General Online Habits
This section is a collection of general advice and miscellaneous tips that don’t really make sense on any other pages.
Phishing & Clicking Links
Phishing has been and remains one of the top ways to gain unauthorized access to a specific machine, account, or network. Phishing occurs when a person clicks on a link and either enters information or downloads a payload that gives a malicious actor access to an account or device. In the case of malware, the attacker can access the data on that machine or the network the machine is connected to. Typically this link-clicking occurs in the form of an email that appears to be legitimate, such as an email that appears to be from your bank asking you to confirm account details or to see an enclosed attachment. Phishing could also come in the form of malicious, fake ads (called “malvertising”), which have become so prevalent that even the FBI now recommends that you use an ad-blocker. This is why ad-blockers are so important. The final common phishing technique is when an attacker contacts you claiming to be in a position of authority or expertise and asks you for sensitive information about yourself (for example, a phone call from someone claiming to be an IRS agent who needs to verify your information for tax purposes, or the IT guy who needs to remote into your work device for some reason).
The best way to avoid phishing is to be overly cautious. If something seems out of character, contact the person and ask about it. For example, if your bank sends an email requiring confirmation of something, ignore the email and go straight to their website. If it’s legitimate, the same warning will pop up when you log in or be waiting in your messages. If you’re still not sure, contact their support team and ask.
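One reason “go straight to their website” is better advice than “look at the link” is that a link can contain your bank’s name and still point somewhere else entirely. The following is an added example (not part of this page) that shows how to check where a link really leads: it pulls out the hostname a browser would connect to and accepts it only if it is the expected domain or a subdomain of it. The domains and links are constructed samples, not real sites.

```python
from urllib.parse import urlparse

# Constructed sample links of the kind that show up in phishing emails.
# None of these are real domains.
SAMPLE_LINKS = [
    "https://www.bank.example/login",                    # genuine
    "https://secure.bank.example/confirm",               # genuine subdomain
    "https://bank.example.verify-account.test/login",    # bank name buried in attacker-owned host
    "https://bank-example.test/login",                   # lookalike spelling
    "http://203.0.113.7/bank.example/login",             # bare IP, bank name only in the path
    "https://bank.example@evil.test/login",              # bank name in the userinfo part, host is evil.test
]


def link_host(url: str) -> str:
    """Return the hostname a browser would actually connect to for this link.

    urlparse().hostname already strips the scheme, any user@ prefix, the port
    and the path, which is exactly the part a casual reader tends to misjudge.
    """
    parsed = urlparse(url)
    return (parsed.hostname or "").lower()


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or a subdomain of it.

    A substring check is not enough: 'bank.example' appears inside
    'bank.example.verify-account.test', but that host belongs to whoever
    controls 'verify-account.test'. Matching on the right-hand end of the
    hostname is what makes the check meaningful.
    """
    host = link_host(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def triage(links, expected_domain):
    """Map each link to whether it genuinely belongs to expected_domain."""
    return {url: belongs_to(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, ok in triage(SAMPLE_LINKS, "bank.example").items():
        print(("OK      " if ok else "SUSPECT ") + link_host(url).ljust(36) + url)
```

Only the first two sample links pass; the other four all contain the string “bank.example” somewhere and all lead elsewhere. The same logic is what a mail filter or a browser extension applies, but the habit the page recommends (typing the bank’s address yourself) sidesteps the problem without any tooling.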
Think carefully about what information you share and what it reveals. Back in the early days of social media, it was common that people would publicly share that they were going on vacation for a week, so criminals in the area would find the house and rob it while they were gone. That exact crime may or may not live on, but the principle still does. One woman had a stalker find her because she took a selfie where the street sign was visible. I’m not saying don’t share anything online, simply to be mindful of what information is visible in the photo, such as a company logo on your shirt or financial information in your screenshot.
Additionally, this extends into non-public internet spaces. For example, next time you sign up for a website or pay for something online, try submitting no information at all. It will likely reload the page and mark the mandatory fields, but you might be surprised what information is optional. You should view every website as a data breach waiting to happen, and anything that isn’t a password or card number is probably not encrypted (and sometimes even those aren’t), so the less personal information you hand over the better. If you are required to hand over information but the requesting site or service doesn’t actually need it, consider using disinformation.
If you are simply a “lurker” (someone who likes to view content but not comment), there are a lot of really great front-ends available that allow you to view content while reducing or eliminating the number of trackers on a website, almost like a proxy. For Twitter, there are numerous Nitter instances. For YouTube, there’s a host of Invidious instances and the NewPipe app for Android users. For Reddit, there’s Libreddit and Teddit. For Instagram, there’s Bibliogram. For TikTok, ProxiTalk has recently entered the scene. Sadly there are no web-based Facebook or Snapchat front-ends that I’m aware of. If you’d like, there’s an extension called LibRedirect that you can use to automatically redirect any links you click to the front-end of your choice. (Note that with the rise of services such as ChatGPT, many companies are now requiring a login or “rate-limiting” the number of posts you can see without an account. This may affect front-ends and make them difficult to use in some cases.)
If you feel the need to have social media, try checking out the decentralized and more privacy-respecting Fediverse. This is a volunteer run, peer-to-peer social networking system, and one of the coolest things about it (in my opinion) is the “federation” for which it’s named. Imagine if you had a Twitter account but wanted to follow someone on Instagram. In mainstream social media, you have to sign up for Instagram. On the Fediverse, you can follow them from your own platform even without creating a new account. For Twitter fans I recommend Mastodon. For Instagram fans, PixelFed. Facebook users might feel more comfortable on Friendica and YouTube users might find new content on PeerTube.
While I discourage mainstream social media services for a number of reasons, I understand that sometimes you have no choice in using them. My recommendation would be to not use the apps, post as little as possible, and make your profile as private as possible.
Whether you stick with mainstream social media or use a privacy-focused alternative, I discourage using the same username or handle across all your social media accounts unless you’re building a professional brand. I suggest using your password manager to generate a two or three random word passphrase and then use that as your handle. Also be sure to use a unique alias email for each account. Repeat as needed for every site and account. If somebody decides to cyberstalk you, this can make it harder for them to find all of your accounts. This also protects against credential stuffing.
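To make the “random word passphrase as a handle” idea concrete, here is an added example (not from this page, and not how any particular password manager works internally) that draws words with the `secrets` module rather than `random`, assigns a different handle to every site, and reports how much guessing work a handle of a given length represents. The word list is a constructed sixteen-word sample; a real password manager uses a list of thousands of words, which is what the entropy figure for 7776 words below reflects.

```python
import math
import secrets

# Constructed sample word list. Real diceware-style lists hold ~7776 words.
WORDLIST = [
    "acorn", "basil", "cobalt", "dune", "ember", "fjord", "glint", "harbor",
    "iris", "juniper", "kelp", "lumen", "maple", "nectar", "opal", "pebble",
]


def random_handle(words: int = 3, wordlist=WORDLIST, sep: str = "-") -> str:
    """Join `words` words chosen uniformly at random from `wordlist`.

    secrets.choice is used instead of random.choice because the whole point
    of the handle is that it cannot be predicted or reproduced by someone else.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def handle_entropy_bits(words: int, wordlist_size: int) -> float:
    """Bits of entropy in a handle of `words` words drawn from a list of `wordlist_size`.

    Each word contributes log2(wordlist_size) bits, so with 7776 words
    two words give ~25.9 bits and three give ~38.8 bits.
    """
    return words * math.log2(wordlist_size)


def handles_for_sites(sites, words: int = 3, wordlist=WORDLIST) -> dict:
    """Return one distinct handle per site so accounts cannot be linked by name.

    Collisions are rare with a real-sized list but cheap to guard against,
    so a repeated handle is simply regenerated.
    """
    assigned = {}
    for site in sites:
        handle = random_handle(words, wordlist)
        while handle in assigned.values():
            handle = random_handle(words, wordlist)
        assigned[site] = handle
    return assigned


if __name__ == "__main__":
    # Constructed site names for the demonstration.
    for site, handle in handles_for_sites(["forum-a", "forum-b", "shop-c"]).items():
        print(f"{site:10s} {handle}")
    print(f"3 words from a 7776-word list: {handle_entropy_bits(3, 7776):.1f} bits")
```

Pair each generated handle with a unique alias email, as the paragraph above recommends, and store both in the password manager entry for that site; the handle is then as unguessable as a short passphrase and shares nothing with your other accounts.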
Change your default search engine. Google tracks all of your searches and records them, and these are all added to your profile to create a more complete picture of you as a person. There are no perfect solutions in this space, but there are many options. Most privacy-respecting search engines are actually “metasearch” engines, meaning that they don’t actually pull their own results but rather proxy the results of other search engines like Google, Bing, or Yandex. This can present problems if the engine these services pull from decides to censor content. Below I have listed some of the options out there along with what service they pull results from. Again, there are no perfect solutions here. Each service has drawbacks or controversies. Please do your research and select the one that best fits your threat model and priorities.
Veteran privacy enthusiasts may notice that two of the most popular metasearch engines, DuckDuckGo and Startpage, are not listed on this site. Both of these search engines have lost my trust in spectacular fashion, and I cannot in good conscience recommend them to my audience. DuckDuckGo lost my trust when they were caught red-handed allowlisting Microsoft trackers in their browser, with no disclosure to their users. They then tried to downplay the incident. This incident makes me very suspicious of what else they may be hiding that we simply haven’t caught them doing yet and therefore they haven’t owned up to.
Startpage lost my trust after announcing they had entered into a partnership with System1, an advertising company, and offering absolutely no further explanation around the nature of this relationship, how they promised to continue to ensure user privacy, or anything else. When the privacy community understandably asked for more information surrounding this partnership, Startpage was silent, ignoring all questions or delivering canned PR responses. The entire incident was handled poorly when it should’ve been obvious that they would’ve faced such questions. This mistrust was only exacerbated for me personally when they were interviewed on OptOut Podcast, where the representative referenced that their CEO had a “special agreement” with Google which allowed them to operate, but failed to give any more insight into the nature of that agreement. Startpage is also notorious for blocking VPN and Tor IP addresses, despite billing themselves as a privacy-friendly company. All this to say, Startpage’s extreme lack of transparency and contradictory policies have failed to inspire any modicum of trust in me and I do not recommend them.
Before readers contact me about these last two paragraphs, I encourage you to reference our About page and remember that you are welcome to use whatever you like, I am merely offering my suggestions.
[Search engine comparison table not reproduced here. Table notes: listed in alphabetical order, not order of recommendation; for some entries the service results are pulled from depends on the instance.]
Delete any and all unused accounts. This includes old social media accounts, library accounts, work accounts, services you signed up for once and never used again, etc. If you can’t delete them for whatever reason, change them to a secure password and hold onto it somewhere safe. The exceptions to this are that I recommend holding onto old email accounts, and I recommend “planting your flag” on important accounts that are prone to fraud, such as unemployment. For the email accounts, you never know what you once used them for and when you might need them again for that purpose.