Not everyone needs the same level of Internet privacy. This guide will help you determine your threat model and take steps to achieve online privacy that meets your needs.
Total Internet privacy is impossible, and any service that claims to offer it is lying. But anyone can increase their Internet privacy by adjusting their online behavior, like choosing privacy-focused online service providers and limiting the amount of information they store on the Internet.
Many Internet privacy guides promote unrealistic goals with inconvenient solutions, like using Tor all the time (which will slow your Internet) or communicating only through Signal encrypted messenger (which is useless unless your contacts are using it too). While such technologies provide a high level of privacy, they may not be necessary under your personal threat model. In other words, you probably don’t need to take the same privacy precautions as a Turkish dissident or an NSA whistleblower. And the best privacy recommendations can be counterproductive if you burn out following them, like one writer for Slate did.
In this guide to Internet privacy, we’ll show you how to understand your own threat model and take practical steps to protect your online privacy. At the end of the article, we also include our online privacy checklist.
Internet privacy is important for everyone
If you use the Internet at all, then privacy issues directly impact you. Without Internet privacy, someone can steal your credit card or even your identity, potentially causing problems for your credit score or at the very least inconveniencing you while a replacement card is shipped. Internet privacy keeps hackers from infiltrating your online accounts (you don’t want to be this guy) and spying on your activity while using public WiFi.
As both citizens and users of the Internet, we all have a stake in the quality of our society. Privacy is a fundamental human right and a prerequisite for democracy. For authoritarian governments and profit-seeking companies alike, invasions of privacy are a useful means of control. If you value your freedom, then Internet privacy should matter to you.
Understanding your threat model
A threat model is a method of evaluating security and privacy risks in order to mitigate them strategically. You can define a personal threat model to understand your own Internet privacy priorities. Start by answering the following questions:
- What information do you want to protect?
- Who might want to gain access to that information?
- Where is that information stored and transferred?
It helps to draw a diagram of the information, where it moves and rests, and who could gain access at each location. For instance, you have data stored locally on your devices. When you use online services, like email or web browsing, your data travels across the network and gets stored on servers that belong to those companies. Along the way, it could be exposed to people in your house, your Internet service provider, hackers, third party websites, or even governments.
Now that you know which personal data you need to keep private and from whom, you can start to protect it. In the next section, we list a number of steps to protect Internet privacy and what threats they mitigate.
Limit the information you share publicly
A lot of sensitive information about you is publicly available on the Internet. Some of it is a matter of public record, like court records, addresses, and voter registration. But much of it we put on the Internet voluntarily, usually via social media: photos (often location tagged), family members’ names, work history, and a variety of clues about our daily lives.
Hackers can use these clues for social engineering and to answer security questions. Photos of you on social media can even be used to create deepfake videos of you. Almost all online services and Internet-connected devices have privacy settings you can update to restrict the amount of information collected and/or posted publicly online.
Limit the information you share privately
Online service providers can be vulnerable to data breaches, which can instantly compromise your privacy, sometimes in embarrassing ways. Even large services like Google or Facebook are not immune to data breaches. You can mitigate the privacy threat of data breaches by limiting the information you share with these services. For instance, you can use Google Chrome or Google Maps without logging into your account, or simply switch to a more privacy-friendly browser like Firefox.
If the services themselves (and their third-party partners) are part of your threat model, then you can switch to privacy-focused services that do not collect user data (and therefore cannot share it with third parties). With ProtonMail, accounts are anonymous (not linked to your real life identity), and we collect as little user information as possible. Unlike other email service providers, we also have no ability to read your inbox due to end-to-end encryption.
Learn more: How to protect your children’s privacy online
Strengthen your account security
Your password is your first line of defense. Make sure you use strong, unique passwords. A password manager can help you generate and store them so that you don’t have to write them down.
Your second line of defense is two-factor authentication (2FA). This is a way to secure your account with a second piece of information, usually something you have on your person, like a code generated by an authenticator app or fob.
Avoid using public computers to access your accounts because these can be compromised by keyloggers. And if you absolutely must use a public computer, be sure to log out of your accounts.
Many services (such as ProtonMail and ProtonVPN) allow you to see when and from what IP address your account has been accessed and log out of other sessions remotely.
Protect your devices
Most threat models should include the possibility of your device getting stolen or lost. So it’s important to also have strong passwords protecting your devices. There are apps that allow you to wipe or locate your device, and potentially identify the thief, if it is stolen.
Another important part of protecting your device is maintaining its software. You can help prevent attackers from installing malware on your device by keeping your apps and operating systems up to date. Software updates often include security patches for recently discovered vulnerabilities. You can also use anti-virus software.
If your device is somehow compromised by spyware, a low-tech privacy solution, ironically popularized by Mark Zuckerberg, is to cover your webcam with a piece of opaque tape.
Practice email safety
Email is one of the easiest ways for hackers to get into your computer. So it’s important to be alert for phishing attacks, in which the attacker tries to trick you into clicking on a link, downloading an attachment, or giving up sensitive information (such as entering your username and password into a spoofed webpage).
Learn more: Five essential steps to keep your email safe
Use encryption as much as possible
Encryption is the process of converting readable information into an unreadable string of characters. Without encryption, anyone monitoring the Internet could see the information being transmitted, from credit cards to chat messages. The vast majority of online services use some form of encryption to protect the data travelling to and from their servers. But only a few tech companies encrypt your information in such a way that even the company cannot decrypt it. This kind of encryption is called end-to-end encryption (E2EE). Whenever possible, you should use services that offer E2EE because your privacy is protected by default.
Often, there is an E2EE alternative to less private services. For example, ProtonMail is a private alternative to Gmail. Instead of Google Drive, which can access your files, you could use Tresorit. DuckDuckGo is a private alternative to Google Search, and Brave is one example of an Internet browser that doesn’t track your browsing activity. For notes, Standard Notes is one E2EE option.
For instant messaging, you have a number of options. WhatsApp is one of the most popular chat apps, and it features E2EE. But Facebook (which owns WhatsApp) can see who you communicate with and when, and there may even be ways for Facebook to gain access to your messages if it wanted to. Facebook Messenger is not E2EE by default. WeChat offers no E2EE. For better chat security and privacy, we recommend using Wire or Signal.
For web services that are not E2EE, you should at least ensure that your Internet connection is encrypted from your device to the company’s servers. You can check that this is the case by making sure the URL of the website begins with “https”. There’s a browser plugin called HTTPS Everywhere to help you do this automatically.
Learn more: What is end-to-end encryption?
Use a virtual private network (VPN)
A VPN encrypts your Internet connection from your device to the server owned by your VPN service provider. Using a VPN can help keep your web traffic safe from anyone monitoring the network at the local level: hackers, your Internet service provider, and surveillance agencies. A VPN will also mask your true location and IP address, allowing you to browse more privately and access geo-restricted content.
A VPN will not, however, protect your web traffic against the VPN provider. That’s why it’s important to choose a VPN service you trust that does not keep logs of your activity. ProtonMail also provides ProtonVPN, a specialized high-security VPN service.
Learn more: Your Internet service provider is spying on you
If your threat model requires a very high level of Internet privacy, you should connect to the Internet through Tor. Tor is a technology maintained by the nonprofit Tor Project, which allows you to use the Internet anonymously. It works by bouncing your connection through multiple layers of encryption, both protecting your data and concealing its origin. Tor also allows you to access blocked websites (such as those offering E2EE services) via the dark web. However, the downside of Tor is that it is generally significantly slower than using a VPN.
Learn more: How to use ProtonMail with Tor
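The three threat-model questions from earlier in this guide, worked through in Python together with some of the protections described above. This is an added example, not ProtonMail's code. The exposure pairs, the step names, and the all-or-nothing effect of each step are assumptions constructed from the guide's descriptions.

```python
from itertools import combinations

# Constructed model: (where data rests or moves, who could reach it there).
EXPOSURE = {
    ("device", "thief"), ("device", "malware"),
    ("network", "local hacker"), ("network", "ISP"),
    ("network", "surveillance agency"),
    ("server", "service provider"), ("server", "breach attacker"),
}

# Step -> (exposures removed, exposures introduced). Treating each step as
# all-or-nothing is a simplification; real protection is a matter of degree.
STEPS = {
    "device password": ({("device", "thief")}, set()),
    "software updates": ({("device", "malware")}, set()),
    "share less": ({("server", "breach attacker")}, set()),
    "E2EE service": ({("server", "service provider")}, set()),
    # A VPN hides traffic from local observers but not from the VPN provider.
    "VPN": ({("network", "local hacker"), ("network", "ISP"),
             ("network", "surveillance agency")},
            {("network", "VPN provider")}),
}


def residual(chosen):
    """Return the exposures that remain after applying the chosen steps."""
    removed, added = set(), set()
    for name in chosen:
        removed |= STEPS[name][0]
        added |= STEPS[name][1]
    return (EXPOSURE - removed) | added


def minimal_steps(adversaries):
    """Smallest set of steps leaving no exposure to the named adversaries.

    Returns None when no combination of the modelled steps is enough.
    """
    for size in range(len(STEPS) + 1):
        for chosen in combinations(sorted(STEPS), size):
            if not any(who in adversaries for _, who in residual(chosen)):
                return set(chosen)
    return None


if __name__ == "__main__":
    print(minimal_steps({"thief", "ISP"}))         # a modest threat model
    print(minimal_steps({"ISP", "VPN provider"}))  # distrusting the VPN too
```

A result of `None` for a model that includes both the ISP and the VPN provider reflects the point made in the VPN section: with these modelled steps, a VPN moves trust to its provider rather than removing it.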
Internet privacy checklist
- Check your public social media profiles for sensitive personal content.
- Adjust the privacy settings on your online accounts.
- Use a strong, unique password for each of your accounts.
- Update security settings and enable two-factor authentication.
- Inventory your online service providers and determine if there is a viable private alternative.
- Install software updates for all operating systems and apps.
- Review email safety practices and be alert to phishing attacks.
- Start using end-to-end encrypted services.
- Install the HTTPS Everywhere browser extension.
- Connect to a trusted VPN.
- Connect to Tor.
We hope this guide has helped to simplify your Internet privacy efforts.
At ProtonMail, we believe a more private Internet is possible, but it will require a major shift from the Internet’s current ad-based business model. With your support, we will continue to develop tools that enable privacy, security, and freedom online.
The ProtonMail Team