Operations security (OPSEC) is the process which identifies critical information in order to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information. Considerations for this must include a wide range of kinds of threats, both civilian and governmental ones. Though some believe mass surveillance by the state is necessary for national security, in reality it doesn't help that goal. What such surveillance has been known to be used for, however, is tracking dissidents and gaining information about them. Even anti-war and anti-segregation activists have been put under surveillance, often illegally, as was in the case of Muhammad Ali, Whitney Young, and Martin Luther King Jr. Activists today are far more surveilled — with tools such as IMSI catchers, drones, facial recognition software, and the pulling of location data from big tech and phone companies — without a warrant and almost never because the target is believed to be a threat to peace. It is further claimed that privacy doesn't exist, but this is not necessarily true and can be addressed through a combination of factors like good practices, media access controls, and the use of particular software and settings.
For the most up-to-date information, consult other resources such as privacytools.io, PrivSec.dev, or Spyware Watchdog.
Both Microsoft Windows and macOS are backdoored by intelligence agencies and phone home, and so are inherently insecure options for privacy and security. Use Linux instead. There is no single "Linux" operating system, and so truly Linux refers to just the essential kernel software, thus you'll be downloading what's called a "distro", or distribution. Distros are basically ready-made operating systems that take the Linux kernel and add software onto it that makes it usable like Windows or macOS. Most distros, especially the more popular ones, are actually really easy to install; step-by-step like many well-known operating systems. You can start off with something like Linux Mint, which specializes in giving a particularly easy-to-use experience through the software and multimedia support that it comes with. The vast majority of software that is available on Windows and macOS can also be readily installed on Linux as well, with Wine being available to provide support for most other things otherwise.
If you need extra privacy for a particular reason, use the Tails operating system, which is a version of Linux optimized for anonymity.
Google Chrome has spyware built into it, as does Chromium. Firefox is a more secure option that also happens to be very customizable and fast (especially since the Firefox Quantum update).
Use Tor bridges (also known as Tor bridge relays) with Tor. These are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your Internet Service Provider to know that you are using Tor, which would be disadvantageous for a few reasons. Your traffic can be singled out and identified if you are known to use this service, so it's a method of tracking first of all. Using Tor may also be illegal, or just otherwise bring closer scrutiny towards yourself otherwise. Official manual on Tor bridges
- uMatrix: blocks out things like scripts and cookies unless you specifically specify which ones you want enabled and on what level of a domain you want it enabled on (for instance, you can enable a certain script either only on the subdomain www.example.com, or only everything on the domain example.com, or everything contained by the top-level domain .com.
- HTTPS Everywhere: Makes your browser use HTTPS instead of HTTP wherever possible. Of course, this won't work if a website hasn't configured HTTPS and only works on HTTP, so be wary about going to HTTP pages. Most of the time though, especially in the case of more important websites, there will be an HTTPS version of a page.
- uBlock Origin: filters content, largely advertisements that can track your activity across the Internet. It's less resource-intensive than other content filters, like Adblock Plus. Adblock Plus itself furthermore has reportedly been paid off by Google and other companies to whitelist their ads.
- Cookie AutoDelete: deletes unused cookies upon tab close, however may be configured in plenty of other ways. Has support for whitelists and greylists.
- User-Agent Switcher: randomizes your user agent, which tells websites what kind of operating system and browser you use.
- Privacy Settings: allows you to change settings found in about:config (on Firefox at least). You may want to keep this add-on as opposed to just changing those settings once because some websites may break because of these changes, and you may have to toggle some settings periodically, which this tool allows you to quickly do.
- Invidition: automatically redirects requests to YouTube and Twitter towards Invidious and Nitter, respectively. Both of these are alternative front-ends that basically just give you the content without the spyware. In the case of Invidious, this extension also lets you do some other things like switch between different instance of the Invidious service or setting the default resolution. On the Invidious instances themselves you can also set many more settings, such as whether dark mode is enabled or the default speed.
The more people using these extensions, the more they can blend in and not have a unique signature. Thus it is important to share them.
Change browser cookie preferences to reject all third-party cookies or at least to only accept third-party cookies from visited pages.
Try not to use Flash, which is insecure but is on its way out. Most browsers disable Flash content by default, and thus it can only be played if you click on it and press "Allow" in the dialog box.
thatoneprivacysite.net has a chart comparing a lot of different VPNs so you can choose a decent one. The following VPNs have a history of logging and cooperating with US/UK law enforcement, so do not use them:
Set your DNS server settings to use the resolvers of Quad9, whose primary address is 18.104.22.168 (2620:fe::fe for IPv6). Alternatively, there is 22.214.171.124, which is a service run by Cloudflare. Even if you use a VPN, your computer will still give away what domains you're connecting to since that part of the message isn't encrypted, as DNS servers have to be able to read in cleartext what domain to connect you to.
Fully encrypt your storage device
Use an encryption password that is, at a minimum, 20 characters long and consists of random letters, numbers, and symbols. Alternatively, use a passphrase/sentence. Do not use anything from song lyrics or pop culture when using a passphrase. Use at least six words (consisting of at least five letters each) in the phrase, which should be nonsense and not found anywhere on the internet or in pop culture. These are much easier to memorize and therefore can be much, much longer, which is good. Your encryption password should be as long as is possible and therefore as hard to crack as possible, but you still need to remember it. True full-disk encryption requires either Coreboot/Libreboot with a payload like SeaBIOS or GRUB as the first-stage bootloader or putting the bootloader on some kind of removable medium. Normal UEFI/BIOS is unable to read encrypted EFI partitions/MBR and thus you cannot do full-disk encryption with it. An unencrypted bootloader partition is a point of vulnerability.
Encryption will be moot if the device is already running, as any adversary can simply live image it, so turn it off when not using it — including when going to sleep, taking a shower, or answering a knock on the door. If this process feels too time-consuming for you, get a faster storage device so your computer will boot up and shut down faster, as well as configuring RAID for faster disk speed.
- Tox: Open-source, peer-to-peer text, image, and video-calling protocol. Available for desktop and Android.
- Signal: Open-source, centralized text, image, and video-calling application. Available for desktop or Android/iOS.
- Telegram: It claims government data requests must reach a very high threshold before it complies, and reportedly, it has complied with some, but not all requests from German authorities. Telegram has also made a compromise with Russian authorities to be officially unblocked there, involving measures to combat certain content but with insistence from Telegram's founder that there are no changes regarding safety and privacy.
Use Startpage or some other privacy-oriented search engine like Searx or Qwant. Google, Bing, and Yahoo all aggressively farm your data and you should try to never use these.
Protonmail and Tutanota are decent email providers — Riseup.net on the other hand has been known to give up records of its users, so stay clear of that one.
Phones continuously send out signals to cell towers to identify their location, thus giving away your location if you have it at you. If this is a concern, take out its battery or put it in a Faraday cage. Furthermore, the microphone and camera can be remotely activated without you knowing it, so consider getting a cover slider for cameras and a microphone blocker for microphones — this applies to any other electronics with such. Default operating systems like Android or iOS are also best replaced with an alternative OS, although devices with iOS often do not allow their OS to be replaced.
To reduce the amount of data sent to Google (and thus available to authorities/hackers), you should use an operating system that does not have Google Play Services bundled. This means you will be using the phone without any of Google's apps or services. Thus apps that were downloaded from the Google Play Store may not work since they may rely on Google Play Services. Only install apps from trusted sources (such as a developer's GitHub repository or F-droid).
Alternative OSes to consider:
- LineageOS - Independent and popular open source OS based on AOSP (Android Open Source Project). Does not have any Google Play Services by default. There are versions for many devices (some of which may be out of date or unofficial ports). List of devices supported by the latest version is available here. Second hand phones such as Samsung Galaxy S5 have a straight forward installation process.
- GrapheneOS - Independent open source project based on AOSP (Android Open Source Project) with significant amounts of hardening and privacy improvements. Does not have any Google Play Services, but plans to make builds of MicroG available in the future. This OS only supports the latest Google Pixel devices for ease of development and full hardware-backed security. WebUSB installer available, making it easy to install the OS on all supported devices (even from other phones).
If it's necessary, you can do all your browsing within a virtual machine, using the aforementioned tools and practices, and reset it every single time. This is basically the equivalent of using a new computer every time you use the Internet, destroying the previous ones, so most unique identifiers tagged on that machine are useless — unless of course it relates to IP addresses or content that could still be used to identify you. A Live USB (or CD, or DVD) can also be used, which saves nothing to the disk when the computer is shut down.
Some websites for determining your browser fingerprint, or basically how much you stand out among other users:
- https://coveryourtracks.eff.org/ (Successor to Pantopiclick)
Various privacy tools:
- ↑ The NSA phone-spying program exposed by Edward Snowden didn't stop a single terrorist attack, federal judge finds. Business Insider.
- ↑ Google Saved An Estimated $887 Million By Paying Adblock Plus To Show Its Ads. Business Insider.
- ↑ Telegram reportedly surrendered user data to authorities despite insisting '0 bytes' had ever been shared. Android Police.