Simple Practices for Internet Privacy

Locking your front door on the internet.

In 2019, Pew Research put out a report on Americans and their perception of data privacy. Overwhelmingly, U.S. adults do not understand what data is collected, why, and what can be done to prevent it. “Roughly 60% U.S. adults say they do not think it is possible to go through daily life without having data collected about them by companies or the government” (Pew Research).

Hopefully this document can help provide you with some simple best-practices that you can take to help preserve your privacy online. 

Note 1: I’m not paid to say any of this. I just want more privacy in the world.

Note 2: this post is cross-posted to medium

Top recommendations:

1. Use a password manager, like 1Password, Bitwarden, or LastPass (update: do not use LastPass) and make sure all your passwords are different. I tell people that if the only thing you do in the next month, and it’s to create a password manager, it will be a productive month. 

2. Use extensions for ad-blocking and tracker-blocking (like Adnauseam)

3. Use Mine to request the data-deletion of most of your data that’s spread across the internet.

4. Use a VPN when browsing the internet (like Nord VPN, or SurfShark) 

5. When you don’t know if something is private, check PrivacySpy.

Browsers and search engines:

1. Firefox is much better than chrome when it comes to privacy, but I won't advocate too strongly for "don’t use chrome". It scores 7.5/10 on PrivacySpy.

2. Duckduckgo is also much better for privacy than other search engines. So I recommend setting your default-search to DuckDuckGo, and only using Google when DuckDuckGo doesn’t find what you’re looking for. DuckDuckGo scores 10/10 on PrivacySpy (one of 3 applications to do so!).

3. Brave is a browser designed with privacy in mind - it has tracker-blockers built in. It also has Tor (if you don’t know what this is, see below) built into it, so browsing on Tor is made easy. It scores 7.4/10 on PrivacySpy.

Firefox-specific Extensions

Here’s a general guide on privacy and Firefox.

1. Use Firefox containers, to split the work that you do for different things (i.e. work, personal, social media, shopping). Also protect your container tabs with Mozilla VPN, which uses a VPN for the all online actions you do in your containers.   

2. ClearURLs, which automatically removes tracking elements from URLs, to prevent websites from identifying you. 

3. Cookie AutoDelete, which deletes cookies, so that companies can’t track you. (Here’s a description of Cookies)

4.  Firefox Relays, which generates fake emails that forward to your email

Chrome and Firefox Extensions:

1. HTTPS Everywhere, which makes all your websites send messages in encrypted format, using HTTPS, rather than HTTP. 

2. Privacy Badger, which is a general Privacy tool, designed by EFF. It prevents advertisers from being able to track you across different sites.

3. Track Me Not, which goes to random sites in the background, obfuscating what trackers can see.

4. Referer Control, which controls what a site can see about where you are coming from, which minimizes what a site can learn about you.

5. I strongly recommend using a strong ad-blocker. I use AdNauseam. It was banned on google chrome, so you need to install it manually. It works by clicking all the ads and preventing them from opening up on your browser - so it costs advertisers money. I’ve found it to be quite effective.

An important note about extensions and ad-blockers: Most extensions actually are able to view the webpage you are on. So, there are ad blockers that simultaneously block ads and trackers, while also sharing your personal data. Either only use reputable ad blockers, or do your homework on their privacy practices.  

Passwords

This one is really simple. The only reason you haven’t been hacked yet, is that it hasn’t been worth someone’s time yet.  To avoid being hacked: use a password manager, like 1Password, Bitwarden, or LastPass and make sure all your passwords are different. 

Getting a password manager dramatically increases the time required to hack your accounts. If the only thing you do in the next month, and it’s to create a password manager, it will be a productive month. I promise you.

As some fast facts: in 2021, there were nearly 1.4 million reports of identity theft received by the FTC (link). There are ~330 million people in the US, which means that there is about a 0.5% chance of having your identity stolen, per year. The average loss around $4000 (FTC Fraud and ID theft map).

Private Activities

If you want to do a specific thing, and you want it to be as anonymous as possible, the simplest advice is : use a VPN + Tor. Don’t just use a VPN, because the VPN only protects you from people looking at the network, but it’s still vulnerable to the VPN being compromised, or to timing attacks.

VPN

If you’re not using a VPN, ISPs and internet companies can see what websites you are going to (though, if you’re using HTTPs they can’t see what you’re doing, just who you are doing it with).

• A VPN is a Virtual Private Network, and basically works by sending all your internet traffic through another server. This way, what you do on the internet can’t be traced back to you, as all anyone else sees is that you’re communicating with a VPN (which is also dealing with other users). 

• I personally like NordVPN as they have fast servers and a strict “no-log” policy on their servers. However, I’ve heard good things of SurfShark, and you can look for yourself (The Best VPN Services for 2022).

• Note: because we are talking about privacy, you need to get a paid VPN, otherwise, they are almost certainly making money by selling your data.

Tor (The Onion Router)

• Whereas a single VPN server can get hacked, TOR acts as a series of VPNs which protect you in layers. Imagine one VPN that connects to another which connects to a 3rd. It becomes very difficult to track you over time, because each packet is forwarded to the next Tor node, along with other messages that get interleaved. 

• For your data to be hacked, typically all 3 (or more) TOR nodes would need to be compromised. However, a timing attack is possible; for example, if you are the only Tor user on your local network, and the only Tor user at the website.

  • E.g.  if you’re using Tor on your company or university to view banned materials (like homework answers on Chegg), and the server hosting the banned materials observes that there is only 1 Tor user, and shares this data. Your company or university will know that you viewed the banned materials.

• It should be noted that some sites work poorly when viewed on Tor.

Using a trusted VPN and Tor together, can offer a significant amount of trust, because only the VPN can track your Tor usage, so that offers one final layer of protection if the Tor nodes are compromised.

Navigating Privacy Legislation / Exercising Digital Privacy Rights

In recent years, new consumer privacy laws have come into existence. You may have heard of GDPR (General Data Protections Regulation) in the EU or CCPA (California Consumer Protections Act) in California.

While these laws are long and nuanced, there are 3 particularly important privacy-related parts to both of them (and the laws that are derived from them):

1. Right to Knowledge: You have a right to request a company to share all data that they have regarding you. They have roughly 30 days to comply.

2. Right to Deletion: You have a right to request a company delete all data directly relating to you. They have roughly 30 days to comply.

3. Right to be Informed (or Right-to-Notice): You have a right to be informed about the collection and use of your personal data. They have roughly 30 days to comply.

Caveat 1: a data processor does not have to comply with these. In other words, if a company uses Amazon’s servers (AWS) to store their data, you cannot request Amazon to delete/access/inform you about your data, as it would be unreasonable to expect Amazon to view their customer’s data.

Caveat 2: The rights afforded by GDPR and CCPA actually only apply to EU citizens and California citizens. However, because it’s fairly difficult for companies to tell where an individual is from, online, so they often offer these rights to all netizens. (No promises).

So, how do you actually go about utilizing these rights? You can directly email each company, or find a privacy request form on their website. However, relatively recently a fantastic company, Mine, which searches your email for correspondences with internet companies, and then gives you a one-click button to send them a “delete-my-data” request. 

Note: Yes, you have to give them access to your email, however, I have personally spoken with a salesperson, and reviewed their privacy policy - they do not use your email for anything except to search for companies to email, and then also to email them.

When you’re not certain:

First, I recommend looking at PrivacySpy and checking the product’s score. If you’re still not certain, I’m a strong proponent of looking at incentives - ask yourself how the company makes money. It’s not perfect, but it helps understand what you can trust - in general, if a company makes money off of selling data about you, its privacy practices are going to subvert your right to the ownership of data. 

• Facebook makes money off of ads (3.2/10 on Privacy Spy)

• Google primarily makes money off of ads (4.9 on Privacy Spy)

• Apple makes most of its money off of selling physical devices. (7/10 on Privacy Spy)

Again, this isn’t perfect. However this can serve as a reasonable proxy for how much of your data you should expect the company to take. I expect a smart home like Alexa and Google Home to be generally privacy invading, and to hold on to much more of your data than you expect. 

General Resources and Information

1. This is an excellent (fairly comprehensive) resource list of internet Privacy Tools.

2. EFF’s (Electronic Frontier Foundation) self-defense guides and a Starter Pack.

3. I don’t know much about location privacy, but given Google’s reputation - here’s a list of Google Maps Alternatives. I use Omsand Maps, and will then use Apple maps if Omsand Maps doesn’t find it (Apple Maps is good now!).

4. Outside of Mine (which I’ve personally used), there is Delete Me, Revoke, and Privacy Bee, which I haven’t used, but offer similar products (i.e. search the internet for your personal data and automate requesting the deletion of that data). 

5. Please remember - blockchains are not private by default. Do not assume that anything you do on the blockchain is private, unless you’re explicitly making it so, using a coin like ZCash or Monero, or an Ethereum tumbler like Tornado Cash.

6. Data Brokers currently own and are selling your data! Yes - yours. Here’s some advice on how to remove yourself completely from these brokers. (I’d like to write up a post on data-brokers, later -  please message me if you’re interested).

Thank you to the people who read this post and gave comments, like Anna Bot and Miranda Christ.