Online privacy: how to protect it for normal people
Part II - Four levels of measures you can apply that don't make you sound paranoid
After a much-discussed Part I, where I presented some arguments about why you should protect your online privacy, this week we will go through some practical recommendations.
But before the list, it's important to address a fair criticism I got from Part I: the lack of actionable items. In the previous article the idea was to expand on the why: do we understand the risks? Can we explain to our relatives why they should care? I believe that for the majority of people the answer is no. That's why I stand by my statement that it really depends on different factors and there is no simple answer.
But allow me to be even more specific, and cite Article 32 of the GDPR:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Two things worth retaining: the need to consider the costs of implementation (money and time), and that the measures must be appropriate. This is an example of why it's so hard to give you a magic bullet that will solve all the privacy issues. To the question of how much you should do, I always respond: as much as you can.
Who are you hiding from?
To start, defining who you are hiding from is important. Some examples:
Government / Mass surveillance
Scammers & Hackers (phishing attacks, data leaks, etc) - either targeted or passive attacks
Big Tech
Abusive partner
All of these require different approaches to protecting your privacy: you would use a VPN to hide traffic from your Government, but that would be less important against an abusive partner, where having strong passwords would matter more. On the same note, if you don't shop online or don't have a Credit Card, the risk of being scammed is significantly lower. I also bet a lot of journalists know how to use Tor to keep their anonymity.
How sensitive is the data inside?
This is where the 'appropriate measures' gain importance. You need to decide how important the data you are protecting is, and this will define how deep you must go. The cloud system where you store documents might be very valuable to you, but your search history might not have that much impact on your life if someone gains access to it.
At the end of the day, you need to respond to the question: how serious would it be if other people had access to this data?
The 80/20 rule - a leveled approach
Because this article doesn't want to be exhaustive, the idea is to share four levels of your online privacy path. If you manage to follow the first two, you are already better off than the majority.
This is a non-exhaustive list, so feel free to Tweet at me and suggest changes.
Level 1: Website, service or App Hardening
The idea is to make it harder for other people to access your information.
Technical difficulty: low
Mitigates: targeted attacks, passive attacks, oversharing
Measures:
Unique password per website / service
Decent password complexity
Use a password manager, preferably a self-hosted one such as Bitwarden
Activate multi-factor authentication, at least on websites where you have your Credit Card stored
Use a second phone for MFA related to banking. Don't give this phone number to anyone
Web hygiene: close old accounts, unsubscribe from newsletters (except this one, this one is great), etc.
Use disposable emails instead of creating accounts wherever possible
Every account, service or App should hold the least amount of data needed to complete its function
Backup your belongings
Keep all your devices updated - Laptop, smartphone, fridge, camera, etc.
Review the permissions on your phone AND Social Media accounts
Be very careful with the browser extensions you use, and install an Ad Blocker
Check all your emails in services like haveibeenpwned.com (it will tell you if your email is in a data leak)
Tools:
https://justdeleteme.xyz/
https://temp-mail.org/en/
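An added example (not from the original post) of how a leak check can be done without handing your secret to the service: the haveibeenpwned.com Pwned Passwords range API only receives the first five characters of the password's SHA-1 hash, and the matching happens on your machine. The sample response below is constructed so the script runs offline; the live fetch is optional.

```python
import hashlib
import urllib.request
from typing import Optional

# Added example (not from the original post): leak check for a *password*
# against the Pwned Passwords range API of haveibeenpwned.com. It uses
# k-anonymity: only the first 5 hex chars of the SHA-1 hash are sent; the
# password and its full hash never leave your machine.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line); return the breach
    count for our suffix, or 0 when it is absent."""
    for line in range_body.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup (needs network); only the 5-char prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "privacy-guide-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def is_pwned(password: str, range_body: Optional[str] = None) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)

# Constructed offline sample: a fake range response that contains the suffix
# of "password1" (the count 2412812 is made up for this demo, not real data).
_suffix = split_hash("password1")[1]
SAMPLE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    f"{_suffix}:2412812\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
)

if __name__ == "__main__":
    print("password1 seen", is_pwned("password1", SAMPLE_BODY), "times")
```

Calling is_pwned with no second argument performs the real lookup; a password manager does the same check for you before you reuse a leaked password.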
Level 2: Privacy-friendly alternatives
This level is about replacing services you already use for others that take your online privacy more seriously.
Technical difficulty: low-medium
Mitigates: Mass surveillance, Big Tech surveillance, Censorship
Measures:
Stop using companies like Google. If you still want to search on it, log out of your account and/or use it in private mode. On a smartphone, you can use Firefox Focus
Use Firefox as a browser. If you like Chrome, there's an 'un-googled' version of Chromium you can use
Move your email to a privacy-friendly service such as Proton Mail or your own mail server (might be harder to do)
For Cloud storage, you can also use the Proton service or Mega. If you buy your own personal storage (NAS), you can also have your own personal cloud instance. It's not that hard.
For messaging, use Signal or Telegram and leave WhatsApp
Tools:
https://github.com/ungoogled-software/ungoogled-chromium

Level 3: Hide traffic
This one should be higher in the list if you're hiding from the government.
Technical difficulty: medium
Mitigates: Mass surveillance, Big Tech surveillance, Censorship
Measures:
Encrypt your DNS requests (DNS over HTTPS)
Use a VPN
Activate HTTPS Only in your browser
Tools:
https://support.mozilla.org/en-US/kb/https-only-prefs
Level 4: Anonymity
Without going full Edward Snowden, having a fake identity can be useful if you want to acquire products or access special information. It's not about having things to hide: hiding your identity can be useful for journalists in countries where censorship is a problem.
Technical difficulty: medium
Mitigates: Mass surveillance, Big Tech surveillance, Censorship
Measures:
Don't use your real email address
Use anonymous paying systems such as Monero
Use Tor
Use virtual credit cards such as Entropay
Ditch your iOS and Android and go PinePhone
Tools:
https://www.fakenamegenerator.com/
https://www.torproject.org/download/
Privacy-friendly options are growing in popularity
The graph below shows the number of daily searches made per year on DuckDuckGo, a Google competitor. It currently represents around 2.5% of overall market share and is still growing.

Not the red pill, just purple
If you want to protect yourself from the increasing number of security incidents, these four phases should have you covered. From what I read around, this guide covers a good part of what a normal person can do and should improve your online privacy by 80%. Some other recommendations that can contribute to the cause are:
Check the /r/privacy subreddit
Subscribe to this newsletter
- Whenever practical, devices should just be kept offline (e.g. fridge).
- Using a self-hosted mail server can significantly reduce anonymity (all emails are tied to a single domain).
- All files stored in the cloud should be encrypted offline by third-party software before uploading. Yes, this even applies to Proton Drive and MEGA.
- Telegram is NOT PRIVATE and probably a WORSE choice than WhatsApp. Signal, Session, Matrix, XMPP, Briar, and a few more are all good choices, Signal being the easiest to adopt.
- Encrypted DNS offers zero privacy benefit. The domains you access are leaked in plain text to your ISP via SNI.
- Using a VPN as a blanket recommendation is very questionable; see the excellent guidance on Privacy Guides instead: https://www.privacyguides.org/vpn/
- The PinePhone and other Linux phones in their current state are significantly less secure than Android (and probably iOS too). GrapheneOS and DivestOS are much better recommendations to maximize privacy, security, and usability.