Why Privacy and Security Matter
Digital privacy matters because it affects your human rights, your personal and professional relationships, and your well-being. Your privacy is essential in a digital world where your data can be exploited, but many people think it is too late to protect it. It is not. Your privacy is at stake, and you should care about it. Privacy is about power, and it is very important that this power is in the right hands.
Privacy is about information that relates to human beings, and this matters because we know that information can give power over people. If we want to be true, happy, and free humans, we have to care about the rules that govern our information. So much of our modern life depends on information. When you buy something online, read the news, search for something, vote, get directions, or anything else, you are using information. If we live in an information society, our information counts, and so does privacy.
- Digital privacy protects your freedom of expression and access to information. You have the right to express yourself online without fear of censorship, surveillance, or retaliation. You also have the right to access information that is relevant to your interests, needs, and opinions. Without digital privacy, you may be subject to manipulation, discrimination, or persecution based on your online activity.
- Digital privacy protects your identity and reputation. You have the right to control how your personal information is collected, used, and shared online. You also have the right to maintain your online reputation and prevent others from misusing or damaging it. Without digital privacy, you may be exposed to identity theft, fraud, cyberbullying, or defamation based on your online data.
- Digital privacy protects your personal and professional relationships. You have the right to communicate with others online without interference or intrusion. You also have the right to keep your online interactions private and confidential. Without digital privacy, you may be subject to eavesdropping, hacking, or blackmail based on your online communications.
- Digital privacy protects your well-being and security. You have the right to enjoy online services and platforms without compromising your safety or health. You also have the right to protect yourself from online threats and harms. Without digital privacy, you may be subject to malware, ransomware, phishing, or cyberattacks based on your online behaviour.
These are some reasons why digital privacy matters. Digital privacy is not only about data, but also about dignity, autonomy, and democracy. By protecting your digital privacy, you are protecting yourself and others from online risks and violations. This is part of the problem with the current and modern world, or “trusting trust” as one could say.
Trusting trust is a concept that refers to the problem of verifying the integrity and reliability of software and hardware. It is based on the idea that any system can be compromised by malicious code or backdoors that are hidden in its components. For example, a compiler can be modified to insert malicious code into the programs it compiles, or a hardware chip can be designed to perform unauthorized actions. The concern is that it is very difficult to detect such compromises, since they can affect the tools and methods that are used to check them. Therefore, trusting trust poses a serious challenge for digital security and privacy, as it undermines the confidence and trust that users have in their systems and devices.
So, what exactly is Privacy?
Privacy, security, and anonymity are often confused with each other. You’ll see people say that some products are “not private” when they really mean they don’t offer anonymity, for example. This is a loaded topic, and we will try to cover everything we can, but it is important that you know the difference between them, and when you need each one.
Privacy means that your data is only accessible to the parties you want to share it with. For example, when you use an instant messenger with end-to-end encryption, you have privacy because only you and the recipient can see your message. This topic gets broader, though, once you consider the permissions of that app, the OS the user is using, what else is running, etc.
Security means that you can trust the applications you use (also remember, trusting trust)—that the parties involved are who they claim to be—and keep those applications safe (and do what they say they do). For example, when you browse the web with HTTPS certificates, you have security because they prove that you are connecting directly to the website you’re visiting (kinda). These do help prevent attackers on your network from reading or changing the data you send or receive though, which is great for online transactions.
Anonymity is the state of being unidentifiable or untraceable on the internet (telling you right now, this is impossible). It means that your online actions and communications cannot be linked to your real identity, location, or device. It means that you can act without a persistent identifier to follow and track you. You might achieve this partially online with Tor (though this isn’t good for the average user), privacy-respecting front-ends and other apps that don’t log anything, VPNs (kinda), proxies (how some front-ends work), encryption, etc.
Pseudonymity is a similar idea, but it lets you have a persistent identifier without linking it to your real identity. If everyone knows you online as @GamerGuy12, but no one knows your real name, that is your pseudonym, though that does not mean the people that host that online name for you are unaware of your IP, name, etc.
These concepts overlap, of course, but you can have any combination of them. The best situation for most people is when all four of these concepts overlap. However, it’s harder to achieve than many think. Sometimes, you have to give up some of these, and that’s okay too. This is where threat modelling helps you make informed choices about the software and services you use.
Privacy vs Secrecy
A common argument against pro-privacy movements is the idea that you don’t need privacy if you have “nothing to hide.” This is a harmful misunderstanding, because it creates a sense that people who want privacy must be doing something illegal, deviant, criminal, shameful, or wrong.
You shouldn’t mix up privacy with secrecy. We know what happens in the bathroom, but you still shut the door. That’s because you value privacy, not secrecy. There are always some things about us—like personal health information, or sexual behaviour—that we wouldn’t want everyone to know, and that’s fine. The desire for privacy is valid, and that’s what makes us human. Privacy is about giving you control over your own information, not about keeping secrets.
Touching on the “nothing to hide” argument
One of the arguments that people use to dismiss the importance of privacy is that they have “nothing to hide.” This is a flawed and dangerous assumption, because it implies that privacy is only for those who are guilty or ashamed of something, as touched on above.
This is not true. Privacy is a fundamental human right and a necessary condition for a free and democratic society. Here are some reasons why you should care about your privacy, even if you have “nothing to hide”:
- Privacy protects your dignity and autonomy. You have the right to decide what information you want to share with others, and how you want to present yourself online and in person. You also have the right to keep some aspects of your life private, without having to justify or explain them to anyone (like going to the bathroom and having a door closed behind you). Privacy allows you to be yourself, without being judged, manipulated, or exploited by others.
- Privacy protects your security and safety. You have the right to keep your personal and financial information secure from hackers, scammers, identity thieves, and anyone or anything in general. You also have the right to protect yourself from physical harm or harassment by people who may use your online data to track you down, stalk you, or harm you. Privacy helps you avoid these risks and dangers. (see: swatting)
- Privacy protects your freedom and democracy. You have the right to express your opinions, beliefs, and preferences online without fear of censorship, surveillance, or retaliation. You also have the right to access information and resources that are relevant to your interests, needs, and opinions. Privacy enables you to participate in online activities and communities that enrich your life and society.
These are some of the reasons why privacy matters (and why Rynue exists), even if you have “nothing to hide.” Privacy is not about hiding secrets, but about protecting rights. By caring about your privacy, you are caring about yourself and others. Everyone deserves to be able to access and use the internet without giving everything about them away.
To illustrate the importance of privacy, here are some examples of real-world privacy violations that have affected millions of people:
- In 2020, a cyberattack on the Canadian government exposed the personal information of more than 144,000 people who applied for COVID-19 benefits. The attackers used stolen credentials to access the accounts and change the banking information of the applicants. The breach affected the Canada Revenue Agency, Service Canada, and other federal departments.
- In 2020, a ransomware attack on Deloitte Canada compromised the data of some of its clients, including confidential emails, contracts, and financial information. The attackers demanded a ransom of $14 million to decrypt the data and not leak it online. Deloitte refused to pay and notified its clients of the breach.
- In 2019, a hacker gained access to the personal data of more than 100 million Capital One customers in the United States and Canada. The data included names, addresses, phone numbers, credit scores, bank account numbers, and Social Security numbers. The hacker was arrested and charged with computer fraud and abuse.
- In 2018, a security breach at Facebook exposed the data of 87 million users to Cambridge Analytica, a political consulting firm that used the data to influence elections around the world. The data included likes, interests, friends, and political views. The breach sparked a global outcry and led to investigations, lawsuits, and regulatory actions against Facebook.
These examples show that privacy violations can happen to anyone and any organization, regardless of their size or industry. They also show that privacy violations can have far-reaching impacts on individuals’ dignity, security, freedom, and democracy. Therefore, it is essential to take measures to protect your privacy online, such as using strong passwords, encrypting your data, updating your software, avoiding phishing emails, and choosing trustworthy online services. Do not even get us started on what’s included in a lot of pirated software; we will help you replace everything with free and auditable software.
Is it about control?
A common way of thinking about privacy is that it is the ability to choose who can see your data. This is a tempting trap to fall into: it sounds good, and it appeals to many people, but in practice it just doesn’t work.
Take cookie consent forms, for example. You may see these many times a day on the different websites you visit, with a nice selection of checkboxes and sliders that let you “customize” your preferences to suit your needs. In the end, we just click the “I Agree” button, because we just want to read the article or buy something. Nobody wants to do a personal privacy check on every single website they visit. This is an exercise in choice design, meant to make you take the easy way out instead of going into a labyrinth of configuration options that don’t need to exist in the first place, and part of how they still manage to find you.
Even if you do everything you can to protect your privacy, sending a photo of yourself at home to your father or friends can expose you to unwanted tracking and profiling. That’s because they may not have the same privacy concerns as you, and they may use services like Google Photos, which can recognize you and add your name to the metadata of the image. This metadata can then link to your contact information on their phone, such as your address, number, or email. This information can then be scraped by other services from these providers and used to create a profile of you. When someone visits your house, they bring all that tracking with them. When you let them connect to your Wi-Fi, you add some spyware to your network, etc.
Control over your privacy inside most apps is an illusion. It’s a shiny dashboard with all sorts of choices you can make about your data, but rarely the choices you’re looking for, like “only use my data to help me.” This type of control is meant to make you feel guilty about your choices, that you “had the choice” to make the apps you use more private, and you chose not to.
Privacy is something we need to have built into the software and services we use by default; you can’t make most apps private on your own. But we’ll help you.
To include some relevant Canadian examples, here are some facts and statistics about cookie consent forms in Canada:
- According to the Office of the Privacy Commissioner of Canada (OPC), cookies are small files that websites place on your device to store information about you or your online activity. Cookies can be used for various purposes, such as remembering your preferences, tracking your behavior, or delivering targeted ads.
- The OPC states that under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information. This includes cookies that collect personal information or affect user privacy.
- The OPC also provides guidance on how organizations can obtain meaningful consent for cookies, such as providing clear and prominent information about their cookie practices, offering easy and effective opt-out mechanisms, and respecting user choices and preferences.
- However, according to a study by Comparitech, only 12% of Canadian websites have cookie consent forms that comply with PIPEDA’s requirements. The study analyzed 100 popular Canadian websites and found that 88% of them either had no cookie consent form at all, or had one that was inadequate or misleading.
- The study also found that 76% of Canadian websites had third-party cookies that could track users across multiple websites and services. The most common third-party cookies were from Google (68%), Facebook (36%), and Amazon (16%). These cookies could collect personal information or affect user privacy without their knowledge or consent.
What can you do about it?
We’ve built this guide with the intention of teaching you how to set up and protect yourself, from beginner to advanced, using real-world examples: us. We’ll show you how to mimic what we have, or how to connect to some hosted services Rynue provides as part of one of the memberships.
Threat Modelling
One of the first and most challenging tasks you’ll face on your privacy journey is the backlash and comments you’ll get from friends and family. It’s okay, we’re a real community and will help and support you. The second is finding the right balance between security, privacy, and usability. Everything is a trade-off: The more secure something is, the more limiting or inconvenient it usually is.
Let’s be real: people find that the problem with the tools they see recommended is that they’re just too hard to start using. That may be from lack of documentation, no clear message on what something does, how to set up hosting, etc. This is a deterrent to many.
This is where we come in. Part of Rynue’s goals and vision is to provide many of these services to our users to help bridge the gap, but we’ve also been through this journey. We’ll share with you the tools we use, the setup we have, etc. We rely heavily on and love Open Source Software. Furthermore, we stand by the community ethos and vision and run our company with this in mind. We wouldn’t be here without that community, and we want everyone to know.
To understand all this, you need to understand a new world
We have all grown up corporatized, even those outside of cities. Google, Microsoft, Meta, Apple, etc. All large names, and all make things we use, but did you know most of these products are made using already free and available data and code?
Richard Stallman and Linus Torvalds are two of the most influential figures in the history and development of free and open source software. They have different personalities, philosophies, and approaches, but they share a common vision of empowering users and developers with software that respects their freedom and collaboration. Most people in this tech community have beliefs built in between these two men.
Richard Stallman is the founder of the GNU Project and the Free Software Foundation (FSF). He is also the creator of the GNU General Public License (GPL), the most widely used free software license. Stallman is a staunch advocate of free software, which he defines as software that gives users the freedom to run, study, share, and modify the software for any purpose. He believes that free software is a matter of social justice and human rights, and that proprietary software is unethical and oppressive. He also coined the term “copyleft”, which is a legal mechanism that uses copyright law to ensure that software remains free for all users.
Stallman started the GNU Project in 1983 to create a complete operating system (like Mac, Windows, Android, iOS, etc.) that would be entirely free software. He developed many essential components of the GNU system, such as GNU Emacs, GNU Compiler Collection, and GNU Debugger. He also initiated the development of the GNU Hurd kernel, which is still in progress. However, in 1991, another kernel called Linux, developed by Linus Torvalds, became available and was combined with the GNU system to form a complete operating system. Stallman insists on calling this system GNU/Linux, rather than just Linux, to acknowledge the contribution of the GNU Project and to promote the ideals of free software.
Stallman has been recognized for his work with many awards and honours, such as the MacArthur Fellowship, the ACM Grace Murray Hopper Award, the EFF Pioneer Award, and the Internet Hall of Fame. He has also written many essays and books on free software and related topics, such as Free Software, Free Society and Free as in Freedom.
Linus Torvalds is the creator and maintainer of Linux, the kernel that powers millions of devices around the world. He is also the founder and coordinator of the Linux Foundation, a nonprofit organization that supports and promotes Linux and other open source projects. Torvalds is a pragmatic and practical programmer who values efficiency, reliability, and performance over ideology. He prefers to use the term “open source” rather than “free software”, as he believes that it conveys a more positive and realistic message about the benefits of collaborative software development.
Torvalds started Linux in 1991 as a hobby project while he was a student at the University of Helsinki. He posted his code online and invited other programmers to join him in improving it. He adopted the GPL as the license for Linux, which allowed it to be freely distributed and modified by anyone. He also established a decentralized and meritocratic model of development, where he acts as the final arbiter of what goes into the official version of Linux, but also encourages contributions from thousands of developers around the world.
Torvalds has been recognized for his work with many awards and honours as well, such as the Millennium Technology Prize, the IEEE Computer Society Computer Pioneer Award, the Takeda Award, and the C&C Prize. He has also written an autobiography called Just for Fun: The Story of an Accidental Revolutionary.
GNU and Linux Foundation are two organizations that support and promote free and open source software. They have different missions and goals, but they also collaborate on some projects and initiatives.
Now that you have had that short history lesson, we can explain that most of the software that we will push and use here is written with the above in mind and is often licensed very similarly. Free, open source software (FOSS) is a movement and a philosophy that aims to empower users and developers with software that respects their freedom and collaboration. FOSS is software that is licensed to be free to use, modify, and distribute for any purpose. FOSS also means that the source code, or the human-readable instructions that make up the software, is available for anyone to view and improve. FOSS is not only about software, but also about values and principles that promote social justice and human rights.
Why it’s important to embrace Free, Open Source Software
Most of what we’ll use is FOSS. It is developed by a community of volunteers who share their code and collaborate to improve the software, and part of Rynue’s profits goes to the developers of the software we use. FOSS is not only a technical choice, but also a philosophical and ethical one (hence the donations).
The Vision of FOSS
The vision of FOSS is to create software that respects the freedom and autonomy of its users (i.e., features you have come to rely on don’t just disappear, you can version lock, and MUCH more). FOSS advocates believe that software should be a public good that anyone can access, learn from, and contribute to. They also believe that software should empower users to control their own computing and data, rather than being controlled by proprietary vendors or platforms.
FOSS is inspired by the ideals of the free software movement, which was founded by Richard Stallman in the 1980s. Stallman defined four essential freedoms that every user should have when using software:
- The freedom to run the program as you wish, for any purpose.
- The freedom to study how the program works, and change it so it does your computing as you wish.
- The freedom to redistribute copies so you can help others.
- The freedom to distribute copies of your modified versions to others.
These freedoms are encoded in various FOSS licenses, such as the GNU General Public License (GPL), which ensure that the software remains free and open for everyone.
The Ethos of FOSS
The ethos of FOSS is based on collaboration, transparency, and meritocracy. FOSS developers work together across borders, cultures, and backgrounds to create software that meets the needs and expectations of their users. They use online platforms such as GitHub, GitLab, or SourceForge to host their code repositories, issue trackers, documentation, and communication channels. They welcome feedback, suggestions, bug reports, and patches from anyone who wants to participate in the development process.
FOSS developers also value transparency in their work. They make their source code available for anyone to inspect, audit, or modify. They document their design decisions, coding standards, testing procedures, and release notes. They follow open standards and protocols that facilitate interoperability and compatibility with other software. They also respect the privacy and security of their users by avoiding spyware, malware, or backdoors in their software.
FOSS developers also adhere to a meritocratic culture, where the quality of one’s work determines one’s reputation and influence in the community. FOSS developers are motivated by intrinsic factors such as curiosity, creativity, learning, recognition, or altruism. They compete with each other in a friendly and constructive way, striving to produce the best software possible.
All of this sounds great and rather familiar, yes? That’s because a lot of these values are tied into and shared amongst other communities, like homesteading and Rynue. We practice what we preach, might as well adopt this in both physical and digital.
The Ethics of FOSS
The ethics of FOSS are rooted in the principles of social justice, human rights, and democracy. FOSS advocates believe that (not just) software should serve the common good of humanity, rather than the private interests of a few corporations or governments (much like our food and resources). They also believe that software should respect the dignity and autonomy of its users, rather than exploiting or manipulating them (land and government 😉 ).
FOSS advocates promote the following ethical values in their software:
- Accessibility: FOSS software should be accessible to everyone regardless of their location, income, language, disability, or device.
- Diversity: FOSS software should reflect the diversity of its users and developers in terms of culture, gender, race, ethnicity, religion, or sexual orientation.
- Inclusion: FOSS software should foster a culture of inclusion where everyone feels welcome, respected, and valued in the community.
- Education: FOSS software should enable users and developers to learn from each other and share their knowledge and skills.
- Innovation: FOSS software should encourage innovation by allowing users and developers to experiment with new ideas and technologies.
- Sustainability: FOSS software should be sustainable in terms of environmental impact, economic viability, and social responsibility.
The Benefits of FOSS
FOSS offers many benefits for free and open computing and code, as well as privacy and security. Here are some examples:
- Free and open computing: FOSS enables users to choose the software that best suits their needs and preferences. Users can customize or modify the software according to their own requirements. Users can also switch between different FOSS applications or platforms without losing their data or functionality.
- Free and open code: FOSS enables developers to learn from each other’s code and improve their own skills. Developers can reuse or adapt existing code for new purposes or projects. Developers can also collaborate with other developers across different domains or disciplines.
- Privacy: FOSS enables users to protect their personal data from unauthorized access or misuse by third parties. Users can control what data they share with the software or the online services. Users can also audit the source code of the software to verify that it does not contain any spyware, malware, or backdoors.
- Security: FOSS enables users to enhance their security against cyberattacks or malicious software. Users can update the software regularly with the latest patches and fixes from the community. Users can also report any vulnerabilities or bugs to the developers and get them fixed quickly. Users can also use encryption, authentication, or verification tools that are built on FOSS standards and protocols.
So, what are these threat models, anyway?
A threat model is a list of the most likely threats to your security and privacy goals. Since it’s impossible to protect yourself against every attack(er), you should focus on the most likely threats. In computer security, a threat is an event that could harm your efforts to stay private and secure.
Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.
Creating Your Threat Model
To identify what could happen to the things you value and determine who you need to protect them from, you should answer these five questions:
- What do I want to protect?
- Who do I want to protect it from?
- How likely is it that I will need to protect it?
- How bad are the consequences if I fail?
- How much trouble am I willing to go through to try to prevent potential consequences?
How to Identify Your Digital Assets and Adversaries
When you want to protect your digital security, you need to know what you are protecting and who you are protecting it from. We will help to define your digital assets and adversaries, and why this is important for your security planning.
What are your digital assets?
A digital asset is any information that you value and want to keep safe. For example, some of your digital assets may be:
- Your emails, chats, and social media posts
- Your contacts, calendars, and notes
- Your location, photos, and videos
- Your files, documents, and passwords
- Your devices, such as your phone, laptop, or tablet
You should make a list of your digital assets and answer these questions for each one:
- Where is it stored? Is it on your device, on a cloud service, on removable media, or all three?
- Who can access it? Is it only you, or do you share it with others? Do you use encryption, passwords, or biometrics to protect it? If it’s stored somewhere you don’t control (cloud), do you know where it’s stored and how? What if it’s an unencrypted drive in someone’s home server with no security?
- What prevents others from accessing it? Is it hidden, locked, or backed up? Do you use firewalls, antivirus, or VPNs to secure it? What countries and what data centres is it stored in? Can someone just walk in with a USB key and copy it?
Who are your adversaries?
An adversary is anyone who might want to target you or your information for malicious purposes. For example, some of your adversaries may be:
- Your employer, your ex-partner, your rival, or your stalker
- Your government, your ISP, or your network provider
- A hacker, a spy, or a thief
You should make a list of your adversaries and answer these questions for each one:
- What are their motives? Do they want to spy on you, blackmail you, harass you, or steal from you?
- What are their capabilities? Do they have technical skills, legal authority, or physical access to target you or your information?
- What are their opportunities? Do they have the time, resources, or connections to carry out their attacks?
- What will happen to you if anything captured leaks?
Why is this important?
Identifying your digital assets and adversaries is important because it helps you to:
- Assess your risks: You can evaluate how likely and how severe an attack on your information might be.
- Prioritize your actions: You can decide which assets are most important to protect and which adversaries are most dangerous to avoid.
- Choose your tools: You can select the appropriate security measures and tools that match your needs and threats.
A word of caution
Depending on who your adversaries are, making a list of them might be risky in itself. If someone finds out that you consider them an adversary, they might become more hostile or suspicious of you. Therefore, you should be careful about how you create and store this list. You might want to:
- Use a secure device and connection: Use a device that only you control and trust. Use encryption and passwords (DO NOT USE BIOMETRICS) to lock it. Use a VPN or Tor to help hide your online activity.
- Use a pseudonym or code: Don’t use real names or identifiers for your adversaries. Use aliases or codes that only you understand, and don’t make a legend of what’s what in the same folder/document.
- Destroy the list when done: Don’t keep the list longer than necessary. Delete it from your device and any backups. Shred any paper copies.
How to Evaluate Your Risks and Consequences
When you want to protect your digital security, you need to know how likely and how severe an attack on your information might be (there are millions of blanketed attacks).
What are your risks?
A risk is the probability that a specific threat against a specific asset will actually happen. It depends on the capability and opportunity of your adversary. For example, your mobile phone provider has the capability to access all of your data, but the risk of them posting your private data online to harm your reputation is low. A hacker on a public Wi-Fi network has the opportunity to access your unencrypted communications, and the risk of them stealing your identity is high.
It is important to distinguish between what might happen and what is likely to happen, while also keeping in mind that things like weak passwords and having many online accounts add to your risk from blanketed attacks, which aren’t aimed at you specifically but at everyone. For instance, there is a threat that your building might collapse, but the risk of this happening is much higher in San Francisco (where earthquakes are common) than in Nova Scotia (where they are not).
Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter how low the probability they will occur, because they value their privacy and security highly (or are responsible for other people’s data/money). In other cases, people ignore high risks because they don’t think the threat is a problem, or they don’t have the resources to deal with it.
You should make a list of your threats and rate them according to their likelihood and impact. You can use a scale from 1 (low) to 5 (high) or use words such as rare, unlikely, possible, likely, or certain. You can also use colors such as green, yellow, orange, or red to indicate the level of risk.
What are your consequences?
A consequence is the outcome or impact of an attack on your information. It depends on the motive and action of your adversary. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
The motives of adversaries vary widely, as do their actions. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may want to gain access to secret content and publish that content without you knowing.
Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the action and impact of your adversary. For example, an adversary can:
- Spy on you: They can monitor your online activity, track your location, or intercept your communications.
- Blackmail you: They can threaten to expose your secrets, extort money from you, or coerce you into doing something.
- Harass you: They can send you unwanted messages, spam you with ads, or flood you with requests.
- Steal from you: They can access your accounts, transfer your funds, or use your identity.
- Sabotage you: They can delete your data, corrupt your files, or infect your devices.
You should make a list of your assets and rate them according to their sensitivity and importance. You can use a scale from 1 (low) to 5 (high) or use words such as trivial, minor, moderate, major, or critical. You can also use colors such as green, yellow, orange, or red to indicate the level of consequence.
Why is this important?
Evaluating your risks and consequences is important because it helps you to:
- Prioritize your actions: You can focus on protecting the assets that are most sensitive and important from the threats that are most likely and severe.
- Choose your tools: You can select the appropriate security measures and tools that match your risks and consequences.
- Balance your trade-offs: You can weigh the costs and benefits of different security options and find the optimal level of security for you.
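The rating procedure described above can be kept as a small risk register. The following is an added example, not part of the original guide: the color cut-offs, the `must_address` rule, and the sample rows are assumptions made for illustration, since the text names the scales and colors but not how to combine them.

```python
"""Personal risk register using the 1-5 scales described in the text."""
from dataclasses import dataclass

# Word scales named in the text, in order from 1 (low) to 5 (high).
LIKELIHOOD_WORDS = ("rare", "unlikely", "possible", "likely", "certain")
CONSEQUENCE_WORDS = ("trivial", "minor", "moderate", "major", "critical")

# ASSUMPTION: the text names the colors but gives no cut-offs. These bands
# over likelihood x consequence (1..25) are one common choice.
COLOR_BANDS = ((4, "green"), (9, "yellow"), (15, "orange"), (25, "red"))


def to_rating(value, words):
    """Turn a 1-5 number or a scale word ("likely") into an int from 1 to 5."""
    if isinstance(value, str):
        word = value.strip().lower()
        if word not in words:
            raise ValueError(f"unknown rating {value!r}; expected one of {words}")
        return words.index(word) + 1
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"rating must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass(frozen=True)
class Threat:
    asset: str
    adversary: str    # in a real list use an alias, as the caution above advises
    likelihood: int   # 1-5: how probable the attack is
    consequence: int  # 1-5: how bad the outcome would be

    @property
    def score(self):
        return self.likelihood * self.consequence

    @property
    def color(self):
        for upper, name in COLOR_BANDS:
            if self.score <= upper:
                return name
        raise AssertionError("score outside 1..25")


def must_address(threat):
    """ASSUMPTION: act on orange/red, and on any critical consequence.

    The second clause models the point that some threats are unacceptable
    no matter how low their probability.
    """
    return threat.color in ("orange", "red") or threat.consequence == 5


def build_register(rows):
    """Validate (asset, adversary, likelihood, consequence) rows and rank them.

    Highest score first; ties go to the worse consequence, then asset name.
    """
    threats = [
        Threat(asset, adversary,
               to_rating(likelihood, LIKELIHOOD_WORDS),
               to_rating(consequence, CONSEQUENCE_WORDS))
        for asset, adversary, likelihood, consequence in rows
    ]
    return sorted(threats, key=lambda t: (-t.score, -t.consequence, t.asset))


# Constructed sample rows, loosely based on the examples in the text.
SAMPLE_ROWS = [
    ("private account data", "mobile provider", "rare", "major"),
    ("unencrypted traffic", "public Wi-Fi eavesdropper", "likely", "major"),
    ("work laptop", "roommate", "possible", "major"),
    ("all devices", "blanketed malware", 4, 3),
    ("passport and valuables", "burglar", "rare", "critical"),
]

if __name__ == "__main__":
    for t in build_register(SAMPLE_ROWS):
        flag = "ACT" if must_address(t) else "watch"
        print(f"{t.score:>2} {t.color:<6} {flag:<5} {t.asset} <- {t.adversary}")
```

The burglary row scores only 5 (yellow) yet is still flagged for action because its consequence is critical, while the mobile provider row stays on the watch list.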
How to Make a Security Plan for Your Home and Possessions
When you want to protect your home and possessions, you need to know what you have, who might want it, and how to prevent them from getting it.
What do you have that is worth protecting?
The first step in making a security plan is to identify your assets. These are the things that you value and want to keep safe. For example, some of your assets may be:
- Jewelry, watches, or other valuables
- Electronics, such as laptops, tablets, or phones
- Important documents, such as passports, birth certificates, or contracts
- Photos, videos, or other memories
You should make a list of your assets and answer these questions for each one:
- Where is it stored? Is it in your house, in your car, or in another location? Are there photos of it all over the internet?
- Who can access it? Is it only you, or do you share it with others? Do you use locks, safes, or passwords to protect it? Is it sitting at home while you post on social media that you are going on vacation?
- What prevents others from accessing it? Is it hidden, secured, or insured? Do you use alarms, cameras, or guards to deter intruders?
Who might want to take your assets?
The second step in making a security plan is to identify your adversaries. These are the people or entities who might want to target you or your assets for malicious purposes. For example, some of your adversaries may be:
- Burglars, robbers, or thieves
- Roommates, guests, or visitors
- Scammers, hackers, or identity thieves
- Police or other Government officials
You should make a list of your adversaries and answer these questions for each one:
- What are their motives? Do they want to steal your assets, damage them, or use them against you?
- What are their capabilities? Do they have the skills, tools, or resources to target you or your assets?
- What are their opportunities? Do they have the time, access, or information to carry out their attacks?
How likely and how severe are the attacks?
The third step in making a security plan is to evaluate your risks and consequences. These are the probability and impact of an attack on your assets. They depend on the capability and opportunity of your adversary and the sensitivity and importance of your asset. For example:
- The risk of a burglar breaking into your house is higher if you live in a high-crime area or if you leave your doors unlocked.
- The consequence of a roommate taking your laptop is higher if you have sensitive data on it or if you need it for work.
- Doing online searches for murder, hiding bodies, etc. may increase your chance of a Police visit/seizure of assets.
You should make a list of your risks and consequences and rate them according to their likelihood and severity. You can use a scale from 1 (low) to 5 (high) or use words such as rare, unlikely, possible, likely, or certain. You can also use colors such as green, yellow, orange, or red to indicate the level of risk and consequence.
How much effort are you willing to put into preventing the attacks?
The fourth step in making a security plan is to choose your actions and tools. These are the measures and devices that you use to protect your assets from your adversaries. They depend on the risks and consequences that you face and the trade-offs that you are willing to make. For example:
- If your possessions are valuable but the risk of a break-in is low, you may not want to invest too much money in a lock.
- If the risk of a break-in is high, you may want to get the best lock on the market and consider adding a security system.
You should make a list of your actions and tools and answer these questions for each one:
- How effective is it? Does it reduce the likelihood or severity of an attack?
- How convenient is it? Does it require a lot of time or effort to use?
- How affordable is it? Does it fit within your budget?
Why is this important?
Making a security plan is important because it helps you to:
- Understand your threats: You can identify who might want to harm you or your assets and why.
- Prioritize your assets: You can decide which assets are most valuable and vulnerable and need more protection.
- Choose your actions: You can select the best security measures and tools that suit your needs and threats.
- Balance your trade-offs: You can weigh the costs and benefits of different security options and find the optimal level of security for you.
How to Trust and When Not to Trust Digital Trust in a Digital and Modern World
Digital trust is the confidence users have in the ability of people, technology, and processes to create a secure digital world. Digital trust is given to companies who have shown their users they can provide safety, privacy, security, reliability, and data ethics with their online programs or devices. Digital trust is also the backbone for security in the connected world, securing users, software, servers, devices, digital content, documents, digital rights, identity, and more. In the context of digitalization, trust is the individual’s confidence in an organization that data will be handled securely and responsibly in the digital environment. Digital trust is an essential factor in an organization’s sustainable and long-term successful digitalization.
You wouldn’t buy a lock from Home Depot for your house that doesn’t work, and you wouldn’t buy a house sight unseen on the owner’s word that it’s up to code. Also, have you ever moved into a house? Nothing is up to code, things are hidden and broken, and so on. You would be angry about being lied to; do you really think companies are any different? (We’re trying to be.)
How to Trust Digital Trust
To trust digital trust means that you are willing to use and rely on the digital systems and services that are designed and provided by others (Rynue). To trust digital trust also means that you are willing to share your personal information and data with those who offer you value and convenience. To trust digital trust also means that you are willing to give them the benefit of the doubt, to assume that they have good intentions and motives, and to forgive them for their mistakes. Most people don’t do this in their day-to-day life; why is it so different online?
To trust digital trust, you need to:
- Communicate openly and honestly: Communication is the key to building trust. You need to express your needs, expectations, and boundaries clearly and respectfully. You also need to listen actively and empathetically to what the other party has to say. You need to avoid lying, hiding, or withholding information from the other party.
- Verify their identity and credibility: Verification is the basis of trust. You need to check the identity and credibility of the other party before you use or rely on their digital systems or services. You can use various methods such as passwords, biometrics, encryption, certificates, reviews, ratings, or references.
- Protect your privacy and security: Protection is the guarantee of trust. You need to protect your privacy and security when you use or rely on the other party’s digital systems or services. You can use various tools such as firewalls, antivirus, VPNs, backups, or recovery options.
- Show respect and appreciation: Respect and appreciation are the expressions of trust. You need to treat the other party with kindness and courtesy, and acknowledge their strengths and contributions. You also need to value their opinions and perspectives, and support their goals and dreams.
- Be loyal and faithful: Loyalty and fidelity are the tests of trust. You need to honor the other party’s trust by not betraying them or hurting them intentionally. You also need to respect their privacy and boundaries, and not share their secrets or personal information with others.
When Not to Trust Digital Trust
To trust digital trust does not mean that you are naive or gullible. It does not mean that you blindly believe everything they say or do. It does not mean that you ignore the signs or evidence that they are lying or cheating on you. It does not mean that you let them take advantage of you or abuse you.
To trust digital trust also does not mean that you trust everyone equally or indiscriminately. It does not mean that you trust strangers or acquaintances as much as you trust friends or family. It does not mean that you trust people who have proven themselves untrustworthy or unreliable in the past. It does not mean that you trust people who have different values or goals than you.
To trust someone wisely in a digital and modern world, you need to:
- Assess the situation: Not every situation requires the same level of trust. You need to consider the context, the stakes, the risks, and the consequences of trusting or not trusting someone. For example, trusting an online retailer with your credit card information is different from trusting a social media platform with your personal data.
- Evaluate the person: Not every person deserves the same level of trust. You need to consider their character, their history, their behavior, and their motives for trusting or not trusting them. For example, trusting a reputable company with a strong track record of digital security is different from trusting a startup with no reputation or transparency.
- Listen to your intuition: Not every trust decision can be made rationally or logically. You need to listen to your gut feeling, your inner voice, your instinct for trusting or not trusting someone. For example, trusting a website with a secure HTTPS connection may feel right even if it has a poor design or content.
- Seek feedback: Not every trust issue can be resolved by yourself. You may need to seek feedback from others who know the person or the situation better than you do. For example, trusting an app with access to your camera or microphone may require consulting with online reviews or forums first.
Common Threats
How to Choose the Right Tools and Services for Your Security Goals
When you want to protect your digital security, you need to know what your security goals are. Your security goals are the threats that you want to prevent or the outcomes that you want to achieve. Different tools and services can help you with different security goals, but none of them can protect you from everything. You may be concerned with none, one, a few, or all of these possibilities, and the tools and services you use depend on what your goals are.
What are your security goals?
Your security goals depend on your personal situation, preferences, and needs. You may have one or more of these common security goals, or you may have other specific ones, or you may have no idea, and that’s why you’re reading this:
- Privacy: You want to keep your personal information and data from being accessed or misused by others.
- Security: You want to protect your devices and accounts from being hacked or infected by malicious software.
- Anonymity: You want to hide your identity and location from others when you use the internet.
- Censorship resistance: You want to access or share information that is blocked or restricted by others.
- Whistleblowing: You want to expose wrongdoing or corruption by others without being traced or retaliated against.
You should make a list of your security goals and answer these questions for each one:
- Why is it important to you? What are the benefits or consequences of achieving or failing this goal?
- How realistic is it? What are the challenges or obstacles that you face in achieving this goal?
- How urgent is it? How soon do you need to achieve this goal?
How to choose the right tools and services?
Well, that’s where we come in. We may not recommend the most robust offering. We may not say things that fall in line with other sites or “professionals”. However, we are also professionals and we do use what we recommend and have done a lot of the work and research for you. We are also trying to help you with setting up what we use and bring what we can to the masses to help promote a real Internet.
The way we see it, common threats can be broken down to the following:
- Anonymity – Shielding your online activity from your real identity, protecting you from people who are trying to uncover your identity specifically.
- Targeted Attacks – Being protected from hackers or other malicious actors who are trying to gain access to your data or devices specifically.
- Passive/Blanketed Attacks – Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
- Service Providers – Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server, or by changing your DNS from your ISP’s to a different provider, etc.).
- Mass Surveillance – Protection from government agencies, organizations, websites, and services which work together to track your activities.
- Surveillance Capitalism – Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
- Public Exposure – Limiting the information about you that is accessible online—to search engines or the general public.
- Censorship – Avoiding censored access to information or being censored yourself when speaking online.
Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with Targeted Attacks, but they probably still want to protect their personal data from being swept up in Mass Surveillance programs. Similarly, many people may be primarily concerned with Public Exposure of their personal data, but they should still be wary of security-focused issues, such as Passive Attacks—like malware affecting their devices.
Anonymity
Anonymity means hiding your real identity from your online activity, protecting you from people who are trying to find out who you are or what you do online. Anonymity can help you avoid harassment, discrimination, or retaliation from those who disagree with you or want to harm you. Anonymity can also help you access or share information that is censored, restricted, or controversial.
To achieve anonymity, in part, you need to:
- Use pseudonyms or aliases: Don’t use your real name or any personal information that can identify you online. Use different pseudonyms or aliases for different platforms or purposes.
- Use encryption or obfuscation: Don’t let your online activity be traced back to your device or location. Use encryption or obfuscation tools such as VPNs, Tor, or proxies to hide your IP address and traffic.
- Use disposable or anonymous accounts: Don’t use your regular email or social media accounts for sensitive or risky online activity. Use disposable or anonymous accounts that don’t require any personal information or verification.
Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That’s not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don’t need to go so far.
Targeted Attacks
Protection from targeted attacks means being protected from hackers or other malicious actors who are trying to gain access to your data or devices specifically. Targeted attacks against a specific person are more problematic to deal with. Common attacks include (but are not limited to) sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and various physical attacks. Targeted attacks can compromise your privacy, security, or integrity by stealing, deleting, or altering your data or devices. Targeted attacks can also harm your reputation, finances, or relationships by exposing, blackmailing, or impersonating you.
To prevent targeted attacks, you need to:
- Use strong passwords and authentication: Don’t use weak or predictable passwords for your accounts or devices. Use strong passwords that are long, complex, and unique. Use authentication methods such as tokens or codes to verify your identity.
- Forget the above. Use a strong password manager to help hide these even from you. Rynue offers its members a hosted Bitwarden instance to help with this.
- Use antivirus and firewall: Don’t let your devices be infected by malicious software such as viruses, worms, trojans, or ransomware. Use antivirus and firewall software to scan, detect, and remove any malware from your devices.
- Use backups and recovery: Don’t lose your data or devices due to accidental deletion, corruption, or theft. Use backups and recovery tools to save copies of your data or devices in a secure location and restore them if needed.
By design, web browsers, email clients, and office applications typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. If you are concerned about physical attacks, you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or Windows (with TPM). You should also make sure that your drive is encrypted, and that the operating system uses a TPM, Secure Enclave, or Secure Element to rate-limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don’t trust, because most desktop operating systems don’t encrypt data separately per-user. Keep reading; we’ll help you set up something as a perfect middle ground.
Passive Attacks
Protection from passive attacks means being protected from things like malware, data breaches, and other attacks that are made against many people at once. Passive attacks can expose your personal information and data to unauthorized parties who may use it for malicious purposes. Passive attacks can also damage your devices or services by disrupting their functionality or performance.
Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they’re private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn’t necessarily true: The most secure service in the world isn’t necessarily private. The best example of this is trusting data to Microsoft who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Microsoft provides very secure services, very few people would consider their data private in Microsoft’s free consumer products (OneDrive, Outlook, Windows for some, etc.).
When it comes to application security, we generally don’t (and sometimes can’t) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there’s mostly no guarantee that their software doesn’t have a serious vulnerability that could later be exploited, or that some external actor has not pressured them to add a backdoor.
To minimize the damage that a malicious piece of software could do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control.
To avoid passive attacks, you need to:
- Use encryption and privacy: Don’t let your personal information and data be accessed or misused by others. Use encryption and privacy tools such as E2EE (end-to-end encryption), HTTPS (Hypertext Transfer Protocol Secure), or PGP (Pretty Good Privacy) to make your data unreadable to anyone except the intended recipient.
- Use updates and patches: Don’t let your devices or services be vulnerable to known exploits or bugs. Use updates and patches to fix any security issues or improve any features in your devices or services.
- Use secure networks and platforms: Don’t let your online activity be intercepted or manipulated by others. Use secure networks and platforms that offer safety, privacy, security, reliability, and data ethics with their online programs or devices.
Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can’t obtain root access, and require permission for access to system resources. Desktop operating systems typically lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers.
Service Providers
Protection from service providers means protecting your data from your service providers (e.g. with E2EE, which renders your data unreadable to the server). Service providers are the companies or organizations that provide you with online programs or devices, such as email, social media, cloud storage, cell service, Internet (ISP), or messaging apps. Service providers may access or misuse your data for various reasons, such as advertising, profiling, or complying with legal requests.
We live in a world where almost everything is connected to the internet. Our “private” messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it’s stored on a server, and when your friend wants to read the message the server will show it to them.
The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing.
To protect your data from service providers, you need to:
- Use a custom DNS provider (Rynue provides one).
- Use End-to-End Encryption: E2EE means end-to-end encryption, which encrypts your data on your device before sending it to the server, and decrypts it on the recipient’s device after receiving it from the server. E2EE prevents anyone, including the service provider, from reading or modifying your data in transit or at rest (unless they can unlock it or have a key). Even with E2EE though, service providers can still profile you based on metadata, which typically isn’t protected.
- Use zero-knowledge services: Zero-knowledge services are services that do not store or process any of your data on their servers. Zero-knowledge services use techniques such as hashing, salting, or homomorphic encryption to ensure that only you have access to your data. Bear in mind that if a VPN provider tells you they’re zero-knowledge but also limits you to 5 active connections, they’re lying to you.
- Use self-hosted services: Self-hosted services are services that you run or control on your own server or device, rather than relying on a third-party service provider. Self-hosted services give you more freedom, privacy, and security over your data. However, they also require more technical skills, resources, and responsibility to maintain and secure them. Rynue will help you with this and even provide some options to you that are already available.
Mass Surveillance
Resisting mass surveillance means protecting yourself from government agencies, organizations, websites, and services that work together to track your activities. Mass surveillance can violate your privacy, security, or human rights by collecting, analyzing, or sharing your personal information and data without your consent or knowledge. Mass surveillance can also influence your behavior, choices, or opinions by manipulating, censoring, or coercing you. The term often refers to government programs, such as the ones disclosed by Edward Snowden in 2013. However, mass surveillance can also be carried out by corporations, either on behalf of government agencies or on their own initiative.
To resist mass surveillance, you need to:
- Use encryption and anonymity: Don’t let your online activity be monitored or traced by others. Use encryption and anonymity tools such as VPNs, Tor, or proxies to hide your IP address and traffic. Use E2EE, HTTPS, or PGP to make your data unreadable to anyone except the intended recipient.
- Use privacy and security settings: Don’t let your online platforms or services collect or share your personal information and data without your consent or knowledge. Use privacy and security settings to limit or disable the data collection or sharing features of your online platforms or services. Use tools such as Privacy Badger, uBlock Origin, or DuckDuckGo to block or avoid trackers, cookies, or ads.
- Use alternative platforms or services: Don’t let your online platforms or services influence your behavior, choices, or opinions by manipulating, censoring, or coercing you. Don’t compromise your own ethics just because you want to use something. Use alternative platforms or services that respect your freedom, privacy, and security. Use tools such as Rynue, ProtonMail, or Mastodon to communicate, email, or socialize online.
Surveillance Capitalism
Avoiding surveillance capitalism means protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. Surveillance capitalism can exploit your personal information and data for profit by creating detailed profiles of you and selling them to advertisers or other parties. Surveillance capitalism can also affect your behavior, choices, or opinions by showing you targeted ads or content that influence your preferences or decisions.
To avoid surveillance capitalism, you need to:
- Use encryption and privacy: Don’t let your personal information and data be accessed or misused by others. Use encryption and privacy tools such as E2EE (end-to-end encryption), HTTPS (Hypertext Transfer Protocol Secure), or PGP (Pretty Good Privacy) to make your data unreadable to anyone except the intended recipient.
- Use ad blockers and anti-trackers: Don’t let your online activity be tracked or analyzed by others. Use ad blockers and anti-trackers to block or avoid trackers, cookies, or ads that collect or share your data. Use tools such as uBlock Origin, Privacy Badger, or DuckDuckGo to block or avoid trackers, cookies, or ads.
- Use alternative platforms or services: Don’t let your online platforms or services exploit your data for profit by creating detailed profiles of you and selling them to advertisers or other parties. Use alternative platforms or services that respect your privacy and security. Use tools such as Signal, ProtonMail, or Mastodon to communicate, email, or socialize online.
Some other examples of this are:
- In 2014, it was revealed that the NSA and its British counterpart, the GCHQ, had secretly tapped into the internal networks of Yahoo and Google, collecting millions of records every day from their data centers. This program, codenamed MUSCULAR, bypassed the legal process of requesting data from the companies through court orders or national security letters.
- In 2015, it was reported that the NSA had been collecting and storing billions of phone records from countries around the world, including allies such as France, Germany, Brazil, Mexico, and Spain. This program, known as MYSTIC, allowed the NSA to access the content and metadata of phone calls for up to 30 days. In some countries, such as the Bahamas and Afghanistan, the NSA had access to virtually every phone call made or received.
- In 2016, it was exposed that the FBI had been using a secret rule to obtain journalists’ phone records without their knowledge or consent. The rule, known as the National Security Letter (NSL) exception, allowed the FBI to bypass judicial oversight and issue NSLs to phone companies demanding information about journalists’ sources and contacts. The NSLs also came with gag orders that prevented the phone companies from disclosing the requests to anyone.
- In 2017, it was disclosed that the CIA had developed a series of hacking tools and techniques to infiltrate smartphones, computers, smart TVs, and other devices. These tools, collectively known as Vault 7, enabled the CIA to spy on users’ activities, communications, locations, and even turn on their cameras and microphones remotely. Some of the tools were also designed to evade detection by antivirus software and forensic analysis.
- In 2018, it was revealed that Facebook had been sharing user data with at least 60 device makers, including Apple, Samsung, Microsoft, and Amazon. The data included users’ names, email addresses, friends lists, interests, locations, and private messages. Some of the device makers also had access to data from users’ friends who had not consented to share their information. This practice violated Facebook’s own privacy policies and a 2011 consent decree with the Federal Trade Commission.
- In 2019, it was reported that China had been using a massive network of cameras equipped with facial recognition technology to monitor and track millions of Uyghurs, a Muslim minority group in Xinjiang province. The system, known as the Integrated Joint Operations Platform (IJOP), collected data from various sources, such as checkpoints, ID cards, vehicle registrations, and DNA samples, and used artificial intelligence to flag suspicious behavior and alert authorities. The system also enabled mass detentions of Uyghurs in internment camps, where they faced abuse and indoctrination.
- In 2020, it was exposed that Clearview AI, a startup company based in New York, had scraped billions of photos from social media platforms such as Facebook, Twitter, Instagram, and YouTube, and created a facial recognition app that could identify anyone with a single photo. The app was sold to law enforcement agencies, corporations, and wealthy individuals, who could use it to search for people’s identities, locations, and online activities without their consent or knowledge. The app also raised concerns about accuracy, bias, security, and accountability.
These are just some examples of mass surveillance that have occurred or been uncovered since Snowden’s bombshell in 2013.
Public Exposure
Public exposure means limiting the information about you that is accessible online—to search engines or the general public. Public exposure can harm your privacy, security, or reputation by revealing your personal information and data to others who may use it for malicious purposes. Public exposure can also affect your behavior, choices, or opinions by exposing you to unwanted attention, criticism, or pressure.
To reduce public exposure, you need to:
- Use encryption and privacy: Don’t let your personal information and data be accessed or misused by others. Use encryption and privacy tools such as E2EE (end-to-end encryption), HTTPS (Hypertext Transfer Protocol Secure), or PGP (Pretty Good Privacy) to make your data unreadable to anyone except the intended recipient.
- Use privacy and security settings: Don’t let your online platforms or services collect or share your personal information and data without your consent or knowledge. Use privacy and security settings to limit or disable the data collection or sharing features of your online platforms or services. Use tools such as Privacy Badger, uBlock Origin, or DuckDuckGo to block or avoid trackers, cookies, or ads.
- Use pseudonyms or aliases: Don’t use your real name or any personal information that can identify you online. Use different pseudonyms or aliases for different platforms or purposes.
- Use self-censorship and discretion: Don’t share too much information about yourself or others online. Use self-censorship and discretion to decide what to post, comment, or like online. Think twice before you share anything that might be sensitive, controversial, or harmful.
Censorship
Censorship means avoiding censored access to information or being censored yourself when speaking online. Censorship can violate your freedom, privacy, or security by blocking, filtering, or deleting your access to information that is relevant, accurate, or important. Censorship can also influence your behavior, choices, or opinions by limiting, distorting, or controlling what you see, hear, or say online.
To overcome censorship, you need to:
- Use encryption and anonymity: Don’t let your online activity be monitored or traced by others. Use encryption and anonymity tools such as VPNs, Tor, or proxies to hide your IP address and traffic. Use E2EE, HTTPS, or PGP to make your data unreadable to anyone except the intended recipient.
- Use circumvention and bypassing: Don’t let your online access be blocked or filtered by others. Use circumvention and bypassing tools such as Psiphon, Lantern, or Ultrasurf to access censored websites or services. Use tools such as Tor Browser, Brave Browser, or OnionShare to access the dark web or peer-to-peer networks.
- Use alternative platforms or services: Don’t let your online speech be deleted or controlled by others. Use alternative platforms or services that respect your freedom, privacy, and security. Use tools such as Signal, ProtonMail, or Mastodon to communicate, email, or socialize online.
Why you shouldn’t use Biometrics
How to Choose Between Passwords and Biometrics for Your Digital Security
Passwords and biometrics are two common methods of authenticating your identity when you use online services or devices. Passwords are secret codes that you create and remember, while biometrics are physical or behavioural characteristics that you possess and show. Both methods have advantages and disadvantages for your digital security, depending on your specific concerns.
What are the advantages and disadvantages of passwords?
Passwords are easy to use and widely supported by most online services and devices. You can create and change your passwords as often as you like, and you can use different passwords for different purposes. Passwords are also protected by intellectual property laws, which means that you own your passwords and can sue anyone who infringes them. If someone were to get my password, I can change it. I can’t change my fingerprint.
However, passwords also have some drawbacks for your digital security. Passwords can be forgotten, lost, or stolen, which can lock you out of your accounts or devices or expose them to unauthorized access. Passwords can also be guessed, cracked, or hacked by malicious actors who use various techniques such as brute force, phishing, or keylogging. Passwords can also be compelled by law enforcement or courts who can order you to reveal your passwords or unlock your devices.
What are the advantages and disadvantages of biometrics?
Biometrics are convenient and secure methods of authenticating your identity. You don’t need to remember or type anything; you just need to show your face, fingerprint, iris, voice, or other biometric feature. Biometrics are also hard to forge, copy, or share, which makes them more resistant to fraud or theft. Biometrics are also more user-friendly and accessible than passwords, especially for people with disabilities or low literacy. But again, if it is cracked, you can’t get a new eye.
However, biometrics also have some drawbacks for your digital security. Biometrics can be inaccurate, unreliable, or inconsistent, which can result in false positives or negatives. Biometrics can also be spoofed, altered, or hacked by malicious actors who use various techniques such as masks, prosthetics, or malware. Biometrics can also be violated by law enforcement or courts who can force you to show your biometrics or unlock your devices. For example, with Face ID a cop or TSA person can grab your phone, show it to you (which scans your face and logs you in) and then has access to everything. Biometrics are also not protected by intellectual property laws, which means that you don’t own your biometrics, so they can be used without your consent.
Common Misconceptions
“Open-source software is always secure” or “Proprietary software is more secure”
These beliefs stem from various prejudices, but the availability of source code and software licensing does not necessarily impact the security of the software in any way. Open-source software may be more secure than proprietary software, but there is no guarantee of this. When evaluating software, it is important to consider the reputation and security of each tool separately.
Open-source software can be audited by third-parties, and often has a more transparent approach to potential vulnerabilities compared to proprietary software. However, this is not a guarantee, especially for smaller software projects. The open development process can also be exploited to introduce vulnerabilities into even large projects.
On the other hand, proprietary software is less transparent, but it does not mean it is not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities using techniques like reverse engineering.
To make unbiased decisions, it is important to evaluate the privacy and security standards of the software you use.
Shifting trust can increase privacy
When discussing solutions like VPNs, we often talk about “shifting trust” from your ISP to the VPN provider. While this protects your browsing data from your ISP, it does not necessarily secure your data from all parties. This means that:
- You must be cautious when choosing a provider to shift your trust to.
- You should still use other techniques, such as end-to-end encryption (E2EE), to protect your data completely. Simply distrusting one provider and trusting another is not a secure way to protect your data.
Privacy-focused solutions are inherently trustworthy
It’s important to remember that relying solely on a provider’s privacy policies and marketing is not enough to ensure your privacy. Instead, you should focus on finding technical solutions to the underlying privacy issues. For example, if you’re looking to avoid giving Google access to all your data, you should make sure that the provider you choose has end-to-end encryption (E2EE) implemented, or use a tool like Cryptomator that provides E2EE on any cloud provider. Simply switching to a “privacy-focused” provider that doesn’t implement E2EE doesn’t solve your problem; it just shifts your trust from Google to that provider.
While the privacy policies and business practices of the providers you choose are important, they should be considered secondary to technical guarantees of your privacy. You should not blindly trust another provider when trust is not a requirement in the first place.
Complicated is better
We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to “What is the best way to do X?”
Finding the “best” solution for yourself doesn’t necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips:
- Actions need to serve a particular purpose: think about how to do what you want with the fewest actions.
- Remove human failure points: We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
- Use the right level of protection for what you intend. We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren’t what people want. There’s no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight.
So, how might this look?
One of the clearest threat models is one where people know who you are and one where they do not. There will always be situations where you must declare your legal name and there are others where you don’t need to.
- Known identity – A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. We don’t suggest using a VPN or Tor for any of these things, as your identity is already known through other means. Tip: When shopping online, the use of a parcel locker can help keep your physical address private.
- Unknown identity – An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn’t change. If you’re part of an online community, you may wish to retain a persona that others know. This pseudonym isn’t anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as Monero. Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they’ll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC.
- Anonymous identity – Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.).
Account Creation
Often people sign up for services without thinking. Maybe it’s a streaming service so you can watch that new show everyone’s talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line.
There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don’t recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer.
It can also be difficult to delete the accounts on some services. Sometimes overwriting data associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account.
Terms of Service & Privacy Policy
The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn’t always successful. This would be one of the reasons why we wouldn’t suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for.
The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect.
We recommend looking for particular terms such as “data collection”, “data analysis”, “cookies”, “ads” or “3rd-party” services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start.
Keep in mind you’re also placing your trust in the company or organization and that they will comply with their own privacy policy.
Authentication methods
There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks.
Email and password
The most common way to create a new account is by an email address and password. When using this method, you should use a password manager.
Tip
You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key.
You will be responsible for managing your login credentials. For added security, you can set up MFA on your accounts.
Email aliases
If you don’t want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to.
Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked.
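The leak attribution described above can be automated. This is an added example, not code from the original guide: it assumes you keep a registry of which alias you handed to which service and that the alias survives in the `To` header, and every address, domain and message in it is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: each alias was handed to exactly one service.
ALIAS_REGISTRY = {
    "shop.k3f9@alias.example": "shop.example",
    "news.q7x2@alias.example": "news.example",
}


def _mail(sender, to, subject):
    """Build a minimal constructed RFC 5322 message for the demo."""
    return f"From: {sender}\nTo: {to}\nSubject: {subject}\n\n(body omitted)\n"


# Constructed inbox contents.
ALIAS_SAMPLE_MAIL = [
    _mail("Shop <orders@shop.example>", "shop.k3f9@alias.example", "Your order has shipped"),
    _mail("Shop Support <help@mail.shop.example>", "shop.k3f9@alias.example", "Ticket update"),
    _mail("Prize Desk <claim@lottery-winner.example>", "shop.k3f9@alias.example", "You won!"),
    _mail("News <daily@news.example>", "news.q7x2@alias.example", "Morning briefing"),
    _mail("Billing <alert@secure-pay.example>", "shop.k3f9@alias.example", "Payment failed"),
    _mail("A Friend <friend@personal.example>", "me@home.example", "Lunch?"),
]


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def domain_matches(sender, expected):
    """True if sender is the service's domain or one of its subdomains."""
    return sender == expected or sender.endswith("." + expected)


def find_leaked_aliases(raw_messages, registry):
    """Map each service whose alias received third-party mail to the
    unexpected sender domains seen on that alias.

    Caveat: From is unauthenticated, so mail that spoofs the service's own
    domain is not flagged, and a service that sends through a third-party
    mailer domain will show up here until that domain is allow-listed.
    """
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, rcpt = parseaddr(msg.get("To", ""))
        expected = registry.get(rcpt.lower())
        if expected is None:
            continue  # not sent to one of our aliases
        sender = sender_domain(msg) or "unknown"
        if not domain_matches(sender, expected):
            seen = leaks.setdefault(expected, [])
            if sender not in seen:
                seen.append(sender)
    return leaks


if __name__ == "__main__":
    for service, senders in find_leaked_aliases(ALIAS_SAMPLE_MAIL, ALIAS_REGISTRY).items():
        print(f"alias given to {service} now receives mail from: {', '.join(senders)}")
```
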
“Sign in with…” (OAuth)
OAuth is an authentication protocol that allows you to register for a service without sharing much information with the service provider, if any, by using an existing account you have with another service instead. Whenever you see something along the lines of “Sign in with provider name” on a registration form, it’s typically using OAuth.
When you sign in with OAuth, it will open a login page with the provider you choose, and your existing account and new account will be connected. Your password won’t be shared, but some basic information typically will (you can review it during the login request). This process is needed every time you want to log in to the same account.
The main advantages are:
- Security: no risk of being involved in a data breach because the website does not store your credentials.
- Ease of use: multiple accounts are managed by a single login.
But there are disadvantages:
- Privacy: the OAuth provider you log in with will know the services you use.
- Centralization: if the account you use for OAuth is compromised or you aren’t able to log in to it, all other accounts connected to it are affected.
OAuth authentication can be especially useful in those situations where you could benefit from deeper integration between services. Our recommendation is to limit using OAuth to only where you need it, and always protect the main account with MFA.
All the services that use OAuth will be as secure as your underlying provider’s account. For example, if you want to secure an account with a hardware key, but that service doesn’t support hardware keys, you can secure the account you use with OAuth with a hardware key instead, and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your OAuth provider account means that any account tied to that login will also be weak.
Phone number
We recommend avoiding services that require a phone number for sign up. A phone number can identify you across multiple services and, depending on data sharing agreements, this will make your usage easier to track, particularly if one of those services is breached, as the phone number is often not encrypted.
You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers; however, these often trigger fraud detection systems, causing an account to be locked down, so we don’t recommend that for important accounts.
In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It’s common for services to use your number as a verification method; don’t let yourself get locked out of an important account because you wanted to be clever and give a fake number!
Username and password
Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be no way to recover your account in the event you forget your username or password.
Account Deletion
Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service’s security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all too common these days, and so practising good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by deceptive design, for the betterment of your online presence.
Finding Old Accounts
Password Manager
If you have a password manager that you’ve used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden’s Data Breach Report.
Even if you haven’t explicitly used a password manager before, there’s a chance you’ve used the one in your browser or your phone without even realizing it. For example: Firefox Password Manager, Google Password Manager and Edge Password Manager. These suck compared to something like Bitwarden, and we offer an instance to our users.
Desktop platforms also often have a password manager which may help you recover passwords you’ve forgotten about:
- Windows Credential Manager
- macOS Passwords
- iOS Passwords
- Linux, Gnome Keyring, which can be accessed through Seahorse or KDE Wallet Manager
If you didn’t use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as “verify” or “welcome.” Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts.
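The mailbox search described above can be scripted so that the result is an inventory rather than a pile of search hits. This is an added example, not part of the original guide: it scans messages for the “verify” and “welcome” keywords and reports, per sender domain, the earliest matching message and the address you signed up with; all sample messages and domains are constructed.

```python
from datetime import timezone
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr, parsedate_to_datetime

KEYWORDS = ("verify", "welcome")  # the search terms suggested in the text


def _mail(sender, to, date, subject):
    """Build a minimal constructed message object for the demo."""
    return message_from_string(
        f"From: {sender}\nTo: {to}\nDate: {date}\nSubject: {subject}\n\n(body omitted)\n"
    )


# Constructed mailbox contents; the second subject is RFC 2047 encoded.
SIGNUP_SAMPLE_MAIL = [
    _mail("accounts@oldforum.example", "old.address@home.example",
          "20 Jan 2019 09:30:00 +0000", "Verify your new login"),
    _mail("PhotoBox <no-reply@photobox.example>", "me@home.example",
          "03 Mar 2015 10:15:00 +0000", "=?utf-8?q?Welcome_to_PhotoBox?="),
    _mail("accounts@oldforum.example", "old.address@home.example",
          "12 Jul 2012 08:00:00 +0000", "Please verify your email address"),
    _mail("deals@photobox.example", "me@home.example",
          "01 Dec 2016 07:00:00 +0000", "50% off prints this week"),
    _mail("friend@personal.example", "me@home.example",
          "05 May 2020 12:00:00 +0000", "Lunch on Friday?"),
]


def find_signup_messages(messages, keywords=KEYWORDS):
    """Return [(sender_domain, signup_address, first_seen_date)] sorted by
    domain, using the earliest keyword-matching message from each domain."""
    accounts = {}
    for msg in messages:
        # Decode encoded-word subjects before matching keywords.
        subject = str(make_header(decode_header(msg.get("Subject", "")))).lower()
        if not any(word in subject for word in keywords):
            continue
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        if not domain:
            continue
        try:
            sent = parsedate_to_datetime(msg.get("Date", ""))
        except (TypeError, ValueError):
            continue  # missing or unparseable Date header
        if sent.tzinfo is None:
            # "-0000" dates parse as naive; treat them as UTC so they compare.
            sent = sent.replace(tzinfo=timezone.utc)
        signup_address = parseaddr(msg.get("To", ""))[1].lower()
        if domain not in accounts or sent < accounts[domain][0]:
            accounts[domain] = (sent, signup_address)
    return [
        (domain, address, sent.date().isoformat())
        for domain, (sent, address) in sorted(accounts.items())
    ]


if __name__ == "__main__":
    for domain, address, first_seen in find_signup_messages(SIGNUP_SAMPLE_MAIL):
        print(f"{first_seen}  {domain:<20} signed up as {address}")
```

To run it over a real export, pass `mailbox.mbox(path)` from the standard library instead of the sample list; the messages it yields expose the same header interface.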
Deleting Old Accounts
Log In
In order to delete your old accounts, you’ll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a “forgot password” link on the login page. It may also be possible that accounts you’ve abandoned have already been deleted—sometimes services prune all old accounts.
When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can’t figure out which email address you used, or you no longer have access to that email, you can try contacting the service’s customer support. Unfortunately, there is no guarantee that you will be able to reclaim access to your account.
GDPR (EEA residents only)
Residents of the EEA have additional rights regarding data erasure specified in Article 17 of the GDPR. If it’s applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a “Delete Account” option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do not overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national Data Protection Authority and you may be entitled to monetary compensation.
Overwriting Account information
In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you’ve made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. How