- title: Authentication
  slug: authentication
  description: Securing your online account login credentials
  icon: password
  color: yellow
  intro: >-
    Most reported data breaches are caused by the use of weak, default or stolen passwords (according to [this Verizon report](http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)). Use long, strong and unique passwords, manage them in a secure password manager, enable 2-factor authentication, keep on top of breaches and take care while logging into your accounts.
  checklist:
    - point: Use a Strong Password
      priority: Recommended
      details: >-
        If your password is too short, or contains dictionary words, places or names, then it can be easily cracked through brute force, or guessed by someone. The easiest way to make a strong password is to make it long (12+ characters); consider using a 'passphrase', made up of many words. Alternatively, use a password generator to create a long, strong random password. Have a play with [HowSecureIsMyPassword.net](https://howsecureismypassword.net), to get an idea of how quickly common passwords can be cracked. Read more about creating strong passwords: [securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/)
    - point: Don't reuse Passwords
      priority: Recommended
      details: >-
        If someone was to reuse a password, and one site they had an account with suffered a leak, then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all too common, but it's simple to protect against: use a different password for each of your online accounts
    - point: Use a Secure Password Manager
      priority: Recommended
      details: >-
        For most people it is going to be near-impossible to remember hundreds of strong and unique passwords.
        A password manager is an application that generates, stores and auto-fills your login credentials for you. All your passwords will be encrypted against one master password (which you must remember, and it should be very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, your passwords can be auto-filled. A good all-rounder is [BitWarden](https://bitwarden.com), or see [Recommended Password Managers](https://github.com/Lissy93/awesome-privacy#password-managers)
    - point: Avoid sharing passwords
      priority: Recommended
      details: >-
        While there may be times that you need to share access to an account with another person, you should generally avoid doing this because it makes it easier for the account to become compromised. If you absolutely do need to share a password, for example when working on a team with a shared account, this should be done via features built into a password manager.
    - point: Enable 2-Factor Authentication
      priority: Recommended
      details: >-
        2FA is where you must provide both something you know (a password) and something you have (such as a code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing, malware or a data breach), they will not be able to log into your account. It's easy to get started: download [an authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next time you log in on a new device, you will be prompted for the code that displays in the app on your phone (it works without internet, and the code usually changes every 30 seconds)
    - point: Keep Backup Codes Safe
      priority: Recommended
      details: >-
        When you enable multi-factor authentication, you will usually be given several codes that you can use if your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe to prevent loss or unauthorized access.
        You should store these on paper or in a safe place on disk (e.g. in offline storage or in an encrypted file/drive). Don't store these in your password manager, as 2FA sources and passwords should be kept separately.
    - point: Sign up for Breach Alerts
      priority: Optional
      details: >-
        After a website suffers a significant data breach, the leaked data often ends up on the internet. There are several websites that collect these leaked records, and allow you to search your email address to check if you are in any of their lists. [Firefox Monitor](https://monitor.firefox.com), [Have I been pwned](https://haveibeenpwned.com) and [DeHashed](https://dehashed.com) allow you to sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens, so that you can change your passwords for the affected accounts. Have I been pwned also has domain-wide notification, where you can receive alerts if any email addresses under your entire domain appear (useful if you use aliases for [anonymous forwarding](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding))
    - point: Shield your Password/ PIN
      priority: Optional
      details: >-
        When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and that no one is able to see over your shoulder. Cover your password or PIN code while you type, and do not reveal any plain text passwords on screen
    - point: Update Critical Passwords Periodically
      priority: Optional
      details: >-
        Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. But provided that all your passwords are long, strong and unique, there is no need to do this too often; annually should be sufficient.
        Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes), as it encourages colleagues to select weaker passwords
    - point: Don’t save your password in browsers
      priority: Optional
      details: >-
        Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are not always encrypted, and hence could allow someone to gain access to your accounts. Instead use a dedicated password manager to store (and auto-fill) your passwords
    - point: Avoid logging in on someone else’s device
      priority: Optional
      details: >-
        Avoid logging in on other people's computers, since you can't be sure their system is clean. Be especially cautious of public machines, as malware and tracking are more common here. Using someone else's device is especially dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a private/ incognito session (use Ctrl+Shift+N/ Cmd+Shift+N). This will request the browser not to save your credentials, cookies and browsing history.
    - point: Avoid password hints
      priority: Optional
      details: >-
        Some sites allow you to set password hints. Often it is very easy to guess answers. In cases where password hints are mandatory, use random answers and record them in your password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`)
    - point: Never answer online security questions truthfully
      priority: Optional
      details: >-
        If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager.
        Using real words is better than random characters, [explained here](https://news.ycombinator.com/item?id=29244870)
    - point: Don’t use a 4-digit PIN
      priority: Optional
      details: >-
        Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN. Numeric passphrases are easy to crack (a 4-digit PIN has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code)
    - point: Avoid using SMS for 2FA
      priority: Optional
      details: >-
        When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is susceptible to a number of common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking) and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when you have signal, and can be slow. If a website or service requires an SMS number for recovery, consider purchasing a second pre-paid phone number that is only used for account recovery in these instances.
    - point: Avoid using your PM to Generate OTPs
      priority: Advanced
      details: >-
        Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop
    - point: Avoid Face Unlock
      priority: Advanced
      details: >-
        Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash.
        It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/) and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password, there are likely photos of your face on the internet, and videos recorded by surveillance cameras
    - point: Watch out for Keyloggers
      priority: Advanced
      details: >-
        A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between your keyboard and the USB port, which intercepts all keystrokes, and sometimes relays data to a remote server. It gives a hacker access to everything typed, including passwords. The best way to stay protected is to check your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password manager cannot be intercepted by a hardware keylogger.
    - point: Consider a Hardware Token
      priority: Advanced
      details: >-
        A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in order to verify your identity, instead of entering an OTP from your authenticator. [SoloKey](https://solokeys.com) and [NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits, since the browser communicates directly with the device and cannot be fooled as to which host is requesting authentication, because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key somewhere safe, or keep it on your person.
        Some online accounts allow for several methods of 2FA to be enabled
    - point: Consider Offline Password Manager
      priority: Advanced
      details: >-
        For increased security, an encrypted offline password manager will give you full control over your data. [KeePass](https://keepass.info) is a popular choice, with lots of [plugins](https://keepass.info/plugins.html) and community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org) (desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731) (iOS). The drawback is that it may be slightly less convenient for some, and it will be up to you to back it up, and store it securely
    - point: Consider Unique Usernames
      priority: Advanced
      details: >-
        Having different passwords for each account is a good first step, but if you also use a unique username, email or phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest method for multiple emails is using auto-generated aliases for anonymous mail forwarding. This is where [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see [Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding)). Usernames are easier, since you can use your password manager to generate, store and auto-fill these.
        Virtual phone numbers can be generated through your VOIP provider
  softwareLinks:
    - title: Password Managers
      url: https://github.com/Lissy93/awesome-privacy#password-managers
    - title: 2-Factor Authentication
      url: https://github.com/Lissy93/awesome-privacy#2-factor-authentication
- title: Web Browsing
  slug: web-browsing
  description: Avoiding tracking, censorship, and data collection online
  icon: browser
  intro: >-
    Most websites on the internet will use some form of tracking, often to gain insight into their users' behaviour and preferences. This data can be incredibly detailed, and so is extremely valuable to corporations, governments and intellectual property thieves. Data breaches and leaks are common, and deanonymizing users' web activity is often a trivial task. There are two primary methods of tracking: stateful (cookie-based), and stateless (fingerprint-based). Cookies are small pieces of information, stored in your browser with a unique ID that is used to identify you. Browser fingerprinting is a highly accurate way to identify and track users wherever they go online. The information collected is quite comprehensive, and often includes browser details, OS, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations. This section outlines the steps you can take to be better protected from threats, minimise online tracking and improve privacy.
  checklist:
    - point: Block Ads
      priority: Recommended
      details: >-
        Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. [uBlock Origin](https://github.com/gorhill/uBlock) is a very efficient and open source browser addon, developed by Raymond Hill. When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads, and some ads are plain malicious or fake.
        Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience.
    - point: Ensure Website is Legitimate
      priority: Basic
      details: >-
        It may sound obvious, but when you are logging into any online accounts, double check the URL is correct. Storing commonly visited sites in your bookmarks is a good way to ensure the URL is easy to find. When visiting new websites, look for common signs that it could be unsafe: browser warnings, redirects, on-site spam and pop-ups. If you are unsure, you can also check a website using a tool such as [Virus Total URL Scanner](https://www.virustotal.com/gui/home/url), [IsLegitSite](https://www.islegitsite.com) or [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search).
    - point: Watch out for Browser Malware
      priority: Basic
      details: >-
        Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, adware etc. You can usually stay protected just by ignoring pop-ups, being wary of what you're clicking, and not proceeding to a website if your browser warns you it may be malicious. Common signs of browser malware include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware), [how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides) and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal).
    - point: Use a Privacy-Respecting Browser
      priority: Recommended
      details: >-
        [Firefox](https://www.mozilla.org/en-US/firefox/new) (with a few tweaks) and [Brave](https://brave.com) are secure, privacy-respecting browsers. Both are fast, open source, user-friendly and available on all major operating systems.
        Your browser has access to everything that you do online, so if possible, avoid Google Chrome, Edge and Safari as (without correct configuration) all three of them collect usage data, call home and allow for invasive tracking. Firefox requires a few changes to achieve optimal security, for example [arkenfox](https://github.com/arkenfox/user.js/wiki) or [12byte](https://12bytes.org/firefox-configuration-guide-for-privacy-freaks-and-performance-buffs/)'s user.js configs. See more: [Privacy Browsers](https://github.com/Lissy93/awesome-privacy#browsers).
    - point: Use a Private Search Engine
      priority: Recommended
      details: >-
        Using a privacy-preserving, non-tracking search engine will reduce the risk that your search terms are logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Qwant](https://www.qwant.com), or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) tracking policies, and has a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). Therefore Google, along with Bing, Baidu, Yahoo and Yandex, is incompatible with anyone looking to protect their privacy. It is recommended to update your [browser's default search](https://duckduckgo.com/install) to a privacy-respecting search engine.
    - point: Remove Unnecessary Browser Addons
      priority: Recommended
      details: >-
        Extensions are able to see, log or modify anything you do in the browser, and some innocent-looking browser apps have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews.
        Only install extensions you really need, and remove those which you haven't used in a while.
    - point: Keep Browser Up-to-date
      priority: Recommended
      details: >-
        Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version you're using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update. Some browsers will auto-update to the latest stable version.
    - point: Check for HTTPS
      priority: Recommended
      details: >-
        If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security: just because a website has an SSL certificate does not mean that it is legitimate or trustworthy. [HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the [EFF](https://www.eff.org/)) used to be a browser extension/addon that automatically enabled HTTPS on websites, but as of 2022 is now deprecated. In their [announcement article](https://www.eff.org/) the EFF explains that most browsers now integrate such protections. Additionally, it provides instructions for Firefox, Chrome, Edge and Safari browsers on how to enable their HTTPS secure protections.
    - point: Use DNS-over-HTTPS
      priority: Recommended
      details: >-
        Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. DNS-over-HTTPS, by contrast, performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is Cloudflare's 1.1.1.1, or compare providers; it is simple to enable in-browser.
        Note that DoH comes with its own issues, mostly preventing web filtering.
    - point: Multi-Session Containers
      priority: Recommended
      details: >-
        Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number of associations that data brokers can link back to you. One option is to make use of Firefox Containers, which are designed exactly for this purpose. Alternatively, you could use different browsers for different tasks (Brave, Firefox, Tor etc).
    - point: Use Incognito
      priority: Recommended
      details: >-
        When using someone else's machine, ensure that you're in a private/ incognito session. This will prevent browser history, cookies and some data being saved, but is not fool-proof; you can still be tracked.
    - point: Understand Your Browser Fingerprint
      priority: Recommended
      details: >-
        Browser Fingerprinting is an incredibly accurate method of tracking, where a website identifies you based on your device information. You can view your fingerprint at amiunique.org. The aim is to be as un-unique as possible.
    - point: Manage Cookies
      priority: Recommended
      details: >-
        Clearing cookies regularly is one step you can take to help prevent websites from tracking you. Cookies may also store your session token, which if captured, would allow someone to access your accounts without credentials. To mitigate this you should clear cookies often.
    - point: Block Third-Party Cookies
      priority: Recommended
      details: >-
        Third-party cookies are placed on your device by a website other than the one you’re visiting. This poses a privacy risk, as a 3rd entity can collect data from your current session. This guide explains how you can disable 3rd-party cookies, and you can check here to ensure this worked.
    - point: Block Third-Party Trackers
      priority: Recommended
      details: >-
        Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. Privacy Badger, DuckDuckGo Privacy Essentials, uBlock Origin and uMatrix (advanced) are all very effective, open source tracker-blockers available for all major browsers.
    - point: Beware of Redirects
      priority: Optional
      details: >-
        While some redirects are harmless, others, such as unvalidated redirects, are used in phishing attacks, as they can make a malicious link seem legitimate. If you are unsure about a redirect URL, you can check where it forwards to with a tool like RedirectDetective.
    - point: Do Not Sign Into Your Browser
      priority: Optional
      details: >-
        Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However this not only allows for further data collection, but also increases attack surface by providing another avenue for a malicious actor to get hold of personal information.
    - point: Disallow Prediction Services
      priority: Optional
      details: >-
        Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter.
    - point: Avoid G Translate for Webpages
      priority: Optional
      details: >-
        When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google collects all data (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser.
    - point: Disable Web Notifications
      priority: Optional
      details: >-
        Browser push notifications are a common method for criminals to encourage you to click their link, since it is easy to spoof the source.
        Be aware of this, and for instructions on disabling browser notifications, see this article.
    - point: Disable Automatic Downloads
      priority: Optional
      details: >-
        Drive-by downloads are a common method of getting harmful files onto a user's device. This can be mitigated by disabling auto file downloads, and by being cautious of websites which prompt you to download files unexpectedly.
    - point: Disallow Access to Sensors
      priority: Optional
      details: >-
        Mobile websites can tap into your device sensors without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification.
    - point: Disallow Location
      priority: Optional
      details: >-
        Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings. Note that there are still other methods of determining your approximate location.
    - point: Disallow Camera/ Microphone access
      priority: Optional
      details: >-
        Check browser settings to ensure that no websites are granted access to webcam or microphone. It may also be beneficial to use physical protection such as a webcam cover and microphone blocker.
    - point: Disable Browser Password Saves
      priority: Optional
      details: >-
        Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Instead use a password manager.
    - point: Disable Browser Autofill
      priority: Optional
      details: >-
        Turn off autofill for any confidential or personal details. This feature can be harmful if your browser is compromised in any way. Instead, consider using your password manager's Notes feature.
    - point: Protect from Exfil Attack
      priority: Optional
      details: >-
        The CSS Exfiltrate attack is a method where credentials and other sensitive details can be snagged with just pure CSS. You can stay protected with the CSS Exfil Protection plugin.
    - point: Deactivate ActiveX
      priority: Optional
      details: >-
        ActiveX is a browser extension API that is built into Microsoft IE, and enabled by default. It's not commonly used anymore, but since it gives plugins intimate access rights and can be dangerous, you should disable it.
    - point: Disable WebRTC
      priority: Optional
      details: >-
        WebRTC allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However, it can cause privacy leaks. To learn more, check out this guide.
    - point: Spoof HTML5 Canvas Sig
      priority: Optional
      details: >-
        Canvas Fingerprinting allows websites to identify and track users very accurately. You can use the Canvas-Fingerprint-Blocker extension to spoof your fingerprint or use Tor.
    - point: Spoof User Agent
      priority: Optional
      details: >-
        The user agent tells the website what device, browser and version you are using. Switching user agent periodically is one small step you can take to become less unique.
    - point: Disregard DNT
      priority: Optional
      details: >-
        Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since it is rarely used, it may also add to your signature, making you more unique.
    - point: Prevent HSTS Tracking
      priority: Optional
      details: >-
        HSTS was designed to help secure websites, but privacy concerns have been raised as it allowed site operators to plant super-cookies. It can be disabled by visiting chrome://net-internals/#hsts in Chromium-based browsers.
    - point: Prevent Automatic Browser Connections
      priority: Optional
      details: >-
        Even when you are not using your browser, it may call home to report on usage activity, analytics and diagnostics. You may wish to disable some of this, which can be done through the settings.
    - point: Enable 1st-Party Isolation
      priority: Optional
      details: >-
        First party isolation means that all identifier sources and browser state are scoped using the URL bar domain; this can greatly reduce tracking.
    - point: Strip Tracking Params from URLs
      priority: Advanced
      details: >-
        Websites often append additional GET parameters to URLs that you click, to identify information like source/referrer. You can sanitize manually, or use an extension like ClearUrls to strip tracking data from URLs automatically.
    - point: First Launch Security
      priority: Advanced
      details: >-
        After installing a web browser, the first time you launch it (prior to configuring its privacy settings), most browsers will call home. Therefore, after installing a browser, you should first disable your internet connection, then configure privacy options before reenabling your internet connectivity.
    - point: Use The Tor Browser
      priority: Advanced
      details: >-
        The Tor Project provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience.
    - point: Disable JavaScript
      priority: Advanced
      details: >-
        Many modern web apps are JavaScript-based, so disabling it will greatly degrade your browsing experience. But if you really want to go all out, then it will really reduce your attack surface.
  softwareLinks:
    - title: Privacy Browsers
      url: https://github.com/Lissy93/awesome-privacy#browsers
    - title: Search Engines
      url: https://github.com/Lissy93/awesome-privacy#search-engines
    - title: Browser Extensions
      url: https://github.com/Lissy93/awesome-privacy#browser-extensions
    - title: Browser & Bookmark Sync
      url: https://github.com/Lissy93/awesome-privacy#browser-sync
  color: emerald
- title: Email
  slug: email
  description: Protecting the gateway to your online accounts
  icon: email
  intro: >-
    Nearly 50 years since the first email was sent, it's still very much a big part of our day-to-day life, and will continue to be for the near future. So considering how much trust we put in it, it's surprising how fundamentally insecure this infrastructure is.
    Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk. If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised (through password resets), therefore email security is paramount for your digital safety. The big companies providing "free" email service don't have a good reputation for respecting users' privacy: Gmail was caught giving [third parties full access](https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442) to user emails and also [tracking all of your purchases](https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase-history-how-to-delete-it.html). Yahoo was also caught scanning emails in real-time [for US surveillance agencies](http://news.trust.org/item/20161004170601-99f8c). Advertisers [were granted access](https://thenextweb.com/insider/2018/08/29/both-yahoo-and-aol-are-scanning-customer-emails-to-attract-advertisers) to Yahoo and AOL users' messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
  checklist:
    - point: Have more than one email address
      priority: Recommended
      details: >-
        Consider using a different email address for security-critical communications from the one you use for trivial mail such as newsletters. This compartmentalization could reduce the amount of damage caused by a data breach, and also make it easier to recover a compromised account.
    - point: Keep Email Address Private
      priority: Recommended
      details: >-
        Do not share your primary email publicly, as mail addresses are often the starting point for most phishing attacks.
    - point: Keep your Account Secure
      priority: Recommended
      details: >-
        Use a long and unique password, enable 2FA and be careful while logging in. Your email account provides an easy entry point to all your other online accounts for an attacker.
- point: Disable Automatic Loading of Remote Content priority: Recommended details: >- Email messages can contain remote content such as images or stylesheets, often automatically loaded from the server. You should disable this, as it exposes your IP address and device information, and is often used for tracking. For more info, see [this article](https://www.theverge.com/2019/7/3/20680903/email-pixel-trackers-how-to-stop-images-automatic-download). - point: Use Plaintext priority: Optional details: >- There are two main types of emails on the internet: plaintext and HTML. The former is strongly preferred for privacy & security as HTML messages often include identifiers in links and inline images, which can collect usage and personal data. There are also numerous risks of remote code execution targeting the HTML parser of your mail client, which cannot be exploited if you are using plaintext. For more info, as well as setup instructions for your mail provider, see [UsePlaintext.email](https://useplaintext.email/). - point: Don’t connect third-party apps to your email account priority: Optional details: >- If you give a third-party app or plug-in full access to your inbox, it effectively has full unhindered access to all your emails and their contents, which poses significant security and privacy risks. - point: Don't Share Sensitive Data via Email priority: Optional details: >- Emails are very easily intercepted. Furthermore, you can’t be sure of how secure your recipient's environment is. Therefore, emails cannot be considered safe for exchanging confidential information, unless they are encrypted. - point: Consider Switching to a Secure Mail Provider priority: Optional details: >- Secure and reputable email providers such as Forward Email, ProtonMail, and Tutanota allow for end-to-end encryption, full privacy as well as more security-focused features. Unlike typical email providers, your mailbox cannot be read by anyone but you, since all messages are encrypted.
- point: Use Smart Key priority: Advanced details: >- OpenPGP does not support forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. Therefore, you should take great care to keep your private keys safe. One method of doing so is to use a USB Smart Key to sign or decrypt messages, allowing you to do so without your private key leaving the USB device. - point: Use Aliasing / Anonymous Forwarding priority: Advanced details: >- Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. This effectively allows you to use a different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that alias and determine which company leaked your email address. - point: Subaddressing priority: Optional details: >- An alternative to aliasing is subaddressing, where anything after the `+` symbol is omitted during mail delivery. This enables you to keep track of who shared/leaked your email address, but unlike aliasing, it will not protect against your real address being revealed. - point: Use a Custom Domain priority: Advanced details: >- Using a custom domain means that you are not dependent on the address assigned by your mail provider. So you can easily switch providers in the future and do not need to worry about a service being discontinued. - point: Sync with a client for backup priority: Advanced details: >- To avoid losing temporary or permanent access to your emails during an unplanned event (such as an outage or account lock), Thunderbird can sync/back up messages from multiple accounts via IMAP and store them locally on your primary device. - point: Be Careful with Mail Signatures priority: Advanced details: >- You do not know how secure an email environment the recipient of your message may have.
There are several extensions that automatically crawl messages, and create a detailed database of contact information based upon email signatures. - point: Be Careful with Auto-Replies priority: Advanced details: >- Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all too often people reveal too much information- which can be used in social engineering and targeted attacks. - point: Choose the Right Mail Protocol priority: Advanced details: >- Do not use outdated protocols (below IMAPv4 or POPv3), as both have known vulnerabilities and outdated security. - point: Self-Hosting priority: Advanced details: >- Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is critical yet requires strong networking knowledge. - point: Always use TLS Ports priority: Advanced details: >- There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use and widely supported, so should always be used instead of plaintext email ports. - point: DNS Availability priority: Advanced details: >- For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary MX record fails. - point: Prevent DDoS and Brute Force Attacks priority: Advanced details: >- For self-hosted mail servers (specifically SMTP), limit your total number of simultaneous connections, and maximum connection rate to reduce the impact of attempted bot attacks. - point: Maintain IP Blacklist priority: Advanced details: >- For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date local IP blacklist and spam URI realtime block lists to filter out malicious hyperlinks.
color: teal softwareLinks: - title: Secure Email Providers url: https://github.com/Lissy93/awesome-privacy#encrypted-email - title: Mail Forwarding url: https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding - title: Pre-Configured Mail Servers url: https://github.com/Lissy93/awesome-privacy#pre-configured-mail-servers - title: Email Clients url: https://github.com/Lissy93/awesome-privacy#email-clients - title: Messaging slug: messaging description: Keeping your communications private and secure icon: messaging intro: '' checklist: - point: Only Use Fully End-to-End Encrypted Messengers priority: Recommended details: >- End-to-end encryption is a system of communication where messages are encrypted on your device and not decrypted until they reach the intended recipient. This ensures that any actor who intercepts traffic cannot read the message contents, nor can anybody with access to the central servers where data is stored. - point: Use only Open Source Messaging Platforms priority: Recommended details: >- If code is open source then it can be independently examined and audited by anyone qualified to do so, to ensure that there are no backdoors, vulnerabilities, or other security issues. - point: Use a "Trustworthy" Messaging Platform priority: Recommended details: >- When selecting an encrypted messaging app, ensure it's fully open source, stable, actively maintained, and ideally backed by reputable developers. - point: Check Security Settings priority: Recommended details: >- Enable security settings, including contact verification, security notifications, and encryption. Disable optional non-security features such as read receipts, last online, and typing notifications. - point: Ensure your Recipient's Environment is Secure priority: Recommended details: >- Your conversation can only be as secure as the weakest link. Often the easiest way to infiltrate a communications channel is to target the individual or node with the least protection.
- point: Disable Cloud Services priority: Recommended details: >- Some mobile messaging apps offer a web or desktop companion. This not only increases attack surface but it has been linked to several critical security issues, and should therefore be avoided, if possible. - point: Secure Group Chats priority: Recommended details: >- The risk of compromise rises exponentially the more participants are in a group, as the attack surface increases. Periodically check that all participants are legitimate. - point: Create a Safe Environment for Communication priority: Recommended details: >- There are several stages where your digital communications could be monitored or intercepted. This includes: your or your participants' device, your ISP, national gateway or government logging, the messaging provider, the servers. - point: Agree on a Communication Plan priority: Optional details: >- In certain situations, it may be worth making a communication plan. This should include primary and backup methods of securely getting hold of each other. - point: Strip Meta-Data from Media priority: Optional details: >- Metadata is "Data about Data" or additional information attached to a file or transaction. When you send a photo, audio recording, video, or document you may be revealing more than you intended to. - point: Defang URLs priority: Optional details: >- Sending links via various services can unintentionally expose your personal information. This is because, when a thumbnail or preview is generated- it happens on the client-side. - point: Verify your Recipient priority: Optional details: >- Always ensure you are talking to the intended recipient, and that they have not been compromised. One method for doing so is to use an app which supports contact verification. - point: Enable Ephemeral Messages priority: Optional details: >- Self-destructing messages are a feature that causes your messages to automatically delete after a set amount of time.
This means that if your device is lost, stolen, or seized, an adversary will only have access to the most recent communications. - point: Avoid SMS priority: Optional details: >- SMS may be convenient, but it's not secure. It is susceptible to threats such as interception, sim swapping, manipulation, and malware. - point: Watch out for Trackers priority: Optional details: >- Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very invasive, and can sometimes reveal your identity as well as personal information that you would otherwise not intend to share. - point: Consider Jurisdiction priority: Advanced details: >- The jurisdictions where the organisation is based, and data is hosted should also be taken into account. - point: Use an Anonymous Platform priority: Advanced details: >- If you believe you may be targeted, you should opt for an anonymous messaging platform that does not require a phone number, or any other personally identifiable information to sign up or use. - point: Ensure Forward Secrecy is Supported priority: Advanced details: >- Opt for a platform that implements forward secrecy. This is where your app generates a new encryption key for every message. - point: Consider a Decentralized Platform priority: Advanced details: >- If all data flows through a central provider, you have to trust them with your data and meta-data. You cannot verify that the system running is authentic without back doors. 
softwareLinks: - title: Secure Messaging Apps url: https://github.com/Lissy93/awesome-privacy#encrypted-messaging - title: P2P Messaging Platforms url: https://github.com/Lissy93/awesome-privacy#p2p-messaging color: cyan - title: Social Media slug: social-media description: Minimizing the risks associated with using online communities icon: social intro: > Online communities have existed since the invention of the internet, and give people around the world the opportunity to connect, communicate and share. Although these networks are a great way to promote social interaction and bring people together, they have a dark side - there are some serious [Privacy Concerns with Social Networking Services](https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services), these social networking sites are owned by private corporations, and they make their money by collecting data about individuals and selling that data on, often to third party advertisers. Secure your account, lock down your privacy settings, but know that even after doing so, all data intentionally and non-intentionally uploaded is effectively public. If possible, avoid using conventional social media networks. checklist: - point: Secure your Account priority: Recommended details: >- Social media profiles get stolen or taken over all too often. To protect your account: use a unique and strong password, and enable 2-factor authentication. - point: Check Privacy Settings priority: Recommended details: >- Most social networks allow you to control your privacy settings. Ensure that you are comfortable with what data you are currently exposing and to whom. - point: Think of All Interactions as Public priority: Recommended details: >- There are still numerous methods of viewing a user's 'private' content across many social networks. Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?"
- point: Think of All Interactions as Permanent priority: Recommended details: >- Pretty much every post, comment, photo etc is being continuously backed up by a myriad of third-party services, who archive this data and make it indexable and publicly available almost forever. - point: Don't Reveal too Much priority: Recommended details: >- Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc). - point: Be Careful what you Upload priority: Recommended details: >- Status updates, comments, check-ins and media can unintentionally reveal a lot more than you intended them to. This is especially relevant to photos and videos, which may show things in the background. - point: Don't Share Email or Phone Number priority: Recommended details: >- Posting your real email address or mobile number gives hackers, trolls and spammers more ammunition to use against you, and can also allow separate aliases, profiles or data points to be connected. - point: Don't Grant Unnecessary Permissions priority: Recommended details: >- By default many of the popular social networking apps will ask for permission to access your contacts, call log, location, messaging history etc. If they don’t need this access, don’t grant it. - point: Be Careful of 3rd-Party Integrations priority: Recommended details: >- Avoid signing up for accounts using a Social Network login, and revoke access to social apps you no longer use. - point: Avoid Publishing Geo Data while still Onsite priority: Recommended details: >- If you plan to share any content that reveals a location, then wait until you have left that place. This is particularly important when you are taking a trip, at a restaurant, campus, hotel/resort, public building or airport.
- point: Remove metadata before uploading media priority: Optional details: >- Most smartphones and some cameras automatically attach a comprehensive set of additional data (called EXIF data) to each photograph. Remove this data before uploading. - point: Implement Image Cloaking priority: Advanced details: >- Tools like Fawkes can be used to very subtly, slightly change the structure of faces within photos in a way that is imperceptible to humans, but will prevent facial recognition systems from being able to recognize a given face. - point: Consider Spoofing GPS in home vicinity priority: Advanced details: >- Even if you yourself never use social media, there are always going to be others who are not as careful, and could reveal your location. - point: Consider False Information priority: Advanced details: >- If you just want to read, and do not intend on posting too much- consider using an alias name, and false contact details. - point: Don’t have any social media accounts priority: Advanced details: >- Social media is fundamentally un-private, so for maximum online security and privacy, avoid using any mainstream social networks. softwareLinks: - title: Alternative Social Media url: https://github.com/Lissy93/awesome-privacy#social-networks - title: Alternative Video Platforms url: https://github.com/Lissy93/awesome-privacy#video-platforms - title: Alternative Blogging Platforms url: https://github.com/Lissy93/awesome-privacy#blogging-platforms - title: News Readers and Aggregation url: https://github.com/Lissy93/awesome-privacy#news-readers-and-aggregation color: blue - title: Networks slug: networks description: Safeguarding your network traffic icon: network intro: > This section covers how you connect your devices to the internet securely, including configuring your router and setting up a VPN. checklist: - point: Use a VPN priority: Recommended details: >- Use a reputable, paid-for VPN.
This can help prevent sites you visit from logging your real IP, reduce the amount of data your ISP can collect, and increase protection on public WiFi. - point: Change your Router Password priority: Recommended details: >- After getting a new router, change the password. Default router passwords are publicly available, meaning anyone within proximity would be able to connect. - point: Use WPA2, and a strong password priority: Recommended details: >- There are different authentication protocols for connecting to WiFi. Currently, the most secure options are WPA2 and WPA3 (on newer routers). - point: Keep router firmware up-to-date priority: Recommended details: >- Manufacturers release firmware updates that fix security vulnerabilities, implement new standards, and sometimes add features or improve the performance of your router. - point: Implement a Network-Wide VPN priority: Optional details: >- If you configure your VPN on your router, firewall, or home server, then traffic from all devices will be encrypted and routed through it, without needing individual VPN apps. - point: Protect against DNS leaks priority: Optional details: >- When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider or secure service. - point: Use a secure VPN Protocol priority: Optional details: >- OpenVPN and WireGuard are open source, lightweight, and secure tunneling protocols. Avoid using PPTP or SSTP. - point: Secure DNS priority: Optional details: >- Use DNS-over-HTTPS which performs DNS resolution via the HTTPS protocol, encrypting data between you and your DNS resolver. - point: Avoid the free router from your ISP priority: Optional details: >- Typically they’re manufactured cheaply in bulk in China, with insecure proprietary firmware that doesn't receive regular security updates.
- point: Whitelist MAC Addresses priority: Optional details: >- You can whitelist MAC addresses in your router settings, preventing any unknown devices from immediately connecting to your network, even if they know your credentials. - point: Change the Router’s Local IP Address priority: Optional details: >- It is possible for a malicious script in your web browser to exploit a cross-site scripting vulnerability, accessing known-vulnerable routers at their local IP address and tampering with them. - point: Don't Reveal Personal Info in SSID priority: Optional details: >- You should update your network name, choosing an SSID that does not identify you, does not include your flat number/address, and does not specify the device brand/model. - point: Opt-Out Router Listings priority: Optional details: >- WiFi SSIDs are scanned, logged, and then published on various websites, which is a serious privacy concern for some. - point: Hide your SSID priority: Optional details: >- Your router's Service Set Identifier is simply the network name. If it is not visible, it may receive less abuse. - point: Disable WPS priority: Optional details: >- Wi-Fi Protected Setup provides an easier method to connect, without entering a long WiFi password, but WPS introduces a series of major security issues. - point: Disable UPnP priority: Optional details: >- Universal Plug and Play allows applications to automatically forward a port on your router, but it has a long history of serious security issues. - point: Use a Guest Network for Guests priority: Optional details: >- Do not grant access to your primary WiFi network to visitors, as it enables them to interact with other devices on the network. - point: Change your Router's Default IP priority: Optional details: >- Modifying your router admin panel's default IP address will make it more difficult for malicious scripts targeting local IP addresses.
- point: Kill unused processes and services on your router priority: Optional details: >- Services like Telnet and SSH that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. - point: Don't have Open Ports priority: Optional details: >- Close any open ports on your router that are not needed. Open ports provide an easy entrance for hackers. - point: Disable Unused Remote Access Protocols priority: Optional details: >- When protocols such as PING, Telnet, SSH, UPnP, and HNAP etc are enabled, they allow your router to be probed from anywhere in the world. - point: Disable Cloud-Based Management priority: Optional details: >- You should treat your router's admin panel with the utmost care, as considerable damage can be caused if an attacker is able to gain access. - point: Manage Range Correctly priority: Optional details: >- It's common to want to pump your router's range to the max, but if you reside in a smaller flat, your attack surface is increased when your WiFi network can be picked up across the street. - point: Route all traffic through Tor priority: Advanced details: >- VPNs have their weaknesses. For increased security, route all your internet traffic through the Tor network. - point: Disable WiFi on all Devices priority: Advanced details: >- Connecting to even a secure WiFi network increases your attack surface. Disable your home WiFi and connect each device via Ethernet.
color: violet softwareLinks: - title: Virtual Private Networks url: https://github.com/Lissy93/awesome-privacy#virtual-private-networks - title: Mix Networks url: https://github.com/Lissy93/awesome-privacy#mix-networks - title: Router Firmware url: https://github.com/Lissy93/awesome-privacy#router-firmware - title: Open Source Proxies url: https://github.com/Lissy93/awesome-privacy#proxies - title: DNS Providers url: https://github.com/Lissy93/awesome-privacy#dns - title: Firewalls url: https://github.com/Lissy93/awesome-privacy#firewalls - title: Network Analysis Tools url: https://github.com/Lissy93/awesome-privacy#network-analysis - title: Self-Hosted Network Security Tools url: https://github.com/Lissy93/awesome-privacy#self-hosted-network-security - title: Mobile Devices slug: mobile-devices description: Reduce invasive tracking for cells, smartphones and tablets icon: mobile intro: > Smart phones have revolutionized so many aspects of life and brought the world to our fingertips. For many of us, smart phones are our primary means of communication, entertainment and access to knowledge. But while they've brought convenience to a whole new level, there are some ugly things going on behind the screen. Geo-tracking is used to trace our every move, and we have little control over who has this data- your phone is even able to [track your location without GPS](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371). Over the years numerous reports have surfaced, outlining ways in which your phone's [mic can eavesdrop](https://www.independent.co.uk/life-style/gadgets-and-tech/news/smartphone-apps-listening-privacy-alphonso-shazam-advertising-pool-3d-honey-quest-a8139451.html), and the [camera can watch you](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)- all without your knowledge or consent.
And then there are the malicious apps, lack of security patches and potential/likely backdoors. Using a smart phone generates a lot of data about you- from information you intentionally share, to data silently generated from your actions. It can be scary to see what Google, Microsoft, Apple and Facebook know about us- sometimes they know more than our closest family. It's hard to comprehend what your data will reveal, especially in conjunction with other data. This data is used for [far more than just advertising](https://internethealthreport.org/2018/the-good-the-bad-and-the-ugly-sides-of-data-tracking/) - more often it's used to rate people for finance, insurance and employment. Targeted ads can even be used for fine-grained surveillance (see [ADINT](https://adint.cs.washington.edu)). More of us are concerned about how [governments collect and use our smart phone data](https://www.statista.com/statistics/373916/global-opinion-online-monitoring-government/), and rightly so: federal agencies often [request our data from Google](https://www.statista.com/statistics/273501/global-data-requests-from-google-by-federal-agencies-and-governments/), [Facebook](https://www.statista.com/statistics/287845/global-data-requests-from-facebook-by-federal-agencies-and-governments/), Apple, Microsoft, Amazon, and other tech companies. Sometimes requests are made in bulk, returning detailed information on everybody within a certain geo-fence, [often for innocent people](https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html). And this doesn't include all of the internet traffic that intelligence agencies around the world have unhindered access to. checklist: - point: Encrypt your Device priority: Recommended details: >- In order to keep your data safe from physical access, use file encryption. This will mean if your device is lost or stolen, no one will have access to your data.
- point: Turn off connectivity features that aren’t being used priority: Recommended details: >- When you're not using WiFi, Bluetooth, NFC etc, turn those features off. There are several common threats that utilise these features. - point: Keep app count to a minimum priority: Recommended details: >- Uninstall apps that you don’t need or use regularly, as apps often run in the background, slowing your device down and also collecting data. - point: App Permissions priority: Recommended details: >- Don’t grant apps permissions that they don’t need. For Android, Bouncer is an app that allows you to grant temporary/1-off permissions. - point: Only install Apps from official source priority: Recommended details: >- Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. - point: Be Careful of Phone Charging Threats priority: Optional details: >- Juice Jacking is when hackers use public charging stations to install malware on your smartphone or tablet through a compromised USB port. - point: Set up a mobile carrier PIN priority: Recommended details: >- SIM hijacking is when a hacker is able to get your mobile number transferred to their SIM. The easiest way to protect against this is to set up a PIN through your mobile provider. - point: Opt-out of Caller ID Listings priority: Optional details: >- To keep your details private, you can unlist your number from caller ID apps like TrueCaller, CallApp, SyncMe, and Hiya. - point: Use Offline Maps priority: Optional details: >- Consider using an offline maps app, such as OsmAnd or Organic Maps, to reduce data leaks from map apps. - point: Opt-out of personalized ads priority: Optional details: >- You can slightly reduce the amount of data collected by opting-out of seeing personalized ads.
- point: Erase after too many login attempts priority: Optional details: >- To protect against an attacker brute forcing your PIN, set your device to erase after too many failed login attempts. - point: Monitor Trackers priority: Optional details: >- εxodus is a great service which lets you search for any app and see which trackers are embedded in it. - point: Use a Mobile Firewall priority: Optional details: >- To prevent applications from leaking privacy-sensitive data, you can install a firewall app. - point: Reduce Background Activity priority: Optional details: >- For Android, SuperFreeze makes it possible to entirely freeze all background activities on a per-app basis. - point: Sandbox Mobile Apps priority: Optional details: >- Prevent permission-hungry apps from accessing your private data with Island, a sandbox environment. - point: Tor Traffic priority: Advanced details: >- Orbot provides a system-wide Tor connection, which will help protect you from surveillance and public WiFi threats. - point: Avoid Custom Virtual Keyboards priority: Optional details: >- It is recommended to stick with your device's stock keyboard. If you choose to use a third-party keyboard app, ensure it is reputable. - point: Restart Device Regularly priority: Optional details: >- Restarting your phone at least once a week will clear the app state cached in memory, and it may run more smoothly after a restart. - point: Avoid SMS priority: Optional details: >- SMS should not be used to receive 2FA codes or for communication, instead use an encrypted messaging app, such as Signal. - point: Keep your Number Private priority: Optional details: >- MySudo allows you to create and use virtual phone numbers for different people or groups. This is great for compartmentalisation. - point: Watch out for Stalkerware priority: Optional details: >- Stalkerware is malware that is installed directly onto your device by someone you know. The best way to get rid of it is through a factory reset.
- point: Favor the Browser, over Dedicated App priority: Optional details: >- Where possible, consider using a secure browser to access sites, rather than installing dedicated applications. - point: Consider running a custom ROM (Android) priority: Advanced details: >- If you're concerned about your device manufacturer collecting too much personal information, consider a privacy-focused custom ROM. color: fuchsia softwareLinks: - title: Mobile Apps, for Security + Privacy url: https://github.com/Lissy93/awesome-privacy#mobile-apps - title: Encrypted Messaging url: https://github.com/Lissy93/awesome-privacy#encrypted-messaging - title: Mobile Operating Systems url: https://github.com/Lissy93/awesome-privacy#mobile-operating-systems - title: Personal Computers slug: personal-computers description: Securing your PC's operating system, data & activity icon: computer intro: > Although Windows and OS X are easy to use and convenient, they both are far from secure. Your OS provides the interface between hardware and your applications, so if it is compromised, the effects can be detrimental. checklist: - point: Keep your System up-to-date priority: Recommended details: >- System updates contain fixes/patches for security issues, improve performance, and sometimes add new features. Install new updates when prompted. - point: Encrypt your Device priority: Recommended details: >- Use BitLocker for Windows, FileVault on MacOS, or LUKS on Linux, to enable full disk encryption. This prevents unauthorized access if your computer is lost or stolen. - point: Backup Important Data priority: Recommended details: >- Maintaining encrypted backups prevents loss due to ransomware, theft, or damage. Consider using Cryptomator for cloud files or VeraCrypt for USB drives. - point: Be Careful Plugging USB Devices into your Computer priority: Recommended details: >- USB devices can pose serious threats. Consider making a USB sanitizer with CIRCLean to safely check USB devices.
- point: Activate Screen-Lock when Idle priority: Recommended details: >- Lock your computer when away and set it to require a password on resume from screensaver or sleep to prevent unauthorized access. - point: Disable Cortana or Siri priority: Recommended details: >- Voice-controlled assistants can have privacy implications due to data sent back for processing. Disable or limit their listening capabilities. - point: Review your Installed Apps priority: Recommended details: >- Keep installed applications to a minimum to reduce exposure to vulnerabilities and regularly clear application caches. - point: Manage Permissions priority: Recommended details: >- Control which apps have access to your location, camera, microphone, contacts, and other sensitive information. - point: Disallow Usage Data from being sent to the Cloud priority: Recommended details: >- Limit the amount of usage information or feedback sent to the cloud to protect your privacy. - point: Avoid Quick Unlock priority: Recommended details: >- Use a strong password instead of biometrics or short PINs for unlocking your computer to enhance security. - point: Power Off Computer, instead of Standby priority: Recommended details: >- Shut down your device when not in use, especially if your disk is encrypted, to keep data secure. - point: Don't link your PC with your Microsoft or Apple Account priority: Optional details: >- Use a local account only to prevent data syncing and exposure. Avoid using sync services that compromise privacy. - point: Check which Sharing Services are Enabled priority: Optional details: >- Disable network sharing features you are not using to close gateways to common threats. - point: Don't use Root/Admin Account for Non-Admin Tasks priority: Optional details: >- Use an unprivileged user account for daily tasks and only elevate permissions for administrative changes to mitigate vulnerabilities. 
- point: Block Webcam + Microphone priority: Optional details: >- Cover your webcam when not in use and consider blocking unauthorized audio recording to protect privacy. - point: Use a Privacy Filter priority: Optional details: >- Use a screen privacy filter in public spaces to prevent shoulder surfing and protect sensitive information. - point: Physically Secure Device priority: Optional details: >- Use a Kensington Lock to secure your laptop in public spaces and consider port locks to prevent unauthorized physical access. - point: Don't Charge Devices from your PC priority: Optional details: >- Use a power bank or AC wall charger instead of your PC to avoid security risks associated with USB connections. - point: Randomize your hardware address on Wi-Fi priority: Optional details: >- Modify or randomize your MAC address to protect against tracking across different Wi-Fi networks. - point: Use a Firewall priority: Optional details: >- Install a firewall app to monitor and block unwanted internet access by certain applications, protecting against remote access attacks and privacy breaches. - point: Protect Against Software Keyloggers priority: Optional details: >- Use keystroke encryption tools to protect against software keyloggers recording your keystrokes. - point: Check Keyboard Connection priority: Optional details: >- Be vigilant for hardware keyloggers when using public or unfamiliar computers by checking keyboard connections. - point: Prevent Keystroke Injection Attacks priority: Optional details: >- Lock your PC when away and consider using USBGuard or similar tools to protect against keystroke injection attacks. - point: Don't use commercial "Free" Anti-Virus priority: Optional details: >- Rely on built-in security tools and avoid free anti-virus applications due to their potential for privacy invasion and data collection. 
- point: Periodically check for Rootkits priority: Advanced details: >- Regularly check for rootkits to detect and mitigate full system control threats using tools like chkrootkit. - point: BIOS Boot Password priority: Advanced details: >- Enable a BIOS or UEFI password to add an additional security layer during boot-up, though be aware of its limitations. - point: Use a Security-Focused Operating System priority: Advanced details: >- Consider switching to Linux or a security-focused distro like Qubes OS or Tails for enhanced privacy and security. - point: Make Use of VMs priority: Advanced details: >- Use virtual machines for risky activities or testing suspicious software to isolate potential threats from your primary system. - point: Compartmentalize priority: Advanced details: >- Isolate different programs and data sources from one another as much as possible to limit the extent of potential breaches. - point: Disable Undesired Features (Windows) priority: Advanced details: >- Disable unnecessary Windows "features" and services that run in the background to reduce data collection and resource use. - point: Secure Boot priority: Advanced details: >- Ensure that Secure Boot is enabled to prevent malware from replacing your boot loader and other critical software. - point: Secure SSH Access priority: Advanced details: >- Take steps to protect SSH access from attacks by changing the default port, using SSH keys, and configuring firewalls. - point: Close Unused Open Ports priority: Advanced details: >- Turn off services listening on external ports that are not needed to protect against remote exploits and improve security. - point: Implement Mandatory Access Control priority: Advanced details: >- Restrict privileged access to limit the damage that can be done if a system is compromised. - point: Use Canary Tokens priority: Advanced details: >- Deploy canary tokens to detect unauthorized access to your files or emails faster and gather information about the intruder. 
color: pink softwareLinks: - title: Secure Operating Systems url: https://github.com/Lissy93/awesome-privacy#desktop-operating-systems - title: Linux Defenses url: https://github.com/Lissy93/awesome-privacy#linux-defences - title: Windows Defenses url: https://github.com/Lissy93/awesome-privacy#windows-defences - title: Mac OS Defenses url: https://github.com/Lissy93/awesome-privacy#mac-os-defences - title: Anti-Malware url: https://github.com/Lissy93/awesome-privacy#anti-malware - title: Firewalls url: https://github.com/Lissy93/awesome-privacy#firewalls-1 - title: File Encryption url: https://github.com/Lissy93/awesome-privacy#file-encryption - title: Smart Home slug: smart-home description: Using IoT devices without compromising your privacy icon: home intro: >- Home assistants (such as Google Home, Alexa and Siri) and other internet-connected devices collect large amounts of personal data (including voice samples, location data, home details and logs of all interactions). Since you have limited control over what is being collected, how it's stored, and what it will be used for, it is hard to recommend any consumer smart-home products to anyone who cares about privacy and security. Security vs Privacy: There are many smart devices on the market that claim to increase the security of your home while being easy and convenient to use (such as Smart Burglar Alarms, Internet Security Cameras, Smart Locks and Remote access Doorbells to name a few). These devices may appear to make security easier, but there is a trade-off in terms of privacy, as they collect large amounts of personal data, and leave you without control over how this is stored or used. The security of these devices is also questionable, since many of them can be (and are being) hacked, allowing an intruder to bypass detection with minimum effort. 
The most privacy-respecting option would be to not use "smart" internet-connected devices in your home, and not to rely on a security device that requires an internet connection. But if you do, it is important to fully understand the risks of any given product before buying it, and then adjust its settings to increase privacy and security. The following checklist will help mitigate the risks associated with internet-connected home devices. checklist: - point: Rename devices to not specify brand/model priority: Recommended details: >- Change default device names to something generic to prevent targeted attacks by obscuring brand or model information. - point: Disable microphone and camera when not in use priority: Recommended details: >- Use hardware switches to turn off microphones and cameras on smart devices to protect against accidental recordings or targeted access. - point: Understand what data is collected, stored and transmitted priority: Recommended details: >- Research and ensure comfort with the data handling practices of smart home devices before purchase, avoiding devices that share data with third parties. - point: Set privacy settings, and opt out of sharing data with third parties priority: Recommended details: >- Adjust app settings for strictest privacy controls and opt out of data sharing with third parties wherever possible. - point: Don't link your smart home devices to your real identity priority: Recommended details: >- Use anonymous usernames and passwords, avoiding sign-up/log-in via social media or other third-party services to maintain privacy. - point: Keep firmware up-to-date priority: Recommended details: >- Regularly update smart device firmware to apply security patches and enhancements. - point: Protect your Network priority: Recommended details: >- Secure your home Wi-Fi and network to prevent unauthorized access to smart devices. 
- point: Be wary of wearables priority: Optional details: >- Consider the extensive data collection capabilities of wearable devices and their implications for privacy. - point: Don't connect your home's critical infrastructure to the Internet priority: Optional details: >- Evaluate the risks of internet-connected thermostats, alarms, and detectors due to potential remote access by hackers. - point: Mitigate Alexa/Google Home Risks priority: Optional details: >- Consider privacy-focused alternatives like Mycroft or use Project Alias to prevent idle listening by voice-activated assistants. - point: Monitor your home network closely priority: Optional details: >- Use tools like FingBox or router features to monitor for unusual network activity. - point: Deny Internet access where possible priority: Advanced details: >- Use firewalls to block internet access for devices that don't need it, limiting operation to local network use. - point: Assess risks priority: Advanced details: >- Consider the privacy implications for all household members and adjust device settings for security and privacy, such as disabling devices at certain times. color: red softwareLinks: - title: Home Automation url: https://github.com/Lissy93/awesome-privacy#home-automation - title: AI Voice Assistants url: https://github.com/Lissy93/awesome-privacy#ai-voice-assistants - title: Personal Finance slug: personal-finance description: Protecting your funds, financial accounts and transactions icon: finance intro: >- Credit card fraud is the most common form of identity theft (with [133,015 reports in the US in 2017 alone](https://www.experian.com/blogs/ask-experian/identity-theft-statistics/)), and a total loss of $905 million, which was a 26% increase from the previous year. The median amount lost per person was $429 in 2017. 
It's more important than ever to take basic steps to protect yourself from falling victim. Note about credit cards: Credit cards have technological methods in place to detect and stop some fraudulent transactions. Major payment processors implement this by mining huge amounts of data from their card holders, in order to know a great deal about each person's spending habits. This data is used to identify fraud, but is also sold on to other data brokers. Credit cards are therefore good for security, but terrible for data privacy. checklist: - point: Sign up for Fraud Alerts and Credit Monitoring priority: Recommended details: >- Enable fraud alerts and credit monitoring through Experian, TransUnion, or Equifax to be alerted of suspicious activity. - point: Apply a Credit Freeze priority: Recommended details: >- Prevent unauthorized credit inquiries by freezing your credit through Experian, TransUnion, and Equifax. - point: Use Virtual Cards priority: Optional details: >- Utilize virtual card numbers for online transactions to protect your real banking details. Services like Privacy.com and MySudo offer such features. - point: Use Cash for Local Transactions priority: Optional details: >- Pay with cash for local and everyday purchases to avoid financial profiling by institutions. - point: Use Cryptocurrency for Online Transactions priority: Optional details: >- Opt for privacy-focused cryptocurrencies like Monero for online transactions to maintain anonymity. Use cryptocurrencies wisely to ensure privacy. - point: Store Crypto Securely priority: Advanced details: >- Securely store cryptocurrencies using offline wallet generation, hardware wallets like Trezor or ColdCard, or consider long-term storage solutions like CryptoSteel. - point: Buy Crypto Anonymously priority: Advanced details: >- Purchase cryptocurrencies without linking to your identity through services like LocalBitcoins, Bisq, or Bitcoin ATMs. 
- point: Tumble/Mix Coins priority: Advanced details: >- Use a bitcoin mixer or CoinJoin before converting Bitcoin to currency to obscure transaction trails. - point: Use Alias Details for Online Shopping priority: Advanced details: >- For online purchases, consider using alias details, forwarding email addresses, VOIP numbers, and secure delivery methods to protect your identity. - point: Use alternate delivery address priority: Advanced details: >- Opt for deliveries to non-personal addresses such as PO Boxes, forwarding addresses, or local pickup locations to avoid linking purchases directly to you. color: purple softwareLinks: - title: Virtual Credit Cards url: https://github.com/Lissy93/awesome-privacy#virtual-credit-cards - title: Cryptocurrencies url: https://github.com/Lissy93/awesome-privacy#cryptocurrencies - title: Crypto Wallets url: https://github.com/Lissy93/awesome-privacy#crypto-wallets - title: Crypto Exchanges url: https://github.com/Lissy93/awesome-privacy#crypto-exchanges - title: Other Payment Methods url: https://github.com/Lissy93/awesome-privacy#other-payment-methods - title: Budgeting Tools url: https://github.com/Lissy93/awesome-privacy#budgeting-tools - title: Human Aspect slug: human-aspect description: Avoiding social engineering security risks icon: human intro: >- Many data breaches, hacks and attacks are caused by human error. The following list contains steps you should take to reduce the risk of this happening to you. Many of them are common sense, but they are worth taking note of. checklist: - point: Verify Recipients priority: Recommended details: >- Emails can be easily spoofed. Verify the sender's authenticity, especially for sensitive actions, and prefer entering URLs manually rather than clicking links in emails. - point: Don't Trust Your Popup Notifications priority: Recommended details: >- Fake pop-ups can be deployed by malicious actors. Always check the URL before entering any information on a popup. 
- point: Never Leave Device Unattended priority: Recommended details: >- Unattended devices can be compromised even with strong passwords. Use encryption and remote erase features like Find My Phone for lost devices. - point: Prevent Camfecting priority: Recommended details: >- Protect against camfecting by using webcam covers and microphone blockers. Mute home assistants when not in use or discussing sensitive matters. - point: Stay protected from shoulder surfers priority: Recommended details: >- Use privacy screens on laptops and mobiles to prevent others from reading your screen in public spaces. - point: Educate yourself about phishing attacks priority: Recommended details: >- Be cautious of phishing attempts. Verify URLs, context of received messages, and employ good security practices like using 2FA and not reusing passwords. - point: Watch out for Stalkerware priority: Recommended details: >- Be aware of stalkerware installed by acquaintances for spying. Look out for signs like unusual battery usage and perform factory resets if suspected. - point: Install Reputable Software from Trusted Sources priority: Recommended details: >- Only download software from legitimate sources and check files with tools like VirusTotal before installation. - point: Store personal data securely priority: Recommended details: >- Ensure all personal data on devices or in the cloud is encrypted to protect against unauthorized access. - point: Obscure Personal Details from Documents priority: Recommended details: >- When sharing documents, obscure personal details with opaque rectangles to prevent information leakage. - point: Do not assume a site is secure, just because it is `HTTPS` priority: Recommended details: >- HTTPS does not guarantee a website's legitimacy. Verify URLs and exercise caution with personal data. 
- point: Use Virtual Cards when paying online priority: Optional details: >- Use virtual cards for online payments to protect your banking details and limit transaction risks. - point: Review application permissions priority: Optional details: >- Regularly review and manage app permissions to ensure no unnecessary access to sensitive device features. - point: Opt-out of public lists priority: Optional details: >- Remove yourself from public databases and marketing lists to reduce unwanted contacts and potential risks. - point: Never Provide Additional PII When Opting-Out priority: Optional details: >- Do not provide additional personal information when opting out of data services to avoid further data collection. - point: Opt-out of data sharing priority: Optional details: >- Many apps and services default to data sharing settings. Opt out to protect your data from being shared with third parties. - point: Review and update social media privacy priority: Optional details: >- Regularly check and update your social media settings due to frequent terms updates that may affect your privacy settings. - point: Compartmentalize priority: Advanced details: >- Keep different areas of digital activity separate to limit data exposure in case of a breach. - point: WhoIs Privacy Guard priority: Advanced details: >- Use WhoIs Privacy Guard for domain registrations to protect your personal information from public searches. - point: Use a forwarding address priority: Advanced details: >- Use a PO Box or forwarding address for mail to prevent companies from knowing your real address, adding a layer of privacy protection. - point: Use anonymous payment methods priority: Advanced details: >- Opt for anonymous payment methods like cryptocurrencies to avoid entering identifiable information online. 
color: indigo - title: Physical Security slug: physical-security description: Taking measures to prevent IRL security incidents icon: physical intro: >- Public records often include sensitive personal data (full name, date of birth, phone number, email, address, ethnicity etc.), and are gathered from a range of sources (census records, birth/death/marriage certificates, voter registrants, marketing information, customer databases, motor vehicle records, professional/business licenses and all court files in full detail). This sensitive personal information is [easy and legal to access](https://www.consumerreports.org/consumerist/its-creepy-but-not-illegal-for-this-website-to-provide-all-your-public-info-to-anyone/), which raises some [serious privacy concerns](https://privacyrights.org/resources/public-records-internet-privacy-dilemma) (identity theft, personal safety risks/stalkers, destruction of reputations, dossier society). CCTV is one of the major ways that corporations, individuals and the government track your movements. In London, UK the average person is caught on camera about 500 times per day. This network is continuing to grow, and in many cities around the world, facial recognition is being rolled out, meaning the state can know the identity of residents on the footage in real-time. Strong authentication, encrypted devices, patched software and anonymous web browsing may be of little use if someone is able to physically compromise you, your devices and your data. This section outlines some basic methods for physical security. checklist: - point: Destroy Sensitive Documents priority: Recommended details: Shred or redact sensitive documents before disposal to protect against identity theft and maintain confidentiality. - point: Opt-Out of Public Records priority: Recommended details: Contact people search websites to opt out of listings that show personal information, using guides like Michael Bazzell's Personal Data Removal Workbook. 
- point: Watermark Documents priority: Recommended details: Add a watermark with the recipient's name and date to digital copies of personal documents to trace the source of a breach. - point: Don't Reveal Info on Inbound Calls priority: Recommended details: Only share personal data on calls you initiate and verify the recipient's phone number. - point: Stay Alert priority: Recommended details: Be aware of your surroundings and assess potential risks in new environments. - point: Secure Perimeter priority: Recommended details: Ensure physical security of locations storing devices that hold personal info, minimizing external access and using intrusion detection systems. - point: Physically Secure Devices priority: Recommended details: Use physical security measures like Kensington locks, webcam covers, and privacy screens for devices. - point: Keep Devices Out of Direct Sight priority: Recommended details: Prevent devices from being visible from outside to mitigate risks from lasers and theft. - point: Protect your PIN priority: Recommended details: Shield your PIN entry from onlookers and cameras, and clean touchscreens after use. - point: Check for Skimmers priority: Recommended details: Inspect ATMs and public devices for skimming devices and tampering signs before use. - point: Protect your Home Address priority: Optional details: Use alternative locations, forwarding addresses, and anonymous payment methods to protect your home address. - point: Use a PIN, Not Biometrics priority: Advanced details: Prefer PINs over biometrics for device security in situations where legal coercion to unlock devices may occur. - point: Reduce exposure to CCTV priority: Advanced details: Wear disguises and choose routes with fewer cameras to avoid surveillance. - point: Anti-Facial Recognition Clothing priority: Advanced details: Wear clothing with patterns that trick facial-recognition technology. 
- point: Reduce Night Vision Exposure priority: Advanced details: Use IR light sources or reflective glasses to obstruct night vision cameras. - point: Protect your DNA priority: Advanced details: Avoid sharing DNA with heritage websites and be cautious about leaving DNA traces. color: lime