Published: Dec 19, 2019 by Zac
Most major tech companies sell your data to advertisers and governments. You need to stay safe online, so you should be careful about what you use and how you use it.
All the recommendations here are just that: recommendations. Most users will not need to follow everything in this guide.
You should try to avoid anything hosted in, or owned by, a company in the US. You should also use end-to-end encryption wherever possible.
Don’t use your real name, real address, or information that could be linked to your identity in sensitive situations. This includes social media, photos, email addresses, location, and anything else that could be linked to your identity. If you host a website, use WHOIS privacy protection.
This section is not a guide on unionizing, just security recommendations.
Do not use company Email, Messaging (Slack, Hipchat, etc.), phones, computers, networks, or other resources for organization. A simple rule of thumb is: If the company pays for it, don’t use it. You have no protection under labor law if you do. Check your company handbook/policies to see what they can access or claim they can access, because you may also want to avoid organizing on your own devices during work hours. Follow the other recommendations in this guide for what apps and services to use, especially when it comes to messaging and email.
Use passphrases over passwords if you need to be able to remember them. Prefer random passwords generated by a password manager like KeePassXC or Bitwarden when you can. Never reuse passwords anywhere, and rotate your passwords regularly. Check for password/phrase security here, and check regularly to see if your data has been involved in a leak here (Firefox has this feature built in now).
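To make the passphrase-versus-password trade-off concrete, here is an added example (not from the original post) that generates both with Python's CSPRNG and compares their entropy. The 16-word list is a constructed stand-in; the entropy figures assume a real 7776-word diceware list.

```python
import math
import secrets
import string

# Constructed mini wordlist for illustration only; a real passphrase needs a
# large list (diceware-style lists have 7776 words), which is what the
# DICEWARE_SIZE figures below assume.
SAMPLE_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "gable",
                "harbor", "ivory", "juniper", "kelp", "lantern", "meadow",
                "nickel", "orchid", "pebble"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_SIZE = 7776

def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a uniformly random sequence of `length` picks from `choices`."""
    return length * math.log2(choices)

def words_to_match(bits: float, wordlist_size: int = DICEWARE_SIZE) -> int:
    """Smallest number of random words whose entropy reaches `bits`."""
    return math.ceil(bits / math.log2(wordlist_size))

def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Manager-style password: every character drawn with the CSPRNG in `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def passphrase(n_words: int = 6, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Memorable passphrase: words picked with `secrets`, never with `random`."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    pw_bits = entropy_bits(len(PRINTABLE), 16)
    pp_bits = entropy_bits(DICEWARE_SIZE, 6)
    print(f"16-char random password: {pw_bits:.1f} bits -> {random_password()}")
    print(f"6-word diceware phrase:  {pp_bits:.1f} bits -> {passphrase()}")
    print(f"words needed to match the password: {words_to_match(pw_bits)}")
```

A six-word diceware phrase (about 78 bits) is strong enough to memorize, but matching a 16-character manager-generated password (about 105 bits) takes nine words.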
Keybase is a featureful app that makes encrypted files, messaging, group chat, teams, identity proofs, and Git hosting all very easy to use. It’s also a US-based company, so it is not an ideal option for very sensitive data.
Prefer almost any OS over Windows. Windows is buggy, full of telemetry (read: Microsoft Spyware), and insecure. If you’re tech savvy, learning Linux is a good route. You could try Xubuntu as a good starter distro. If you’re very tech-minded, you could try OpenBSD or FreeBSD. Mac OS is also a better choice than Windows, but comes with some of the same vendor lock-in (and a huge price tag).
Whichever OS you use, you absolutely need to enable Full-Disk Encryption (FDE).
- Most Linux distributions will offer setting up FDE at install time, which is easier.
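Enabling FDE at install time is easy to get subtly wrong (for example an LVM root that is not actually on top of LUKS), so here is an added check, not part of the original post, that parses `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and walks each mount's parent chain looking for a dm-crypt layer. The two `lsblk` outputs embedded below are constructed samples.

```python
import shlex
import subprocess

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` for a
# typical LVM-on-LUKS install: root and swap sit on logical volumes whose
# parent is the dm-crypt device; only /boot is in the clear.
SAMPLE_LUKS_LVM = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
"""

# Constructed sample of a machine installed without FDE.
SAMPLE_PLAIN = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/" PKNAME="nvme0n1"
"""

def parse_lsblk_pairs(output: str) -> dict:
    """Turn KEY="value" lines into {NAME: {column: value}}."""
    devices = {}
    for line in output.splitlines():
        if line.strip():
            fields = dict(tok.split("=", 1) for tok in shlex.split(line))
            devices[fields["NAME"]] = fields
    return devices

def is_encrypted(devices: dict, mountpoint: str) -> bool:
    """True if the device behind `mountpoint` or any ancestor is a dm-crypt layer.
    Walks PKNAME upwards so LVM or partitions stacked on LUKS still count.
    PKNAME names one parent only, so multi-parent setups (RAID, btrfs) need more."""
    name = next((n for n, d in devices.items() if d["MOUNTPOINT"] == mountpoint), None)
    seen = set()
    while name and name not in seen and name in devices:
        seen.add(name)
        if devices[name]["TYPE"] == "crypt":
            return True
        name = devices[name]["PKNAME"]
    return False

def unencrypted_mounts(devices: dict, ignore=("/boot", "/boot/efi")) -> list:
    """Mounted filesystems (and swap) that do not sit on an encrypted layer."""
    mounts = [d["MOUNTPOINT"] for d in devices.values() if d["MOUNTPOINT"]]
    return sorted(m for m in mounts if m not in ignore and not is_encrypted(devices, m))

if __name__ == "__main__":
    out = subprocess.run(["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
                         capture_output=True, text=True, check=True).stdout
    exposed = unencrypted_mounts(parse_lsblk_pairs(out))
    print("FDE OK" if not exposed else f"NOT encrypted: {', '.join(exposed)}")
```

Swap shows up as the `[SWAP]` mountpoint and is checked like any other mount, since an unencrypted swap partition leaks memory contents to disk.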
For mobile, both iOS and Android are okay options, as long as you keep them up to date and don’t install anything requiring permissions it shouldn’t need. In the Android world, you could also look into Lineage, UBPorts (Ubuntu Phone fork), and other hobbyist OSs and phones.
Avoid Chrome. Google’s business model is surveillance, and their browser exists to collect your data. Also avoid Internet Explorer (it’s unmaintained and insecure), Microsoft Edge (because of the telemetry), and anything closed-source or proprietary (which rules out Opera and Vivaldi).
- Firefox is all-around the easiest option, and has tons of addons.
- Waterfox is an independent fork of Firefox.
- Brave is Chrome-based, has built-in ad and tracker blocking, and has a Tor mode. It also includes its own advertisements and a cryptocurrency, though.
- Tor Browser is a very secure option, but will be slow for everyday browsing, and Tor itself has had numerous flaws, besides being funded by the US military.
Avoid Google, Microsoft, Yahoo, and other US companies. Also try to avoid companies that want your real name. Protonmail is in Switzerland and has a free plan. Tutanota also has a free plan, and is in Germany. See the links at the bottom of the page for more recommendations.
You need end-to-end encryption for anything sensitive. This means your communications should be encrypted in transit (TLS 1.2 is the only thing you should accept as of early 2020), and also encrypted at rest (on the server where they’re stored) without the company running the messaging platform being able to read them. If communications are not E2EE, you should treat them as if they’re public.
Change your default DNS provider, which is probably your ISP or Google, to something like BlahDNS or SecureDNS. See the links at the bottom of the page for more recommendations. Avoid DNS providers hosted or run in the US, providers that have logging, and providers that do not have DNSSEC. You can also use Pi-hole, Unbound, or other systems to block trackers, ads, and other bad IPs. Lists to get you started are available here.
Use a VPN with no logging, that is not hosted or run by a company in the US:
Avoid proprietary and exploitable formats. That means no Microsoft Word docx and no PDFs if possible.
Plain text formats (html, etc.) allow reading through any application and limit the chance of executing arbitrary code.
Use plain text editors that are open source and not made by major US companies (avoid Google Docs, VS Code, Atom, etc.) as much as you can, and use LibreOffice when you can’t.
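The formats above are best enforced by content, not by file extension. As an added example that is not from the original post, this Python gate classifies incoming files by their leading bytes, accepts only plain text, and reports the markers that make a PDF or docx more than a static document. The PDF, docx and text fixtures are constructed inline.

```python
import io
import zipfile

# Dictionary keys that make a PDF do something on open instead of just rendering.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def classify(data: bytes) -> dict:
    """Classify a file by its bytes (never by extension) and list active-content markers.
    Marker matching is a plain substring scan: objects inside compressed streams are
    not seen, so an empty marker list is a hint, not a proof."""
    if data.startswith(b"%PDF-"):
        found = [m.decode() for m in PDF_ACTIVE_MARKERS if m in data]
        return {"kind": "pdf", "plain": False, "active": found}
    if data.startswith(b"PK\x03\x04"):  # docx is a zip container
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return {"kind": "bad-zip", "plain": False, "active": []}
        if "word/document.xml" in names:
            macros = sorted(n for n in names if n.endswith("vbaProject.bin"))
            return {"kind": "docx", "plain": False, "active": macros}
        return {"kind": "zip", "plain": False, "active": []}
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return {"kind": "binary", "plain": False, "active": []}
    return {"kind": "text", "plain": True, "active": []}

def accept(data: bytes) -> bool:
    """The post's policy: plain text only; docx and PDF are refused outright."""
    return classify(data)["plain"]

# Constructed fixtures: a docx builder (with or without a macro project),
# a minimal PDF whose catalog runs a script on open, and a plain text note.
def make_docx(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

PDF_WITH_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
               b"2 0 obj << /S /JavaScript /JS (0) >> endobj\n%%EOF\n")
NOTES_TXT = "# meeting notes\nThursday 19:00, room B\n".encode()
```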
Encrypt any documents that contain sensitive data, like information that could be used to identify someone, schedules, and addresses.