Following Edward Snowden’s disclosures in 2013 over how the United States National Security Agency (NSA) is effectively spying on every phone call, email, SMS message,
The good news is that there are some relatively simple measures that even non-experts can take to help combat the major threats an average person faces in regards to their privacy and security.
… And that is what this guide is for!
When we say that security and privacy on the internet are not easy, we mean it.
While the measures outlined in this guide will almost certainly lower your profile and increase your resistance to attacks, our adversaries are invariably very well-funded, have a long reach, and are technically highly competent. You should therefore never be complacent. ‘I use VPN and have installed a couple of Firefox plugins, so I can consider myself secure’ is not the right attitude. Nothing is completely secure, and adversaries are always looking for new ways to get what they want. While they can help lower your profile to would-be adversaries, help prevent blanket untargeted surveillance, and ward off opportunistic attacks, no measures in this article will prevent a specifically targeted attack. If a really determined thief, or the NSA, specifically wants your data, then nothing in this guide (and very possible nothing at all) will stop them.
This guide is intended for beginners, and we will try to explain the threats, suggest ways to combat them, and discuss the shortcomings of these in as clear and non-techy a way as possible. However, there is no getting away from the fact that some of the concepts discussed here are complex, and therefore require complex solutions, no matter how partial these may be. Unfortunately, even fairly basic internet security is likely to be beyond the technical ability of your grandmother…
Threats and adversaries
The main threats to security and privacy this guide will deal with are:
Criminals - these include WiFi hackers, phishers, malware merchants, account hackers, and other low-lives who mainly want to steal your bank account details
Government surveillance - it seems that just about every government is mad-keen on spying on absolutely everything every one of its (and everyone else’s) citizens are up to on the internet
Advertising - in their drive to deliver ever more highly targeted advertising so they can sell more stuff, companies track users and website visitors across the internet in order to learn their interests, spending habits, who they associate with (and their interests, spending habits, etc.). This represents one of the biggest threats to privacy faced by the modern internet user.
On using this guide
In order to make this guide as beginner-friendly as possible, we have had to make a number of design decisions, which we feel it would be helpful to explain before we begin.
- The guide is structured around how to tackle the three threats outlined in the grey box, plus a ‘basic security measures’ and ‘other considerations’ section.
- These categories are, of course, somewhat arbitrary and artificial, and advice for one can also apply to others. In these
situationswe will link back to the original comments, plus expand on how they are useful in the situation being discussed.
- Many problems have a variety of possible solutions - usually each with its own strengths and weaknesses. In order to keep things as simple as possible, we will make concrete recommendations, but please be aware that in almost every case other options exist, and that other people may prefer these for a variety of very good reasons. Our Ultimate Privacy Guide discusses options in more detail, so if you are interested in finding out more, then please consult that
- As this guide is targeted at beginners, we will limit suggestions to Microsoft Windows, Apple Mac OSX, and Android platforms. While iOS devices (iPhones and iPads) are very popular, the closed Apple ecosystem makes it impossible to achieve any meaningful level of security or privacy when using them, although when good options are available we will mention them. If you want more information about a VPN for Mac, see our best VPN for Mac guide.
Pitching the level and tone right for ‘beginners’ is inevitability tricky, so let us make it clear that what we are not aiming for is to provide a ‘simple’ or ‘dumbed down’ guide, which we feel could be potentially dangerous for our readers, and cannot hope to do justice to the task at hand. Our aim is to instead to provide a guide which explains the basics of core security concepts in as easy to understand terms as possible, while at the same time offering some practical advice.
Hopefully, by introducing these complex concepts in an approachable way, the guide will provide a basic platform upon which you can further develop your understanding of this difficult but vitally important subject.
Some word on open source software
Most software is written and developed by commercial companies. Understandably, these companies are keen not to have others steal their hard work or trade secrets, so they hide the code away from prying eyes using encryption. As we say, this is all quite understandable, but when it comes to security it presents a major problem. If no-one can ‘see’ the details of what a program does, how can we know that it is not doing something malicious?
The best answer to this problem lies in ‘open source’ software - community developed software, where the code is freely available for other programmers to look at, modify, or use for their own purposes.
While far from a perfect solution to the above problem (many open source programs are extremely complex, and the number of programmers with the time and expertise to properly audit the software (usually for free) is extremely limited), the fact that other programmers can examine the code to check nothing untoward is going on is the only guarantee we have that a program is ‘safe’. Unfortunately, because open source software is usually developed by enthusiasts in their spare time, it is often much less user-friendly than its commercial rivals, which leaves us in something of a quandary when writing this beginners guide.
At BestVPN we invariably and strongly recommend using open-source software whenever possible, but we also concede that it is often better for someone to use a commercial security product than none at all, due to their inability to get to grips with the open-source alternative.
There are therefore times when we will recommend both open source and commercial (‘closed source’) options. If you opt for the closed source alternative then we ask that you be aware of the security implications this brings (i.e. that you are trusting your security to that commercial company,) and always advise giving the open source option a try first.
On a related note, we strongly recommend using the Firefox web browser by the Mozilla Foundation, both because it is the only fully-featured mainstream browser to be open source, but also because it accepts a huge range of plugins that can improve your internet security. Microsoft Internet Explorer is notoriously insecure, and both it and Google Chrome track your internet usage for commercial purposes (something this guide is specifically about trying to prevent).
We should also note that Firefox has somewhat controversially introduced limited non-invasive advertising to its ‘new tab’ page. This can/should be turned off by clicking on the ‘gear’ settings icon on the top right of the page, and deselecting ‘Include suggested sites’ under the ‘Show your top sites’ option.
When you were a kid you almost certainly played a simple game in which you created a ‘secret message’ by substituting one letter of the message with another, chosen according to a formula picked by you (for example substituting each letter of the original message with one three letters behind it in the alphabet). If anyone else knew what this formula was, or were able to somehow work it out, then they would be able to read the ‘secret message’.
In cryptography jargon, what you were doing was ‘encrypting’ the message (data) according to a very simple mathematical algorithm, which cryptographers refer to as a ‘cipher.’ Anyone who knows the exact algorithm used to decrypt the message is said to have the ‘key’. This is a slightly simplified explanation but is close enough to understand the central ideas without unhelpfully confusing matters. If someone wants to read the message but does not have the key, then they must try to ‘crack’ the cipher. When the cipher is a simple letter substitution, then ‘cracking’ it is easy, but the encryption can be made more secure by making the mathematical algorithm (the cipher) used more complex, for example by also substituting every third letter of the message with a number corresponding to the letter.
Modern ciphers use very complex algorithms, and even with the help of supercomputers are very difficult (if not impossible for all practical purposes) to crack. If you are interested in finding out just how difficult, we have crunched some numbers here.
Encryption is the one thing that prevents just anyone from being able to read (or track you through etc.) your digital
Once you have digested the above information, another important concept to understand is ‘end-to-end’ encryption. This basically boils down to who is doing the encrypting and decrypting. Many programs and services offer/promise to encrypt your data, but unless you are encrypting your own data on your own computer, which can then only be decrypted by the intended recipient on their computer (
This should (hopefully) mean that any outside attacker will be unable to access the file. However… since it is Dropbox that encrypts your file, it is Dropbox who holds the key to it. This means that Dropbox can access your file whenever it wants to (and turn it over to the authorities if required to do so). In fact, it is safe to assume that any file uploaded to Dropbox (and similar non-end-to-end encrypted cloud service) is not only actively monitored by
A further kink here is that many commercial products and services proudly advertise that they offer ‘end-to-end encryption’, but we have only their word for what is going on (so they could
Before we consider the three main adversaries that threaten your privacy, we need to cover the basics. These are the things that you should never even think about going online without considering/implementing, and which present the greatest risks to your privacy and security. Paying attention to the basics is
The single most important thing that anyone can do improve their online security is to improve the strength of their passwords. Although weak passwords (or not changing default passwords) are an absolute gift to criminals and any others who wish to access your data, their use is so common as to be almost laughable.
‘123456’ and ‘password’ consistently remain the most commonly used passwords, while a list of 100 or so passwords are so popular that any hacker will simply type them in before first trying something else.
In addition to weak passwords, common password mistakes regularly exploited by hackers are:
- Using the same password across multiple websites and accounts - if a hacker can obtain your password from any one of these, then he or she has a golden key to all your other accounts that use the same password
- Using easily guessed passwords - a variation on the ‘standard’ weak password problem, but using pet or family names, hobby related names, and other personal details can make it trivially easy for an adversary to guess passwords with only minimal research (this kind of information is often plastered all over places such as Facebook, for all the world to see).
A strong password involves a long string of random characters, including a mix of numerals, mixed caps, and symbols. Of course, memorizing just one such password is far too much for most of us, let alone one for each important account!
In our Ultimate
The practical solution to deploying genuinely strong passwords, however, is to employ technology in the form of a ‘password manager’. These programs (and apps) generate strong passwords, encrypt them all, and hide them behind a single password(which should be memorable, but also as unique as you can choose.) Helpfully, they usually integrate into your browser and sync across your various devices (laptop,
is a free open source password manager available on most platforms. The basic program is simple enough to use, but for syncing across devices, files must be stored using a cloud service such as Dropbox.
Browser integration is available through the PassIFox Firefox plugin. We have guides to using KeePass in Windows and on Android devices.
Sticky Password is a good cross-platform commercial solution which is easier to use than KeePass, but which uses closed code.
This advice is now so obvious and so old that we will not waste too much digital ink on it here. Viruses can really screw up your system and introduce all sorts of security nightmares (such as keyloggers that record your every key press and send these back to whoever is listening), so when it comes to using and updating antivirus software - just do it!
The basic antivirus software that ships with all modern versions of Windows and OSX is pretty good these days. ClamWin (Windows) and ClamXav (Mac) are open source alternatives, but neither are as good as their commercial rivals.
Although it is not open source, Malwarebytes Free for Windows provides very
There are no open source antivirus apps for Android, but we think the practical benefits of using the free Malwarebytes Anti-Malware app outweigh any ‘closed source’ concerns.
A personal firewall monitors internet traffic entering (and sometimes leaving) your computer, blocking or flagging up traffic it does not recognize or it considers may be harmful.
Both Windows and Mac OSX come with built-in firewalls, although these only monitor incoming traffic (and are thus referred to as ‘one-way’ firewalls). They do, however, provide a great deal of protection while also being fairly transparent in operation, which is a lot more than can be said for most third party ‘two-way’ alternatives. These can be a pain to
In Windows - go to Control Panel -> Windows Firewall -> Turn Windows Firewall on or off
In Mac OSX - go to System Preferences -> Security -> Firewall tab
Again, we feel this is a well-covered topic that basically requires using common sense, and therefore
For brevity’s sake, the rest of this section will focus on Facebook, as it is the world’s most popular social network, as well as being among the worst in terms of privacy violation. Do please note, however, that almost all the points made here apply equally well to all other social networks (such as Twitter, LinkedIn, Google Plus+, and so on.)
What is wrong with Facebook?
Facebook’s business model is simple - it finds out everything it can about you, not just from what you do while logged into the Facebook webpage - what you Like, who you talk to, what groups you belong to, what adverts you click on, etc. - but will also tracks you across the internet to find out what purchases you make, what websites you visit, etc., etc.
If you have the Facebook app installed on your mobile phone then the situation is even worse, as Facebook uses the phone’s built-in geo-tracking features to follow you every physical move (and proposals are even afoot to use your phone’s microphone to listen in on your surroundings!)
Facebook then uses this vast treasure-trove of personal information it has gathered to build up a detailed and scarily accurate profile of
So what can you do about it?
The best answer to this is, obviously, to delete your Facebook account, although you should bear in mind that even if you do this, Facebook will retain every post, photo, and
More realistically for most of us, Facebook is popular for good reasons - it is where we chat, share photos and otherwise interact with our friends. It plays a central role in
- Nail down your privacy settings - Facebook has introduced ‘Privacy Basics’, supposedly to make managing your privacy settings easier. However, it has a nasty habit of changing its privacy settings without notifying users, so it is worth checking back every now and again to make sure they are as tight as you want them. Remember - Facebook is not your friend, and
itsbusiness model relies on abusing your privacy
- Don’t overshare - not only is everything you say, every photo you post, every post you ‘Like’ etc., viewable by all your ‘Friends’, but it is also used by Facebook to a profile you, cannot be deleted or
retracted,and can be accessed by the police (and the NSA). If you must post on Facebook, at least use the ‘Message’ or ‘ ‘Who should see this?’ features to target the actual friends you want to see the message (etc.)
- Isolate Facebook - Facebook does not just monitor everything you do on its website, but it tracks you across the web. We discuss general anti-tracking measures in more detail later in this guide, but the most effective thing you can do is to
logoutof Facebook each time you finish a session with it (simply closing your Facebook tab is not enough).
If you keep forgetting to do this, then consider running Facebook in its own browser which you use exclusively for accessing Facebook, as Facebook cannot track what you do in a completely separate browser.
If isolation is important on the desktop, it is ten times more so on your phone! As we have noted, the Facebook app has real-time access to your physical location - it can also access all your text messages, contacts, photos, calendar entries, and more! Basically, if you
You can continue to access Facebook through your device’s browser (remembering the advice given for desktop browsers above), or through the TinFoil for
Cyber-criminals are basically after one thing - your passwords and bank or credit card details. The two most common ways they use to get these can also be most effectively countered using the basic internet security measures already discussed in chapter 2. In this chapter, we’ll describe the most common cyber threats and what measures you can take to protect yourself.
While some viruses and other malware seem to have no real purpose other than to make our lives miserable, the most dangerous ones try to steal information and send it back to the hacker who created them (or more likely modified them - ‘off the shelf’ white label viruses are readily available on hacker community forums).
Malware was by far the biggest cyber threat in 2015
While many kinds of viruses exist, one of the most common, dangerous, and illustrative dangers that viruses
Up-to-date anti-virus software is
GlassWire is a beautifully designed two-way firewall with an easy-to-use interface, that shows you which programs and apps are using your internet connection, who is using your Wifi or Network at any given time and if anyone is using your webcam or microphone to spy on you.
Other common sense advice such as not opening email attachments from unknown sources and clicking on webpage popups is also good. One of the most dangerous
Of course, doing any such thing will
If in doubt, close all programs, restart your computer, and then run your antivirus software.
Another common tactic used
Using strong passwords (and a different one for each important account) is the most effective counter to this form of attack, although two-factor authentication provides additional protection, and should be turned on when available (which
Two Factor Authentication (2FA)
Most online accounts are protected by one-factor authentication, i.e. your password (it is assumed that potential hackers already have your username, so this doesn’t count). 2FA provides extra security by requiring a second proof of your identity. The typical formula is:
- Something you know (e.g. your password)
- Something you have.
This ‘Something you have’ is most commonly your phone (where a company such as Google will text a code to your registered phone number), but can also be a USB key or other physical way of proving your identity.
Public WiFi hotspots
Using a VPN service is one of the best things you can do to improve your general internet security and privacy, and should be considered a must whenever you connect to a public WiFi hotspot.
Exploiting public WiFi hotspots (including those in cafés and airport lounges etc.) is a favorite tactic of hackers, made all the more dangerous by the fact that many devices will automatically connect to unknown open hotspots unless this ‘feature’ is turned off in the devices’ settings.
- Fake hotspots - almost any internet enabled device can be easily turned into a WiFi hotspot (most phones have this as a feature, allowing users to ‘tether’ their laptops etc. when no other internet connection is available). It is a common tactic for crooks to hang around areas where public WiFi is
available,and set up a ‘fake’ hotspot’ that masquerades as legitimate soundingones with names such as ‘Free airport internet,’ in order to lure people into connecting to them. Once you connect to a bogus WiFi network, the owner of the hotspot can spy on all your internet traffic, collecting passwords and other valuable or damaging information.
- Wireless packet sniffing - to access the internet using a WiFi hotspot, your phone connects to a public router using radio waves. This connection is normally
secured,so that any data transmitted is encrypted (which is why this problem rarely occurs on home networks). However, either to make life easier (no passwords required,) or due to lack of technical understanding, it is not uncommon for WiFi networks to have this encryption turned off, making it easy for anyone with a WiFi enableddevice and the correct software (known as packet sniffing’ software) to intercept and ‘read’ your WiFi data.
Using VPN defeats pretty much all forms of public WiFi attack by connecting your computer (including your mobile phone or tablet) to another computer located elsewhere (referred to as a VPN server) using an encrypted connection (often referred to as a VPN tunnel).
Data passing between the two computers is encrypted, so anyone intercepting it between your computer and the VPN server will only be able to ‘see’ useless junk data (unless they are somehow able to decrypt it, which even if using very weak encryption by today’s standards, is unlikely to the point of being impossible for ordinary criminal hackers).
Therefore, even if you do accidentally connect to a fake hotspot, your data is safe.
Free VPN services do exist, although we do not generally recommend them because this begs the question of how a provider can afford to run (never make mind make a profit out of) what is an expensive service to provide, if they do not charge for it (the answer usually involves by selling your privacy to the highest bidder). However, if you simply want occasional protection while checking your email and surfing the internet in public, then offers a great free service, which it funds transparently through its commercial offering.
As we discuss throughout this Guide, using VPN religiously is one of the most effective things you can do to help protect your security and privacy (and honestly, we are not saying this just because we are a VPN review company). We therefore strongly suggest that you lay down the price of a beer or two it costs each month to purchase a good no logs VPN service (which we will discuss in greater detail in the next chapter).
Thanks to Edward Snowden, the public is now much more fully aware of the extent to which our governments are spying on just about everything everybody does online, and thanks to
It should be understood, however, that even within the US, other government agencies such as the FBI and CIA are also spying on their own citizens, and that in many other countries, governments are performing similar blanket surveillance of their own citizens. Furthermore, organizations such as the NSA and its Five Eyes spying partners (most notably its UK sidekick GCHQ), have such power, global reach, and hubris, that their powers of
Against such an adversary an individual stands no chance of protecting their privacy if targeted (let alone anyone who is using this beginner’s guide!) However, there are things you can do to lower your profile, prevent all your data and everything you do online being hovered up, and generally make life difficult for the NSA*.)
*For brevity’s sake we will often refer in this guide to ‘the NSA’, but please understand this to generally be shorthand referring to all forms of surveillance by a ‘global’ adversary, including GCHQ, the FSK (formerly the KGB), Mossad, or even the mafia.
Users in repressive countries
The focus of this chapter is on how to prevent blanket surveillance from a global adversary such as the NSA, and even most governments, who have diplomatic relations with most other countries, and can request data, ask for cooperation and issue warrants that other countries will respect. Among those who need privacy the most, however, are those in
A bigger problem comes from the fact that privacy technologies such as VPN and Tor are usually detectable by a user’s ISP (or government). Throughout most of the world using such technologies is perfectly legal (in fact banking and other businesses rely on them), but in places where it is not, users should be careful, and try to understand the risks involved.
The key to defeating the NSA and its ilk is, as we discussed at the beginning of the guide, encryption. Although the NSA’s sustained attack on global encryption standards shocked many
‘Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.’
Edward Snowden confirms this view, observing that although encryption will not protect you from the NSA if you are a target, using it will foil the broad collection of data, and requires a targeted attack to disrupt.
The NSA collects 1,826 petabytes of data every day, which comes down to 2.1 million gigabytes per hour. This includes phone calls, e-mails, social media posts, private messages and internet activities.
The catch-22, however, is that using encryption is more likely to make you a target. When the NSA collects encrypted data that it cannot decrypt (or which it would find too
However… a lot of people use encryption (and many businesses rely on it in order to operate effectively,) and if the encryption is strong, then decrypting it will be an expensive and
Therefore, the more people who use encryption on a regular basis, the more safe everyone is, as users who encrypt will stand out less, and the NSA will have to waste huge resources decrypting millions of Game of Thrones downloads! We
It is also worth remembering that it is only the NSA (and possibly its partners) that even potentially has the ability to crack good
Breaking encryption protocols requires brainy employees. That explains why the NSA is widely thought to be the world’s largest single employer of mathematicians.
We have looked at
As long as the encryption remains secure (we will discuss this a little more in at the end of this chapter,) then all data between your computer and the VPN server is safe from prying eyes. This includes from your ISP or anyone else such as the NSA who might be trying to intercept it.
It also means that your ‘real’ internet (IP) address is hidden from anyone trying to identify you from the internet, as your traffic will appear to come from the IP address of the VPN server, rather than your own computer.
If you think about this for a minute, it should become clear that this setup has two key points of weakness:
- Your computer - if an adversary knows who you are, then they can raid your house to take away your computer, or can secretly install ‘bugs’ such as software or hardware keyloggers to monitor what you get up to. Encrypting your data (see later) may provide some protection in the event of your disks (or phone) being seized, but basically, if you have been targeted in this way then you are in deep trouble. On the other hand, any such attack does mean that you have been specifically identified as being of interest to an adversary who is willing to spend considerable time and resources monitoring you…
- The VPN server /provider - which is of more practical concern to most of us. A VPN provider can monitor all traffic that goes through its
servers,and can connect internet activity with an individual. Since it can do this, it can be forced to hand over any records it has to an adversary (usually this means complying with a legally binding court order or subpoena, but other methods, including blackmail and tortureare not impossible if the stakes are high enough). In order to address this problem, more privacy-minded VPN providers promise to keep no logs, because if no logs exist then it is simply impossible to hand them over, no matter how strong the compulsion.
While many providers promise to protect users’ privacy, such promises are not worth the digital ink they are printed on if they keep logs. No matter what they say, no VPN provider’s staff will go to jail (or ruin their business) to protect a customer. If the data exists, any VPN provider can be compelled to hand it over. Period.
If you want to use
Choosing a VPN provider
74% of Americans say it is “very important” to them that they be in control of who can get information about them, and 65% say it is “very important” to them to control what information is collected about them.
It should also be understood that even when a provider keeps no logs, it can monitor users’ internet activity in real-time (this is essential for troubleshooting etc. – all the more so when no logs are kept).
Most no logs providers promise not to monitor users’ activity in real-time (unless necessary for technical reasons), but most countries can legally demand a provider to start keeping logs on an individual (and issue a gag order to prevent the company alerting its customers about this). This is, however, a specifically targeted demand or request (which most providers will happily cooperate when it comes to catching pedophiles, for example), so only if you are a specific individual already identified by the authorities should you be concerned.
In addition to keeping no logs, any company that cares about protecting their users’ privacy also uses shared IPs. This means that many users are assigned the same internet (IP) address, so matching identified internet behavior with a specific individual is very difficult to do, even if a provider should wish (or is compelled) to do so. This goes a long way towards addressing the privacy issue outlined above.
What does ‘no logs’ actually mean – usage logs vs. connection logs
When many providers claim to keep no logs, what they really mean is that they keep no (what we term) ‘usage logs’. They do however keep ‘connection logs’
- Usage logs – details of what you get up to on the internet, such as which websites you visit etc. These are the most important (and potentially damaging logs)
- Connection logs (also known as metadata logs) – many ‘no logs’ providers keep metadata about users’ connections, but not usage logs. Exactly what is logged varies by provider, but typically includes things like when you connected, how long for, how often etc. Providers usually justify this as necessary for dealing with technical issues and instances of abuse. In
generalwe are not too bothered by this level log keeping, but the truly paranoid should be aware that, at least in theory, such logs could be used to identify an individual with known internet behavior through an ‘end to end timing attack’.
Some providers claim to keep no logs of any kind, and it is these that are generally considered best for protecting privacy. It should be noted that some critics argue it is impossible to run a VPN service without keeping logs, and that those who claim to do so are being disingenuous. However, as mentioned above, with a VPN provider everything comes down to trust, and if a provider claims to keep no logs at all, we have to trust in its ability to run
86% of internet users in the US have taken steps online (such as using a VPN) to remove or mask their digital footprints.
Mandatory data retention
Something to be aware of when choosing a privacy-friendly VPN provider is where it is based (that is, under which country’s laws it operates). Many countries require communications companies to keep logs for a certain amount of time, which used to be particularly true of most European countries. Changes in EU law have muddied the picture, but countries such as the UK and France are moving in the opposite direction, and have widened their surveillance powers.
If a VPN provider is based in a country which requires it to keep logs, then it will do so, no matter what
For more information about VPN
Even when connected to a VPN it is sometimes possible for websites to detect your true IP address. There are a
When Using a VPN you should therefore always check for IP leaks by visiting ipleak.net. If you are connected to a VPN and you can see your true IP address (or even just your ISP’s name) anywhere on this page then you have an IP leak. Note that ipleak.net does not detect IPv6 leaks, so to test for these you should visit test-ipv6.com (you should see ’No IPv6 address detected.’)
While VPN does rely on a certain level of trust, and can therefore never be considered anonymous,
It also has the side-benefits of protecting P2P downloaders from copyright enforcers, being great for evading censorship (as it is easy to select a VPN server located in a different country with more relaxed censorship laws), is great for ‘spoofing’ you geographic location (as you can choose to connect to a VPN server in another country), and of course, it protects you when using public WiFi.
The Tor anonymity network
The Tor anonymity project attempts to address the problem of trust by being constructed in such a way that you do not need to trust anybody.
The Tor project’s mission is to advance human rights and freedoms by creating and deploying free and open anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.
When you surf the internet using the Tor Browser (a modified version of Firefox,) you connect to a random ‘Tor node’ run by a volunteer, which then connects to another Tor node, which then connects to another Tor node (the chain is always at least three nodes long,) with the data being re-encrypted each time it passes through a node. The final Tor node in the chain is known as an ‘exit node’, and connects to the internet.
What this means is that while each node can ‘see’ the computers it is connected to (on either side of it if a ‘middle relay node’), no user can follow the entire path and associate internet activity with an individual (at least in theory.)
The main downsides are that it is slow, is not suitable for ‘torrenting’ (for various reasons), apparent geolocation is random, and that, because the list of public ‘exit nodes’ is openly published, they are easy for governments and banks etc. to blacklist (new ones open all the time, so with persistence you can keep on reconnecting until you find an unblocked exit node, but this can be a real pain).
Successful closures of illegal ‘hidden’ Tor markets such as the Silk Road 2.0 (accompanied by some arrests) have led to concerns that Tor is no longer secure, but the general consensus is that the core Tor structure remains
If anonymity is absolutely critical for you, though, you might want to investigate connecting to a no logs VPN (paid for using anonymously mixed Bitcoins) through Tor, for additional security. This is well beyond the scope of this guide, but if the subject interest you then we suggest checking out this article.
Unless you need true anonymity, then VPN is much faster and more generally useful than Tor. If you do need anonymity then download and use the Tor Browser, but please do read through the documentation to understand Tor’s limitations and potential dangers before trusting your life or freedom to it.
Tor also makes a very handy free anti-censorship tool if the exit nodes are not blocked. The Tor Browser is available for Windows, OSX Mac, and Android.
While VPN and Tor are very good at protecting your data while it is in transit, if you are serious about security then you will also want to protect it while stored. The main places that data is usually stored are:
- Local drives - these days this generally means computer hard disks (both internet and external), solid state drives (SSDs), and USB ‘thumb’ drives
- Cloud storage (such as Dropbox, Google Drive, or iCloud)
- Smartphones and other mobile devices (plus any external SD memory cards plugged into these)
The different types of local drive are all treated more or less identically by your desktop operating system.
AES Crypt is a free and open source program that integrates with your OS, providing simple file encryption for individual files using the right-click menu button (Windows,) or drag and drop (Mac OSX.) File decryption is performed by simply double-clicking the encrypted .aes file, and entering the password you supplied when creating it. Folders can be encrypted by turning them into zip files first.
VeraCrypt - is the successor to TrueCrypt (which has now been fully independently audited and given the thumbs up). With this FOSS program you can:
- Create a virtual encrypted disk (volume) which you can mount and use just like a real disk (and which can be made into a Hidden Volume)
- Encrypt an entire partition or storage device (e.g. a hard drive or USB stick)
- Create a partition or storage drive containing an entire operating system (which can be hidden)
All encryption is performed on-the-fly in real-time, making VeraCrypt transparent in operation. Hidden Volumes creates a second encrypted volume inside the first, which it is impossible to prove exists (even if its existence is suspected.)
In situations where the rule of law applies this is great, as it provides “plausible deniability” (as it is impossible to prove encrypted data exists,) but this feature could be a liability in situations where you might be tortured or imprisoned based on a belief that you are concealing data (as it is equally impossible to prove a hidden volume does not exist!)
A workaround to this problem is to create a second hidden volume even if you do not need it, which you can reveal if need be in order to demonstrate that you are not hiding anything. We have a guide to using VeraCrypt here.
In addition to storing our data in the traditional way (for example on local drives and disks etc.), we are increasingly backing up and sharing data using ‘the cloud.’
The problem is that data stored ‘in the cloud’ is actually simply stored at huge server farms (banks of hard disks attached to computers) run by large tech firms. Although this data is usually encrypted for transfer and storage, it is the tech company doing the encrypting, so it (and by extension law enforcement and the NSA) can readily decrypt and access your data.
If you wish to properly secure data stored in the cloud then you need to use end-to-end encryption, and there are two ways of going about this:
- Encrypt it yourself using VeracCrypt - If you store the VeraCrypt container in your ‘cloud folder’, then you can mount it and sync data across all your devices. The beauty of this approach is that it allows you to use your favorite low cost(but non-secure) cloud provider in a secure way. Android users can open and sync VeraCrypt containers using the (only partially open source ) EDS app.
- Use a secure ‘end-to-end’ cloud service - an arguably easier alternative is to use a cloud service specifically designed for security. Unfortunately, the only completely open source solution, Cyphertite, recently shut down. This leaves proprietary solutions such as SpiderOak and Wuala, with Wuala with probably being the most secure and the best
all-roundclosed source option available.
After a couple of false starts, Google has followed Apple in announcing that new Android (Marshmallow) devices will be encrypted by default. As with Apple’s iOS 8 & 9 encryption, this encryption (and decryption) is performed on your phone (that is, it is ‘client-side’,) with only you, the user, keeping the encryption keys.
This means that Google and Apple cannot decrypt your data, even if legally required to do so (something that has caused law enforcement authorities a great deal of alarm.)
This is a great move by these
According to a recent study by Backblaze.com, 39% of internet users back up their data once a year, 19% back up monthly and 8% even back up every day
Now, iOS is most definitely not open source, but Android (technically) is, and Google has gone with using open source
You should be aware, however, that this is basically a one-way process (although you can factory reset your phone to remove if
We discuss the pros and cons of encrypting your Android phone, plus have a detailed guide to actually doing it, here.
One of the most useful things services such as Dropbox, Google Drive, iCloud, and Microsoft SkyDrive, etc. do is to automatically backup photos to ‘the cloud.’ As last year’s ‘celebrity nudes’ scandal amply demonstrates, however, this is wildly insecure for a whole range of reasons (not least that Dropbox et. al. have complete access to your private pics).
Advanced Android users might be able to figure out how to combine VeraCrypt folders and Dropscync to securely backup their photos to the cloud*, but most users should just turn off cloud photo backup. If this is a feature that you really cannot live without, then at least use a more secure backup service (such as SpiderOak.)
*(By creating a VeraCrypt volume inside the Dropbox folder, and using a photo app that allows snaps to be saved to a custom folder on the mounted VeraCrypt volume.)
A note on encryption strength
Because this is a beginners guide, we have opted not to dwell on how good the encryption used by the various programs, apps, and services discussed is. For all intents and purposes, any form of modern encryption will defeat just about any attempt to crack it by most adversaries (including most national police forces).
However, when we are considering an adversary such as the NSA, all bets are off. The NSA has spent the last 15 years systematically trying to crack existing encryption standards and subvert or weaken new ones, and no-one is really sure of exactly what it is cable of. It goes without saying that closed source proprietary encryption should never be trusted, but experts do generally agree that good open encryption standards still give even the NSA headaches.
256-bit AES (AES-256) encryption is generally considered the gold standard these
It is critical to understand that smartphones are not secure (and even ‘dumb’ phones give away a huge amount of information about us):
- All traditional phone conversations, SMS messages
andMMS messages can (and most likely are) monitored and stored by your phone provider, and will be handed over to the police etc.,if requested
- Your phone provider can (and almost certainly does) track your physical location to a scary degree of accuracy, and logs of this can be used to provide police etc. with detailed information on your physical movements
- iOS feeds a lot of information back to Apple through its various apps. Android does as well, but this can be largely prevented by avoiding Google apps (Gmail, Calendar, Play Store etc.)
- Third party apps (arguably even most of them) typically access far more information than they require to do their
job,and send this information back to their parent company (apps typically access GPS data, contact lists, photos, and more).
So what can I do about it?
The most important thing you can do (assuming you are not prepared to just ditch your phone) is to realize that your phone is not
- Probably the best tactic is a degree of self-censorship, and blending into the background by using understood code words during conversations to convey meanings which the person you are talking to understands, but which sounds like idle chatter to any automated monitoring systems (and which provide plausible deniability if an actual person should take too much interest).
- A more high-tech solution (but note our comments on ‘Catch-22’ above) is to use encrypted VoIP (Voice over
Internet) instead of talking on the phone, and encrypted chat instead of messaging using SMS.
When it comes to being physically tracked,
You might think that simply turning off your phone when you want privacy would solve this problem, but
If the user has been deliberately targeted by malware (for example by the NSA), this means they can continue to be tracked, and it is even possible for the microphone to be used as an eavesdropping tool in this state.
- If you don’t want to be tracked then leave your phone at home
- If your phone has a removable battery, then taking it out should work instead
- You can put your phone inside a Faraday Cage, which prevents all electronic communication into and out of the ‘cage’. Faraday cages for phones are commercially available, although we cannot vouch for how effective they are.
Email is very
Signal - this free and open source app (Android and iOS,) replaces your default text app with one that encrypts texts to other Signal users (or can send
Jitsi (Windows, OSX, Android (experimental)) - we also recommend avoiding proprietary video chat apps such as Skype (which is owned by Microsoft and probably hands over information to the NSA.) Jitsi is free and open source software that offers all the functionality of Skype, including voice calls, video conferencing, file transfer and Chat, but which encrypts it all. The first time you connect to someone it can take a minute or two to set up the encrypted connection (designated by a padlock), but it is
Although it is in some ways less directed than government spying, advertising represents arguably the single largest threat to our privacy today. Not only do the likes of Google and Facebook scan all your emails, messages, posts, Likes/+1’s, geolocation check-ins, searches made, etc. in order to build up a scarily accurate picture of you (including your ‘personality type’, political views, sexual preferences, and most importantly all, of course, what you like to buy!), but they and a host of smaller advertising and analytics companies use a variety of deeply underhand technologies to uniquely identify you and track you across websites as you surf the internet.
Protect your browser
We have articles here and here explaining in detail some of the ways that advertisers exploit features of your browser so that they can identify and track you across the internet (something they do in order to
The important takeaway is that unless you take measures to protect your browser, you can and will be tracked by websites you visit (and which pass this information on to advertising analytics companies.
As noted near the beginning of this Guide, we strongly recommend using Mozilla Firefox,
Aside from being open source and made by an independent, non-profit, privacy-minded organization, Firefox allows you to increase its functionality using a huge variety of independently developed free add-ons (also slightly confusingly referred to as extensions). To install them, simply click the ‘+ Add to Firefox button.’
We discuss our favorite privacy enhancing Firefox add-ons in this article, but the most important ones you should install are:
HTTPS Everywhere – an essential tool, HTTPS
Everywhere was developed by the Electronic Frontier
The brave among you might also want to consider trying:
We also recommend that Android users ditch Chrome or the built-in Android browser, and use
It is possible to disable cookies entirely (see ‘private browsing’), but because this breaks many websites we generally recommend only disabling
If you want to improve your Firefox security
One thing that none of these measures can prevent is browser fingerprinting, but as there is no very practical solution to this problem (at least for now), we will just ignore it. The CanvasBlocker Firefox Add-on, however, can be quite effective against Canvas Fingerprinting.
Choose the right search engine
As we note above, Google, Microsoft, Apple etc. all make money from knowing as much as they can about you, so simply handing over every internet search you make to them is utterly bonkers! But fear not, there are alternatives out there that respect your privacy.
Change your default search engine to a more
DuckDuckGo - the more polished of the two offering presented here, DuckDuckGo anonymizes your searches and promises not to collect data on users. Results are pulled from the Bing! Search engine by default, but ‘bangs’ can be used to make sophisticated anonymous searches using any search engine. The fact that DuckDuckGo is a US company and uses largely closed code does worry some, however.
Start Page - is based in Europe and complies with European privacy laws, and returns anonymous Google results. Start Page is generally considered better for privacy than
To change the default search engine in desktop versions of Firefox, click
In Firefox for Android: Visit DuckDuckGo or StartPage ->Long-Press inside the search bar until ‘add search’ icon appears -> Click ‘add search’ icon and once the search has been added, tick icon to the left -> Go to Menu/ Settings/ Customize/ Search/ Select your chosen search engine/ Set as default.
Secure your Email
There are three main problems with email:
- It is a 20+ (depending on how you count these things) year old technology that was never built to be secure. Emails sent in ‘plaintext’ (i.e. normal emails) are unencrypted and can be read not just by your email provider, but (unless additional encryption is used) be readily intercepted by hackers at WiFi
hotspots,or anyone else who can otherwise gain access to your email account. Companies such as Google pioneered the use of encrypted SSL connections for email services, but…
- Most people these days use ‘free’ webmail services such as Gmail or Hotmail. These are very convenient, but we pay for them with our privacy, as Google et al. scan every email and use the information gleaned to deliver targeted advertising. As we also know, these tech companies are (or at least in the past have been) happy to let the NSA perform bulk surveillance on their customers’
emails,and to hand over the emails of specific users when requested.
- Convincing others to join in on your ‘paranoia’ - the only really ‘secure’ way to send emails is to use a technology called PGP (Pretty Good Privacy), but using this involves complex and difficult-to-grasp concepts, and is not easy to implement properly (the reason Edward Snowden approached Laura Poitras to release his documents was because experienced reporter Glen Greenwald was unable to get to grips with PGP).
Perhaps the biggest problem, though, is that even if you are willing
Use an email service that cares about privacy. Email should never be considered secure, but at least some services do not scan every email and use them to sell you stuff, and some may even put up some resistance to official demands for data. The services listed here are all promising, but do remember that no matter how secure these services, if you are sending an email to, or receiving one from, someone with a Gmail account (for example,) then Google will read it… Basically, never send any emails... period.
We found ProtonMail and Tutanota to be as easy to use
If you need to communicate or send files securely, use Signal or Jitsi (discussed under the Smartphones section of the last chapter.) This does, of course, requires convincing others to join you!
Protect your phone
This section is really a carry-on from the Smartphone notes in the previous chapter (where points 1 and 2 are covered). As we have already observed, smartphones are ridiculously insecure, and most of the information leaked is harvested by advertisers…
Android users can prevent a lot of information from being fed back to Google by migrating away from Google apps on their Android devices. Some suggested replacements for popular Google services and apps are:
- Gmail - K-9 Mail app + one of these webmail services (Aqua Mail is an easier to use commercial alternative to K9-Mail)
- Chrome/Android stock browser - Firefox with DuckDuckGo or StartPage set as the default search engine (settings -> Customise -> Search)
- Google Maps - MapQuest (not open source)
- Play store - AppBrain
- Hangouts - TextSecure
- Calendar - SolCalendar (not open source)
- Play Music - Subsonic (allows you to stream from your own computer)
It should, however, be noted that while cutting Google out of the Android experience is great in principle, in
Because this is a beginners guide, we have therefore assumed that most readers will not be willing to remove the Google Play Store (possibly the biggest spyware on your device!), which is why we link to apps in the Play Store for convenience.
If you do feel adventurous, then a good place to start is F-Droid, an alternative to the Play Store that only lists, installs, and updates open source apps.
Very determined users can instead root their device and install an alternative open source operating system (known as a ROM), such as CyanogenMod, which comes with all Google-branded apps removed (although they can be installed later by the user).
Using VPN masks your real IP from websites, and we have already discussed ways to try to minimize the damage caused by using social networks. The biggest threat to your privacy posed by advertisers, however, come from your apps
Apps have a very nasty tendency of grabbing as much information as they can - rifling through your contact list, emails, geolocation data, installed apps, and much more (why do so many apps need access to your camera?!!), most of it completely irrelevant to the purpose or function of the app.
The standard advice is to pay careful attention to the apps permissions, but this advice is largely useless because:
- It is usually not clear which of the broadly defined permission categories an app needs to operate
- Because those permissions are so broadly defined, even if it needs permission, it will likely exploit this to grab far more information than is required for it to work as advertised
- Since nearly all apps are to some extent at fault, the option of not installing an app because you are unhappy about the permissions it asks is largely unrealistic (you would not be able to install any app!)
- Even if an app’s permissions seem ok when you install it, it can fairly easily sneak in less good ones later.
As we have noted, this is one area where iOS users may be better served privacy-wise than Android users, as iOS users must consent whenever an app wishes to access a certain permission category. They also have access to the free MyPermissions app, which allows fine-grained control of which permissions to grant an app.
91% of US citizens agree or strongly agree that consumers have lost control of how personal information is collected and used by companies.
This kind of fine-grained control is possible with Android, but usually only if the device is rooted (and will ‘break’ many apps). Rooting an Android device does, however, bring a raft of new security problems, as it can give malware unrestricted access to the device’s core workings.
An exception to this is the latest version of Android, 6.0 Marshmallow, which goes a long way towards addressing the problem by giving users fine-grained per-app control over permissions, without the need for root access. At the time of writing, however, the vast majority of Android devices not use Marshmallow.
The long and the short of all this is that
The following issues fall somewhat awkwardly outside the structure of this
Some websites have taken measure to secure their sites using SSL encryption (for our purposes this also refers to the more modern TLSencryption). You can tell these from insecure unencrypted websites by the fact that their web address starts with ‘https://’ and when you visit them you will see a closed padlock to the left of the URL (no matter which browser you are using)
When you are connected to an SSL protected website, outside observers can see that you are connected to the website’s external web address, but cannot see what internal pages you visit or anything else that you do on that website.
Because your connection to the website is encrypted using SSL, you should be safe against most adversaries, even if using a public WiFi hotspot. The fact that many websites do not employ SSL is, in our opinion, disgraceful.
It should be noted, however, that it seems that the NSA can intercept SSL connections.
The entertainment industry is with ever more success putting pressure on ISPs to take measures against customers who download copyrighted
A big problem with BitTorrent is that it is a peer-to-peer (P2P) file sharing network - this is great for decentralized distribution of content, but terrible for privacy, as every person who is sharing a file can see the IP address of every other person who is sharing the same file. This makes it very easy for copyright holders to identify the IP addresses of offenders, and collect them as evidence of wrongdoing.
The simple solution (again!) is to use a VPN for torrenting (many, but not all, do). This both hides your internet activity from your ISP (as your internet activity is encrypted) and hides your real IP address from other downloaders (who will see only the IP address of the VPN server.)
As always, choosing a provider that keeps no logs is a great idea, as it cannot hand over what it does not have.
Pretty near all modern browsers offer a ‘private’ or ‘incognito’ mode. Often referred to as ‘porn mode’,
You should be aware, however, that private mode does little to hide what you get up to on the internet from an outside observer. For
Privacy advocates often recommend the use of private mode browsing all the time, as it also disables cookies and flash cookies. This is good for privacy, but can ‘break’ many websites which rely on cookies to
Give using private mode all the time a try, and see if it works for you. In Firefox,
Whew! We did say at the beginning that maintaining privacy and security on the internet was not easy! However, if you have read through this guide then you should have a good idea of not only the scale of the challenge we face, but the necessity of rising to meet that challenge - not just for our own sake, but as part of a united effort make the internet the free, open and democratic hub of innovation and exchange ideas that it has the potential to be.
By following the advice in the guide, by thinking about the issues raised, and then acting appropriately, we cannot guarantee our privacy or security on the internet, but we can greatly improve it, and make the lives of those who threaten these basic human and civil rights much more difficult.
TL: DR recommendations summary
- Use Firefox with
third partycookies disabled, and the uBlockOrigin and HTTPS Everywhere add-ons (or just NoScript)
- Use a no logs VPN service religiously (and check for IP leaks)
- Open source software is almost more trustworthy than closed source
- Use a password manager, and 2FA where possible
- Keep anti-virus software up-to-date
- Don’t overshare on Facebook (etc.), and
logoutwhen you have finished a session (or run in a separate browser). Uninstall the Facebook mobile app now!
- Encrypt files before storing in the cloud (or use a secure cloud storage provider)
- Never trust your phone, and leave it at home if don’t want to be tracked
- Turn off auto-backup of photos
- Use DuckDuckGo or Start Page instead of Google for web searches
- Use a
privacy orientedemail service, but never trust email for sensitive communications - use encrypted IM or VoIP instead.