Tips for increasing online privacy (without going insane)?
I've been researching internet privacy and fell down the rabbit hole of...well, internet privacy. I started with deleting Facebook/Instagram and switching to Firefox + plugins. I would like to make more improvements but I really have no idea how; it started with deleting socials and next thing you know I'm looking at LineageOS and de-googling.
If anyone has any suggestions on where to go next while staying realistic/not going crazy, I would love to hear them. I am not really sure where to set my expectations, basically I would like to have more control of my data. The other day Google Photos gave me a memory recap which kind of creeped me out! I am suddenly not fond of whatever is going on under the surface of Google Photos that's making collages and trying to sell me photo books. Also Gboard giving me a pop-up in the text prediction row asking me to rate the app??? Ew.
I am a fan of self hosting and run a small NAS (open media vault) but this too quickly turns into the privacy spiral and leaves me thinking I should throw my phone into a river and live in the forest. Would love to hear your thoughts/advice/opinions!
You sound like you're well past this, but for other folks who step into this thread, I always recommend going into the settings for any new application (and just occasionally in general for any application that holds highly sensitive or private data) and seeing what you can turn off or opt out of.
Great suggestion! I need to remember to do this when I download new apps.
You should have a threat model in mind and justify on what is possible vs. the cost of doing so.
For example, a smartphone will have built-in spyware and it's really hard to block this. The more vendors you add, the more spying. This means that using a Pixel or iPhone removes one vendor from the list (any Android phone will have Google Play Services regardless of vendor, but you can avoid Samsung or Xiaomi spying on you).
Unlike web apps, every app you install may spy on you. I prefer to not install apps if possible and use the web apps.
I try to only implement protections that cover a lot of areas:
I like what PagerDuty wrote on their security training - "Be secure, but usable". Most people don't put ten locks on their front door, but not zero either. My university course taught me that you should not invest in protection more than the cost of the harm itself. My bike cost $70. I'm not buying a $100 bike lock to protect it (although for some people the cost of having to walk/taxi home may also make that investment worthwhile).
Well, natively. You can use a degoogled alternative distro or a Pixel with GrapheneOS, which banishes Google Play Services into a sandbox and doesn't let it talk to anything without permission.
That's a really good reminder, I tend to catastrophize. Really no reason I need to throw away my devices and become a nomad haha.
Also, you make a really good point with the web apps, I'll keep that in mind.
I currently have my router set to use Adguard's public DNS (option 2 on that page). What are the benefits of switching to NextDNS? Why would I want to install either of their apps instead of simply pointing to the DNS IPs?
One benefit of NextDNS is that you can fairly extensively configure your settings, to choose exactly what is filtered. There are plenty of settings to fiddle with, though I haven’t been back to that panel in a while.
I think the only benefit of using the app is that you can quickly toggle NextDNS off if you want to fall back on your default DNS for whatever reason. Since I have a very strict filtering setup, I use this to quickly circumvent my rules, if I need to.
Also just learned Adguard is a Russian company. That's a no for me. https://www.reddit.com/r/nextdns/comments/15almtw/nextdns_vs_adguard_private_dns/juxzm85/
Ah very interesting, I wasn’t aware. I still use AdGuard on Safari (since there’s no uBlock), so I may need to reconsider that…
If you use AdGuard on Safari and only use the content blockers and don't enable the one that requests extra permissions, there's zero risk. The content blocker (the one that doesn't require any permissions) is just a text file telling Safari what to block and doesn't share any info back.
EDIT: Well if AdGuard wanted to not block Russian trackers, they could omit that from the content blockers I guess. Almost* no risk. I like Wipr as my Safari Adblock if you're down to drop a few dollars.
Edit: I made it 20 minutes into my comment and realized you weren't really talking about online information security, but I spent too much work on this so I'm going to post it anyway :p
I've been doxxed, witch hunted, and even swatted once: here's what I've done to help.
Google/Bing/whatever your name, your address, your phone number; any identifiable information you can think of that could be publicly available. Check multiple pages of results. Find every website that has your information on it and submit opt-out requests (99.9% of the sites should have this function, some don't) there are a lot of websites out there like peekyou, the Whitepages, etc which will just post your straight up name, address, number, etc for anyone to find. It's criminal.
Do the same for your immediate family members, especially your parents. Parents are the number one targets for psychos online and they usually don't have the wherewithal to do this kind of thing themselves. If you have the patience you can do it for in-laws as well. I once had someone call my sister-in-law's phone number dozens of times saying that I caused someone to kill themselves and I should be in jail. It really stressed her out and I felt terrible that she was targeted because of her relation to me.
Once you've done everything you can to remove your information from the people finder websites, do some digging into specific popular databases. You may find that you're still showing up in them despite them not appearing on searches.
For any public online information that you can't easily remove, submit a takedown request via Google. I believe they'll remove it from the search results if you give them a good enough reason, so feel free to get creative. This isn't foolproof obviously but it does a lot to slow down the lazier creeps online.
Consider trying out a paid service like Incogni to go through and purge other records. It's usually not very expensive and can save you a lot of time and effort. I don't know how well they work, but for a few bucks it's probably worth it.
You can go even deeper and start planting fake information out there associated with your personal identity. Not really sure the best way to do this, but I believe you can submit corrections for online people searches and change things like addresses and phone numbers. You could also make fake social media accounts associated with your name or username and have false info planted there too. I personally haven't but it's worth a shot if you're desperate to have some barriers up.
Call your local PD and warn them that someone may attempt to SWAT you or your family. They usually are pretty clueless but sometimes you'll find someone helpful and they'll be able to make a note about it and maybe prevent a disaster.
Recognize that you will probably never be able to get all traces of your info off the web and don't stress out about it too much. You can only do so much, and it's not worth beating yourself up too much over it. Do your best and hope for the best, don't let the trolls win.
I can personally vouch for easyoptouts.com for removing personal data from public websites. They charge $20 a year and the service seems to be very effective.
Hahaha not what I am looking for but good advice regardless!!
Check out https://privacyguides.org, it's probably the best privacy-related resource online! The website's co-founder is also on Tildes @freddy
I'll happily recommend the FUTO keyboard for Android, if you are uncomfortable with your search engine reading every keystroke. The speech-to-text feature is the best one that I've found. Good luck!
Great suggestion!
omg thank you! I can't live without glide/swipe/slide/whatever typing on a phone, and the FOSS implementations are few and far between. I've been waiting for a very long time for FlorisBoard to get to the point where they could reimplement that, but that project is moving very slow. I will try FUTO immediately.
EDIT: Eeeehhhhh on second thought, FUTO is funded by Eron Wolf who's a bit nutty in his belief that capitalism will save us from the technoligarchy...... I'm getting strong elon vibes from him and his twitter feed and expect a heel turn if he ever got big enough. Why can't we have nice things?
My standards have fallen far. I no longer consider the moral failings of the people who make the things that I buy. I just like having a thing that isn't actively, obviously, constantly, maliciously spying on me.
I have Fastmail with my own domains and am gradually switching over as logins come up since all at once is overwhelming.
Slowly moving off of the big platforms as well: Google (only for services that require it), Twitter to Bluesky and Mastodon, Discord to IRC. Facebook remains for people who I can’t contact otherwise. Instagram still has a few amusing accounts.
I try to self host as much as possible using Photoprism and Immich with backups to my NAS and an S3 bucket as well.
I find that disabling notifications unless they no-shit need to be there (medication reminders) has been extremely helpful as well and helps you clean up your phone.
Device: Pixel 8 or above.
OS: GrapheneOS (there is no competitor)
GooglePhotos: Ente Photo
Authenticator: Aegis Or Ente Auth
Internet Traffic Management: Rethink
File Manager: Mixplorer
Password Manager: Bitwarden
App store: Accrescent/Obtainium (F-Droid is not recommended for security)
Mail: ProtonMail, Tuta Mail, Infomaniak (Also use Aliases)
Cloud storage: Filen.io (or use whatever but encrypt before uploading)
ReadLater: Wallabag(self hostable)(RIP Omnivore)
Notes App: Notesnook/Obsidian/Logseq
Gallery: Fossify Gallery
Message App: QUIK SMS
Music App: RiMusic/Innertube/Spotube
Rss Reader: Feeder
Birthday Reminder: Birday
Smartwatch/Earbud Manager: GadgetBridge
ExpenseManager: MyExpenses
VPN: ProtonVPN/Mullvad
Browser: Chromium-based browsers are better than Firefox from a security perspective. Read here
WeatherApp: Breezy Weather
Maps: Organic Maps
Messaging: Signal.org(<3)/Molly
HackerNews: Harmonic
Come Hangout here: https://discuss.grapheneos.org/
Please ask if you have any specific questions, I'll be happy to help to the best of my capability, and remember this is a process.
edit: Keyboard: FlorisBoard/Heliboard
edit2: read this post on OpSec
What's wrong with F-Droid from a security perspective? Maybe the single-point-of-failure build system?
FairMail is treating me really well as an email client; I didn't love any of the ones you suggest above.
While I understand your perspective on Firefox, IMO full-fat uBlock Origin beats Chromium security every day of the week. My privacy is threatened much more by creepy companies than actual exploits, at which Firefox is at least reasonable, AFAIK. Fennec and Mullvad help keep Mozilla from creeping, too.
Overall a damn excellent list, though.
One somewhat out-of-scope consideration: your ISP and your cell phone provider! You may not be able to change ISPs, but you should at least poke around in your account settings to disable personalised advertising and tracking from the ISP, if possible. If you do have choice, compare! Cell phone providers are easier. Personally I use Google Fi, which I know seems crazy, but as far as I can tell they protect my call, text, and location information better than any other cell phone provider. AT&T and Verizon sell all of it, even down to your location data, these days. MVNOs can sometimes act a bit like unions, contracting special user data protections. Worth looking into if you really care!
F-Droid uses its own signing key, introducing another party in your trust system. It also does not follow the native installer, and Android 15 detects it as sideloading, which leads to restriction of many permissions for the installed app. Most of the apps on F-Droid can be directly sourced from GitHub, and Obtainium makes it very easy. Read more here
Of course creepy companies are not to be trusted. I kind of took it for granted in my comment because hardened Chromium from Graphene is much better. Although from plain security, not privacy, up-to-date Chromium still beats Firefox on Android.
Completely agree on using GoogleFi over traditional ISPs. I am planning on switching.
Dang this is extensive, thanks for putting this together!!
I use several things without fully de-Googling.
Listed all out like this it seems like a lot, but none of it is a real impediment to my daily activities so once setup, it's mostly unnoticeable. I just have to remember to whitelist new apps through NetGuard if they need the internet.
Privacy Badger is redundant if you have uBO set up correctly and actually adds more information to your fingerprint, making you more identifiable.
https://www.reddit.com/r/firefox/comments/o28yi4/ghostery_on_firefox/h26mguk/
https://www.reddit.com/r/privacytoolsIO/comments/l2dges/why_isnt_privacy_badger_recommended/
https://www.reddit.com/r/uBlockOrigin/comments/t2ojvg/ublock_origins_vs_privacy_badger_vs_disconnect/
Thanks for the info. I was running on old data.
Any chance you have trusted resources for configuring uBO to take the place of privacy badger? I see a lot of "it can" but not much by the way of "here's how."
If you have a couple lists selected in uBO (by default you do, unless you unselected some), you've probably already got what PB blocks covered.
https://github.com/gorhill/uBlock/wiki/uBlock-and-others:-Blocking-ads,-trackers,-malwares
https://github.com/gorhill/uBlock/wiki/About-%22This-other-extension-reports-more-stuff-blocked!%22
Nice, Thanks! I've got every single built-in list selected, so I think I'm good then haha.
If you're blocking most cookies, don't share unnecessary data with apps, and have deleted your AdID, you're 90% of the way there. Internet privacy boards are tough places because the people who lurk there tend to be absolutely nuts - and often believe a lot of stuff that's just not substantiated by the facts. ("Your phone is constantly listening to your conversations to sell you ads!")
The bottom line is you've got to understand your actual threat model. Are you trying to sell drugs on the darknet or blow the whistle on an oppressive regime? Okay, let's talk about tails or whonix or whatever. You just want to limit the amount of data that could potentially identify you? Delete your AdID and keep location services off when you don't need it and you're pretty much good.
Hi @willopillo, the first thing I would say is that: you are not alone! From catastrophizing (as you noted elsewhere in this post), to finding that right balance of privacy and dare I say convenience, there are plenty of people in a similar place to where you find yourself. As others noted, getting an understanding of your threat model, level of comfort, etc. would be a good idea to re-assess (I say "re-assess" because you aren't starting from scratch here). And the privacy guides that another person posted is pretty good too! I guess the other aspect I would suggest is not to let this negatively impact your mental health. I say this from experience! I'm quite sensitive about my privacy, but then also need to maintain a balance to not let that desire for privacy and data sovereignty overtake my actual, real life. Stay safe, but do take care of yourself! :-)
Yes!! I have already taken some advice from this thread; I am going to take it slow to avoid overloading myself. Thanks for sharing your input, this is really great advice.
I have used exclusively FOSS OS and apps on nearly all my devices for a very long time, for privacy reasons. One thing that has recently-ish made my life a bit less insane was setting up a secondary user on my phone and using it to install any proprietary apps I need (essential stuff like banking apps, etc) in that environment (via Aurora Store).
It keeps them niftily sandboxed away from any of my day-to-day data, gives them their own settings profile for things like GPS, and I have a little shortcut on my main home screen that kills the entire user session - making sure there are no sneaky background processes running when I'm not actively using that 'workspace'. Obviously it would be better to have a dedicated phone for this purpose, but this is an acceptable balance between secure and convenient for me. I originally had a whole bunch of different user profiles for different tasks but I found it to be overkill for my needs and reduced it to just a couple. YMMV.
Tl;Dr: my tip is to use multiple user sessions on your phone to segregate less trusted apps from your 'clean' main environment (and maybe from each other).
Edits: mostly just tidying and clarifying
Ooooo that's smart, I'll have to try that out
All great suggestions by many here, but one I haven’t seen is to use Firefox Focus for general browsing. It deletes cookies, history, and local storage after each session. Alternatively you can just start a new session at any time. Removing the ability for any site to track you longitudinally is just another method of covering your tracks when you can’t ensure privacy blockers will work for 100% of trackers.
Side benefit is a decluttered browsing experience. On my other browsers I have an endless growth of tabs I keep forgetting to clear out. Firefox Focus removes the need to think about maintaining data hygiene.
Occasionally I do need to switch to Chrome (ugh) or Vanilla Firefox because I need to persist my browser state (signing into services or online shopping), but it’s nice to force me to be more thoughtful when I do need to switch to a different context. It’s similar to having to use a !bang operator in DuckDuckGo/Kagi when I want to switch to Google Search (thankfully less and less common these days).
If you have an Android, check out TrackerControl (TC) from the F-droid app store.
It allows you to control where apps are allowed to send data to, and disable them from sending your information to ad/tracker companies.
It's very granular and can also prevent apps from working if you disable too much, but it's categorised well and you just unstick restrictions until the app works again
Sadly TrackerControl requires that you don't use a VPN or custom DNS.
I’ve been focusing on all smart home stuff lately. I was always very much against connecting appliances to the internet, but I really needed to control the heating remotely. Also got solar installed recently and I wanted to monitor production. For both I ended up writing Home Assistant connectors, because the available stuff still required the devices to connect to the lan. It took me quite some effort, but it’s running well now.
For TV I started using Kodi. This was triggered when I received an Android TV device, that thing was a privacy nightmare.
I've been debating switching Android phones and iPhones every 5-6 years just to create darkzones in my history with corporations like that but. Maybe better to get some of your opinions on that first :P
Are you thinking about switching from Android to iPhone and back every 5-6 years?
Otherwise you also have to use a new Google / Apple account every time you're switching phones, otherwise at least Google / Apple can trivially connect your phones.
Well, if they want to see identification with each new sign-up/registration they can just as easily link you back together. The idea was that they just have blindspots in their data for a couple of years. Unless they trade their info back and forth to fill in gaps for profiling, which is another perfect dystopian thought to have.
Want to know how far you'd have to go?
New SIM, new number, change the WiFi SSID at home and disable your Bluetooth. However, first scan of neighbouring SSIDs, a GPS hit and an active Bluetooth scan, you're known again.
Big corp gathers everything and can identify you in a moment. From WiFi connections, to other devices around you based on Bluetooth scanning. Oh, don't forget that your SIM with your mobile provider hands them a perfect link. That social you logged into - got your ID instantly.
People keep telling me that they want more privacy and to not be tracked and traced. The only way to truly stop it is to stop using your phone. It's such a convenience though, but we're the product and always will be.
On a computer, it's far easier to protect your identity. Mobile phones though, not so much.
Since Google seems a primary issue for you, have you considered switching to the Apple ecosystem and disabling the services you find creepy on that? It has a lot of the same features of the Google ecosystem but they can be disabled.
The only main difference between Apple and Google is Apple doesn't sell any data to third-party vendors currently. Otherwise all of the tracking and manipulation is the same. Apple's privacy promise is marketing and it's working.
If providing privacy generates revenue then it is in Apple's best interest to support it. If I asked you to rank these three companies on privacy which would you place at the top? Microsoft, Apple, Google?
Some people don’t want to run a custom degoogled ROM/OS plus Linux. If you’d like a more managed solution then the best option is Apple.
Sometimes it isn't a perfect choice, but it is the "least bad" choice.