Data Privacy

• Disclaimer
• Technologies
• Why be concerned?
• Email
• Internet Browser
• Internet Browser Plugins
• Internet Services
• Search Engine
• Cloud Storage
• Cloud Docs
• Social Media
• Messaging Apps
• Password Managers
• Smartphone / Tablet
• Computer
• VPN
• DNS
• Cryptocurrency
• Closing Notes
• Appendix
  • 5 Eyes (avoid)
  • 9 Eyes (try to avoid)
  • 14 Eyes (try to avoid)
  • Useful Websites

Disclaimer

This document has not been written by an expert, and its contents may change upon discovering new information.

The intention is to:

• Highlight basic data privacy concerns.
• Collate a broad-spectrum of privacy related information.
• Provide a framework of understanding to build upon.

Please do your own research before acting upon these notes.

You’re welcome to copy, distribute, make suggestions, corrections or edits.

Whilst this document can be applied to any platform, some parts target macOS specifically.

Technologies

These technologies may concern your privacy:

Technology
Email
Internet Browser
Search Engine
Cloud Storage
Social Media
Password Management
Software / Apps
Internet Service Provider (ISP)
Virtual Private Network (VPN)
Domain Name Service (DNS)
Media Access Control address (MAC)

These technologies may apply to the following platforms:

Platform
Computer
Tablet
Smartphone
Smart home devices (Internet of things - IoT)

Why be concerned?

The National Security Agency (NSA) was shown to be collecting data on a mass scale by Edward Snowden in 2013, under an operation code-named PRISM. The operation outlines cooperation with major service providers (such as Apple, Facebook and Google), but also with the UK’s Government Communications Headquarters (GCHQ). Further cooperation between intelligence agencies has since been documented as the Five Eyes, Nine Eyes and 14 Eyes.

From 2013, arguably in light of this revelation, the UK took a number of steps towards stricter internet policing. In 2016, the UK passed the Investigatory Powers Act to legalise and legitimise surveillance. Similar actions are being taken elsewhere, such as with the Australian Online Safety Act.

Digital services like Google and Facebook primarily model their business around advertising, exploiting user data to serve highly targeted ads. The more data points deduced, the more targeted the ads. Whilst these models subsidise free services, the seemingly unregulated data access to unsuspicious citizens, and its use by third parties such as Cambridge Analytica, is particularly worrisome.

It’s easy to say: ‘I have nothing to hide...’, but data allows technology to manipulate and polarise, which poses a real threat to society, as seen with the 2021 storming of the United States Capitol. Social technologies may feign innocence, but their algorithms suggest the most engaging (or triggering) content based on your data. The more engaged (or triggered) you are, the longer you’ll stay, and the more ads you’ll potentially interact with.

Therefore, we should take responsibility and do whatever we can to protect our privacy, not just for ourselves, but also for society.

Email

It’s worth reading up on the basics of how email works, and why it’s unsafe.

Encrypted email services posit themselves as the answer, but you’ll most likely still send emails to recipients that don’t use these services. Whilst encrypted email services mitigate the monitoring of your personal account, emails can still be monitored on the recipient’s account. Edward Snowden suggests not using them at all.

The following questions should be asked before using an encrypted email service:

• Are emails encrypted at rest? And which parts are encrypted?
• How strong is the encryption?
• Is the jurisdiction outside of the 14 eyes? And if not, are logs kept?

If you want to switch service, and also maintain your contacts, emails and folders (labels), you could (depending on your current service):

• Export your emails to mbox format, and then import them into your new service. Alternatively you could try moving emails folder by folder (including your sent folder) 50-100 at a time via Thunderbird.
• Once imported, delete everything from the old provider.
• Change any services over to your new email address.
• Then either (slowly transition):
  • Indefinitely setup message forwarding from the old address.
  • Create a message filter to immediately delete the forwarded emails. (Messages may be kept for some time in the trash before being permanently deleted.)
  • Delete the old account after some time.
• Or (immediately transition):
  • Mail merge your old contacts to notify them about your new email address.
  • Delete the old account.

To backup any email, either export it in mbox format from your email provider, or use Thunderbird (which can restore the folder locally later on). To use Thunderbird without any 3rd-party extension:

• Find the email's directory by clicking Tools -> Account Settings -> Server Settings and extracting the value from Local Directory (it may look something like: .../Thunderbird/Profiles/<MY_PROFILE>.default/ImapMail/<MY.IMAP.ACCOUNT.COM>).
• To backup everything:
  • Click on every folder in Thunderbird to ensure they're downloaded.
  • Zip up the entire folder.
  • Store it on an encrypted hard drive / cloud service.
• If you want to backup a specific folder:
  • Zip up the <FOLDER_NAME>.msf file, <FOLDER_NAME>.sbd folder (if it exists) and the empty <FOLDER_NAME> file. If the empty file doesn't exist, create one.
  • Store it on an encrypted hard drive / cloud service.

To access the backup at a later stage in Thunderbird:

• Unzip the file
• Move its contents to: /Thunderbird/Profiles/<MY_PROFILE>.default/Mail/Local Folders/
• Restart Thunderbird and it should appear in the Local Folders section. If you can't see this section, click View -> Layout -> Folder Pane.

You must then decide how to access your email. Whilst web browsers are commonplace, any time spent browsing leaves you more vulnerable to tracking. One solution is to use a software email client, such as Thunderbird which can be configured to prevent web-beacons and tracking pixels (more info). However, web clients store information on your computer, which can be a target for malware, or pose a security risk if your laptop is stolen.

If you want to keep your existing setup with minimal changes (e.g. everything works as before - notes, calendar, emails on your phone, etc), Posteo seems a good option. Whilst it’s a German company (within the 14 eyes), and German law is becoming more worrisome, they don’t keep logs, even if they were almost forced to start logging ip addresses.

If keeping your existing emails isn’t a requirement, Tutona or CTemplar look promising. CounterMail is the most secure option, but you’d need an invite from an existing user.

If you request an invitation, do it from an anonymous account. Once your real name is associated with an invite code, your account becomes identifiable.

Once you choose a provider, use a number of email aliases to hide your main email address (never use the main address to send emails). For example, you could create an alias for friends, online services, and temporary aliases for anonymity. If you ever receive too much spam for a particular alias, you can safely delete it without affecting the main address.

Internet Browser

It’s worth reading the basics of how an internet browser works.

Firefox configured for maximum privacy (see here and here) with some plugins (see below) is probably the fastest option for private browsing, but it won’t stop your Internet Service Provider (ISP) from tracking you. For best privacy, use the Tor Browser (also based on an earlier build of Firefox). Whilst it’s harder for your ISP to track you with the Tor Browser, they’ll still know you’re on the Tor network.

Firefox might seem unsafe, considering Mozilla (its parent company) is a US company. However Firefox is open-source, renowned for privacy advocacy, and has a proven track-record for internet privacy.

Whichever browser you choose, clear its data often (every day, or every session). Alternatively, set the browser's data to clear automatically when it restarts, and restart it often.

Third parties can track you around the web in various ways:

Technology	How?	Ways to mitigate
Internet Protocol (IP) address	The IP address of your router will either be static (assigned by the ISP), or stay the same until you restart the router. The IP can be used as a unique identifier.	Use a VPN to hide your IP address from your ISP, and regularly change its server location to be something outside of the 14 eyes. For best privacy use the Tor Browser over a VPN (i.e. start the VPN first, and then open the Tor Browser), or with a bridge. For some privacy, use Firefox over a trustable VPN.
Accounts	Logging into accounts like Google or Facebook will allow them to track you around the web, even with private browsing on, due to the presence of Google analytics and Facebook like buttons on most web pages.	Log out of all unnecessary online services, clear the browser's data, and then restart the browser.
HTTP Referer	The previous web page address that can be exploited by trackers.	Turn it off
HTTPS	HTTP sends unencrypted web traffic that could be intercepted by an attacker.	Configure your browser to warn against accessing HTTP pages. Take extra care on public Wi-Fi networks (cafes, airports, etc).
Cookies	Cookies are small pieces of information stored on your computer that can be used to identify you.	Block all third party cookies in your browser. Automatically delete cookies when the browser closes. Always send a ‘do not track signal’ from your browser.
Web beacons / Tracking pixels	Hidden pixels that collect data about you.	Block them in all windows
Cryptominers	JavaScript that uses your system resources to mine crypto-currencies.	Block them in your browser.
Fingerprinters	Non-obvious information that can be collected about you that creates a unique identification. To test your browser, visit: Cover Your Tracks, TorZillaPrint, CreepJS, UNIQUEMACHINE, AmIUnique	Block them in your browser. Consider using these plugins.
Pop-up windows	Adverts that pop up without your permission or engagement. Often these can contain cryptominers, web-beacons and fingerprinters. They can also trick you into downloading malware.	Block them in your browser.
Logins / passwords / auto-completions	Browsers make the user experience more fluid with auto-completion, but data gets populated without requiring a password. Even if it's setup to use a password, data gets stored locally. This risks exploitation by malware, and may pose a security risk if your laptop is stolen.	Never save them with your browser. If you need to save passwords or form data, use a separate encrypted password management service.
History	Keeping history on the browser is at risk of exploitation from malware, and may pose a security risk if your laptop is stolen.	Never remember. Clear when the browser restarts.
Search bar	The search bar normally defaults to a search engine, but can also search your bookmarks and history.	Don’t suggest anything in the search bar. Only use private search engines.
Permissions	Permissions determine how the browser should handle requests for your computer’s hardware.	Remove any and all permissions. Never ‘always allow’.
Flash	Flash enables animations and rich content to display in your browser, however it also can be used for supercookies.	Uninstall it. Firefox dropped Flash in version 85.
WebRTC	WebRTC provides real-time communication capabilities (e.g. Google Hangouts), but can also leak your IP over a VPN.	Disable in the settings, or with a plugin like Disable WebRTC.
User Agent	The User Agent helps identify the browser and operating system. It can be exploited to help form a unique identifier.	It’s not always clear what the best option is, as a normal user agent might blend you into the crowd. Nonetheless it can be hidden or spoofed. You can check how it appears here.
Browser plugins	Whilst browser plugins add extra capabilities, plugins from third parties may collect your data, or act as malware.	Less is more with plugins. Beware of plugins that require unexpected (or too many) permissions.
Authentication	Simple website logins are susceptible to keyloggers and password leaks.	Where possible, use two-step authentication with an OTP (one time-password) app like FreeOTP. Don’t use Google’s authenticator app. Always download backup codes in case you lose your phone.
Media Access Control (MAC) address	The hardware address of your network adapter that can be used to identify you.	The MAC address should be spoofed regularly. MAC addresses can no longer be changed on Big Sur.
Domain Name Service (DNS)	The DNS converts human friendly web addresses into IP addresses over HTTP, which can cause IP leaks over a VPN.	Check your VPN prevents DNS leaks, and test their claim. Various tools like dnscrypt (macOS tutorial) can help encrypt DNS traffic. On Firefox you can enable DNS over HTTPS, using an alternative DNS than that provided by your ISP (like LibreDNS).
hosts file	The hosts file acts like a local DNS, and can be a useful way to block urls of known trackers, adwares or malwares.	There’s lots of examples online, like this one.

Internet Browser Plugins

To improve your privacy when using your web browser, it might be worth installing these plugins:

Plugin	Link	Notes
NoScript	https://noscript.net/	If it's too much effort to configure over time, try this simplification
uBlock Origin	https://ublockorigin.com/
Privacy Badger	https://privacybadger.org/
Decentraleyes	https://decentraleyes.org/

Internet Services

The less time you spend on the internet, the better. If you must be online, where possible:

• Limit social media usage. Your time equates to the data social media exploits.
• If no VPN is present:
  • Stay logged out of your accounts.
  • Use a private tab.
  • Use a trusted network (like your home network).
  • Use HTTPS.
  • When finished, clear the browser's history, and then close the browser.
• Only sign up to services you really need. For anything else, consider using a throw-away email address, or a temporary email alias.
• Don’t always use the same username.
• Be sure to delete unused accounts where possible.
• Use a password management service to maintain strong and unique passwords. It’ll also act as a record of any services you’ve signed up to.
• Register important email addresses on haveibeenpwned.

Search Engine

There’s no doubt Google is the best and most intuitive search engine, but it’s at the expense of tracking you, and keeping logs forever. Ideally you’ll want to replace Google with something else, and only it when absolutely necessary.

DuckDuckGo has arguably become the most well-known private search engine. It also returns fairly decent searches. Nonetheless it has a troubling past (see here and here) and may have once tried to secretly fingerprint users. Regardless, it’s still a better choice than Google

There’s a few more alternatives described here, but none of them seem too convincing. For a more broad comparison, this may help.

You’ll definitely want to avoid:

• OneSearch (owned by Verizon Media, USA), as they save your IP address and search queries for 4 days.
• Private.sh as they’re owned by Kape technologies, formally known as Crossrider (who have a track record of including malware in their products).
• Presearch.io as they have too many clauses on how they may share your information.

From further research, here’s an analysis of private search engines that might be worth trying:

Search Engine	Data Tracked / Logged	Potential Issues	Server / Company Location
Metager	Stores IPs for 4 days. Search is cached for a few hours. Tracks language selection, search settings, accept header (for statistics).	Two blocks of the IP address and the user agent are given to advertisers.	Germany
Swisscows	Removes IP and user agent from search terms after 7 days.	Filters adult / abusive content. Some data is transmitted to advertising partners.	Switzerland
Peekier	HTTP Referrer, search queries (temporarily), HTML5 local storage (for settings).	Single session cookie on Cloudflare. Weird layout.	Panama
InfinitySearch	HTTP Referrer	Might leak data to Cloudflare. Poor searches.	Innovare Technologies (USA).
Oscobo	Supposedly nothing.	Uses cookies to encrypt search terms on the browser. Uses proprietary technology. Privacy links in 8. More Information are strange.	UK
Mojeek	Time of visit, page requested, HTTP Referrer, two letter country code.	Not clear.	UK
Disconnect	Imprecise geo-location information, page views, browser type, operating systems, site inks.	Doesn’t respond to ‘do not track’ settings. Stores first-party browser cookie to remember preferences. States it might serve legal requests.	Delaware, USA
Tailcat	Not stated.	No policy. Can it be trusted?	Not clear - hosted by Cloudflare (USA).
Whoogle (github)	Not stated.	No policy. Can the public instance be trusted?	Amsterdam (public instance)
Startpage	Operating system, times accessed, browser type, language, IP address (robots only)	Troubling parent company.	Netherlands

From this list, self-hosting Whoogle (instructions here) seems the safest option that most resembles a Google search. However, when Google updates its code, there may be breaking changes that must be fixed by the owner, and then applied yourself.

Out of the hosted options, Peekier (no longer available) seems the most trustable, with decent searches, and a likeable server location. If the layout is too unusual, either Metager or Mojeek will seem more familiar. Metager has a better server location, but at the expense of sharing (fairly anonymous) data to advertisers.

Whichever search engine you choose, use a VPN (with encrypted DNS) or the Tor Browser to hide searches from your ISP.

Cloud Storage

Google Drive and Dropbox are commonly used for cloud storage, but it’s at the expense of your data.

There are numerous encrypted options on the market (detailed here and here), but they all seem to have drawbacks.

SpiderOak was championed by Edward Snowden, but as it uses proprietary software, and is based in the US, there's always a worry of NSA cooperation. However, as the security looks very convincing, this worry is most likely paranoia.

Koofr (based in Ljubljana) might be a safer alternative. It has a simple privacy pledge, and this review suggests client-side encryption is possible using rclone. If you don't want to use rclone, then you may find the desktop app has issues.

NordLocker might be an option, but it seems more focused on encryption, rather than cloud storage. Nord is best known for their VPN. If you’re already using that, using another Nord product isn’t ideal, as privacy is arguably improved with diversity. There's a few videos on YouTube of the macOS desktop app asking for far too many permissions, which is concerning). NordLocker will also track anonymised app diagnostics.

The most paranoid solution would be to self-host NextCloud, and encrypt files with Boxcryptor (reviewed here) or VeraCrypt (reviewed here). However, if you incorrectly configure the server, it's still riskier than using an existing service. Existing services also have dedicated teams that keep up-to-date with the latest security practises.

Cloud Docs

If you're using Google Drive, before transferring to another service, you'll first need to untangle yourself from Google's placeholder files (.gdoc, .gsheet, etc). Searching for these extensions within your desktop's Google Drive folder will help identify which documents need to be transferred.

Unless you need group collaboration, or future-proofing, the simplest solution would be to export your cloud docs to a native extension (e.g. .odt / .docx) and edit them on your computer using proprietary software (like Pages or Numbers for macOS), or if portability is a requirement, an open-source software (like OpenOffice or LibreOffice). Files can then be synced to the cloud via a folder on your computer.

Unfortunately most privacy-based alternatives seem at the expense of feature compatibility and usability, but if you need a simple replacement that's fairly privacy-savvy, CryptPad is probably your best bet. Whilst based in France (9 eyes), their character seems noble; during the Pandemic CryptPad added this to their home-page:

In the current health crisis linked to the COVID-19 outbreak, CryptPad supports remote working. The storage limit for all registered users is increased to 1GB until further notice. Registration is free with no personal data required.

CryptPad's most lacklustre feature seems to be the presentations (see this review), but the docs / spreadsheets will suffice for simple things. On signup, there's a notice stating links must be shared securely (because they could potentially be guessed), and data-integrity isn't necessarily guaranteed (e.g. regular backups should be made).

For something more feature-rich and user-friendly, Arcane Office is worth a look. However, their Privacy Policy does state the use of Google Ads alongside some minor logging.

A more detailed list of alternatives is available here - section: Google Docs / Sheets / Slides alternative.

Photos

There doesn’t seem to be much information about secure / private photo services, but a few are listed here.

Most solutions are self-hosted, requiring know-how and maintenance.

Cryptee is the only existing solution (and probably the most attractive), as it’s based in Estonia (outside of the 14 eyes), and run by a small team that seem passionate about privacy.

Social Media

The best option is to simply limit, or forego all social media use.

Posting about your life is not just great for friends, but also intelligence agencies. Flippantly posting things can damage your life, your reputation and your job prospects; the internet is forever and unforgiving.

One solution is to use social media for business endeavours only, as professionalism helps to rein in the tongue.

You can deactivate Facebook to keep Messenger (if you need it), but Facebook will still have your data. The best option is to delete Facebook, alongside sending a data removal request email.

Messaging Apps

As WhatsApp is owned by Facebook, and considering the recent changes to their terms and conditions, it’s advisable to use is sparingly, which is difficult due to its popularity. One solution is to find an encrypted messaging app (on Android and iOS), and ask your friends to use that.

There are a number of secure messaging apps detailed here, here and here. There’s a very comprehensive list here.

Signal (endorsed by Edward Snowden) is touted as one of the best encrypted messaging apps. Whilst Signal uses centralised servers based in the US, it’s open-source, and looks the most established, proven and trustable messaging app (review here). As it's the most similar to WhatsApp, it's probably one of the easier alternatives to convince your friends to use.

Session is a fork of Signal that doesn't require any details to register. However, from reading this, there seems to be some concerns regarding the company's location in Australia, and if the product is even stable.

Element uses a decentralised open-source network called Matrix, and doesn't mine data. However, when looking closer at the terms, it seems some data collection and ip logging does actually occur. The UI also seems a bit lacking, but if you prefer pseudo-anonymous sign-ups (no email or phone number), and more decentralisation, this seems a great choice.

There’s a long thread about Element here. In the thread, Syphon is suggested - an open-source app using the same Matrix network. However it’s only maintained by one developer, meaning the implementation might be harder to trust.

Threema (location in Switzerland) looks like an ideal alternative. However, as it’s paid-only, convincing your friends to use it will be very difficult.

Status (reviewed here) is worth a mention because of its pseudo-anonymous account creation. The company is also based in Switzerland. However it seems bloated with a few extra features (a browser and a crypto-currency wallet).

Password Managers

It would be incredibly difficult, if not impossible to remember unique passwords for every service you use. A naive solution might be to write them down on paper, or save them in a text file, but storing passwords in ‘plain-text’ can be easily lost or stolen.

Password managers offer two different solutions to this problem, by saving encrypted passwords on a secure server, or by generating them from a function of inputs (e.g. website address + user name + master password). Deterministic password managers require no data to be stored anywhere, as they’re calculated on the fly.

There are pros and cons to each approach. Storing passwords on a server allows for completely random passwords, and keeps a record of the services you use. However, it’s all at the cost of a) trusting someone with your data, and b) trusting their servers are secure. Many password managers are also based in the US.

Deterministic password solutions seem better because no one is trusted with your data, but if your ‘master password’ is discovered (e.g. via keylogging software), an attacker could potentially crack all your passwords by function of its inputs (e.g. by also finding out your username, and the service's website address). You’d also have to remember different inputs for every service, especially if you use multiple usernames.

There’s a list of password managers outlined here and here.

Self-hosting Bitwarden is probably the best option, as even though Bitwarden is a US company, its software is open-source. However, self-hosting is time-consuming to maintain, and can be configured insecurely. If you don’t want to self-host, Bitwarden is still better than LastPass, as LastPass uses proprietary software, and its parent company LogMeIn was acquired by private US equity firms.

If you have a bit of technical knowledge, Pass (tutorial here) is the simplest (and most elegant) solution using GPG. Whilst Pass is programmed in bash, it’s open-source, well unit-tested and seems to have a nice community.

However, storing encrypted passwords locally is a target for malware, especially as your GPG-key’s passphrase could be caught by key-loggers. Keylogging concerns any service, but services like Bitwarden mitigate it with additional measures, such as preventing log-ins from different IP addresses, and two-step authentication. Two-step authentication seems possible with Pass using a YubiKey, but the setup looks complex (see here, here and here). The GPG key could be kept on a remote server and temporarily downloaded via SSH using two-step authentication, but Pass might need to be modified.

If you use Pass, it would be wise to backup your GPG key, as if it’s lost, your passwords are toast. Using a faux password on the local key would keep any backups safe, as a compromised faux password won't affect the backup.

Hosting encrypted passwords on a private GitHub repo is probably ok, but GitHub is a US company. Hosting your own private GitHub repo might be more secure, but it comes with the same maintainability / configuration issues as explained above.

Smartphone / Tablet

It’s much easier to lock-down your laptop than your smartphone or tablet, as these can be easily identified. This is concerning seeing as mobile devices are becoming evermore ubiquitous.

Phone-calls and messages are normally sent unencrypted, so it’s best to avoid these methods of communication, and only use encrypted apps where possible.

Try to replace any Google-apps with (preferably open-source) alternatives.

A VPN and encrypted DNS can help hide your IP address from your ISP. Changing your DNS server can also help to block ads and trackers. LibreDNS (tutorial here) seems a good example, as it’s open source and based in Germany.

Smartphone browsers aren’t very customisable, so something designed for additional privacy should be used, like Firefox Focus Brave with all the 'privacy shields' activated. The default search engine should be changed to something more private.

It’s worth knowing that your phone can't be made private, because of two unique identifiers: the IMEI (International Mobile Equipment Identity) and IMSI (Individual Manufacturer Subscriber Identity).

The IMSI (burnt into your SIM card) is used by cell phone towers when connecting you to a network, which leaks your location. Cell phone towers keep recrods for a long time, and authorities (or third parties) can use IMSI-capture devices to intercept them.

Turning off your phone (or using airplane mode) won’t solve this. The only solution is to use a burner phone, or nothing at all.

If you use an iPhone, don't jailbreak it. It may remove protections that keep you safe from third-party developers.

It's probably worth getting a phone camera cover.

Computer

Generally you should only download and run programs from verified developers.

Anything downloaded from browser pop-ups (especially Flash installers) are probably malware. Downloading cracked programs from P2P file-sharing services (like BitTorrent) are likely to contain malware.

Malware typically infects and then persists, by either living in plain sight, or by evading detection. If you use macOS, Patrick Wardle provides free tools to help diagnose and remove malware. He outlines the basics of macOS malware at the 2015 Black Hat Conference.

Beware of 'free' virus scanners. They're normally given full-access to your computer, which is concerning as they may sell your data.

To improve macOS security, there’s lots of useful information collected in guides like this and this.

Unless you use Linux, there’s a good chance Microsoft / Apple will collect your data. Regardless, here’s some steps to improve your computer’s privacy:

• Use a private browser (like Firefox or the Tor Browser).
• Use a VPN (that prevents DNS leaks) or the Tor Browser to hide data from your ISP.
• Encrypt outgoing DNS traffic, or at least encrypt outgoing DNS traffic over HTTPS in your browser. (This might not be compatible with your VPN).
• When on a public network, ensure your web traffic only passes through a VPN (i.e. the internet won’t work if the VPN is turned off).
• Update the hosts file to block known adwares, malwares and trackers.

More information on improving macOS security can be found here.

It's probably worth getting a webcam cover.

VPN

It’s worth reading this, this and this to understand why VPNs don’t provide total anonymity.

VPNs help to:

• Ensure traffic is encrypted on a public network.
• Circumvent geo-locking by hiding the content’s IP address (the ISP will only see the VPN server's IP address).
• Add an additional layer of privacy when running Tor over VPN (but bridges might still be a better solution).

VPNs won’t:

• Encrypt HTTP requests after they leave the VPN’s servers.
• Prevent you from being tracked by a service like Google if you login through a VPN.
• Always change your DNS settings. If you use your ISP’s default DNS settings (accessed via HTTP), your ISP will still see the webpages being accessed.
• Always adhere to ‘no log’ policies. It’s very rare to find a VPN that doesn’t log something. If the VPN’s jurisdiction is within the 14 eyes, logs may be handed over to authorities (by force, or through agreement).

It’s worth researching VPNs and their parent companies before purchasing one. For example, Cyberghost and Zenmate were both purchased by Kape Technologies, formerly known as Crossrider, who bundled malware in their products. One of the CEOs (Koby Menachemi) may have been part of Unit 8200 (the Israeli version of the NSA / GCHQ).

Here’s some other VPNs to avoid.

A list of worthy VPN services are listed here and here.

Out of these, Mullvad seems one of the better choices, perhaps validated by Mozilla VPN's decision to use their servers and technology. The Mullvad website also has a Tor address, and allows payment with cryptocurrency. Whilst they tout no-logs, they’re still based in Sweden (part of the 14 eyes), which is concerning considering the Sweedsh Court Surveillance of Data Act came into force on 1st April 2020.

IPVN is based in Gibraltar (questionably outside of the 14 eyes, see here and here) and has been audited for no logs. However, it seems they track some minor analytics on their website (including a redacted IP), so truly anonymous payments might be trickier.

If it’s difficult to decide, both services can be purchased for a single month in succession. Comparison charts are also available here and here.

DNS

If you don't want to use a VPN, it’s worth trying to encrypt outgoing DNS traffic, as it’s normally done over HTTP. There are two things to encrypt - DNS over TLS and DNS over HTTPS.

On macOS, dnscrypt-proxy could be used in conjunction with dnsmasq (see tutorial).

Alternatively, DNS over TLS could be configured with knot-resolver (see tutorial), and DNS over HTTPS by setting your browser to use something from this list. LibreDNS seems a solid choice.

Cryptocurrency

If used properly, cryptocurrencies help to preserve your privacy whilst making a purchase.

Cryptocurrency transactions are chained together in a public, decentralised blockchain. As it's public, every transaction includes information like IP addresses, transaction addresses, and the transaction's value.

Wallets use a private key to access a transaction address' value. Modern hierarchical deterministic (HD) wallets use the same private key for various addresses, rather than creating new keys for each address.

As the identity of transactions and wallets aren't clear, cryptocurrencies are considered pseudonymous. Pseudonymity shouldn't be confused with anonymity, as cryptocurrencies aren't totally anonymous. As regulations become tighter, anonymity becomes harder.

If you're looking to buy some small amounts of bitcoin to make anonymous transactions, you'll first need a privacy focused wallet. Blockstream Green is a good example, as it has an option to use the Tor network built in.

You'll then need to swap fiat money for cryptocurrency, which is very difficult. Never buy cryptocurrency from an exchange with Know Your Customer (KYC), as you'll need to provide identification. A list of exchanges without KYC can be found here, however most of them probably require some level of KYC (email, phone number, etc), and may ask for further identification at any stage.

There exist other options to buy anonymous cryptocurrency, but most of them have significant drawbacks. Depending on your country, swapping cash for cryptocurrency at cryptocurrency ATMs is probably the easiest (and safest) way to avoid KYC (map here), especially for smaller amounts.

If you can't find an ATM without KYC, your best bet is to sign up to a cryptocurrency trading website (like Hodl Hodl, or Paxful). If you do this, use an alias email address, fake username, and if you must provide a phone number, use a discardable SIM. Beware these platforms are prone to scams, and it can take time to find a reputable seller, or complete a transaction.

If this seems too unsafe, whilst unsavoury, it's possible to buy through the KYC process, and then use a mixing service like bitcoinmixer.io (more listed here) to obfuscate transaction relationships with algorithms like CoinJoin.

After purchasing some cryptocurrency, the transaction requires a number of confirmations (through a process of mining) before it can be used. Occasionally transactions get stuck in an 'unconfirmed' state, which can happen if the mining fee is set too low. Miners work by exchanging a small fee for the processing time it takes to confirm a transaction. The lower the fee, the longer the transaction may stay unconfirmed. This can be avoided by checking the fee before purchasing.

Once you’ve bought some cryptocurrency, you can follow this tutorial to pay for things anonymously. At the very least, use the Tor Browser to mask your location whilst making a purchase.

Closing Notes

The NSA revelations suggest it’s probably safer to be over-cautious, rather than too relaxed, as ignorance is easy to exploit. However, as there’s no perfect solution, there’s always a tradeoff to be made between paranoia and practicality.

Nothing beats abstaining from technology, but if you have the time and expertise, hosting open-source solutions on your your own server would be the safest (most private) option.

If you choose third-party solutions, follow them on Twitter, and check their blogs often. Companies (especially smaller ones) often get acquired by larger companies. If the acquisitions seem suspicious, the parent company seems troubling, or the company’s jurisdiction changes, it’s worth finding another provider. If you don't check, these changes might happen invisibly.

Appendix

5 Eyes (avoid)

1. Australia
2. Canada
3. New Zealand
4. United Kingdom
5. United States

9 Eyes (try to avoid)

6. Denmark
7. France
8. Netherlands
9. Norway

14 Eyes (try to avoid)

10. Germany (getting worse)
11. Belgium
12. Italy
13. Sweden
14. Spain

Useful Websites

• 14 eyes
• Privacy Tools
• Restore Privacy
• PRISM Break
• The complete list of alternative to all Google products
• How to restore your privacy huge list
• Alternatives to google and facebook and reclaiming privacy
• List of privacy-conscious email services
• Drop Google
• Privacy Brochure - A Benchmark Study
• εxodus - Android app privacy audit
• Tachtical Tech
• Data Detox Kit
• PrivacyTests.org

The following websites are worth a read, but may not be as accurate:

• Proprivacy
• Privacy Watchdog
• NSA in Germany