Cybersecurity Tips

🔒 Online privacy: how to protect it for normal people

Part II - Four levels of measures you can apply that don't make you sound paranoid

Nuno
Jun 24, 2022

After a much-discussed Part I, where I presented some arguments about why you should protect your online privacy, this week we will go through some practical recommendations.

But before the list, it’s important to address a fair criticism I got from Part I: the lack of actionable items. In the previous article the idea was to expand on the why: do we understand the risks? Can we explain to our relatives why they should care? I believe that for most people the answer is no. That’s why I stand by my statement that it really depends on different factors and there is no simple answer.

[Photo: private signage door. Photo by Dayne Topkin on Unsplash]

But allow me to be even more specific, and cite Article 32 of the GDPR:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Two things worth retaining: the need to consider the costs of implementation (money and time), and that the measures must be appropriate to the risk. This is an example of why it’s so hard to give you a magic bullet that will solve all the privacy issues. To the question of how much you should do, I always respond: as much as you can.

Who are you hiding from?

To start, defining who you are hiding from is important. Some examples:

  • Government / Mass surveillance

  • Scammers & Hackers (phishing attacks, data leaks, etc) - either targeted or passive attacks

  • Big Tech

  • Abusive partner

All of these require different approaches to protecting your privacy: you would use a VPN to hide traffic from your government, but that matters less against an abusive partner, where having strong passwords would matter more. On the same note, if you don’t shop online or don’t have a credit card, the risk of being scammed is significantly lower. I also bet a lot of journalists know how to use Tor to stay anonymous.

How sensitive is the data inside?

This is where the “appropriate measures” gain importance. You need to decide how important the data you are protecting is, and this will define how deep you must go. The cloud system where you store documents might be very valuable to you, but your search history might not have that much impact on your life if someone gains access to it.

At the end of the day, you need to respond to the question: how serious would it be if other people had access to this data?


The 80/20 rule - a leveled approach

Because this article isn’t meant to be exhaustive, the idea is to share four levels of your online privacy path. If you manage to follow the first two, you are already better off than the majority.

This is a non-exhaustive list, so feel free to Tweet at me and suggest changes.

Level 1: Website, service or App Hardening

The idea is to make it harder for other people to access your information.

  • Technical difficulty: low

  • Mitigates: targeted attacks, passive attacks, oversharing

Measures:

  • Unique password per website / service

  • Decent password complexity

  • Use a password manager, preferably a self-hosted one such as Bitwarden

  • Activate multi-factor authentication, at least in websites where you have your Credit Card stored

  • Use a second phone for MFA related to banking. Don’t give this phone number to anyone

  • Web hygiene: close old accounts, unsubscribe from newsletters (except this one, this one is great), etc.

  • Use disposable emails instead of creating accounts wherever possible

  • Every account, service or App should have the least amount of data needed to complete its function

  • Backup your belongings

  • Keep all your devices updated - Laptop, smartphone, fridge, camera, etc.

  • Review the permissions on your phone AND Social Media accounts

  • Be very careful of the browser extensions you use and install an Ad Blocker

  • Check all your emails in services like haveibeenpwned.com (it will tell you if your email is in a data leak)
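Three of the measures above (unique passwords, decent complexity, and checking against known leaks) can be audited over a password-manager export. The script below is an added example, not part of the original post: it runs over a constructed sample vault, flags reused and short passwords, and shows how the Have I Been Pwned "Pwned Passwords" range lookup works with k-anonymity (only the first five characters of the SHA-1 hash ever leave your machine). The `range_lookup` callback, the sample vault and the `FAKE_RANGE` response body are all constructed for the demo.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (not real credentials), in the shape of a
# password-manager export: one entry per site.
VAULT = [
    {"site": "shop.example", "password": "Summer2022!"},
    {"site": "bank.example", "password": "Summer2022!"},
    {"site": "mail.example", "password": "correct-horse-battery-staple-9"},
    {"site": "forum.example", "password": "password"},
]

def find_reused(vault):
    """Return {password: [sites]} for every password used on more than one site."""
    by_pw = defaultdict(list)
    for entry in vault:
        by_pw[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}

def too_short(vault, min_len=12):
    """Sites whose password is shorter than min_len characters."""
    return [e["site"] for e in vault if len(e["password"]) < min_len]

def hibp_split(password):
    """SHA-1 the password; the 5-char prefix is what the range API receives,
    the 35-char suffix is matched locally and never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def pwned_count(password, range_lookup):
    """range_lookup(prefix) returns the API's text body ('SUFFIX:COUNT' per
    line); return how many times the password appeared in breaches, else 0."""
    prefix, suffix = hibp_split(password)
    for line in range_lookup(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0

# Constructed offline stand-in for the range API body for prefix 5BAA6
# (the real body has hundreds of suffixes; the counts here are made up).
FAKE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
             "0123456789ABCDEF0123456789ABCDEF012:3\n",
}

def fake_lookup(prefix):
    return FAKE_RANGE.get(prefix, "")

def live_lookup(prefix):
    """Real network lookup against the Pwned Passwords range endpoint."""
    from urllib.request import urlopen
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")
```

Swap `fake_lookup` for `live_lookup` in `pwned_count` to check a real vault export; the full password hash is still never transmitted.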

Tools:

  • https://justdeleteme.xyz/

  • https://temp-mail.org/en/

Level 2: Privacy-friendly alternatives

This level is about replacing services you already use for others that take your online privacy more seriously.

  • Technical difficulty: low-medium

  • Mitigates: Mass surveillance, Big Tech surveillance, Censorship

Measures:

  • Stop using companies like Google. If you still want to search on it, log out of your account and/or use it in private mode. On a smartphone, you can use Firefox Focus

  • Use Firefox as a browser. If you like Chrome, there’s an “un-googled” version of Chromium you can use

  • Move your email to a privacy-friendly service such as Proton Mail or your own mail server (might be harder to do)

  • For Cloud storage, you can also use the Proton service or Mega. If you buy your own personal storage (NAS), you can also have your own personal cloud instance. It’s not that hard.

  • For messaging, use Signal or Telegram and leave WhatsApp

Tools:

  • https://github.com/ungoogled-software/ungoogled-chromium


Source: /r/privacymemes

Level 3: Hide traffic

This one should be higher in the list if you’re hiding from the government.

  • Technical difficulty: medium

  • Mitigates: Mass surveillance, Big Tech surveillance, Censorship

Measures:

  • Encrypt your DNS requests (DNS over HTTPS)

  • Use a VPN

  • Activate HTTPS Only in your browser

Tools:

  • https://support.mozilla.org/en-US/kb/https-only-prefs

Level 4: Anonymity

Without going full Edward Snowden, having a fake identity can be useful if you want to acquire products or access special information. It’s not about having things to hide, but hiding your identity can be useful for journalists in countries where censorship is a problem.

  • Technical difficulty: medium

  • Mitigates: Mass surveillance, Big Tech surveillance, Censorship

Measures:

  • Don’t use your real email address

  • Use anonymous paying systems such as Monero

  • Use Tor

  • Use virtual credit cards such as Entropay

  • Ditch your iOS and Android and go PinePhone

Tools:

  • https://www.fakenamegenerator.com/

  • https://www.torproject.org/download/


Privacy-friendly options are growing in popularity

The graph below shows the number of daily searches per year on DuckDuckGo, a Google competitor. It currently represents around 2.5% of overall market share and is still growing.

Source: Backlinko

Not the red pill, just purple

If you want to protect yourself from the increasing number of security incidents, these four phases should have you covered. From what I read around, this guide covers a good part of what a normal person can do and improves your online privacy by 80%. Some other recommendations that can contribute to the cause are:

  • Check the /r/privacy

  • subscribe to this newsletter 😎

Thank you for reading Cybersecurity Tips. This post is public so feel free to share it.

3 Comments
User
Jun 25, 2022 · edited Jun 25, 2022 · Liked by Nuno

- Whenever practical, devices should just be kept offline (e.g. fridge).

- Using a self-hosted mail server can significantly reduce anonymity (all emails are tied to a single domain).

- All files stored in the cloud should be encrypted offline by third-party software before uploading. Yes, this even applies to Proton Drive and MEGA.

- Telegram is NOT PRIVATE and probably a WORSE choice than WhatsApp. Signal, Session, Matrix, XMPP, Briar, and a few more are all good choices, Signal being the easiest to adopt.

- Encrypted DNS offers zero privacy benefit. The domains you access are leaked in plain text to your ISP via SNI.

- Using a VPN as a blanket recommendation is very questionable; see the excellent guidance on Privacy Guides instead: https://www.privacyguides.org/vpn/

- The PinePhone and other Linux phones in their current state are significantly less secure than Android (and probably iOS too). GrapheneOS and DivestOS are much better recommendations to maximize privacy, security, and usability.
