Below are a few tools, materials, and settings for people interested in practicing their digital privacy and security, based on my hobbyist web interests. Hopefully they can be useful in the everyday for a human like yourself. If you’re interested in learning a bit more, consult the General Resources below (and search beyond!).
While reading about digital privacy and security tips, it’s important to remember that the single best way to protect your digital privacy is by limiting your use of digital technology. First, consider whether or not you need it; then, be critical about why and how you use it. Think carefully about what you sign up for and what kinds of data traces might be left behind.
A note on using these tools and services: consider donating to the makers if you’re able! Maintaining technologies like these takes time and dedicated work. Giving a little to use these robust tools keeps them up and running.
(Last updated: December 7, 2019)
Surveillance Self-Defense guide by the Electronic Frontier Foundation (EFF)
- EFF’s glossary of privacy and security terms
Keep in mind that few digital self-defense tools matter without strong passwords.
Web Browsing Tools
HTTPS Everywhere — when possible, the browser plugin automatically establishes secure encrypted HTTPS connections (https://) rather than using unencrypted HTTP. (Note that the plugin is useless for websites that haven’t enabled HTTPS.)
Privacy Badger * — browser plugin that blocks tracking by advertisers and other third parties when visiting websites.
* Note: Blocker plugins like uBlock Origin, Privacy Badger, Disconnect, and NoScript may break some content in webpages. You can temporarily disable them and/or whitelist sites in the plugins’ settings.
- Firefox – privacy-oriented, open-source, nonprofit web browser maintained by the Mozilla Foundation
- Firefox Focus — simple, privacy-oriented browser for iOS and Android
Tor Browser — as part of the Tor Project, this browser is pre-configured to anonymize your internet connection. It runs your web traffic through the Tor Network, bouncing it through multiple volunteer-run servers around the world to mask your identity and location information. Consequently, it is somewhat slower than most connections, and requires conscious internet behavior to protect your privacy to the greatest extent (e.g. if you log into Facebook via the Tor Browser, you’re associating your personal login info with your Tor Browser session IP address, negating Tor’s work to anonymize your web traffic during that session). There is also a significant difference between anonymizing and encrypting data, though both can and should be done together. EFF has a good graphic on what the Tor Network does (anonymize data) and what HTTPS, SSL/TLS, and end-to-end encryption do (encrypt data). Tor Browser attempts to do both of these as well as it can in any situation. Tor is one of the most secure digital privacy tools out there, but that doesn’t mean that it’s the right tool for all uses.
Messaging & Email Tools
Signal — end-to-end encryption for messages and internet voice calls, open-source. Fabulous on all accounts. Available for Android, iPhone, and desktop (Mac, Windows, and Debian-based Linux).
WhatsApp — end-to-end encryption for messages and internet video/voice calls, but not open-source. WhatsApp is owned by Facebook, and Facebook has been pushing to link WhatsApp and Facebook user data (and message metadata) for advertising, analytics, and who knows what else.
Email PGP encryption — Email PGP (Pretty Good Privacy) can be a pain to set up and use (and you can only use it with others using PGP), but it secures your email content (but not metadata—subject line, sender, location, time sent, etc.) like nothing else could. Plus, it can be fun to learn! EFF has a great introduction to public key cryptography and setup guides for Mac, Windows, and Linux users. For Gmail/Google-hosted mail, there’s Mailvelope. Also of note:
- International Center for Journalists: “Six Encryption Tools Every Journalist Should Use” — useful document for weighing pros and cons of various email encryption tools
- Freedom of the Press Foundation: “Anti-Phishing and Email Hygiene”
Device camera tape
Cover up your computer’s webcam when not in use. Why? Because it’s easy, and government officials, Edward Snowden, IT people, cryptography experts, and cybersecurity writers support it. Activating webcams remotely isn’t unheard of, and similar kinds of surveillance now happen on a mass scale. While your webcam getting compromised may not seem likely, it doesn’t hurt to take a simple (and removable) precaution.
- Zeit and Malte Spitz: “Tell-all telephone” — In 2009, a German politician sued to see what information his cellular provider tracked and retained
- EFF: “The Problem with Mobile Phones”
- DuckDuckGo Blog: “How To Protect Your Privacy on iPhone/Android”
You can adjust a handful of settings to control the collection and use of some of your cellular device data. When updating your phone’s software, some of these settings may be reset to their defaults. (These are instructions for iPhones, but the principles on other devices are similar.)
Use a 6-digit passcode, not your fingerprint
(Settings → Touch ID & Passcode)
It’s generally a good rule of thumb to limit sharing personal identifying information (like a fingerprint) with a corporation when possible. There may be additional concerns about this for arrested demonstrators, whose devices may be unlawfully unlocked with their finger without a warrant.
As a bonus, when you set a passcode on newer iPhones (or a fingerprint), the data on your device is automatically encrypted.
Limit Ad Tracking
(Settings → Privacy → Advertising)
Apple, like many companies, collects and can sell your data to third parties. You can opt out of some targeted advertising by turning on “Limit Ad Tracking” and resetting your advertising identifier.
Limit Location Services
(Settings → Privacy → Location Services)
You can manually change which apps can access your location data and when. Most apps shouldn’t need your exact location, so you can switch their access level to “Never”. When you do need your location to be used in an app (for GPS navigation, for example), switch the setting to “While Using”. Switch the Camera app setting to “Never”—most people don’t need their exact location geocoded into the photos they take. This data gets passed along to other applications and platforms (e.g. Instagram) that share your information with advertising companies and others.
At the bottom of the app list, make sure that the location services options in the System Services panel are all turned off (except if you use Find My iPhone, or want your Time Zone automatically set by location). This will decrease some of the location data sent to your cellular provider and Apple, though it will not negatively affect your phone’s performance. If anything, less data is good.
In the System Services panel, turn off “Frequent Locations” and clear your frequent location history. Otherwise, your phone will continue to track places you visit often, which is potentially useful for Apple to share with advertisers, data brokers, and the like.
Limit Background App Refresh
(Settings → General → Background App Refresh)
Some apps continue to fetch data (including your location), which can use up battery and transmit unnecessary information while you are not directly using an app.
It’s good every so often to look through your privacy settings for all forms of digital tech—email accounts, social media accounts, posts, browsers, phones, etc. If desired, you might enable two-factor authentication on accounts (especially email accounts) when possible.
Facebook Account Settings
Comb through the various sections of your account settings and read the wording closely, particularly in the “Privacy”, “Apps”, and “Ads” sections. A handful of personal account settings you can control on Facebook:
- Default audience post (Public, Friends, or otherwise)
- Who can look you up by your email/phone number
- Whether your Facebook profile can show up on search engines
- Autofill facial recognition settings for photos/videos
- Your information accessed by third-party apps, and your information accessed by your Facebook friends’ apps (be very strict about information accessed by apps, and turn off the “Apps, Websites, and Games” setting altogether if possible)
- Some information accessed by advertisers
When posting something, pay attention to the audience the post will be visible to: if you don’t want a post Public (visible to any user on or off Facebook), change the audience to “Friends.” Facebook has guides on how to change who can see individual posts, who can see info on your timeline, and who can see Facebook group information.
When creating public events, you can select whether or not you want the guest list to be visible to attendees and the public (people on and off Facebook).
Facebook event guest list visibility
Google Account Settings
Access account settings by clicking your account icon in the top right corner and going to “My Account.” There, you can adjust “Ads Settings” (allowing you to opt out of some data collection) and “Manage your Google activity” (allowing you to pause and remove stored web and app activity, search histories, device information, and voice/audio activity).
Google account settings
- Encrypt your phone—and computer, too. Newer iPhones are automatically encrypted if you use a passcode. Mac users can use FileVault—found in System Preferences → Security & Privacy—to easily encrypt the computer’s internal hard drive with your login password.
- Periodically delete web browser cache, cookies, and browsing history.
- Avoid making transactions or accessing sensitive information on public WiFi. Public WiFi networks are usually not secure and can easily reveal user information and passwords on the network. Software that enables data theft over public WiFi, while sometimes illegal to use, is quite easy to get. When you do use public WiFi, make sure your Internet connection is encrypted whenever possible (see the HTTPS Everywhere plugin above). Or, look into using a Virtual Private Network (VPN).
- Avoid using digital “cloud” services. When you do, don’t rely too much on them—for privacy and security reasons, as well as environmental ones. Cloud services, like the undersea cables that connect servers across the world, are made of infrastructure that can be surveilled, sold, or sabotaged. However, there are alternatives out there, such as the “no knowledge” encrypted cloud storage service provided by SpiderOak.
- Encrypt user connections to your website by enabling HTTPS by default. Let’s Encrypt is a free certificate authority that makes this pretty easy to do. It is readily accessible through website dashboard managers like cPanel. Once you have issued a certificate for your domain, you may need to manually replace any linked files on old posts/pages with the prefix “https://…” (instead of “http://…”). Or find a trustworthy plugin to do it for you. Additionally, you may need to edit your website’s .htaccess file in the root directory to redirect all HTTP requests to HTTPS.
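
For the last item above, finding the `http://` references left in old posts is the part most easily missed. The following is an added example, not code from this page's author; the function names, `example.org` (standing in for your own domain) and `cdn.example.net` are assumptions. It lists each insecure reference with its line number and rewrites only the ones pointing at your own host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Fetched during page load (mixed content over http://) vs. navigation targets.
MIXED = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href"),
         ("audio", "src"), ("video", "src"), ("source", "src")}
LINKS = {("a", "href"), ("form", "action")}

class InsecureRefFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            url = (value or "").strip()
            parts = urlsplit(url)
            if (tag, attr) not in MIXED | LINKS or parts.scheme != "http":
                continue
            self.findings.append({
                "line": self.getpos()[0], "tag": tag, "url": url,
                "kind": "mixed-content" if (tag, attr) in MIXED else "insecure-link",
                # Only our own host is known to have a certificate installed.
                "own_host": parts.hostname == self.own_host,
            })

def scan(html, own_host):
    """Return every http:// reference in html, with its line number."""
    finder = InsecureRefFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

def upgrade_own_urls(html, own_host):
    """Rewrite http:// to https:// for references to own_host only."""
    for f in scan(html, own_host):
        if f["own_host"]:
            html = html.replace(f["url"], "https" + f["url"][4:])
    return html

# Constructed sample post; example.org stands in for your own domain.
SAMPLE_POST = ('<img src="http://example.org/uploads/cat.jpg">\n'
               '<script src="http://cdn.example.net/lib.js"></script>\n'
               '<a href="http://example.org/about">About</a>\n')

if __name__ == "__main__":
    print(*scan(SAMPLE_POST, "example.org"), sep="\n")
    print(upgrade_own_urls(SAMPLE_POST, "example.org"))
```

References to other hosts are reported but left untouched, since each one needs a check that the third party actually serves the file over HTTPS before the link is changed.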