Why Privacy and Security Matter

Digital privacy matters because it affects your human rights, your personal and professional relationships, and your well-being. Your privacy is essential in a digital world where your data can be exploited, but many people think it is too late to protect it. It is not. Your privacy is at stake, and you should care about it. Privacy is about power, and it is very important that this power is in the right hands.

Privacy is about information that relates to human beings, and this matters because we know that information can give power over people. If we want to be true, happy, and free humans, we have to care about the rules that govern our information. So much of our modern life depends on information. When you buy something online, read the news, search for something, vote, get directions, or anything else, you are using information. If we live in an information society, our information counts, and so does privacy.

  • Digital privacy protects your freedom of expression and access to information. You have the right to express yourself online without fear of censorship, surveillance, or retaliation. You also have the right to access information that is relevant to your interests, needs, and opinions. Without digital privacy, you may be subject to manipulation, discrimination, or persecution based on your online activity.
  • Digital privacy protects your identity and reputation. You have the right to control how your personal information is collected, used, and shared online. You also have the right to maintain your online reputation and prevent others from misusing or damaging it. Without digital privacy, you may be exposed to identity theft, fraud, cyberbullying, or defamation based on your online data.
  • Digital privacy protects your personal and professional relationships. You have the right to communicate with others online without interference or intrusion. You also have the right to keep your online interactions private and confidential. Without digital privacy, you may be subject to eavesdropping, hacking, or blackmail based on your online communications.
  • Digital privacy protects your well-being and security. You have the right to enjoy online services and platforms without compromising your safety or health. You also have the right to protect yourself from online threats and harms. Without digital privacy, you may be subject to malware, ransomware, phishing, or cyberattacks based on your online behaviour.

These are some reasons why digital privacy matters. Digital privacy is not only about data, but also about dignity, autonomy, and democracy. By protecting your digital privacy, you are protecting yourself and others from online risks and violations. This is part of the problem with the current and modern world, or “trusting trust” as one could say.

Trusting trust is a concept that refers to the problem of verifying the integrity and reliability of software and hardware. It is based on the idea that any system can be compromised by malicious code or backdoors that are hidden in its components. For example, a compiler can be modified to insert malicious code into the programs it compiles, or a hardware chip can be designed to perform unauthorized actions. The concern is that it is very difficult to detect such compromises, since they can affect the tools and methods that are used to check them. Therefore, trusting trust poses a serious challenge for digital security and privacy, as it undermines the confidence and trust that users have in their systems and devices.

So, what exactly is Privacy?

Privacy, security, and anonymity are often confused with each other. You’ll see people say that some products are “not private” when they really mean they don’t offer anonymity, for example. This is a loaded topic, and we will try to cover everything we can, but it is important that you know the difference between them, and when you need each one.

Privacy means that your data is only accessible to the parties you want to share it with. For example, when you use an instant messenger with end-to-end encryption, you have privacy because only you and the recipient can see your message. This topic gets broader, though, once you consider the permissions of that app, the OS the user is running, what else is running on the device, etc.

Security means that you can trust the applications you use (remember trusting trust): that the parties involved are who they claim to be, that the applications do what they say they do, and that they are kept safe. For example, when you browse the web over HTTPS, certificates give you security because they prove that you are connecting directly to the website you’re visiting (kinda). They do help prevent attackers on your network from reading or changing the data you send or receive, though, which is great for online transactions.

Anonymity is the state of being unidentifiable or untraceable on the internet (telling you right now, this is impossible). It means that your online actions and communications cannot be linked to your real identity, location, or device. It means that you can act without a persistent identifier to follow and track you. You might achieve this partially online with Tor (though this isn’t good for the average user), privacy-respecting front-ends and other apps that don’t log anything, VPNs (kinda), proxies (how some front-ends work), encryption, etc.

Pseudonymity is a similar idea, but it lets you have a persistent identifier without linking it to your real identity. If everyone knows you online as @GamerGuy12, but no one knows your real name, that is your pseudonym, though that does not mean the people that host that online name for you are unaware of your IP, name, etc.

These concepts overlap, of course, but you can have any combination of them. The best situation for most people is when all four of these concepts overlap. However, it’s harder to achieve than many think. Sometimes, you have to give up some of these, and that’s okay too. This is where threat modelling helps you make informed choices about the software and services you use.

Privacy vs Secrecy

A common argument against pro-privacy movements is the idea that you don’t need privacy if you have “nothing to hide.” This is a harmful misunderstanding, because it creates a sense that people who want privacy must be doing something illegal, deviant, criminal, shameful, or wrong.

You shouldn’t mix up privacy with secrecy. We know what happens in the bathroom, but you still shut the door. That’s because you value privacy, not secrecy. There are always some things about us—like personal health information, or sexual behaviour—that we wouldn’t want everyone to know, and that’s fine. The desire for privacy is valid, and that’s what makes us human. Privacy is about giving you control over your own information, not about keeping secrets.

Touching on the “nothing to hide” argument

One of the arguments that people use to dismiss the importance of privacy is that they have “nothing to hide.” This is a flawed and dangerous assumption, because it implies that privacy is only for those who are guilty or ashamed of something, as touched on above.
This is not true. Privacy is a fundamental human right and a necessary condition for a free and democratic society. Here are some reasons why you should care about your privacy, even if you have “nothing to hide”:

  • Privacy protects your dignity and autonomy. You have the right to decide what information you want to share with others, and how you want to present yourself online and in person. You also have the right to keep some aspects of your life private, without having to justify or explain them to anyone (like going to the bathroom and having a door closed behind you). Privacy allows you to be yourself, without being judged, manipulated, or exploited by others.
  • Privacy protects your security and safety. You have the right to keep your personal and financial information secure from hackers, scammers, identity thieves, and anyone or anything else. You also have the right to protect yourself from physical harm or harassment by people who may use your online data to track you down, stalk you, or harm you (see: swatting). Privacy helps you avoid these risks and dangers.
  • Privacy protects your freedom and democracy. You have the right to express your opinions, beliefs, and preferences online without fear of censorship, surveillance, or retaliation. You also have the right to access information and resources that are relevant to your interests, needs, and opinions. Privacy enables you to participate in online activities and communities that enrich your life and society.

These are some of the reasons why privacy matters (and why Rynue exists), even if you have “nothing to hide.” Privacy is not about hiding secrets, but about protecting rights. By caring about your privacy, you are caring about yourself and others. Everyone deserves to be able to access and use the internet without giving everything about them away.

To illustrate the importance of privacy, here are some examples of real-world privacy violations that have affected millions of people:

These examples show that privacy violations can happen to anyone and any organization, regardless of their size or industry. They also show that privacy violations can have far-reaching impacts on individuals’ dignity, security, freedom, and democracy. Therefore, it is essential to take measures to protect your privacy online, such as using strong passwords, encrypting your data, updating your software, avoiding phishing emails, and choosing trustworthy online services. Do not even get us started on what’s included in a lot of pirated software. We will help you replace everything with free and auditable software.

Is it about control?

A common way of thinking about privacy is that it is the ability to choose who can see your data. This is a tempting trap to fall into: it sounds good, and it appeals to many people, but in practice it just doesn’t work.

Take cookie consent forms, for example. You may see these many times a day on the different websites you visit, with a nice selection of checkboxes and sliders that let you “customize” your preferences to suit your needs. In the end, we just click the “I Agree” button, because we just want to read the article or buy something. Nobody wants to do a personal privacy check on every single website they visit. This is an exercise in choice design, meant to make you take the easy way out instead of going into a labyrinth of configuration options that don’t need to exist in the first place, and part of how they still manage to find you.

Even if you do everything you can to protect your privacy, sending a photo of yourself at home to your father or friends can expose you to unwanted tracking and profiling. That’s because they may not have the same privacy concerns as you, and they may use services like Google Photos, which can recognize you and add your name to the metadata of the image. This metadata can then link to your contact information on their phone, such as your address, number, or email. This information can then be scraped by other services from these providers and used to create a profile of you. When someone visits your house, they bring all that tracking with them. When you let them connect to your Wi-Fi, you add some spyware to your network, etc.

Control over your privacy inside most apps is an illusion. It’s a shiny dashboard with all sorts of choices you can make about your data, but rarely the choices you’re looking for, like “only use my data to help me.” This type of control is meant to make you feel guilty about your choices, that you “had the choice” to make the apps you use more private, and you chose not to.

Privacy is something we need to have built into the software and services we use by default. You can’t make most apps private on your own. But we’ll help you.

To include some relevant Canadian examples, here are some facts and statistics about cookie consent forms in Canada:

What can you do about it?

We’ve built this guide with the intention to help teach you how to set up and protect yourself from beginner to advanced using real-world examples; us. We’ll show you how to mimic what we have, or how to connect to some hosted services Rynue provides as part of one of the memberships.

Threat Modelling

One of the first and most challenging tasks you’ll face on your privacy journey is the backlash and comments you’ll get from friends and family. It’s okay, we’re a real community and will help and support you. The second is finding the right balance between security, privacy, and usability. Everything is a trade-off: The more secure something is, the more limiting or inconvenient it usually is.
Let’s be real: people find that the problem with the tools they see recommended is that they’re just too hard to start using. That may be from lack of documentation, no clear message on what something does, how to set up hosting, etc. This is a deterrent to many.

This is where we come in. Part of Rynue’s goals and vision is to provide many of these services to our users to help bridge the gap, but we’ve also been through this journey. We’ll share with you the tools we use, the setup we have, etc. We rely heavily on and love Open Source Software. Furthermore, we stand by the community ethos and vision and run our company with this in mind. We wouldn’t be here without that community, and we want everyone to know.

To understand all this, you need to understand a new world

We have all grown up corporatized, even those outside of cities. Google, Microsoft, Meta, Apple, etc. All large names, and all make things we use, but did you know most of these products are made using already free and available data and code?
Richard Stallman and Linus Torvalds are two of the most influential figures in the history and development of free and open source software. They have different personalities, philosophies, and approaches, but they share a common vision of empowering users and developers with software that respects their freedom and collaboration. Most people in this tech community have beliefs built in between these two men.

Richard Stallman is the founder of the GNU Project and the Free Software Foundation (FSF). He is also the creator of the GNU General Public License (GPL), the most widely used free software license. Stallman is a staunch advocate of free software, which he defines as software that gives users the freedom to run, study, share, and modify the software for any purpose. He believes that free software is a matter of social justice and human rights, and that proprietary software is unethical and oppressive. He also coined the term “copyleft”, which is a legal mechanism that uses copyright law to ensure that software remains free for all users.

Stallman started the GNU Project in 1983 to create a complete operating system (Mac, Windows, Android, iOS, etc) that would be entirely free software. He developed many essential components of the GNU system, such as GNU Emacs, GNU Compiler Collection, and GNU Debugger. He also initiated the development of the GNU Hurd kernel, which is still in progress. However, in 1991, another kernel called Linux, developed by Linus Torvalds, became available and was combined with the GNU system to form a complete operating system. Stallman insists on calling this system GNU/Linux, rather than just Linux, to acknowledge the contribution of the GNU Project and to promote the ideals of free software.

(Sorry for the YouTube link; I count 12 trackers blocked on it and I feel bad. Please have uBlock Origin installed.)

Stallman has been recognized for his work with many awards and honours, such as the MacArthur Fellowship, the ACM Grace Murray Hopper Award, the EFF Pioneer Award, and the Internet Hall of Fame. He has also written many essays and books on free software and related topics, such as Free Software, Free Society and Free as in Freedom.

Linus Torvalds is the creator and maintainer of Linux, the kernel that powers millions of devices around the world. He is also the founder and coordinator of the Linux Foundation, a nonprofit organization that supports and promotes Linux and other open source projects. Torvalds is a pragmatic and practical programmer who values efficiency, reliability, and performance over ideology. He prefers to use the term “open source” rather than “free software”, as he believes that it conveys a more positive and realistic message about the benefits of collaborative software development.

Torvalds started Linux in 1991 as a hobby project while he was a student at the University of Helsinki. He posted his code online and invited other programmers to join him in improving it. He adopted the GPL as the license for Linux, which allowed it to be freely distributed and modified by anyone. He also established a decentralized and meritocratic model of development, where he acts as the final arbiter of what goes into the official version of Linux, but also encourages contributions from thousands of developers around the world.

Torvalds has been recognized for his work with many awards and honours as well, such as the Millennium Technology Prize, the IEEE Computer Society Computer Pioneer Award, the Takeda Award, and the C&C Prize. He has also written an autobiography called Just for Fun: The Story of an Accidental Revolutionary.

GNU and Linux Foundation are two organizations that support and promote free and open source software. They have different missions and goals, but they also collaborate on some projects and initiatives.

Now that you have had that short history lesson, we can explain that most of the software we will push and use here is written with the above in mind and is often licensed very similarly. Free, open source software (FOSS) is a movement and a philosophy that aims to empower users and developers with software that respects their freedom and collaboration. FOSS is software that is licensed to be free to use, modify, and distribute for any purpose. FOSS also means that the source code, or the human-readable instructions that make up the software, is available for anyone to view and improve. FOSS is not only about software, but also about values and principles that promote social justice and human rights.

Why it’s important to embrace Free, Open Source Software

Most of what we’ll use is FOSS. It is developed by a community of volunteers who share their code and collaborate to improve the software. Part of Rynue’s profits goes to the developers of the software we use. FOSS is not only a technical choice, but also a philosophical and ethical one (hence the donations).

The Vision of FOSS

The vision of FOSS is to create software that respects the freedom and autonomy of its users (i.e., features you have come to rely on don’t just disappear, you can version lock, and MUCH more). FOSS advocates believe that software should be a public good that anyone can access, learn from, and contribute to. They also believe that software should empower users to control their own computing and data, rather than being controlled by proprietary vendors or platforms.

FOSS is inspired by the ideals of the free software movement, which was founded by Richard Stallman in the 1980s. Stallman defined four essential freedoms that every user should have when using software:

  • The freedom to run the program as you wish, for any purpose.
  • The freedom to study how the program works, and change it so it does your computing as you wish.
  • The freedom to redistribute copies so you can help others.
  • The freedom to distribute copies of your modified versions to others.

These freedoms are encoded in various FOSS licenses, such as the GNU General Public License (GPL), which ensure that the software remains free and open for everyone.

The Ethos of FOSS

The ethos of FOSS is based on collaboration, transparency, and meritocracy. FOSS developers work together across borders, cultures, and backgrounds to create software that meets the needs and expectations of their users. They use online platforms such as GitHub, GitLab, or SourceForge to host their code repositories, issue trackers, documentation, and communication channels. They welcome feedback, suggestions, bug reports, and patches from anyone who wants to participate in the development process.

FOSS developers also value transparency in their work. They make their source code available for anyone to inspect, audit, or modify. They document their design decisions, coding standards, testing procedures, and release notes. They follow open standards and protocols that facilitate interoperability and compatibility with other software. They also respect the privacy and security of their users by avoiding spyware, malware, or backdoors in their software.

FOSS developers also adhere to a meritocratic culture, where the quality of one’s work determines one’s reputation and influence in the community. FOSS developers are motivated by intrinsic factors such as curiosity, creativity, learning, recognition, or altruism. They compete with each other in a friendly and constructive way, striving to produce the best software possible.

All of this sounds great and rather familiar, yes? That’s because a lot of these values are tied into and shared amongst other communities, like homesteading and Rynue. We practice what we preach, so we might as well adopt this in both the physical and the digital world.

The Ethics of FOSS

The ethics of FOSS are rooted in the principles of social justice, human rights, and democracy. FOSS advocates believe that (not just) software should serve the common good of humanity, rather than the private interests of a few corporations or governments (much like our food and resources). They also believe that software should respect the dignity and autonomy of its users, rather than exploiting or manipulating them (land and government 😉 ).

FOSS advocates promote the following ethical values in their software:

  • Accessibility: FOSS software should be accessible to everyone regardless of their location, income, language, disability, or device.
  • Diversity: FOSS software should reflect the diversity of its users and developers in terms of culture, gender, race, ethnicity, religion, or sexual orientation.
  • Inclusion: FOSS software should foster a culture of inclusion where everyone feels welcome, respected, and valued in the community.
  • Education: FOSS software should enable users and developers to learn from each other and share their knowledge and skills.
  • Innovation: FOSS software should encourage innovation by allowing users and developers to experiment with new ideas and technologies.
  • Sustainability: FOSS software should be sustainable in terms of environmental impact, economic viability, and social responsibility.

The Benefits of FOSS

FOSS offers many benefits for free and open computing and code, as well as privacy and security. Here are some examples:

  • Free and open computing: FOSS enables users to choose the software that best suits their needs and preferences. Users can customize or modify the software according to their own requirements. Users can also switch between different FOSS applications or platforms without losing their data or functionality.
  • Free and open code: FOSS enables developers to learn from each other’s code and improve their own skills. Developers can reuse or adapt existing code for new purposes or projects. Developers can also collaborate with other developers across different domains or disciplines.
  • Privacy: FOSS enables users to protect their personal data from unauthorized access or misuse by third parties. Users can control what data they share with the software or the online services. Users can also audit the source code of the software to verify that it does not contain any spyware, malware, or backdoors.
  • Security: FOSS enables users to enhance their security against cyberattacks or malicious software. Users can update the software regularly with the latest patches and fixes from the community. Users can also report any vulnerabilities or bugs to the developers and get them fixed quickly. Users can also use encryption, authentication, or verification tools that are built on FOSS standards and protocols.

So, what are these threat models, anyway?

A threat model is a list of the most likely threats to your security and privacy goals. Since it’s impossible to protect yourself against every attack(er), you should focus on the most likely threats. In computer security, a threat is an event that could harm your efforts to stay private and secure.

Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.

Creating Your Threat Model

To identify what could happen to the things you value and determine who you need to protect them from, you should answer these five questions:

  • What do I want to protect?
  • Who do I want to protect it from?
  • How likely is it that I will need to protect it?
  • How bad are the consequences if I fail?
  • How much trouble am I willing to go through to try to prevent potential consequences?

How to Identify Your Digital Assets and Adversaries

When you want to protect your digital security, you need to know what you are protecting and who you are protecting it from. We will help to define your digital assets and adversaries, and why this is important for your security planning.

What are your digital assets?

A digital asset is any information that you value and want to keep safe. For example, some of your digital assets may be:

  • Your emails, chats, and social media posts
  • Your contacts, calendars, and notes
  • Your location, photos, and videos
  • Your files, documents, and passwords
  • Your devices, such as your phone, laptop, or tablet

You should make a list of your digital assets and answer these questions for each one:

  • Where is it stored? Is it on your device, on a cloud service, on a removable media, all three?
  • Who can access it? Is it only you, or do you share it with others? Do you use encryption, passwords, or biometrics to protect it? If it’s stored somewhere you don’t control (cloud), do you know where it’s stored and how? What if it’s an unencrypted drive in someone’s home server with no security?
  • What prevents others from accessing it? Is it hidden, locked, or backed up? Do you use firewalls, antivirus, or VPNs to secure it? What countries and what data centres is it stored in? Can someone just walk in with a USB key and copy it?

Who are your adversaries?

An adversary is anyone who might want to target you or your information for malicious purposes. For example, some of your adversaries may be:

  • Your employer, your ex-partner, your rival, or your stalker
  • Your government, your ISP, or your network provider
  • A hacker, a spy, or a thief

You should make a list of your adversaries and answer these questions for each one:

  • What are their motives? Do they want to spy on you, blackmail you, harass you, or steal from you?
  • What are their capabilities? Do they have technical skills, legal authority, or physical access to target you or your information?
  • What are their opportunities? Do they have the time, resources, or connections to carry out their attacks?
  • What will happen to you if anything captured leaks?

Why is this important?

Identifying your digital assets and adversaries is important because it helps you to:

  • Assess your risks: You can evaluate how likely and how severe an attack on your information might be.
  • Prioritize your actions: You can decide which assets are most important to protect and which adversaries are most dangerous to avoid.
  • Choose your tools: You can select the appropriate security measures and tools that match your needs and threats.

A word of caution

Depending on who your adversaries are, making a list of them might be risky in itself. If someone finds out that you consider them an adversary, they might become more hostile or suspicious of you. Therefore, you should be careful about how you create and store this list. You might want to:

  • Use a secure device and connection: Use a device that only you control and trust. Use encryption and passwords (DO NOT USE BIOMETRICS) to lock it. Use a VPN or Tor to help hide your online activity.
  • Use a pseudonym or code: Don’t use real names or identifiers for your adversaries. Use aliases or codes that only you understand, and don’t make a legend of what’s what in the same folder/document.
  • Destroy the list when done: Don’t keep the list longer than necessary. Delete it from your device and any backups. Shred any paper copies.

How to Evaluate Your Risks and Consequences

When you want to protect your digital security, you need to know how likely and how severe an attack on your information might be (there are millions of blanketed attacks).

What are your risks?

A risk is the probability that a specific threat against a specific asset will actually happen. It depends on the capability and opportunity of your adversary. For example, your mobile phone provider has the capability to access all of your data, but the risk of them posting your private data online to harm your reputation is low. A hacker on a public Wi-Fi network has the opportunity to access your unencrypted communications, but the risk of them stealing your identity is high.

It is important to distinguish between what might happen and what is likely to happen, while also keeping in mind that things like weak passwords and having many online accounts add to your risk of blanket attacks that aren’t geared to you, but to everyone. For instance, there is a threat that your building might collapse, but the risk of this happening is much higher in San Francisco (where earthquakes are common) than in Nova Scotia (where they are not).

Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter how low the probability they will occur, because they value their privacy and security highly (or are responsible for other people’s data/money). In other cases, people ignore high risks because they don’t think the threat is a problem, or they don’t have the resources to deal with it.

You should make a list of your threats and rate them according to their likelihood and impact. You can use a scale from 1 (low) to 5 (high) or use words such as rare, unlikely, possible, likely, or certain. You can also use colors such as green, yellow, orange, or red to indicate the level of risk.

What are your consequences?

A consequence is the outcome or impact of an attack on your information. It depends on the motive and action of your adversary. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

The motives of adversaries vary widely, as do their actions. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may want to gain access to secret content and publish that content without you knowing.

Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the action and impact of your adversary. For example, an adversary can:

  • Spy on you: They can monitor your online activity, track your location, or intercept your communications.
  • Blackmail you: They can threaten to expose your secrets, extort money from you, or coerce you into doing something.
  • Harass you: They can send you unwanted messages, spam you with ads, or flood you with requests.
  • Steal from you: They can access your accounts, transfer your funds, or use your identity.
  • Sabotage you: They can delete your data, corrupt your files, or infect your devices.

You should make a list of your assets and rate them according to their sensitivity and importance. You can use a scale from 1 (low) to 5 (high) or use words such as trivial, minor, moderate, major, or critical. You can also use colors such as green, yellow, orange, or red to indicate the level of consequence.

Why is this important?

Evaluating your risks and consequences is important because it helps you to:

  • Prioritize your actions: You can focus on protecting the assets that are most sensitive and important from the threats that are most likely and severe.
  • Choose your tools: You can select the appropriate security measures and tools that match your risks and consequences.
  • Balance your trade-offs: You can weigh the costs and benefits of different security options and find the optimal level of security for you.

How to Make a Security Plan for Your Home and Possessions

When you want to protect your home and possessions, you need to know what you have, who might want it, and how to prevent them from getting it.

What do you have that is worth protecting?

The first step in making a security plan is to identify your assets. These are the things that you value and want to keep safe. For example, some of your assets may be:

  • Jewelry, watches, or other valuables
  • Electronics, such as laptops, tablets, or phones
  • Important documents, such as passports, birth certificates, or contracts
  • Photos, videos, or other memories

You should make a list of your assets and answer these questions for each one:

  • Where is it stored? Is it in your house, in your car, or in another location? Are there photos of these all over the internet?
  • Who can access it? Is it only you, or do you share it with others? Do you use locks, safes, or passwords to protect it? Is it at home while you posted to social media that you were going on vacation?
  • What prevents others from accessing it? Is it hidden, secured, or insured? Do you use alarms, cameras, or guards to deter intruders?

Who might want to take your assets?

The second step in making a security plan is to identify your adversaries. These are the people or entities who might want to target you or your assets for malicious purposes. For example, some of your adversaries may be:

  • Burglars, robbers, or thieves
  • Roommates, guests, or visitors
  • Scammers, hackers, or identity thieves
  • Police or other Government officials

You should make a list of your adversaries and answer these questions for each one:

  • What are their motives? Do they want to steal your assets, damage them, or use them against you?
  • What are their capabilities? Do they have the skills, tools, or resources to target you or your assets?
  • What are their opportunities? Do they have the time, access, or information to carry out their attacks?

How likely and how severe are the attacks?

The third step in making a security plan is to evaluate your risks and consequences. These are the probability and impact of an attack on your assets. They depend on the capability and opportunity of your adversary and the sensitivity and importance of your asset. For example:

  • The risk of a burglar breaking into your house is higher if you live in a high-crime area or if you leave your doors unlocked.
  • The consequence of a roommate taking your laptop is higher if you have sensitive data on it or if you need it for work.
  • Doing online searches for murder, hiding bodies, etc. may increase your chance of a Police visit/seizure of assets.

You should make a list of your risks and consequences and rate them according to their likelihood and severity. You can use a scale from 1 (low) to 5 (high) or use words such as rare, unlikely, possible, likely, or certain. You can also use colors such as green, yellow, orange, or red to indicate the level of risk and consequence.

How much effort are you willing to put into preventing the attacks?

The fourth step in making a security plan is to choose your actions and tools. These are the measures and devices that you use to protect your assets from your adversaries. They depend on the risks and consequences that you face and the trade-offs that you are willing to make. For example:

  • If your possessions are valuable but the risk of a break-in is low, you may not want to invest too much money in a lock.
  • If the risk of a break-in is high, you may want to get the best lock on the market and consider adding a security system.

You should make a list of your actions and tools and answer these questions for each one:

  • How effective is it? Does it reduce the likelihood or severity of an attack?
  • How convenient is it? Does it require a lot of time or effort to use?
  • How affordable is it? Does it fit within your budget?
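The four steps above as a worked example, added here and not part of the original page: a register that rates threats on the page's 1 to 5 scales, maps each score to the page's color bands, and picks the cheapest countermeasures that bring a threat down to an accepted level. The score formula (likelihood × severity), the band cut-offs, the option fields (`kind`, `hassle`, `lessLikely`, `lessSevere`) and all sample ratings and prices are assumptions made for illustration.

```javascript
// Added example: a security-plan register built on the page's 1-5 scales.
// The score formula, band cut-offs and every sample value are assumptions.
const LIKELIHOOD = ['rare', 'unlikely', 'possible', 'likely', 'certain'];
const SEVERITY = ['trivial', 'minor', 'moderate', 'major', 'critical'];

// Accept a number from 1 to 5 or one of the page's words.
function toScale(value, words) {
  const n = typeof value === 'number'
    ? value
    : words.indexOf(String(value).toLowerCase()) + 1;
  if (!Number.isInteger(n) || n < 1 || n > 5) {
    throw new RangeError(`rating must be 1-5 or one of: ${words.join(', ')}`);
  }
  return n;
}

// Assumed cut-offs for the four colors the page suggests.
function band(score) {
  if (score >= 15) return 'red';
  if (score >= 10) return 'orange';
  if (score >= 5) return 'yellow';
  return 'green';
}

// Step three: rate one threat. Score = likelihood x severity, from 1 to 25.
function rate(threat) {
  const likelihood = toScale(threat.likelihood, LIKELIHOOD);
  const severity = toScale(threat.severity, SEVERITY);
  const score = likelihood * severity;
  return { ...threat, likelihood, severity, score, band: band(score) };
}

// Highest score first: the most likely and severe threats lead the list.
function prioritize(threats) {
  return threats.map(rate).sort((a, b) => b.score - a.score);
}

const total = (list, key) => list.reduce((sum, o) => sum + (o[key] || 0), 0);

// Step four: choose countermeasures for one threat. Every combination of
// options is tried (fine for short lists). The result is the cheapest
// combination that brings the score down to `accept`; if none can within the
// budget and hassle limits, it is the one with the lowest remaining score.
function choose(threat, options, { accept = 4, budget = Infinity, maxHassle = 5 } = {}) {
  const base = rate(threat);
  const usable = options.filter((o) => o.hassle <= maxHassle);
  let best = { chosen: [], cost: 0, residual: base };

  for (let mask = 1; mask < 1 << usable.length; mask++) {
    const picked = usable.filter((_, i) => mask & (1 << i));
    // At most one option of each kind (no point fitting two locks).
    if (new Set(picked.map((o) => o.kind)).size !== picked.length) continue;
    const cost = total(picked, 'cost');
    if (cost > budget) continue;

    const residual = rate({
      ...threat,
      likelihood: Math.max(1, base.likelihood - total(picked, 'lessLikely')),
      severity: Math.max(1, base.severity - total(picked, 'lessSevere')),
    });
    const ok = residual.score <= accept;
    const bestOk = best.residual.score <= accept;
    let better;
    if (ok !== bestOk) better = ok;
    else if (ok) better = cost < best.cost;
    else {
      better = residual.score < best.residual.score ||
        (residual.score === best.residual.score && cost < best.cost);
    }
    if (better) best = { chosen: picked.map((o) => o.name), cost, residual };
  }
  return best;
}

// Constructed sample data: the page's lock example with made-up numbers.
// lessLikely / lessSevere = points taken off the 1-5 rating; hassle = 1-5.
const OPTIONS = [
  { name: 'basic lock', kind: 'lock', cost: 30, hassle: 1, lessLikely: 1 },
  { name: 'best lock on the market', kind: 'lock', cost: 250, hassle: 1, lessLikely: 2 },
  { name: 'security system', kind: 'alarm', cost: 600, hassle: 3, lessLikely: 1 },
  { name: 'insurance', kind: 'insurance', cost: 120, hassle: 2, lessSevere: 1 },
];
const THREATS = [
  { name: 'roommate takes laptop', likelihood: 'possible', severity: 3 },
  { name: 'burglar breaks in', likelihood: 'likely', severity: 'major' },
  { name: 'passport lost', likelihood: 'rare', severity: 'critical' },
];

console.log(prioritize(THREATS).map((t) => `${t.band} ${t.score} ${t.name}`));
const breakIn = THREATS[1];
console.log(choose(breakIn, OPTIONS).chosen); // break-in rated likely
console.log(choose({ ...breakIn, likelihood: 'unlikely' }, OPTIONS).chosen);
```

Passing `{ budget: 300 }` or `{ maxHassle: 2 }` as the third argument to `choose` shows the trade-off side: the plan then settles for the lowest risk it can reach within that limit.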

Why is this important?

Making a security plan is important because it helps you to:

  • Understand your threats: You can identify who might want to harm you or your assets and why.
  • Prioritize your assets: You can decide which assets are most valuable and vulnerable and need more protection.
  • Choose your actions: You can select the best security measures and tools that suit your needs and threats.
  • Balance your trade-offs: You can weigh the costs and benefits of different security options and find the optimal level of security for you.

How to Trust and When Not to Trust Digital Trust in a Digital and Modern World

Digital trust is the confidence users have in the ability of people, technology, and processes to create a secure digital world. Digital trust is given to companies who have shown their users they can provide safety, privacy, security, reliability, and data ethics with their online programs or devices. Digital trust is also the backbone for security in the connected world, securing users, software, servers, devices, digital content, documents, digital rights, identity, and more. In the context of digitalization, trust is the individual’s confidence in an organization that data will be handled securely and responsibly in the digital environment. Digital trust is an essential factor in an organization’s sustainable and long-term successful digitalization.

You wouldn’t buy a lock from Home Depot for your house that doesn’t work, and you wouldn’t buy a house sight unseen on the owner’s word that it’s up to code. And if you have ever moved into a house, you know how it goes: nothing is up to code, and things are hidden and broken. If being lied to like that makes you angry, do you really think companies are any different? (We’re trying to be.)

How to Trust Digital Trust

To trust digital trust means that you are willing to use and rely on the digital systems and services that are designed and provided by others (Rynue). To trust digital trust also means that you are willing to share your personal information and data with those who offer you value and convenience. To trust digital trust also means that you are willing to give them the benefit of the doubt, to assume that they have good intentions and motives, and to forgive them for their mistakes. Most people don’t do this in their day-to-day life, so why is it so different online?

To trust digital trust, you need to:

  • Communicate openly and honestly: Communication is the key to building trust. You need to express your needs, expectations, and boundaries clearly and respectfully. You also need to listen actively and empathetically to what the other party has to say. You need to avoid lying, hiding, or withholding information from the other party.
  • Verify their identity and credibility: Verification is the basis of trust. You need to check the identity and credibility of the other party before you use or rely on their digital systems or services. You can use various methods such as passwords, biometrics, encryption, certificates, reviews, ratings, or references.
  • Protect your privacy and security: Protection is the guarantee of trust. You need to protect your privacy and security when you use or rely on the other party’s digital systems or services. You can use various tools such as firewalls, antivirus, VPNs, backups, or recovery options.
  • Show respect and appreciation: Respect and appreciation are the expressions of trust. You need to treat the other party with kindness and courtesy, and acknowledge their strengths and contributions. You also need to value their opinions and perspectives, and support their goals and dreams.
  • Be loyal and faithful: Loyalty and fidelity are the tests of trust. You need to honor the other party’s trust by not betraying them or hurting them intentionally. You also need to respect their privacy and boundaries, and not share their secrets or personal information with others.

When Not to Trust Digital Trust

To trust digital trust does not mean that you are naive or gullible. It does not mean that you blindly believe everything they say or do. It does not mean that you ignore the signs or evidence that they are lying or cheating on you. It does not mean that you let them take advantage of you or abuse you.

To trust digital trust also does not mean that you trust everyone equally or indiscriminately. It does not mean that you trust strangers or acquaintances as much as you trust friends or family. It does not mean that you trust people who have proven themselves untrustworthy or unreliable in the past. It does not mean that you trust people who have different values or goals than you.

To trust someone wisely in a digital and modern world, you need to:

  • Assess the situation: Not every situation requires the same level of trust. You need to consider the context, the stakes, the risks, and the consequences of trusting or not trusting someone. For example, trusting an online retailer with your credit card information is different from trusting a social media platform with your personal data.
  • Evaluate the person: Not every person deserves the same level of trust. You need to consider their character, their history, their behavior, and their motives for trusting or not trusting them. For example, trusting a reputable company with a strong track record of digital security is different from trusting a startup with no reputation or transparency.
  • Listen to your intuition: Not every trust decision can be made rationally or logically. You need to listen to your gut feeling, your inner voice, your instinct for trusting or not trusting someone. For example, trusting a website with a secure HTTPS connection may feel right even if it has a poor design or content.
  • Seek feedback: Not every trust issue can be resolved by yourself. You may need to seek feedback from others who know the person or the situation better than you do. For example, trusting an app with access to your camera or microphone may require consulting with online reviews or forums first.

Common Threats

How to Choose the Right Tools and Services for Your Security Goals

When you want to protect your digital security, you need to know what your security goals are. Your security goals are the threats that you want to prevent or the outcomes that you want to achieve. Different tools and services can help you with different security goals, but none of them can protect you from everything. You may be concerned with none, one, a few, or all of these possibilities, and the tools and services you use depend on what your goals are.

What are your security goals?

Your security goals depend on your personal situation, preferences, and needs. You may have one or more of these common security goals, or you may have other specific ones, or you have no idea and that’s why you’re reading this:

  • Privacy: You want to keep your personal information and data from being accessed or misused by others.
  • Security: You want to protect your devices and accounts from being hacked or infected by malicious software.
  • Anonymity: You want to hide your identity and location from others when you use the internet.
  • Censorship resistance: You want to access or share information that is blocked or restricted by others.
  • Whistleblowing: You want to expose wrongdoing or corruption by others without being traced or retaliated against.

You should make a list of your security goals and answer these questions for each one:

  • Why is it important to you? What are the benefits or consequences of achieving or failing this goal?
  • How realistic is it? What are the challenges or obstacles that you face in achieving this goal?
  • How urgent is it? How soon do you need to achieve this goal?

How to choose the right tools and services?

Well, that’s where we come in. We may not recommend the most robust offering. We may not say things that fall in line with other sites or “professionals”. However, we are also professionals and we do use what we recommend and have done a lot of the work and research for you. We are also trying to help you with setting up what we use and bring what we can to the masses to help promote a real Internet.
The way we see it, common threats can be broken down to the following:

  • Anonymity – Shielding your online activity from your real identity, protecting you from people who are trying to uncover your identity specifically.
  • Targeted Attacks – Being protected from hackers or other malicious actors who are trying to gain access to your data or devices specifically.
  • Passive/Blanketed Attacks – Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
  • Service Providers – Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server, changing DNS from your ISP’s to something different, etc.).
  • Mass Surveillance – Protection from government agencies, organizations, websites, and services which work together to track your activities.
  • Surveillance Capitalism – Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
  • Public Exposure – Limiting the information about you that is accessible online—to search engines or the general public.
  • Censorship – Avoiding censored access to information or being censored yourself when speaking online.

Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with Targeted Attacks, but they probably still want to protect their personal data from being swept up in Mass Surveillance programs. Similarly, many people may be primarily concerned with Public Exposure of their personal data, but they should still be wary of security-focused issues, such as Passive Attacks—like malware affecting their devices.

Anonymity

Anonymity means hiding your real identity from your online activity, protecting you from people who are trying to find out who you are or what you do online. Anonymity can help you avoid harassment, discrimination, or retaliation from those who disagree with you or want to harm you. Anonymity can also help you access or share information that is censored, restricted, or controversial.

To achieve anonymity, in part, you need to:

  • Use pseudonyms or aliases: Don’t use your real name or any personal information that can identify you online. Use different pseudonyms or aliases for different platforms or purposes.
  • Use encryption or obfuscation: Don’t let your online activity be traced back to your device or location. Use encryption or obfuscation tools such as VPNs, Tor, or proxies to hide your IP address and traffic.
  • Use disposable or anonymous accounts: Don’t use your regular email or social media accounts for sensitive or risky online activity. Use disposable or anonymous accounts that don’t require any personal information or verification.

Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That’s not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don’t need to go so far.

Targeted Attacks

Targeted attacks mean being protected from hackers or other malicious actors who are trying to gain access to your data or devices specifically. Targeted attacks against a specific person are more problematic to deal with. Common attacks include (but are not limited to) sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and various physical attacks. Targeted attacks can compromise your privacy, security, or integrity by stealing, deleting, or altering your data or devices. Targeted attacks can also harm your reputation, finances, or relationships by exposing, blackmailing, or impersonating you.

To prevent targeted attacks, you need to:

  • Use strong passwords and authentication: Don’t use weak or predictable passwords for your accounts or devices. Use strong passwords that are long, complex, and unique. Use authentication methods such as tokens or codes to verify your identity.
  • Forget the above. Use a strong password manager to help hide these even from you. Rynue offers its members a hosted Bitwarden instance to help with this.
  • Use antivirus and firewall: Don’t let your devices be infected by malicious software such as viruses, worms, trojans, or ransomware. Use antivirus and firewall software to scan, detect, and remove any malware from your devices.
  • Use backups and recovery: Don’t lose your data or devices due to accidental deletion, corruption, or theft. Use backups and recovery tools to save copies of your data or devices in a secure location and restore them if needed.

By design, web browsers, email clients, and office applications typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. If you are concerned about physical attacks, you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or Windows (with TPM). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure Enclave or Element to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don’t trust, because most desktop operating systems don’t encrypt data separately per-user. Keep reading, we’ll help you set up something as a perfect middle ground.

Passive Attacks

Passive attacks mean being protected from things like malware, data breaches, and other attacks that are made against many people at once. Passive attacks can expose your personal information and data to unauthorized parties who may use it for malicious purposes. Passive attacks can also damage your devices or services by disrupting their functionality or performance.

Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they’re private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn’t necessarily true: The most secure service in the world isn’t necessarily private. The best example of this is trusting data to Microsoft who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Microsoft provides very secure services, very few people would consider their data private in Microsoft’s free consumer products (OneDrive, Outlook, Windows for some, etc.).

When it comes to application security, we generally don’t (and sometimes can’t) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there’s mostly no guarantee that their software doesn’t have a serious vulnerability that could later be exploited, or that no external actor has pressured them into adding a backdoor.

To minimize the damage that a malicious piece of software could do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.

To avoid passive attacks, you need to:

  • Use encryption and privacy: Don’t let your personal information and data be accessed or misused by others. Use encryption and privacy tools such as E2EE (end-to-end encryption), HTTPS (Hypertext Transfer Protocol Secure), or PGP (Pretty Good Privacy) to make your data unreadable to anyone except the intended recipient.
  • Use updates and patches: Don’t let your devices or services be vulnerable to known exploits or bugs. Use updates and patches to fix any security issues or improve any features in your devices or services.
  • Use secure networks and platforms: Don’t let your online activity be intercepted or manipulated by others. Use secure networks and platforms that offer safety, privacy, security, reliability, and data ethics with their online programs or devices.

Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can’t obtain root access, and require permission for access to system resources. Desktop operating systems typically lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers.

Service Providers

“Service providers” here means protecting your data from your service providers (e.g. with E2EE, which renders your data unreadable to the server). Service providers are the companies or organizations that provide you with online programs or devices, such as email, social media, cloud storage, cell service, Internet (ISP), or messaging apps. Service providers may access or misuse your data for various reasons, such as advertising, profiling, or complying with legal requests.

We live in a world where almost everything is connected to the internet. Our “private” messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it’s stored on a server, and when your friend wants to read the message the server will show it to them.

The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. 

To protect your data from service providers, you need to:

  • Use a custom DNS provider (Rynue provides one).
  • Use End-to-End Encryption: E2EE means end-to-end encryption, which encrypts your data on your device before sending it to the server, and decrypts it on the recipient’s device after receiving it from the server. E2EE prevents anyone, including the service provider, from reading or modifying your data in transit or at rest (unless they can unlock it or have a key). Even with E2EE though, service providers can still profile you based on metadata, which typically isn’t protected.
  • Use zero-knowledge services: Zero-knowledge services are services that do not store or process any of your data on their servers. Zero-knowledge services use techniques such as hashing, salting, or homomorphic encryption to ensure that only you have access to your data. Bear in mind: if a VPN provider tells you they’re zero knowledge but also only provides 5 active connections, they’re lying to you.
  • Use self-hosted services: Self-hosted services are services that you run or control on your own server or device, rather than relying on a third-party service provider. Self-hosted services give you more freedom, privacy, and security over your data. However, they also require more technical skills, resources, and responsibility to maintain and secure them. Rynue will help you with this and even provide some options to you that are already available.
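The message flow described above, as an added example that is not part of the original page: two devices agree on a key the server never sees, the server stores and relays only a sealed envelope, and `demo()` reports what the provider can and cannot do with it, including the metadata it still learns. It uses Node's built-in `crypto` module (X25519, HKDF, AES-256-GCM); the device names, envelope fields and sample message are constructed, and it assumes both users already hold each other's genuine public key.

```javascript
// Added example: end-to-end encryption through a relay the users do not trust.
// Device names, envelope fields and the sample message are constructed.
const {
  generateKeyPairSync, diffieHellman, hkdfSync,
  randomBytes, createCipheriv, createDecipheriv,
} = require('crypto');

// Each device makes its own X25519 key pair; the private key never leaves it.
function newDevice(name) {
  const { publicKey, privateKey } = generateKeyPairSync('x25519');
  return { name, publicKey, privateKey };
}

// Both ends derive the same 256-bit key from their own private key and the
// other side's public key. The server only ever handles public keys.
function sharedKey(me, theirPublicKey) {
  const secret = diffieHellman({ privateKey: me.privateKey, publicKey: theirPublicKey });
  return Buffer.from(hkdfSync('sha256', secret, Buffer.alloc(0), 'e2ee-example', 32));
}

// Encrypt on the sender's device. `meta` is what the server needs for routing:
// it is authenticated (bound to the ciphertext as AAD) but not encrypted.
function seal(sender, recipient, text, sentAt) {
  const meta = { from: sender.name, to: recipient.name, sentAt };
  const nonce = randomBytes(12); // fresh for every message
  const key = sharedKey(sender, recipient.publicKey);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(JSON.stringify(meta)));
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return { meta, nonce, body, tag: cipher.getAuthTag() };
}

// Decrypt on the recipient's device. final() throws if the body, the tag or
// the metadata changed after the sender sealed the envelope.
function unseal(recipient, senderPublicKey, envelope) {
  const key = sharedKey(recipient, senderPublicKey);
  const decipher = createDecipheriv('aes-256-gcm', key, envelope.nonce);
  decipher.setAAD(Buffer.from(JSON.stringify(envelope.meta)));
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.body), decipher.final()]).toString('utf8');
}

// The service provider: stores envelopes and hands them to the recipient.
class RelayServer {
  constructor() {
    this.mailbox = [];
    this.ownKeys = newDevice('server'); // the provider's keys, not the users'
  }
  deliver(envelope) { this.mailbox.push(envelope); }
  fetch(name) { return this.mailbox.filter((e) => e.meta.to === name); }
  // What the provider, or anyone who compromises it, learns without any key.
  profile() {
    return this.mailbox.map((e) => ({ ...e.meta, bytes: e.body.length }));
  }
}

// True when fn throws, false when it returns normally.
const fails = (fn) => { try { fn(); return false; } catch { return true; } };

function demo() {
  const alice = newDevice('alice');
  const bob = newDevice('bob');
  const server = new RelayServer();
  const text = 'meet at the usual place at 6';

  server.deliver(seal(alice, bob, text, '2024-01-01T18:00:00Z'));
  const [envelope] = server.fetch('bob');

  // A stored copy with one bit flipped, and one with the routing data changed.
  const flipped = { ...envelope, body: Buffer.from(envelope.body) };
  flipped.body[0] ^= 1;
  const rerouted = { ...envelope, meta: { ...envelope.meta, from: 'carol' } };

  return {
    received: unseal(bob, alice.publicKey, envelope),
    serverView: server.profile(),
    serverStoresPlaintext: envelope.body.includes(text),
    serverCanDecrypt: !fails(() => unseal(server.ownKeys, alice.publicKey, envelope)),
    bodyChangeRejected: fails(() => unseal(bob, alice.publicKey, flipped)),
    metaChangeRejected: fails(() => unseal(bob, alice.publicKey, rerouted)),
  };
}

console.log(demo());
```

The `serverView` entry is the part E2EE leaves exposed: who wrote to whom, when, and how much, which is enough to build a profile even though the text itself stays unreadable.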

Mass Surveillance

Mass surveillance means protection from government agencies, organizations, websites, and services that work together to track your activities. Mass surveillance can violate your privacy, security, or human rights by collecting, analyzing, or sharing your personal information and data without your consent or knowledge. Mass surveillance can also influence your behavior, choices, or opinions by manipulating, censoring, or coercing you. Generally when you think of mass surveillance, it often refers to government programs, such as the ones disclosed by Edward Snowden in 2013. However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative.

To resist mass surveillance, you need to:

  • Use encryption and anonymity: Don’t let your online activity be monitored or traced by others. Use encryption and anonymity tools such as VPNs, Tor, or proxies to hide your IP address and traffic. Use E2EE, HTTPS, or PGP to make your data unreadable to anyone except the intended recipient.
  • Use privacy and security settings: Don’t let your online platforms or services collect or share your personal information and data without your consent or knowledge. Use privacy and security settings to limit or disable the data collection or sharing features of your online platforms or services. Use tools such as Privacy Badger, uBlock Origin, or DuckDuckGo to block or avoid trackers, cookies, or ads.
  • Use alternative platforms or services: Don’t let your online platforms or services influence your behavior, choices, or opinions by manipulating, censoring, or coercing you. Don’t compromise your own ethics just because you want to use something. Use alternative platforms or services that respect your freedom, privacy, and security. Use tools such as Rynue, ProtonMail, or Mastodon to communicate, email, or socialize online.

Surveillance Capitalism

Surveillance capitalism means protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. Surveillance capitalism can exploit your personal information and data for profit by creating detailed profiles of you and selling them to advertisers or other parties. Surveillance capitalism can also affect your behavior, choices, or opinions by showing you targeted ads or content that influence your preferences or decisions.

To avoid surveillance capitalism, you need to:

  • Use encryption and privacy: Don’t let your personal information and data be accessed or misused by others. Use encryption and privacy tools such as E2EE (end-to-end encryption), HTTPS (Hypertext Transfer Protocol Secure), or PGP (Pretty Good Privacy) to make your data unreadable to anyone except the intended recipient.
  • Use ad blockers and anti-trackers: Don’t let your online activity be tracked or analyzed by others. Use ad blockers and anti-trackers to block or avoid trackers, cookies, or ads that collect or share your data. Use tools such as uBlock Origin, Privacy Badger, or DuckDuckGo to block or avoid trackers, cookies, or ads.
  • Use alternative platforms or services: Don’t let your online platforms or services exploit your data for profit by creating detailed profiles of you and selling them to advertisers or other parties. Use alternative platforms or services that respect your privacy and security. Use tools such as Signal, ProtonMail, or Mastodon to communicate, email, or socialize online.

Some other examples of this are:

  • In 2014, it was revealed that the NSA and its British counterpart, the GCHQ, had secretly tapped into the internal networks of Yahoo and Google, collecting millions of records every day from their data centers. This program, codenamed MUSCULAR, bypassed the legal process of requesting data from the companies through court orders or national security letters.
  • In 2015, it was reported that the NSA had been collecting and storing billions of phone records from countries around the world, including allies such as France, Germany, Brazil, Mexico, and Spain. This program, known as MYSTIC, allowed the NSA to access the content and metadata of phone calls for up to 30 days. In some countries, such as the Bahamas and Afghanistan, the NSA had access to virtually every phone call made or received.
  • In 2016, it was exposed that the FBI had been using a secret rule to obtain journalists’ phone records without their knowledge or consent. The rule, known as the National Security Letter (NSL) exception, allowed the FBI to bypass judicial oversight and issue NSLs to phone companies demanding information about journalists’ sources and contacts. The NSLs also came with gag orders that prevented the phone companies from disclosing the requests to anyone.
  • In 2017, it was disclosed that the CIA had developed a series of hacking tools and techniques to infiltrate smartphones, computers, smart TVs, and other devices. These tools, collectively known as Vault 7, enabled the CIA to spy on users’ activities, communications, locations, and even turn on their cameras and microphones remotely. Some of the tools were also designed to evade detection by antivirus software and forensic analysis.
  • In 2018, it was revealed that Facebook had been sharing user data with at least 60 device makers, including Apple, Samsung, Microsoft, and Amazon. The data included users’ names, email addresses, friends lists, interests, locations, and private messages. Some of the device makers also had access to data from users’ friends who had not consented to share their information. This practice violated Facebook’s own privacy policies and a 2011 consent decree with the Federal Trade Commission.
  • In 2019, it was reported that China had been using a massive network of cameras equipped with facial recognition technology to monitor and track millions of Uyghurs, a Muslim minority group in Xinjiang province. The system, known as the Integrated Joint Operations Platform (IJOP), collected data from various sources, such as checkpoints, ID cards, vehicle registrations, and DNA samples, and used artificial intelligence to flag suspicious behavior and alert authorities. The system also enabled mass detentions of Uyghurs in internment camps, where they faced abuse and indoctrination.
  • In 2020, it was exposed that Clearview AI, a startup company based in New York, had scraped billions of photos from social media platforms such as Facebook, Twitter, Instagram, and YouTube, and created a facial recognition app that could identify anyone with a single photo. The app was sold to law enforcement agencies, corporations, and wealthy individuals, who could use it to search for people’s identities, locations, and online activities without their consent or knowledge. The app also raised concerns about accuracy, bias, security, and accountability.

These are just some examples of mass surveillance that have occurred or been uncovered since Snowden’s bombshell in 2013.

Public Exposure

Reducing public exposure means limiting the information about you that is accessible online, whether to search engines or the general public. Public exposure can harm your privacy, security, or reputation by revealing your personal information and data to others who may use it for malicious purposes. Public exposure can also affect your behavior, choices, or opinions by exposing you to unwanted attention, criticism, or pressure.

To reduce public exposure, you need to:

  • Use encryption and privacy: Don’t let your personal information and data be accessed or misused by others. Use encryption and privacy tools such as E2EE (end-to-end encryption), HTTPS (Hypertext Transfer Protocol Secure), or PGP (Pretty Good Privacy) to make your data unreadable to anyone except the intended recipient.
  • Use privacy and security settings: Don’t let your online platforms or services collect or share your personal information and data without your consent or knowledge. Use privacy and security settings to limit or disable the data collection or sharing features of your online platforms or services. Use tools such as Privacy Badger, uBlock Origin, or DuckDuckGo to block or avoid trackers, cookies, or ads.
  • Use pseudonyms or aliases: Don’t use your real name or any personal information that can identify you online. Use different pseudonyms or aliases for different platforms or purposes.
  • Use self-censorship and discretion: Don’t share too much information about yourself or others online. Use self-censorship and discretion to decide what to post, comment, or like online. Think twice before you share anything that might be sensitive, controversial, or harmful.

Censorship

Overcoming censorship means keeping uncensored access to information and not being censored yourself when speaking online. Censorship can violate your freedom, privacy, or security by blocking, filtering, or deleting your access to information that is relevant, accurate, or important. Censorship can also influence your behavior, choices, or opinions by limiting, distorting, or controlling what you see, hear, or say online.

To overcome censorship, you need to:

  • Use encryption and anonymity: Don’t let your online activity be monitored or traced by others. Use encryption and anonymity tools such as VPNs, Tor, or proxies to hide your IP address and traffic. Use E2EE, HTTPS, or PGP to make your data unreadable to anyone except the intended recipient.
  • Use circumvention and bypassing: Don’t let your online access be blocked or filtered by others. Use circumvention and bypassing tools such as Psiphon, Lantern, or Ultrasurf to access censored websites or services. Use tools such as Tor Browser, Brave Browser, or OnionShare to access the dark web or peer-to-peer networks.
  • Use alternative platforms or services: Don’t let your online speech be deleted or controlled by others. Use alternative platforms or services that respect your freedom, privacy, and security. Use tools such as Signal, ProtonMail, or Mastodon to communicate, email, or socialize online.

Why you shouldn’t use Biometrics

How to Choose Between Passwords and Biometrics for Your Digital Security

Passwords and biometrics are two common methods of authenticating your identity when you use online services or devices. Passwords are secret codes that you create and remember, while biometrics are physical or behavioural characteristics that you possess and show. Both methods have advantages and disadvantages for your digital security, depending on your specific concerns.

What are the advantages and disadvantages of passwords?

Passwords are easy to use and widely supported by most online services and devices. You can create and change your passwords as often as you like, and you can use different passwords for different purposes. Passwords are also protected by intellectual property laws, which means that you own your passwords and can sue anyone who infringes them. If someone were to get my password, I can change it. I can’t change my fingerprint.

However, passwords also have some drawbacks for your digital security. Passwords can be forgotten, lost, or stolen, which can lock you out of your accounts or devices or expose them to unauthorized access. Passwords can also be guessed, cracked, or hacked by malicious actors who use various techniques such as brute force, phishing, or keylogging. Passwords can also be compelled by law enforcement or courts who can order you to reveal your passwords or unlock your devices.

What are the advantages and disadvantages of biometrics?

Biometrics are convenient and secure methods of authenticating your identity. You don’t need to remember or type anything; you just need to show your face, fingerprint, iris, voice, or other biometric feature. Biometrics are also hard to forge, copy, or share, which makes them more resistant to fraud or theft. Biometrics are also more user-friendly and accessible than passwords, especially for people with disabilities or low literacy. But again, if it is cracked, you can’t get a new eye.

However, biometrics also have some drawbacks for your digital security. Biometrics can be inaccurate, unreliable, or inconsistent, which can result in false positives or negatives. Biometrics can also be spoofed, altered, or hacked by malicious actors who use various techniques such as masks, prosthetics, or malware. Biometrics can also be violated by law enforcement or courts who can force you to show your biometrics or unlock your devices. For example, with Face ID a cop or TSA person can grab your phone, show it to you (which scans your face and logs you in), and then have access to everything. Biometrics are also not protected by intellectual property laws, which means that you don’t own your biometrics, and thus they can be used without your consent.

Common Misconceptions

“Open-source software is always secure” or “Proprietary software is more secure”

These beliefs stem from various prejudices, but the availability of source code and software licensing does not necessarily impact the security of the software in any way. Open-source software may be more secure than proprietary software, but there is no guarantee of this. When evaluating software, it is important to consider the reputation and security of each tool separately.

Open-source software can be audited by third parties, and often has a more transparent approach to potential vulnerabilities compared to proprietary software. However, this is not a guarantee, especially for smaller software projects. The open development process can also be exploited to introduce vulnerabilities into even large projects.

On the other hand, proprietary software is less transparent, but it does not mean it is not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities using techniques like reverse engineering.

To make unbiased decisions, it is important to evaluate the privacy and security standards of the software you use.

“Shifting trust can increase privacy”

When discussing solutions like VPNs, we often talk about “shifting trust” from your ISP to the VPN provider. While this protects your browsing data from your ISP, it does not necessarily secure your data from all parties. This means that:

  • You must be cautious when choosing a provider to shift your trust to.
  • You should still use other techniques, such as end-to-end encryption (E2EE), to protect your data completely. Simply distrusting one provider and trusting another is not a secure way to protect your data.

“Privacy-focused solutions are inherently trustworthy”

It’s important to remember that relying solely on a provider’s privacy policies and marketing is not enough to ensure your privacy. Instead, you should focus on finding technical solutions to the underlying privacy issues. For example, if you’re looking to avoid giving Google access to all your data, you should make sure that the provider you choose has end-to-end encryption (E2EE) implemented, or use a tool like Cryptomator that provides E2EE on any cloud provider. Simply switching to a “privacy-focused” provider that doesn’t implement E2EE doesn’t solve your problem; it just shifts your trust from Google to that provider.

While the privacy policies and business practices of the providers you choose are important, they should be considered secondary to technical guarantees of your privacy. You should not blindly trust another provider when trust is not a requirement in the first place.

“Complicated is better”

We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to “What is the best way to do X?”

Finding the “best” solution for yourself doesn’t necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:

  1. Actions need to serve a particular purpose: think about how to do what you want with the fewest actions.
  2. Remove human failure points: We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
  3. Use the right level of protection for what you intend. We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren’t what people want. There’s no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.

So, how might this look?

One of the clearest threat models is one where people know who you are and one where they do not. There will always be situations where you must declare your legal name and there are others where you don’t need to.

  1. Known identity – A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. We don’t suggest using a VPN or Tor for any of these things, as your identity is already known through other means. Tip: When shopping online, the use of a parcel locker can help keep your physical address private.
  2. Unknown identity – An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn’t change. If you’re part of an online community, you may wish to retain a persona that others know. This pseudonym isn’t anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as Monero. Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they’ll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
  3. Anonymous identity – Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.).

Account Creation

Often people sign up for services without thinking. Maybe it’s a streaming service so you can watch that new show everyone’s talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.

There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don’t recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.

It can also be difficult to delete the accounts on some services. Sometimes overwriting data associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.

Terms of Service & Privacy Policy

The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn’t always successful. This would be one of the reasons why we wouldn’t suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.

The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.

We recommend looking for particular terms such as “data collection”, “data analysis”, “cookies”, “ads” or “3rd-party” services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.

Keep in mind you’re also placing your trust in the company or organization and that they will comply with their own privacy policy.

Authentication methods

There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.

Email and password

The most common way to create a new account is by an email address and password. When using this method, you should use a password manager.

Tip

You can use your password manager to organize other authentication methods too! Just add the new entry and fill in the appropriate fields; you can add notes for things like security questions or a backup key.

You will be responsible for managing your login credentials. For added security, you can set up MFA on your accounts.

Email aliases

If you don’t want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.

Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.

“Sign in with…” (OAuth)

OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of “Sign in with provider name” on a registration form, it’s typically using OAuth.

When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won’t be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account.

The main advantages are:

  • Security: no risk of being involved in a data breach because the website does not store your credentials.
  • Ease of use: multiple accounts are managed by a single login.

But there are disadvantages:

  • Privacy: the OAuth provider you log in with will know the services you use.
  • Centralization: if the account you use for OAuth is compromised or you aren’t able to login to it, all other accounts connected to it are affected.

OAuth authentication can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with MFA.

All the services that use OAuth will be as secure as your underlying provider’s account. For example, if you want to secure an account with a hardware key, but that service doesn’t support hardware keys, you can secure the account you use with OAuth with a hardware key instead, and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your OAuth provider account means that any account tied to that login will also be weak.

Phone number

We recommend avoiding services that require a phone number for sign up. A phone number can identify you across multiple services and, depending on data sharing agreements, this will make your usage easier to track, particularly if one of those services is breached, as the phone number is often not encrypted.

You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don’t recommend that for important accounts.

In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It’s common for services to use your number as a verification method; don’t let yourself get locked out of an important account because you wanted to be clever and give a fake number!

Username and password

Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be no way to recover your account in the event you forget your username or password.

Account Deletion

Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service’s security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all too common these days, and so practising good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by deceptive design, for the betterment of your online presence.

Finding Old Accounts

Password Manager

If you have a password manager that you’ve used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden’s Data Breach Report.

Even if you haven’t explicitly used a password manager before, there’s a chance you’ve used the one in your browser or your phone without even realizing it. For example: Firefox Password Manager, Google Password Manager, and Edge Password Manager. These suck compared to something like Bitwarden, and we offer an instance to our users.

Desktop platforms also often have a password manager which may help you recover passwords you’ve forgotten about:

Email

If you didn’t use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as “verify” or “welcome.” Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.

Deleting Old Accounts

Log In

In order to delete your old accounts, you’ll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a “forgot password” link on the login page. It may also be possible that accounts you’ve abandoned have already been deleted—sometimes services prune all old accounts.

When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can’t figure out which email address you used, or you no longer have access to that email, you can try contacting the service’s customer support. Unfortunately, there is no guarantee that you will be able to reclaim access to your account.

GDPR (EEA residents only)

Residents of the EEA have additional rights regarding data erasure specified in Article 17 of the GDPR. If it’s applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a “Delete Account” option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do not overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national Data Protection Authority and you may be entitled to monetary compensation.

Overwriting Account information

In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you’ve made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won’t be backups with the prior information.

For the account email, create a new alternate email account via your provider of choice. You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails.

Delete

You can check JustDeleteMe for instructions on deleting the account for a specific service. Some sites will graciously have a “Delete Account” option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some.

For services that don’t allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable MFA and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size.

If you’re satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password.

Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It’s mostly out of your control what happens to your data when it comes to websites and cloud services.

Avoid New Accounts

As the old saying goes, “an ounce of prevention is worth a pound of cure.” Whenever you feel tempted to sign up for a new account, ask yourself, “Do I really need this? Can I accomplish what I need to without an account?” It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the Internet Archive. Avoid the temptation when you’re able to—your future self will thank you!

Introduction to passwords

*Rynue offers a membership plan that includes a hosted version of Bitwarden called Vaultwarden. Vaultwarden is implemented in Rust, which offers several advantages over the original Bitwarden implementation. Rust is known for its performance and security benefits, making it an ideal choice for the security-conscious. Additionally, Rust’s focus on safety and concurrency makes it well-suited for building high-performance, concurrent systems. By leveraging Rust’s capabilities, Vaultwarden is able to provide a secure and efficient solution that we have implemented for users.

We rely on passwords to safeguard our online accounts, devices, and secrets. However, we often neglect to choose them carefully, which makes them vulnerable to attackers who want to access our private information. Passwords are sometimes the only barrier between us and our enemies, so we should pay more attention to them.

Best Practices

Use different passwords for each service. Think about this: you already register for various services, sites, and subscriptions, likely using the same email, so why use the same password too? Now someone may have access to everything about you by breaching one thing. But this isn’t just about a malicious actor; if any of those service providers is dishonest, or their service suffers a data breach, all an attacker has to do is try that e-mail and password combination on many popular services until they find a match. It doesn’t matter how strong that one password is, because they already have it.

This is known as credential stuffing, and it is one of the most common ways that your accounts can be hacked by attackers. To prevent this, make sure that you always use unique passwords.

Don’t trust yourself to create a strong password. The best way to secure your accounts and devices is to use passwords or diceware passphrases that are random and have enough entropy.

Imagine you have a big book with lots of words in it. Each word has a number next to it, like this:

Number  Word
11111   aardvark
11112   abacus
11113   abandon

Now, imagine you have five dice that you can roll. Each die has six sides with numbers from 1 to 6 on them. When you roll the dice, you get a five-digit number, like this:

Die 1  Die 2  Die 3  Die 4  Die 5
4      3      1      4      6

You can use this number to find a word in the book. For example, if you roll 43146, you can look up the word that has the number 43146 next to it. In this case, it is curry.

You can repeat this process four more times to get four more words. For example, you might get these words:

Number  Word
43146   curry
65132   lunchtime
21563   exhaust
36214   blinking
56433   vigorous

These five words make up your diceware passphrase. It is a long and random password that is hard for bad people to guess, but easy for you to remember. You can use it to protect your secrets online, should you choose not to use a password manager (or the password for the manager).
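The dice-and-book lookup described above, together with the entropy it yields, as an added example (not part of the original guide). `SAMPLE_WORDLIST` is a constructed five-entry excerpt holding only the words from the table; `generate` assumes you supply a complete 7776-entry list, and all function names are illustrative.

```python
import math
import secrets

# Constructed excerpt: only the five entries shown in the table above.
# A real diceware list has 6**5 = 7776 entries, one per five-dice roll.
SAMPLE_WORDLIST = {
    "43146": "curry",
    "65132": "lunchtime",
    "21563": "exhaust",
    "36214": "blinking",
    "56433": "vigorous",
}

DICE_PER_WORD = 5
FULL_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776


def roll_key(dice=DICE_PER_WORD):
    """Simulate rolling fair dice with the OS CSPRNG, e.g. '43146'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def lookup(rolls, wordlist):
    """Turn a sequence of roll keys into a passphrase, rejecting bad keys."""
    words = []
    for key in rolls:
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"not a valid roll of {DICE_PER_WORD} dice: {key!r}")
        if key not in wordlist:
            raise KeyError(f"word list has no entry for roll {key}")
        words.append(wordlist[key])
    return " ".join(words)


def generate(wordlist, n_words=5):
    """Generate a passphrase; refuses incomplete lists, which would bias picks."""
    if len(wordlist) != FULL_LIST_SIZE:
        raise ValueError("need a complete 7776-entry list for uniform selection")
    return lookup([roll_key() for _ in range(n_words)], wordlist)


def entropy_bits(n_words, list_size=FULL_LIST_SIZE):
    """Entropy of n words chosen independently and uniformly from the list."""
    return n_words * math.log2(list_size)


def random_chars_for(bits, alphabet_size=94):
    """Length of a random printable-ASCII password with at least `bits` entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    rolls = ["43146", "65132", "21563", "36214", "56433"]
    print(lookup(rolls, SAMPLE_WORDLIST))
    print(f"{entropy_bits(5):.1f} bits, comparable to "
          f"{random_chars_for(entropy_bits(5))} random printable characters")
```

The entropy figure only holds when every word is picked by the dice (or a CSPRNG); choosing or re-rolling words you like better lowers it.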

A quality password is important because it protects your personal information, your money, your identity, and your privacy. If someone guesses or steals your password, they can access your email, your bank account, your social media and various other online services that you use. They can also pretend to be you and do bad things in your name.

A passphrase is better than a password because it is longer and more random. A longer password is harder to crack by guessing or using a computer program. A random password is harder to crack by using common words or patterns that people often use. For example, a password like ilovecats123 is easy to crack because it uses common words and numbers that hackers can try quickly. A passphrase like curry lunchtime exhaust blinking vigorous is hard to crack because it uses uncommon words and combinations that hackers cannot guess easily, with no relation to you and no words tying you to your secret/recovery questions. Spaces also count as special characters, making it infinitely harder for a program or computer to figure out.

You should never use the same password for multiple services because if one service gets hacked or breached, all your other services are at risk too. For example, if you use the same password for your email and your online shopping account, and the online shopping website gets hacked, the hackers can use your email and password to log into your email account too. They can then read your emails, send spam or phishing messages to your contacts, or reset your passwords for other services.

You should get into the habit of checking for breaches because breaches are very common and can expose your passwords and other personal information to hackers. A breach is when a website or a service gets hacked, and the hackers steal the data of the users. You can check if your email or password has been involved in a breach by using a website like https://haveibeenpwned.com/. If you find out that your email or password has been breached, you should change it immediately and use a different one for each service.
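Checking a password against a breach corpus does not require handing over the password. This added example (not from the original guide) follows the range-query scheme of Have I Been Pwned's Pwned Passwords API, where only the first five hex characters of the SHA-1 hash are sent. `OfflineRangeServer`, its breach counts and the decoy lines are constructed stand-ins so the code runs offline.

```python
import hashlib

# Endpoint shape of the Pwned Passwords range API; never called in this example.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def check_password(password, fetch):
    """Return how often `password` appears in the corpus.

    `fetch` is any callable taking the 5-character prefix and returning the
    response body. The full hash and the password never leave this function.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


class OfflineRangeServer:
    """Constructed stand-in for the remote service; records what it is sent."""

    def __init__(self, known_breached):
        self.seen_requests = []
        self.by_prefix = {}
        for password, count in known_breached.items():
            prefix, suffix = split_hash(password)
            self.by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(self, prefix):
        self.seen_requests.append(prefix)
        # Constructed decoy lines: other hashes that share the same prefix.
        decoys = ["0" * 34 + "A:3", "F" * 35 + ":12"]
        return "\r\n".join(self.by_prefix.get(prefix, []) + decoys)


if __name__ == "__main__":
    # Constructed corpus: the weak example password from this guide, fake count.
    server = OfflineRangeServer({"ilovecats123": 4821})
    for candidate in ("ilovecats123", "curry lunchtime exhaust blinking vigorous"):
        print(f"{candidate!r}: seen {check_password(candidate, server.fetch)} times")
    print("the server only ever saw:", server.seen_requests)
```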

You should always keep backups of your vault in case something happens. If you lose the password or our server dies, it’s gone.

Email Security

Email is not a secure form of communication by default. You can enhance your email security with tools like OpenPGP, which encrypts your messages end-to-end, but OpenPGP has some limitations compared to encryption in other messaging apps, and some email data is inherently unencrypted due to how email works.

Therefore, email is better suited for receiving transactional emails (such as notifications, verification emails, password resets, etc.) from the online services you use, rather than for communicating with other people. This is also why we have a support portal and not emails.

Email Encryption Overview

The standard way to encrypt emails end-to-end between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being GnuPG and OpenPGP.js.

There is another standard that is popular with businesses called S/MIME, but it requires a certificate from a Certificate Authority (not all of them issue S/MIME certificates). It is supported by Google Workplace and Outlook for Web or Exchange Server 2016, 2019.

However, even if you use OpenPGP, it does not have forward secrecy, which means if you or the recipient’s private key is ever compromised, all previous messages encrypted with it will be exposed. This is why we suggest instant messengers that have forward secrecy over email for personal communications whenever possible.

What Email Clients Support E2EE?

Email providers that allow you to use standard access protocols like IMAP and SMTP can work with any of the email clients we recommend. Depending on the authentication method, this may reduce security if either the provider or the email client does not support OATH or a bridge application, as multi-factor authentication is not possible with plain password authentication.

How Do I Protect My Private Keys?

A smartcard (such as a YubiKey or Nitrokey) works by receiving an encrypted email message from a device (phone, tablet, computer, etc.) running an email/webmail client. The smartcard then decrypts the message and sends the decrypted content back to the device.

It is better for the decryption to happen on the smartcard so as to avoid potentially exposing your private key to a hacked device, but this is generally overkill for most users.

Email Metadata Overview

Email metadata is stored in the message header of the email message and includes some visible headers that you may have seen such as: To, From, Cc, Date, Subject. There are also some hidden headers added by many email clients and providers that can reveal information about your account.

Client software may use email metadata to show who a message is from and when it was received. Servers may use it to determine where an email message has to go, among other purposes that are not always clear.

Who Can View Email Metadata?

Email metadata is protected from outside observers with Opportunistic TLS, but it can still be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients, including your email provider. Sometimes email servers will also use third-party services to protect against spam, which usually also have access to your messages.

Why Can’t Metadata be E2EE?

Email metadata is essential for the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring additional software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see a lot of information about your messages, such as who you’re emailing, the subject lines, when you’re emailing, etc.
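To make the point concrete, the following added example (not part of the original page) parses a message whose body is OpenPGP-encrypted and lists what a relaying server can still read without any key. The message, its addresses, header values and the placeholder body are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: every name, address and header value is invented.
# The body stands in for OpenPGP ciphertext (placeholder, not real output).
SAMPLE_MESSAGE = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.10])
\tby mx.recipient.example with ESMTPS id A1B2C3;
\tTue, 02 Jan 2024 10:15:03 +0000
Received: from laptop (unknown [198.51.100.23])
\tby mail.sender.example with ESMTPSA id D4E5F6;
\tTue, 02 Jan 2024 10:15:01 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Results from the clinic
Date: Tue, 02 Jan 2024 10:15:00 +0000
User-Agent: ExampleMail/1.0 (Linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

(constructed placeholder for the encrypted body)
-----END PGP MESSAGE-----
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_view(raw_message):
    """Return what a server handling the message can read without any key."""
    msg = message_from_string(raw_message)
    # Received headers are folded over several lines; collapse the whitespace.
    hops = [" ".join(value.split()) for value in msg.get_all("Received", [])]
    hop_ips = [ip for hop in hops for ip in IP_IN_BRACKETS.findall(hop)]
    body = msg.get_payload()
    return {
        "from": parseaddr(msg["From"])[1],
        "to": parseaddr(msg["To"])[1],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "client": msg["User-Agent"],      # "hidden" header added by the client
        "hops": hops,                     # newest hop first
        "hop_ips": hop_ips,
        # The oldest Received header records the address the sender submitted from.
        "origin_ip": hop_ips[-1] if hop_ips else None,
        "body_is_openpgp": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    for field, value in relay_view(SAMPLE_MESSAGE).items():
        print(f"{field:16} {value}")
```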

VPN Overview

Virtual Private Networks (VPNs) are a way of creating a secure connection between your device and another server on the internet. Your Internet Service Provider (ISP) can see the amount and direction of internet traffic entering and exiting your network device (i.e. modem).

Encryption protocols such as HTTPS are widely used on the internet, so your ISP may not be able to see exactly what you’re posting or reading, but it can get an idea of the domains you request.

A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you’re passing into it.

Should I use a VPN?

Yes, unless you are already using Tor. A VPN does two things: it shifts the risks from your ISP to itself, and it hides your IP address from third-party services. Note, though, that you must now trust the VPN.

VPNs cannot encrypt data outside the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider’s “no logging” policies in any way. Do note: if you’re paying for a no-log VPN service that limits concurrent connections, they’re logging you.

However, they do hide your actual IP address from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.

When shouldn’t I use a VPN?

Using a VPN in cases where you’re using your known identity is unlikely to be useful. Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank’s website.

If you’re looking to be anonymous or are researching something possibly illegal, more than a VPN could be needed as well.

What about encryption?

Encryption offered by VPN providers is between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies, where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers and the service providers is not handled by this encryption.

In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling “HTTPS everywhere” in your browser to mitigate downgrade attacks like SSL Strip.

Should I use encrypted DNS with a VPN?

Unless your VPN provider hosts the encrypted DNS servers, no. Using DoH/DoT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does nothing to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.

A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for TLS certificates with HTTPS and warn you about it. If you are not using HTTPS, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.

Needless to say, you shouldn’t use encrypted DNS with Tor. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you.

Should I use Tor and a VPN?

By using a VPN with Tor, you’re creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. Read more about Tor bridges and why using a VPN is not necessary.

What if I need anonymity?

VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a payment record that can be traced back to you. You cannot depend on “no logging” policies to protect your data. Use Tor instead, even though that’s not perfect either.

What about VPN providers that offer Tor nodes?

Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently, Tor only supports the TCP protocol. UDP (used in WebRTC for voice and video sharing, the new HTTP3/QUIC protocol, etc.), ICMP and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with ProtonVPN. Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as Isolated Destination Address (using a different Tor circuit for every domain you visit).

The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway likely with TailsOS.

When are VPNs useful?

A VPN may still be useful to you in some scenarios, such as:

  • Hiding your traffic from only your ISP.
  • Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
  • Hiding your IP address from third-party websites and services, preventing IP based tracking.

For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you’re trusting the provider. In almost any other scenario you should be using a secure-by-design tool such as Tor.

DNS Overview

*Rynue recommends these free DNS Servers from ControlD:
IPv4: 76.76.2.32 | 76.76.10.32
IPv6: 2606:1a40::32 | 2606:1a40:1::32

DNS stands for Domain Name System. It is a system that translates domain names, like example.com, into numerical IP addresses, like 192.168.0.1, that computers use to communicate with each other on the internet. DNS is like a phone book of the internet that helps you find the right server for the website you want to visit.

How DNS Works

When you type a domain name into your web browser, your computer sends a query to a DNS server to ask for the IP address of that domain name. A DNS server is a computer that stores a database of domain names and their corresponding IP addresses.

There are two types of DNS servers: recursive and authoritative. A recursive DNS server is the one that your computer contacts first. It acts like a librarian who tries to find the IP address for the domain name you requested. If it doesn’t have the answer in its cache (a temporary storage of recent queries and responses), it will ask other DNS servers until it finds the answer or gives up.

An authoritative DNS server is the one that has the final and definitive answer for a domain name. It acts like a dictionary that defines what each domain name means. An authoritative DNS server is usually managed by the owner of the domain name, such as a web hosting company or a domain registrar.

The process of finding the IP address for a domain name involves several steps and may involve multiple DNS servers. For example, if you want to visit example.com, your computer may contact a recursive DNS server provided by your internet service provider (ISP). The recursive DNS server will then contact a root nameserver, which is one of the 13 servers that store information about the top-level domains (TLDs), such as .com, .net, .org, etc. The root nameserver will tell the recursive DNS server which TLD nameserver to contact for .com domains. The TLD nameserver will then tell the recursive DNS server which authoritative nameserver to contact for example.com. The authoritative nameserver will then provide the IP address for example.com to the recursive DNS server, which will relay it back to your computer. Your computer will then use that IP address to connect to the web server that hosts example.com.

Why DNS Security Is Important

DNS is an essential part of the internet, but it also has some security risks. Hackers can exploit DNS vulnerabilities to launch various types of attacks, such as:

  • DNS spoofing/cache poisoning: This is an attack where a hacker inserts fake or malicious data into a DNS server’s cache, making it return an incorrect IP address for a domain name. For example, if a hacker spoofs the DNS cache of your ISP’s recursive DNS server and makes it return an IP address of a malicious website instead of example.com, you may end up visiting a fake website that looks like example.com but tries to steal your personal information or infect your computer with malware.
  • DNS tunneling: This is an attack where a hacker uses DNS queries and responses to send or receive data that is not related to DNS, such as malware or stolen information. For example, if a hacker wants to bypass a firewall or evade detection, they may use DNS tunneling to communicate with their command-and-control server using encrypted data hidden inside DNS packets.
  • DNS hijacking: This is an attack where a hacker redirects DNS queries to a different DNS server that they control. For example, if a hacker hijacks your router’s settings and changes its default DNS server to their own malicious one, they can intercept all your DNS queries and redirect them to fake or harmful websites.
  • NXDOMAIN attack: This is an attack where a hacker floods a DNS server with requests for non-existent domain names, trying to overload it and cause a denial-of-service (DoS) for legitimate traffic. For example, if a hacker wants to take down example.com’s website, they may send thousands of requests for random subdomains of example.com (such as abc.example.com, xyz.example.com, etc.) to its authoritative nameserver, hoping to exhaust its resources and make it unavailable.
  • Phantom domain attack: This is an attack where a hacker sets up fake or malicious domain names that either respond very slowly or not at all to DNS queries, trying to fill up a DNS server’s cache with junk data and cause a DoS for legitimate traffic. For example, if a hacker wants to slow down your ISP’s recursive DNS server, they may register a bunch of phantom domains (such as bad1.com, bad2.com, etc.) and configure their authoritative nameservers to delay or ignore DNS queries for those domains.

To protect yourself and your network from these DNS attacks, you need to implement DNS security measures, such as:

  • Using redundant DNS servers: Having multiple DNS servers can help you avoid downtime or performance issues caused by DNS attacks or failures. You can use different DNS servers from different providers or locations, and switch between them as needed. For example, you can use Quad9’s public DNS servers (9.9.9.9 and 149.112.112.112) instead of what is built into your router/modem. This also provides you with more security and freedom by not letting your ISP collect and serve your internet requests.
  • Applying security protocols like DNSSEC: DNSSEC stands for Domain Name System Security Extensions. It is a set of standards that add cryptographic signatures to DNS data, making it possible to verify its authenticity and integrity. DNSSEC can prevent DNS spoofing and cache poisoning attacks by ensuring that the DNS responses you receive are from the legitimate source and have not been tampered with. To use DNSSEC, you need to enable it on both your DNS server and your client device.
  • Requiring rigorous DNS logging: Keeping track of all the DNS queries and responses that pass through your network can help you detect and analyze any suspicious or malicious activity. You can use tools like Wireshark or tcpdump to capture and inspect DNS packets, or use specialized software like Splunk or ELK Stack to collect and visualize DNS logs.
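DNS logs are only useful if something reads them. The following added example (not from the original page) scans resolver log lines for two of the patterns described above: bursts of NXDOMAIN answers for distinct subdomains of one domain, and long, high-entropy labels that suggest data encoded into queries. The log format, the sample lines, the thresholds and the two-label parent heuristic are assumptions made for the illustration.

```python
import math
import random
from collections import Counter, defaultdict

BASE32 = "abcdefghijklmnopqrstuvwxyz234567"


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def parent_domain(qname):
    """Last two labels. Assumption: good enough for this sample; real tooling
    should use the Public Suffix List to find the registrable domain."""
    return ".".join(qname.split(".")[-2:])


def parse_line(line):
    """Constructed log format: '<time> <client> <qname> <qtype> <rcode>'."""
    time, client, qname, qtype, rcode = line.split()
    return {"time": time, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype, "rcode": rcode}


def analyse(lines, min_queries=5, ratio=0.8, long_label=30, min_entropy=3.5):
    """Return sorted (client, parent domain, finding) tuples."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            record = parse_line(line)
            groups[(record["client"], parent_domain(record["qname"]))].append(record)

    findings = []
    for (client, parent), records in sorted(groups.items()):
        total = len(records)
        if total < min_queries:
            continue  # too few queries to say anything
        first_labels = [r["qname"].split(".")[0] for r in records]
        encoded = sum(len(label) >= long_label and shannon_entropy(label) >= min_entropy
                      for label in first_labels)
        nxdomain = sum(r["rcode"] == "NXDOMAIN" for r in records)
        distinct = len({r["qname"] for r in records})
        if encoded / total >= ratio:
            findings.append((client, parent, "possible-tunnelling"))
        elif nxdomain / total >= ratio and distinct / total >= ratio:
            findings.append((client, parent, "nxdomain-burst"))
    return findings


def constructed_log():
    """Sample log lines, constructed for this example."""
    lines = [
        # Ordinary browsing, including one mistyped name.
        "10:00:01 10.0.0.5 www.example.org A NOERROR",
        "10:00:02 10.0.0.5 example.org MX NOERROR",
        "10:00:03 10.0.0.5 cdn.example.org A NOERROR",
        "10:00:04 10.0.0.5 wwww.example.org A NXDOMAIN",
        "10:00:05 10.0.0.5 api.example.org AAAA NOERROR",
        "10:00:06 10.0.0.5 www.example.org AAAA NOERROR",
    ]
    # Random subdomains that do not exist, all under one domain.
    for i, label in enumerate(["qk3vz7ha", "p0x9mmtr", "zz4c1wne",
                               "h7rrb2ky", "m5dd0qls", "t8ge3vxu"]):
        lines.append(f"10:01:{i:02d} 10.0.0.7 {label}.example.com A NXDOMAIN")
    # Long labels that use every base32 character once (entropy = 5 bits/char).
    rng = random.Random(7)
    for i in range(6):
        chars = list(BASE32)
        rng.shuffle(chars)
        lines.append(f"10:02:{i:02d} 10.0.0.9 {''.join(chars)}.t.tunnel.example TXT NOERROR")
    return lines


if __name__ == "__main__":
    for finding in analyse(constructed_log()):
        print(finding)
```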

Why Use Custom DNS Servers

Custom DNS servers are DNS servers that you choose to use instead of the ones provided by your ISP or router. Custom DNS servers can offer you several benefits, such as:

  • Faster browsing experience: Custom DNS servers may have better performance, reliability, or availability than your default ones, resulting in faster DNS resolution and web page loading. For example, some custom DNS servers use advanced technologies like Anycast or GeoDNS to route your queries to the nearest or best server for you.
  • Improved security: Custom DNS servers may have better security features, such as encryption, filtering, or blocking, than your default ones, resulting in safer browsing and protection from malicious websites. For example, some custom DNS servers use protocols like DoH (DNS over HTTPS) or DoT (DNS over TLS) to encrypt your DNS traffic and prevent eavesdropping or tampering by third parties.
  • Accurate results without redirects: Custom DNS servers may have more accurate or up-to-date data than your default ones, resulting in correct IP addresses and fewer errors or redirects. For example, some custom DNS servers use real-time data sources or artificial intelligence to provide the most relevant results for your queries.
  • Extra functionality like hostname routing: Custom DNS servers may have additional features that allow you to customize your network settings or access special services. For example, some custom DNS servers let you create hostname routes for your local devices, such as web-server to 192.168.0.101, so that you can access them easily using human-friendly names instead of IP addresses.

How to Use Custom DNS Servers

To use custom DNS servers, you need to change the settings on your router or device that specify which DNS servers to use. The exact steps may vary depending on your router or device model, but here is a general guide:

  • On your router: Log in to your router’s web interface using its IP address (usually 192.168.0.1 or 192.168.1.1) and username and password (usually admin/admin). Find the section that lets you configure the WAN (Wide Area Network) settings or the DHCP (Dynamic Host Configuration Protocol) settings. Look for the fields that let you enter the primary and secondary DNS servers. Enter the IP addresses of the custom DNS servers that you want to use (for example, 9.9.9.9 and 149.112.112.112 for Quad9’s public DNS servers). Save the changes and restart your router if necessary.
  • On your device: Go to the network settings of your device (such as Windows Settings > Network & Internet > Ethernet/Wi-Fi > Change adapter options > Properties > Internet Protocol Version 4/6). Find the option that lets you specify the preferred and alternate DNS servers. Enter the IP addresses of the custom DNS servers that you want to use (for example, 76.76.2.32 and 76.76.10.32 for Quad9’s public DNS servers). Save the changes and restart your device if necessary.

Note that changing the settings on your router will affect all the devices connected to it, while changing the settings on your device will only affect that device.

What Outside Parties Can See

When you use plain text DNS, anyone who can intercept your network traffic can see the domain names and IP addresses that you are requesting and receiving. This includes your ISP, your network administrator, your government, hackers, advertisers, or anyone else who has access to your network or the networks between you and the DNS server. This is also why hosting your own DNS server is so important and we will help you do this.

This means that outside parties can:

  • Monitor your online activity: They can see which websites you are visiting, how often, and when. They can also see which apps or services you are using that rely on DNS, such as email, messaging, streaming, gaming, etc.
  • Infer your personal information: They can deduce your location, interests, preferences, habits, behavior, and identity based on the domain names and IP addresses that you are accessing. They can also link your DNS queries to other data sources, such as cookies, browser fingerprints, or device identifiers.
  • Manipulate your DNS traffic: They can modify or redirect your DNS queries or responses to serve their own purposes. They can send you to fake or malicious websites that may try to scam you, steal your information, or infect your device with malware. They can also block or censor your access to certain websites or services that they don’t want you to see.

Why You Should or Shouldn’t Use Encrypted DNS

Using encrypted DNS can help you protect your privacy and security online by preventing outside parties from seeing or tampering with your DNS traffic. However, using encrypted DNS also has some drawbacks and limitations that you should be aware of before deciding whether to use it or not.

Some of the pros of using encrypted DNS are:

  • You can browse the web more privately: Encrypted DNS hides your domain names and IP addresses from anyone who might be snooping on your network traffic. This means that they won’t be able to monitor your online activity or infer your personal information based on your DNS queries.
  • You can access the web more securely: Encrypted DNS ensures that you get the correct and authentic IP address for the domain name that you requested. This means that you won’t be redirected to fake or malicious websites that might try to harm you or your device.
  • You can bypass network restrictions or censorship: Encrypted DNS can help you access websites or services that might be blocked or censored by your ISP, your network administrator, your government, or other intermediaries. This is because encrypted DNS uses standard ports (443 for HTTPS and 853 for TLS) that are usually open on most networks, unlike other ports that might be blocked by firewalls or ISPs.

Some of the cons of using encrypted DNS are:

  • You still need to trust a third party: Encrypted DNS only protects your communication with the DNS server that you choose to use. It doesn’t protect your communication with the website or service that you are accessing. This means that you still need to trust the DNS server provider that they won’t log, share, or misuse your DNS data. You also need to trust the website or service provider that they won’t track, collect, or exploit your personal information.
  • You may experience slower performance: Encrypted DNS may add some overhead and latency to your DNS queries and responses due to the encryption and decryption process. This may affect your browsing speed and reliability depending on the quality and location of the DNS server that you use.
  • You may encounter compatibility issues: Encrypted DNS may not work well with some devices, applications, or networks that don’t support it or have conflicting settings. For example, some routers may block encrypted DNS traffic by default or require manual configuration to allow it. Some apps may use their own hardcoded DNS servers instead of the ones that you set on your device. Some networks may have policies or regulations that prohibit encrypted DNS traffic.

Control D Free DNS IPs to Use

Control D is a custom DNS service that offers free and premium plans with different features and benefits. Control D lets you choose from four different types of free DNS servers based on your needs and preferences:

  • Default: This is the basic free plan that provides fast and secure DNS resolution without any filtering or blocking. It supports DoH (DNS over HTTPS) encryption and has IPv4 and IPv6 addresses.
    • IPv4: 76.76.2.0
    • IPv6: 2604:2d80:4000::2
  • Family: This is the free plan that provides DNS resolution with family-friendly filtering and blocking. It blocks adult, gambling, and malware websites and supports DoH encryption and IPv4 and IPv6 addresses.
    • IPv4: 76.76.2.3
    • IPv6: 2604:2d80:4000::3
  • Security: This is the free plan that provides DNS resolution with security-focused filtering and blocking. It blocks malware, phishing, and scam websites and supports DoH encryption and IPv4 and IPv6 addresses.
    • IPv4: 76.76.2.2
    • IPv6: 2604:2d80:4000::4
  • Custom: This is the free plan that lets you customize your own DNS resolution with your own filtering and blocking rules. You can choose which categories of websites to block or allow and create your own whitelists and blacklists. It supports DoH encryption and IPv4 and IPv6 addresses.
    • IPv4: 76.76.10.0
    • IPv6: 2604:2d80:4000::10

What IPv4 and IPv6 Are

IPv4 and IPv6 are two versions of the Internet Protocol (IP), which is the set of rules that define how devices communicate on the internet. IP assigns a unique numerical address to each device on the internet, called an IP address, which is used to identify and locate the device.

IPv4 is the older version of IP that was developed in the early 1980s. It uses 32-bit addresses, which can support up to 4.3 billion devices on the internet. However, due to the rapid growth of the internet, IPv4 addresses have become scarce and insufficient to meet the demand for new devices.

IPv6 is the newer version of IP that was developed in the late 1990s. It uses 128-bit addresses, which can support up to 340 undecillion (a number with 36 zeros) devices on the internet. This means that IPv6 can provide virtually unlimited addresses for the current and future needs of the internet.

IPv6 also has some other advantages over IPv4, such as:

  • Improved security: IPv6 supports mandatory encryption and authentication for all communications, making it more secure than IPv4, which relies on optional security protocols.
  • Improved efficiency: IPv6 simplifies the packet header structure and eliminates the need for network address translation (NAT), making it more efficient than IPv4, which has a complex header structure and requires NAT to conserve addresses.
  • Improved mobility: IPv6 supports seamless mobility and roaming for devices, making it more suitable than IPv4 for wireless networks and mobile devices.

What SNI Is

SNI stands for Server Name Indication. It is an extension of the TLS (Transport Layer Security) protocol, which is used to encrypt and secure communications between a client (such as a web browser) and a server (such as a web server).

SNI allows a client to indicate which hostname (such as example.com) it wants to connect to during the TLS handshake process, which is the initial exchange of messages that establishes a secure connection between the client and the server.

SNI is useful when a server hosts multiple websites or services using a single IP address, which is common in shared hosting environments or cloud platforms. Without SNI, a client would only send the IP address of the server during the TLS handshake, which would not be enough to identify which website or service it wants to access. The server would then have to guess or use a default certificate, which could result in errors or security issues.

With SNI, a client can send the hostname of the website or service it wants to access during the TLS handshake, which allows the server to select and present the appropriate certificate for that hostname. This ensures that the client can verify the identity of the server and establish a secure connection with it.

What OCSP Is

OCSP stands for Online Certificate Status Protocol. It is a protocol that allows a client (such as a web browser) to check the validity of a certificate presented by a server (such as a web server) during a TLS (Transport Layer Security) connection.

A certificate is a digital document that proves the identity of a server and enables encrypted communication between a client and a server. A certificate is issued by a trusted authority called a certificate authority (CA), which also maintains a list of revoked certificates that are no longer valid due to expiration, compromise, or other reasons.

OCSP allows a client to query a CA or an OCSP responder (a server that handles OCSP requests) about the status of a certificate presented by a server during a TLS connection. The OCSP responder will reply with one of three possible responses:

  • Good: The certificate is valid and has not been revoked.
  • Revoked: The certificate has been revoked and should not be trusted.
  • Unknown: The status of the certificate is unknown or not available.

The unknown response means that the OCSP responder does not have enough information to determine whether the certificate is valid or revoked. This could happen for various reasons, such as:

  • The certificate is not issued by the CA that operates the OCSP responder: The OCSP responder can only provide status information for certificates that belong to its own CA. If the client queries an OCSP responder that does not match the CA of the certificate, it will receive an unknown response.
  • The certificate is too new or too old: The OCSP responder may not have updated information for certificates that are recently issued or expired. If the client queries an OCSP responder with a certificate that falls outside its range of validity, it will receive an unknown response.
  • The OCSP responder is offline or overloaded: The OCSP responder may not be able to process requests due to network issues, maintenance, or high demand. If the client queries an OCSP responder that is unavailable or busy, it will receive an unknown response.

How to Handle Unknown Responses

An unknown response from an OCSP responder does not necessarily mean that the certificate is invalid or revoked. However, it also does not guarantee that the certificate is valid and trustworthy. Therefore, different clients may handle unknown responses differently depending on their security policies and preferences.

Some possible ways to handle unknown responses are:

  • Reject: The client treats an unknown response as equivalent to a revoked response and rejects the connection with the server. This is the most secure option, but it may also cause false positives and prevent legitimate connections.
  • Accept: The client treats an unknown response as equivalent to a good response and accepts the connection with the server. This is the most lenient option, but it may also cause false negatives and allow malicious connections.
  • Fallback: The client tries another method to verify the status of the certificate, such as downloading and checking its CRL (Certificate Revocation List), which is another way of keeping track of revoked certificates. This is a more balanced option, but it may also incur additional overhead and delay.
  • Warn: The client warns the user about the unknown response and lets the user decide whether to accept or reject the connection with the server. This is a more interactive option, but it may also confuse or annoy the user.

What DNSSEC Is

DNSSEC stands for Domain Name System Security Extensions. It is a set of standards that add cryptographic signatures to DNS data, making it possible to verify its authenticity and integrity. DNSSEC can prevent DNS spoofing and cache poisoning attacks by ensuring that the DNS responses you receive are from the legitimate source and have not been tampered with.

To use DNSSEC, you need to enable it on both your DNS server and your client device. The process of enabling DNSSEC involves four steps:

  • Signing: The authoritative DNS server signs its DNS records with a private key, creating digital signatures that can be verified with a public key.
  • Publishing: The authoritative DNS server publishes its public key and its signed DNS records to the DNS system, making them available for queries.
  • Validating: The client device queries the DNS system for the public key and the signed DNS records of the domain name it wants to resolve.
  • Verifying: The client device uses the public key to verify the digital signatures of the DNS records, ensuring that they are authentic and have not been modified.

What QNAME Minimization Is

QNAME minimization is a technique that reduces the amount of information disclosed in DNS queries. It does so by splitting a domain name into smaller parts and querying each part separately, starting from the top-level domain (TLD) and going down to the subdomains.

For example, if you want to resolve www.example.com, a normal DNS query would send the whole domain name (www.example.com) to a root nameserver, which would then direct you to a TLD nameserver for .com domains. The TLD nameserver would then direct you to an authoritative nameserver for example.com domains, which would finally provide you with the IP address for www.example.com.

However, with QNAME minimization, a DNS query would send only the TLD (.com) to a root nameserver, which would then direct you to a TLD nameserver for .com domains. The DNS query would then send only the second-level domain (example) to the TLD nameserver, which would then direct you to an authoritative nameserver for example.com domains. The DNS query would then send only the subdomain (www) to the authoritative nameserver, which would finally provide you with the IP address for www.example.com.

The advantage of QNAME minimization is that it reduces the exposure of your domain name to third parties, such as root or TLD nameservers, that may not need to know it or may use it for malicious purposes. It also reduces the size of your DNS queries and responses, which may improve performance and efficiency.
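To compare what each nameserver learns with and without QNAME minimization, here is an added example (not from the original article) that walks a constructed delegation tree. In the minimised walk each query carries the name cut down to one label more than the zone being asked, so the .com servers are sent example.com. rather than www.example.com.; the zone list is an assumption made for the demonstration.

```python
# Constructed delegation tree: each entry is a zone with its own nameservers.
ZONE_CUTS = {".", "com.", "example.com."}


def ancestors(qname):
    """'a.b.example.com.' -> ['com.', 'example.com.', 'b.example.com.', 'a.b.example.com.']"""
    parts = qname.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def resolve_trace(qname, minimise):
    """Return [(zone whose servers were asked, name they were sent)] for one lookup."""
    qname = qname.lower().rstrip(".") + "."
    trace, zone = [], "."
    if not minimise:
        trace.append((zone, qname))             # the root already sees the full name
    for name in ancestors(qname):
        if minimise:
            trace.append((zone, name))          # one label more than the zone asked
        if name in ZONE_CUTS:
            zone = name                         # referral: continue at the child zone
            if not minimise:
                trace.append((zone, qname))     # full name repeated at every level
    if minimise and zone == qname:
        trace.append((zone, qname))             # qname is itself a zone apex
    return trace


def saw_full_name(trace, qname):
    """Zones whose servers learned the complete name being resolved."""
    qname = qname.lower().rstrip(".") + "."
    return [zone for zone, sent in trace if sent == qname]
```

A name with labels that are not delegated, such as a.b.example.com., costs the minimising resolver an extra query to the same servers, which is the usual trade-off of the technique.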

What EDNS Client Subnet Is

EDNS Client Subnet is an extension of the EDNS0 (Extension Mechanisms for DNS 0) protocol, which is used to add additional information or functionality to DNS queries and responses. EDNS Client Subnet allows a client device to include its subnet information (such as its IP address prefix) in its DNS queries, which can help improve the accuracy and relevance of the DNS responses.

For example, if you want to visit example.com, which is hosted by a content delivery network (CDN) that has multiple servers around the world, a normal DNS query would only return one IP address for example.com, which may not be the closest or best server for you. However, with EDNS Client Subnet, a DNS query would also include your subnet information, which would allow the CDN to return an IP address for example.com that is geographically closer or better suited for you.

The advantage of EDNS Client Subnet is that it can improve your browsing speed and reliability by reducing latency and packet loss. It can also improve your user experience by providing more relevant content or services based on your location. However, it also has some drawbacks and limitations, such as:

  • Privacy concerns: EDNS Client Subnet reveals your subnet information to third parties, such as authoritative or recursive DNS servers, that may not need to know it or may use it for malicious purposes. It also makes your DNS queries more identifiable and traceable.
  • Security risks: EDNS Client Subnet may expose your subnet information to attackers who may use it to target or compromise your network or device. It may also interfere with security mechanisms that rely on IP addresses, such as firewalls or VPNs.
  • Compatibility issues: EDNS Client Subnet may not work well with some devices, applications, or networks that don’t support it or have conflicting settings. For example, some routers may strip or modify EDNS Client Subnet information from DNS queries or responses. Some apps may use their own hardcoded IP addresses instead of relying on DNS resolution.
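To see exactly what the privacy concern above amounts to on the wire, this added example (not from the original article) encodes and parses the EDNS Client Subnet option as defined in RFC 7871 and classifies how much of the client address it discloses. The client addresses are constructed documentation addresses, and the `audit` labels are names chosen for this example.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8
ADDR_BITS = {1: 32, 2: 128}        # FAMILY 1 = IPv4, 2 = IPv6
MAX_PREFIX = {1: 24, 2: 56}        # truncation maxima recommended by RFC 7871


def build_ecs(client_ip, source_prefix):
    """Encode the option a resolver would attach for this client and prefix length."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr = net.network_address.packed[:(source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs(option):
    """Decode and validate one ECS option; returns (family, network, scope_prefix)."""
    if len(option) < 8:
        raise ValueError("truncated ECS option")
    code, length = struct.unpack("!HH", option[:4])
    body = option[4:]
    if code != ECS_OPTION_CODE or length != len(body):
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", body[:4])
    if family not in ADDR_BITS or source > ADDR_BITS[family]:
        raise ValueError("unknown family or impossible prefix length")
    addr = body[4:]
    if len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match SOURCE PREFIX-LENGTH")
    full = addr + bytes(ADDR_BITS[family] // 8 - len(addr))
    cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
    net = cls((full, source), strict=False)
    if net.network_address.packed != full:
        raise ValueError("non-zero bits beyond the source prefix")
    return family, net, scope


def audit(option):
    """Classify how much of the client's address the option discloses."""
    family, net, _scope = parse_ecs(option)
    if net.prefixlen == 0:
        return ("opt-out", str(net))          # prefix 0: no client address is sent
    if net.prefixlen > MAX_PREFIX[family]:
        return ("over-disclosure", str(net))  # narrower than the recommended maximum
    return ("truncated", str(net))
```

Running `audit` over the ECS options seen in your own resolver's outbound queries shows whether it forwards a truncated network, a full client address, or nothing at all.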

What the OSI Model Is (bonus as it’s networking)

The OSI model is a conceptual framework that describes how different network functions are organized into seven layers, each with a specific role and responsibility. The OSI model was developed in the late 1970s and early 1980s by the International Organization for Standardization (ISO) to provide a common basis for the coordination of standards development for the purpose of systems interconnection.

The OSI model is not a protocol or a technology, but rather a reference model that helps understand and communicate how networks operate, and how different protocols and technologies can work together. The OSI model also helps isolate and troubleshoot networking problems by identifying which layer is causing or experiencing an issue.

The seven layers of the OSI model are:

  • Physical layer: The lowest layer of the OSI model, responsible for transmitting and receiving raw bits over a physical medium, such as a cable or a wireless channel. The physical layer defines the characteristics of the medium, such as voltage levels, modulation schemes, connectors, and pinouts.
  • Data link layer: The second-lowest layer of the OSI model, responsible for organizing bits into frames and ensuring reliable and error-free transmission between adjacent nodes on a network. The data link layer defines the rules for accessing the medium, such as collision detection and avoidance, and provides addressing and error detection mechanisms.
  • Network layer: The third-lowest layer of the OSI model, responsible for routing packets across networks and subnetworks. The network layer defines logical addresses (such as IP addresses) that identify devices on a network, and determines the best path for each packet based on network conditions and topology.
  • Transport layer: The fourth-lowest layer of the OSI model, responsible for establishing end-to-end connections between applications and ensuring reliable and ordered delivery of data. The transport layer defines protocols (such as TCP and UDP) that segment data into smaller units (such as segments or datagrams) and provide flow control, error control, and congestion control mechanisms.
  • Session layer: The fifth-lowest layer of the OSI model, responsible for managing communication sessions between applications. The session layer defines protocols (such as RPC and NFS) that create, maintain, and terminate sessions, and provide synchronization, authentication, and authorization functions.
  • Presentation layer: The sixth-lowest layer of the OSI model, responsible for transforming data into a format that can be understood by applications. The presentation layer defines protocols (such as SSL and MIME) that perform data encryption, decryption, compression, decompression, translation, and conversion functions.
  • Application layer: The highest layer of the OSI model, responsible for providing services to end-user applications. The application layer defines protocols (such as HTTP and FTP) that enable applications to communicate with each other and exchange data over a network.

Tor Overview

What are clearview websites?

Before you know what Tor is, you need to know what Clearview is. Clearview websites are websites that can be easily accessed by anyone using a normal web browser, such as Google Chrome or Firefox. They are also known as the surface web or the visible web. Most of the websites that you use every day are clearview websites, such as Facebook, YouTube, Twitter, Instagram, etc.

However, clearview websites have a downside: they can track your online activity and collect your personal information. For example, a company called Clearview AI has created a facial recognition app that can identify anyone by their face using a database of billions of photos scraped from clearview websites. This app has been used by law enforcement agencies and private companies to find people’s identities, locations, and online profiles without their consent. This can pose a serious threat to your privacy and security.

What is Tor?

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features.

Tor works by directing your internet traffic through a free, worldwide, volunteer overlay network that consists of more than seven thousand relays. Each relay adds a layer of encryption to your data, like the layer of an onion. The first relay (or guard) receives your data and peels off the first layer of encryption, then passes it to the next relay. The second relay peels off the second layer of encryption, then passes it to the third relay. The third relay (or exit) peels off the final layer of encryption and sends your data to its destination on the internet.
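The layering described above as a runnable sketch, added here and not part of the original article: the client applies one layer per relay before sending, and each relay removes only its own layer. The cipher is a toy stand-in (a SHA-256 keystream, not Tor's real cryptography), and the relay names, keys and request are constructed.

```python
import hashlib


def toy_cipher(key, data):
    """XOR with a SHA-256 counter keystream. Illustrative stand-in only, NOT secure."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(next_hop, inner, key):
    """One layer: the next hop's name plus the still-wrapped inner cell."""
    hop = next_hop.encode()
    return toy_cipher(key, bytes([len(hop)]) + hop + inner)


def peel(cell, key):
    """Remove one layer; returns (next_hop, inner_cell)."""
    plain = toy_cipher(key, cell)
    return plain[1:1 + plain[0]].decode(), plain[1 + plain[0]:]


def build_onion(payload, destination, circuit):
    """circuit is [(relay, key)] ordered guard, middle, exit; innermost layer goes on first."""
    next_hops = [relay for relay, _ in circuit[1:]] + [destination]
    cell = payload
    for (_, key), nxt in zip(reversed(circuit), reversed(next_hops)):
        cell = wrap(nxt, cell, key)
    return cell


def route(cell, circuit):
    """Pass the cell along the circuit and record what each relay can observe."""
    views, previous = [], "client"
    for relay, key in circuit:
        next_hop, cell = peel(cell, key)
        views.append({"relay": relay, "from": previous, "to": next_hop, "holds": cell})
        previous = relay
    return views


# Constructed circuit and request (plain HTTP, so the exit holds it in the clear).
CIRCUIT = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
PAYLOAD = b"GET /login?user=alice HTTP/1.1"
```

Calling `route(build_onion(PAYLOAD, "example.com", CIRCUIT), CIRCUIT)` shows that the guard knows the client but holds only ciphertext, while the exit knows the destination and holds the request itself unless the site uses HTTPS.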

By using Tor, you can prevent anyone from watching your connection from knowing what websites you visit or where you are located. You can also access sites that are blocked or censored by your home network or government. For example, you can use Tor to read news from different countries, communicate with activists or journalists, or access hidden services that are only available on the Tor network.

To use Tor, you need to download the Tor Browser, which is a modified version of Firefox that connects to the Tor network automatically. You can also use other applications that are compatible with Tor, such as chat clients, email clients, or file-sharing programs.

Why is Tor important for privacy?

Tor is significant for privacy because it helps you defend yourself against tracking, surveillance, and censorship on the internet. Many websites and online services collect information about you and your online activities, such as your IP address, your browsing history, your preferences, your location, and more. They can use this information to target you with ads, manipulate your behaviour, sell your data to third parties, or cooperate with law enforcement or intelligence agencies.

By using Tor, you can block these trackers and ads from following you around the web. You can also make it difficult for anyone to fingerprint you based on your browser and device information. Fingerprinting is a technique that identifies you by analyzing the unique characteristics of your browser and device, such as your screen resolution, fonts installed, plugins enabled, etc. Tor Browser aims to make all users look the same by disabling or modifying these features.

By using Tor, you can also prevent someone from monitoring your internet connection from knowing what websites you visit or where you are located. This can protect you from hackers, internet service providers (ISPs), employers, schools, governments, or anyone else who might want to spy on you or censor you. For example, if you live in a country where certain websites are banned or restricted by the government, you can use Tor to access them without being detected or blocked.

By using Tor, you can also access hidden services that are only available on the Tor network. These are websites that have a special address ending in .onion and do not reveal their IP address or location. Some hidden services offer useful or interesting content that is not available on the regular internet, such as whistleblower platforms, social networks, forums, blogs, etc. Some hidden services also offer illegal or harmful content that is not recommended or endorsed by the Tor Project.

Is Tor not actually anonymous?

Tor is not actually anonymous because it has some limitations and risks that can compromise your privacy and security. Some of these are:

  • Tor does not encrypt your data end-to-end. This means that if you visit a website that does not use HTTPS (a secure protocol), the final relay in the circuit (or the exit node) can see your data in plain text. This can include your passwords, messages, credit card numbers, etc. To avoid this risk, you should always use HTTPS websites when using Tor.
  • Tor does not protect you from malicious websites or software. If you visit a website that contains malware or spyware, it can infect your device and steal your information or harm your system. To avoid this risk, you should always use antivirus software and update your system regularly when using Tor.
  • Tor does not protect you from human errors. While Tor provides technical tools to enhance your privacy and security, it does not protect you from making mistakes that can reveal your identity or compromise your safety. For example, if you use Tor to log in to a website that knows your real name or email address, you are linking your Tor identity to your real identity. If you use Tor to download or upload files that contain personal information or metadata, you are exposing your data to anyone who can access them. If you use Tor to communicate with someone who is not using Tor or encryption, you are risking your conversation being intercepted or recorded. To avoid these risks, you should always use common sense and good practices when using Tor, such as using pseudonyms, deleting cookies and history, avoiding downloads and uploads, using end-to-end encryption, etc.
  • Tor does not protect you from powerful adversaries or attacks. If someone has enough resources and motivation to target you specifically, they can try to break Tor’s anonymity by using various techniques, such as traffic analysis, correlation attacks, timing attacks, etc. To avoid this risk, you should always use additional security measures when using Tor.
  • Tor does not protect you from traffic analysis. While Tor hides your IP address and location, it does not hide the fact that you are using Tor. This means that anyone who can observe your internet connection, such as your ISP, employer, school, government, etc., can see that you are using Tor and how much data you are sending or receiving. They can also use traffic analysis techniques to infer some information about your online activities, such as when you are online, how often you use Tor, what websites you visit, etc. To avoid this risk, you should use bridges or pluggable transports to disguise your Tor traffic as regular internet traffic, or use other obfuscation tools such as VPNs or proxies.
  • Tor does not protect you from malicious exit relays. While most exit relays are run by honest volunteers, some of them may be run by malicious actors who want to spy on or harm Tor users. They can do this by logging your traffic, injecting ads or malware, redirecting you to fake websites, or stealing your passwords or personal information. To avoid this risk, you should always verify the identity and authenticity of the websites you visit, or use other authentication tools such as certificates or signatures.

What are some cool Tor sites to check out?

If you are curious about what kind of hidden services are available on the Tor network, here are some examples of cool Tor sites to check out:

  • The Hidden Wiki: A directory of hidden services that provides links to various categories of websites, such as news, media, social networks, forums, etc. The Hidden Wiki is one of the oldest and most popular hidden services on the Tor network. However, it also contains links to illegal or harmful content that should be avoided. The Hidden Wiki’s address is http://zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad.onion/
  • ProPublica: A non-profit news organization that produces investigative journalism in the public interest. ProPublica is one of the first major media outlets to launch a hidden service on the Tor network. It offers its readers a more secure and anonymous way to access its content and to contact its journalists. ProPublica’s address is https://www.propub3r6espa33w.onion/
  • DuckDuckGo: A search engine that respects your privacy and does not track you or show you ads. DuckDuckGo is one of the most popular search engines on the regular internet and also on the Tor network. It offers its users a fast and easy way to find information without compromising their privacy. DuckDuckGo’s address is https://3g2upl4pq6kufc4m.onion/
  • SecureDrop: A platform that allows whistleblowers and sources to anonymously submit documents or information to journalists or organizations. SecureDrop is used by many reputable media outlets and organizations around the world to receive sensitive information from people who want to expose corruption, abuse, or wrongdoing. SecureDrop’s address is https://secrdrop5wyphb5x.onion/

What is Tails OS?

Tails OS is a special operating system that uses Tor to protect your privacy and anonymity online. It stands for “The Amnesic Incognito Live System” because it leaves no trace on the computer you use it on and it makes you look like someone else on the internet.

Tails OS is a live system that runs from a USB stick or a DVD that you can use on any computer without installing anything. It comes with a set of pre-installed applications that are configured to use Tor by default. These include a web browser, an email client, a chat client, a word processor, a file manager, and more.

Tails OS also has some special features that enhance your security and privacy. For example, it encrypts your USB stick or DVD with a passphrase so no one can access your data if you lose it or it gets stolen. It also wipes out all the memory when you shut down the system, so no one can recover any traces of your activities. It also has a panic button that you can press to immediately erase the memory and shut down the system in case of emergency.

Tails OS is a great option for anyone who wants to use Tor in a more secure and convenient way. It can help you protect your privacy and anonymity online, as well as your data and devices. You can download Tails OS from its official website: https://tails.boum.org/

Why is Tails OS important for privacy?

Tails OS is important for privacy because it helps you avoid surveillance, censorship, advertising, and viruses that can threaten your online freedom and safety. Many people and organizations use Tails OS for different purposes, such as:

  • Activists use Tails OS to hide their identities, avoid censorship, and communicate securely with other activists or journalists. For example, Tails OS was used by Edward Snowden to expose the NSA’s mass surveillance programs.
  • Journalists and their sources use Tails OS to publish sensitive information and access the internet from unsafe places. For example, Tails OS was used by Laura Poitras and Glenn Greenwald to work on the Snowden documents.
  • Domestic violence survivors use Tails OS to escape surveillance at home. For example, Tails OS was used by a woman who was stalked by her abusive ex-husband who had installed spyware on her computer.
  • Whistleblowers and sources use Tails OS to anonymously submit documents or information to journalists or organizations. For example, Tails OS was used by SecureDrop, a platform that allows whistleblowers and sources to securely contact media outlets such as The Guardian, The New York Times, The Washington Post, etc.

These are just some examples of how Tails OS can help you protect your privacy and anonymity online. You can also use Tails OS for other purposes, such as browsing the web without leaving any traces, accessing blocked or censored websites, creating and storing strong passwords, removing metadata from files, etc.
