Protecting Your Privacy Online
A starter guide to protecting your personal information from creepy tech companies.
Do you know who’s tracking you?
If you’re like most people, you use Google Chrome as your default browser, you use Google as your default search engine, and you don’t often think about online privacy much further than that. Why should huge tech companies make fortunes at the direct expense of their users’ privacy?
There are a lot of ways you can protect yourself and your privacy online, if you care enough to make the effort.
If you use Google Chrome as your default browser, the browser itself is spying on you. Google wants to collect your user data so badly, they won’t even let you use DuckDuckGo as your default search engine in most countries anymore.
Last week, it was uncovered that the browser setting in Chrome to clear site data and cookies on exit was exempting Google and YouTube from these requests. Reportedly, it was a bug, but as a software engineer who works daily with web technologies, I find it extremely hard to believe that it really was a bug, and not just a sneaky, unethical feature that Google got caught on.
If you value your privacy at all, I highly recommend you switch to Mozilla Firefox. Firefox is built with privacy in mind, and the browser code is open source. On top of that, Firefox has better performance than Google Chrome.
Please, stop using Google. Not only does Google track everything you search for and everything you click on in search results, but they also manipulate search results for their own gain and to suppress political opposition. Further, Google tracks what you do after you leave Google, too. Google trackers exist on 75% of the top million websites.
DuckDuckGo is a privacy-focused search engine that never tracks you, never collects or sells user data, and strives to provide unbiased results. DuckDuckGo also offers a browser extension and a mobile browser to help protect yourself everywhere on the web.
My advice: just delete your Facebook account. Facebook is one of the worst offenders, if not the worst offender. Same goes for any Facebook-owned companies, such as Instagram and WhatsApp.
In 2016, Facebook leaked millions of users’ private data to British consulting firm Cambridge Analytica without the users’ consent. This data was personally identifiable, and primarily used for targeted political advertising.
In 2019, Facebook ran a program to trick people into giving up all their data willingly by paying users to install a custom Facebook VPN app called Onavo, which allowed Facebook to just collect all meaningful data passing through the device, whether Facebook-related or not. This was a violation of Apple’s developer rules, so Onavo was quickly removed from the app store.
If you still aren’t ready to give up on Facebook, at least install the Facebook Container extension for Firefox, built by Mozilla. Facebook Container makes Facebook run inside a special sandboxed container, making it hard for Facebook to track you to external websites or use 3rd party cookies.
If you’re looking to take privacy more seriously, there are several browser extensions I use and recommend for blocking trackers, ads, and other malware. All of these extensions are available for both Chrome and Firefox. They’re also all open source, meaning anyone can view or submit patches for the code. Open source is generally considered good for security. In software development, Linus’s Law states:
Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.
Open source projects of sufficient size and traction have potentially thousands of contributors and testers actively working to find and resolve bugs and vulnerabilities.
DuckDuckGo Privacy Essentials
Tired of being tracked online? We can help. At DuckDuckGo, we believe online privacy should be simple.
- Blocks hidden trackers
- Enforces HTTPS encrypted connections where possible
- Gives each website a “Privacy Grade” (A-F) so you can see how protected you are at a glance
- Option to send standardized Global Privacy Control signal to websites you visit
- Open source
uBlock Origin is not an “ad blocker”, it’s a wide-spectrum content blocker with CPU and memory efficiency as a primary feature.
- Filters and blocks content based on block lists
- Lets you add popular community block lists
- Block specific elements on a page manually or automatically
- Open source
Privacy Badger automatically learns to block invisible trackers. Instead of keeping lists of what to block, Privacy Badger automatically discovers trackers based on their behavior.
- Sends standardized Global Privacy Control and Do Not Track signals to websites you visit
- Blocks scripts that do not respect the Global Privacy Control or Do Not Track signals
- Open source
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
- Attempts to upgrade insecure HTTP connections to secure HTTPS connections
- If HTTP→HTTPS upgrade is not possible, blocks the insecure HTTP connection by default
- Open source
This extension will automatically remove tracking elements from URLs to help protect your privacy when browsing the Internet.
- Automatically removes URL tracking parameters like Google Analytics parameters and Amazon tracking parameters
- Uses over 250 URL-matching rules to catch a huge set of trackers
- Open source
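The two extensions above, HTTPS Everywhere and the URL cleaner, both work by rewriting a request before the browser sends it. The following added example (my own illustration, not code from either extension) shows the core of both ideas in Python: drop query parameters that exist only for tracking, strip Amazon-style "ref=" path segments, and upgrade the scheme from http to https. The rule set here is a small constructed subset; the real extensions ship hundreds of rules.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed rule set (assumption; real extensions ship hundreds of rules).
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "yclid", "mc_eid", "_ga", "igshid",
}
TRACKING_PREFIXES = ("utm_",)  # utm_source, utm_medium, utm_campaign, ...

# Parameters that are tracking-only on specific hosts, keyed by host suffix.
HOST_PARAMS = {
    "amazon.com": {"tag", "ref", "ref_", "pd_rd_r", "pd_rd_w", "pd_rd_wg", "psc"},
}


def is_tracking_param(name: str, host: str) -> bool:
    """Return True if a query parameter name is a known tracker for this host."""
    lowered = name.lower()
    if lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES):
        return True
    for suffix, params in HOST_PARAMS.items():
        if (host == suffix or host.endswith("." + suffix)) and lowered in params:
            return True
    return False


def clean_url(url: str, upgrade_to_https: bool = True) -> str:
    """Remove tracking parameters and segments; optionally upgrade http -> https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Keep only the query parameters that are not trackers, preserving order.
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if not is_tracking_param(k, host)
    ]

    # Amazon encodes a referrer tag as a "/ref=..." path segment; drop it.
    path = parts.path
    if host == "amazon.com" or host.endswith(".amazon.com"):
        path = "/".join(seg for seg in path.split("/") if not seg.startswith("ref="))

    # The HTTPS Everywhere part: rewrite the scheme before the request is sent.
    scheme = parts.scheme
    if upgrade_to_https and scheme == "http":
        scheme = "https"

    return urlunsplit((scheme, parts.netloc, path, urlencode(kept, doseq=True), parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs; the tracking values are made up.
    for sample in (
        "https://example.com/page?id=42&utm_source=news&utm_medium=email&fbclid=abc",
        "http://www.amazon.com/dp/B000EXAMPLE/ref=sr_1_1?keywords=book&tag=someone-20",
    ):
        print(sample, "->", clean_url(sample))
```

Note that a real extension must also decide what to do when the https version of a site does not exist; HTTPS Everywhere blocks the plain-http request by default in that case, which this illustration does not attempt because it cannot see the network.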
Real stats from my Technitium DNS server.
If you want to take your privacy one step further, you can prevent your Internet Service Provider (ISP) from detecting every single site you request by running your own custom, encrypted DNS server. I personally use and recommend Technitium DNS, a free and open source DNS server.
Technitium allows you to enforce that all DNS queries are encrypted, either via DNS-over-TLS or DNS-over-HTTPS, which prevents your ISP from seeing your DNS requests in the clear. Additionally, you can block ads and malware that may have slipped through your other defenses by using a DNS sinkhole. Basically, if a requested domain appears in any of your configured block lists, Technitium resolves it to 0.0.0.0, an unroutable address, so the connection never leaves your machine.
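To make the sinkhole behaviour concrete, here is an added example in Python (my own illustration, not Technitium's code): it parses a hosts-file style block list, matches a queried name against the list including all of its parent domains, honours an allowlist, answers blocked names with 0.0.0.0, and tallies the most-blocked domains the way the server's stats page does. The block list, allowlist and upstream answers are constructed for the example.

```python
from collections import Counter
from typing import Callable, Iterable, List, Set, Tuple

SINKHOLE_ADDRESS = "0.0.0.0"  # unroutable; the client connection goes nowhere

# Constructed block list in the usual hosts-file format (assumption; real
# lists contain hundreds of thousands of entries).
BLOCKLIST_TEXT = """
# sample list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
telemetry.example.com
"""

# Names that hosts-file lists commonly contain but that must never be sinkholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_blocklist(text: str) -> Set[str]:
    """Return the set of blocked domains from hosts-file or plain-domain lines."""
    blocked: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        # "0.0.0.0 domain" -> take the domain; a bare "domain" line is also accepted
        domain = (fields[1] if len(fields) >= 2 else fields[0]).lower().rstrip(".")
        if domain not in LOCAL_NAMES:
            blocked.add(domain)
    return blocked


def is_blocked(qname: str, blocked: Set[str], allowed: Set[str] = frozenset()) -> bool:
    """True if qname or any parent domain is listed, unless an equal-or-more
    specific name is allowlisted (most specific label wins)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allowed:
            return False
        if candidate in blocked:
            return True
    return False


def resolve(qname: str, blocked: Set[str], upstream: Callable[[str], str],
            allowed: Set[str] = frozenset()) -> Tuple[str, bool]:
    """Return (answer, was_sinkholed); only unblocked names reach the upstream."""
    if is_blocked(qname, blocked, allowed):
        return SINKHOLE_ADDRESS, True
    return upstream(qname), False


def top_blocked(qnames: Iterable[str], blocked: Set[str], n: int = 3) -> List[Tuple[str, int]]:
    """Most frequently sinkholed names, as shown on a blocking server's stats page."""
    counter = Counter(q.lower().rstrip(".") for q in qnames if is_blocked(q, blocked))
    return counter.most_common(n)


# Constructed stand-in for the encrypted upstream resolver (assumption).
FAKE_UPSTREAM = {"www.example.com": "192.0.2.10", "example.net": "192.0.2.20"}


def fake_upstream(qname: str) -> str:
    return FAKE_UPSTREAM.get(qname.lower().rstrip("."), "NXDOMAIN")


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    for name in ("www.example.com", "cdn.ads.example.net", "example.net"):
        print(name, "->", resolve(name, blocked, fake_upstream))
    print(top_blocked(["ads.example.net", "ads.example.net", "tracker.example.org"], blocked))
```

Matching parent domains is what makes a list entry for ads.example.net also catch cdn.ads.example.net, and the allowlist check runs first at each level so that a single legitimate subdomain can be rescued without unblocking the whole parent.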
Top domains blocked over the last one week by my Technitium DNS server.
Always use protection.
If you want to truly be fully anonymous online, you’ll need to use a 3rd party VPN service. However, not all VPNs are created equal; you need to make sure you choose a VPN provider with a strict no-logging policy. I use and can recommend NordVPN.
NordVPN has a strict no-logging policy, and this policy has been verified by independent auditor PricewaterhouseCoopers AG, one of the Big Four auditing firms. NordVPN operates within the jurisdiction of Panama, which has no legislation regarding mandatory data retention, unlike the US and EU; this is a good thing for a VPN provider. Such a strict no-logging policy could not exist legally under US or EU jurisdiction. You can even pay for your NordVPN subscription with cryptocurrency, without ever leaving a trace of your real identity.
The Onion Router (Tor)
If you want to go Edward Snowden level private, NordVPN also has a feature called Onion Over VPN. When connected to an Onion Over VPN server, all your internet traffic gets routed through a VPN server, then through a Tor proxy, and only then reaches the Internet. You can, of course, just use Tor directly via the Tor Browser without a VPN at all, but this still opens you up to some vulnerabilities.
If you use Tor without a VPN, your ISP will know you are using Tor to access the internet, though this alone doesn’t compromise the actual data being sent and received over Tor. However, your IP address can still be compromised if there is a snooper, or multiple snoopers, in the network.
Tor node servers are volunteer-operated; anyone, including authorities or other bad actors, can set up and operate a Tor node. While no single node can see the full request or response, someone operating several of the nodes your traffic passes through, especially the entry and exit nodes, can discover your real IP address with a little work. For this reason, I still recommend using a VPN provider with Tor. That way, if your IP address is compromised, it's just a VPN IP address and no real identifying information is exposed.
“I have nothing to hide. Why should I care?”
If you’re asking this, Edward Snowden is disappointed.
Privacy Is Your Right
Privacy is a right, but it's not one we've always had; in fact, people in several authoritarian nations around the world still don't have the right to privacy. And it's one of the most important rights, right behind the right to free speech. Those who came before us fought so that we could enjoy the right to privacy, and dismissing that is grossly ignorant of history and its importance.
Your Data Has Value
Google is among the top 5 richest companies in the world when ranked by market cap. But the lion’s share of Google products are free; Gmail, Google Calendar, Google Drive, Google Photos, Google Meet, YouTube, etc. So how does Google make so much money? Simple. They sell your personal user data to third parties. Why should a global mega-corporation be allowed to profit freely and massively from your personal user data?
You Have No Idea How Much Is Out There
Most of the time, apathy about online privacy is actually a symptom of ignorance. Studies show that even those who are initially unbothered by online privacy issues become concerned when confronted with the amount and nature of data collection.
If a stranger asked you to fill out a 150-question form about your personal information, with the express intention of selling that data to 3rd parties, would you consent?
There are several other privacy tools that I haven’t covered here, but are definitely worth an honorable mention.
Everyone should be using a password manager. Reusing a password for multiple accounts is a security risk. A decent password manager can automatically detect signup forms in your browser and offer to generate a secure, strong password for you, sync your passwords between devices, and warn you if you have any weak, compromised, or reused passwords. I personally use a 1Password family account at home and a team account at work, and I can confidently recommend 1Password, but Dashlane is another great option. If you’re looking for a free and completely offline solution, you can check out KeePassXC.
- Privacy-respecting search engine to find more privacy tools
- Privacy-focused services and software
- Non-profit and open source
- Automatically opt-out of the sale of your personal information by over 40 of the biggest data brokers
- Provides DIY guides to manually opt-out for free
- Historical records of data breaches
- Check if any accounts associated with your email address have been compromised