Below are a few tools, materials, and settings for people interested in practicing their digital privacy and security, based on my hobbyist web interests. Hopefully they can be useful in the everyday for a human like yourself. If you’re interested in learning a bit more, consult the General Resources below (and search beyond!).

While reading about digital privacy and security tips, it’s important to remember that the single best way to protect your digital privacy is by limiting your use of digital technology. First, consider whether or not you need it; then, be critical about why and how you use it. Think carefully about what you sign up for and what kinds of data traces might be left behind.

A note on using these tools and services: consider donating to the makers if you’re able! Maintaining technologies like these takes time and dedicated work. Giving a little to use these robust tools keeps them up and running.

(Last updated: December 7, 2019)


General Resources


Tools

Keep in mind that few digital self-defense tools matter without strong passwords.

Web Browsing Tools

  • DuckDuckGo — search engine that doesn’t track you or keep your search history. Alternatively, there’s Startpage, which bases its searches off of Google’s results.

  • HTTPS Everywhere — when possible, the browser plugin automatically establishes secure encrypted HTTPS connections (https://) rather than using unencrypted HTTP (Note that the plugin is useless for websites that haven’t enabled HTTPS).

  • uBlock Origin * — ad-block browser plugin for Firefox and Chrome.

  • Privacy Badger * — browser plugin that blocks tracking by advertisers and other third-parties when visiting websites.

  • Disconnect * — browser plugin that blocks other kinds of invisible third-party trackers on the web. A good pair with Privacy Badger. Download for Firefox or Chrome.

  • NoScript * — Firefox browser plugin that blocks unauthorized JavaScript, Java, Flash, other plugins, and other site vulnerabilities as you browse.

* Note: Blocker plugins like uBlock Origin, Privacy Badger, Disconnect, and NoScript may break some content in webpages. You can temporarily disable them and/or whitelist sites in the plugins’ settings.

  • Firefox – privacy oriented, open source nonprofit web browser maintained by the Mozilla Foundation
    • Firefox Focus — simple, privacy-oriented browser for iOS and Android
  • Tor Browser — as part of the Tor Project, this browser is pre-configured to anonymize your internet connection. It runs your web traffic through the Tor Network, bouncing it through multiple volunteer-run servers around the world to mask your identity and location information. Consequently, it is somewhat slower than most connections, and requires conscious internet behavior to protect your privacy to the greatest extent (e.g. if you log into Facebook via the Tor Browser, you’re associating your personal login info with your Tor Browser session IP address, negating Tor’s work to anonymize your web traffic during that session). There is also a significant difference between anonymizing and encrypting data, though both can and should be done together. EFF has a good graphic on what the Tor Network does (anonymize data) and what HTTPS, SSL/TLS, and end-to-end encryption do (encrypt data). Tor Browser attempts to do both of these as well as it can in any situation. Tor is one of the most secure digital privacy tools out there, but that doesn’t mean that it’s the right tool for all uses.

  • Virtual Private Network (VPN) — VPNs route your traffic via networked servers located in various parts of the country/world. They can prevent your location-based IP address from being disclosed, encrypt your internet traffic in transit, circumvent internet censorship, and prevent your internet use from being logged and analyzed by your internet service provider company (ISP). Look for a VPN provider that does not log your traffic (read their Privacy Policy to be sure), has good encryption and security features, and is rated well by other legitimate websites. Private Internet Access is a well-known, secure, fairly trusty and affordable option. (With 5 devices able to connect simultaneously, you can share one account with a few friends.)

Messaging & Email Tools

  • Signal — end-to-end encryption for messages and internet voice calls, open-source. Fabulous on all accounts. Available for Android, iPhone, and desktop (Mac, Windows, and Debian-based Linux).

  • WhatsApp — end-to-end encryption for messages and internet video/voice calls, but not open-source. WhatsApp is owned by Facebook, and Facebook has been pushing to link WhatsApp and Facebook user data (and message metadata) for advertising, analytics, and who knows what else.

  • Email PGP encryption — Email PGP (Pretty Good Privacy) can be a pain to set up and use (and you can only use it with others using PGP), but it secures your email content (but not metadata—subject line, sender, location, time sent, etc.) like nothing else could. Plus, it can be fun to learn! EFF has a great introduction to public key cryptography and setup guides for Mac, Windows, and Linux users. For Gmail/Google-hosted mail, there’s Mailvelope. Also of note:

Device camera tape

Cover up your computer’s webcam when not in use. Why? Because it’s easy, and government officials, Edward Snowden, IT people, cryptography experts, and cybersecurity writers support it. Activating webcams remotely isn’t unheard of, and similar kinds of surveillance now happen on a mass scale. While your webcam getting compromised may not seem likely, it doesn’t hurt to take a simple (and removable) precaution.


iPhone Settings

You can control a handful of settings to control the collection and use of some of your cellular device data. When updating your phone’s software, some of these settings may be reset to their defaults. (These are instructions for iPhones, but the principles on other devices are similar.)

Use a 6-digit passcode, not your fingerprint

(Settings → Touch ID & Passcode)

It’s generally a good rule of thumb to limit sharing personal identifying information (like a fingerprint) with a corporation when possible. There may be additional concerns about this for arrested demonstrators, whose device may be unlawfully unlocked with their finger without a warrant.

As a bonus, when you set a passcode on newer iPhones (or a fingerprint), the data on your device is automatically encrypted.

Limit Ad Tracking

(Settings → Privacy → Advertising)

Apple, like many companies, collects and can sell your data to third-parties. You can opt out of some targeted advertising by turning on “Limit Ad Tracking” and resetting your advertising identifier.

Limit Location Services

(Settings → Privacy → Location Services)

You can manually change which apps can access your location data and when. Most apps shouldn’t need your exact location, so you can switch their access level to “Never”. When you do need your location to be used in an app (for GPS navigation, for example), switch the setting to “While Using”. Switch the Camera app setting to “Never”—most people don’t need their exact location geocoded into the photos they take. This data gets passed along to other applications and platforms (e.g. Instagram) that share your information with advertising companies and others.

At the bottom of the app list, make sure that the location services options in the System Services panel are all turned off (except if you use Find My iPhone, or want your Time Zone automatically set by location). This will decrease some of the location data sent to your cellular provider and Apple, though it will not negatively affect your phone’s performance. If anything, less data is good.

In the System Services panel, turn off “Frequent Locations” and clear your frequent location history. Otherwise, your phone will continue to track places you visit often, which is potentially useful for Apple to share with advertisers, data brokers, and the like.

Limit Background App Refresh

(Settings → General → Background App Refresh)

Some apps continue to fetch data (including your location), which can use up battery and transmit unnecessary information while you are not directly using an app.


Account Settings

It’s good every so often to look through your privacy settings for all kinds of digital tech—email accounts, social media accounts, posts, browsers, phones, etc. If desired, you might enable two-factor authentication on accounts (especially email accounts) when possible.

Facebook Account Settings

Comb through the various sections of your account settings and read the wording closely, particularly in the “Privacy”, “Apps”, and “Ads” sections. A handful of personal account settings you can control on Facebook:

  • Default audience post (Public, Friends, or otherwise)
  • Who can look you up by your email/phone number
  • Whether your Facebook profile can show up on search engines
  • Autofill facial recognition settings for photos/videos
  • Your information accessed by third-party apps, and your information accessed by your Facebook friends’ apps (be very strict about information accessed by apps, and turn off the “Apps, Websites, and Games” setting altogether if possible)
  • Some information accessed by advertisers

When posting something, pay attention to the audience the post will be visible to: if you don’t want a post Public (visible to any user on or off Facebook), change the audience to “Friends.” Facebook has guides on how to change who can see individual posts, who can see info on your timeline, and who can see Facebook group information.

When creating public events, you can select whether or not you want the guest list to be visible to attendees and the public (people on and off Facebook).


Google Account Settings

Access account settings by clicking your account icon in the top right corner and going to “My Account.” There, you can adjust “Ads Settings” (allowing you to opt out of some data collection) and “Manage your Google activity” (allowing you to pause and remove stored web and app activity, search histories, device information, and voice/audio activity).



Other stuff

Practices

  • Encrypt your phone—and computer, too. Newer iPhones are automatically encrypted if you use a passcode. Mac users can use FileVault—found in System Preferences → Security & Privacy—to easily encrypt the computer’s internal hard drive with your login password.
  • Periodically delete web browser cache, cookies, and browsing history.
  • Avoid making transactions or accessing sensitive information on public WiFi. Public WiFi networks are usually not secure and can easily reveal user information and passwords on the network. Software that enables data theft over public WiFi, while sometimes illegal to use, is quite easy to get. When you do use public WiFi, make sure your Internet connection is encrypted whenever possible (see the HTTPS Everywhere plugin above). Or, look into using a Virtual Private Network (VPN).
  • Avoid using digital “cloud” services. When you do, don’t rely too much on them—for privacy and security reasons, as well as environmental ones. Cloud services, like the undersea cables that connect servers across the world, are made of infrastructure that can be surveilled, sold, or sabotaged. However, there are alternatives out there, such as the “no knowledge” encrypted cloud storage service provided by SpiderOak.

Website managers

  • Encrypt user connections to your website by enabling HTTPS by default. Let’s Encrypt is a free certificate authority that makes this pretty easy to do. It is readily accessible through website dashboard managers like cPanel. Once you have issued a certificate for your domain, you may need to manually replace any linked files on old posts/pages with the prefix “https://…” (instead of “http://…”). Or find a trustworthy plugin to do it for you. Additionally, you may need to edit your website’s .htaccess file in the root directory to redirect all HTTP requests to HTTPS.
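
The link clean-up step described above, sketched as an added example (not code from this page or from any plugin): it rewrites `http://` links that point at your own site and lists the rest for manual review. The function name, the attribute list, and the `example.org` hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Attributes that load or link to a resource, with either quote style.
ATTR_URL = re.compile(
    r"""(?P<attr>\b(?:src|href|action|poster)\s*=\s*)(?P<q>["'])"""
    r"""(?P<url>http://[^"']+)(?P=q)""",
    re.IGNORECASE,
)


def upgrade_links(html, own_hosts):
    """Rewrite http:// URLs on own_hosts to https://.

    Returns (new_html, rewritten, needs_review). URLs on other hosts, or with
    an explicit port, are left unchanged and listed in needs_review, because
    the other server may not offer HTTPS at the same address.
    """
    own = {h.lower() for h in own_hosts}
    rewritten, needs_review = [], []

    def fix(match):
        url = match.group("url")
        try:
            parts = urlsplit(url)
            safe = (parts.hostname or "").lower() in own and parts.port is None
        except ValueError:  # malformed host or port
            safe = False
        if not safe:
            needs_review.append(url)
            return match.group(0)
        rewritten.append(url)
        new_url = "https://" + url[len("http://"):]
        return match.group("attr") + match.group("q") + new_url + match.group("q")

    return ATTR_URL.sub(fix, html), rewritten, needs_review


# Constructed sample post; example.org stands in for your own domain.
SAMPLE = """<p><a href="http://example.org/about">About</a>
<img src='http://www.example.org/wp-content/uploads/cat.jpg'>
<script src="http://cdn.example.net/lib.js"></script>
<a href="https://example.org/contact">Contact</a></p>"""

if __name__ == "__main__":
    fixed, done, review = upgrade_links(SAMPLE, {"example.org", "www.example.org"})
    print(fixed)
    print("rewritten:", done)
    print("check by hand:", review)
```

Run it on an exported copy of your posts first and compare the output before changing anything live.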