What this thread isn't
This isn't a guide on how to anonymise yourself on the internet. Simply put, "true" anonymity on the internet is a nigh-impossible feat to accomplish. Even if you exclusively use Tor to connect to the internet, use Monero to pay for goods/services online, and don't own any type of phone or "smart" device, you still need to be mindful of a myriad of other factors that can be used to identify you. For example, JavaScript can easily identify your exact hardware configuration (if I'm not mistaken). Furthermore, your "written" voice (i.e. your mannerisms, use of punctuation, recurring phrases/misspellings, the dialect of whatever language you're writing in, etc.) on the internet can easily be used to identify you (look at how many Onision sock accounts got outed because Greg was too stupid to change up his speech patterns).
What this thread is
This thread is meant to be a general purpose guide/discussion on best practices for managing your online privacy and/or security. It's an incredibly broad topic that spans a whole bunch of different categories, which can make it daunting for the average user on the internet who wants to get their feet wet. In other words: if you're someone who's concerned about the sheer amount of overreach that Big Tech and other such entities have over our digital lives, this thread is for you! We might not have all the answers you're looking for, but it's still a good place to start. I'll periodically update the OP of this thread with various recommendations from other users, but for now here's my assessment of the subject at hand.
***
What is privacy/security?
Privacy, in the context of your online life, refers to how much (or how little) information can be tied back to your real-world identity. Similarly, security refers to how safe your data and other such digital assets are from internet attacks, breaches, leaks, malware, and so on. It's important to note that despite sharing some degree of overlap, these two terms are completely distinct entities. You can have a whole bunch of pseudonyms online to mask who you are on the internet, but none of that matters if you're the type of person who opens up your banking app while connecting over a public wifi network. Conversely, you might be the type of person who stays on top of all their security updates on mobile, PC, and such in order to avoid potential vulnerabilities/exploits, but that still doesn't guarantee you privacy (especially if you're the type of person who uses the same name everywhere).
What is a threat model?
Threat modelling refers to how much convenience you're willing to sacrifice for the sake of preserving your online privacy and/or security. Big Tech has made it their MO to introduce us to countless convenient things that slowly make us relinquish more and more of our personal data over to them. Naturally, taking control of our privacy/security online means that we have to relinquish some of that convenience. However, this doesn't mean that you'll be more private/secure if you're using the most inconvenient things possible; online privacy and security are subject to the metaphorical law of diminishing returns. Because of this, it's important for you to decide where to draw the line on how much inconvenience you're willing to put up with for the sake of your own privacy/security online. Remember: everyone's needs are different, so your threat model will undoubtedly be different from mine or anyone else's (and that's okay!).
What are the 5/9/14 Eyes?
To make a long and incredibly complicated story short, the 5/9/14 Eyes are a group of countries that have comprehensive intelligence-sharing agreements. Techlore has a great video explaining what they are specifically, along with why it's important to know where your services are based out of.
- The Five Eyes consist of the USA, Canada, the UK, Australia, and New Zealand.
- The Nine Eyes consist of the Five Eyes countries, plus Denmark, France, the Netherlands, and Norway.
- The Fourteen Eyes consist of both aforementioned groups, plus Germany, Belgium, Sweden, Spain, and Italy.
It's important to understand that this is an extremely complicated issue, and that the recommendation to avoid providers within the 5/9/14 Eyes isn't 100% infallible. Lolcow.email and Startpage.com are based within the Netherlands (9 Eyes). DuckDuckGo, the most popular private search engine, is based out of the USA (5 Eyes). Conversely, you have Yandex which isn't in the 14 Eyes but is run by the biggest Russian tech giant. PrivateInternetAccess had their no-logs policy verified in court a few times (if I'm not mistaken), and they exist within US jurisdiction.
While it is generally advisable to avoid 14 Eyes countries, you must also remember that every country within these alliances has reasons why you could potentially trust a company that operates out of it. The USA, for example, is draconian in its practices involving gag orders, but Section 230 along with the First Amendment literally provide the strongest protections for free speech in the entire world. Similarly, the Netherlands has strong data and personal privacy protection laws that rank among the highest in the world. Remember: your threat model is what determines the sorts of services that you're willing to trust. A little bit of research can go a long way in making sure your data doesn't fall into the wrong hands.
Is a VPN necessary?
The answer depends entirely on what your threat model is like. If you're a journalist, an activist from an autocratic regime, or have some other risk of being directly targeted by private/state actors, a VPN is an important tool in your arsenal and you probably don't need me telling you that. However, the vast majority of users who are reading this post will most likely have a fairly lax threat model. In that case, using a VPN won't necessarily help you unless you use a VPN for the right reasons (listed below):
- You have a specific need to hide your web traffic from your ISP. If you're into torrenting or other such P2P activities, a VPN comes in handy.
- You're on a network that you don't trust and you want to protect yourself. Again, a VPN is always nice to have on public wifi networks.
- You're trying to bypass censorship or geographical blocks. Speaking as someone who comes from a third-world hellhole, VPNs are basically a must-have.
What is browser fingerprinting?
Without going into excruciating amounts of detail, your browser fingerprint refers to the bits of data from your browser that every website's able to read. This includes, but is by no means limited to: your browser's user agent string, language, time zone, screen resolution, system fonts, or even your use of an ad blocker. Each bit of information on its own isn't necessarily special, but combined together they paint a horrifyingly accurate picture of what your browser and even your hardware look like. What makes matters worse is that this type of fingerprinting is pretty hard to circumvent because so many of the methods that are used to gather such information in the first place are baked into web standards (e.g. Canvas, WebGL, JavaScript, etc.). You can check out the EFF's CoverYourTracks tool, which shows you how web trackers view your browser data along with how unique it is.
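The "combined together" point above, as an added example that is not from the original post: a small Node.js calculation of how the identifying bits of the attributes listed above add up into the "one in N browsers" figure that CoverYourTracks reports. The per-attribute frequencies and the 2^33 browser population are constructed assumptions, not measured data.

```javascript
// Added example (not from the original post): how individually unremarkable
// attributes add up to a near-unique fingerprint, measured in "identifying bits".
// The frequencies below are constructed guesses for illustration only.
const SAMPLE_ATTRIBUTE_FREQUENCIES = {
  userAgent: 0.05,        // share of browsers sending this exact user agent string
  language: 0.30,         // share reporting this language
  timeZone: 0.15,         // share reporting this time zone
  screenResolution: 0.10, // share with this screen size
  systemFonts: 0.02,      // share with this exact installed-font list
  adBlocker: 0.40,        // share where an ad blocker is detectable
};

// Surprisal of one attribute value: a value shared by a fraction p of browsers
// reveals -log2(p) bits. A 50/50 attribute gives 1 bit; a 1-in-1024 value gives 10.
function identifyingBits(p) {
  if (!(p > 0 && p <= 1)) throw new RangeError("frequency must be in (0, 1]");
  return -Math.log2(p);
}

// Treating attributes as independent (a simplification), their bits simply add.
function combinedBits(freqs) {
  return Object.values(freqs).reduce((sum, p) => sum + identifyingBits(p), 0);
}

// Bits needed to single out one browser among `population` browsers.
function bitsToBeUnique(population) {
  return Math.log2(population);
}

// A summary a user can act on: total bits leaked, the "one in N" figure,
// whether that is enough to be unique in the population, and which single
// attribute contributes the most (the first one worth changing or hiding).
function fingerprintReport(freqs, population) {
  const bits = combinedBits(freqs);
  const [worstAttribute] = Object.entries(freqs)
    .sort((a, b) => identifyingBits(b[1]) - identifyingBits(a[1]))[0];
  return {
    bits,
    oneIn: Math.round(2 ** bits),
    uniqueEnough: bits >= bitsToBeUnique(population),
    worstAttribute,
  };
}

console.log(fingerprintReport(SAMPLE_ATTRIBUTE_FREQUENCIES, 2 ** 33));
```

With these constructed numbers the six attributes leak about 19 bits (one in roughly 555,000 browsers), with the font list alone contributing the most; adding a few more attributes such as Canvas or WebGL output is what pushes real fingerprints past the ~33 bits needed to be unique among every browser on earth.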
What are some best practices for maximising my online privacy/security?
Techlore has an entire course on the subject of best practices, along with general recommendations for software to use. If you don't feel like going through the whole course, here are some of my recommendations:
- Never use the same identity twice. If you can't be fucked to come up with an original pseudonym, you don't need to be on that website in the first place.
- Branching off the first point, pseudonyms are your best friend. You don't need to sign up for everything with your primary email address and your IRL name. Reputable email services like Tutanota and ProtonMail exist, as do email providers for weirdos on the internet like Cock.li and Lolcow.email. Remember, it's okay to go on the internet and tell lies.
- Never use your IRL credit card information online, unless you absolutely have to. If you're lucky enough to live in the USA, Privacy.com exists for you to create virtual debit/gift cards with specified limits so you can pay for your Netflix, Hulu, or other such online purchases. If you're willing and able to, prioritise crypto transactions for things that allow you to use crypto like certain VPNs.
- If you don't mind dealing with broken web pages (or are used to dynamic web filtering), disable third-party scripts and frames. uBlock Origin Medium Mode is the perfect tool to use for this purpose. In fact, The Hated One has an excellent video tutorial recommended by Raymond Hill on the exact subject I'm talking about.
- For general purpose software recommendations, I'd suggest checking out privacytools.io. You'd be surprised as to what kinds of excellent, open-source alternatives exist to the software that you currently use.
If there's anything I missed, please let me know!