The Most Complete Online Privacy Guide

Douglas Crawford


November 18, 2016


Edward Snowden's NSA spying revelations highlighted just how much of something we used to take for granted, and once considered a basic human right, we have sacrificed to the gods of technology and convenience: our privacy.

It is not just the NSA. Governments the world over are racing to introduce legislation that allows them to monitor and store every email, phone call and instant message, every web page visited, and every VoIP conversation made by every single one of their citizens.

The press has bandied about parallels with George Orwell's dystopian world ruled by an all-seeing Big Brother a great deal. They are depressingly accurate.

Encryption provides a highly effective way to protect your internet behavior, communications, and data. The main problem with using encryption is that its use flags you up to organizations such as the NSA for closer scrutiny.

Details of the NSA’s data collection rules are here. What it boils down to is that the NSA examines data from US citizens, then discards it if it’s found to be uninteresting. Encrypted data, on the other hand, is stored indefinitely until the NSA can decrypt it.

The NSA can keep all data relating to non-US citizens indefinitely, but practicality suggests that encrypted data gets special attention.


If a lot more people start to use encryption, then encrypted data will stand out less, and surveillance organizations’ job of invading everyone’s privacy will be much harder. Remember – anonymity is not a crime!

How Secure is Encryption?

Following revelations about the scale of the NSA’s deliberate assault on global encryption standards, confidence in encryption has taken a big dent. So let’s examine the current state of play…

Encryption Key Length

Key length is the crudest measure of how long a cipher will take to break: it is the number of bits in the key, and every extra bit doubles the number of possible keys. Similarly, the crudest form of attack on a cipher is the brute force attack (or exhaustive key search), which simply tries every possible key until it finds the correct one.

If anyone is capable of breaking modern encryption ciphers it is the NSA, but to do so is a considerable challenge. For a brute force attack:

  • A 128-bit key has 2^128, or about 3.4 x 10^38, possible keys. Testing each one costs on the order of a thousand CPU operations, so the figures below assume 1,000 operations per key tried.
  • In 2011 the fastest supercomputer in the world (the Fujitsu K computer located in Kobe, Japan) was capable of an Rmax peak speed of 10.51 petaflops. Based on this figure, it would take Fujitsu K 1.02 x 10^18 years (around a billion billion years) to try every 128-bit AES key.
  • Until mid-2016 the most powerful supercomputer in the world was the NUDT Tianhe-2 in Guangzhou, China. Just over 3 times as fast as the Fujitsu K, at 33.86 petaflops, it would "only" take it around a third of that, roughly 3 x 10^17 years, to crack a 128-bit AES key. That is still a very long time, and it is the figure for breaking just one key. (On average the correct key turns up after half the keyspace has been searched, which halves these numbers and changes nothing.)
  • A 256-bit key would require 2^128 times more computational power to break than a 128-bit one.
  • The number of years required to brute force a 256-bit key on the same hardware is around 3.31 x 10^56, which is roughly 2 x 10^46 (a 2 followed by 46 zeros) times the age of the Universe (13.8 billion, or 1.38 x 10^10, years)!

The NUDT Tianhe-2 supercomputer in Guangzhou, China

128-bit Encryption

Until the Edward Snowden revelations, people assumed that 128-bit encryption was in practice uncrackable through brute force. They believed it would be so for around another 100 years (taking Moore’s Law into account).

In theory, this still holds true. However, the scale of resources that the NSA seems willing to throw at cracking encryption has shaken many experts’ faith in these predictions. Consequently, system administrators the world over are scrambling to upgrade cipher key lengths.

If and when large-scale quantum computing becomes available, the picture changes, but not uniformly. Shor's algorithm would break the public-key algorithms used today for key exchange and certificates (RSA, Diffie-Hellman and elliptic curves) outright, while Grover's algorithm only halves the effective strength of symmetric ciphers: AES-128 would drop to roughly 64-bit security and AES-256 to roughly 128-bit, which remains ample.

In theory, quantum-resistant (post-quantum) public-key algorithms will counter this problem. However, access to quantum computers will initially be the preserve of the most powerful and wealthy governments and corporations only. It is not in the interests of such organizations to democratize encryption.

For the time being, however, strong encryption is your friend.

Note that under the NSA's Suite B guidance the US government uses AES-256 to protect Top Secret data and AES-128 for Secret and 'routine' encryption needs.

The cipher it uses, however, is AES. As I discuss below, this is not without problems.


Encryption key length refers only to the number of bits in the key. Ciphers are the mathematics used to perform the encryption, and it is weaknesses in these algorithms (or in how they are used), rather than in the key length, that usually lead to encryption being broken.

By far the most common ciphers that you will likely encounter are those OpenVPN uses: Blowfish and AES. In addition to this, RSA is used in the TLS handshake to authenticate the peers' certificates and, with older cipher suites, to transport the session keys. SHA-1 or SHA-2, wrapped in HMAC, authenticate the data so that it cannot be tampered with in transit.

AES is generally considered the most secure cipher for VPN use (and in general). Its adoption by the US government has increased its perceived reliability, and consequently its popularity. However, there is reason to believe this trust may be misplaced.


The United States National Institute of Standards and Technology (NIST) standardized AES (a Belgian design, Rijndael, selected in an open competition), published SHA-1 and SHA-2 (both designed by the NSA), and approves RSA for US federal use. NIST works closely with the NSA in the development of its cryptographic standards.

Given the NSA’s systematic efforts to weaken or build back doors into international encryption standards, there is every reason to question the integrity of NIST algorithms.

NIST has been quick to deny any wrongdoing ("NIST would not deliberately weaken a cryptographic standard"). It has also invited public participation in a number of upcoming proposed encryption-related standards in a move designed to bolster public confidence.

The New York Times, however, has accused the NSA of introducing undetectable backdoors, or subverting the public development process to weaken the algorithms, thus circumventing NIST-approved encryption standards.

News that a NIST-certified cryptographic standard, the Dual Elliptic Curve random number generator (Dual_EC_DRBG), had been deliberately weakened not just once, but twice, by the NSA destroyed pretty much any existing trust.


That there might be a deliberate backdoor in Dual_EC_DRBG had already been noticed before. In 2006 researchers at the Eindhoven University of Technology in the Netherlands showed that its output could be distinguished from random with an attack easy enough to launch on 'an ordinary PC.' In 2007 Microsoft engineers Dan Shumow and Niels Ferguson demonstrated that whoever chose the generator's fixed curve points could hold a secret that lets them predict all of its output: a textbook backdoor.

Despite these concerns, where NIST leads, industry follows. Microsoft, Cisco, Symantec and RSA all include the algorithm in their products’ cryptographic libraries. This is in large part because compliance with NIST standards is a prerequisite to obtaining US government contracts.

NIST-certified cryptographic standards are pretty much ubiquitous worldwide throughout all areas of industry and business that rely on privacy (including the VPN industry). This is all rather chilling.

Perhaps because so much relies on these standards, cryptography experts have been unwilling to face up to the problem.

Perfect Forward Secrecy

One of the revelations in the  information provided by Edward Snowden is that “another program, code-named Cheesy Name, was aimed at singling out SSL/TLS encryption keys, known as ‘certificates,’ that might be vulnerable to being cracked by GCHQ supercomputers.”

That these certificates can be "singled out" strongly suggests that 1024-bit RSA encryption (commonly used to protect certificate keys at the time) is weaker than previously thought, and that the NSA and GCHQ could break it much more quickly than expected.

In addition to this, the SHA-1 algorithm widely used to sign SSL/TLS certificates has known collision weaknesses and is being retired. In both cases the industry is scrambling to fix the weaknesses as fast as it can, by moving to RSA-2048+ keys, Diffie-Hellman or Elliptic Curve Diffie-Hellman (ECDH) key exchanges, and SHA-2+ hashes.

What these issues (and the 2014 Heartbleed Bug fiasco) clearly highlight is the importance of using perfect forward secrecy (PFS) for all SSL/TLS connections.

This is a system whereby each session's encryption key is derived from a fresh, throwaway (ephemeral) key exchange, such as Diffie-Hellman or ECDH, rather than from the server's long-term private key. The long-term key only signs the exchange to prove the server's identity, and the ephemeral values are discarded once the session key has been derived. For this reason, it is also known as an ephemeral key exchange.

Using PFS, if the server's long-term key is later compromised, recorded past traffic stays unreadable, because no session key ever depended on it and the ephemeral secrets no longer exist anywhere. Keys are also often refreshed during long connections. An adversary wanting to read a conversation would need to break each session individually, which makes the task so arduous as to be effectively impossible.

Unfortunately, it is common practice (because it's easy) for companies to use RSA key transport instead, in which every client encrypts its session key to the server's one long-term private key. If that key is compromised (leaked by Heartbleed, stolen, or handed over on demand), the attacker can decrypt every recorded session ever protected with it.
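The difference between the two approaches is easiest to see with a wiretap that is decrypted after the fact. The following script is an added example for this guide, not code from the original article: it simulates a recorded session under each scheme, then lets an attacker who has obtained the server's long-term key try to read the recording. The Diffie-Hellman group (the Mersenne prime 2^127 - 1), the generator and the HMAC-based stream cipher are stand-ins chosen so the script runs on a bare Python install; none of them is safe for real use.

```python
"""Forward secrecy, in miniature.

Added example for this guide; it is not code from the original article.
Two ways of agreeing a session key are simulated, then an attacker who
recorded the traffic and LATER obtains the server's long-term private key
tries to read it back:

  no_pfs_session(): the session key depends on the server's long-term key,
      which is what RSA key transport in TLS amounts to: one key protects
      every session ever recorded.
  pfs_session():    both sides use fresh (ephemeral) shares that are deleted
      after the key is derived; the long-term key would only sign the
      exchange (the signature is omitted, it adds nothing to this point).

Assumptions: the group (Mersenne prime 2**127 - 1, generator 5) and the
HMAC-counter stream cipher are stand-ins chosen so this runs on a bare
Python install. Neither is safe for real use (use X25519 or ffdhe2048+,
and AES-GCM).
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy modulus, demonstration only
G = 5                # toy generator


def keypair():
    """Return (private exponent x, public share G**x mod P)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(priv, peer_pub):
    """Session key = HMAC-SHA256 over the Diffie-Hellman shared secret."""
    shared = pow(peer_pub, priv, P)
    return hmac.new(b"session-key", shared.to_bytes(16, "big"), hashlib.sha256).digest()


def stream_xor(key, data):
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Encrypt and decrypt are the same operation."""
    out = bytearray()
    for i, pos in enumerate(range(0, len(data), 32)):
        keystream = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[pos:pos + 32], keystream))
    return bytes(out)


def no_pfs_session(message):
    """Key-transport style: client's fresh share x server's LONG-TERM key."""
    server_long_priv, server_long_pub = keypair()
    client_priv, client_pub = keypair()
    key = derive_key(client_priv, server_long_pub)
    recorded = (client_pub, stream_xor(key, message))      # what a wiretap stores
    # Later the long-term key leaks (Heartbleed, theft, a court order ...):
    attacker_key = derive_key(server_long_priv, recorded[0])
    return stream_xor(attacker_key, recorded[1])            # == message


def pfs_session(message):
    """Ephemeral exchange: every share is fresh and discarded afterwards."""
    server_long_priv, _server_long_pub = keypair()   # would only sign the exchange
    server_eph_priv, server_eph_pub = keypair()
    client_eph_priv, client_eph_pub = keypair()
    key = derive_key(client_eph_priv, server_eph_pub)
    assert key == derive_key(server_eph_priv, client_eph_pub)   # both sides agree
    recorded = (client_eph_pub, server_eph_pub, stream_xor(key, message))
    del server_eph_priv, client_eph_priv                 # ephemeral secrets are gone
    # The leaked long-term key combines with nothing in the recording:
    attacker_key = derive_key(server_long_priv, recorded[0])
    return stream_xor(attacker_key, recorded[2])         # garbage, not message


if __name__ == "__main__":
    msg = b"constructed sample: meet at nine"
    print("no PFS:", no_pfs_session(msg))
    print("PFS   :", pfs_session(msg))
```

Run it and the first line prints the original message while the second prints noise: the recording of the ephemeral session contains only public shares, and the attacker's long-term key is not one of the two secrets that produced the session key.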

OpenVPN and PFS

The most widely used VPN protocol is OpenVPN. It is considered very secure. One reason is that in its normal TLS mode it performs a Diffie-Hellman (or, from version 2.4, ECDH) exchange for each tunnel and renegotiates the keys periodically (every hour by default, controlled by reneg-sec), which gives it perfect forward secrecy. Only the older pre-shared static key mode (--secret) lacks it.

Sadly, not every VPN provider configures this properly. Without perfect forward secrecy, OpenVPN connections are not considered secure.

It is also worth mentioning here that the HMAC SHA-1 hashes routinely used to authenticate OpenVPN packets are not a weakness. HMAC's security rests on the underlying hash behaving as a pseudorandom function, not on its collision resistance, so the collision attacks on plain SHA-1 do not carry over to HMAC-SHA1. Mathematical proof of this is available in this paper.

The Takeaway – So, is Encryption Secure?

To underestimate the NSA’s ambition or ability to compromise all encryption is a mistake. However, encryption remains the best defense we have against it (and others like it).

To the best of anyone's knowledge, strong ciphers such as AES (despite misgivings about its NIST certification) and protocols such as OpenVPN (with perfect forward secrecy) remain secure.

As Bruce Schneier, encryption specialist, fellow at Harvard's Berkman Center for Internet and Society, and privacy advocate famously stated,

“Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA.”

Remember too that the NSA is not the only potential adversary. However, most criminals and even governments have nowhere near the NSA’s ability to circumvent encryption.

The Importance of End-to-end Encryption

End-to-end (e2e) encryption means that data is encrypted on your own device and decrypted only on the recipient's. Only the endpoints hold the keys (unless you share them); any server in between relays ciphertext it cannot read. Without these keys, an adversary will find it extremely difficult to decrypt your data.


Many services and products do not use e2e encryption. Instead they encrypt your data and hold the keys for you. This can be very convenient, as it allows for easy recovery of lost passwords, syncing across devices, and so forth. It does mean, however, that these third parties could be compelled to hand over your encryption keys.

A case in point is Microsoft. It encrypts emails and files held in OneDrive (formerly SkyDrive), but it also holds the encryption keys. According to documents reported by the Guardian in 2013, it used this access to make the emails and files of its 250 million worldwide users available to the NSA for inspection.

Strongly avoid services that encrypt your data on their servers, rather than you encrypting your own data on your own machine.


Although strong encryption has recently become trendy, websites have been using strong transport encryption for the last 20 years. After all, if websites were not secure, then online shopping or banking wouldn't be possible.

The encryption protocol used for this is HTTPS, which stands for HTTP Secure (or HTTP over SSL/TLS). It is used for websites that need to secure users' communications and is the backbone of internet security. Note that it is end-to-end only between your browser and the website's server: the site itself sees everything you send it, so it is not e2e in the sense described above.

When you visit a non-secure HTTP website, data is transferred unencrypted. This means anyone watching can see everything you do while visiting that site. This includes your transaction details when making payments. It is even possible to alter the data transferred between you and the web server.

With HTTPS, a cryptographic key exchange occurs when you first connect to the website. All subsequent actions on the website are encrypted, and thus hidden from prying eyes. Anyone watching can see that you have visited a certain website, but cannot see which individual pages you read, or any data transferred.

For example, this website is secured using HTTPS. Unless you are using a VPN while reading this web page, your ISP can see that you have visited the site (the hostname is sent in the clear during the TLS handshake), but cannot see that you are reading this particular article. Between your browser and the server, HTTPS is end-to-end.

Secured website Firefox

It is easy to tell if you visit a website secured by HTTPS – just look for a locked padlock icon to the left of the main URL/search bar.

There are issues relating to HTTPS, but in general it is secure. If it wasn’t, none of the billions of financial transactions and transfers of personal data that happen every day on the internet would be possible. The internet itself (and possibly the world economy!) would collapse overnight.

For a detailed discussion on HTTPS, please see here.


An important limitation to encryption is that it does not necessarily protect users from the collection of metadata.

Even if the contents of emails, voice conversations, or web browsing sessions cannot be readily listened in on, knowing when, where, from whom, to whom, and how regularly such communication takes place can tell an adversary a great deal. This is a powerful tool in the wrong hands.

For example, even if you use a securely encrypted messaging service such as WhatsApp, Facebook will still be able to tell who you are messaging, how often you message, how long you usually chat for, and more. With such information, it would be easy to discover that you were having an affair, for example.

Although the NSA does target individual communications, its primary concern is the collection of metadata. As former NSA General Counsel Stewart Baker has openly acknowledged,

“Metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content.”
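To make the point concrete, here is an added example (not from the original article) that works only on constructed metadata of the kind a messaging provider keeps when message bodies are end-to-end encrypted: a timestamp, a sender and a recipient per message, nothing else. Names, dates and the thresholds are invented; the inference is the one the text describes, who you talk to, how often, and at what hours.

```python
"""What metadata alone gives away.

Added example for this guide; the records are constructed, not real logs.
Each entry mimics what a messaging provider retains even when message
bodies are end-to-end encrypted: when, from whom, to whom. Without reading
a single message the code ranks a person's contacts, finds the hours each
relationship is active and flags contacts who are only ever reached late
at night.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (timestamp, sender, recipient)
RECORDS = [
    ("2016-11-07T08:05", "alice", "bob"),   ("2016-11-07T12:30", "bob", "alice"),
    ("2016-11-07T18:10", "alice", "bob"),   ("2016-11-07T23:45", "alice", "carol"),
    ("2016-11-08T00:20", "carol", "alice"), ("2016-11-08T09:00", "alice", "bob"),
    ("2016-11-08T19:30", "bob", "alice"),   ("2016-11-09T01:10", "alice", "carol"),
    ("2016-11-09T01:25", "carol", "alice"), ("2016-11-09T13:00", "alice", "dave"),
    ("2016-11-10T00:05", "alice", "carol"), ("2016-11-10T08:30", "bob", "alice"),
    ("2016-11-11T22:00", "alice", "bob"),   ("2016-11-11T23:58", "alice", "carol"),
    ("2016-11-12T00:40", "carol", "alice"),
]

NIGHT_HOURS = set(range(23, 24)) | set(range(0, 5))   # 23:00 to 04:59


def contact_profile(records, subject):
    """Per contact: message count, night-time count and an hour-of-day histogram."""
    stats = defaultdict(lambda: {"messages": 0, "night": 0, "hours": Counter()})
    for ts, sender, recipient in records:
        if subject not in (sender, recipient):
            continue
        other = recipient if sender == subject else sender
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M").hour
        entry = stats[other]
        entry["messages"] += 1
        entry["hours"][hour] += 1
        if hour in NIGHT_HOURS:
            entry["night"] += 1
    return dict(stats)


def ranked_contacts(profile):
    """Contacts by traffic volume, most frequent first."""
    return sorted(profile, key=lambda c: profile[c]["messages"], reverse=True)


def discreet_contacts(profile, min_messages=5, night_share=0.8):
    """Contacts with regular traffic that happens almost only at night."""
    return sorted(
        contact for contact, s in profile.items()
        if s["messages"] >= min_messages and s["night"] / s["messages"] >= night_share
    )


if __name__ == "__main__":
    prof = contact_profile(RECORDS, "alice")
    for contact in ranked_contacts(prof):
        s = prof[contact]
        busiest = s["hours"].most_common(1)[0][0]
        print(f"{contact:6} {s['messages']:2d} msgs, {s['night']:2d} at night, busiest hour {busiest:02d}:00")
    print("only-at-night contacts:", discreet_contacts(prof))
```

Fifteen rows with no content are enough to separate a daytime contact from one who is only ever messaged after 23:00; a provider holding years of such rows for hundreds of millions of users needs nothing more to draw the conclusion the article warns about.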

Technologies such as VPNs and Tor can make the collection of metadata very difficult. For example, an ISP cannot collect metadata relating to the browsing history of customers who use a VPN to hide their online activities.

Note, though, that many VPN providers themselves log some metadata. This should be a consideration when choosing a service to protect your privacy.

Please also note that a VPN only hides your IP address from the services you use, not your identity. An app such as WhatsApp still logs in to its publisher's servers with your account, through the tunnel, so using a VPN will not prevent WhatsApp sending metadata to Facebook.

Identify Your Threat Model

When considering how to protect your privacy and stay secure on the internet, carefully consider who or what worries you most. Defending yourself against everything is almost impossible. And any attempt to do so will likely seriously degrade the usability (and your enjoyment) of the internet.

Identifying to yourself that being caught downloading an illicit copy of Game of Thrones is a bigger worry than being targeted by a crack NSA TAO team for personalised surveillance is a good start. It will leave you less stressed, with a more useable internet and with more effective defences against the threats that really matter to you.

Of course, if your name is Edward Snowden, then TAO teams will be part of your threat model…

I will discuss steps you should take to help identify your threat model in an upcoming article. In the meantime, this article does a good job of introducing the basics.

Use FOSS Software

The terrifying scale of the NSA’s attack on public cryptography, and its deliberate weakening of common international encryption standards, has demonstrated that no proprietary software can be trusted. Even software specifically designed with security in mind.

The NSA has co-opted or coerced hundreds of technology companies into building backdoors into their programs, or otherwise weakening security in order to allow it access. US and UK companies are particularly suspect, although the reports make it clear that companies across the world have acceded to NSA demands.

The problem with proprietary software is that the NSA can fairly easily approach and convince the sole developers and owners to play ball. In addition to this, their source code is kept secret. This makes it easy to add to or modify the code in dodgy ways without anyone noticing.

Open source code

The best answer to this problem is to use free open source software (FOSS). Often jointly developed by disparate and otherwise unconnected individuals, the source code is available to everyone to examine and peer-review. This minimizes the chances that someone has tampered with it.

Ideally, the software should also interoperate with independent implementations of the same protocol, since a backdoor in one of several compatible implementations is far more likely to be noticed. Just as important, the binary you run must actually correspond to the published source: projects that offer reproducible builds let anyone verify that.

It is, of course, possible that NSA agents have infiltrated open source development groups and introduced malicious code without anyone’s knowledge. In addition, the sheer amount of code that many projects involve means that it is often impossible to fully peer-review all of it.

Despite these potential pitfalls, FOSS remains the most reliable and least likely to be tampered with software available. If you truly care about privacy you should try to use it exclusively (up to and including using FOSS operating systems such as Linux).

Steps You Can Take to Improve Your Privacy

With the proviso that nothing is perfect, and if “they” really want to get you “they” probably can, there are steps you can take to improve your privacy.

Pay for Stuff Anonymously

One step to improving your privacy is to pay for things anonymously. When it comes to physical goods delivered to an actual address, this isn’t going to happen. Online services are a different kettle of fish, however.

It is increasingly common to find services that accept payment through Bitcoin and the like. A few, such as VPN service Mullvad, will even accept cash sent anonymously by post.


Bitcoin is a decentralized and open source virtual currency that operates using peer-to-peer technology (much as BitTorrent and Skype do). The concept is particularly revolutionary and exciting because it does not require a middleman to work (for example a state-controlled bank).

Whether or not Bitcoins represent a good investment opportunity remains hotly debated, and is not within the remit of this guide. It is also completely outside of my area of expertise!

As a ‘crypto-currency,’ Bitcoins can be bought, traded, invested, and used to buy goods and services – just like any other form of money. Although nowhere near as widely accepted as “regular” currency yet, this is changing fast. This is especially true in the realm of online services such as VPNs.

One important thing to understand is that Bitcoin is not inherently anonymous. The exciting thing is that with care, you can make it so.

I have written a very detailed five-part guide on Buying Bitcoins to pay for VPN anonymously. Most of the advice in it applies equally well to paying for other online services anonymously. Below is a summary of the main points.

How to Buy Bitcoins Anonymously

Most Bitcoin traders are located in the US, and have US-based bank accounts. This can make buying Bitcoins outside the States a little involved, as well as location-dependent. However, the following methods are common ways to obtain Bitcoins anonymously.

For maximum anonymity:

  • Use anonymous, disposable email addresses.
  • Create a new Bitcoin address (wallet) for each purchase – if you use the same address then one mistake means someone could trace all transactions back to you.
  • Never reveal personal information, such as your real name, address, or phone number.
  • Use a mixer service – even if you use a more anonymous method of purchasing Bitcoins as outlined below, it can’t hurt to launder it further (although this will cost a bit).

There are a number of basic approaches you can take:

1. Buy Bitcoins Anonymously, then ‘clean’ them with a mixer service

Neither the cheapest nor the most anonymous method, this is the most convenient. It does ensure a fairly high degree of anonymity.

Using this method, you do not actually buy the Bitcoins anonymously. You simply purchase them from an automated Bitcoin exchange (such as Coinbase), and then "launder" them using a "mixer" service, such as one offering a "shared send" feature built on CoinJoin.

A mixer service basically anonymizes your Bitcoins by swapping them with those of multiple other users, making it very difficult (but not impossible for a determined investigator) to follow the chain back to you. Services such as this are, of course, not free (the shared send service above, for example, charges a 0.5% fee).

Many automatic exchanges require you to prove your real-world identity. In this case it is easy to determine that you have purchased Bitcoins, but not what happens to them after that, if you mix them.

2. Use pre-paid credit cards

This method is somewhat location-dependent, but in most areas it is possible to buy pre-paid ‘gift’ credit cards over-the-counter in shops. These can then be used to buy Bitcoins anonymously if you perform the transaction through disposable email addresses, etc. Alternatively, you can just use the card to buy online services directly!

3. Buy locally with cash

A local-trading website lets you find Bitcoin sellers who live near you. Once you have found a seller you are happy with, you can contact them to arrange a meeting.

Prices are generally higher than those on CoinBase, etc., and you should pay attention to feedback, looking for high scoring sellers. This works much like the feedback system on eBay.

4. Buy from an individual seller online

This can be done through such a trading website, or in the #bitcoin-otc chatroom on Freenode (otc = over-the-counter).

#bitcoin-otc uses a quite involved feedback system. It is well worth taking the time to understand this, and you will need to hash out the payment method with the seller. A list of IRC clients is here.


Other Anonymous Payment Methods

In addition to pre-paid credit cards and good old cash, there are plenty of alternative crypto-currencies out there. Bitcoin is by far the most popular and stable crypto-currency, but others are available.

A list of these is here. The pros and cons of the “top 5” are in this article.

Do be sure to check out my extensive guide to buying Bitcoins and paying for VPN services anonymously, starting here.

Anonymize Your Internet Use

Virtual Private Networks (VPNs) and the Tor network are the most popular technologies for achieving privacy while on the internet. They hide what you get up to online from your ISP and therefore the government. They can also hide your true identity from websites you visit and services you use.

On the face of it, these two technologies appear to serve a similar purpose. In reality, they are very different beasts. While there is some overlap, their primary use-cases are very different.


VPNs are a suite of technologies that:

  • Provide privacy by hiding your internet activity from your ISP (and government).
  • Allow you to evade censorship (by school, work, your ISP, or government).
  • Allow you to “geo-spoof” your location to access services denied to you based on your geographical location.
  • Protect you against hackers when using a public Wi-Fi hotspot.
  • Allow you to P2P download in safety.

To use a commercial VPN you must first sign up for a VPN service. These typically cost between $5 and $10 a month (with reductions for buying six months or a year at a time).

I have written an extensive VPNs for Beginners guide aimed at discussing all major issues related to VPN use in detail. Please consult this for further information.

Note, however, that although a VPN can provide a high level of privacy (if a good no-logs service is in place), it does not provide anonymity.

This is because a VPN provider can* always know what you get up to on the internet. If you require true anonymity then you need…

The Tor Network

Tor provides a very high degree of true anonymity, but at the cost of day-to-day internet usability. When using Tor:

  • Your internet connection is routed through at least three random "nodes" (volunteer-run relays).
  • These nodes can be anywhere in the world.
  • Your client encrypts the data in layers, one per node, before sending it; each node removes exactly one layer as the data passes through.
  • Each node only knows the IP address of the node "in front" of it and of the node "behind" it.
  • This should mean that at no point can anyone know the whole path between your computer and the website you are trying to connect to (even if malicious entities control some nodes along the path).

Tor is free, and the real beauty of the system is that you do not have to trust any single party. Its design means no one relay can link your identity to what you are doing.
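The layering is simpler than it sounds, and the script below, an added example for this guide rather than code from the article or from the Tor project, walks one request through a three-relay circuit and records what each relay gets to see. It assumes pre-shared relay keys (real Tor negotiates them hop by hop with an authenticated Diffie-Hellman handshake) and uses a SHAKE256-keystream XOR as a stand-in for AES-CTR; relay names, keys and the destination are made up.

```python
"""Onion routing in miniature.

Added example for this guide; not code from the article or from the Tor
project. The client holds one key per relay and wraps the request in three
layers, innermost for the exit. Each relay strips exactly one layer and
learns only who handed it the cell and where to send it next: the guard
sees the client but not the destination, the exit sees the destination
but not the client, the middle sees neither.

Assumptions: relay keys are pre-shared constants (real Tor negotiates them
hop by hop with an authenticated Diffie-Hellman handshake) and the cipher is
a SHAKE256-keystream XOR standing in for AES-CTR. Names and keys are made up.
"""
import hashlib
import json

RELAY_KEYS = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}
PATH = ["guard", "middle", "exit"]


def layer_xor(key, data):
    """Toy symmetric cipher: XOR with a SHAKE256 keystream of the right length."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def build_onion(destination, payload):
    """Client side: encrypt for the exit first, then wrap for middle and guard."""
    cell = json.dumps({"next": destination, "payload": payload}).encode()
    for relay in reversed(PATH):
        cell = layer_xor(RELAY_KEYS[relay], cell)
        if relay != PATH[0]:   # tell the previous relay where this layer goes
            cell = json.dumps({"next": relay, "payload": cell.hex()}).encode()
    return cell


def relay_peel(relay, previous_hop, cell):
    """One relay removes one layer. Returns (what it learned, next hop, what it forwards)."""
    inner = json.loads(layer_xor(RELAY_KEYS[relay], cell))
    learned = {"relay": relay, "from": previous_hop, "to": inner["next"]}
    forward = inner["payload"]
    if inner["next"] in RELAY_KEYS:              # still encrypted for another relay
        forward = bytes.fromhex(forward)
    return learned, inner["next"], forward


def route(destination, payload):
    """Run a cell through the circuit; return per-relay views, destination, plaintext."""
    cell = build_onion(destination, payload)
    views, prev, hop = [], "client", PATH[0]
    while hop in RELAY_KEYS:
        learned, nxt, cell = relay_peel(hop, prev, cell)
        views.append(learned)
        prev, hop = hop, nxt
    return views, hop, cell


def anyone_sees_both_ends(views, destination):
    """True only if some single relay saw the client AND the destination."""
    return any(v["from"] == "client" and v["to"] == destination for v in views)


if __name__ == "__main__":
    v, dest, plain = route("example.com:443", "GET / HTTP/1.1")
    for hop in v:
        print(hop)
    print("exit delivers", repr(plain), "to", dest, "| both ends seen:", anyone_sees_both_ends(v, dest))
```

Each printed line is one relay's complete knowledge of the circuit. Compromising the guard reveals who you are, compromising the exit reveals where you went, and only an adversary who controls (or can observe) both ends and correlates them in time gets the whole picture, which is exactly the attack Tor's design does not claim to stop.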


It can also make a handy anti-censorship tool. However, many governments go to great lengths to counter this by blocking access to the network (with varied success).

*Using Tor and VPN together

It is possible to use Tor and VPN together to provide meaningful security benefits. For a discussion about this, and suggested VPNs that support such configurations, please see 5 Best VPNs when using Tor.

Tor Vs. VPN

Tor is a vital tool for internet users who require the maximum possible anonymity. VPNs, however, are a much more practical privacy tool for day-to-day internet use.

For a detailed look at Tor, plus a full discussion on its pros and cons versus using a VPN, please see my Tor Network Review.

Other Ways To Stay Private Online

VPN and Tor are the most popular ways to maintain anonymity and evade censorship online, but there are other options. Proxy servers, in particular, are quite popular. In my opinion, however, they are inferior to using a VPN.

Other services which may be of interest include JonDonym, Lahana, I2P and Psiphon. You can combine many such services with Tor and/or VPN for greater security.

Secure Your Web Browsing

It’s not just the NSA who are out to get you: advertisers are too! They use some very sneaky tactics to follow you around the web and build a profile of you in order to sell you stuff. Or to sell this information to others who want to sell you stuff.

Most people who care are aware of HTTP cookies and how to clear them. Most browsers also have a Private Browsing mode that discards cookies at the end of the session and prevents the browser from saving your internet history.

It is a good idea always to surf using Private Browsing. But this alone is not enough to stop organizations tracking you across the internet. Your browser leaves many other traces as it goes.

Clear Cached DNS Entries

To speed up internet access, your operating system (and, separately, your browser) caches the IP addresses it receives from your default DNS server (see the section on changing your DNS server later). That cache is a record of every hostname you recently looked up.

DNS Cache

In Windows, you can see the cached DNS information by typing "ipconfig /displaydns" at the command prompt (cmd.exe).

  • To clear the DNS cache in Windows, open the command prompt window and type: ipconfig /flushdns [enter]
  • Clear the cache in OS X 10.4 and under by opening Terminal and typing: lookupd -flushcache [enter]
  • To clear the cache in OS X 10.5 and 10.6, open Terminal and type: dscacheutil -flushcache [enter]
  • On OS X 10.7 and later (including macOS Sierra), type: sudo killall -HUP mDNSResponder [enter] (OS X 10.10.0 to 10.10.3 used sudo discoveryutil udnsflushcaches instead)

Clear Flash Cookies

A particularly insidious development was the widespread use of Flash cookies (Local Shared Objects). Older browsers did not touch them when you disabled or cleared cookies, because Flash stored them outside the browser's cookie jar; modern browsers include them in their site-data clearing.

These can track you in a similar manner to regular cookies. They can be located and manually deleted from the following directories:

  • Windows: C:\Users\[username]\AppData\Roaming\Macromedia\Flash Player\#SharedObjects
  • OS X: [User directory]/Library/Preferences/Macromedia/Flash Player/#SharedObjects
    and [User directory]/Library/Preferences/Macromedia/Flash Player/

A better tactic, however, is to use the CCleaner utility (available for Windows and OSX). This cleans out pesky Flash cookies. It also cleans out a host other rubbish that slows your computer down and leaves traces of your activity behind. To do this, you need to properly configure CCleaner.

Thanks to growing awareness of Flash cookies, including so-called “zombie cookies” (bits of persistent Flash code which respawn regular cookies when they are modified or deleted), and the fact that most modern browsers include Flash cookies as part of their regular cookie control features, the use of Flash cookies is declining. They still represent a serious threat, however.

I have a detailed article on Flash cookies, the dangers they pose, and how to prevent them available here.

Other Web Tracking Technologies

Internet companies are making far too much money to take this user backlash against tracking lying down. They are therefore deploying a number of increasingly devious and sophisticated tracking methods.

Browser Fingerprinting

The way in which your browser is configured (especially the browser plugins used), together with details of your Operating System, allows you to be uniquely identified (and tracked) with a worryingly high degree of accuracy.

A particularly insidious (and ironic) aspect of this is that the more measures you take to avoid tracking (for example by using the plugins listed below), the more unique your browser fingerprint becomes.

The best defense against browser fingerprinting is to use as common and plain vanilla an OS and browser as possible. Unfortunately, this leaves you open to other forms of attack. It also reduces the day-to-day functionality of your computer to such an extent that most of us will find the idea impractical.

Browser fingerprinting

The more browser plugins you use, the more unique your browser is. Drat!

Using the Tor browser with Tor disabled is a partial solution to this problem. This will help make your fingerprint look identical to all other Tor users, while still benefiting from the additional hardening built in to the Tor browser.

I discuss browser fingerprinting in detail in this article.

In addition to browser fingerprinting, other forms of fingerprinting are becoming more common. The most prominent of these is canvas fingerprinting, although audio and battery fingerprinting are also possible.
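How a handful of ordinary attributes add up to a unique identity, and why one privacy add-on can tip a common browser into uniqueness, can be put in numbers. The script below is an added example for this guide, not code from the article or from the EFF's Panopticlick, although it uses the same measure: an attribute value shared by a fraction p of visitors carries -log2(p) bits of identifying information. The visitor population is constructed, and attributes are treated as independent (real ones correlate, so real totals come out somewhat lower).

```python
"""Why privacy add-ons can make you stand out.

Added example for this guide; it is not code from the article or from the
EFF's Panopticlick, though it uses the same measure: an attribute value
shared by a fraction p of visitors carries -log2(p) bits of identifying
information, and a browser is effectively identified once its attributes
add up to more bits than log2(number of visitors). The visitor population
below is constructed and attributes are treated as independent (real ones
correlate, so real totals are somewhat lower).
"""
import math


def visitor(ua, screen, tz, plugins):
    """One browser configuration as a site would observe it."""
    return {"ua": ua, "screen": screen, "tz": tz, "plugins": plugins}


# Constructed population of 16 visitors
POPULATION = (
    [visitor("Chrome/54 Windows", "1920x1080", "UTC+0", "-")] * 8
    + [visitor("Chrome/54 Windows", "1366x768", "UTC+0", "-")] * 4
    + [visitor("Firefox/50 Windows", "1920x1080", "UTC+1", "-")] * 2
    + [visitor("Firefox/50 Linux", "1920x1080", "UTC+1", "NoScript")]
    + [visitor("Safari/10 macOS", "2560x1440", "UTC-8", "-")]
)


def surprisal_bits(attribute, value, population=POPULATION):
    """Bits of identifying information in one attribute value."""
    matches = sum(1 for v in population if v.get(attribute) == value)
    share = max(matches, 1) / len(population)   # unseen value: at least as rare as one visitor
    return -math.log2(share)


def fingerprint_bits(config, population=POPULATION):
    """Total bits for a whole browser configuration (independence assumed)."""
    return sum(surprisal_bits(a, v, population) for a, v in config.items())


def is_unique(config, population=POPULATION):
    """True if at most one visitor in the population has exactly this configuration."""
    matches = sum(1 for v in population if all(v.get(a) == val for a, val in config.items()))
    return matches <= 1


if __name__ == "__main__":
    vanilla = visitor("Chrome/54 Windows", "1920x1080", "UTC+0", "-")
    hardened = dict(vanilla, plugins="uBlock Origin")   # same browser plus one add-on
    for name, cfg in [("vanilla", vanilla), ("hardened", hardened)]:
        print(f"{name}: {fingerprint_bits(cfg):.2f} bits, unique: {is_unique(cfg)}")
```

With 16 visitors, 4 bits is enough to single one out. The plain Chrome configuration totals about 1.5 bits and matches eight other visitors; adding a plugin nobody else in the population has contributes 4 bits on its own and makes that browser the only one of its kind, which is the irony the text describes.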

HTML5 Web Storage

Built into HTML5 (the much-vaunted replacement to Flash) is web storage, also known as DOM (Document Object Model) storage. Creepier and much more powerful than cookies, web storage is an analogous way of storing data in a browser.

It is much more persistent, however, and has a much greater storage capacity (megabytes rather than a few kilobytes per site). It is also not shown in the browser's ordinary cookie manager, so it cannot normally be monitored, read, or selectively removed there, although the browser's developer tools do expose it.

All browsers enable web storage by default, but you can turn it off in Firefox (set dom.storage.enabled to false in about:config) and Internet Explorer.

Firefox users can also configure the BetterPrivacy add-on to remove web storage automatically on a regular basis. Chrome users can use the Click&Clean extension.

Remember that using these add-ons will increase your browser fingerprint uniqueness. More details, including instructions on how to turn web storage off in Firefox and IE, are available here.


Part of HTTP, the protocol for the World Wide Web, an ETag is a version marker the server attaches to a resource; your browser stores it with the cached copy and sends it back (in an If-None-Match header) whenever it asks for that URL again. If the server hands every visitor a different ETag, the value works as an identifier that survives cookie clearing, and by comparing the values it receives with a database, a site can build up a fingerprint and track you.

ETags can also be used to respawn (zombie-style) HTTP and HTML5 cookies. And once set on one site, they can be used by associate companies to track you as well.

This kind of cache tracking is virtually undetectable, so reliable prevention is very hard. Clearing your cache between each website you visit should work, as should turning off your cache altogether.

These methods are arduous, however, and will negatively impact your browsing experience. The Firefox add-on Secret Agent prevents tracking by ETags, but, again, will likely increase your browser fingerprint (or because of the way it works, maybe not). For more details see here.

History Stealing

Now we start to get really scary. History stealing (also known as history snooping) exploits the web’s design. It allows a website you visit to discover your past browsing history.

See my article for a fuller explanation of how it works. The bad news is that this information can be combined with social network profiling to identify you. It is also almost impossible to prevent.

The only good news here is that social network fingerprinting, while scarily effective, is not reliable. If you mask your IP address with a VPN (or Tor) then you will be a long way towards disassociating your real identity from your tracked web behavior.

Great Browser Extensions You Should Use

Pioneered by Firefox, all modern browsers now support a host of extensions. Many of these aim to improve your privacy while surfing the internet. Here is a list of my favorites that I don’t think anyone should surf without:

uBlock Origin (Firefox)

A lightweight FOSS ad-blocker that does double duty as an anti-tracking add-on. Chrome and Internet Explorer/Edge users can instead use Ghostery. Many users find this commercial software’s funding model to be somewhat shady, however.

Privacy Badger (Firefox, Chrome)

Developed by the Electronic Frontier Foundation (EFF), this is a great FOSS anti-tracking add-on that does double-duty as an ad-blocker. It is widely recommended to run Privacy Badger and uBlock Origin together for maximum protection.


HTTPS Everywhere (Firefox, Chrome, Opera)

Another essential tool from EFF. HTTPS Everywhere tries to ensure that you always connect to a website using a secure HTTPS connection if one is available.

Self-Destructing Cookies (Firefox)

Automatically deletes cookies when you close the browser tab that set them. This provides a high level of protection from tracking via cookies without “breaking” websites. It also provides protection against Flash/zombie cookies and ETags, and cleans DOM storage.

NoScript (Firefox)

This is an extremely powerful tool that gives you unparalleled control over which scripts run in your browser. However, many websites will not play ball with NoScript, and it requires a fair bit of technical knowledge to configure and tweak it to work the way that you want it to.

It is easy to add exceptions to a whitelist, but even this requires some understanding of the risks that might be involved. Not for the casual user then, but for web-savvy power-users, NoScript is difficult to beat. ScriptSafe for Chrome performs a similar job.

See here for some tips on getting the best out of NoScript. The last one is particularly worth paying attention to. It is worth keeping NoScript installed even if you “Allow Scripts Globally,” as this still protects against nasty things such as cross-site scripting and clickjacking.

uMatrix (Firefox, Chrome, Opera)

Developed by the team behind uBlock Origin, uMatrix is something of a half-way house between that add-on and NoScript. It provides a great deal of customizable protection, but requires a fair bit of work and know-how to set up correctly.


Note that if you use either NoScript or uMatrix then it is not necessary to also use uBlock Origin and Privacy Badger.

In addition to these extensions, most modern browsers (including mobile ones) include a Do Not Track option. This instructs websites to disable tracking and cross-site tracking when you visit them.

It is definitely worth turning this option on. However, implementation is purely voluntary on the part of website owners, so it is no guarantee of privacy.

This is not an exhaustive list of all the great privacy-related browser extensions out there. In fact, I have written articles on my favorite extensions for Firefox and Chrome.

I also have an article on how you make Firefox even more secure by changing settings in about:config.

As noted above, you should be aware that using any browser plugin increases the uniqueness of your browser. This makes you more susceptible to being tracked by browser fingerprinting.


Block “Reported Attack Sites” and “Web Forgeries” in Firefox

These settings can be very useful for protecting you against malicious attacks, but they impact your privacy because they share information about your web traffic in order to work. If the tracking issues outweigh the benefits for you, then you might want to disable them.


Mobile Browser Security

The above extension list concentrates on desktop browsers. It is just as important to protect our browsers on smartphones and tablets.

Unfortunately, most mobile browsers have a great deal of catching-up to do in this regard. Many Firefox extensions, however, will work on the mobile version of the browser. These include:

  • uBlock Origin
  • HTTPS Everywhere
  • Self-Destructing Cookies

To install these add-ons in Firefox for Android or Firefox for iOS, visit Options -> Tools -> Add-ons -> Browse all Firefox Add-ons, and search for them.

Thankfully Private Browsing, Do Not Track, and advanced cookie management are becoming increasingly common on all mobile browsers.
Search Engines
Most search engines, including Google (in fact particularly Google), store information about you. This includes:

  • Your IP address.
  • Date and time of query.
  • Query search terms.
  • Cookie ID – this cookie is deposited in your browser’s cookie folder, and uniquely identifies your computer. With it, a search engine provider can trace a search request back to your computer.

Google transparency report September 2016

The search engine usually transmits this information to the requested web page. It also transmits it to the owners of third party advertising banners on that page. As you surf the internet, advertisers build up a (potentially embarrassing and highly inaccurate) profile of you.

This is then used to target adverts tailored to your theoretical needs.

In addition to this, governments and courts around the world regularly request search data from Google and other major search engines. This is usually duly handed over. For more details, see the Google Transparency Report on the number of User Data Requests received, and the number (at least partially) acceded to.

There are some search engines, however, that do not collect users’ data. These include:

DuckDuckGo

The best-known alternative search engine, and one we have examined in some detail here, DuckDuckGo pledges not to track its users. Each search event is anonymous. While in theory an infiltrator could track them, there is no profile attached for them to access.


DuckDuckGo says that it would comply with ordered legal requests, but as it doesn’t track users, “there is nothing useful to give them.” I have found DuckDuckGo to be very good, and through the use of “bangs” (see our article), it can also be made to search most other popular search engines anonymously too.

Unfortunately, many users do not find DDG’s search results to be as good as those returned by Google. The fact that it is a US-based company also concerns some.

StartPage
Another popular Google alternative is StartPage. It is based in the Netherlands and returns Google search engine results. StartPage anonymises these Google searches and promises not to store or share any personal information or use any identifying cookies.

Ixquick
By the same people who run StartPage, Ixquick returns results from a number of other search engines, but not Google. These searches are as private as those made through StartPage.

YaCy
The above search engines rely on trusting the search engine providers to maintain your anonymity. If this really worries you, then you might like to consider YaCy. It is a decentralized, distributed search engine, built using P2P technology.

This is a fantastic idea, and one that I really hope takes off. For now, however, it is more of an exciting curiosity than a fully-fledged and useful Google alternative.

Update: Please check out my new Privacy Search Engines 2017 Group Review.

The Filter Bubble

An added benefit of using a search engine that does not track you is that it avoids the “filter bubble” effect. Most search engines use your past search terms (and things you “Like” on social networks) to profile you. They can then return results they think will interest you.

This can result in you only receiving search returns that agree with your point of view. This locks you into a “filter bubble.” You do not get to see alternative viewpoints and opinions because they are downgraded in your search results.

This denies you access to the rich texture and multiplicity of human input. It is also very dangerous, as it can confirm prejudices and prevent you from seeing the “bigger picture.”

Delete Your Google History

You can view the information Google collects about you by signing in to your Google account and visiting My Activity. From here you can also Delete by topic or product. Since you are reading this privacy Guide, you will probably want to Delete -> All time.

Of course, we only have Google’s word that they really delete this data. But it certainly can’t hurt to do this!

In order to prevent Google continuing to collect new information about you, visit Activity Controls. From here you can tell Google to stop collecting information on your use of various Google services.


These measures won’t stop someone who is deliberately spying on you (such as the NSA) from harvesting your information. But they will help stop Google from profiling you.

Even if you plan on changing to one of the “no tracking” services listed above, most of us have built up a substantial Google History already, which anyone reading this article will likely want deleted.

Of course, deleting and disabling your Google history will mean that many Google services which rely on this information to deliver their highly personalised magic will either cease to function, or not function as well. So say goodbye to Google Now!

Secure Your Email

Most email services provide a secure HTTPS connection. Google has even led the way in fixing the main weakness in SSL implementations. They are therefore secure in transit. However, this is no good if the email service simply hands over your information to an adversary, as Google and Microsoft did with the NSA!

The answer lies in end-to-end email encryption. This is where the sender encrypts the email, and only the intended recipient can decrypt it. The biggest problem with using an encrypted email system is that you cannot impose it unilaterally. Your contacts – both recipients and senders – also need to play ball for the whole thing to work.

Trying to convince your granny to use PGP encryption will likely just lead to bafflement. Meanwhile trying to convince your customers to use it might make many of them very suspicious of you!

Pretty Good Privacy (PGP)
Most people regard Pretty Good Privacy (PGP) as the most secure and private way to send and receive emails. Unfortunately, PGP is not easy to use. At all.

This has resulted in a very low number of people willing to use PGP (basically just a few crypto-geeks).

With PGP, only the body of a message is encrypted; the header, recipient, send time, and so forth, are not. This metadata can still be very valuable to an adversary, even if it can’t read the actual message.


Despite its limitations, PGP remains the only way to send email very securely.

GNU Privacy Guard

PGP was once open source and free, but is now the property of Symantec. The Free Software Foundation has taken up the open source OpenPGP banner, however, and with major funding from the German government has released GNU Privacy Guard (also known as GnuPG or just GPG).

GnuPG is a free and open source alternative to PGP. It follows the OpenPGP standard and is fully compatible with PGP. It is available for Windows, OSX and Linux. When referring to PGP, most people these days (including myself) mean GnuPG.


Generating a PGP key pair in Gpg4win.

Although the basic program uses a simple command line interface, more sophisticated versions are available for Windows (Gpg4win) and Mac (GPGTools). Alternatively, Enigmail adds GnuPG functionality to the Thunderbird and SeaMonkey stand-alone email clients.

I have written a full guide to setting up GnuPG in Windows using Gpg4win.

PGP on Mobile Devices

Android users should be pleased to know that an alpha release of GnuPG: Command-Line from the Guardian Project is available.

K-9 Mail is a well-regarded email client for Android with PGP support built in. It can be combined with Android Privacy Guard to provide a more user-friendly PGP experience. A good guide for getting GPG working on Android is available here. iOS users can give iPGMail a try.

Use PGP with Your Existing Webmail Service

PGP is a real pain to use. Such a big pain, in fact, that few people bother. Mailvelope is a browser extension for Firefox and Chrome that allows end-to-end PGP encryption within your browser.

It works with popular browser-based webmail services such as Gmail, Hotmail, Yahoo! and GMX. It makes using PGP about as painless as it gets. However, it is not as secure as using PGP with a dedicated email client.

Use a Dedicated Encrypted Webmail Service

Encrypted webmail services with a privacy focus have proliferated over the last two years or so. The most notable of these are ProtonMail and Tutanota. These are much easier to use than PGP and, unlike PGP, hide emails’ metadata. Both services now also allow non-users to securely reply to encrypted emails sent to them by users.


Protonmail is much more secure than most webmail services.

Unfortunately, to work, both ProtonMail and Tutanota implement encryption within the browser using JavaScript. This is fundamentally insecure.

The bottom line with such services is they are as easy to use as Gmail, while being much more private and secure. They will also not scan your emails to sell you stuff. However, never regard them as being anywhere near as secure as using PGP with a stand-alone email program.

Other Email Privacy Precautions

I discuss encrypting files and folders elsewhere. However, it is worth noting here that if you just wish to protect files, you can encrypt these before sending them by regular email.

It is also possible to encrypt stored emails by encrypting the email storage folder using a program such as VeraCrypt (discussed later). For example, this page explains where Thunderbird stores emails on different platforms.

At the end of the day, emails are an outdated communications system. And when it comes to privacy and security, email is fundamentally broken. End-to-end encrypted VoIP and instant messaging are much more secure ways to communicate online.

Update: Please check out Secure Privacy Email Options 2017 for a detailed look at this subject.

Secure Your Voice Conversations

Regular phone calls (landline or mobile) are never secure, and you cannot make them so. It’s not just the NSA and GCHQ; governments everywhere (where they have not already done so) are keen on recording all citizens’ phone calls.

Unlike emails and internet use, which can be obfuscated (as this article tries to show), phone conversations are always wide open.

Even if you buy anonymous and disposable “burner phones” (behavior which marks you out as either worryingly paranoid or engaged in highly criminal activity), a lot of information can be gathered through the collection of metadata.

Burner phones are also totally pointless unless the people you’re calling are equally paranoid and also using burner phones.

VoIP with End-to-end Encryption

If you want to keep your voice conversations completely private, then you need to use VoIP with end-to-end encryption (except, of course, when talking in person).

VoIP (Voice over Internet Protocol) apps allow you to talk over the internet. They often also allow you to make video calls and send instant messages. VoIP services allow cheap or free calls anywhere in the world and have thus become extremely popular. Skype, in particular, has become a household name.

Unfortunately, Skype is now owned by Microsoft. It has perfectly demonstrated the problem with most such services (which is a very similar problem to that with email). VoIP connections to and from a middleman may be secure, but if the middleman just hands over your conversations to the NSA (as happened with Skype) or some other government organization, this security is next to meaningless.

So, as with email, what is needed is end-to-end encryption where an encrypted tunnel is created directly between the participants in a conversation. And no-one else.

Good Skype Alternatives

Signal (Android, iOS) – in addition to being probably the most secure Instant Messaging (IM) app currently available (see below), Signal allows you to make secure VoIP calls.

As with messaging, Signal leverages your regular address book. If a contact also uses Signal then you can start an encrypted VoIP conversation with them. If a contact does not use Signal then you can either invite them to use the app, or talk with them using your regular insecure cellular phone connection.

The encryption Signal uses for VoIP calls is not as strong as the encryption it uses for text messaging. This is probably due to the fact that encrypting and decrypting data uses processing power, so stronger encryption would negatively impact the quality of calls.

For most purposes, this level of encryption should be more than sufficient. But if very high levels of privacy are required then you should probably stick to text messaging instead.

Jitsi (Windows, OSX, Linux, Android (experimental)) – this free and open source software offers all the functionality of Skype. Except everything is encrypted using ZRTP. This includes voice calls, video conferencing, file transfer, and messaging.

The first time you connect to someone it can take a minute or two to set up the encrypted connection (designated by a padlock). But the encryption is afterwards transparent. As a straight Skype replacement for the desktop, Jitsi is difficult to beat.

Secure Your Text Messages

This section has a great deal of cross-over with the previous one on VoIP. Many VoIP services, including both Signal and Jitsi, also have chat/IM functionality built in.

Signal (Android, iOS) – developed by crypto-legend Moxie Marlinspike, Signal is widely regarded as the most secure text messaging app available. It is not without issues, but Signal is about as good as it currently gets when it comes to having a secure and private conversation (except whispering to someone in person, of course!).


Signal replaces your phone’s default text messaging app, and uses your phone’s regular contact list. If a contact also uses Signal then any messages sent to or received from them are securely end-to-end encrypted.

If a contact does not use Signal then you can invite them to use the app, or just send an unencrypted text message via regular SMS. The beauty of this system is that Signal is almost transparent in use, which should make it easier to convince friends, family and colleagues to use the app!

Please see my Signal Private Messenger Review for a detailed look at this important app.

Jitsi (Windows, OSX, Linux, Android (experimental)) – is a great desktop messenger app, and is very secure. It is almost certainly not quite as secure as Signal, however.

Please also see Secure alternatives to WhatsApp for a look at other decent, secure IM options.

A Note on WhatsApp

The very popular WhatsApp app now uses the same end-to-end encryption developed for Signal. Unlike Signal, however, WhatsApp (owned by Facebook) retains metadata, and has other weaknesses not present in the Signal app.

Despite these issues, most of your contacts likely use WhatsApp, and are unlikely to be convinced to switch to Signal. Given this all-too-common situation, WhatsApp provides vastly improved security and privacy that your contacts might actually use.

Unfortunately, this argument has been badly undermined by a recent announcement that WhatsApp will start sharing users’ address books with parent company Facebook by default. This can be disabled, but the vast majority of users will not bother to do so.

Ditch the Cell Phone!

While we are on the subject of phones, I should also mention that when you carry your phone, your every movement can be tracked. And it’s not just by things such as GPS and Google Now/Siri.

Phone towers can easily track even the most modest cell phone. In addition to this, use of Stingray IMSI-catchers has proliferated among police forces the world over.

These devices mimic cell phone towers. They can not only uniquely identify and track individual cell phones, but can intercept phone calls, SMS messages and unencrypted internet content.

Using an end-to-end encrypted messaging app such as Signal will prevent such interception. However, if you don’t want to be uniquely identified by your phone and tracked, the only real solution is to leave your phone at home. Or possibly to buy one of these.

Secure Your Cloud Storage

As internet speeds increase, server-level storage becomes cheaper, and the different devices we use to access the internet more plentiful, it is becoming increasingly clear that cloud storage is the future.

The problem, of course, is ensuring that files stored in “the cloud” remain secure and private. And here the big players have proven themselves woefully inadequate. Google, Dropbox, Amazon, Apple and Microsoft have all worked in cahoots with the NSA. They also, in their terms and conditions, reserve the right to investigate your files and hand them over to the authorities if they receive a court order.

To ensure that your files are secure in the cloud, there are a number of approaches you can take.

Manually Encrypt Your Files Before Uploading Them to the Cloud

The simplest and most secure method is to manually encrypt your files using a program such as VeraCrypt or EncFS. This has the advantage that you can carry on using your favorite cloud storage service, no matter how inherently insecure it is, as you hold all the encryption keys to your files.

As discussed later, mobile apps that can handle VeraCrypt or EncFS files exist, allowing for synchronization across devices and platforms. Features such as file versioning will not work with individual files as the encrypted container hides them, but it is possible to recover past versions of the container.

If you are in the market for a good Dropbox alternative, you may like to check out BestVPN’s sister website BestBackups. It features news and reviews of the best and the rest when it comes to cloud storage services.

Use an Automatically Encrypted Cloud Service

These services automatically encrypt files before uploading them to the cloud. Avoid any service that encrypts files server-side, as these are vulnerable to being decrypted by the service provider.

Any changes to files or folders sync with locally decrypted versions before being secured and sent to the cloud.

All services listed below have iOS and Android apps, so you can easily sync across your computers and mobile devices. This convenience comes at a small security price, as the services briefly store your password on their servers to authenticate you and direct you to your files.

  • TeamDrive – this German cloud backup and file synchronization service is primarily aimed at businesses. It also offers free and low-cost personal accounts. TeamDrive uses proprietary software, but has been certified by the Independent Regional Centre for Data Protection of Schleswig-Holstein.
  • Tresorit – is based in Switzerland, so users benefit from that country’s strong data protection laws. It provides client-side encryption, although a kink is that users’ data is stored on Microsoft Windows Azure servers. Given widespread distrust of all things US, this is an odd choice. But as client-side encryption ensures the cryptographic keys are kept with the user at all times, it shouldn’t be a problem.
  • SpiderOak – available for all major platforms, SpiderOak offers a “zero knowledge,” secure, automatically encrypted cloud service. It uses a combination of 2048 bit RSA and 256 bit AES to encrypt your files.

Note that all of these cloud services are closed source. This means that we just have to trust them to do what they claim to do (although TeamDrive has been independently audited).

Please see 5 most secure backup services for a longer discussion on this subject. Note, however, Ciphertite (which was open source) and Wuala have shut down since I wrote that article.

Use Syncthing for Cloudless Syncing

Syncthing is a secure decentralized peer-to-peer (P2P) file synchronization program that can sync files between devices on a local network or over the internet.

Acting more or less as a Dropbox replacement, Syncthing synchronizes files and folders across devices, but does so without storing them in ‘the cloud.’ In many ways, it is therefore similar to BitTorrent Sync, except that it is completely free and open source (FOSS).


Syncthing allows you to securely backup data without the need to trust a third party cloud provider. Data is backed up to a computer or server that you directly control, and is at no point stored by a third party.

This is referred to in techie circles as a “BYO (cloud) model,” where you provide the hardware, instead of a third party commercial vendor. The encryption used is also fully end-to-end, as you encrypt it on your device, and only you can decrypt it. Nobody else holds the encryption keys.

A limitation of the system is that, as it is not a true cloud service, it cannot be used as an extra drive by portable devices with limited storage. On the plus side, however, you are using your own storage, and so are not tied to cloud providers’ data limits (or charges).


Please check out my Syncthing review for more details.

Encrypt Your Local Files, Folders, and Drives

While the focus of this document is on internet security and privacy, an important aspect of securing your digital life is to ensure that locally stored files cannot be accessed by unwanted parties.

Of course, it is not just about local storage. You can also encrypt files before emailing them or uploading them to cloud storage.

VeraCrypt
Windows, Mac OSX, Linux. Mobile support for VeraCrypt containers is available via third party apps.

VeraCrypt is an open source full-disk encryption program. With VeraCrypt you can:

  • Create a virtual encrypted disk (volume) which you can mount and use just like a real disk (and which can be made into a Hidden Volume).
  • Encrypt an entire partition or storage device (for example a hard drive or USB stick).
  • Create a partition or storage drive containing an entire operating system (which can be hidden).


All encryption is performed on-the-fly in real-time, making VeraCrypt transparent in operation. The ability to create hidden volumes and hidden operating systems provides plausible deniability, as it should be impossible to prove they exist (as long as all the correct precautions are taken).

Please see here for a full discussion on VeraCrypt. For those who do not trust anything to do with TrueCrypt, EncFS makes a good drop-in alternative.

AES Crypt

Windows, OSX, Linux (Crypt4All Lite for Android is compatible).

This nifty little cross-platform app is very handy for encrypting individual files. Although only individual files can be encrypted, this limitation can be overcome somewhat by creating zip files out of folders, and then encrypting the zip file with AES Crypt.

For more information on AES Crypt, plus a list of other good open source encryption software, please see here.

Full Disk Encryption on Mobile Devices

All new iPhones and iPads now ship with full disk encryption. Some Android devices do as well. If not, you can manually turn it on. Please see How to Encrypt your Android Phone for more details.

Use Antivirus/Anti-malware and Firewall Software


Note: BestVPN has a sister site dedicated to anti-virus software – If you would like to choose an antivirus package to fit your needs, please take the time to check it out! Now, back to the guide…

It almost goes without saying, but as this is an “ultimate guide”, I’ll say it anyway:

Always use anti-virus software, and make sure that it is up-to-date!

Not only can viruses really screw up your system, but they can let hackers enter it. This gives them access to all your (unencrypted) files and emails, webcam, passwords stored in Firefox (if no master password is set), and much more. Keyloggers are particularly dangerous as they can be used to access bank details and track pretty much everything you do on your computer.

It is also worth remembering that not just criminal hackers use viruses! The Syrian government, for example, launched a virus campaign known as Blackshades aimed at ferreting out and spying on political dissidents.

Most people are aware they should be using anti-virus software on their desktop computers, but many neglect their mobile devices. While there are fewer viruses targeting mobile devices at present, smartphones and tablets are sophisticated and powerful computers. As such, they are vulnerable to attack by viruses and need to be protected.

Mac users famously neglect to install anti-virus software. They cite the “fact” that OSX’s Unix architecture makes virus attacks difficult (this is hotly contested, by the way), the fact that most hackers concentrate on Windows because most computers use Windows (true), and the anecdotal evidence of many Mac users who have gone for years without anti-virus software yet never experienced any problems.

This is an illusion, however. Macs are not immune to viruses, and anyone serious about their security should always use good anti-virus software.

The general consensus is that free antivirus software is as good at preventing viruses as paid-for alternatives. But paid-for software provides better support and more comprehensive “suites” of software. These are designed to protect your computer from a range of threats, for example by combining antivirus, anti-phishing, anti-malware and firewall functions.

Similar levels of protection are available for free, but require the use of various different programs. Also, most free software is for personal use only, and businesses are usually required to pay for a license. A bigger concern, however, is how publishers can afford to offer free anti-virus products. AVG, for example, can sell users’ search and browser history data to advertisers in order to “make money” from its free antivirus software.

Although I recommend free products below (as most major anti-virus products have a free version), it may therefore be a very good idea to upgrade to a premium version of the software.

Good Anti-virus Software Options

Windows – the most popular free antivirus programs for Windows are Avast! Free Antivirus and AVG AntiVirus Free Edition (which I recommend avoiding for the reason above). Plenty of others are also available. Personally, I use the built-in Windows Defender for real-time protection, plus run a weekly manual scan using Malwarebytes Free. A paid-for version of Malwarebytes is also available that will do this automatically, plus provide real-time protection.


OSX – Avast! Free Antivirus for Mac is well regarded, although other decent free options are available. In fact, the free software is better regarded than paid-for options, so I just recommend using one of them!

Android – again, there are a number of options, both free and paid-for. I use Malwarebytes because it is nice and lightweight. Avast! is more fully-featured, however, and includes a firewall.

iOS – Apple is still in denial about the fact that iOS is as vulnerable as any other platform to virus attacks. Indeed, in a move that is as alarming as it is bizarre, it seems that Apple has purged the App Store of antivirus apps! I, certainly, have been unable to find any iOS antivirus apps.

Linux – the usual suspects: Avast! and Kaspersky are available for Linux. These work very well.


A personal firewall monitors network traffic to and from your computer. It can be configured to allow and disallow traffic based on a set of rules. In use they can be a bit of a pain, but they do help ensure that nothing is accessing your computer, and that no program on your computer is accessing the internet when it shouldn’t be.

Both Windows and Mac OSX ship with built-in firewalls. These are, however, only one-way firewalls. They filter incoming traffic, but not outgoing traffic. This makes them much more user-friendly than true two-way firewalls but much less effective, as you cannot monitor or control what programs (including viruses) already installed on your computer are doing.

The biggest problem with using a two-way firewall is determining which programs are ‘ok’ to access the internet and which are potentially malicious. Perfectly legitimate Windows processes can, for instance, appear pretty obscure. Once set up, however, they become fairly transparent in use.

Some Good Two-way Firewall Programs

Windows – Comodo Firewall Free and ZoneAlarm Free Firewall are free and good. Another approach is to use TinyWall. This very lightweight free program is not a firewall per se. It instead adds the ability to monitor outgoing connections to the built-in Windows Firewall.

Glasswire is also not a true firewall, because it does not allow you to create rules or filters, or block specific IP connections. What it does do is present network information in a beautiful and clear manner. This makes it easy to understand what is going on, and therefore easier to make informed decisions about how to deal with it.

Mac OSX – Little Snitch adds the ability to monitor outgoing connections to the built-in OSX firewall. It is great, but is a little pricey at $25.

Android – as noted above, the free Avast! for Android app includes a firewall.

iOS – the only iOS firewall I know of is Firewall iP. It requires a jailbroken device to run.

Linux – there are many Linux firewall programs and dedicated firewall distros available. iptables is bundled with just about every Linux distro. It is an extremely flexible firewall utility for anyone who cares to master it.

Those a little less fearless might prefer a more user-friendly Linux firewall such as Smoothwall Express or pfSense.


Miscellaneous Security Hints, Tips and Tricks

Use Linux Rather Than a Commercial OS

As I noted near the beginning of this guide, no commercial software can be trusted not to have a back-door built into it by the NSA.

A more secure alternative to Windows (especially Windows 10!) or Mac OSX is Linux. This is a free and open source operating system. Note, though, that some builds incorporate components which are not open source.

It is far less likely that Linux has been compromised by the NSA. Of course that’s not to say that the NSA hasn’t tried. It is a much more stable and generally secure OS than its commercial rivals.

Tails Linux OS

TAILS is a secure Linux distro favored by Edward Snowden. The default browser is IceWeasel, a Firefox spinoff for Debian that has been given the full Tor Browser Bundle treatment.

Despite great strides made in the right direction, Linux unfortunately remains less user-friendly than either Windows or OSX. Less computer-literate users may therefore struggle with it.

If you are serious about privacy, however, Linux is the way forward. One of the best things about it is that you can run the entire OS from a Live CD, without the need to install it. This makes it easy to try out different Linux distros. It also adds an extra layer of security when you access the internet.

This is because the OS exists completely separately from your regular OS. The temporary OS could be compromised, but as it exists only in RAM and disappears when you boot back into your normal OS, this is not a major problem.

Example Linux Distributions

There are hundreds of Linux distros out there. These range from full desktop replacements to niche distributions.

  • Ubuntu – is a very popular Linux distro due to the fact that it is one of the easiest to use. There is a great deal of assistance available for it from an enthusiastic Ubuntu community. It therefore makes a good starting point for those interested in using a much more secure operating system.
  • Mint – is another popular Linux distro aimed at novice users. It is much more Windows-like than Ubuntu, so Windows refugees are often more comfortable using it than Ubuntu. Mint is built on top of Ubuntu, so most Ubuntu-specific tips and programs also work in Mint. This includes VPN clients.
  • Debian – Mint is based on Ubuntu, and Ubuntu is based on Debian. This highly flexible and customizable Linux OS is popular with more experienced users.
  • Tails – is famously the OS of choice for Edward Snowden. It is very secure, and routes all internet connections through the Tor network. It is, however, a highly specialized privacy tool. As such, it makes a poor general purpose desktop replacement to Windows or Mac OSX.

Ubuntu, Mint and Debian all make great, user-friendly desktop replacements to Windows and Mac OSX. Ubuntu and Mint are widely recommended as good starting points for Linux newbies. A comparison between them is available here.

Use a Virtual Machine (VM)

An additional level of security can be achieved by only accessing the internet (or only accessing it for certain tasks) using a ‘virtual machine.’ These are software programs that emulate a hard drive onto which an operating system such as Windows or Linux is installed. Note that VM-ing OSX is tricky.

This effectively emulates a computer through software, which runs on top of your normal OS.

The beauty of this approach is that all files are self-contained within the virtual machine. The “host” computer cannot be infected by viruses caught inside the VM. This is why such a set-up is popular among hardcore P2P downloaders.

The virtual machine can also be entirely encrypted. It can even be “hidden,” using programs such as VeraCrypt (see above).

Virtual machines emulate hardware. They run another whole OS on top of your “standard” OS. Using one therefore requires substantial overheads in terms of processing power and memory use. That said, Linux distros tend to be quite lightweight. This means that many modern computers can handle these overheads with minimal impact on perceived performance.

Popular VM software includes the free VirtualBox and VMWare Player, and the premium ($273.90) enterprise level VMware Workstation. As noted above, VeraCrypt lets you encrypt an entire OS, or even hide its existence.

Give Whonix a Try

Whonix works inside a VirtualBox virtual machine. This ensures that DNS leaks are not possible, and that “not even malware with root privileges can find out the user’s real IP.”


It consists of two parts, the first of which acts as a Tor gateway (known as Whonix Gateway). The second (known as a Whonix Workstation), is on a completely isolated network. This routes all its connections through the Tor gateway.

Isolating the workstation from the internet connection in this way (with both parts, in turn, isolated from the host OS inside a VM) makes Whonix highly secure.

A Note on Windows 10

More than any other version of Microsoft’s OS, Windows 10 is a privacy nightmare. Even with all its data collection options disabled, Windows 10 continues to send a great deal of telemetry data back to Microsoft.

This situation has become even worse, because the recent Anniversary Update (vers. 1607) removed the option to disable Cortana. This is a service that collects a great deal of information about you in order to provide a highly personalized computing experience. Much like Google Now, it is very useful, but achieves this usefulness by invading your privacy significantly.

The best advice in terms of privacy is to avoid using Windows altogether. Mac OSX is little better. Use Linux instead. You can always set up your system to dual-boot into either Linux or Windows, and only use Windows when absolutely necessary. For example, when playing games, many of which only work in Windows.

If you really must use Windows then a number of third party apps exist to help tighten up security and privacy much more than playing with Windows settings ever can. These typically get under the hood of Windows, adjusting registry settings and introducing firewall rules to prevent telemetry being sent to Microsoft.

They can be very effective. However, you are giving these programs direct access to the deepest workings of your OS. So let’s just hope that their developers are honest! Use of such apps is very much at your own risk.

I use W10 Privacy. It works well, but is not open source. Other options are available.

Password-protect Your BIOS

Full-disk encryption using VeraCrypt is a great way to physically secure your drives. But for this to be properly effective it is essential to set strong passwords in BIOS for both starting up and modifying the BIOS settings. It is also a good idea to prevent boot-up from any device other than your hard drive.

Disable Flash

It has long been widely known that the Flash Player is an incredibly insecure piece of software (see also Flash Cookies). Many major players in the internet industry have made strong efforts to eradicate its use.

Apple products, for example, no longer support Flash (by default). In addition, YouTube videos are now served up using HTML5 rather than Flash.

The best policy is to disable Flash in your browser.

In Firefox, at the very least set Flash to “Ask to Activate,” so you have a choice about whether to load the Flash content.

If you really must view Flash content then I suggest doing so in a separate browser that you do not use for anything else.

Change DNS Servers and Secure Your DNS with DNSCrypt

We are used to typing domain names that are easy to understand and remember into our web browsers. But these domain names are not the “true” addresses of websites. The “true” address, as understood by a computer, is a set of numbers known as an IP address.

To translate a domain name to its IP address, the Domain Name System (DNS) is used.

By default, this translation process is performed on your ISP’s DNS servers. This ensures your ISP has a record of all websites you visit.


Graffiti in Istanbul encouraging the use of Google Public DNS as an anti-censorship tactic during the government’s 2014 crackdown on Twitter and YouTube.

Fortunately, there are a number of free and secure public DNS servers, including OpenDNS and Comodo Secure DNS. I prefer the non-profit, decentralized, open, uncensored and democratic OpenNIC.

I recommend changing your system settings to use one of these instead of your ISP’s servers. See here for a full guide to doing this on all platforms.


What SSL is to HTTP traffic (turning it into encrypted HTTPS traffic), DNSCrypt is to DNS traffic.

DNS was not built with security in mind, and it is vulnerable to a number of attacks. The most important of these is a “man-in-the-middle” attack known as DNS spoofing (or DNS cache poisoning). This is where the attacker intercepts and redirects a DNS request. This could, for example, be used to redirect a legitimate request for a banking service to a spoof website designed to collect victims’ account details and passwords.

The open source DNSCrypt protocol solves this problem by encrypting your DNS requests. It also authenticates communications between your device and the DNS server.

DNSCrypt is available for most platforms (mobile devices must be rooted/jailbroken), but does require support from your chosen DNS server. A list of such servers is available here. This includes many OpenNIC options.

DNS and VPNs

This DNS translation process is usually performed by your ISP. When using a VPN, however, all DNS requests should be sent through your encrypted VPN tunnel. They are then handled by your VPN provider instead.

Using the right scripts, a website can determine which server resolved a DNS request directed to it. This will not allow it to pinpoint your exact real IP address, but will allow it to determine your ISP (unless you have changed DNS servers, as outlined above).

This will foil attempts to geo-spoof your location, and allows police and the like to obtain your details from your ISP. ISPs keep records of these things, while good VPN providers do not.

Most VPN providers run their own dedicated DNS servers in order to perform this DNS translation task themselves. If using a good VPN, therefore, you do not need to change your DNS server or use DNSCrypt, as the DNS requests are encrypted by the VPN.

Unfortunately, DNS requests do not always get sent through the VPN tunnel as they are supposed to. This is known as a DNS leak.


To find out how to detect a DNS leak and what to do about it, please see my Complete Guide to IP Leaks. Note that many VPN providers offer “DNS leak protection” as a feature of their custom software. These apps use firewall rules to route all internet traffic through the VPN tunnel, including DNS requests. They are usually very effective.

Use Secure Passwords

We have all been told this often enough to make us want to pull our hair out! Use long complex passwords, using combinations of standard letters, capitals and numbers. And use a different such password for each service… Argh!

Given that many of us find remembering our own name in the morning a challenge, this kind of advice can be next to useless.

Fortunately, help is at hand!

Low Tech Solutions

Here are some ideas that will vastly improve the security of your passwords, and take almost no effort whatsoever to implement:

  • Insert a random space into your password – this simple measure greatly reduces the chance of anyone cracking your password. Not only does it introduce another mathematical variable into the equation, but most would-be crackers assume that passwords consist of one contiguous word. They therefore concentrate their efforts in that direction.
  • Use a phrase as your password – even better, this method lets you add lots of spaces and use many words in an easy-to-remember manner. Instead of having “pancakes” as your password, you could have ‘I usually like 12 pancakes for breakfast’ instead.
  • Use Diceware – this is a method for creating strong passphrases. Individual words in the passphrase are generated randomly by rolling dice. This introduces a high degree of entropy into the result. Diceware passphrases are therefore well-regarded by cryptographers. The EFF has recently introduced a new expanded Diceware wordlist aimed at further improving Diceware passphrase results.
  • Use more than four numbers in your PIN – where possible, use more than four numbers for your PINs. As with adding an extra space to words, this makes the code mathematically much harder to break. Most crackers work on the assumption that only four numbers are used.
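The arithmetic behind the list above, as an added example that is not part of the original guide: it maps a five-dice Diceware roll to a word-list index (base 6, so five dice give 6^5 = 7776 outcomes), parses the “roll<TAB>word” format used by Diceware and EFF word lists, draws rolls from the OS random source rather than a plain PRNG, and compares the search space of a passphrase against that of four- and six-digit PINs. The two word-list lines are constructed, and a word list passed to `diceware_passphrase` is assumed to be a full 7776-entry list.

```python
import math
import secrets

# Five dice, each 1..6, give 6**5 equally likely rolls; the original Diceware
# list and the EFF long list both have exactly this many entries.
DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD


def dice_to_index(roll: str) -> int:
    """Map a roll such as '12345' to a 0-based index: '11111' -> 0, '66666' -> 7775."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError("a Diceware roll is exactly five digits in the range 1-6")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)  # each die is one base-6 digit
    return index


def index_to_roll(index: int) -> str:
    """Inverse of dice_to_index; useful for building or checking a word list."""
    if not 0 <= index < DICEWARE_LIST_SIZE:
        raise ValueError("index out of range for a five-dice list")
    digits = []
    for _ in range(DICE_PER_WORD):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def parse_wordlist(text: str) -> dict:
    """Parse 'roll<TAB>word' lines (the Diceware/EFF list format) into a dict."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        roll, word = line.split(None, 1)
        dice_to_index(roll)  # validates the roll before accepting the entry
        words[roll] = word
    return words


def roll_dice() -> str:
    """Roll five dice from the OS CSPRNG (secrets), never from random.randint."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def diceware_passphrase(n_words: int, wordlist: dict) -> str:
    """Pick n_words words by rolling dice against a complete 7776-entry list."""
    if len(wordlist) != DICEWARE_LIST_SIZE:
        raise ValueError("word list must contain every one of the 7776 rolls")
    return " ".join(wordlist[roll_dice()] for _ in range(n_words))


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of an n-word Diceware passphrase (about 12.9 bits per word)."""
    return search_space_bits(list_size, n_words)


def pin_bits(n_digits: int) -> float:
    """Entropy of an n-digit numeric PIN; 4 digits is only about 13.3 bits."""
    return search_space_bits(10, n_digits)


def words_needed_for(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of Diceware words that reaches the requested entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    # Constructed sample lines in the EFF list format (placeholder words).
    sample = parse_wordlist("11111\tabacus\n11112\tabdomen\n")
    print(sample, dice_to_index("12345"))
    print("6 words:", round(passphrase_bits(6), 1), "bits")
    print("4-digit PIN:", round(pin_bits(4), 1), "bits; 6-digit PIN:", round(pin_bits(6), 1))
    print("words for 128 bits:", words_needed_for(128))
```

Six Diceware words give roughly 77.5 bits, and ten words reach 128 bits; a four-digit PIN, by contrast, has only about 13.3 bits, which is why the longer-PIN advice above matters.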

High Tech Solutions

Where mortals fear to tread, software developers jump in with both feet! There are a plethora of password management programs available. My pick of the bunch are:

KeePass (multi-platform) – this popular free and open source (FOSS) password manager will generate complex passwords for you and store them behind strong encryption. A plethora of plugins allow for all sorts of customization and increased capability.


With plugins you can use the Twofish cipher instead of the default AES, for example, while PassIFox and chromeIPass provide full browser integration. KeePass itself is Windows only, but KeepassX is an open source clone for OSX and Linux, as are iKeePass for iOS and Keepass2Android for Android.

Check out my KeePass Review for more details.

Sticky Password (Windows, Mac OSX, Android, iOS) – is a great desktop password solution that impressed me with its ability to sync over Wi-Fi and support for so many browsers.

Its security measures also appear to be very tight. Given these solid foundations, the fact that Sticky Password works brilliantly on mobile devices (especially for Firefox mobile users) may be a compelling reason to choose this over its FOSS rival.

Social Networking

Social networking. Where you are encouraged to share every random thought that comes into your head, photos of what you had for dinner, and blow-by-blow accounts of your relationship meltdown.

It is the antithesis of concepts such as privacy and security.

Facebook is “worse” than Twitter in terms of privacy, as it sells every detail of your life to profiling-hungry advertisers. It also hands your private data over to the NSA. But all social networks are inherently about sharing information.

Meanwhile, all commercial networks make a profit from harvesting your personal details, likes, dislikes, places you visit, things you talk about, people you hang out with (and what they like, dislike, etc.), and then selling them.

By far the best way to maintain your privacy on social networks is to avoid them altogether. Delete all your existing accounts!

This can be tricky. It is unlikely, for example, that you will be able to remove all traces of your presence on Facebook. Even worse is that these social networks are increasingly where we chat, share photos and otherwise interact with our friends.

They are a primary reason for using the internet, and play a central role in our social lives. In short, we aren’t willing to give them up.

Below, then, are some ideas for trying to keep a modicum of privacy when social networking.


If there are things you don’t want (or that shouldn’t be) made public, don’t post details about them on Facebook! Once posted, it is very difficult to retract anything you have said. Especially if it has been re-posted (or re-tweeted).

Remember that the authorities monitor social networking sites and services, so planning big illegal raves, or joking about bombing your local airport, are very bad ideas.

Keep private conversations private

It is all too common for people to discuss intimate details of a planned dinner date, or conversely, to have personal rows, using public channels. Make use of Message (Facebook) and DM (Twitter) instead.

This won’t hide your conversations from advertisers, the law, or the NSA, but it will keep potentially embarrassing interactions away from friends and loved ones. They probably really don’t want to hear certain things anyway!

Use aliases

There is little to stop you from using a false name. In fact, given employers almost routinely check their staff’s (and potential staff’s) Facebook pages, using at least two aliases is almost a must. Opt for a sensible one with your real name, which is designed to make you look good to employers, and another where friends can post wildly drunken pictures of you.

Remember that it is not just names that you can lie about. You can also happily fib about your date of birth, interests, gender, where you live, or anything else that will put advertisers and other trackers off the scent.

On a more serious note, bloggers living under repressive regimes should always use aliases (together with IP cloaking measures such as a VPN) when publishing posts that may threaten their life or liberty.

Keep checking your privacy settings

Facebook is notorious for continually changing the way its privacy settings work. It also makes its privacy policies as opaque as possible. It is worth regularly checking the privacy settings on all social networks to make sure they are as tight as possible.

Ensure that posts and photos are only shared with Friends, for example, not Friends of Friends or “Public.” In Facebook, ensure that “Review posts friends tag you in before they appear on your timeline” (under Privacy Settings -> Timeline and Tagging) is set to “On”. This can help limit the damage “friends” are able to do to your profile.

Avoid All Five Eyes-based Services

The Five Eyes (FVEY) spying alliance includes Australia, Canada, New Zealand, the United Kingdom, and the United States. Edward Snowden has described it as a “supra-national intelligence organization that doesn’t answer to the known laws of its own countries.”

Intelligence is freely shared between security organizations of member countries, a practice that is used to evade legal restrictions on spying on their own citizens. It is therefore a very good idea to avoid all dealings with FVEY-based companies.


Indeed, there is a strong argument that you should avoid dealings with any company based in a country belonging to the wider Fourteen Eyes alliance.

The US and NSA Spying

The scope of the NSA’s PRISM spying program is staggering. Edward Snowden’s revelations have demonstrated it has the power to co-opt any US-based company. This includes monitoring information relating to non-US citizens and pretty much anybody else in the world. It also includes monitoring all internet traffic that passes through the US’s internet backbone.

Other countries’ governments seem desperate to increase their own control over their citizens’ data. Nothing, however, matches the scale, sophistication, or reach of PRISM. This includes China’s attempts at internet surveillance.

Suggesting that every US-based company may be complicit in handing every user’s personal information over to a secretive and largely unaccountable spying organization might sound the stuff of paranoid science fiction fantasy. As recent events have proved, however, this is terrifyingly close to the truth…

Note also that due to provisions in both the Patriot Act and the Foreign Intelligence Surveillance Act (FISA), US companies must hand over users’ data. This applies even if that user is a non-US citizen, and the data has never been stored in the US.

The UK and GCHQ Spying

The UK’s GCHQ is in bed with the NSA. It also carries out some particularly heinous and ambitious spying projects of its own. According to Edward Snowden, “they [GCHQ] are worse than the US.”

This already bad situation is about to worsen. The impending Investigatory Powers Bill (IPB) “formalises” this covert spying into law. It also expands the UK government’s surveillance capabilities to a terrifying degree with very little in the way of meaningful oversight.

I therefore strongly recommend avoiding all companies and services based in the UK.


Is Privacy Worth it?

This question is worth considering. Almost all the measures outlined above mark you out for special attention by the likes of the NSA. They also add extra layers of complexity and effort to everyday tasks.

Indeed, much of the cool functionality of new web-based services relies on knowing a lot about you! Google Now is an excellent case in point. An “intelligent personal assistant,” this software’s ability to anticipate what information you require is uncanny.

It can, for example, remind you that you need to leave the office to catch the bus “now” if you want to get home at your usual time. It will also provide navigation to the nearest bus-stop, and alternative timetables should you miss the bus.

Some of the most exciting and interesting developments in human-computer interaction rely on a full-scale invasion of privacy. To box yourself in with encryption and other privacy protection methods is to reject the possibilities afforded by these new technologies.

I mainly pose the question ‘is privacy worth it’ as food for thought. Privacy comes with a cost. It is worth thinking about what compromises you are willing to make, and how far you will go, to protect it.

The importance of privacy

In my view, privacy is vitally important. Everyone has a right not to have almost every aspect of their lives recorded, examined and then judged or exploited (depending on who is doing the recording). However, maintaining privacy is not easy, and can never be completely guaranteed in the modern world.

Stop spying on us!

What most of us probably want is the ability to share what we want with our friends and with services that improve our lives, without worrying about this information being shared, dissected and used to profile us.

If more people make efforts to improve their privacy, it will make government agencies’ and advertisers’ jobs more difficult. Perhaps even to the point that it could force a change of approach.

Final Words

It may take a bit of effort, but it is entirely possible, and not too cumbersome, to take steps that greatly improve your privacy while online. Nothing is foolproof, but that is no reason to make things easy for those who would invade aspects of your life that should rightfully be yours and yours alone.

Privacy is a precious but endangered commodity. By implementing at least some of the ideas I have covered in this guide, you not only help to protect your own privacy, but also make a valuable contribution to conserving it for everyone.

After all, if everyone encrypted their online life, where would the NSA be then?


Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

77 replies to “The Most Complete Online Privacy Guide”

  1. Hi Douglas,

    Right now, I am using Google Chrome and I have been using these extensions together for quite a while:
    – uBlock Origin
    – Privacy Badger
    – HTTPS Everywhere
    – Cookie AutoDelete
    – Decentraleyes
    – ExpressVPN

    What do you think of the extensions I use, and please advise whether I should add any more recommended extensions or remove any of the extensions I am using right now? Thanks so much.

  2. Which operating system is more private, secure and anonymous for everyday use? Are you thinking of doing a similar guide with more recent and better programs?

    1. Hi leadeR21,

      Um.. ha ha! This guide is now pretty up-to-date, and the recommendations in it are, imo, the best currently available. If you actually read it, you will also see which OS I recommend.

  3. For shopping/banking/other, is it better (more secure & private) to use something like BitDefender Safepay or Firefox (inside a sandbox?) with modified configurations + privacy add-ons like NoScript, etc.?

    1. Hi Bran,

      It all depends on your threat model (who and what you are worried about). In general, I would say that simply ensuring the website you visit uses HTTPS is sufficient protection for online banking and shopping.

      – If you really feel a need for extra security then something like Bitdefender Safeplay is probably pretty good, although it does mean trusting a third party to manage your banking details (if for no other reason than the Bitdefender Safeplay software is closed source).

      – Using Firefox with privacy add-ons will increase your privacy (running in a sandbox is overkill for most situations imo), and will help protect you from malicious websites. Its security benefits when visiting legitimate websites, on the other hand, will be limited (and add-ons such as NoScript are likely to break many websites).

  4. Hi Douglas, Thanks for this Brilliant Article.

    One question still: how do those TOR, VPN & personal data leak issues affect networking under cellular phone networks (3G/4G)?

    I know using TOR or VPN directly, with non-rooted android devices is a no go..

    But what about the IMSI & IMEI identifiers tied to the user through SIM cards? At which point can they be harmful to OPSEC?

    – If connected to a cellular network with a wifi/bridge?
    – What about connecting a PC to TOR or VPN through a middle box (Raspberry Pi) and then this box connected to the phone network?

    Thanks for your enlightenment! Maybe a subject for an article update?

    Best regards !

    1. Hi Prismatic,

      – Tor and VPNs work the same over mobile networks as they do over regular broadband networks.
      – IMSI & IMEI identifiers can be very damaging to opsec. They can be read and transmitted by apps but not web pages, which is one reason I recommend accessing services via their web portals rather than their apps.
      – “If connected to cellular network with a wifi/bridge ?” – can you please clarify what you mean here?
      – You can indeed use something like a Raspberry Pi as a VPN/Tor router.

    2. Thanks for your answer.

      So IMSI & IMEI are not part of the network protocol identifiers? They can only be leaked by apps, as content of the TCP frame?

      I mean :

      If I connect my mobile to a 4G network, the operator cell tower will give me a public IP, which will be registered to my phone IMEI/IMSI.

      The service provider will know that This IP, originating from This tower, tied to This phone/SIM card, has established an https, OpenVPN or TOR request to a distant server, but is that all that could be traceable?

      Ensuring no IMSI/IMEI leak through apps is possible, by using a PC or TOR/VPN relay box, connected to the phone via wifi.

      What is your advice?

      Many thanks and keep those writings up !

      1. Hi Prismatic,

        – Yes, your mobile provider will know who you are by your SIM card’s IMEI/IMSI number, and that you have established an https, OpenVPN or TOR request to a distant server.
        – No, apps can access IMSI/IMEI numbers and transmit these directly to their developers. Using a VPN or Tor cannot prevent this.

        So my advice is to access services via their mobile web pages instead of via their apps. Browsers do not access IMSI/IMEI numbers, and could not transmit them in HTML headers even if they did.

  5. Congratulations for this very detailed and useful article. I have two questions: 1) Do e-mail providers keep a list of the ip addresses you have used to log in to your account or they just keep the ip address you used to create the account and for how long?
    2) If I create an account and I, by chance, select a username that was previously used by someone else who deleted his account, will my account be linked with the activity of that person?

    Thank you.

    1. Hi Tatania,

      1. Email services generally do keep metadata connection logs, which includes the IPs used for each connection (and an associated timestamp). This even applies to most privacy email services, although with these the actual content of your emails is often end-to-end encrypted.
      2. Probably not (it can hardly be an uncommon situation). And even if it did happen, a cursory investigation would no doubt quickly reveal that there is no connection between you and the other person.

    1. Hi John,

      I have answered a similar comment you left elsewhere; I discuss just this subject at some length in my article Chaining VPN servers (specifically under the “Chaining VPN servers yourself” section). If you have any further questions, please let me know.

  6. The ultimate private communication is traditional mouth-to-mouth communication, without any technologies. The most strongly encrypted information host is the brain of a catholic priest (never hacked throughout all the 2000 years)!

  7. Hello, please help me make a choice. I have a Raspberry Pi which I could use as a router/hot-spot, and I have paid for a VPN in an off-shore country with Bitcoin using Tails. Now I wonder: should I use my VPN directly on my laptop, or should I use it on my Raspberry Pi and use the Pi as a VPN router?

    Thank You!

    1. Hi John,

      Both options are good, and provide pretty much the same levels of privacy and security. Your laptop will be much more powerful than the Pi, which might struggle to process the VPN encryption at speed. On the other hand, using the Pi as a hotspot means all your devices will seamlessly benefit from the VPN.

    2. Thank you very much for the fast answer. Although this may sound stupid, I will still ask you one more question… In order to check if we are successfully connected to the VPN service and the VPN has changed our IP, we need to use a service like IPChicken. Still, if we are not successfully connected to the VPN service, we are exposing our real IP to the IPChicken service. How can we check our IP without exposing it, if the VPN fails to “hide” our real IP? (Using OpenVPN on Linux without GUI VPN software.)
      Thanks again.

      1. Hi John,

        FWIW, I generally recommend for this as it also checks for IP leaks. Because the new IP comes from an external server, you really need to use a third-party service such as Can you maybe explain why such a service seeing your IP might be a problem? The only other way I can think of to test your VPN’s IP address would be to set up a home server and then monitor the IPs that connect to it.

    3. The home server is a good idea, I never thought of that. It is not a problem if any third-party service can see my IP, I was just contemplating a bullet-proof privacy solution. Your knowledge in this field never ceases to surprise me.
      Please never stop the great work you are doing for all of us.

      All the best, John.
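The exchange above boils down to two checks: make sure the tunnel is actually carrying your traffic before you ask anyone what your IP is, and, if you run the IP-check endpoint on a server you control, read its logs to see which address each hit came from. The script below is an added illustration of both and is not code from the original guide or its author. It runs offline against constructed data: the interface name tun0, the two routing-table snippets, the access-log format and every IP address in it are assumptions made for the example.

```python
"""Two offline checks for 'is my VPN really hiding my IP?' (added example).

1. tunnel_is_default_route(): parse `ip route show` output (Linux) and
   confirm the default route leaves via a tun interface, so a plain OpenVPN
   client can refuse to contact any IP-check service while the tunnel is down.
2. find_leaked_hits(): parse access-log lines from a 'what is my IP' endpoint
   on a server you control and flag hits that arrived from your real address.
All sample data below is constructed for illustration.
"""
import re
from typing import List

# Constructed `ip route show` output. First sample: OpenVPN client with
# 'redirect-gateway def1' active. OpenVPN does not replace the ISP default
# route; it adds 0.0.0.0/1 and 128.0.0.0/1 over tun0, which win by longest
# prefix, plus a host route to the VPN server (203.0.113.7, assumed) so the
# tunnel itself stays reachable. Second sample: same box after the tunnel dropped.
ROUTES_TUNNEL_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.7 via 192.168.1.1 dev wlan0
"""
ROUTES_TUNNEL_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

ROUTE_RE = re.compile(r"^(?P<dest>\S+)\s.*?\bdev\s+(?P<dev>\S+)")


def default_route_devices(ip_route_output: str) -> List[str]:
    """Interfaces carrying the effective default route.

    Only a complete 0.0.0.0/1 + 128.0.0.0/1 pair counts as the default.
    A lone half (a partly torn-down tunnel that leaks half the address space)
    falls through to the plain 'default' entry, which is the conservative answer.
    """
    halves = {}
    plain = []
    for line in ip_route_output.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, dev = m.group("dest"), m.group("dev")
        if dest in ("0.0.0.0/1", "128.0.0.0/1"):
            halves[dest] = dev
        elif dest == "default":
            plain.append(dev)
    if len(halves) == 2:
        return sorted(set(halves.values()))
    return plain


def tunnel_is_default_route(ip_route_output: str, tun_prefix: str = "tun") -> bool:
    """True only when every device on the default route is a tunnel interface.
    If this is False, a request to any IP-check service would leave over the
    ISP link and expose the real address, so do not send it."""
    devs = default_route_devices(ip_route_output)
    return bool(devs) and all(d.startswith(tun_prefix) for d in devs)


# Constructed access-log lines (common log format as nginx/Apache write it;
# format and addresses are assumptions) from a '/ip' endpoint on a server you
# control. 203.0.113.7 is the VPN exit; 198.51.100.44 is the ISP-assigned
# address, so any hit from it means the tunnel was not carrying traffic then.
ACCESS_LOG = """\
198.51.100.44 - - [18/Nov/2016:10:01:12 +0000] "GET /ip HTTP/1.1" 200 15
203.0.113.7 - - [18/Nov/2016:10:02:40 +0000] "GET /ip HTTP/1.1" 200 15
198.51.100.44 - - [18/Nov/2016:10:05:03 +0000] "GET /ip HTTP/1.1" 200 15
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def find_leaked_hits(log_text: str, real_ip: str, path: str = "/ip") -> List[str]:
    """Timestamps of requests to `path` that arrived from `real_ip`."""
    leaked = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ip") != real_ip:
            continue
        parts = m.group("req").split()  # ["GET", "/ip", "HTTP/1.1"]
        if len(parts) >= 2 and parts[1] == path:
            leaked.append(m.group("ts"))
    return leaked


if __name__ == "__main__":
    for name, routes in (("tunnel up", ROUTES_TUNNEL_UP), ("tunnel down", ROUTES_TUNNEL_DOWN)):
        ok = tunnel_is_default_route(routes)
        print(f"{name}: default via {default_route_devices(routes)} -> "
              f"{'safe to query' if ok else 'do NOT query, request would leak'}")
    print("hits from real address:", find_leaked_hits(ACCESS_LOG, "198.51.100.44"))
```

On a live machine, feed the output of `ip route show` into tunnel_is_default_route() before every check. The route test says nothing about IPv6 or DNS: many VPNs of this era tunnel only IPv4, so repeat the check against `ip -6 route` (or disable IPv6), and remember that a resolver query can still go out over the ISP link even when the default route is correct.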

  8. Hi Douglas,

    Thank you for your work. After reading this article, I gained much knowledge about protecting privacy and I want to translate this article into Chinese. I am from China, a country that has become the first since Germany under the Nazis to have a Nobel Peace laureate die in custody. Since China was the world’s worst abuser of internet freedom in the 2016 Freedom on the Net survey for the second consecutive year according to Freedom House, several hundred million internet users of this country are strictly censored every day, especially the dissidents. But sometimes even the groups who are at high risk of government persecution don’t know how to protect their online privacy correctly. Therefore I want to show the Chinese people how to do the right things by translating this article. I hope I can get your permission to do that.

    Finally, I wish you all the best for your career.

    1. Mr. Douglas, please allow me to ask, could you please share your email address or any other way of contacting you? I would like to discuss the same thing Suzuhara asked you. There are so many people who could find all this information very useful, and it would be much appreciated if you would allow us to share the translation of your knowledge.

      All the best, John.

  9. I tend not to leave a comment, however after reading a few of the comments on The Ultimate Online Privacy Guide, I actually do have a couple of questions for you if it’s all right. Could it be simply me or do some of the remarks appear like they are left by brain-dead individuals? 😛 And, if you are posting on additional online sites, I’d like to keep up with anything new you have to post. Could you make a list of every one of your shared sites like your LinkedIn profile, Facebook page or Twitter feed?

    1. Hi Sergio,

      After years of resisting the idea, I have set up a Twitter account (@douglasjcrawf). I will post all new articles that I write using that. I now write fairly full-time for, but may set up a webpage at some point listing other articles I have written and articles in which I have been quoted.

  10. Yesterday, while I was at work, my sister stole my iPad and tested to see if it can survive a 30 foot drop, just so she can be a youtube sensation. My iPad is now destroyed and she has 83 views. I know this is totally off topic but I had to share it with someone!

  11. Hi Doug,
    Thank you for the great review. I have been reading this review since 2015 and glad to see you are keeping it up-to-date.
    I agree that using Linux is safer than other commercial OSes; however, in the Linux world there are also some commercial ones like Red Hat, to which I have an annual subscription and which I use. But your suggestions concern me about using it, because the OS is registered with my email to receive updates. However, other Linux distros like Mint, CentOS, Ubuntu do not require registration. So, should I worry about using it? I do not necessarily need to use Red Hat, I can use CentOS, for example, but because I have a subscription, I prefer to use it.

    And Red Hat is a US company!

    1. Hi redhat,

      Thanks! It is up to you to assess your own threat model, but as there is nothing even slightly illegal or suspicious about using Linux, I personally would have no problem registering for Red Hat using my email address. Red Hat is a US company, but on the other hand, and despite its commercial model, Red Hat Enterprise Linux is open source software. Nothing can be 100% guaranteed in this crazy world, but my advice is that if you like Red Hat, then carry on using it.

  12. The information you provided in the article is overwhelming. I don’t think that many people will use the majority of the tools to try to create an impeccable privacy fortress, but many people will definitely use some of them for their personal situation. I often browse a site to get some information which is free (so far) and have no idea if they track me (probably they do) because I have an ad blocker in my browser. I don’t want them to know that I visit the site on a regular basis. So, what minimum set of tools (preferably free) would you recommend to hide my visits and not make things too complicated or the browsing too slow?

    I use Firefox and Windows 7 on my PC with an Intel Core i5, and I have to stick with Win 7 because of an old program that I need. I have Avast Free Antivirus, Malwarebytes Anti-Malware (free version), Avast Online Security, Avast SafePrice, Adblock Plus with EasyList, EasyPrivacy and my custom filter, and of course Shockwave Flash in the browser. I have now disabled Shockwave Flash to see if I really need it; a long time ago I disabled Java in the browser.

    Also, could you please advise what set of tools to use for an Android tablet as well. Thanks.

    1. Hi Fim,

      I hope readers can dip into this guide, and get what they need out of it as required :). It sounds as if you are pretty much on the case.

      – You should, of course, use a VPN to hide your real IP address. Do check to ensure that you are suffering from no IP leaks.
      – Most ad-blockers will actually also help prevent tracking. I use Privacy Badger and uBlock Origin together. Both these extensions also work in Firefox for Android.

      Be aware that pretty much anything you do to prevent other forms of tracking makes you more vulnerable to browser fingerprinting. The best way to avoid browser fingerprinting is to use the plain vanilla Tor Browser (with Tor turned off), but then you lose the anti-tracking benefits of using add-ons. Catch-22…

      1. Hi Doug,

        Does it make sense to install Privacy Badger and uBlock Origin in addition to Adblock Plus that I currently use or instead of it? Or just add one of these two to Adblock Plus? Also, I have a question about your site that I wouldn’t want to post. So, could you please email me your email address? I am not going to abuse it.

        Thank you.

        1. Hi Fim,

          You do not need Adblock Plus in addition to Privacy Badger and uBlock Origin. I would recommend using these instead. I will email the address you have provided.

          1. Hi Doug,

            The issue of personal privacy and the rights of the government in a modern world of terrorism is complicated. I have nothing to hide if the government agencies want to research my activity, so I don’t need a super privacy fortress, but I do want at least some privacy. Just as all calls from telemarketers are very irritating (I immediately hang up), so are spam and ads.
            When I posted my first comment on your website I didn’t have to enter my email address; it was prompted because you already knew it. I don’t think you did a lot of research on me to find my email; it was obviously very easy to find. That’s what I want to prevent when I visit other websites. My email is always open in a tab.

            1. Will it help to always keep that tab closed while many other tabs are open, and keep my email open in a separate Firefox window with only one tab for email?
            2. If it won’t work because my email is already stored in the browser, is there a way to clean it?
            3. If neither 1 nor 2 works, will Privacy Badger and uBlock Origin be enough to hide my email? As far as I understand they do not only block ads but also prevent tracking and delete cookies when the browser is closed. Is that correct?
            4. Everyone who intentionally wants to find me (like government agencies) can do it, but who will do something intentionally if information about me is not on the surface? Only easy prey becomes a victim. So, if my email is hidden, does a website still know about my visits and can it start tracking me further?
            5. Can Privacy Badger and uBlock Origin also hide my visits?
            6. I understand that to hide myself even more I need to use a VPN to hide the IP address, but do I really need it if my email is not seen?

            Sorry Doug, instead of one question I detailed it into six, but please answer each of them.

            Thanks a lot.

          2. Hi Fim,

            We do not collect readers’ email addresses, unless you sign up for our weekly newsletter. We also perform no research or make any other effort to discover the identity or email addresses of our readers. What you saw was almost certainly the result of your own browser’s auto-fill feature. Please also note that we do not require readers to enter their real email addresses when leaving a comment (we have no verification process).

            1. Having a tab with your email service open does not allow a website (including us) to know your email details. Websites such as Facebook and any Google service do, however, track their own users as they surf the web. Signing out of your account (not just closing the tab) is one of the best ways to help counter this (although it should not be considered foolproof, which is why anti-tracking add-ons such as Privacy Badger are important).

            2. Firefox stores usernames (including email addresses used as usernames) and passwords using its Password Manager feature. Please see here for the official documentation on how to manage this (including how to disable it and delete all data saved).

            3. Privacy Badger and uBlock Origin block ads and prevent you being tracked as you surf the internet. They won’t hide your email address, but as I have explained, your email address is not on show anyway. Disabling “Remember logins for sites” in Firefox should fix the problem for you. I hope you understand, though, that although your Firefox auto-filled in your password on our form, we could not see your password until you submitted the comment, and you could have changed or deleted it at any point before hitting the “Post comment” button.

            4. Large sections of this Guide are about just this subject. Your email address is not the concern. Without a VPN, any website can identify you by your unique IP address. So use a VPN. As discussed in the Guide, various sneaky technologies are used to track you and uniquely identify you anyway.

            5. Privacy Badger + uBlock Origin are a good defense against this, as is the more complex uMatrix. Nothing is 100% foolproof, however, and all such techniques make you more vulnerable to browser fingerprinting.

            6. Yes. As I hope you understand by now, websites cannot see your email. But they can see your IP address.

            It’s my pleasure :).

  13. Thank you. But your guide doesn’t cover this attack on the privacy of innocent citizens:

    Could you please advise about the above matter?

    Also, smart meters spying on my house: I don’t have a smart meter and want to complain against any department of government that gives permission to utility companies to force us to change our standard meters (old meters) to smart ones, as smart meters spy on our houses. A British man’s home is his castle, don’t spy in my castle!

    Also I want to complain against whoever gives power to GCHQ or the relevant investigation/surveillance department of a government body to do this, and I need advice on how I can get a solicitor who can complain about this, if I was a target by mistake and my privacy line is attacked. I need to complain to ask for compensation from the government bodies that may have affected me, and I need advice to give to a range of solicitors who can take this matter on and claim compensation for me, if I, as an innocent citizen, become a victim of targeted surveillance or blanket-policy surveillance.

    Could you please email and advise me if you can’t answer everything directly here?

    Thank you for your excellent guide. Please update this article in a timely manner based on new WikiLeaks and other sources that will inform us about illegal activities of government bodies that break into my confidentiality line.

    All the best

    1. Hi Ales,

      I know this is an “Ultimate” privacy guide, but unfortunately it cannot hope to address every potential threat to your privacy out there. There are simply too many of them, and new ones are reported almost every day! This case is particularly frustrating, as TBH, there is not much you can do. As I wrote at the time,

      “Unfortunately there is very little that cellphone users can do about the situation, which (if true) allows the NSA and GCHQ to bypass the encryption built into 3G and 4G networks, and listen in to all calls made by users in the 85 countries and 450 cellphone networks that Gemalto does business with…
      The only solution to the problem would be a complete replacement program for all potentially affected SIM cards, which would be a very expensive logistical nightmare for Gemalto, so it is little wonder that the SIM manufacturer is denying that its keys have been compromised…”

      – You are 100% right. In fact, I am pleased to say that an article highlighting the danger smart meters pose to our privacy is on my shortlist – hopefully to appear on a screen near you soon! I doubt, however, that smart meters will be added to this online privacy guide, as I think they go beyond its remit (which has to end somewhere).

      – The Investigatory Powers Act is now law, and gives the UK government pretty much carte blanche to spy on everything we do. What it basically does is legalise what GCHQ has been doing for years (plus expand those powers in alarming ways). And what did the Great British public (or their elected representatives) do about this assault on our most basic freedoms? Sweet FA.

      – Thanks. I do try to keep this Guide up to date, but need to be selective or else it would need updating on a daily basis!

  14. Free is not always best when it comes to using antivirus software. Which is the case with AVG. The software may be all right in itself to protect your computer, but they have admitted to selling everyone’s information to other companies or third parties in order to continue offering it for free.

    1. Hi MJ,

      That is a very good point (I missed the thing about AVG, as I was traveling abroad at the time). I have updated the guide to include a warning about this. Thanks.

  15. I just jumped into this whole VPN issue yesterday and now I’m here. I was not so informed about what you can do about privacy, and lots of things here I didn’t know existed. It’s a long article, but it’s very good that you pointed out all of these issues, especially for ‘regular users’ like me; the writing and ideas make it easy to implement.

    I don’t know if you mentioned it though, and this is something I do with my most important doc files, that is to set a password in order to open these documents. It’s not difficult and it just adds a bit more security.

    1. Hi Jim,

      Thanks! TBH, I don’t know that much about DiskCryptor (a FOSS full-disk encryption program for Windows). Given that VeraCrypt does the same thing, is very robust, and has now been independently audited, I recommend using VeraCrypt instead. But I will put properly researching and reviewing DiskCryptor on my (admittedly rather long) to-do list.

    1. Hi Caityn,

      I put this to our tech department.

      “TBH it’s unthinkable not to use it; it’s the cornerstone of knowing how the business is performing, and I can’t imagine there’s any site or provider not using it. We certainly don’t see individual data, and if the user comes to our site through a VPN the country of origin will be based on their VPN connection, so they are hidden as far as I know. The only thing that GA tells us is how you interact with the site, where you drop off and where you click through to. The whole idea of analysing this is to get better, to give customers a better UX, which we monitor through average pages per session, average time on page, bounce rate etc…”

      We do, of course, strongly advise customers to use a VPN when visiting this website. If you have specific concerns, we will be happy to try to answer them, as we have nothing to hide.

  16. Hi, I am Bobby and I want a privacy guide and tools only for Android users, for example: how to root, how to use Tor or a VPN on Android devices, how to change the ROM, or how to use PGP, open source, cryptology, all on Android. Thank you very much!!

    1. Hi Bobbie,

      This is a great idea, and is something that I would like to do. It will take up quite a lot of time, however, so will probably have to wait for a while.

  17. Throughout this article, you keep mentioning massive privacy problems with Windows, but then follow up your statements with something like, “Mac OSX is little better.”
    REALLY? Even Windows users now openly admit that practically any version of Mac OS will be more secure and better for privacy than Windows 10. And if you’re going to get a new computer, and have the choice between Windows 10 or Mac OS Sierra, it should be an easy choice for the non-biased consumer: Windows sucks, and Mac OS sucks a lot less.

    1. Hi Mac User,

      Sorry, but Macs send vast amounts of information back to Apple, too. And their increased security is mainly due to the fact that fewer people use Macs, so they are less of a target to hackers. If you are serious about security then you should use Linux.

    1. Hi lame,

      “Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.” Bruce Schneier.

  18. Great guide for anyone not willing to surrender just about everything to government eyes. And indeed, everyone should make an effort for their own privacy and we will all benefit from it. Keep up this good work!

      1. Hello Douglas Crawford, sorry for the late answer and Merry Christmas too 🙂

        I deactivated my anti-spam filter, added Peter Zaborszky to my contact lists and made some tests using the same browser and the same add-ons. It seems like I don’t receive an email if I input an address that is currently subscribed or that was subscribed (and then unsubscribed). I do receive an email if I input a completely new address, one that I never used to subscribe.

        I solved it by subscribing with a second email address, I got the link, then I unsubscribed from this second address. Then later I used both the first and the second address to try and get the ebook again, but this time I didn’t get the email at either of those two addresses, nor a confirmation of (re-)subscription for the second one.

        Sorry for my English, let me know if something is not clear or where I got it wrong 🙂

        1. Hi Francesco,

          I am sorry that you are experiencing problems. I have forwarded a copy of the email you should receive. I hope this solves the issue, but if not, then please let me know.

  19. >I therefore strongly recommend avoiding all companies and services based in the UK.

    When will we have the list of VPN providers that we must avoid?
    I do not know if my VPN provider is under the rules of the UK. This list will help us to make a better choice and will improve privacy.

    Thx for the ultimate-privacy-guide 2016 updated.

    1. Hi Jason,

      Ha ha! A little while. It was first published almost three years ago, but keeping it updated in this fast-moving world has proven to be a challenge. I have now given it a complete overhaul, and will try my best to keep it updated with the latest developments in the online privacy and security world.
