With alt tech repeatedly being attacked by both big tech and self-proclaimed "citizen detectives", it's more important now than ever to up your security game. Data has been scraped from Parler, and Gab is completely compromised. People's posts and personal info are being leaked to some nasty people, and some are being reported to the FBI for simply supporting the "wrong" political candidate or just being at the wrong place at the wrong time. The FBI isn't even doing due diligence on these tips; they will fly across the country and kick down your door because some rando thinks you might look like someone who was at the Capitol on Jan 6th. Here are some simple steps to anonymize and safeguard your online presence. Feel free to post questions or suggestions; I'll try to correct this guide and keep it updated as time goes on. The more people understand and learn from each other, the more the message will spread, and the safer our communities will be from malicious actors. This is a guide meant for people new to security/privacy, and aims to be the easiest way to get started protecting your identity from the civilian/hacktivist threat vector. Everything here is free or has a free option, because privacy is for everyone, not just those with $. With that in mind, I won't be covering complex topics like Tor, Tails, burner numbers, cryptocurrency, or state actor security threats, though if people are interested, I can do another blog covering those things and much more in the future.
Ditch Chrome; it's essentially spyware by Google that tracks everything you do. Switch to a privacy-centric browser like Brave, or, if you feel confident securely configuring it yourself (for example with extensions such as Privacy Badger or Decentraleyes), an open source browser like Chromium or Waterfox. In addition to ditching the Google browser, be sure to ditch Google search for a more private search engine like Swisscows, Brave Search or Qwant.
It is fairly easy for a bad actor to monitor your network traffic. Your ISP tracks and sells your internet history (no, clearing your browser history does not stop this), and every site/service you connect to has your real IP, which gives them your location (sometimes down to the building #) and other metadata which can be used to identify you IRL. If you want to see for yourself some of the info that can be gleaned from your IP, head over here to get your external IP, copy your IP address, then head over to Shodan and search what info is publicly available from your address. Spooky, huh? You'll need a reputable VPN that doesn't log your traffic to mask your real IP and encrypt your traffic in order to hide it from other prying eyes. ProtonVPN is probably the best free option out there, and there is a paid tier to access more and faster servers. PIA is another reputable and affordable option for a good VPN that doesn't spy on you like your ISP does; it even threatened to shut down all US operations if forced by court order to log and hand over user data. Although Sweden doesn't have the same legal protections as Switzerland, Mullvad is another choice, with anonymous accounts and the option to pay in crypto.
Your email is extremely private. It contains everything from correspondence with family and bank statements to that invoice for the strange, vibrating egg thing you bought online that you don't want anyone knowing about. In the Gmail terms of service, you consent to Google reading every email that comes into that inbox in order for them to serve you ads. This means you have 0 privacy from a bad actor at the company who wants to read through your mail! Switch to a private, end-to-end encrypted service like ProtonMail or Tutanota, where all your mail is stored encrypted with a private key generated on your computer, and not even the service provider can access it. ProtonMail even has a helpful guide for migrating from Gmail over to ProtonMail. In addition to mail being stored securely, all messages between users of the same service are encrypted in transit automatically.
In addition to your inbox, your email address itself is a key piece of info you want to keep private from almost everyone. Accounts are leaked daily, and you don't want your private email being shared with every spammer in the world. Even worse, reusing the same email between sites/apps creates a pattern that can potentially be tied to your real-life identity: someone finds all your accounts with the same address and doxes you. Email forwarders like AnonAddy (my favorite) and 33Mail provide a layer of protection through unlimited randomized email addresses that forward email to your real mail account, hiding your true address. This is also great for spam, as you can just deactivate the generated address that got compromised and create a new one. You should also refrain from reusing the same username/pseudonym on more than one site. I find random word generators helpful for creating new usernames.
Just like email addresses and usernames, you should use a different password for every site/service. This is impossible to do from memory alone, which is where password managers come in. Bitwarden is my go-to password manager; it stores all your logins for all your services/apps and generates strong passwords as well. The paid version can also store TOTP (two-factor auth, like Google Authenticator) tokens. I trust Bitwarden because it is open source, but there are other proprietary solutions like LastPass that offer a similar level of security and ease of use.
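A small audit for the no-reuse rule in the two paragraphs above (email addresses and usernames, then passwords), as an added example that is not from the original guide: it reads a vault export, reports which sites share a username, email address or password, and merges those overlaps into clusters of accounts that could be tied together. The CSV column names, the sample rows and the function names are constructed for this example and are not any particular password manager's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions for this example,
# not the export format of any particular password manager.
SAMPLE_EXPORT = """site,username,email,password
forum.example,quietotter,a1b2@alias.example,correct-horse-41
shop.example,quietotter,c3d4@alias.example,Tr0ub4dor&3
video.example,mossylantern,a1b2@alias.example,Tr0ub4dor&3
chat.example,brisk_fjord,e5f6@alias.example,zX9!unique-pass
"""

def find_reuse(export_text, fields=("username", "email", "password")):
    """Return {field: [sorted sites sharing one value, ...]} for reused values."""
    seen = {f: defaultdict(set) for f in fields}
    for row in csv.DictReader(io.StringIO(export_text)):
        for f in fields:
            value = row[f].strip()
            if f == "email":
                value = value.lower()  # addresses are matched case-insensitively
            if value:
                seen[f][value].add(row["site"])
    report = {}
    for f in fields:
        groups = [sorted(sites) for sites in seen[f].values() if len(sites) > 1]
        report[f] = sorted(groups)
    return report

def linked_clusters(report):
    """Merge reuse groups into clusters of accounts an observer could tie together."""
    clusters = []
    for groups in report.values():
        for group in groups:
            merged = set(group)
            rest = []
            for c in clusters:
                if c & merged:
                    merged |= c  # shares a site with this group, so fold it in
                else:
                    rest.append(c)
            clusters = rest + [merged]
    return sorted(sorted(c) for c in clusters)

if __name__ == "__main__":
    report = find_reuse(SAMPLE_EXPORT)
    print(report)  # lists sites only, never the shared value itself
    print("linkable clusters:", linked_clusters(report))
```

Run it against an export kept on an encrypted disk and delete the export afterwards; the report names only the sites involved, so it is safe to keep as a to-do list.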
Personal messages are just that, personal. The metadata from text messages can say a lot about a person's daily habits, as well as revealing who they are connected to, allowing bad actors to create a map of friends and family to exploit. Ditch SMS (or god forbid, Facebook Messenger), which is extremely insecure, for a private chat app like Signal, Threema or Wire.
The majority of all finance is done online nowadays, everything from shopping to sending money to family and friends. Having your credit card info stolen by a less than reputable site or through the security breach of a card processor is no fun. Solution? Privacy.com. Just like we create unique and disposable addresses, usernames and passwords, we can do the same with payment cards. Privacy's service allows you to link a debit card or bank account as a payment method, and generate Visa cards (just like Visa cash gift cards) on the fly for use anywhere online. It's almost like paying with cash, and just like how cash is anonymous, Privacy can be pretty close to anonymous. You can use aliases or fake billing addresses at checkout to hide your identity from the merchant you're using, and have the option for all transactions to show up on your bank statement as simply PRVCY. It's no one else's business where and why you bought that strange vibrating egg thing 😉.
Personal privacy isn't a sprint, but an endless marathon. The threat environment and actors are constantly changing, and it takes persistence to keep up with it all. Don't feel like you have to do everything all at once, tackling one of these things a day is a great start to securing your online presence.
If you want to learn more about privacy oriented software and services, check out privacytools.io. If you want to deep dive into how private citizens and investigators gather intel and identify people online, check out inteltechniques.com for The Privacy, Security, & OSINT Show that keeps up to date with modern offensive and defensive information and intelligence techniques. If you want to dive deep into the technical aspects of cyber security and the hacking side of things, check out Hak5. And finally, if you just like the drama of white hat/black hat stories, check out the Darknet Diaries podcast for some quality entertainment. It's like True Crime for us nerds.
Remind, share and stay anonymous frens!