A practical guide to increasing online privacy and security

Introduction

The year is 2020, and it is impossible to imagine a day without using a mobile phone, computer, smartwatch or the internet in some shape or form. We are dependent on information in every aspect of our lives, and there is certainly a great number of products and services we may choose from in order to communicate, browse, search… Today, a lot of these products are free, as in, you don’t have to spend a cent on them and can still use them, but there is really no such thing as free in a capitalist world. You may not be spending your money, but you are “paying” with your personal information. And that is what all of us must be aware of each time we enter the digital world.

To some people, this is not new. Some do not care. Some go with the argument “yeah, like someone out there cares what I eat for breakfast”. All somewhat valid points, until a data breach happens and suddenly your information is no longer in the hands of a “trustworthy” company but is being sold on the dark web, to no one knows whom, for no one knows what purpose. Or simply, your email address and password are exposed, and you were previously too lazy to set up all your accounts with different passwords, so now someone can access your other accounts, ones that were never in danger to begin with. Or, even worse, your email gets compromised, and now someone can access almost everything you do on the internet. Pretty scary, right?

Of course, not every scenario plays out like this. What is described is among the worst-case scenarios, but it is important to understand what can happen. Fortunately, there are easy ways to protect yourself, and the world itself is making progress in the form of the General Data Protection Regulation (GDPR) [1] in the European Union and the California Consumer Privacy Act (CCPA) [2] in the United States.

Even so, caution should not be lacking.

In this text, I’ll try to help you spot possible weaknesses in the way you use information technology and suggest ways to increase security and privacy. I will not go into detail on everything, but rather leave links for everyone to explore further.

Before we dive into the issues directly, I’d like to point out that most of my recommendations will be free and open source software – I will provide a link to the repository where the code is hosted. I believe it is important for software to be open source, since that gives everyone with the right skills the possibility to examine the code, point out flaws and maybe even suggest fixes.

General security

Most systems today use a username and password as the main way of identifying and authenticating users.

For an end user, it is important to make a clear distinction between weak and strong passwords. A password is considered weak if it is a single known word, if it contains names (family members) or dates (a friend’s birthday), if it is short (fewer than 8 characters), or if it is too simple (like pass1234). Such a password is an easy target for many cracking techniques.

Add bad practices, like reusing the same password on different services or sticking a note with the password on the monitor, and it becomes far too easy to become a target, intentionally or by accident.

By contrast, a strong password has none of the above. It is not a known word, it is long (between 8 and 16 characters, even more for some special cases), it is unique, and it contains upper and lower case letters, numbers and special characters – in general, it makes no sense to anyone. Such passwords are hard to crack because there is no predictable pattern, behavior or emotion tied to them, meaning only brute force can crack them, and that method is time and resource consuming.

In short, a strong password will make you a less attractive target. But it is only the first step.

Two factor authentication (2FA)

A common suggestion is to use a second factor (combined with the password), which nowadays usually means a 6- or 8-digit code that expires after 30 seconds, called an OTC (one-time code). The sites you use most will likely have an option to add a second factor; however, only a small number enforce it. It is very likely that your favorite site already supports 2FA, you just have to activate it. Feel free to check on the site of your choice or use the following link.

Because of the way OTC is designed, it is worth noting that it is not an unbeatable system. Feel free to read more about it here. Regardless, using one most certainly increases the security of your account.

Recommendation: Authy – it lets you encrypt your secrets with a phrase of your choosing, and it has a very useful option to keep devices in sync, meaning changing devices will be easy without having to set up your accounts again.

Password management

There is no need to explain how troublesome keeping a strong password for each account can be. People have a hard time remembering one strong password, let alone dozens. Fortunately, there are a number of solutions that offer password management and generation.

In short, this is how it works: a password manager will generate a strong password for you and remember it. Depending on your software and subscription plan (if any), there should be an option to check whether the suggested, generated password has appeared in any known breaches. You can always check that manually here.
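An added example (not the article's code, nor any password manager's) of how a breach check can be done without ever sending the password itself: it assumes the k-anonymity range API of the Have I Been Pwned "Pwned Passwords" service, which the article does not name, where only the first five hex characters of the SHA-1 hash leave your machine and the returned suffix list is compared locally. The range response below is constructed for offline use; only the "password" entry's hash suffix is real.

```python
import hashlib
import urllib.request
from typing import Callable


def split_hash(password: str):
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network): returns 'SUFFIX:COUNT' lines for every hash with this prefix."""
    with urllib.request.urlopen(range_url(prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(suffix: str, response_text: str) -> int:
    """Scan the returned suffixes; 0 means the password was not in any listed breach."""
    for line in response_text.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6; the middle suffix is the real
# tail of SHA-1("password"), the neighbours and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password seen", check_password("password", fake_fetch), "times")
```

Swap `fake_fetch` for `fetch_range_live` to query the real service; the password still never leaves the machine, only its hash prefix does.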

You will have to set up a master password to unlock all others. Adding 2FA to the password manager is mandatory.

Recommendation: Bitwarden, as it is free and open source. It has a small yearly fee for extra tools that many won’t need, and it works both as standalone software and as a browser extension. It has 2FA support.

Notable mentions: LastPass, 1Password, Dashlane

Follow-up steps

Setting up 2FA and a password manager is a great step in increasing your security. However, as the saying goes, don’t put all your eggs in one basket. Whatever solutions you choose in the end, make sure they are not from the same vendor. That way, should the unthinkable happen and the security company itself suffers a breach, only half of your information will be compromised, leaving you with enough time to react and change it.

While setting all of this up, you will be asked to save backup codes for 2FA, and there will be an option to export all your passwords from the password manager. Now, let’s not undo all the good work by keeping that exported information insecure. A suggestion would be to use an encrypted USB drive. There are numerous solutions, most of them OS specific, but one that stands out is VeraCrypt, as it is free, open source and multiplatform, meaning you can unlock your USB drive on any system.

It is recommended to update the passwords and keys on your USB drive periodically, so your backup won’t become outdated.

Internet security

If I were to guess which browser you are reading this article in, I’d be 66% sure it is Google Chrome. How do I know? Well, simply, that is the market share of Google Chrome, and it is not undeserved. It is certainly one of the best browsers currently on the market and it excels in almost everything, except privacy. While Google offers so many of its products and services for free, it makes up the revenue by selling ads: targeted, personalized and well-placed ads all over the web. It manages to do so by collecting all sorts of information on its users, their behavior, search patterns, phone usage, etc.

This is not paranoid thinking or a conspiracy theory; it is written in their Privacy Policy. Here’s an excerpt, but I encourage you to read the whole document [3].

An excerpt from Google’s Privacy Policy taken on May 15th, 2020.

If you aren’t comfortable with it, there are ways of distancing yourself from Google’s tracking without sacrificing much of your daily routines.

Web Browsers

First and foremost, replace Google Chrome, should you not agree with Google’s Privacy Policy [3]. Fortunately, Google Chrome is built on Chromium, a free and open source project. It is sponsored by Google, but it does not have some of Google’s proprietary features; read more about it here.

This is important to mention because a lot of browsers on the market (including some of our recommended browsers) are built on Chromium and enhanced. This will also make a possible transition to a new browser a lot easier.

Firefox Privacy Settings

Recommendation 1: Firefox browser – it is free and open source and the only major browser on the market that is not built on Chromium (if we exclude Safari, which is Mac-only nowadays). It works on any system and it has a healthy ecosystem of extensions. Almost every popular extension for Chrome exists for Firefox as well. Firefox and Chrome are similar in performance and visual design. Firefox is a bit more customizable, but the reason I am recommending it is the privacy settings and built-in blockers. It is possible to completely turn off history and cookies and browse the web without any fear of leaving data behind. It would take a few minutes to set everything up properly, and after that, if you turn on cloud sync, all your settings will be saved in case you use multiple computers or reinstall the system.

Recommendation 2: Chromium browser – if you cannot leave Chrome that easily, then Chromium is the solution for you. It looks and feels almost the same as Chrome. Sync is available, although it will use Google’s service for that. Linux users can install it directly from their respective package managers. Windows users will have a bit more trouble installing it, as it is not as simple as clicking an .exe file. If you are on Windows, the following browsers might be more suitable for you.

Notable mentions: Brave browser, Opera browser, Vivaldi browser

Sidenote: If you are using Internet Explorer, you might want to consider switching to Edge or using one of the recommended browsers above.

Final thoughts: Considering everything mentioned in this article, changing a browser should be, by far, the most challenging step. While it is not mandatory, it is recommended. The very least anyone can do is install another browser alongside Chrome and try it out. Finally, the next chapter applies to Chrome as well.

Browser Extensions

Browsers alone can protect you from most harmful situations on the web, but browser extensions can enhance that protection.

Before reading the rest, please do yourself a favor and test your browser for privacy at the following link. I expect you will be unpleasantly surprised by the result.

I will recommend a series of extensions that will increase your privacy. They can work with one another, so feel free to experiment and combine them.

A word of caution: too many of these extensions can cause some sites to break or display badly. That can mean either of two things – the extension settings are too strict and/or the site is tracking you far more than is reasonable.

Avoid using: Adblock and Adblock Plus, as they have a bad history with privacy.

Search Engine

This is a difficult topic, as most people are so dependent on Google that they are completely unaware of the alternatives. I would not recommend abandoning Google altogether, but rather suggest trying DuckDuckGo and switching back to Google if you cannot find what you are looking for. DuckDuckGo advertises itself as a completely private search engine, and it will not record any of your queries. [4]

Device Fingerprint

One thing we need to discuss is the Device Fingerprint. It is a collection of information about your operating system, monitor resolution, color depth, browser, installed extensions, and the list goes on.

The reason for mentioning the Device Fingerprint is simple: even if you manage to depersonalize your use of internet services, your device will still give away its fingerprint, and companies can use that to track you even if you are not logged in anywhere. Taking certain precautions, as mentioned earlier, will reduce the chance of successful identification; however, that is the best you can do. The only truly safe way is not using the internet at all, and we can all agree that that is impossible.

Secure Communication

Mail Service

If you are worried about your mail being read by your provider, there is a solution for you. ProtonMail is an encrypted mail service, it supports 2FA, and each mail is individually encrypted before being stored, so the provider has no way to open and read it.

Consequently, using Proton is only useful if all correspondents in the conversation are using Proton as well.

ProtonMail was created by CERN scientists in the wake of Edward Snowden’s revelations. It is based in Switzerland, and therefore outside the jurisdiction of all the major players that shape Internet practices.

It is worth noting that ProtonMail is not the only encrypted mail service on the market, but it is the most widely used and most famous one, which is why I chose to present it. There are others, and I encourage you to look them up.

Messaging Applications

When it comes to messaging, specifically on your phone, SMS is still the most reliable way to send a message, as it does not require the internet for transmission. However, it is not a very secure way of sending messages, since it is not encrypted, meaning telecom providers and government officials could access messages if needed. Over the past decade, a number of messaging apps have been developed, and they share very similar features, but when it comes to privacy, some are better than others.

Recommendation 1: Telegram – it is an open source application with end-to-end encryption and currently the most popular secure messaging platform. It has mobile applications, web and desktop clients, and even some unofficial builds for use from the command line.

Recommendation 2: Signal – while it is less popular than Telegram, Signal is an open source application. It also has end-to-end encryption and a bunch of neat features, like self-destructing messages. It can also serve as your default SMS application.

Notable mention: Session – a decentralized messaging application built on a blockchain that does not require a phone number.

Conclusion

In this article I tried to raise awareness of privacy issues and provide simple solutions for minimizing the risk of tracking and misuse of private information.

Note: what is presented here is merely the beginning. I could not go into depth on every issue, as that would defeat the purpose of the article, but I hope you will continue to research these topics and solutions. I didn’t mention more advanced things like using a VPN, rooting the phone, changing operating systems, etc., as those carry certain risks (legal, technical, etc.) beyond the scope of this article.

Now, you may take the red pill, and let’s find out how deep the rabbit hole goes!

References

[1] https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

[2] https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

[3] https://policies.google.com/

[4] https://duckduckgo.com/privacy

Source code repositories for mentioned software

Bitwarden – https://github.com/bitwarden

LastPass – https://github.com/lastpass

1Password – https://github.com/1Password/1password-teams-open-source

Dashlane – https://github.com/Dashlane

VeraCrypt – https://www.veracrypt.fr/

Firefox – https://github.com/mozilla/gecko-dev

Chromium – https://source.chromium.org/

Ghostery – https://github.com/ghostery

Privacy Badger and HTTPS Everywhere – https://github.com/EFForg

uBlock Origin – https://github.com/gorhill/uBlock

Privacy Possum – https://github.com/cowlicks/privacypossum

Decentraleyes – https://git.synz.io/Synzvato/decentraleyes

DuckDuckGo Privacy Essentials – https://github.com/duckduckgo/duckduckgo-privacy-extension

ProtonMail – https://github.com/ProtonMail

Telegram – https://telegram.org/apps

Signal – https://github.com/signalapp

Session – https://github.com/Loki-project