General notes on gaining more privacy

Because the war is not lost

Before anything, I changed my PGP key and contact information.

I've recently made a post on my journal about the recent privacy concerns that keep me worried for the future of the world. In fact, this post was originally meant as part of that, but it got so big I decided it should be its own post. I will try to write this post without assuming any prior knowledge beyond the basics of how to use a computer, but I also won't be going in depth on anything in specific - I trust that you can search more deeply on any of these topics.

So yeah, what do you do when the world thinks you should have no privacy? The answer last time was "as much as you can". This is what you can do, from easiest to hardest. This list also includes things you should do before anything else, as well as non-technical advice that will boost your privacy even without doing anything to your gadgets. I genuinely think anyone can do any/all of these relatively easily (except for the degoogling part if they don't read the tutorials well and switching to Linux if you don't have the storage to make a backup of your files).

First things first

Shoot the Cookie Monster

Before anything, ditch Google Search as much as you can. Start using something like DuckDuckGo, or do some searching to find other privacy-respecting search engines. If you're looking for the indie web, you can also just use wiby, it's really nice. But yeah, anything but Google and Bing is better than what you're doing right now.

That aside, any website can gather so much data you may not even be aware of. The first type is cookies - most of the websites you go to make your browser keep and return a file so that the website can remember you. If you go to a website and don't have to log in every time you turn on your computer, that's a cookie. Pre-cached website data, login tokens, website setting preferences, et cetera - they are all cookies. Cookies by themselves are useful and convenient, but unfortunately not all websites use them well. For instance, some websites and vendors embed cookies in images that other websites would then use, and some make contracts with websites to read and collect data from certain cookies to then form a profile on you. These are all what is called "third-party cookies", and since the EU's policies forced websites' hands, websites are now required to let you know what cookies they use and what data is collected on you - in the form of a Privacy Policy. This is why you always get those annoying pop-ups that you most likely clicked "accept all" for every website that you connect to.

You'd do well to reject all the cookies that you can: some can be automatically rejected by your browser, some by your adblocker, and some only by you. Be sure to also read the privacy policies of the websites you want to start using.

Any website can also see a lot of (sometimes intrusive) information that your browser just gives so websites can work better.
I will talk about this more in the browser section later on, but even the ones of you that won't do any of this should still be warned.

Make a threat model

What are you hiding from? Advertisers? A crazy ex? Random people on the internet? A hacker group? The U.S. government? All of these will require different levels of privacy, with each allowing or prohibiting certain tools. For instance, if you're hiding from the U.S. government you may want to stop using a phone - after all, they can triangulate your location through the cell tower response times. However, that's not the kind of info advertisers are looking for, and your crazy ex will (hopefully) not have access to cell towers. Then again, if your crazy ex works for the police you may want to stop driving a car.

No one can realistically make a threat model for you. You know your situation better than anyone else, and so you will have to consider what is and isn't "too much".

Recognize that you are not a ghost

This is not a guide on how to disappear online. Chances are you aren't looking to live in a cabin in the woods made entirely by you with your bare hands so the feds can't follow the money trail. (...man now that I think about it that would be awesome) No, this is moreso a guide on how to be more private online.

There are certain things that you know are technically a breach in security but that you also rely on. The obvious example being YouTube if you make videos (technically there are alternatives, but no one really goes there). I do not trust WhatsApp (especially since they are owned by Facebook), but way too many friends and family use it for me to afford not being there. I still make a push for people to talk to me through Signal instead, but WhatsApp isn't going away any time soon.

This does not, however, defeat the purpose of looking for more privacy in your daily life. First, you become aware of the problems with the things you still decide to use, and can begin to attempt to mitigate them.
Second, you start recognizing why you need them, and when they stop serving that purpose you will remember to delete them instead of letting them spy on you passively. The third thing is that just because you don't delete some things doesn't mean that you can't delete others - less outgoing data to less places is a significant improvement over being an open book. Lastly, the mere use of some of these should give you a better experience online (less load times and no ads, for instance).

Reject Convenience on YouTube (who also has a cool website) made a wonderful video on the compromises and concessions one has to make depending on their situation, I suggest you give it a watch.

The easy stuff

Get a better browser

The things I wrote under this section are technically easier, but you will likely use your browser more than anything else. As such, might as well put it first.

Like I said in the cookies section (you NEED to read it), this is where we talk about fingerprinting. There are many websites out there to reveal to you as much information as possible from your browser, like CoverYourTracks and DeviceInfo. Generally, websites will not be using most of this data, but this is the sort of data you're already allowing random websites to see, and it can be used to identify you. Some browsers have a strong protection against some of these metrics, but you must also consider that not a lot of people use the same setup you use, even if your setup is intended to give as little data as possible. This is your "fingerprint". Once again, whether you care or not mostly comes down to your threat model, but even when you're just protecting against advertisers, these websites can sell the data related to the user with your browser characteristics and that alone can be used to identify you.

The Mullvad Browser seems to be one of the best when it comes to fingerprinting. Almost all Mullvad users have similar fingerprints, so the more people that use it, the better it is.
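
To make the "fingerprint" idea concrete, here is an added example (not part of the original post, and not code from any browser project) that measures how many visitors share each fingerprint in a small constructed population. The attribute names, the visitor list and the "Uniform/1.0" browser are made-up assumptions standing in for a browser whose users all report the same values.

```python
import math

# Attributes a site could read; names and values below are constructed for illustration.
ATTRS = ("user_agent", "screen", "timezone", "fonts")


def visitor(name, *values):
    """Build one visitor record from a name and one value per attribute."""
    return dict(zip(("name",) + ATTRS, (name,) + values))


# Hypothetical browser that reports identical values for every one of its users.
UNIFORM = ("Uniform/1.0", "1400x900", "UTC+0", "bundled")

VISITORS = [
    # Ordinary setups: each value is common, the combination often is not.
    visitor("alice", "Chrome/Windows", "1920x1080", "UTC-5", "fonts-A"),
    visitor("bob", "Chrome/Windows", "1920x1080", "UTC-5", "fonts-B"),
    visitor("carol", "Chrome/Windows", "1366x768", "UTC+1", "fonts-A"),
    visitor("dave", "Safari/macOS", "2560x1600", "UTC-8", "fonts-C"),
    visitor("erin", "Firefox/Linux", "1920x1080", "UTC+1", "fonts-D"),
    visitor("frank", "Chrome/Windows", "1920x1080", "UTC-5", "fonts-A"),
    # A heavily customised setup: reveals little, but nobody else looks like it.
    visitor("grace", "Custom/Unknown", "1234x777", "UTC+0", "none"),
    # Four users of the uniform browser.
    visitor("heidi", *UNIFORM),
    visitor("ivan", *UNIFORM),
    visitor("judy", *UNIFORM),
    visitor("karl", *UNIFORM),
]


def fingerprint(v, attrs=ATTRS):
    """The tuple of attribute values a site would see for this visitor."""
    return tuple(v[a] for a in attrs)


def anonymity_set_size(v, population, attrs=ATTRS):
    """How many visitors (including v) are indistinguishable from v."""
    fp = fingerprint(v, attrs)
    return sum(1 for p in population if fingerprint(p, attrs) == fp)


def surprisal_bits(v, population, attrs=ATTRS):
    """Bits of identifying information: -log2(share of visitors with this fingerprint)."""
    return -math.log2(anonymity_set_size(v, population, attrs) / len(population))


def report(population):
    """(name, anonymity set size, bits) per visitor, most identifiable first."""
    rows = [(p["name"], anonymity_set_size(p, population),
             round(surprisal_bits(p, population), 2)) for p in population]
    return sorted(rows, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    for name, size, bits in report(VISITORS):
        print(f"{name:6} shares a fingerprint with {size} visitor(s), {bits} bits")
```

The customised setup ends up in an anonymity set of one, while the uniform-browser users hide among each other, which is the reason the set grows as more people use the same browser.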
Librewolf is also an honorable mention, with their general tracking protection.

Nuke ads out of your life

Want a break from the ads? The ad experience on most websites sucks. If your web browser doesn't block them by default, however, you should - no, you MUST! - install an adblocker extension, especially because they by themselves also block ad tracking cookies. uBlock Origin is by far the most popular of this kind, but Chromium browsers may have some problems with it, considering Google actively hates adblockers.

Alternatively, you can choose to poison (and then block) ads. adNauseam is a project that does just that, but it's only really useful if your threat model is ad companies (or brokers that buy profiles from those ad companies). The idea here is that they can't build a profile on you if you lie about your interests - this extension clicks every ad (and then blocks it so you don't have to deal with them) in an attempt to poison these profiles. Apparently this works well enough, but I don't blame you if you're wary of an extension that "clicks every ad".

Start using better app stores

I use Android (up until recently it was just straight up the correct choice), so I don't know anything about AltStore, but if it's anything like F-Droid, it's an alternative app store that mainly serves open-source apps for you to install. Always have a preference for alternative app stores and open-source software and only use the pre-installed app stores when/if there are no apps that actually do what you want. However, even if F-Droid doesn't have your app, downloading it from Aurora instead of Google Play is still a step in the right direction. There are some apps that demand being installed from Play Store, but there are probably workarounds for those (this is not a tutorial on installing apps from outside the Play Store).

Now you may notice that these app stores - especially F-Droid - are all worried about Google preventing you from installing unauthorized apps.
This is all true and beyond sharing the word and signing the petition (which, as you know, does not tend to be a reliable source of change), there is not much that can be done other than starting now. Don't leave these things for tomorrow. Start working on your privacy today because tomorrow the bridge that takes you there may not be there anymore.

Murder Spotify with a chainsaw (and better alternatives to other apps)

I wanted to go through things from least extreme change to most extreme. Considering you're reading someone's personal website, chances are you already know this, but unlike an email (which sucks to replace) or YouTube (which you might be uploading videos to), there is literally no reason to ever use Spotify. Not a single one ever.

Music? Easiest way is to download YouTube music uploads with a tool like yt-dlp for PC and NewPipe (which uses yt-dlp under the hood) for Android. Apple users may use yattee. Now you listen to music in your music app (personally I go with Metro). Podcasts? Hundreds of podcast apps out there, I settled with AntennaPod. Music recommendations? Ask people like in the old days, it's a good conversation starter! (or alternatively hop on Wolp.World and ask cammy for music recommendations lololololol)

Just in general, replacing apps and services that don't respect you with ones that do is always a good move forward. Here's a list:
I probably forgot something, but search around - chances are there's an app on F-Droid that is just what you need, and a repository on GitHub with everything you need.

I mentioned Proton and their suite quite a bit. They are well known and relatively trusted by privacy-conscious people, but don't put all your eggs into one basket. I personally started using their email service myself, but I'm not touching their other apps just because I don't want to give them that trust. You can do whatever you want, though.

Delete accounts you don't need

I've been thinking a lot about bowls and stuff I don't need. Especially when it comes to the internet, there are things I don't need (to various extents), but that I still have accounts for. Some of these accounts have a lot of sensitive stuff.
Jokes aside, I was using Discord for some things, but the really important one was friends, which I got some to contact me through my new email, and some to contact me through Signal. There are some things and groups I will miss, but not as much as I hate Discord right now.

If you want to delete all of your messages, it will take a while but there is a browser extension - discrub - that allows you to archive and mass delete your messages on both servers and DMs. I'd recommend scrubbing these messages, but in reality I don't know to what extent these deleted messages aren't still stored on Discord's servers for their own nefarious ends. I also do not care to find out.

Forget your passwords, all of them

Have you ever looked up your email on haveibeenpwned? Chances are, if you use your email for long enough it will show up there, and so will your passwords if you have a tendency to use the same ones. Even if it isn't there, you should at least consider that l33t_h4x0r420 might have this sensitive data on their computer and just not have sold it yet.

There has been a lot of advice on password safety over the years, everyone knows you should change letters to numbers and symbols to introduce entropy and whatnot but really, that sucks to remember, even with a mnemonic. And even if you have a different password for every website, if it is <password>_youtube, <password>_instagram, et cetera, a hacker only needs to crack one password to know them all. This is still better than just <password> because of entropy, but once they know that's what you do it's over.

The trick? Use passwords you will never be able to remember. Use an open-source password manager like KeePassXC, Bitwarden, or another one you keep in hand to generate random passwords and keep them encrypted. Of course, to decrypt them you will need to use a password of your own, but if that one is also random and you keep typing it for some time, you can rely on muscle memory.
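
As an added example (not from the original post and not code from KeePassXC or Bitwarden), the sketch below audits your own list of passwords for the `<password>_youtube` habit described above and replaces the flagged entries with random ones. The vault contents, the function names and the 20-character length are constructed assumptions; in practice the input would be an export from your own password manager that you delete afterwards.

```python
import math
import re
import secrets
import string
from collections import defaultdict

# 75 symbols: letters, digits and a few punctuation marks most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed sample vault (site -> password); none of these are real credentials.
SAMPLE_VAULT = {
    "youtube": "Tr0ub4dor_youtube",
    "instagram": "Tr0ub4dor_instagram",
    "forum": "forum-Tr0ub4dor",
    "email": "Tr0ub4dor",
    "bank": "q7#Lm2^xVp9@Zr4&Wd1k",
}


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def generate_password(length=20):
    """Random password from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def stem(site, password):
    """Strip the site name and surrounding separators; what remains is the reused part."""
    cleaned = re.sub(re.escape(site), "", password, flags=re.IGNORECASE)
    return cleaned.strip("_-.@!# ").lower()


def find_derived_passwords(vault):
    """Group sites whose passwords reduce to the same stem (reuse or <stem>_<site>)."""
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[stem(site, password)].append(site)
    return {s: sorted(sites) for s, sites in groups.items() if len(sites) > 1}


def rotate(vault):
    """Return a copy of the vault with every flagged entry replaced by a random password."""
    flagged = {site for sites in find_derived_passwords(vault).values() for site in sites}
    return {site: generate_password() if site in flagged else password
            for site, password in vault.items()}


if __name__ == "__main__":
    for shared, sites in find_derived_passwords(SAMPLE_VAULT).items():
        print(f"{len(sites)} sites fall together if one leaks: {', '.join(sites)}")
    print(f"random 20-char password: about {entropy_bits(20):.0f} bits")
    print("still flagged after rotation:", find_derived_passwords(rotate(SAMPLE_VAULT)))
```

Once the scheme is known, the site suffix adds no entropy at all, which is why all four entries are grouped under one stem while the random bank password is left alone.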
The best password is one not even you know.

(Don't) get yourself a VPN

The web is just a bunch of computers using each other to get and deliver data. When you connected to this page, you asked a DNS server what computer had the website "lurkbeforepost.win", then connected to my hosting service's computer and asked it for the data at location "/home/public/tutorials/privacy". Every computer you connected to knows you connected to it (after all, they have to know who to respond to). But what if you didn't have to do that?

Back when we were kids and you were ashamed to ask someone out, you'd ask a close friend to exchange the communication for you. A VPN does the exact same thing: you ask another computer to do all the searches you need, and all those other computers think they are talking to that computer instead of yours. This is great if you want to access materials banned from your country and keep your IP address hidden from the websites you're connecting to, but since you're trusting the VPN to handle communication, you have to trust the VPN itself. Not completely - HTTPS encrypts the data you're exchanging with the websites you're connecting to, so the VPN only knows that you're connecting to a website, but it still knows what websites you connect to. This also does not prevent fingerprinting - only your connection is different, you're not suddenly using a different machine.

The appeal of a VPN, of course, depends on your threat model. If you're just trying to pirate things off the internet, any VPN will work, but if you're hiding from advertisers, you have to get a VPN that won't sell the data they're gathering. If you're hiding from the government, you have to make sure they keep no logs. Or better yet, use the dark web.

You do NOT need a VPN, however, for most things - especially for the things that VPNs market themselves for. If your threat model does not require you to obfuscate your IP address, you absolutely do not need a VPN.
Don't spend money on a product that you don't need. If you want to know more about VPNs (and especially about their most common marketing lies), Reject Convenience did a deep dive that you should check out (really, this guy is a gem). Alternatively, Tom Scott made a video focusing especially on those lies (old but still accurate).
Word on the street is Mullvad VPN is the cool kid on the block. It looks pretty good on Techlore's metrics, Mullvad in general has a great reputation among the tech community for their privacy-conscious browser and their practically clean subpoenas. This does not mean you should trust them - like Biggie said, "never trust nobody" - but it seems like this is your safest bet when it comes to VPNs. That said, if you really want to become a ghost, consider using the dark web.

Commitment

Switch to Linux, it's actually not that hard

Your computer is spying on you. You already know this, everyone does. Microslop and Apple are both hungry for your personal data, and they will take it no matter how many settings you try to turn off.

If you're coming from Windows you might be thinking Linux is hard to learn, and you fear the terminal with your life. If you're a developer you may be reluctantly familiar with the shell (heck, you may even be using Linux for compiling open source code without knowing!), but it feels really scary to be messing with that stuff if you don't know what you're doing. Linux Mint makes this generally seamless for most people. My family has been using Mint for several months beyond screencasting to the TV to watch movies (the solution for which was only a search away).

Now, you may have a bit of a holdup when it comes to software. It's true, some software doesn't work on Linux without workarounds. However, to this there are usually two answers: translation layers (like Wine and Proton) and open source software that actually respects your privacy. Sticking to these two options works most of the time. If your computer is good enough (it probably is) you can also use a virtual machine to still use Windows but not in a way that matters to them.

Learn to use PGP encryption

A while back I made a tutorial on PGP signing and encryption.
While encryption is good for sending correspondence without being understood (imagine a fed that somehow gets access to your emails but can't read anything because you encrypted everything manually lolololol), signing is important if you ever want to fight impersonators. Not useful for people who don't want to be recognized, but really useful for establishing trust without needing to meet the person behind the screen.

Start using the dark web (and specifically Tor)

There we go, Lurk finally said the spooky words.

Back in the section about VPNs, I explained that in that case you're asking another computer to do the searches for you. That computer will know what websites you connected to, so you have to trust that it won't log information. But what if you wanted to stay actually anonymous? The answer to that is simple - more "VPN"s! Ask a computer to connect to another one to connect to another one and that one finally connects to your website. The website will only see the final computer, you only see the first computer, and those only see the middle computer, all the while the message itself is encrypted with HTTPS so the only useful information (what websites you visited) is something only the exit node will know without knowing who you are. There is, of course, more than this - like everything else in this page, you can do the deep dive yourself - but that's basically how Tor works. In practice, Tor is an (often very slow) open-source decentralized anonymous VPN!

However, there's more than that. Tor and I2P aren't called "the dark web" just because they are anonymous. The actual reason is much simpler: there are loads of beautiful websites that only live in the Tor Network or the I2P Network. They can't be catalogued by DNS servers because these websites don't connect to the clearnet, so that alone should be a reason to try them out and go explore. I mean, you're reading some random guy's personal website on the clearnet, the dark web is full of those.
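
The difference between the single-hop VPN described earlier and the chain of relays described above can be shown with a small simulation. This is an added example, not part of the original post and not Tor's real cell format or key exchange: the relay names, `example.org`, and the toy cipher (a SHA-256 keystream with an HMAC tag, standing in for real authenticated encryption) are assumptions made so it runs with only the standard library.

```python
import hashlib
import hmac
import json
import os


def keystream(key, nonce, n):
    """Toy keystream: SHA-256 in counter mode. Illustration only, never for real data."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key, obj):
    """Encrypt and tag a JSON object so only the holder of `key` can open it."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return (nonce + tag + body).hex()


def unseal(key, blob):
    """Open one layer; raises ValueError if the layer was sealed for another key."""
    raw = bytes.fromhex(blob)
    nonce, tag, body = raw[:16], raw[16:48], raw[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer is not addressed to this key")
    plain = bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))
    return json.loads(plain)


def build_onion(path, keys, destination, request):
    """Wrap the request once per relay, starting with the innermost (last) hop."""
    layer = {"next": destination, "payload": request}
    for relay in reversed(path):
        layer = {"next": relay, "payload": seal(keys[relay], layer)}
    return layer  # addressed to the first relay


def route(client, packet, keys):
    """Pass the packet along the path, recording what each party can observe."""
    seen = {}
    sender, hop, payload = client, packet["next"], packet["payload"]
    while hop in keys:  # a relay peels exactly one layer
        inner = unseal(keys[hop], payload)
        seen[hop] = {"from": sender, "to": inner["next"]}
        sender, hop, payload = hop, inner["next"], inner["payload"]
    seen[hop] = {"from": sender, "request": payload}  # the destination website
    return seen


def simulate(path, client="you", destination="example.org"):
    """Run one request through `path`; a one-element path models a VPN."""
    keys = {relay: os.urandom(32) for relay in path}
    # The request stands for an HTTPS stream, opaque to every relay.
    packet = build_onion(path, keys, destination, "<TLS-encrypted request>")
    return route(client, packet, keys)


def knows_both(seen, client="you", destination="example.org"):
    """Relays that can link who is asking to which site is being visited."""
    return [relay for relay, view in seen.items()
            if view.get("from") == client and view.get("to") == destination]


if __name__ == "__main__":
    for label, path in (("VPN", ["vpn"]), ("3 relays", ["guard", "middle", "exit"])):
        seen = simulate(path)
        print(label, json.dumps(seen, indent=2))
        print("  can link you to the site:", knows_both(seen) or "nobody")
```

With one hop, the VPN sees both ends of the connection; with three, each relay only learns its neighbours, and the site sees the exit relay as the sender.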
Now you may be thinking the dark web and the websites within it are only for criminals. In truth, this isn't the case. Sure, people there talk a lot more openly about drugs and whatnot, but the truth is the dark web is just like the normal internet, with maybe a few more journalists, activists and whistleblowers. There are a lot of markets for drugs and whatnot - it's true - but the truly heinous stuff like "red rooms" and "rent a hitman" sites are feds trying to catch gullible criminals. Most websites are personal websites like this one or forums about privacy. SomeOrdinaryGamers would often lurk around these websites looking for cool things. Now you can too!

De-Google your phone

Android is a Google property and as such comes preloaded with proprietary Google apps you can't normally delete. Worse yet, very soon Google will start locking down Android in such a way that users won't have the freedom to install whatever apps they want. While there are some things that can be done, along with some expected workarounds, your best bet for both security, privacy and freedom seems to be GrapheneOS. They have all sorts of privacy features and are by far the hardest to crack, according to law enforcement. Unfortunately it is still a Google Pixel exclusive, but that is about to change.

In relatively recent news, Motorola will start complying with GrapheneOS's strict hardware requirements. This means you won't have to pay Google to get GrapheneOS, but we still don't know what this means for the price floor of GrapheneOS-compatible phones. It's overall a win, though.

If you've got the money, get a phone that can support GrapheneOS. If you can't, try LineageOS or /e/. If your phone is incompatible with either, try to debloat your phone as much as possible. Both of these options are for the more technically savvy readers, hence why it's down here at the bottom, but if you've already made the switch to Linux, you should be okay.
I'm still not responsible if you brick your phone though, do it at your own risk.

Encrypt your drives!

This will admittedly require you to consider if your threat model calls for it, but if you're defending against anyone that can physically steal or otherwise access your computer, you need to keep your files safe (and most importantly, unreadable). Of course, the best way to do it is by encrypting the whole drive. The specification most people use is LUKS, but like the "L" implies, it relies on Linux (which admittedly you should already be using). If you still want to use Windows, however, you will need to use the terminal. There are others, and there are likely some compatible with other OS's, but that's for you to figure out.

TailsOS in your pocket right NOW!

This one is for when you're on the run and no computer is safe, but really you should always keep this as a plan-B. TailsOS is an operating system that you cannot install. Instead, it is a version of Linux that runs off your USB stick and does not store anything in the host computer. All internet traffic goes through the Tor Network for anonymity and once you take off the USB stick there will be no trace that you were ever there.

This tool is perfect for activists, journalists, whistleblowers that have to stay on the run and can't afford to stay too long at any one computer or leave behind any evidence that they were ever online, and abuse victims that have to mask their presence online during the short amounts of time away from their abusers. Even if you never use TailsOS, you should always keep a USB with you just in case.

Obfuscating the money trail

Every time you use your credit card, your bank (and whoever else runs your account, like an abuser) knows what money you're spending and in what. If you want privacy from that too, your usual choice is cash. It's practically untraceable, but the problem is that it can only buy the things that you can find physically around you.
So what do you do about online money?

I'm going to lose half of the people reading this when I mention the dreaded word - "cryptocurrency" - but the truth is that before it was an asset to be traded like a stock, cryptocurrencies were meant to be anonymous ways of trading money for goods and services without requiring a central authority (like a central bank or government to control it). Essentially if no one knows your wallet is yours, no one will know you have the crypto you have.

Most cryptocurrencies lost their anonymity when stock trading services started including them. After all, these apps often require your ID and whatnot, and while these cryptocurrencies were meant to be anonymous, they were also meant to be transparent, showing all the times and wallets that have done any transaction of any one coin. Monero, however, is different and has stayed true to its purpose, also making it impossible to determine past transactions while still being trustworthy in its validity.

Now if you've been actually reading what I've written, this may sound like a cool idea if you want to pay for a service but want no one to know you paid for it. As you may imagine, this is also why Mullvad VPN (as well as a lot of other privacy-oriented services) accepts Monero as a form of payment. If you're interested in knowing more about it, Mental Outlaw made a great introductory video that you should check out.

Non-technical good ideas

Don't do crimes, they land you in jail.

This should go without saying, but a lot of the reason our privacy is under attack is the lie that only criminals need privacy. When they call it "criminal's choice", you should either hear "honeypot" or "gold standard". Now, if you were to join the userbase of each of these projects it sends one of two messages. If you're a normal citizen, it sends the message that the will for privacy is not dead, that normal people still understand they need to escape mass surveillance.
If you're a criminal, you're giving credibility to the myth.

If you do crime regardless, your bad OpSec will still catch up to you. The question isn't if you'll get caught, it's about when you'll get caught. Your gadgets will not save you if you can't follow the Ten Crack Commandments. You are not as intelligent as you think you are.

Stay paranoid, contact your congressmen

A lot of the things I'm about to say are particularly important so you keep your sanity and keep remembering why life is worth living. Having that said, you can never let yourself become complacent. Our right to privacy is constantly under attack from all sorts of companies and politicians, and even when we have a win (which are rare these days), we can't forget that we're still treated as criminals for simply using tools that respect our rights.

Find your congressmen and representatives' contacts and send them letters and emails on how worried you are for the future of privacy. Give feedback to the people that actually have some way of changing things. Spread the word, get the people in your life to also be more private in their lives.

I personally have a list of songs that keep me on edge so I don't forget to stay paranoid. I find that listening to them while already on edge makes me focus as well. Maybe try that too?

Go outside. I actually mean it.

A lot of privacy concerns are all about the data you put out there. You are human, with human interests and human relationships. You will stare at things you're interested in, you will talk about things you care about, you will overshare when you talk to your online friends. This is all normal and honestly this is also your weakest link in OpSec (a.k.a. operational security, behaving in a way that will be harder for your enemy to track).

There are three ways to deal with data tracking. You can block it (e.g. adblockers like uBlock Origin), you can poison it (e.g. adNauseam), or you can obfuscate it (e.g. using a VPN).
These tools should not simply be used alone, it's generally best to use all of them when you can. However (and I guess this falls on "blocking") the one that will do you best is just producing less data in the first place (though usually more if you make sure your phone is not listening in).

This is both a good strategy for not being spied on as much (companies can't spy on your messages if you're talking face to face instead), but also a way to unplug and just generally live better. Spend more time IRL, talk to friends, grow in your prayer life, eat well, learn a hobby, read a book, go work out. You were never meant to be connected to the rest of the world 24/7, and that seems to be a reason for the mental health crisis these days. They can't control you if you don't let them control your mind or your body.

Burn some fat, run like the wind

Admittedly, this is something I have been lacking on, but it's genuinely important. The word "gymnasium" comes to us from the Greek. It meant to describe an institution dedicated to both study and physical training, for a man was not complete if he disregarded one or the other. In our modern culture we have come to idolize mental prowess and disregard physical ability, partly because of a strong focus on non-violence. The Greeks (and then the Romans, "Mens sana in corpore sano."), however, knew that a healthy mind requires a healthy body. You must not neglect your body.

The founding fathers of the United States of America recognized (hence the need for the Second Amendment) that no matter what rights a country grants its citizens, they can only exist if the citizens themselves can defend them if their government betrays them. You cannot defend your right to privacy or free speech if you can't defend yourself or run away from dangerous situations.

Specifically when it comes to running, a good way of protecting your privacy is having an escape route/plan if things go wrong. How well do you know your city?
If dropped at any given point, do you know how to get anywhere else? Do you have a sense of scale of how far/close things are? What about your stamina, can you run away from a threat? These are questions that you'll generally only find the answers to by doing a little jog every once in a while. Stop driving your car, stop using public transport - go running throughout your city and make a mental map of the area, then next time go through a different path. Explore every nook and cranny, and challenge yourself to go faster than other times.

As for strength training, personally I go to a gym. There's all sorts of machines that make exercise easier, and I still lack the discipline to know when to stop and continue if I was left unattended. I hope to fix that step by step and eventually move out of the gym, but right now I'm alright where I am.

However, if you don't want a gym to track you (they, of course, almost certainly keep logs of when any given person entered and left the building, et cetera), you can delve into the world of calisthenics. Calisthenics is a technique that for the most part uses only your body and its weight for strength training. I like to think it applies to any training without material, but the definition is a bit more strict than that. Either way, if you find monkey bars at the local park be sure to use them.

Learn a craft that will be useful in the apocalypse

Come to think of it, apocalyptic scenarios kind of require privacy, right? The society that created mass surveillance is no longer something you can rely on, so now you must live from what little you can make. Even in the real world of today, they can't track what you make from scratch. But what can you make?

Can you make a fire without matches? Can you make pottery from dirt? If your shirt gets ripped, can you sew it back together? In fact, do you know how to make clothes in general? Can you make paper if you stop having access to it? Can you make rope?
Can you cook in the great outdoors? These are all things I often think about when I think of living privately. If the world collapses, what can you bring to the table?

Learn a craft and keep working at it. If anything, you may find you like what you chose even beyond your original intent, or alternatively you may find you can do things few people around you can. If you learn how to sew, you can mend your clothes or even make new ones, but even in the normal world you can still make plushies you can gift your kid or your niece. This is, again, why I love Hairpin Mamire, a VTuber that does all sorts of arts and crafts.

Maybe living off grid in a cabin in the woods made entirely by your own hand really is the privacy-paranoid man's dream.

Get a library card

Few people ever talk about the power of the library. It's a place where you can read just about anything for free, rent movies for free, you likely have computers in which you can connect to the internet with your TailsOS USB drive, and (and this depends on the library, of course) you may get extra perks. Either way, simply being able to bring physical paper books with you anywhere is a good enough perk for me, books on a digital screen are always a slog to get through compared to physical ones.

Of course, all the books and movies you take out of the library will be tracked, but not only is the library itself a public place that won't be associated with your home network traffic, but it's also a good place to meet up with people and hang out without raising suspicion. You know, aside from the obvious - everything you could ever want to learn about anything, both technical knowledge and what it means to be human, chances are you will find it in a book. Do yourself a favor, start going to your library from time to time, even if you don't end up getting a card.

Lawyer. Passport. Locksmith. Gun.

One of the best videos on YouTube in my opinion is DeviantOllam's talk "Lawyer. Passport. Locksmith. Gun.".
It's all about preparedness, just like we've been talking about this whole post. Being prepared for legal trouble, because that will always happen someday, even when you're not a criminal. Being prepared for moving to a different country if things get too bad. Being prepared to get back home, in case you lose your keys. Being prepared to defend yourself and the people that you care about most.

I do not think there is anything I can add to this video that wouldn't be redundant. Please watch it.

Final word

This is not an extensive list. I have not mentioned anything about privacy screen filters or metadata scrubbing or any of the other things I forgot to mention. Privacy and OpSec is a world out there, and my hope isn't that this post gave you a roadmap but rather a place to start. Please do proper research on any of these topics before going through any of the changes here.