How to protect your privacy online: notes for my paranoid friend

I've got a friend who seems to be paralyzed with fear of the tracking happening on the modern Internet. He barely dares turn on a computer. This is someone who was a very early adopter of the Internet, worked for many years building web sites and infrastructure.

This bit of writing will hopefully help my friend assess the risks and take appropriate actions to re-connect with the modern internet safely. It's generally applicable so worth reading to anyone.

How am I the expert?
I've been using the Internet since before the World Wide Web existed and built a career around being an Internet nerd. Building web sites, helping companies get online. Eventually the discipline of web analytics emerged and I got heavily into it. So much so that I started a very successful meetup nearly ten years ago that has grown into a fantastic community of practitioners who run a monthly meetup and an annual unconference.

Tracking peoples' behaviour on the Internet is what I do. I even have a bookmark folder labelled "Evil Tracking" which chronicles mechanisms people have developed to get around security limitations and track in ways you're not supposed to.

Then I got concerned
I never worried too much about all the tracking we were doing. For many years the default for people like me was to track everything you could and worry about how you'd use it later. It wasn't such a huge problem at the time because the technology was too primitive, the data sets too disjointed and no single player really had a thorough enough view of any individual's behaviour to be worrying.

The technology got better, the players consolidated into the now familiar omnipotent FAANGs (Facebook, Apple, Amazon, Netflix and Google) who could see vast portions of your online behaviour. There's a good chance that your behaviour right now is being tracked by some or all of those players. If you're reading this on my site, it's got at least Google Analytics on it.

My friend is right about what's going on: every app you open and web site you visit is tracking you and sending the data to powerful global players. Mostly they do this to target advertising at you with slightly more precision, then measure the impact of that targeting and advertising.

These days I spend a huge amount more time thinking about and taking action on privacy. The last few years I've spent a lot of time with lawyers, privacy experts and ethicists. I've also had a lot to learn about ethics, ethical reasoning, mechanisms to work through the implications of proposals and more general philosophical matters.

Match your action to your level of risk
If you're Edward Snowden, a dissident Uigher, an ambassador or spy, your level of risk is going to be much higher than an ordinary schlub like me. The Snowden leaks of the NSA's Taillored Access Operations show that if you're important enough for the spooks to put in some effort, they can physically intercept your hardware and install basically invisible stuff to monitor everything at the hardware level.

You and I are not those targets. Nobody cares enough to break into our house, open our laptop and solder in an expensive custom minutarized implant to send everything back to Fort Meade, Beijing or Tehran. It's sufficient for us to protect ourselves from the wholesale harvesting of data and not go to the levels of effort you'd need to have to protect yourself from the NSA.

Third-party dragnet tracking is easy to block
I'm not an absolute zealot on this. I run Android. My email and file storage uses Google. I watch a lot of YouTube. I have to be practical. However where I try to keep things under control is the vast range of uncontrolled third-party tracking on the web and in apps. Fortunately it's relatively simple to block the vast majority of this.

What I mean is that if you're visiting and it's sending data to, you can trivially block that and still use without any negative impact to you. Needless to say if you go to's site directly (or Google or Amazon etc), they're going to be able to track you. You have to pick the battles you can take on and the steps I take massively reduce my data exhaust being hoovered up. But I'm not invisible.

Browser and browser settings
The first level of protection is to use a browser that doesn't straight up invade your privacy. Don't use Chrome. Firefox is a good choice, though they're not perfect. They use some mildly dark patterns to trick you into sending telemetry back to their servers by default. Go through the settings and pick the most stringent settings you can work with. Introduce exceptions where you have to and are willing to.

This is your first line of defence.

I don't use Brave, though it's probably not the worst choice. I just don't trust the guy who started it (also responsible for unleashing JavaScript on the world, make of that what you will). The various ways they've been found to do slightly iffy things hasn't filled me with confidence either.

Ad and tracker blocking
Next you want to block ads and tracking pixels. Here we're fortunate that most developers are lazy. The tracking code on the web is loaded from a central location and the tracking data is send to a central location.

Ad blocking extensions in your browser load up blacklists of known tracking endpoints and simply block them. This means faster loading webpages, no ads and importantly no tracking! A better world all around.

Of course there is a cost. Sometimes the ad blocker will interfere with site functionality. If you're willing to tinker, you can often disable just the bits causing problems and continue. In the worst case, you can whitelist a specific site so it runs all its crap. Or open up your browser's Porn Mode, do what you need to do on the offending site, close the window and all the associate cookies and other long-term tracking info is gone.

The best ad blocker is without a doubt UBlock Origin. Just having it loaded with the defaults is a great start. Go through the settings and you can add more stringent blacklists and rules. It also has the cool dropper tool where you can select specific DOM elements in the page to remove. Great for popups and other annoyances.

DNS blocking
Next line of defence is DNS blocking. As most of the trackers and ad crap is centralised, you can block the DNS entries for much of it so it never even loads. This approach captures devices where you can't install your own software, like smart TVs, Internet of Things devices, phones and anything else connected to your local network.

There's a couple of ways to do this:
  • The Pi-hole uses a Raspberry Pi (or other cheap, low power computer) to run a custom DNS server with a range of blacklists on it. It's a great little system and works well, though only on your local network. Apart from the cost of the Raspberry Pi (and you can use one of the older, lower powered ones), it's free.
  • NextDNS is a paid service I use which does much the same but without you having to run a local server. It also allows you to protect your phone and other devices when you're away from your local network. It's really handy and simple to use.

A nice side effect: your ISP's blacklists that block things like The Pirate Bay are avoided because they're also done at the DNS level and you're no longer using their DNS servers.

How about your phone?
Mobile phones are filthy cesspits of tracking. Even if you don't have any apps (which all have tracking software inside), the manufacturers are all tracking you, whether that be Android (Google), iPhone (Apple) or one of the other Android players (Google still gets their data, Samsung, Huawei etc take their own too).

The only option I can offer if you want a phone but are totally uncomfortable with the tracking would be some of the open source options. But they're clunky and you won't have any of the particularly useful apps. Though I suppose you can browse the web and make phone calls.

Some options. I haven't explored this recently.
Of course the browser on your phone should be something like Firefox too, which has some limited ad blocking functionality too.

App telemetry
If you're going to be paranoid, you're going to need to get used to going through any settings on software you're using. The defaults tend to phone home and send telemetry, which you might want to disable.

Avoiding the FAANGs
So you've mostly cleansed your own hardware and software, but what about the services? Well you can still do a lot of things locally the old school way, and there's generally alternatives for any of the particularly problematic applications.

  • Search:
    • DuckDuckGo are a great search engine. Change your browser over to it now. Learn about the shortcuts that will take your search to other search engines for when it doesn't find you what you need. And don't install their apps, you don't need them.
  • Email:
    • Use a local email client and your ISP's mail server
    • Online services Fastmail, Protonmail are probably kosher
  • Maps:
    • It's funny to think how much we've got used to Google Maps. Of course Google's tracking where you go! You could try OpenStreetMap which isn't bad, though their directions routing isn't as good
  • Music:
    • Old school: load mp3s and FLAC files and use a local player
    • BandCamp are a great company, though I bet their apps have third-party tracking
    • The old Logitech Squeezebox music server software is still going strong and now supports a wide range of playback hardware including some cheap devices.
  • Media:
    • Jellyfin is an open source alternative to Plex for playing back video files
0 responses