Step 1: Think
The first step to privacy is not doing or downloading anything, but actually thinking about what is important to you. What do you want to protect? What does modesty mean to you? Who are you trying to avoid? How do you want to be seen?
The answer to these questions, as far as privacy goes, lies in the concept of a threat model. A threat model is a line of thought that asks these questions, among others:
What are you protecting?
How sought after is your valuable thing?
Who are you protecting it from?
How are you gonna protect it?
The first question is answered by what you hold dear. Family, money, love, and reputation are some thoughts that might come to mind. How are you going to protect these things? Who are you protecting them from? Let’s roll with the answer of money, because it’s pretty straightforward. Protecting a small amount of money is pretty easy. No one is gonna hunt you down and track you for $20. Thus a threat model for $20 would look like avoiding shady areas of town, using a secure bank, or hiding it in a safe. But what if you had $2,000,000? That would attract some attention. You would then have to think about where to store such an amount, how to keep thieves out of it, and how to avoid robbers who would seek to extort you for it. Things just got a whole lot more complicated. The scope of what you want to protect directly influences how much effort it takes to protect such an asset.
Modesty is another concept to consider. How do you feel about others knowing something about you? This one really comes down to personality. Some extroverts are perfectly fine with every detail about them being public. Some might expertly craft a front for their person, making it seem like they’re perfect. Others, however, are made very uncomfortable by being known, through a strong sense of modesty. This doesn’t come from a source of shame or lawlessness, but rather a personal moral code, or even a defensive complex. And neither is wrong; they are simply different.
And next comes the old saying, “If you have nothing to hide, why be private?” People who don’t want to be known are not hiding something just because they are private. Curtains are a good example of this. Most residential houses have them, so that they can be opened and closed at the residents’ leisure. Imagine if your neighbor, upon seeing you close your curtains, said those words. “Why are you closing your curtains? What do you have to hide?” Nothing but modesty. The curtains are there for the comfort and control of the resident, not the neighbor. Privacy is the same; and even though some don’t care to be shown to the world, others care deeply. And when it comes to personal devices, homes, biometric data and the like, the people that own those things should be in control of their right to be known and their sphere of control. Privacy is about taking back that control in a world of eyes, ears, and grabbing hands.
Step 2: Research and Security
Now that you know what you want to protect and who wants to take it from you, it’s time to hit the books. How are you gonna protect these things? How strong and willful is your adversary? This is where security comes in. There are two major areas to think about in this regard: physical and digital security. Physical privacy is usually much easier than digital security; things like curtains, sunglasses, and trees can obscure you from people’s attention. Measures like safes, personal arms, and habits like locking your doors are simple means of security. Again, the scope of what you’re protecting plays a part. A corporation guarding a vault of gold bars is obviously gonna have best-in-class protections. Contrast that with a minimum wage paycheck: no one is gonna try to steal it unless it is convenient to do so. Research best practices on physical security based on what you are protecting.
Now for digital security, which is a little more complicated but still pretty easy for the average person. Here are some general tips on how to stay safe online through security:
Never download anything unless you trust the source, especially executable files like .exes and .dlls. The same goes for mobile: never download untrusted apps, even from Google Play or the Apple App Store.
If using Windows, always keep Windows Defender or another antivirus running. Do monthly virus scans of your machine.
Never hand out any info to strangers, especially if they contact you. If it’s a serious inquiry, terminate communication and contact them yourself through official contacts you find through research.
Never visit websites you don’t know, unless you disable JavaScript and have a blocker running.
Never connect to public networks unless you have a VPN.
Always use 2FA for accounts and make sure passwords are 8 characters or more and contain letters, numbers, capitals, and symbols.
If you practice these principles of computer hygiene, you will be secure enough to move on to actual privacy measures. While security is a great foundation for privacy, it is not comprehensive. We will have to take more measures to combat corporate, government, and unlawful violations of your privacy.
Step 3: Privacy (Finally)
Now it’s time to address the holes in your privacy. Many are content with security being their only divider between what they care about and those who would seek to destroy it. But there are some holes to address, mainly stemming from corporate data harvesting, government overreach, and bad actors. These three threats are the repeat actors due to their unprecedented scale of reach. With bad actors, security will pretty much take care of them, but governments and corporations are much more sly. They take measures behind the scenes to backdoor their way into what you care about.
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
Some examples of this behavior include the US Congress’ attempt to destroy free speech under the guise of protecting children, China’s Great Firewall, which cuts off the flow of free opinions and promotes interior propaganda, the European Union’s bill on chat control, which seeks a backdoor into everything everyone says in online messengers, and all of those countries’ incessant attempts to ban encryption in general, putting everyone at risk of malware. It is clear that governments not only seek to erode digital rights, but also do not know a single thing when it comes to online safety and security. Without encryption, for example, all of your finances would be open to bad actors and thieves, your address would be even more public than it already is, and a lot of important parts of your life would now be exposed to dangerous people. Obviously protecting against this level of ignorance should be in everyone’s threat model.
On the corporate side, you have events like Meta basically ignoring EU law, Google removing “don’t be evil” from their code of conduct, phone companies constantly tracking your location and selling it to advertisers, Adobe quietly changing their privacy policy (and getting a lot of backlash for it) to give them the right to train AI with your content, Microsoft attempting and failing to put Recall into Windows, which would “see” everything you do and constantly monitor your activity, and a mountain of other infractions which are basically just operation fees for businesses with that much money. Personal data is extremely valuable, so much so that major corporations forgo their seemingly lucrative main projects like Facebook and Windows, to eagerly trade in personal data. The only way to stop this massive machine is by jamming the cog you operate.
Step 4: Applicable Measures
Most people have 2 devices that they use (not counting consoles, smart TVs or the like) that make up the majority of their privacy concern: their PC and their phone. Here are my setups for good security and privacy on your devices without sacrificing too much convenience or ease of use.
Mobile:
Foundation/OS:
If you happen to be getting a new phone, grab a Fairphone or Google Pixel and install Calyx OS on it. If you use a different phone make, install E OS or Lineage OS (see supported devices E OS, Lineage OS), which are not as comprehensive, but still offer better safeguards than stock Android. This prevents Android from sending mounds of personal info like your location, conversations, pictures, and app activity to Google. You can still use Google services and apps through MicroG.
Calyx Hardening:
Firewall: CalyxOS comes with a firewall called Datura; set it to auto deny internet access and only grant access to apps you trust.
VPN: Turn on CalyxVPN when connecting to a network and then install either Proton VPN (free) or Mullvad VPN (best). In Settings>Network & Internet, enable global VPN, always-on VPN, and force all connections through VPN. That way all of your internet traffic is routed through your VPN, even in your work profile and other users.
DNS: In Settings>Network & Internet>Private DNS, switch to a privacy friendly DNS provider like base.dns.mullvad.net
App Permissions: In Settings>Apps>AllApps, turn off permissions that apps don’t need on a case-by-case basis. E.g. photos does not need location access. In Settings>Special App Access, do the same, paying close attention to Device admin apps and All files access. Only trusted apps should have these permissions.
Location: consider not using location at all, but if you do, manage it via MicroG and app permissions.
Camera & Microphone: Put buttons in your main nav menu to toggle Microphone and Camera access. Only enable it when you need it and remember to disable it after.
Password: In Settings>Security, set a password with at least 5 characters, if not more.
Settings: Have a look at Settings>Privacy & Security for settings relevant to your setup and threat model. Make sure to turn on Auto Reboot, which prevents hackers from unlocking your phone if it is ever stolen. Also turn off USB access, which disables USB connections to your phone for the same reason.
LTE and Phone Service: Calyx works with any phone service, but the most privacy friendly is going to be JMP.chat. Phone service is $5/mo and data service is $5/GB pay as you use. JMP integrates with XMPP messengers, meaning that if your recipient also uses XMPP, you can encrypt your message traffic. JMP also allows for SMS texting, calling, and connection to SIP accounts. JMP also protects you from phone companies’ data harvesting, with the exception that they can still triangulate your location via cell tower connection. Choose from the variety of XMPP messengers for your chat app; I use Cheogram for mobile and Gajim for desktop. Follow their guide here.
Other Apps
CalyxOS has a suite of utilities already installed and ready to go, but there are a few more I would personally add for a good experience.
Once your VPN is set up, go to FDroid, which comes preinstalled with Calyx. I have a list of good apps on my Android page, but essentials are listed here:
Aurora Store: Allows you to install apps from Google Play without going to Google.
Cheogram or another XMPP client: for chatting and JMP integration.
DroidFS: for storing and encrypting personal files like pictures or documents
Iceraven or Fennec: for browsing the web
Organic Maps: for navigation
Proton Mail: for emails
Sentry: for phone security if it ever lands in a bad actor’s hands or you lose it.
SimpleX Chat: for secure and anonymous conversations
uBlock Origin, Privacy Badger, and NoScript: for extra browser security and privacy
Note: If installing privacy hostile programs, Iceraven, Fennec, and Firefox have an “add to homepage” feature that allows you to add a webpage to your app drawer that looks and behaves just like an app. If you make a copy of your browser with work profile, you can isolate a website, Instagram for example, in the work profile and browser, rather than having the native app running and taking your data that way.
To do so, find the work profile app, press Manage Content and App Access, and turn on Iceraven or Fennec. A new instance of Iceraven or Fennec will appear in your app drawer with a suitcase icon below it. This is the isolated work profile browser. Open it and visit the website you want to use. Press Settings and Add to Homescreen. Voila! You now have a privacy friendly version of said app, without the need for the actual app.
Desktop
Now for your desktop or laptop computer. While there are ways to debloat and harden Windows, Linux is a much more privacy-friendly environment. macOS is also out of the picture, because while Apple markets itself as privacy friendly and boundary respecting, it is just as bad as Google and Microsoft and sits behind an uncustomizable walled garden.
For the purposes of simplicity and security, I recommend Linux Mint Debian Edition. While other distros like Qubes or Kali are more security oriented, I think Mint does enough without sacrificing quality of life features or ease of use. If your threat model demands more security, then upgrade to Qubes, but for the average person LMDE works just fine.
First step is to install LMDE. If you’re not ready to part with Windows, try dual-booting and slowly migrate to Linux, rather than just jumping in the deep end and drowning right off the bat. There are plenty of guides on how to install Linux, but I won’t get into those details here.
LMDE is already pretty great with privacy to start with, so there won’t be much to do here once you get over the initial hurdle of installing.
VPN: Use Proton or Mullvad and turn on quantum resistance, DAITA, and also multihop if you want extra security at the cost of speed. Also enable lockdown mode to prevent connections without a VPN.
Flatpak: Always try to use flatpaks if possible. They are sandboxed from the start, and you can also install Flatseal to fine tune each application’s permissions. Generally, applications on Flathub are open source and privacy respecting (but not always).
Passwords: Use KeePass or KeePassXC to encrypt and store all your passwords, instead of keeping them in an unencrypted text file or forgetting them 24/7.
Browsers: Use Mullvad Browser or LibreWolf to have an enhanced and fingerprint free browsing experience.
Addons: Use uBlock Origin, Privacy Badger, and NoScript to further enhance your browser’s malware blocking ability.
Use other FOSS software from my list of the best Linux Applications.
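To go with the Flatpak item above, here is an added example (not part of the original guide) that audits the permissions a Flatpak app declares, since sandboxing only helps if the app has not been granted broad access. The sample metadata and the app name org.example.PhotoTool are constructed, and the RISKY table is this example's own choice of grants to flag.

```python
import configparser

# Constructed `flatpak info --show-metadata <app-id>` output (hypothetical app).
SAMPLE_METADATA = """\
[Application]
name=org.example.PhotoTool
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

# Grants that weaken the sandbox, with the reason each one matters.
RISKY = {
    ("filesystems", "host"): "access to nearly the whole filesystem",
    ("filesystems", "home"): "access to the entire home directory",
    ("devices", "all"): "access to every device node, including webcams",
    ("sockets", "x11"): "X11 lets the app observe input to other windows",
    ("sockets", "session-bus"): "unfiltered access to the session D-Bus",
    ("sockets", "system-bus"): "unfiltered access to the system D-Bus",
}

def audit(metadata_text):
    """Return sorted (key, value, reason) findings for one app's metadata."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(metadata_text)
    findings = []
    if parser.has_section("Context"):
        for key, raw in parser.items("Context"):
            for value in filter(None, (v.strip() for v in raw.split(";"))):
                # "home:ro" is still a broad grant; "!home" is an explicit deny.
                base = value.split(":", 1)[0]
                if (key, base) in RISKY:
                    findings.append((key, value, RISKY[(key, base)]))
    # Talking to the Flatpak service lets an app run commands on the host.
    if parser.get("Session Bus Policy", "org.freedesktop.Flatpak", fallback="") == "talk":
        findings.append(("session-bus", "org.freedesktop.Flatpak",
                         "can ask the host to run commands outside the sandbox"))
    return sorted(findings)

if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE_METADATA):
        print(f"{key}={value}: {reason}")
```

Feed it the real output of `flatpak info --show-metadata <app-id>` for an installed app. Anything it flags can be tightened in Flatseal or with `flatpak override --user`, for example `--nofilesystem=home`.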