A Beginner's Guide to Online Security

Interest in digital privacy and security has surged in recent years following whistleblower Edward Snowden’s disclosure that the United States’ National Security Agency (NSA) has been spying on every call, email, SMS message, video chat, instant message and website visited by most of the world. While it’s not the easiest and security is never 100 percent guaranteed, there are relatively simple measures that even non-experts can take to help combat major threats that we all face every day.

Caveats

When we say that security and privacy on the internet are not easy, we mean it.

While the measures outlined in this guide will almost certainly lower your profile and increase your resistance to attacks, our adversaries are invariably very well-funded, have a long reach, and are technically highly competent. You should therefore never be complacent. 

It's not enough to just use a VPN and a few plugins anymore, as nothing is completely secure and adversaries are always developing new ways to get what they want. The methods we outline won't be able to protect you from a targeted attack by a determined third-party, but they are necessary to keep you private and secure.

 

A word on Linux

To keep this guide simple and beginner-focused, we have opted to restrict recommendations here to the most popular computer platforms. If you are serious about privacy, though, you should strongly consider using Linux  instead, as this open source platform is built from the ground-up to respect your privacy.

We purposefully avoid dumbing the guide down as this can potentially be dangerous, but this is still intended for beginners. We will try to explain the threats, suggest ways to combat them, and discuss the shortcomings of these in as clear and non-techy a way as possible. There's no escaping that things can sometimes border on the complex, but we endeavor to walk you through things step by step.

 

Threats and adversaries

The main threats to security and privacy this guide will deal with are:

Criminals - these include WiFi hackers, phishers, malware merchants, account hackers, and other low-lives who mainly want to steal your bank account details.

Government surveillance - it seems that just about every government is mad-keen on spying on absolutely everything every one of its (and everyone else’s) citizens are up to on the internet.

Advertising - in their drive to deliver ever more highly targeted advertising so they can sell more stuff, companies track users and website visitors across the internet in order to learn their interests, spending habits, who they associate with (and their interests, spending habits, etc.). This represents one of the biggest threats to privacy faced by the modern internet user.

Some word on open-source software

Most software is written and developed by commercial companies. Understandably, these companies are keen not to have others steal their hard work or trade secrets, so they hide the code away from prying eyes using encryption. As we say, this is all quite understandable, but when it comes to security, it presents a major problem. If no-one can ‘see’ the details of what a program does, how can we know that it is not doing something malicious? Basically, we can’t, so we simply have to trust the company involved, which is something us paranoid security types are loath to do (with good reason).

The best answer to this problem lies in ‘open-source’ software - community-developed software, where the code is freely available for other programmers to look at, modify or use for their own purposes.

Powered by haveibeenpwned.com

Considering the complex nature of open-source programs and the lack of experts with the time to audit the software (usually for free), the fact that any programmer can examine the code to check nothing untoward is going on is the only guarantee we have that a program is ‘safe’. Unfortunately, because open-source software is usually developed by enthusiasts in their spare time, it is often much less user-friendly than its commercial rivals, which leaves us in something of a quandary when writing this beginner's guide.

At ProPrivacy, we invariably and strongly recommend using open-source software whenever possible, but we also concede that it is often better for someone to use a commercial security product than none at all, due to their inability to get to grips with the open-source alternative.

There are therefore times when we will recommend both open-source and commercial (closed-source) options. If you opt for the closed-source alternative, then we ask that you be aware of the security implications this brings (i.e. that you are trusting your security to that commercial company) and always advise giving the open-source option a try first.

Mozilla Firefox

On a related note, we strongly recommend using the Firefox web browser by the Mozilla Foundation, both because it is the only fully-featured mainstream browser to be open-source, and it accepts a huge range of plugins that can improve your internet security. Microsoft Internet Explorer is notoriously insecure, and both it and Google Chrome track your internet usage for commercial purposes (something this guide is specifically about trying to prevent).

In this guide, we will, therefore, assume that you are accessing the internet using the Firefox browser, and will make recommendations based on this assumption.

We should also note that Firefox has somewhat controversially introduced limited non-invasive advertising to its ‘new tab’ page. This can/should be turned off by clicking on the ‘gear’ settings icon on the top right of the page and deselecting ‘Include suggested sites’ under the ‘Show your top sites’ option.

The Power of Encryption

In order to protect your data, it must first be encrypted, transforming it from plaintext to ciphertext. Without confusing things, encryption translates your data into a code by substituting each part of the original message with something else according to a formula. Anyone who knows the exact algorithm used to decrypt the message is said to have the ‘key’ and can unlock the message. 

If someone wants to read the message but does not have the key, then they must try to ‘crack’ the cipher. When the cipher is a simple letter substitution, then ‘cracking’ it is easy, but the encryption can be made more secure by making the mathematical algorithm (the cipher) used more complex, for example by also substituting every third letter of the message with a number corresponding to the letter.

Modern ciphers use very complex algorithms, and even with the help of supercomputers are very difficult (if not impossible for all practical purposes) to crack.

Encryption is the one thing that prevents just anyone from being able to read (or track you through) your digital data and is the absolute cornerstone of all internet security. It is therefore worth taking a little time to understand what we mean by it.

End-to-end encryption

Once you have digested the above information, another important concept to understand is ‘end-to-end’ encryption. This basically boils down to who is doing the encrypting and decrypting. Many services offer to encrypt your data, but this also means that those companies can subsequently decrypt the very same information. Unless you encrypt your data on your own computer, which can then only be decrypted by the intended recipient on their computer (end-to end) no matter whose services the data passes through, it cannot be considered secure. 

Whenever you send a file to Dropbox, for example, the provider will encrypt it before uploading and storing it (encrypted) on its servers, only to be decrypted when you download it. While this suggests that your files are mostly safe from outside attacks, Dropbox still holds the keys meaning it can access your files whenever it wants and potentially hand them to intrusive government agencies like the NSA. The same is true for all non-end-to-end encrypted cloud services. 

Another kink here is that many commercial products and services proudly advertise that they offer ‘end-to-end encryption’, but we have only their word for what is going on, meaning they could be sending duplicate keys to the parent company. As always, open-source is the only meaningful guarantee of security.

Passwords

The single most important thing that anyone can do to improve their online security is to improve the strength of their passwords. Criminals and other malicious parties prey upon: 

Weak passwords - ‘123456’ and ‘password’ consistently remain the most commonly used passwords, while a list of 100 or so passwords are so popular that any hacker will simply type them in before first trying something else. This includes guessable passwords involving the names of family members, hobbies and other personal details.

Reusing passwords - Using the same password across multiple accounts means a leak or attack on one website can compromise your information across all accounts that share the same password.

Default passwords - Keeping default passwords assigned by websites means that a third-party already has access to your account, let alone hackers that can see your password in plaintext if they get into your emails. 

A strong password involves a long string of random characters, including a mix of numerals, mixed caps, and symbols. Of course, memorizing just one such password is far too much for most of us, let alone one for each important account!

In our Ultimate Guide, we suggest ways to pick memorable passwords that are more secure than the ones you are probably using right now. Diceware is well regarded by security experts in helping random password generation and there are plenty of password managers that can both create and store strong passwords for you, not to mention auto-fill online forms.

 

Recommendations

KeePass is a free open source password manager available on most platforms. The basic program is simple enough to use, but for syncing across devices, files must be stored using a cloud service such as Dropbox or our personal choice, Nextcloud.

Browser integration is available through the PassIFox Firefox plugin. We have guides to using KeePass in Windows and on Android devices.

Sticky Password is a good cross-platform commercial solution which is easier to use than KeePass, but which uses closed code.

Antivirus Software

This advice is now so obvious and so old that we will not waste too much digital ink on it here. Viruses can really screw up your system and introduce all sorts of security nightmares (such as keyloggers that record your every key press and send these back to whoever is listening), so when it comes to using and updating antivirus software - just do it!

Recommendations

The basic antivirus software that ships with all modern versions of Windows and OSX is pretty good these days. ClamWin (Windows) and ClamXav (Mac) are open source alternatives, but neither are as good as their commercial rivals.

Although it is not open source, Malwarebytes Free for Windows provides very effective post-infection virus detection and cleanup.  It does not provide real-time protection, however, so will not identify and prevent infections from happening in the first place.

We, therefore, recommend that Windows users use the built-in Defender for real-time protection, plus run weekly manual virus checks using the free version of Malwarebytes. Alternatively, the paid-for version of Malwarebytes does this automatically, plus provides real-time protection.

There are no open source antivirus apps for Android, but we think the practical benefits of using the free Malwarebytes Anti-Malware app outweigh any ‘closed source’ concerns.

Firewalls

A personal firewall monitors internet traffic entering (and sometimes leaving) your computer, blocking or flagging up traffic it does not recognize or it considers may be harmful.

Recommendations

Both Windows and Mac OSX come with built-in firewalls, although these only monitor incoming traffic (and are thus referred to as ‘one-way’ firewalls). They do, however, provide a great deal of protection while also being fairly transparent in operation, which is a lot more than can be said for most third party ‘two-way’ alternatives. These can be a pain to maintain and require a fair degree of technical understanding to make the correct decisions about what traffic is and is not allowed through the firewall. We therefore think that beginners should stick with the built-in firewalls, although you should check that they are turned on. To do this:

In Windows - go to Control Panel -> Windows Firewall -> Turn Windows Firewall on or off

In Mac OSX - go to System Preferences -> Security -> Firewall tab

Social networks

Again, we feel this is a well-covered topic that basically requires using common sense, and therefore do not wish to dwell on it. However, it is also very important, as the likes of Facebook (in particular) are among the biggest privacy liabilities we face.

For brevity’s sake, the rest of this section will focus on Facebook, as it is the world’s most popular social network, as well as being among the worst in terms of privacy violation. Do please note, however, that almost all the points made here apply equally well to all other social networks (such as Twitter, LinkedIn, Google Plus+, and so on.)

What is wrong with Facebook?

Facebook’s business model is simple - it finds out everything it can about you, not just from what you do while logged into the Facebook webpage - what you Like, who you talk to, what groups you belong to, what adverts you click on, etc. - but will also tracks you across the internet to find out what purchases you make, what websites you visit, etc., etc.

If you have the Facebook app installed on your mobile phone, then the situation is even worse, as Facebook uses the phone’s built-in geo-tracking features to follow you every physical move (and proposals are even afoot to use your phone’s microphone to listen in on your surroundings!)

Facebook then uses this vast treasure-trove of personal information it has gathered to build up a detailed and scarily accurate profile of you, and has made billions of dollars using this information to deliver highly targeted and personalized advertising. Of course, it is also not shy about handing over this information to the authorities too…

So what can you do about it?

The best answer to this is, obviously, to delete your Facebook account, although you should bear in mind that even if you do this, Facebook will retain every post, photo, and scrap of information it has already collected, and assert ownership of it.

More realistically for most of us, Facebook is popular for good reasons - it is where we chat, share photos and otherwise interact with our friends. It plays a central role in many of our social lives and is often our primary reason for using internet. In short, most of us are not willing to give it up. Below then, are some ideas for trying to keep a modicum of privacy when using Facebook.

  • Nail down your privacy settings - Facebook has introduced ‘Privacy Basics’, supposedly to make managing your privacy settings easier. However, it has a nasty habit of changing its privacy settings without notifying users, so it is worth checking back every now and again to make sure they are as tight as you want them. Remember - Facebook is not your friend, and its business model relies on abusing your privacy
  • Don’t over share - not only is everything you say, every photo you post, every post you ‘Like’ etc., viewable by all your ‘Friends’, but it is also used by Facebook to a profile you, cannot be deleted or retracted, and can be accessed by the police (and the NSA). If you must post on Facebook, at least use the ‘Message’ or ‘ ‘Who should see this?’ features to target the actual friends you want to see the message (etc.)
  • Isolate Facebook - Facebook does not just monitor everything you do on its website, but it tracks you across the web. We discuss general anti-tracking measures in more detail later in this guide, but the most effective thing you can do is to logout of Facebook each time you finish a session with it (simply closing your Facebook tab is not enough).

If you keep forgetting to do this, then consider running Facebook in its own browser which you use exclusively for accessing Facebook, as Facebook cannot track what you do in a completely separate browser.

If isolation is important on the desktop, it is ten times more so on your phone! As we have noted, the Facebook app has real-time access to your physical location - it can also access all your text messages, contacts, photos, calendar entries, and more! Basically, if you care even slightly about concerned your privacy, uninstall the Facebook and Messenger apps NOW!

You can continue to access Facebook through your device’s browser (remembering the advice given for desktop browsers above), or through the TinFoil for Facebook app (which is basically just a wrapper for the mobile website, and isolates Facebook away from the rest of your phone’s data and functions.)

Unfortunately, there are always thieves, and the internet has provided a wealth of new ways for unscrupulous criminals to steal your data. Fortunately, even technically competent criminals invariably have limited resources, so while they may represent the most pervasive and immediately damaging threat to your security, criminals are also the easiest threat to protect against.

Cyber-criminals are basically after one thing - your passwords and bank or credit card details. The two most common ways they use to get these can also be most effectively countered using the basic internet security measures already discussed in chapter 2. In this chapter, we’ll describe the most common cyber threats and what measures you can take to protect yourself.

Malware (viruses)

While some viruses and other malware seem to have no real purpose other than to make our lives miserable, the most dangerous ones try to steal information and send it back to the hacker who created them (or more likely modified them - ‘off the shelf’ white label viruses are readily available on hacker community forums).

Malware was by far the biggest cyber threat in 2015

While many kinds of viruses exist, one of the most common, dangerous, and illustrative dangers that viruses present, is the keylogger, which hides in the background and records every keystroke you make (hoping that you will type in your credit card details etc.)

Up-to-date anti-virus software is of course the main way to combat the malware problem, although a good two-way firewall (not the default one-way firewall that comes with your OS) can stop a virus transmitting your data, even if it succeeds in infecting your computer undetected.

Recommendations

GlassWire is a beautifully designed two-way firewall with an easy-to-use interface, that shows you which programs and apps are using your internet connection, who is using your WiFi or Network at any given time and if anyone is using your webcam or microphone to spy on you.

Other common-sense advice such as not opening email attachments from unknown sources and clicking on webpage po-ups is also good. One of the most dangerous kinds of webpage pop-up are ones that warn you that you have virus and urgently recommend downloading software to fix the problem.

Of course, doing any such thing will, in fact, infect your computer with a virus! If you don’t know what you are doing, then it is easy to be confused by these warnings, so you should always take the time to investigate whether the warning is coming from legitimate virus software that you have running.

If in doubt, close all programs, restart your computer, and then run your antivirus software.

Account hacking

Another common tactic used cyber criminals is to hack less secure accounts such as Facebook, your email, or eBay accounts, in the hope of finding out information about you that can be used to hack more lucrative accounts. E-mail hacking is particularly dangerous, as many financial institutions send account login information via plaintext email.

Using strong passwords (and a different one for each important account) is the most effective counter to this form of attack, although two-factor authentication provides additional protection, and should be turned on when available (which it increasingly commonly is).

Two Factor Authentication (2FA)

Most online accounts are protected by one-factor authentication, i.e. your password (it is assumed that potential hackers already have your username, so this doesn’t count). 2FA provides extra security by requiring a second proof of your identity. The typical formula is:

  1. Something you know (e.g. your password)
  2. Something you have.

This ‘Something you have’ is most commonly your phone (where a company such as Google will text a code to your registered phone number), but can also be a USB key or other physical way of proving your identity.

Public WiFi hotspots

Using a VPN service is one of the best things you can do to improve your general internet security and privacy, and should be considered a must whenever you connect to a public WiFi hotspot.

Exploiting public WiFi hotspots (including those in cafés and airport lounges etc.) is a favorite tactic of hackers, made all the more dangerous by the fact that many devices will automatically connect to unknown open hotspots unless this ‘feature’ is turned off in the devices’ settings.

While various devious form of attack are possible, the simplest and most effective (and therefore most common) are:

  • Fake hotspots - almost any internet-enabled device can be easily turned into a WiFi hotspot (most phones have this as a feature, allowing users to ‘tether’ their laptops etc. when no other internet connection is available). It is a common tactic for crooks to hang around areas where public WiFi is available and set up a ‘fake’ hotspot’ that masquerades as legitimate sounding ones with names such as ‘Free airport internet,’ in order to lure people into connecting to them. Once you connect to a bogus WiFi network, the owner of the hotspot can spy on all your internet traffic, collecting passwords and other valuable or damaging information.
  • Wireless packet sniffing - to access the internet using a WiFi hotspot, your phone connects to a public router using radio waves. This connection is normally secured, so that any data transmitted is encrypted (which is why this problem rarely occurs on home networks). However, either to make life easier (no passwords required,) or due to lack of technical understanding, it is not uncommon for WiFi networks to have this encryption turned off, making it easy for anyone with a WiFi-enabled device and the correct software (known as packet sniffing’ software) to intercept and ‘read’ your WiFi data.

Using VPN defeats pretty much all forms of public WiFi attack by connecting your computer (including your mobile phone or tablet) to another computer located elsewhere (referred to as a VPN server) using an encrypted connection (often referred to as a VPN tunnel).

Data passing between the two computers is encrypted, so anyone that intercepts it between your computer and the VPN server will only be able to ‘see’ useless junk data (unless they are somehow able to decrypt it, which even if using very weak encryption by today’s standards, is unlikely to the point of being impossible for ordinary criminal hackers).

Therefore, even if you do accidentally connect to a fake hotspot, your data is safe.

Free VPN services do exist, although we do not generally recommend them because this begs the question of how a provider can afford to run (never make mind make a profit out of) what is an expensive service to provide, if they do not charge for it (the answer usually involves by selling your privacy to the highest bidder). However, if you simply want occasional protection while checking your email and surfing the internet in public, then CyberGhost offers a great free service, which it funds transparently through its commercial offering.

As we discuss throughout this Guide, using VPN religiously is one of the most effective things you can do to help protect your security and privacy (and honestly, we are not saying this just because we are a VPN review company). We therefore strongly suggest that you lay down the price of a beer or two it costs each month to purchase a good no logs VPN service (which we will discuss in greater detail in the next chapter).

Thanks to Edward Snowden, the public is now much more fully aware of the extent to which our governments are spying on just about everything everybody does online, and thanks to Mr Snowden’s personal background, the spotlight has been shone particularly harshly on the sinister and ridiculously powerful United States National Security Agency (NSA).

It should be understood, however, that even within the US, other government agencies such as the FBI and CIA are also spying on their own citizens, and that in many other countries, governments are performing similar blanket surveillance of their own citizens. Furthermore, organizations such as the NSA and its Five Eyes spying partners (most notably its UK sidekick GCHQ), have such power, global reach, and hubris, that their powers of blanket and targeted surveillance are truly global in scale.

Against such an adversary an individual stands no chance of protecting their privacy if targeted (let alone anyone who is using this beginner’s guide!) However, there are things you can do to lower your profile, prevent all your data and everything you do online being hovered up, and generally make life difficult for the NSA*.)

*For brevity’s sake we will often refer in this guide to ‘the NSA’, but please understand this to generally be shorthand referring to all forms of surveillance by a ‘global’ adversary, including GCHQ, the FSK (formerly the KGB), Mossad, or even the mafia.

Users in repressive countries

The focus of this chapter is on how to prevent blanket surveillance from a global adversary such as the NSA, and even most governments, who have diplomatic relations with most other countries, and can request data, ask for cooperation and issue warrants that other countries will respect. Among those who need privacy the most, however, are those in live either in countries with repressive governments, or who live among societies where a breach of privacy can have severe social and/or legal consequences (for example atheists living in strict Moslem countries, or homosexuals in many communities). The good news is that although the consequences of getting caught may be worse, achieving privacy (at least as far as evading any major threats is concerned) is in some ways much easier in these situations, because the adversary’s power is relatively limited in scope (good luck, for example, to the Iranian government in forcing a European VPN provider to hand over any logs on its users, even should such logs exist!)

A bigger problem comes from the fact that privacy technologies such as VPN and Tor are usually detectable by a user’s ISP (or government). Throughout most of the world using such technologies is perfectly legal (in fact banking and other businesses rely on them), but in places where it is not, users should be careful, and try to understand the risks involved.

Catch-22

The key to defeating the NSA and its ilk is, as we discussed at the beginning of the guide, encryption. Although the NSA’s sustained attack on global encryption standards shocked many experts, and has thrown a big question mark over what exactly the NSA can and cannot do (no-one outside the NSA knows for sure), it is generally agreed that it can still be thwarted by strong encryption. As world-renowned cryptographer Bruce Schneier says,

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.

Edward Snowden confirms this view, observing that although encryption will not protect you from the NSA if you are a target, using it will foil the broad collection of data, and requires a targeted attack to disrupt.

The NSA collects 1,826 petabytes of data every day, which comes down to 2.1 million gigabytes per hour. This includes phone calls, e-mails, social media posts, private messages and internet activities.

The catch-22, however, is that using encryption is more likely to make you a target. When the NSA collects encrypted data that it cannot decrypt (or which it would find too time consuming to decrypt), it simply stores it until such time that it can (or that doing so is practical).

However… a lot of people use encryption (and many businesses rely on it in order to operate effectively,) and if the encryption is strong, then decrypting it will be an expensive and time consuming process for the foreseeable future (although this could change quickly if the NSA successfully develops a quantum computer).

Therefore, the more people who use encryption on a regular basis, the more safe everyone is, as users who encrypt will stand out less, and the NSA will have to waste huge resources decrypting millions of Game of Thrones downloads! We therefore advocate that as many people as possible use encryption for everything all the time, as this provides much needed protection for those who need it most.

It is also worth remembering that it is only the NSA (and possibly its partners) that even potentially has the ability to crack good encryption, and that the NSA is only interested in high value targets - it does not care about what kind of dodgy porn you like, whether you ‘pirate’ books, games, movies etc., or even if you are engaged in many forms of low level criminal activity (not that we advocate such!)

Breaking encryption protocols requires brainy employees. That explains why the NSA is widely thought to be the world’s largest single employer of mathematicians.

VPN

We have looked at VPN before, but it is something of a Swiss army knife when it comes to security and privacy, so let’s take a look again at how it works (we have taken the router out of the equation, as the connection to private routers is almost always secured with encryption, and anyway, the ‘computer’ could just as well be a mobile phone accessing the internet using a mobile connection):

As long as the encryption remains secure (we will discuss this a little more in at the end of this chapter,) then all data between your computer and the VPN server is safe from prying eyes. This includes from your ISP or anyone else such as the NSA who might be trying to intercept it.

It also means that your ‘real’ internet (IP) address is hidden from anyone trying to identify you from the internet, as your traffic will appear to come from the IP address of the VPN server, rather than your own computer.

If you think about this for a minute, it should become clear that this setup has two key points of weakness:

  • Your computer - if an adversary knows who you are, then they can raid your house to take away your computer, or can secretly install ‘bugs’ such as software or hardware keyloggers to monitor what you get up to. Encrypting your data (see later) may provide some protection in the event of your disks (or phone) being seized, but basically, if you have been targeted in this way then you are in deep trouble. On the other hand, any such attack does mean that you have been specifically identified as being of interest to an adversary who is willing to spend considerable time and resources monitoring you…
  • The VPN server /provider - which is of more practical concern to most of us. A VPN provider can monitor all traffic that goes through its servers, and can connect internet activity with an individual. Since it can do this, it can be forced to hand over any records it has to an adversary (usually this means complying with a legally binding court order or subpoena, but other methods, including blackmail and torture are not impossible if the stakes are high enough). In order to address this problem, more privacy-minded VPN providers promise to keep no logs, because if no logs exist then it is simply impossible to hand them over, no matter how strong the compulsion.

Empty promises

While many providers promise to protect users’ privacy, such promises are not worth the digital ink they are printed on if they keep logs. No matter what they say, no VPN provider’s staff will go to jail (or ruin their business) to protect a customer. If the data exists, any VPN provider can be compelled to hand it over. Period.

Trust

If you want to use VPN to provide privacy, then only a ‘no logs’ provider will do. Unfortunately, when a provider claims to be ‘logless’, we just have to take their word for it (which is why the Edward Snowden’s of this world prefer to use Tor).

Choosing a VPN provider therefore comes down to a matter of trust… so how do you know a provider can be trusted? Well… privacy orientated VPN providers have built their business models on promising privacy, and if it becomes known that they failed to do this (for example by keeping logs even when they promised not to, and then being compelled to hand these over to the authorities), their businesses would be worthless (and they might find themselves liable for legal action by any compromised individuals). It should be stressed, however, that there are no cast-iron guarantees here.

74% of Americans say it is “very important” to them that they be in control of who can get information about them, and 65% say it is “very important” to them to control what information is collected about them.

Real-time tracking

It should also be understood that even when a provider keeps no logs, it can monitor users’ internet activity in real-time (this is essential for troubleshooting etc. – all the more so when no logs are kept).

Most no logs providers promise not to monitor users’ activity in real-time (unless necessary for technical reasons), but most countries can legally demand a provider to start keeping logs on an individual (and issue a gag order to prevent the company alerting its customers about this). This is, however, a specifically targeted demand or request (which most providers will happily cooperate when it comes to catching pedophiles, for example), so only if you are a specific individual already identified by the authorities should you be concerned.

Shared IPs

In addition to keeping no logs, any company that cares about protecting their users’ privacy also uses shared IPs. This means that many users are assigned the same internet (IP) address, so matching identified internet behavior with a specific individual is very difficult to do, even if a provider should wish (or is compelled) to do so. This goes a long way towards addressing the privacy issue outlined above.

What does ‘no logs’ actually mean – usage logs vs. connection logs

When many providers claim to keep no logs, what they really mean is that they keep no (what we term) ‘usage logs’. They do however keep ‘connection logs’

  • Usage logs – details of what you get up to on the internet, such as which websites you visit etc. These are the most important (and potentially damaging logs)
  • Connection logs (also known as metadata logs) – many ‘no logs’ providers keep metadata about users’ connections, but not usage logs. Exactly what is logged varies by provider, but typically includes things like when you connected, how long for, how often etc. Providers usually justify this as necessary for dealing with technical issues and instances of abuse. In general we are not too bothered by this level log keeping, but the truly paranoid should be aware that, at least in theory, such logs could be used to identify an individual with known internet behavior through an ‘end to end timing attack’.

Some providers claim to keep no logs of any kind, and it is these that are generally considered best for protecting privacy. It should be noted that some critics argue it is impossible to run a VPN service without keeping logs, and that those who claim to do so are being disingenuous. However, as mentioned above, with a VPN provider everything comes down to trust, and if a provider claims to keep no logs at all, we have to trust in its ability to run to run the service in this way…

86% of internet users in the US have taken steps online (such as using a VPN) to remove or mask their digital footprints.

Mandatory data retention

Something to be aware of when choosing a privacy-friendly VPN provider is where it is based (that is, under which country’s laws it operates). Many countries require communications companies to keep logs for a certain amount of time, which used to be particularly true of most European countries. Changes in EU law have muddied the picture, but countries such as the UK and France are moving in the opposite direction, and have widened their surveillance powers.

If a VPN provider is based in a country which requires it to keep logs, then it will do so, no matter what other impression it tries to give.

IP Leaks

Even when connected to a VPN it is sometimes possible for websites to detect your true IP address. There are a number possible reasons for this, which we discuss in detail in our Complete Guide to IP Leaks.

When Using a VPN you should therefore always check for IP leaks. Check out IP Leak test tool to ensure that your real IP address is kept private. Our tool covers all bases, checking for IPv4, IPv6, WEBRTC, and DNS leaks.

Recommendations

While VPN does rely on a certain level of trust, and can therefore never be considered anonymous, ia no logs service can provide a meaningful level of privacy, while also being much faster than Tor (see below.)

It also has the side-benefits of protecting P2P downloaders from copyright enforcers, being great for evading censorship (as it is easy to select a VPN server located in a different country with more relaxed censorship laws), is great for ‘spoofing’ you geographic location (as you can choose to connect to a VPN server in another country), and of course, it protects you when using public WiFi.

We therefore recommend using a no logs VPN service religiously (including on your smartphone and other devices). Any provider from our best VPN no logs list is a great choice.

The Tor anonymity network

The Tor anonymity project attempts to address the problem of trust by being constructed in such a way that you do not need to trust anybody.

The Tor project’s mission is to advance human rights and freedoms by creating and deploying free and open anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.

When you surf the internet using the Tor Browser (a modified version of Firefox,) you connect to a random ‘Tor node’ run by a volunteer, which then connects to another Tor node, which then connects to another Tor node (the chain is always at least three nodes long,) with the data being re-encrypted each time it passes through a node. The final Tor node in the chain is known as an ‘exit node’, and connects to the internet.

What this means is that while each node can ‘see’ the computers it is connected to (on either side of it if a ‘middle relay node’), no user can follow the entire path and associate internet activity with an individual (at least in theory.)

There is therefore no need to trust anyone with your data, which is why Tor is generally considered the most secure and anonymous means of accessing the internet available.

The main downsides are that it is slow, is not suitable for ‘torrenting’ (for various reasons), apparent geolocation is random, and that, because the list of public ‘exit nodes’ is openly published, they are easy for governments and banks etc. to blacklist (new ones open all the time, so with persistence you can keep on reconnecting until you find an unblocked exit node, but this can be a real pain).

Successful closures of illegal ‘hidden’ Tor markets such as the Silk Road 2.0 (accompanied by some arrests) have led to concerns that Tor is no longer secure, but the general consensus is that the core Tor structure remains sound, and that Tor remains the best option for those seeking true anonymity.

If anonymity is absolutely critical for you, though, you might want to investigate connecting to a no logs VPN (paid for using anonymously mixed Bitcoins) through Tor, for additional security. This is well beyond the scope of this guide, but if the subject interest you then we suggest checking out this article.

Recommendations

Unless you need true anonymity, then VPN is much faster and more generally useful than Tor. If you do need anonymity then download and use the Tor Browser, but please do read through the documentation to understand Tor’s limitations and potential dangers before trusting your life or freedom to it.

Tor also makes a very handy free anti-censorship tool if the exit nodes are not blocked. The Tor Browser is available for Windows, OSX Mac, and Android.

Encrypted

While VPN and Tor are very good at protecting your data while it is in transit, if you are serious about security then you will also want to protect it while stored. The main places that data is usually stored are:

  • Local drives - these days this generally means computer hard disks (both internet and external), solid state drives (SSDs), and USB ‘thumb’ drives
  • Cloud storage (such as Dropbox, Google Drive, or iCloud)
  • Smartphones and other mobile devices (plus any external SD memory cards plugged into these)

Local Drives

The different types of local drive are all treated more or less identically by your desktop operating system.

AES Crypt is a free and open source program that integrates with your OS, providing simple file encryption for individual files using the right-click menu button (Windows,) or drag and drop (Mac OSX.) File decryption is performed by simply double-clicking the encrypted .aes file, and entering the password you supplied when creating it. Folders can be encrypted by turning them into zip files first.

VeraCrypt - is the successor to TrueCrypt (which has now been fully independently audited and given the thumbs up). With this FOSS program you can:

  • Create a virtual encrypted disk (volume) which you can mount and use just like a real disk (and which can be made into a Hidden Volume)
  • Encrypt an entire partition or storage device (e.g. a hard drive or USB stick)
  • Create a partition or storage drive containing an entire operating system (which can be hidden)

All encryption is performed on-the-fly in real-time, making VeraCrypt transparent in operation. Hidden Volumes creates a second encrypted volume inside the first, which it is impossible to prove exists (even if its existence is suspected.)

In situations where the rule of law applies this is great, as it provides “plausible deniability” (as it is impossible to prove encrypted data exists,) but this feature could be a liability in situations where you might be tortured or imprisoned based on a belief that you are concealing data (as it is equally impossible to prove a hidden volume does not exist!)

A workaround to this problem is to create a second hidden volume even if you do not need it, which you can reveal if need be in order to demonstrate that you are not hiding anything

Cloud Storage

In addition to storing our data in the traditional way (for example on local drives and disks etc.), we are increasingly backing up and sharing data using ‘the cloud.’

The problem is that data stored ‘in the cloud’ is actually simply stored at huge server farms (banks of hard disks attached to computers) run by large tech firms. Although this data is usually encrypted for transfer and storage, it is the tech company doing the encrypting, so it (and by extension law enforcement and the NSA) can readily decrypt and access your data.

If you wish to properly secure data stored in the cloud then you need to use end-to-end encryption, and there are two ways of going about this:

  • Encrypt it yourself using VeracCrypt - If you store the VeraCrypt container in your ‘cloud folder’, then you can mount it and sync data across all your devices. The beauty of this approach is that it allows you to use your favorite low cost(but non-secure) cloud provider in a secure way. Android users can open and sync VeraCrypt containers using the (only partially open source ) EDS app.
  • Use a secure ‘end-to-end’ cloud service - an arguably easier alternative is to use a cloud service specifically designed for security. Unfortunately, the only completely open source solution, Cyphertite, recently shut down. This leaves proprietary solutions such as SpiderOak and Wuala, with Wuala with probably being the most secure and the best all-round closed source option available.

Mobile devices

After a couple of false starts, Google has followed Apple in announcing that new Android (Marshmallow) devices will be encrypted by default. As with Apple’s iOS 8 & 9 encryption, this encryption (and decryption) is performed on your phone (that is, it is ‘client-side’,) with only you, the user, keeping the encryption keys.

This means that Google and Apple cannot decrypt your data, even if legally required to do so (something that has caused law enforcement authorities a great deal of alarm.)

This is a great move by these companies, and demonstrates how growing public concern over privacy is forcing a concrete positive response from the tech industry, despite official opposition. If you have a mobile device running iOS 8 or Android 6.0+, then using full device encryption is a no-brainer (you don’t even have to turn it on!).

According to a recent study by Backblaze.com, 39% of internet users back up their data once a year, 19% back up monthly and 8% even back up every day

Now, iOS is most definitely not open source, but Android (technically) is, and Google has gone with using open source dm-crypt , the standard for Linux hard disk encryption. Users running older versions of Android (3+) can turn on phone encryption in the Security section of the phone’s Settings, and can also choose to encrypt any SD cards plugged into the phone (do it!)

You should be aware, however, that this is basically a one-way process (although you can factory reset your phone to remove if need-be), and that it may cause older or low-end phones to slow down a little, as encrypting and decrypting data does take a bit of processing power.

Photo auto-backup

One of the most useful things services such as Dropbox, Google Drive, iCloud, and Microsoft SkyDrive, etc. do is to automatically backup photos to ‘the cloud.’ As last year’s ‘celebrity nudes’ scandal amply demonstrates, however, this is wildly insecure for a whole range of reasons (not least that Dropbox et. al. have complete access to your private pics).

Advanced Android users might be able to figure out how to combine VeraCrypt folders and Dropscync to securely backup their photos to the cloud*, but most users should just turn off cloud photo backup. If this is a feature that you really cannot live without, then at least use a more secure backup service (such as SpiderOak.)

*(By creating a VeraCrypt volume inside the Dropbox folder, and using a photo app that allows snaps to be saved to a custom folder on the mounted VeraCrypt volume.)

A note on encryption strength

Because this is a beginners guide, we have opted not to dwell on how good the encryption used by the various programs, apps, and services discussed is. For all intents and purposes, any form of modern encryption will defeat just about any attempt to crack it by most adversaries (including most national police forces).

However, when we are considering an adversary such as the NSA, all bets are off. The NSA has spent the last 15 years systematically trying to crack existing encryption standards and subvert or weaken new ones, and no-one is really sure of exactly what it is cable of. It goes without saying that closed source proprietary encryption should never be trusted, but experts do generally agree that good open encryption standards still give even the NSA headaches.

256-bit AES (AES-256) encryption is generally considered the gold standard these days, and is the main thing you should look out for when considering how secure an encrypted service is. It is of course considerably more complicated than this.

Smart phones

It is critical to understand that smartphones are not secure (and even ‘dumb’ phones give away a huge amount of information about us):

  • All traditional phone conversations, SMS messages and MMS messages can (and most likely are) monitored and stored by your phone provider, and will be handed over to the police etc., if requested
  • Your phone provider can (and almost certainly does) track your physical location to a scary degree of accuracy, and logs of this can be used to provide police etc. with detailed information on your physical movements
  • iOS feeds a lot of information back to Apple through its various apps. Android does as well, but this can be largely prevented by avoiding Google apps (Gmail, Calendar, Play Store etc.)
  • Third party apps (arguably even most of them) typically access far more information than they require to do their job, and send this information back to their parent company (apps typically access GPS data, contact lists, photos, and more).

So what can I do about it?

The most important thing you can do (assuming you are not prepared to just ditch your phone) is to realize that your phone is not secure, and behave accordingly. Below, however, are some tips on ameliorating the problems outlined above.

  • Probably the best tactic is a degree of self-censorship, and blending into the background by using understood code words during conversations to convey meanings which the person you are talking to understands, but which sounds like idle chatter to any automated monitoring systems (and which provide plausible deniability if an actual person should take too much interest).
  • A more high-tech solution (but note our comments on ‘Catch-22’ above) is to use encrypted VoIP (Voice over Internet) instead of talking on the phone, and encrypted chat instead of messaging using SMS.

When it comes to being physically tracked, smart phones are obviously a liability thanks to their advanced GPS features, but even dumb phones (or smart phones with GPS turned off) allow ISPs, commercial apps, and anyone else who is spying, to access very detailed geo-location data thanks to network- based cell phone triangulation.

You might think that simply turning off your phone when you want privacy would solve this problem, but unfortunately this is not the case - on most phones (including all iPhones) turning a phone off effectively puts it in ‘standby mode’, rather than actually turning it off completely.

If the user has been deliberately targeted by malware (for example by the NSA), this means they can continue to be tracked, and it is even possible for the microphone to be used as an eavesdropping tool in this state.

Recommendations

  • If you don’t want to be tracked then leave your phone at home
  • If your phone has a removable battery, then taking it out should work instead
  • You can put your phone inside a Faraday Cage, which prevents all electronic communication into and out of the ‘cage’. Faraday cages for phones are commercially available, although we cannot vouch for how effective they are.

Email - Is it secure?

Email is very insecure, and is a big problem for those worried about government surveillance. For most users, however, an even bigger problem is commercial surveillance of email for financial gain, so we will discuss the subject in the next chapter.

Recommendations

Signal - this free and open source app (Android and iOS,) replaces your default text app with one that encrypts texts to other Signal users (or can send unencrypted text to non-users,) and encrypts all local messages so that if your phone is stolen they will remain secure. It can also be used for encrypted VoIP chat to other Signal users.

Jitsi (Windows, OSX, Android (experimental)) - we also recommend avoiding proprietary video chat apps such as Skype (which is owned by Microsoft and probably hands over information to the NSA.) Jitsi is free and open source software that offers all the functionality of Skype, including voice calls, video conferencing, file transfer and Chat, but which encrypts it all. The first time you connect to someone it can take a minute or two to set up the encrypted connection (designated by a padlock), but it is afterwards transparent. As a straight Skype replacement, Jitsi is difficult to beat

Although it is in some ways less directed than government spying, advertising represents arguably the single largest threat to our privacy today. Not only do the likes of Google and Facebook scan all your emails, messages, posts, Likes/+1’s, geolocation check-ins, searches made, etc. in order to build up a scarily accurate picture of you (including your ‘personality type’, political views, sexual preferences, and most importantly all, of course, what you like to buy!), but they and a host of smaller advertising and analytics companies use a variety of deeply underhand technologies to uniquely identify you and track you across websites as you surf the internet.

Be afraid.

Protect your browser

Advertisers exploit features of your browser so that they can identify and track you across the internet (something they do in order to build-up a detailed profile of you, which can then be used to deliver highly targeted advertising).

The important takeaway is that unless you take measures to protect your browser, you can and will be tracked by websites you visit (and which pass this information on to advertising analytics companies.

As noted near the beginning of this Guide, we strongly recommend using Mozilla Firefox, as Google Chrome, Apple Safari, and Microsoft Internet Explorer are designed to feed information back to their parent companies.

Aside from being open source and made by an independent, non-profit, privacy-minded organization, Firefox allows you to increase its functionality using a huge variety of independently developed free add-ons (also slightly confusingly referred to as extensions). To install them, simply click the ‘+ Add to Firefox button.’

Recommendations

There are several privacy enhancing Firefox add-ons, but the most important ones you should install are:

uBlock Origin - an all-purpose ‘blocker’, uBlock origin works as an ad-blocker, a tracking blocker, and will even prevent WebRTC leaks. For maximum security you should probably add all available blocklists, but even with these, uBlock Origin uses up very few resources. Note that this replaces the need for both Adblock Edge and Disconnect.

HTTPS Everywhere – an essential tool, HTTPS
Everywhere was developed by the Electronic Frontier Foundation, and tries to ensure that you always connect to a website using a secure HTTPS connection, if one is available. This is fantastic, but just but aware that we have reservations about how SSL is commonly implanted, and it has almost certainly been cracked by the NSAonline security HTTPS everywhere

The brave among you might also want to consider trying:

[[post-object type="gotolink" provider="noscript"]]

We also recommend that Android users ditch Chrome or the built-in Android browser, and use Firefox Browser for Android. All of the above add-ons are compatible with Firefox for Android.

It is possible to disable cookies entirely (see ‘private browsing’), but because this breaks many websites we generally recommend only disabling third party cookies (so you accept cookies from the websites you actually visit, but not from associate advertisers). In Firefox go to Menu -> Options -> Privacy -> and check ‘Accept cookies from sites’, but ensure ‘Accept third-party cookies’ is set to ‘never’, and ‘Keep until’ is set to ‘I close Firefox’. While you are at it, you may as well ask websites not to track you (this is often ignored, but it can’t hurt to turn it on).

One thing that none of these measures can prevent is browser fingerprinting, but as there is no very practical solution to this problem (at least for now), we will just ignore it. The CanvasBlocker Firefox Add-on, however, can be quite effective against Canvas Fingerprinting.

Choose the right search engine

As we note above, Google, Microsoft, Apple etc. all make money from knowing as much as they can about you, so simply handing over every internet search you make to them is utterly bonkers! But fear not, there are alternatives out there that respect your privacy.

Recommendations

Change your default search engine to a more privacy oriented service. Either:

DuckDuckGo - the more polished of the two offering presented here, DuckDuckGo anonymizes your searches and promises not to collect data on users. Results are pulled from the Bing! Search engine by default, but ‘bangs’ can be used to make sophisticated anonymous searches using any search engine. The fact that DuckDuckGo is a US company and uses largely closed code does worry some, however.
Start Page - is based in Europe and complies with European privacy laws, and returns anonymous Google results. Start Page is generally considered better for privacy than DuckDuckGo, but is much rougher around the edges.

To change the default search engine in desktop versions of Firefox, click in the magnifying glass icon to the left of the search search (not URL) bar -> Change Search Settings -> change the Default Search Engine.

In Firefox for Android: Visit DuckDuckGo or StartPage ->Long-Press inside the search bar until ‘add search’ icon appears -> Click ‘add search’ icon and once the search has been added, tick icon to the left -> Go to Menu/ Settings/ Customize/ Search/ Select your chosen search engine/ Set as default.

How to secure your Email

There are three main problems with email:

  1. It is a 20+ (depending on how you count these things) year old technology that was never built to be secure. Emails sent in ‘plaintext’ (i.e. normal emails) are unencrypted and can be read not just by your email provider, but (unless additional encryption is used) be readily intercepted by hackers at WiFi hotspots, or anyone else who can otherwise gain access to your email account. Companies such as Google pioneered the use of encrypted SSL connections for email services, but…
  2. Most people these days use ‘free’ webmail services such as Gmail or Hotmail. These are very convenient, but we pay for them with our privacy, as Google et al. scan every email and use the information gleaned to deliver targeted advertising. As we also know, these tech companies are (or at least in the past have been) happy to let the NSA perform bulk surveillance on their customers’ emails, and to hand over the emails of specific users when requested.
  3. Convincing others to join in on your ‘paranoia’ - the only really ‘secure’ way to send emails is to use a technology called PGP (Pretty Good Privacy), but using this involves complex and difficult-to-grasp concepts, and is not easy to implement properly (the reason Edward Snowden approached Laura Poitras to release his documents was because experienced reporter Glen Greenwald was unable to get to grips with PGP).

Perhaps the biggest problem, though, is that even if you are willing learn to use and implement PGP, convincing friends, family, and colleagues to join you is likely to be difficult in the extreme!

Recommendations

Use an email service that cares about privacy. Email should never be considered secure, but at least some services do not scan every email and use them to sell you stuff, and some may even put up some resistance to official demands for data. Secure email services are great, but do remember that no matter how secure these services, if you are sending an email to, or receiving one from, someone with a Gmail account (for example,) then Google will read it… Basically, never send any emails... period.


We found ProtonMail and Tutanota to be as easy to use as Gmail, but will also encrypt email sent between users, and can send encrypted messages to non-users. Such services should never be considered anywhere like secure against the NSA, but can provide a meaningful level of privacy.online security protonmail

If you need to communicate or send files securely, use Signal or Jitsi (discussed under the Smartphones section of the last chapter.) This does, of course, requires convincing others to join you!

Protect your phone

This section is really a carry-on from the Smartphone notes in the previous chapter (where points 1 and 2 are covered). As we have already observed, smartphones are ridiculously insecure, and most of the information leaked is harvested by advertisers…

Android

Android users can prevent a lot of information from being fed back to Google by migrating away from Google apps on their Android devices. Some suggested replacements for popular Google services and apps are:

  • Gmail - K-9 Mail app a secure webmail service. (Aqua Mail is an easier to use commercial alternative to K9-Mail)
  • Chrome/Android stock browser - Firefox with DuckDuckGo or StartPage set as the default search engine (settings -> Customise -> Search)
  • Google Maps - MapQuest (not open source)
  • Play store - AppBrain
  • Hangouts - TextSecure
  • Calendar - SolCalendar (not open source)
  • Play Music - Subsonic (allows you to stream from your own computer)

It should, however, be noted that while cutting Google out of the Android experience is great in principle, in reality many users will likely not find the Android experience as enjoyable without it.

Because this is a beginners guide, we have therefore assumed that most readers will not be willing to remove the Google Play Store (possibly the biggest spyware on your device!), which is why we link to apps in the Play Store for convenience.

If you do feel adventurous, then a good place to start is F-Droid, an alternative to the Play Store that only lists, installs, and updates open source apps.

Very determined users can instead root their device and install an alternative open source operating system (known as a ROM), such as CyanogenMod, which comes with all Google-branded apps removed (although they can be installed later by the user).

Using VPN masks your real IP from websites, and we have already discussed ways to try to minimize the damage caused by using social networks. The biggest threat to your privacy posed by advertisers, however, come from your apps....

App permissions

Apps have a very nasty tendency of grabbing as much information as they can - rifling through your contact list, emails, geolocation data, installed apps, and much more (why do so many apps need access to your camera?!!), most of it completely irrelevant to the purpose or function of the app.

The standard advice is to pay careful attention to the apps permissions, but this advice is largely useless because:

  •  It is usually not clear which of the broadly defined permission categories an app needs to operate
  • Because those permissions are so broadly defined, even if it needs permission, it will likely exploit this to grab far more information than is required for it to work as advertised
  • Since nearly all apps are to some extent at fault, the option of not installing an app because you are unhappy about the permissions it asks is largely unrealistic (you would not be able to install any app!)
  • Even if an app’s permissions seem ok when you install it, it can fairly easily sneak in less good ones later.

As we have noted, this is one area where iOS users may be better served privacy-wise than Android users, as iOS users must consent whenever an app wishes to access a certain permission category. They also have access to the free MyPermissions app, which allows fine-grained control of which permissions to grant an app.

91% of US citizens agree or strongly agree that consumers have lost control of how personal information is collected and used by companies.

This kind of fine-grained control is possible with Android, but usually only if the device is rooted (and will ‘break’ many apps). Rooting an Android device does, however, bring a raft of new security problems, as it can give malware unrestricted access to the device’s core workings.

An exception to this is the latest version of Android, 6.0 Marshmallow, which goes a long way towards addressing the problem by giving users fine-grained per-app control over permissions, without the need for root access. At the time of writing, however, the vast majority of Android devices not use Marshmallow.

The long and the short of all this is that there is very little most users can really do about overly-nosy apps. The only silver lining to this very dark cloud is that the information is collected by disparate and largely unconnected commercial entities, and is not being shared with (or is particularly accessible to) the likes of the NSA (probably).

The following issues fall somewhat awkwardly outside the structure of this guide, but are worth being aware of. We therefore discuss them here in no particular order…

SSL websites

Some websites have taken measure to secure their sites using SSL encryption (for our purposes this also refers to the more modern TLSencryption). You can tell these from insecure unencrypted websites by the fact that their web address starts with ‘https://’ and when you visit them you will see a closed padlock to the left of the URL (no matter which browser you are using)

When you are connected to an SSL protected website, outside observers can see that you are connected to the website’s external web address, but cannot see what internal pages you visit or anything else that you do on that website.

Because your connection to the website is encrypted using SSL, you should be safe against most adversaries, even if using a public WiFi hotspot. The fact that many websites do not employ SSL is, in our opinion, disgraceful.

It should be noted, however, that it seems that the NSA can intercept SSL connections.

BitTorrent downloading

The entertainment industry is with ever more success putting pressure on ISPs to take measures against customers who download copyrighted material, or even to hand over their details so that direct legal action can be taken against those accused of copyright piracy.

A big problem with BitTorrent is that it is a peer-to-peer (P2P) file sharing network - this is great for decentralized distribution of content, but terrible for privacy, as every person who is sharing a file can see the IP address of every other person who is sharing the same file. This makes it very easy for copyright holders to identify the IP addresses of offenders, and collect them as evidence of wrongdoing.

The simple solution (again!) is to use a VPN for torrenting (many, but not all, do). This both hides your internet activity from your ISP (as your internet activity is encrypted) and hides your real IP address from other downloaders (who will see only the IP address of the VPN server.)

As always, choosing a provider that keeps no logs is a great idea, as it cannot hand over what it does not have. Also, a good idea is using a ‘VPN kill switch’, which prevents downloading in the event the VPN service disconnecting. Some providers include a VPN kill switch in their software, but third-party and DIY solutions are also available.

‘Private mode’

Pretty near all modern browsers offer a ‘private’ or ‘incognito’ mode. Often referred to as ‘porn mode’, private mode is mainly useful for hiding what you get up to on the internet from family members and others who use your computer, as it does not record searches, browsing history, or cache visited pages.

You should be aware, however, that private mode does little to hide what you get up to on the internet from an outside observer. For this you use a VPN or Tor.

Privacy advocates often recommend the use of private mode browsing all the time, as it also disables cookies and flash cookies. This is good for privacy, but can ‘break’ many websites which rely on cookies to function, and reduce the functionality of others.

Recommendations

Give using private mode all the time a try, and see if it works for you. In Firefox, private mode can be entered by selecting Menu -> New Private Window, or can be turned on all the time by going to Menu -> Options -> Privacy -> and ticking ‘Always use private browsing mode’. Android users go to Menu -> New Private Tab.

Conclusion

Whew! We did say at the beginning that maintaining privacy and security on the internet was not easy! However, if you have read through this guide then you should have a good idea of not only the scale of the challenge we face, but the necessity of rising to meet that challenge - not just for our own sake, but as part of a united effort make the internet the free, open and democratic hub of innovation and exchange ideas that it has the potential to be.

By following the advice in the guide, by thinking about the issues raised, and then acting appropriately, we cannot guarantee our privacy or security on the internet, but we can greatly improve it, and make the lives of those who threaten these basic human and civil rights much more difficult.

TL: DR recommendations summary

  • Use Firefox with third-party cookies disabled, and the uBlock Origin and HTTPS Everywhere add-ons (or just NoScript)
  • Use a no logs VPN service religiously (and check for IP leaks)
  • Open-source software is almost more trustworthy than closed source
  • Use a password manager, and 2FA where possible
  • Keep anti-virus software up-to-date
  • Don’t overshare on Facebook (etc.), and log out when you have finished a session (or run in a separate browser). Uninstall the Facebook mobile app now!
  • Encrypt files before storing in the cloud (or use a secure cloud storage provider)
  • Never trust your phone, and leave it at home if don’t want to be tracked
  • Turn off auto-backup of photos
  • Use DuckDuckGo or Start Page instead of Google for web searches
  • Use a privacy-oriented email service, but never trust email for sensitive communications - use encrypted IM or VoIP instead.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

20 Comments

Snowden
on February 7, 2020
Reply
How on Earth in an article about "Online Security", is not mentioned even once the problems of using Windows?... and doesn't mention Linux not only as a completely viable Operating System, but is not mentioned even once as a supported platform for a lot of the software you recommend!... It would be a competent article, but given such unbelievable omissions (which, honestly, are so obvious, that I can only imagine there's either complete ignorance or apathy about Linux from the author... or there's some hidden agenda or money involved about promoting Windows/Mac... Hopefully is the former). In the current form, it's impossible for me to recommend such incomplete and biased article to anyone.
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to Snowden
on February 10, 2020
Reply
Hi Snowden. So... the reasoning went this. This is very specifically a guide for _beginners_. And my feeling was that overwhelmingly most "beginners" will be using Windows or macOS. So the keep this guide focused I decided to limit its remit to those two desktop operating systems. If you read through this website you will see that I have written a huge amount of material either specifically bout Linux, or which includes Linux. Please check out our more detailed/advanced Ultimate Online Privacy Guide Ultimate Online Privacy Guide, which includes Linux.
Snowden replied to Douglas Crawford
on February 11, 2020
Reply
Thank you for responding. After reading this article I took the time to check other articles in this site to decide if it was worth my time or not and I have to admit other articles are more competent, reasonable and unbiased... But I have to strongly disagree with your argument about Linux not being suitable for this "beginners guide". This might have been a valid argument in 2010, maybe even in 2015... But today, in 2020, Linux is much more "beginners friendly", so much so that I have installed it on a bunch of absolute tech-clueless friends and even on my mother's computer (she's 69) and they all are pretty happy and comfortable with it. And more important, most of the advises and procedures you explain here in this guide, are pretty much the same on Linux. you would have a valid argument if everything in this guide would have to be done through the Terminal on Linux or some other complicated procedure, but that's not the case for at least 75% of the content here... And finally, if this is a "pro privacy" site, and I think we both can agree that Linux is a better privacy option than Windows or Mac, is only logical to at least mention it here and there so even the beginners gather that information and consider it when making decisions. Probably 0% of them will really switch from Windows/Mac to Linux just by reading this Internet article, but, 1st, if somebody takes the time to read this long article, I can assure you they know enough about computers to understand what Linux is and 2nd, at least they will be reading a truly unbiased and "pro privacy" guide.
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to Snowden
on February 12, 2020
Reply
Hi Snowden. I use Ubuntu as my daily driver, and now that it is properly set up, it works well. But even a techie like myself experienced a sharp learning curve when first switching to Linux, and there are still things I can't do in Linux that I can do without a thought in Windows (such as quickly adding arrows to a screenshot - which is something I need to do every day. Recommendations welcome). Everyone's mileage will vary, but I would simply not recommend to my technophobic elderly mother that she switch from Windows to any version of Linux. When it comes to privacy, though, Linux is the only choice.
Snowden replied to Douglas Crawford
on February 12, 2020
Reply
I don't consider myself an "expert" on Linux by any means, I switched to Linux in 2014 precisely after seeing how different Windows 8 looked in comparison to Win 7... I said "if I have to learn a bunch of new paradigms, I will do it learning Linux!"... I started with Ubuntu (like probably 90% of the people that switches to Linux)... but after about 1 year, I experimented with a few other distros and landed on what is my favorite distro since 2016, Manjaro. That to me is by far, the best Linux distro. Even being based on Arch (which might sound intimidating), is much easier to maintain once you understand the differences from Ubuntu. For screen capturing and annotations I use "Flameshot" ( https://github.com/lupoDharkael/flameshot )... Take a look at it, I think it's pretty nice! And again, I'm not suggesting that you remove everything from this article and just put "for privacy, Linux is the only choice"... But not one single comment mentioning Linux as an option, is just too lopsided in my opinion. At least a few lines encouraging people to keep striving for privacy and maybe, just maybe taking a look at Linux, would be a nice touch. (and again, several of the applications you recommend in this article, are compatible with Linux, adding that to the compatibility list of those app, won't hurt anybody). P.S.: I'm starting to think I might have a few "valuable" things to contribute to this site... Should I "apply" to be a writer here?
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to Snowden
on February 12, 2020
Reply
Hi Snowden. I also use Flameshot sometimes, but I do not find it up to my day-to-day screenshot needs. YMMV. I continue to use Ubuntu because it is the most useful Linux distro for writing accessible how-guides and the like, thanks mainly to its popularity. You have a good point about Linux, and I will add a section to this article recommending that anyone who cares about privacy should use it. We are always interested in talented writers for this site. If you would like to drop an email to [email protected] with some info about yourself, some examples of your work, and some ideas you would like to contribute to ProPrivacy, then we will be very happy to review your application.
BillR
on October 9, 2016
Reply
Douglas Crawford, Three more AV comments. Malwarebytes has a limited feature (free), good quality (free/paid) anti-exploit tool which can be a nice browser protection addition for home users. I recommend it for free (or HitmanPro with .Alert for paid) although other AV vendors are beginning to incorporate similar features. I still trip over your description of MBAM as "best" AV "protection". Please look at the very limited available comparisons and the description of the product itself. Try PC Mag comments on and reanalysis (still poor) of 2014 Dennis Labs test or AV-Test 2015 Android test (2.5 from 6 for "protection"; last of 31). If "best" has anything to do with initially identifying malware and preventing infection, it just isn't. It does do well remediating infections (1st in AV-Test 2014 repair test; and well in PC Mag's very limited annual testing). As for your cloud antipathy, I understand. That approach has advantages and disads including the one you note. Cloud access is integral to almost all AVs now (at least for consumers and smaller businesses). Many products (including some free ones) have an option that determines whether an unknown (no matching signature) file is uploaded for additional testing/analysis or not (although, like the premium option of running a private AV cloud, that is more of a business feature). Failing to upload unknown files certainly reduces effectiveness but increases privacy. You also might be interested in two other tools. Process Explorer from Sysinternals for your advanced user notes for what to do if you suspect an infection. PE has an option to check processes and associated .dll and other files against VirusTotal with the _option_ to upload unrecognized files. Metadefender includes that option for accessing its (also named Metadefender) cloud. The full installed tool (central monitor; daily endpoint scans) might be a bit much (although it is great for a family if one person is interested, disciplined, and technical). Just the scanner is a great on-request scanner that can be manually scheduled daily or on startup or used in initial "am I infected?" analysis. Free AV licensing varies. Sophos has made more and more of its business software free for home use over the last several years. HitmanPro screening is free (_don't!_ activate license and choose either run daily or on startup) but remediation and anti-exploit .Alert is limited to 30 days (activate license once ever). SurfRight HMP was also recently bought by Sophos. Several AVs are free for a variety of business users with widely variety of restrictions/permissions [charitable NGOs, (non)public/private/collegiate schools, (non)gov'ts, maximum of 2/5/10/25 users/devices, ...] and rules change every few years.
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to BillR
on October 12, 2016
Reply
Hi BillR, Thank you for your recommendations. The subject of Anti-virus/malware is a big (albeit very important) one, and in this beginners guide to general internet security, I was trying to not to get too bogged down in it. - I do recommend using Windows defender to provide realtime protection, but are are right that I have not properly flagged up that this is not provided by Malwarebytes Free. I have corrected this now. - I have been testing HitmanPro since your last recommendation of the software. It certainly seems to work, but so far it has detected nothing that Defender did not block. Do you know of any evaluations that show that HitmanPro is more effective at preventing malware than Defender? - I am always looking to improve my articles, and when time permits will research the software you recommend. Many thanks.
BillR
on September 18, 2016
Reply
Great start. You'll never please everyone, starting with me: I think AV section is wrong. Regarding soft recommendation of ClamAV and "Malwarebytes provides probably the best antivirus protection available for Windows": these are either wrong or poorly written. MBAM is good at removing malware but even ClamAV may be better at finding it -- and nobody should rely on ClamAV. (Simple search will verify: start with PCMag, AV-Comparatives, and AV-Test.) Pick a free real-time/always-on/on-access AV from a major vendor (Avira, Panda, Avast, AVG, etc. -- refer to AV-Comparatives, etc.). For Win10, turn on Msft Windows Defender "Limited Periodic Scanning". Now add free versions of HitmanPro (will scan on start-up or daily) and Malwarebytes (as prep for disinfection). Nervous or risk-prone users should add HerdProtect or OPSWAT's MetaDefender. They both must be run manually (or manually added to Windows scheduler) but will do a _limited_ check using dozens(!) of AV products (essentially equivalent to checking VirusTotal.com and MetaDefender.com respectively). Note these are especially prone to false positives: generally ignore 3 or fewer detections -- or better, wait a week and retest directly on both websites. Commercial/institutional users have more limited software choices (e.g., 5-10-25 or fewer users, or only non-profit or only charitable orgs.) but a few products allow commercial use. Review text carefully as business use changes periodically and may have odd restrictions. If nothing else, use Windows Defender for real-time and maybe _supplement_ with ClamAV (not real-time). Defender is much improved circa 2015 and surpassed at least a few commercial vendors in detection (including MBAM), and maybe even surpassed almost all vendors depending upon the malware selection and weighting methodology (see PCMag for brief discussion and link to study). PS: This is hard. Good luck and thanks.
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to BillR
on September 19, 2016
Reply
Hi BillR, Constructive criticism is always welcome. No two people are ever likely to agree on pretty much anything, but a healthy debate brings us closer to the truth :). - I think I make it clear that although open source, Clam AV is not a great anti-virus solution. - Yes. I use Windows Defender for real-time protection, and also run regular manual scans with Malwarebytes. I did say "and so we recommend also running weekly manual virus checks using the free version." I agree, however, that this could be clearer/more prominent, and have made changes to this effect. - I was not aware of Hitman Pro, but have downloaded and will put it through its paces. I may update this article with my conclusions. - I am very wary of cloud-based virus scanning services. They seems very intrusive to me, and provide a lot of services (including the cloud provider) deep access to your system. I may be over-paranoid here, and am open to debate on the subject, but but will require some convincing before I recommend them. - I agree that Windows Defender is pretty good these days, and have modified the text (which did say "not bad") to better reflect this. Thank you for your input. I feel this section is stronger now (better worded rather than a change in substance), but welcome any feedback.
Thomas Smith
on August 18, 2016
Reply
If I am using Windows 10, with all of its built in, helpful watch what I am doing features to direct advertising my way, then how valuable is a VPN to protecting me?
https://cdn.proprivacy.com/storage/images/2020/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-default.png
Douglas Crawford replied to Thomas Smith
on August 22, 2016
Reply
Hi Thomas, Using a VPN with Windows 10 will provide all the benefits discussed in this article. What it will not do is provide much protection against Microsoft itself. By default Windows 10 is basically spyware for Microsoft. You can manually disable many of Windows's worse spyware features, although Microsoft has apparently removed the ability to disable Cortana (the biggest offender) in its latest Anniversary Update.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

Large brand with very good value, and a budget price

The fastest VPN we test, unblocks everything, with amazing service all round

Longtime top ranked VPN, with great price and speeds

One of the cheapest VPNs out there, but still a good service