Somewhere between the legalization of ISPs selling customer browsing history and the Equifax hack, I finally got angry enough to change my behavior. The bargains for my data that I agreed to were no longer worth keeping, and the ones that were beyond my control were worth thwarting. I read the same websites and Electronic Frontier Foundation warnings that you did, so I will avoid the preaching. This is a practical list of actions you can take now to stop letting Facebook, Google, your ISP, and anyone else track your browsing data and read your documents. If you have a free afternoon or weekend and want to start eating your privacy vegetables, try following as many of these recommendations as you can handle.
1. Seriously, Get a VPN
Get all your devices connected to a VPN that doesn’t log and isn’t based in any of the 14-Eyes countries. This makes all the traffic appear to your ISP to be encrypted nonsense going only to the VPN service. I use the Swiss ProtonVPN and have no complaints. If you want to force an always-on VPN policy on iOS, you’ll need a VPN that supports IPSEC IKEv2 tunnels.
2. Switch to a Secure Browser
Scripts and tracking beacons are what allow companies like Facebook to track your browsing on other websites. These trackers are present both in mobile apps and on websites, so when possible, prefer mobile web in a hardened browser over a native app.
Brave is a Chromium-based browser that features built-in script and tracker blocking for both mobile and desktop. The classic desktop option is still Firefox with recommended about:config tweaks and extensions Privacy Badger, uBlock Origin, HTTPS Everywhere, Decentraleyes, and Cookie AutoDelete. Whatever browser you settle on, test how well you have avoided fingerprinting by visiting the EFF’s Panopticlick.
Tor browser is a great additional layer for the very dedicated, but the Tor network is still pretty slow, despite continued improvements. In addition to thwarting traffic analysis with onion routing, the browser standardizes many characteristics that can be used for fingerprinting (e.g. available fonts) and comes standard with privacy tools that block scripts. I personally found this maddeningly slow, so I don’t leverage the Tor network.
3. De-Google
Use a search engine that doesn’t track you — StartPage proxies and caches Google searches and results, similar to the Google web cache feature.
In addition to everything you search, Google tracks a lot of things about you. If you have a Google account and want to stop all data collection and delete what they have now, visit myaccount.google.com and click My Activity under “Personal info & privacy.”
4. Use Encrypted Chat Apps
End-to-end encryption (E2EE) is a feature that allows an app to store and transport your data as an encrypted blob wherever it is, so it can’t be read by the server storing it or anyone who sees it move across the network. Any app that you choose to store or send data (emails, documents, password managers, etc.) should support this technology.
You don’t have to be an activist or a drug dealer to want E2EE for your texts and calls. Signal is popular and cross-platform. If your threat model doesn’t require encrypting all communication, just be sure that other messenger apps don’t have permissions to collect data like your location while you aren’t using them.
5. Delete Unencrypted Emails
Emails over 180 days old are readable without a warrant, so delete any emails older than that. Ideally, delete all of your unencrypted emails (backing up the truly important). New messages can easily be turned into inscrutable encrypted blobs using PGP with the browser extension Mailvelope. Virtru does this a bit flashier and supports mobile via an app. I wanted a mail provider that supports end-to-end encryption natively, so I opted for ProtonMail, but currently it does not have calendaring and contacts sync for phones. I chose to export my contacts and calendar from Google and imported them to Fruux.
6. Encrypt Your Files and Photos
Cryptomator is a free desktop-only app that encrypts folders on your computer, so it works both for local hard drives and adding E2EE to desktop cloud sync services like Dropbox and Google Drive. For automatically backing up my files and photos on mobile, I use Tresorit.
7. Use an Encrypted Note-Taking App
For something similar to Keep or Pinterest, Turtl is available for Android and desktop. Standard Notes is fully cross-platform for desktop and mobile and resembles a theme-able Evernote.
8. Be Aware of Location Data Collection
Location data are hardly anonymous and make a juicy target for hackers, so in general make sure you are disabling apps from accessing any type of data in the background, and location data in-app only if you really use it. Hopefully you paused Google location tracking in step 5. Sign out of the app, if you are signed in. If you use a cab app like Uber or Lyft, be aware of the type of location history with which you are entrusting them.
Replacing Google Maps can be quite painful, because nowhere else has an equivalent point-of-interest address database (the FOSS version is OpenPOI and it is lacking for my city). That means every other navigation session must begin with a web search at least for the address, then likely adding the address to a local favorites list in the map app. After scouring the OSM wiki, I discovered Magic Earth was reasonable for driving and walking directions to street addresses, and Transit offered public transportation-specific directions. However, the routes they suggested were often less direct and efficient than those given by Google Maps. If you feel ok creating and exporting a map of locations in Google, Magic Earth can also import Points of Interest.
9. Opt Out of Purchase Tracking
“Identity resolution” and “data onboarding” companies are now offering to combine all the tracking data available about you online with your offline purchase data and loyalty card usage that a business may already have about you. Many ask you to keep a special cookie to opt out, but a few big ones have forms. Acxiom is one of the largest data collectors and dealers, along with Oracle’s Datalogix, LexisNexis, and Intelius. If you want to stop generating credit card purchase data in the first place, shop locally in cash, which may make you more happy and thrifty as a side effect. Cryptocurrencies can provide some separation between you and your online purchases, especially if you pick one of the flavors build specifically for anonymity, like Monero, and deliver it to a Post Office box. If you are near a cryptocurrency ATM, exchange cash for bits and consider using a secure hardware wallet.
10. Erase Your Social
If you’re set on having an InstaFaceTwitter, I won’t argue with you. You know that they track you and you’re trying to avoid it with the above steps. If you don’t get your privacy settings right, though, data brokers can mine data about you from your social media feeds, in addition to scraping it from public records. Not many have opt-out forms, and they are generally not permanent. I chose to take it farther than many and deleted all my social media accounts, then opted out of several brokers. They will mine for my data again, but there won’t be content left for them to find. Additionally, I chose to clean up forgotten accounts with Deseat.me, a cool service that searches many sites for your email address and links to instructions to delete those accounts.
11. Advanced Alternative: Self-Hosting Everything
Hosting one’s own infrastructure is not only tedious, it can be dangerous if internet-facing boxes aren’t given enough protection and attention. Additionally, I think hosting one’s own mail server is a particularly bad option for most people because of the additional pain points that come with handling incoming email. However, for those determined to host backups themselves, I found NextCloud a one-stop cloud shop for file storage, password management, and more. While it was very easy to get running with Snap and had a full-featured mobile app, I wanted a completely SaaS solution, so I tore my instance down.
I do choose to self-host my music and listen to my offline tracks on an MP3 player that doesn’t require any software to sync. After reading the privacy policies of Spotify, Apple Music, Pandora, and Tidal, I try to stick to SomaFM for streaming radio.
Are You Ready?
I hope you have been convinced that there are a few steps for privacy that are easy to take and good value for the time invested (VPN, deleting old email, opting out of tracking). There are others that are slightly inconvenient but don’t have to be used all the time (email, chat, Cryptomator) and a few that require life changes (cash or cryptocurrencies, no social media). Act according to your threat model and budget. Make good choices out there.
