If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide
real answers. It is a trivial task for hackers to find out this information online or through social engineering.
Instead, create a fictitious answer, and store it inside your password manager. Using real-words is better than
random characters, [explained here](https://news.ycombinator.com/item?id=29244870)
- point:Don’t use a 4-digit PIN
priority:Optional
details:>-
Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin.
Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a
4-character alpha-numeric code)
- point:Avoid using SMS for 2FA
priority:Optional
details:>-
When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is
susceptible to a number of common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking)
and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone
number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when
you have signal, and can be slow. If a website or service requires the usage of a SMS number for recovery consider
purchasing a second pre-paid phone number only used for account recovery for these instances.
- point:Avoid using your PM to Generate OTPs
priority:Advanced
details:>-
Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager
as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a
dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop
- point:Avoid Face Unlock
priority:Advanced
details:>-
Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot
of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/)
and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password-
there are likely photos of your face on the internet, and videos recorded by surveillance cameras
- point:Watch out for Keyloggers
priority:Advanced
details:>-
A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between
your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server.
It gives a hacker access to everything typed, including passwords. The best way to stay protected, is just by
checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted
inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your
own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password
manager can not be intercepted by a hardware keylogger.
- point:Consider a Hardware Token
priority:Advanced
details:>-
A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in to
verify your identity, instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and
[NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits,
since the browser communicates directly with the device and cannot be fooled as to which host is requesting
authentication, because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is
a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key
somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled
- point:Consider Offline Password Manager
priority:Advanced
details:>-
For increased security, an encrypted offline password manager will give you full control over your data.
[KeePass](https://keepass.info) is a popular choice, with lots of [plugins](https://keepass.info/plugins.html) and
community forks with additional compatibility and functionality. Popular clients include:[KeePassXC](https://keepassxc.org)
(desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731)
(iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up,
and store it securely
- point:Consider Unique Usernames
priority:Advanced
details:>-
Having different passwords for each account is a good first step, but if you also use a unique username, email or
phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest
method for multiple emails, is using auto-generated aliases for anonymous mail forwarding. This is where
[anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see
[Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding)). Usernames are easier,
since you can use your password manager to generate, store and auto-fill these. Virtual phone numbers can be generated
Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects,
adware etc. You can usually stay protected, just by:ignoring pop-ups, be wary of what your clicking,
don't proceed to a website if your browser warns you it may be malicious. Common signs of browser malware
include:default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons,
significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal
explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware),
[how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides)
and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal).
- point:Use a Privacy-Respecting Browser
priority:Recommended
details:>-
[Firefox](https://www.mozilla.org/en-US/firefox/new) (with a few tweaks) and [Brave](https://brave.com)
are secure, private-respecting browsers. Both are fast, open source, user-friendly and available on all
major operating systems. Your browser has access to everything that you do online, so if possible, avoid
Google Chrome, Edge and Safari as (without correct configuration) all three of them, collect usage data,
call home and allow for invasive tracking. Firefox requires a few changes to achieve optimal security,
for example - [arkenfox](https://github.com/arkenfox/user.js/wiki) or [12byte](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs/)'s
user.js configs. See more:[Privacy Browsers](https://github.com/Lissy93/awesome-privacy#browsers).
- point:Use a Private Search Engine
priority:Recommended
details:>-
Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not
logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Qwant](https://www.qwant.com),
or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea)
tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10).
Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect
their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install)
to a privacy-respecting search engine.
- point:Remove Unnecessary Browser Addons
priority:Recommended
details:>-
Extensions are able to see, log or modify anything you do in the browser, and some innocent looking
browser apps, have malicious intentions. Websites can see which extensions you have installed, and may
use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome
web stores allow you to check what permissions/access rights an extension requires before you install it.
Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while.
- point:Keep Browser Up-to-date
priority:Recommended
details:>-
Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser)
and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. You can [see which browser
version you're using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/)
for instructions on how to update. Some browsers will auto-update to the latest stable version.
- point:Check for HTTPS
priority:Recommended
details:>-
If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore
be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let
the green padlock give you a false sense of security, just because a website has SSL certificate, does
not mean that it is legitimate or trustworthy. [HTTPS-Everywhere](https://www.eff.org/https-everywhere)
(developed by the [EFF](https://www.eff.org/)) used to be a browser extension/addon that automatically
enabled HTTPS on websites, but as of 2022 is now deprecated. In their [accouncement article](https://www.eff.org/)
the EFF explains that most browsers now integrate such protections. Additionally, it provides instructions
for Firefox, Chrome, Edge and Safari browsers on how to enable their HTTPS secure protections.
- point:Use DNS-over-HTTPS
priority:Recommended
details:>-
Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and
manipulation of DNS data through man-in-the-middle attacks. Whereas DNS-over-HTTPS performs DNS
resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted.
A popular option is Cloudflare's 1.1.1.1, or compare providers- it is simple to enable in-browser.
Note that DoH comes with its own issues, mostly preventing web filtering.
- point:Multi-Session Containers
priority:Recommended
details:>-
Compartmentalisation is really important to keep different aspects of your browsing separate. For
example, using different profiles for work, general browsing, social media, online shopping etc
will reduce the number associations that data brokers can link back to you. One option is to make
use of Firefox Containers which is designed exactly for this purpose. Alternatively, you could
use different browsers for different tasks (Brave, Firefox, Tor etc).
- point:Use Incognito
priority:Recommended
details:>-
When using someone else's machine, ensure that you're in a private/ incognito session. This will
prevent browser history, cookies and some data being saved, but is not fool-proof- you can still
be tracked.
- point:Understand Your Browser Fingerprint
priority:Recommended
details:>-
Browser Fingerprinting is an incredibly accurate method of tracking, where a website identifies you
based on your device information. You can view your fingerprint at amiunique.org- The aim is to be
as un-unique as possible.
- point:Manage Cookies
priority:Recommended
details:>-
Clearing cookies regularly is one step you can take to help reduce websites from tracking you.
Cookies may also store your session token, which if captured, would allow someone to access your
accounts without credentials. To mitigate this you should clear cookies often.
- point:Block Third-Party Cookies
priority:Recommended
details:>-
Third-party cookies placed on your device by a website other than the one you’re visiting. This
poses a privacy risk, as a 3rd entity can collect data from your current session. This guide explains
how you can disable 3rd-party cookies, and you can check here ensure this worked.
- point:Block Third-Party Trackers
priority:Recommended
details:>-
Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in
the background. Privacy Badger, DuckDuckGo Privacy Essentials, uBlock Origin and uMatrix (advanced)
are all very effective, open source tracker-blockers available for all major browsers.
- point:Beware of Redirects
priority:Optional
details:>-
While some redirects are harmless, others, such as Unvalidated redirects are used in phishing attacks,
it can make a malicious link seem legitimate. If you are unsure about a redirect URL, you can check
where it forwards to with a tool like RedirectDetective.
- point:Do Not Sign Into Your Browser
priority:Optional
details:>-
Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across
devices. However this not only allows for further data collection, but also increases attack surface
through providing another avenue for a malicious actor to get hold of personal information.
- point:Disallow Prediction Services
priority:Optional
details:>-
Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill.
If this is enabled then data is sent to Google (or your default search engine) with every keypress,
rather than when you hit enter.
- point:Avoid G Translate for Webpages
priority:Optional
details:>-
When you visit a web page written in a foreign language, you may be prompted to install the Google Translate
extension. Be aware that Google collects all data (including input fields), along with details of the current
user. Instead use a translation service that is not linked to your browser.
- point:Disable Web Notifications
priority:Optional
details:>-
Browser push notifications are a common method for criminals to encourage you to click their link, since
it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications,
see this article.
- point:Disable Automatic Downloads
priority:Optional
details:>-
Drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated
by disabling auto file downloads, and be cautious of websites which prompt you to download files unexpectedly.
- point:Disallow Access to Sensors
priority:Optional
details:>-
Mobile websites can tap into your device sensors without asking. If you grant these permissions to your
browser once, then all websites are able to use these capabilities, without permission or notification.
- point:Disallow Location
priority:Optional
details:>-
Location Services lets sites ask for your physical location to improve your experience. This should be
disabled in settings. Note that there are still other methods of determining your approximate location.
- point:Disallow Camera/ Microphone access
priority:Optional
details:>-
Check browser settings to ensure that no websites are granted access to webcam or microphone. It may also
be beneficial to use physical protection such as a webcam cover and microphone blocker.
- point:Disable Browser Password Saves
priority:Optional
details:>-
Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed.
Instead use a password manager.
- point:Disable Browser Autofill
priority:Optional
details:>-
Turn off autofill for any confidential or personal details. This feature can be harmful if your browser
is compromised in any way. Instead, consider using your password manager's Notes feature.
- point:Protect from Exfil Attack
priority:Optional
details:>-
The CSS Exfiltrate attack is a method where credentials and other sensitive details can be snagged with
just pure CSS. You can stay protected, with the CSS Exfil Protection plugin.
- point:Deactivate ActiveX
priority:Optional
details:>-
ActiveX is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly
used anymore, but since it gives plugins intimate access rights, and can be dangerous, therefore you should
disable it.
- point:Disable WebRTC
priority:Optional
details:>-
WebRTC allows high-quality audio/video communication and peer-to-peer file-sharing straight from the
browser. However it can pose as a privacy leak. To learn more, check out this guide.
- point:Spoof HTML5 Canvas Sig
priority:Optional
details:>-
Canvas Fingerprinting allows websites to identify and track users very accurately. You can use the
Canvas-Fingerprint-Blocker extension to spoof your fingerprint or use Tor.
- point:Spoof User Agent
priority:Optional
details:>-
The user agent tells the website what device, browser and version you are using. Switching user agent
periodically is one small step you can take to become less unique.
- point:Disregard DNT
priority:Optional
details:>-
Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since
it is rarely used, it may also add to your signature, making you more unique.
- point:Prevent HSTS Tracking
priority:Optional
details:>-
HSTS was designed to help secure websites, but privacy concerns have been raised as it allowed site
operators to plant super-cookies. It can be disabled by visiting chrome://net-internals/#hsts in
Chromium-based browsers.
- point:Prevent Automatic Browser Connections
priority:Optional
details:>-
Even when you are not using your browser, it may call home to report on usage activity, analytics and
diagnostics. You may wish to disable some of this, which can be done through the settings.
- point:Enable 1st-Party Isolation
priority:Optional
details:>-
First party isolation means that all identifier sources and browser state are scoped using the URL bar
domain, this can greatly reduce tracking.
- point:Strip Tracking Params from URLs
priority:Advanced
details:>-
Websites often append additional GET parameters to URLs that you click, to identify information like
source/referrer. You can sanitize manually, or use an extension like ClearUrls to strip tracking data
from URLs automatically.
- point:First Launch Security
priority:Advanced
details:>-
After installing a web browser, the first time you launch it (prior to configuring its privacy settings),
most browsers will call home. Therefore, after installing a browser, you should first disable your internet
connection, then configure privacy options before reenabling your internet connectivity.
- point:Use The Tor Browser
priority:Advanced
details:>-
The Tor Project provides a browser that encrypts and routes your traffic through multiple nodes, keeping
users safe from interception and tracking. The main drawbacks are speed and user experience.
- point:Disable JavaScript
priority:Advanced
details:>-
Many modern web apps are JavaScript-based, so disabling it will greatly decrease your browsing experience.
But if you really want to go all out, then it will really reduce your attack surface.
to Yahoo and AOL users messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
checklist:
- point:Have more than one email address
priority:Recommended
details:>-
Consider using a different email address for security-critical communications from trivial mail such
as newsletters. This compartmentalization could reduce the amount of damage caused by a data breach,
and also make it easier to recover a compromised account.
- point:Keep Email Address Private
priority:Recommended
details:>-
Do not share your primary email publicly, as mail addresses are often the starting point for most
phishing attacks.
- point:Keep your Account Secure
priority:Recommended
details:>-
Use a long and unique password, enable 2FA and be careful while logging in. Your email account
provides an easy entry point to all your other online accounts for an attacker.
- point:Disable Automatic Loading of Remote Content
priority:Recommended
details:>-
Email messages can contain remote content such as images or stylesheets, often automatically loaded
from the server. You should disable this, as it exposes your IP address and device information, and
is often used for tracking. For more info, see [this article](https://www.theverge.com/2019/7/3/20680903/email-pixel-trackers-how-to-stop-images-automatic-download).
- point:Use Plaintext
priority:Optional
details:>-
There are two main types of emails on the internet:plaintext and HTML. The former is strongly preferred
for privacy & security as HTML messages often include identifiers in links and inline images, which can
collect usage and personal data. There's also numerous risks of remote code execution targeting the HTML
parser of your mail client, which cannot be exploited if you are using plaintext. For more info, as well
as setup instructions for your mail provider, see [UsePlaintext.email](https://useplaintext.email/).
- point:Don’t connect third-party apps to your email account
priority:Optional
details:>-
If you give a third-party app or plug-in full access to your inbox, they effectively have full unhindered
access to all your emails and their contents, which poses significant security and privacy risks.
- point:Don't Share Sensitive Data via Email
priority:Optional
details:>-
Emails are very easily intercepted. Furthermore, you can’t be sure of how secure your recipient's
environment is. Therefore, emails cannot be considered safe for exchanging confidential information,
unless it is encrypted.
- point:Consider Switching to a Secure Mail Provider
priority:Optional
details:>-
Secure and reputable email providers such as Forward Email, ProtonMail, and Tutanota allow for end-to-end
encryption, full privacy as well as more security-focused features. Unlike typical email providers, your
mailbox cannot be read by anyone but you, since all messages are encrypted.
- point:Use Smart Key
priority:Advanced
details:>-
OpenPGP does not support Forward secrecy, which means if either your or the recipient's private key is
ever stolen, all previous messages encrypted with it will be exposed. Therefore, you should take great
care to keep your private keys safe. One method of doing so, is to use a USB Smart Key to sign or decrypt
messages, allowing you to do so without your private key leaving the USB device.
- point:Use Aliasing / Anonymous Forwarding
priority:Advanced
details:>-
Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox.
Effectively allowing you to use a different, unique email address for each service you sign up for. This means
if you start receiving spam, you can block that alias and determine which company leaked your email address.
- point:Subaddressing
priority:Optional
details:>-
An alternative to aliasing is subaddressing, where anything after the `+` symbol is omitted during mail delivery.
This enables you to keep track of who shared/ leaked your email address, but unlike aliasing, it will not protect
against your real address being revealed.
- point:Use a Custom Domain
priority:Advanced
details:>-
Using a custom domain means that you are not dependent on the address assigned by your mail provider. So you can
easily switch providers in the future and do not need to worry about a service being discontinued.
- point:Sync with a client for backup
priority:Advanced
details:>-
To avoid losing temporary or permanent access to your emails during an unplanned event (such as an outage or
account lock), Thunderbird can sync/ backup messages from multiple accounts via IMAP and store locally on your
primary device.
- point:Be Careful with Mail Signatures
priority:Advanced
details:>-
You do not know how secure of an email environment the recipient of your message may have. There are several
extensions that automatically crawl messages, and create a detailed database of contact information based upon
email signatures.
- point:Be Careful with Auto-Replies
priority:Advanced
details:>-
Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all
too often people reveal too much information- which can be used in social engineering and targeted attacks.
- point:Choose the Right Mail Protocol
priority:Advanced
details:>-
Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security.
- point:Self-Hosting
priority:Advanced
details:>-
Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is
description:Reduce invasive tracking for cells, smartphones and tablets
icon:mobile
intro:>
Smart phones have revolutionized so many aspects of life and brought the world
to our fingertips. For many of us, smart phones are our primary means of communication,
entertainment and access to knowledge. But while they've brought convenience
to whole new level, there's some ugly things going on behind the screen.
Geo-tracking is used to trace our every move, and we have little control over
who has this data- your phone is even able to
[track your location without GPS](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371).
Over the years numerous reports that surfaced, outlining ways in which your
phone's [mic can eavesdrop](https://www.independent.co.uk/life-style/gadgets-and-tech/news/smartphone-apps-listening-privacy-alphonso-shazam-advertising-pool-3d-honey-quest-a8139451.html),
and the [camera can watch you](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)- all without your knowledge or consent.
And then there's the malicious apps, lack of security patches and potential/ likely backdoors.
Using a smart phone generates a lot of data about you- from information you
intentionally share, to data silently generated from your actions.
It can be scary to see what Google, Microsoft, Apple and Facebook know about
us- sometimes they know more than our closest family. It's hard to comprehend
what your data will reveal, especially in conjunction with other data.
This data is used for
[far more than just advertising](https://internethealthreport.org/2018/the-good-the-bad-and-the-ugly-sides-of-data-tracking/) -
more often it's used to rate people for finance, insurance and employment.
Targeted ads can even be used for fine-grained surveillance (see [ADINT](https://adint.cs.washington.edu))
More of us are concerned about how
[governments use collect and use our smart phone data](https://www.statista.com/statistics/373916/global-opinion-online-monitoring-government/),
and rightly so, federal agencies often
[request our data from Google](https://www.statista.com/statistics/273501/global-data-requests-from-google-by-federal-agencies-and-governments/),
description:Using IoT devices without compromising your privacy
icon:home
intro:>-
Home assistants (such as Google Home, Alexa and Siri) and other internet connected
devices collect large amounts of personal data (including voice samples, location data,
home details and logs of all interactions). Since you have limited control on what is
being collected, how it's stored, and what it will be used for, this makes it hard to
recommend any consumer smart-home products to anyone who cares about privacy and security.
Security vs Privacy:There are many smart devices on the market that claim to increase
the security of your home while being easy and convenient to use (Such as Smart Burglar
Alarms, Internet Security Cameras, Smart Locks and Remote access Doorbells to name a few).
These devices may appear to make security easier, but there is a trade-off in terms of
privacy:as they collect large amounts of personal data, and leave you without control
over how this is stored or used. The security of these devices is also questionable,
since many of them can be (and are being) hacked, allowing an intruder to bypass
detection with minimum effort.
The most privacy-respecting option, would be to not use "smart" internet-connected
devices in your home, and not to rely on a security device that requires an internet
connection. But if you do, it is important to fully understand the risks of any given
product, before buying it. Then adjust settings to increase privacy and security.
The following checklist will help mitigate the risks associated with
internet-connected home devices.
checklist:
- point:Rename devices to not specify brand/model
priority:Recommended
details:>-
Change default device names to something generic to prevent targeted attacks by obscuring brand or model information.
- point:Disable microphone and camera when not in use
priority:Recommended
details:>-
Use hardware switches to turn off microphones and cameras on smart devices to protect against accidental recordings or targeted access.
- point:Understand what data is collected, stored and transmitted
priority:Recommended
details:>-
Research and ensure comfort with the data handling practices of smart home devices before purchase, avoiding devices that share data with third parties.
- point:Set privacy settings, and opt out of sharing data with third parties
priority:Recommended
details:>-
Adjust app settings for strictest privacy controls and opt-out of data sharing with third parties wherever possible.
- point:Don't link your smart home devices to your real identity
priority:Recommended
details:>-
Use anonymous usernames and passwords, avoiding sign-up/log-in via social media or other third-party services to maintain privacy.
- point:Keep firmware up-to-date
priority:Recommended
details:>-
Regularly update smart device firmware to apply security patches and enhancements.
- point:Protect your Network
priority:Recommended
details:>-
Secure your home WiFi and network to prevent unauthorized access to smart devices.
- point:Be wary of wearables
priority:Optional
details:>-
Consider the extensive data collection capabilities of wearable devices and their implications for privacy.
- point:Don't connect your home's critical infrastructure to the Internet
priority:Optional
details:>-
Evaluate the risks of internet-connected thermostats, alarms, and detectors due to potential remote access by hackers.
- point:Mitigate Alexa/ Google Home Risks
priority:Optional
details:>-
Consider privacy-focused alternatives like Mycroft or use Project Alias to prevent idle listening by voice-activated assistants.
- point:Monitor your home network closely
priority:Optional
details:>-
Use tools like FingBox or router features to monitor for unusual network activity.
- point:Deny Internet access where possible
priority:Advanced
details:>-
Use firewalls to block internet access for devices that don't need it, limiting operation to local network use.
- point:Assess risks
priority:Advanced
details:>-
Consider the privacy implications for all household members and adjust device settings for security and privacy, such as disabling devices at certain times.
description:Protecting your funds, financial accounts and transactions
icon:finance
intro:>-
Credit card fraud is the most common form of identity theft (with [133,015 reports in the
US in 2017 alone](https://www.experian.com/blogs/ask-experian/identity-theft-statistics/)),
and a total loss of $905 million, which was a 26% increase from the previous year.
The with a median amount lost per person was $429 in 2017.
It's more important than ever to take basic steps to protect yourself from falling victim
Note about credit cards:Credit cards have technological methods in place to
detect and stop some fraudulent transactions. Major payment processors implement
this, by mining huge amounts of data from their card holders, in order to know
a great deal about each persons spending habits. This data is used to identify
fraud, but is also sold onto other data brokers. Credit cards are therefore good
for security, but terrible for data privacy.
checklist:
- point:Sign up for Fraud Alerts and Credit Monitoring
priority:Recommended
details:>-
Enable fraud alerts and credit monitoring through Experian, TransUnion, or Equifax to be alerted of suspicious activity.
- point:Apply a Credit Freeze
priority:Recommended
details:>-
Prevent unauthorized credit inquiries by freezing your credit through Experian, TransUnion, and Equifax.
- point:Use Virtual Cards
priority:Optional
details:>-
Utilize virtual card numbers for online transactions to protect your real banking details. Services like Privacy.com and MySudo offer such features.
- point:Use Cash for Local Transactions
priority:Optional
details:>-
Pay with cash for local and everyday purchases to avoid financial profiling by institutions.
- point:Use Cryptocurrency for Online Transactions
priority:Optional
details:>-
Opt for privacy-focused cryptocurrencies like Monero for online transactions to maintain anonymity. Use cryptocurrencies wisely to ensure privacy.
- point:Store Crypto Securely
priority:Advanced
details:>-
Securely store cryptocurrencies using offline wallet generation, hardware wallets like Trezor or ColdCard, or consider long-term storage solutions like CryptoSteel.
- point:Buy Crypto Anonymously
priority:Advanced
details:>-
Purchase cryptocurrencies without linking to your identity through services like LocalBitcoins, Bisq, or Bitcoin ATMs.
- point:Tumble/ Mix Coins
priority:Advanced
details:>-
Use a bitcoin mixer or CoinJoin before converting Bitcoin to currency to obscure transaction trails.
- point:Use an Alias Details for Online Shopping
priority:Advanced
details:>-
For online purchases, consider using alias details, forwarding email addresses, VOIP numbers, and secure delivery methods to protect your identity.
- point:Use alternate delivery address
priority:Advanced
details:>-
Opt for deliveries to non-personal addresses such as PO Boxes, forwarding addresses, or local pickup locations to avoid linking purchases directly to you.
description:Avoiding social engineering security risks
icon:human
intro:>-
Many data breaches, hacks and attacks are caused by human error.
The following list contains steps you should take, to reduce the risk of this
happening to you. Many of them are common sense, but it's worth takin note of.
checklist:
- point:Verify Recipients
priority:Recommended
details:>-
Emails can be easily spoofed. Verify the sender's authenticity, especially for sensitive actions, and prefer entering URLs manually rather than clicking links in emails.
- point:Don't Trust Your Popup Notifications
priority:Recommended
details:>-
Fake pop-ups can be deployed by malicious actors. Always check the URL before entering any information on a popup.
- point:Never Leave Device Unattended
priority:Recommended
details:>-
Unattended devices can be compromised even with strong passwords. Use encryption and remote erase features like Find My Phone for lost devices.
- point:Prevent Camfecting
priority:Recommended
details:>-
Protect against camfecting by using webcam covers and microphone blockers. Mute home assistants when not in use or discussing sensitive matters.
- point:Stay protected from shoulder surfers
priority:Recommended
details:>-
Use privacy screens on laptops and mobiles to prevent others from reading your screen in public spaces.
- point:Educate yourself about phishing attacks
priority:Recommended
details:>-
Be cautious of phishing attempts. Verify URLs, context of received messages, and employ good security practices like using 2FA and not reusing passwords.
- point:Watch out for Stalkerware
priority:Recommended
details:>-
Be aware of stalkerware installed by acquaintances for spying. Look out for signs like unusual battery usage and perform factory resets if suspected.
- point:Install Reputable Software from Trusted Sources
priority:Recommended
details:>-
Only download software from legitimate sources and check files with tools like Virus Total before installation.
- point:Store personal data securely
priority:Recommended
details:>-
Ensure all personal data on devices or in the cloud is encrypted to protect against unauthorized access.
- point:Obscure Personal Details from Documents
priority:Recommended
details:>-
When sharing documents, obscure personal details with opaque rectangles to prevent information leakage.
- point:Do not assume a site is secure, just because it is `HTTPS`
priority:Recommended
details:>-
HTTPS does not guarantee a website's legitimacy. Verify URLs and exercise caution with personal data.
- point:Use Virtual Cards when paying online
priority:Optional
details:>-
Use virtual cards for online payments to protect your banking details and limit transaction risks.
- point:Review application permissions
priority:Optional
details:>-
Regularly review and manage app permissions to ensure no unnecessary access to sensitive device features.
- point:Opt-out of public lists
priority:Optional
details:>-
Remove yourself from public databases and marketing lists to reduce unwanted contacts and potential risks.
- point:Never Provide Additional PII When Opting-Out
priority:Optional
details:>-
Do not provide additional personal information when opting out of data services to avoid further data collection.
- point:Opt-out of data sharing
priority:Optional
details:>-
Many apps and services default to data sharing settings. Opt out to protect your data from being shared with third parties.
- point:Review and update social media privacy
priority:Optional
details:>-
Regularly check and update your social media settings due to frequent terms updates that may affect your privacy settings.
- point:Compartmentalize
priority:Advanced
details:>-
Keep different areas of digital activity separate to limit data exposure in case of a breach.
- point:WhoIs Privacy Guard
priority:Advanced
details:>-
Use WhoIs Privacy Guard for domain registrations to protect your personal information from public searches.
- point:Use a forwarding address
priority:Advanced
details:>-
Use a PO Box or forwarding address for mail to prevent companies from knowing your real address, adding a layer of privacy protection.
- point:Use anonymous payment methods
priority:Advanced
details:>-
Opt for anonymous payment methods like cryptocurrencies to avoid entering identifiable information online.
color:indigo
- title:Physical Security
slug:physical-security
description:Taking measures to prevent IRL security incidents
icon:physical
intro:>-
Public records often include sensitive personal data (full name, date of birth,
phone number, email, address, ethnicity etc), and are gathered from a range of
sources (census records, birth/ death/ marriage certificates, voter registrants,
marketing information, customer databases, motor vehicle records, professional/
business licenses and all court files in full detail). This sensitive personal
information is
[easy and legal to access](https://www.consumerreports.org/consumerist/its-creepy-but-not-illegal-for-this-website-to-provide-all-your-public-info-to-anyone/),
which raises some [serious privacy concerns](https://privacyrights.org/resources/public-records-internet-privacy-dilemma)
(identity theft, personal safety risks/ stalkers, destruction of reputations, dossier society)
CCTV is one of the major ways that the corporations, individuals and the government
tracks your movements. In London, UK the average person is caught on camera about
500times per day. This network is continuing to grow, and in many cities around
the world, facial recognition is being rolled out, meaning the state can know
the identity of residents on the footage in real-time.
Strong authentication, encrypted devices, patched software and anonymous web
browsing may be of little use if someone is able to physically compromise you,
your devices and your data. This section outlines some basic methods for physical security
checklist:
- point:Destroy Sensitive Documents
priority:Recommended
details:Shred or redact sensitive documents before disposal to protect against identity theft and maintain confidentiality.
- point:Opt-Out of Public Records
priority:Recommended
details:Contact people search websites to opt-out from listings that show personal information, using guides like Michael Bazzell's Personal Data Removal Workbook.
- point:Watermark Documents
priority:Recommended
details:Add a watermark with the recipient's name and date to digital copies of personal documents to trace the source of a breach.
- point:Don't Reveal Info on Inbound Calls
priority:Recommended
details:Only share personal data on calls you initiate and verify the recipient's phone number.
- point:Stay Alert
priority:Recommended
details:Be aware of your surroundings and assess potential risks in new environments.
- point:Secure Perimeter
priority:Recommended
details:Ensure physical security of locations storing personal info devices, minimizing external access and using intrusion detection systems.
- point:Physically Secure Devices
priority:Recommended
details:Use physical security measures like Kensington locks, webcam covers, and privacy screens for devices.
- point:Keep Devices Out of Direct Sight
priority:Recommended
details:Prevent devices from being visible from outside to mitigate risks from lasers and theft.
- point:Protect your PIN
priority:Recommended
details:Shield your PIN entry from onlookers and cameras, and clean touchscreens after use.
- point:Check for Skimmers
priority:Recommended
details:Inspect ATMs and public devices for skimming devices and tampering signs before use.
- point:Protect your Home Address
priority:Optional
details:Use alternative locations, forwarding addresses, and anonymous payment methods to protect your home address.
- point:Use a PIN, Not Biometrics
priority:Advanced
details:Prefer PINs over biometrics for device security in situations where legal coercion to unlock devices may occur.
- point:Reduce exposure to CCTV
priority:Advanced
details:Wear disguises and choose routes with fewer cameras to avoid surveillance.
- point:Anti-Facial Recognition Clothing
priority:Advanced
details:Wear clothing with patterns that trick facial-recognition technology.
- point:Reduce Night Vision Exposure
priority:Advanced
details:Use IR light sources or reflective glasses to obstruct night vision cameras.
- point:Protect your DNA
priority:Advanced
details:Avoid sharing DNA with heritage websites and be cautious about leaving DNA traces.
