://open.spotify.com).

You’ll need to be willing to sacrifice a little convenience for digital sovereignty.

There is no such thing as perfect security/privacy, but you should do what you reasonably can.

Take it one step at a time: this can feel like a deluge of information and just too much to do. It’ll take time to change habits and that’s OK.

It’s also worth reiterating good sources for more alternatives:

Techlore – their YouTube videos do a great job of breaking down topics into beginner, intermediate, and advanced.
Privacytools.io
privacyguides.org
