Digital Privacy and Safety: A Basic Guide

Introduction

Digital safety and privacy is a broad topic, and how much of it applies to you depends on how tech-savvy you are. This guide assumes you aren’t tech-savvy and may not be familiar with the threats to your safety and privacy. If you are more comfortable with technology, there are deeper resources, such as Wired’s Guide and EFF’s Surveillance Self-Defense.

Before we get into specifics, we need to acknowledge something. Everyone’s journey to better privacy and safety is just that – it’s a journey. It starts somewhere. For some, it starts with already knowing about password managers, or knowing about some of the things in this guide. That’s okay. Maybe you don’t know about the basic tools. That’s okay too! The important thing is improving the areas you can control, one step at a time. 

Current Risks and Threats

The current risks and threats to your privacy and safety are both inside and outside your control. Many of them are inside your control, and that’s what this guide is about. We’ll also mention the ones outside your control. We’ll go from most common to least common risks. 

Phishing, Quishing, Smishing, and Social Engineering

Phishing (email), quishing (QR codes), smishing (text messages), and social engineering (phone calls and in-person pretexts) are the same trick delivered over different channels: someone sends you, or a friend or family member, a malicious link, or talks someone into handing over credentials or compromising the security of their device. Typically, these messages do one of two things: impersonate a legitimate service (and they can be very convincing, down to the logo and the sender name), or play on emotions such as fear, urgency, or sympathy to get you to do something you wouldn’t do otherwise. The common thread is pressure to act right now, before you have had a chance to check. 

Data Brokers

Data brokers are entities that collect data about you and sell it to third parties: private companies, governments, whoever is willing to buy it. How do they collect that data? It varies, but the main sources are the advertising identifier and location tracking on your smartphone, tracking cookies across the websites you visit, and account data from the services you are logged into, all of which can be correlated with your browsing activity into a single profile. 

Data Breaches

Data breaches happen when companies that store data belonging to you or about you are compromised, the United Healthcare and Experian breaches being two well-known examples. Typically, breached data includes names, addresses, phone numbers, email addresses, usernames and passwords (sometimes hashed, sometimes not), and in the worst cases Social Security numbers, dates of birth, or medical and financial records. What ends up exposed depends on the breach and what the attacker was able to gather, and that data is routinely reused for phishing and for trying the same password against your other accounts. 

Government Agencies and Nations

Recent examples are the Salt Typhoon intrusions into telecom providers, attributed to China, and the surveillance programs disclosed by Edward Snowden. In this category a government agency compromises, on a widespread scale, the privacy, security, and integrity of information and communications, usually by tapping infrastructure (telecom networks, internet backbones) rather than by targeting individuals one at a time. 

Vulnerabilities and Hacking

This is what most people picture when they think of being hacked: a single attacker exploiting a vulnerability in your device or your network (an unpatched app, a router still on its default password, an exposed service) to get in, take control, and cause mayhem. For most people it is the least likely of the threats listed here, and keeping software updated is the main defense against it. 

Basic Safety Techniques

These are techniques and tools that will protect you from some of the most common threats to your privacy and security. 

Password Managers and MFA

By now you may have heard about password managers or MFA (multi-factor authentication). A password manager is an app that generates a unique, random password for each account and stores them all in an encrypted vault, so you only have to remember one master password. Many services are moving towards passkeys, which means you don’t type a password to log in: a cryptographic key kept on your device (phone, laptop, or hardware security key) proves it is you, and it can’t be phished or reused on another site because the secret never leaves the device. This is a great step, but it carries a risk if you ever lose access to the device or devices that hold your passkeys, so register a second device or a recovery method, and expect to keep passwords for the many sites that don’t support passkeys yet. 

Not every password manager is created equal, and like any tool, you need to use it correctly. If you set a weak master password on your password manager and don’t set up MFA to protect it (or your choice of password manager doesn’t let you protect it with MFA), then one guessed password exposes every account in the vault, which is no better than not having a password manager at all. 

A password manager will protect you against some forms of phishing, smishing, quishing, data breaches, and hacking, depending on how you use them. 

Good Password Manager and MFA Apps

This website is a great overview of fantastic apps you can use as a password manager and for MFA. Honorable mentions are Bitwarden and, even though it’s not on the list, Proton Pass, which are both free and cross-platform (you can log in with an app or a web browser), as well as 2FAS and Ente Auth for MFA, which offer encrypted cloud backup and cross-device sync of your MFA codes. 

Apps to avoid are ones with a poor security record (LastPass is the notable mention, having been breached multiple times, with encrypted customer vault backups stolen in the 2022 breach) and ones that charge for features you don’t need. Most people, unless they’re high-profile or advocates, won’t need real-time monitoring, and keeping your MFA codes inside the same password manager is a tradeoff to avoid. You want your MFA and your passwords to be separate: MFA on your accounts protects them in case your password is compromised, and that protection is much weaker if a compromise of the vault hands over both at once. 

Setting A Password Manager Password

Setting a great password means following some basic steps. Yes, there are websites and apps that let you check the strength of your password, but be careful: many of them send whatever you type to a server, so never paste a password you actually use into a web page. A checker is only safe if it runs entirely offline. About the only one I would recommend is this one, IYPS, available for Android. If you want to be thorough, you can install Android as a VM, install IYPS, disconnect the networking, and check your password that way. 

However, here are some basic tips for making a solid password manager password:

  1. Use uppercase, lowercase, numbers, and symbols. A password that uses all four types forces an attacker to search a larger space, though length matters even more than variety. 
  2. Use 20 characters at minimum; the longer and more complex the better. That sounds like a lot, but we’ll get to that in a moment. 
  3. Avoid dictionary words on their own; instead, take a memorable phrase and build an acronym out of it.
    1. As an example (don’t use this as your password), you could start with the core phrase “Is this the real life? Is this just fantasy? Caught in a landslide, no escape from reality”, which would become 1tTh3rlL!oF@nt$yC@ghtialsldn3sc@frre@ty, a 39-character password built from the opening lines of Bohemian Rhapsody. Note that a famous lyric is a weak starting point: cracking tools try lists of song lyrics and quotes with exactly these letter-for-symbol substitutions, so pick a phrase that isn’t published anywhere.
  4. Avoid personal information: dates, places associated with you, names, pet names, credit card or identification numbers, favorite colors, anything that can be looked up on social media or online.
  5. Use a passphrase generator to produce some of the words, so that part of the password is genuinely random rather than chosen by you.  

Overall, the result should be unique enough to you that you can remember it, but not so shallow that it can be found by looking you up on Facebook, LinkedIn, etc. You could use preferences you’ve maybe told one or two people, or told to people who don’t talk to each other, as pieces of the puzzle. 
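To make the arithmetic behind tips 2 and 5 concrete, here is an added example (not from the original guide) of a small offline passphrase generator in Python. It draws words with the operating system’s cryptographic random source, computes how much entropy a given number of words buys, and checks a candidate master password against the length and character-class tips above. The 32-word list is constructed for the example; a real generator would use a published list such as the EFF long list (7776 words), and the functions take the list size as a parameter so the numbers carry over.

```python
import math
import secrets
import string

# Constructed sample wordlist for this example (32 words, so each word is worth
# exactly 5 bits). A real generator would use a published list such as the EFF
# long wordlist with 7776 entries.
WORDLIST = [
    "acorn", "badge", "canyon", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "anchor", "blossom", "cobalt", "dune", "eclipse", "fossil", "glacier",
]


def entropy_bits(word_count, list_size):
    """Entropy of word_count words drawn uniformly (with replacement) from list_size words."""
    return word_count * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count, wordlist=WORDLIST, separator="-"):
    """Draw words with the OS CSPRNG (secrets). random.choice is predictable and must not be used."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def character_classes(password):
    """Which of the four character classes from tip 1 are present."""
    return {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def brute_force_bits(password):
    """Naive upper bound log2(alphabet_size ** length), assuming every character is independent.

    A password derived from a famous lyric is far weaker than this number suggests, because
    cracking tools try lyric and quote lists with the usual substitutions ('e'->'3', 'a'->'@').
    """
    present = character_classes(password)
    alphabet = (
        (26 if present["upper"] else 0)
        + (26 if present["lower"] else 0)
        + (10 if present["digit"] else 0)
        + (len(string.punctuation) if present["symbol"] else 0)
    )
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_rules(password, min_length=20):
    """Return the list of tips (length and character classes) that the password fails."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    missing = [name for name, ok in character_classes(password).items() if not ok]
    if missing:
        failures.append("missing character classes: " + ", ".join(missing))
    return failures


if __name__ == "__main__":
    needed = words_needed(80, len(WORDLIST))
    phrase = generate_passphrase(needed)
    print(f"{needed} words from a {len(WORDLIST)}-word list:", phrase)
    print("entropy:", round(entropy_bits(needed, len(WORDLIST)), 1), "bits")
    print("same target with a 7776-word list:", words_needed(80, 7776), "words")
```

Two things to take from running it: a random passphrase gets its strength from the size of the list and the number of words, not from symbols (a lower-case diceware phrase fails check_rules and is still far stronger than a short “complex” password), and the brute-force number for the Bohemian Rhapsody example is a ceiling that an attacker with a lyrics wordlist never has to climb.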

After you have your solid password, physically write it down (and nothing else: it shouldn’t say ‘password manager password’, so nobody who finds the paper knows what it unlocks) and keep it somewhere safe until you have it memorized. If your password manager has a setting to remember you or to unlock with biometrics, turn it off for now, so you are forced to type the password until it sticks. 

After you know you’ve got it memorized, shred or burn that piece of paper. 

Password Manager Settings

If this is the first time you’re using a password manager, and you’re among the people still using the same password for everything, or if you’re switching password managers, start by using your password manager to change the passwords of your most high-profile accounts – your email(s), anything finance or healthcare related. 

Make sure your settings have the following in mind and note that they may be called different things on different apps:

  1. Turn off automatic fill-on-page-load in any browser plugins. A good password manager only offers a saved login when the site’s domain matches the one you saved it for, so keep the manual, per-site fill: if you land on a look-alike site from a phishing email or text, the manager won’t offer your credentials, and that silence is itself a warning sign. Filling automatically as soon as a page loads removes that pause. 
  2. Always enter the website URL associated with the login you have created.
    1. This guards you against phishing, smishing, and quishing: if you need to visit the site to access your account, you can use your password manager to go to the site. 
    2. If you receive an email, text, or QR code telling you that you need to check your account, rather than clicking anything or scanning the QR code, use the link in your password manager, most likely to find out that everything is just fine. 
  3. Set your password manager to auto-lock when you’re not using it, especially if your device isn’t in a safe location, and lock your devices when you’re not using them too. 
  4. Your password manager will have an option to clear the clipboard after a certain period of time.
    1. For most people, 30 seconds is plenty of time to copy and paste, even on a mobile device. Anything left on the clipboard can be read by other apps. 
  5. Set up MFA and any recovery options on your password manager (recovery codes, an emergency contact, or a trusted second device). Note: the best password manager apps, like Proton Pass and Bitwarden, are end-to-end encrypted.
    1. This means that if you lock yourself out with no recovery method, your information is not accessible to anyone, including their staff. That’s by design: if they could read your vault, so could an attacker who breached them. Set that up now. 

Privacy-Focused Tools, Devices, and Operating Systems

Your privacy and security are only as strong as the tools you use. If you’re using a tool that isn’t secure or private, the information you send through it won’t be secure or private either, and that data can be correlated with other information on the same device and used in ways you may not expect. 

Microphones and Cameras

Regardless of whether it’s a mobile device, a computer, or an IoT (internet of things, smart home) device, if it has a microphone or camera and it’s connected to the internet, it can be used to spy on you. Unplug or turn off microphones and cover cameras when not in use. Yes, many of these have a light to tell you when they’re in use, but depending on the device it can still record without turning that light on. Cover it, even if it’s just tape and paper.

Mobile Devices

Mobile devices are not created equal. Support windows vary widely: many budget Android phones get only a year or two of security updates before they’re effectively obsolete, while recent flagship Android models and iPhones are supported for several years. The length of the update commitment is one of the most important things to check before you buy. If your device hasn’t received security updates in a while, it’s a good idea to switch devices as soon as you can, because no setting can fix a vulnerability the manufacturer will never patch. Do good research ahead of time. 

That being said, every mobile device, whether Android, iOS, or an open-source operating system, will have tracking, advertising, location, and precise-location settings. On iOS, you also have Settings > Privacy & Security > App Privacy Report, which shows what each app has been accessing, and Lockdown Mode for people at elevated risk. On Android, the advertising ID can be reset or deleted from the privacy (or ads) settings; the exact path varies by manufacturer. Turn precise location off for almost all apps except the ones that genuinely need it, such as maps and navigation; most apps don’t. Advertising personalization and tracking should also be turned off. 

Computer Devices

In general, computer devices should avoid the Android operating system; Google is a privacy nightmare. There are entire guides that get very technical over what makes for a private and secure device. As a bare minimum, look for a device with a TPM (TPM 2.0 on current hardware) and support for current Wi-Fi security standards (WPA3), keep Secure Boot on, and turn on full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux) so a lost or stolen laptop doesn’t hand over everything on it. 

Automobiles

Automobiles are not exempt from privacy and security issues and pose very real risks when it comes to your safety. While they are not the focus of this article, you are encouraged to do your research into the settings and systems you can alter in any vehicle you have or are considering to make them more secure. 

Routers/Internet

If you’ve never logged into your Wi-Fi router, whether you own it or rent it from your Internet Service Provider, look on the bottom of the device for the admin address and default login, log in, and change the admin password (and the Wi-Fi password, if it’s still the one printed on the sticker). Then search “how to secure a router”. In general: install any available firmware update, use WPA2 or WPA3 with a long passphrase, set up a guest Wi-Fi network, turn WPS off, turn off remote management from the internet, check the list of devices connected to your network, and make sure your Wi-Fi name doesn’t identify the brand of your router to the world. That’s asking for trouble, because the brand tells an attacker which default passwords and known bugs to try. Every interface is different, and learning what secures it varies. This is a good basic overview. 

Smart Devices/IoT/Cameras/Etc

There are a lot of home automation devices out there, and most of them are neither private nor secure. Even the ones marketed as secure often ship with weak defaults, route everything through the vendor’s cloud, and stop receiving updates long before you stop using them. 

If you want cameras, the best setup is power-over-ethernet cameras connected to a recorder (hub) that stores footage locally and serves your apps over your local network, rather than through a vendor’s cloud. There are other secure solutions if you’re more technically inclined, but ‘smart cameras’ that connect directly to Wi-Fi and upload to the vendor are best avoided, including doorbell cameras like Ring. 

If you must have other home automation devices, put them on their own guest Wi-Fi network, separate from the devices that hold your email, banking, and files, and record each device’s MAC address so you can tell which entries in the router’s client list are yours. If your router offers MAC-address restriction, use it, but treat it as an inventory tool rather than a wall: a MAC address can be spoofed by anyone who can see your network, so the separate network is what actually limits the damage a compromised smart device can do. If you’re not sure how to do this, or you’ve never logged into your Wi-Fi router, now’s a good time to learn. 
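Here is an added example (not from the original guide) of the “check the devices connected to your network” step from the router section and the MAC-address identification step above: a small Python script that parses the output of arp -a and compares each hardware address against the devices you have already identified. The sample arp -a lines, the addresses in them, and the KNOWN_DEVICES entries are all constructed for the example; the script handles both the Linux (colon) and Windows (hyphen) address formats and skips entries with no resolved hardware address.

```python
import re

# Devices you have already identified, keyed by MAC address. Constructed sample
# data for this example; fill it from your router's client list once you have
# physically matched each entry to a device.
KNOWN_DEVICES = {
    "b8:27:eb:12:34:56": "thermostat (guest network)",
    "3c:5a:b4:aa:bb:cc": "living-room speaker (guest network)",
    "a4:83:e7:01:02:03": "laptop",
}

# Constructed sample of `arp -a` output. The first three lines use the Linux
# format, the last two the Windows format (hyphenated MACs, extra whitespace);
# one Linux entry has no resolved hardware address and must be skipped.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.20) at b8:27:eb:12:34:56 [ether] on wlan0
? (192.168.1.21) at 3C:5A:B4:AA:BB:CC [ether] on wlan0
? (192.168.1.99) at <incomplete> on wlan0
  192.168.1.30          a4-83-e7-01-02-03     dynamic
  192.168.1.77          d8-3a-dd-9f-9f-9f     dynamic
"""

MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return (ip, mac) pairs from arp -a output, skipping unresolved entries."""
    entries = []
    for line in text.splitlines():
        mac_match = MAC_RE.search(line)
        ip_match = IP_RE.search(line)
        if not (mac_match and ip_match):
            continue
        entries.append((ip_match.group(1), normalize_mac(mac_match.group(1))))
    return entries


def audit(text, known=KNOWN_DEVICES):
    """Split the table into devices you can account for and ones you cannot.

    An unknown entry is something to investigate, not proof of an intruder: a
    phone that randomizes its MAC per network will show up as unknown too.
    """
    recognized, unknown = [], []
    for ip, mac in parse_arp(text):
        if mac in known:
            recognized.append((ip, mac, known[mac]))
        else:
            unknown.append((ip, mac))
    return recognized, unknown


if __name__ == "__main__":
    recognized, unknown = audit(SAMPLE_ARP_OUTPUT)
    for ip, mac, name in recognized:
        print(f"ok       {ip:<15} {mac}  {name}")
    for ip, mac in unknown:
        print(f"UNKNOWN  {ip:<15} {mac}  <- identify this device")
```

To use it on your own network, replace SAMPLE_ARP_OUTPUT with the text that arp -a prints on your computer. Keep in mind that the ARP table only lists devices your computer has recently exchanged traffic with, so the router’s own client list is the more complete source; the value of the script is the allowlist comparison, which works the same on either.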

Browsers

Browsers are how you access the internet: think Edge, Chrome, Firefox, etc. Edge and Chrome are well-engineered and updated constantly, which is good for security, but they are not private: their defaults store passwords and other sensitive information in the browser, prompt you to sign in to a Microsoft or Google account, and feed your activity into advertising profiles. 

Firefox is more private, and secure enough for most people, but it does require some setup on first installation: set Enhanced Tracking Protection to Strict, turn off telemetry and data collection in the privacy settings, and review what it is storing for you. 

The Tor browser is the most private browser available, and while it is slow, that slowness means it’s doing its job: your traffic is relayed through three volunteer-run servers so that no single one knows both who you are and what you’re visiting. You can go into more depth with Tor, but to use it most effectively, don’t install any other add-ons, don’t resize the window, don’t log into accounts that identify you, and look up a basic guide on how to use Tor.

Operating Systems

There are many operating systems to consider on a computer. In general, Windows and Android are not private, and their default configurations are less secure than they could be. Because this is a basic guide, we’ll leave you to investigate why that is if you’d like. 

In general, the more secure operating systems are those based on Linux. You can be extra-careful and use one of these, but even something like Linux Mint is private and secure enough for most people in most situations, and it allows the use of Tor in situations where extra privacy is needed.  

Virtual Private Networks (VPN)

VPNs are worth their own section because many people treat them as an end-all privacy or security solution when they aren’t. A VPN moves your trust from your Internet Service Provider to the VPN provider; it doesn’t remove the need to trust anyone. VPNs have limitations that you need to understand and acknowledge. 

  1. Logs. Some VPN providers have been caught keeping connection logs while advertising that they don’t. This matters because if the provider keeps logs, or operates servers in a jurisdiction that requires them, it can be forced to hand those logs to authorities without informing you. Independent audits help, but they are a snapshot, not a guarantee. 
  2. How you browse. If you do personally identifiable browsing (checking your email, logging into your bank) on a VPN connection that keeps logs and then do something you want to keep private, the two are recorded together and linked to you. It’s not private. On a VPN that doesn’t keep logs, the same mixing still links them in the eyes of the websites involved and any trackers they share. Only if you separate sessions, use a fresh connection for each, and never mix anything that identifies you into the private session might that activity stay unlinked from you. Maybe. 
  3. Legality and anonymity. VPN use is restricted or illegal in some countries, and a VPN does not make you anonymous: browser fingerprinting, tracking cookies, accounts you’re logged into, and analysis of the network traffic itself can all be used to identify you. 
  4. They won’t stop phishing, malware, or viruses. 

What a VPN will do is hide which sites you visit from your Internet Service Provider and from anyone on the same Wi-Fi network, and hide your home IP address from the sites you visit. In exchange, the VPN provider now sees what your ISP used to see, so how much that helps depends on how much you trust the VPN. 

Data That’s Already Out There

Everyone’s journey to better privacy and security starts somewhere, and all of us have data that’s already out there. It’s okay. That doesn’t mean it’s pointless to start. Many data brokers have opt-out pages, and there are guides to getting your data removed and how to opt out, though some brokers aren’t great at actually opting you out. With that said, there are also services that will do this for you. While many are useless, one is not.

Many accounts you’ve already made will also allow you the ability to delete your data or submit a data removal request – this is usually at the bottom of the page in their privacy policy or terms of service. 

Conclusion

There are many other tips out there if you’re more technically inclined or want to know more, and EFF’s guide is probably one of the best out there. But this should give you enough basic information to get started on becoming aware of what you should be paying attention to. 

For most people, nation-state attackers and custom exploits are not your threat model, and trying to defend against them is wasted effort; keeping your devices and apps updated is what protects you from the vulnerabilities that do matter. Learning how to stay more private and more secure helps lock down the data that’s already out there and helps prevent more of it from getting out in the first place.