There's probably hundreds of
guides to Internet privacy out there now, and most of them are terrible. They recommend browsers from evil companies like Mozilla Firefox; E-mail providers that collect LOTS of your data, such as Mailfence or Runbox; useless or malicious addons like Privacy Badger or NoScript; communication software that ask for your phone number like Signal or Telegram; suspicious VPNs like Proton; care too much about where a service is hosted instead of its policies or functionality; fall for false advertising; have "sponsored" recommendations; ignore very good providers and fail to mention essential things that you SHOULD do. My aim here is to create an ultimate guide which will hopefully not suffer from any of these issues. And the best thing is, you can do everything here for free! Why the Ninja's guide? Well, they hide in the shadows (archive). And it sounds fucking cool, doesn't it?
Can't avoid talking about them since that's what all your software runs on in the first place. Obviously, do not use Windows - it spies on almost everything you do (archive) and has auto-updates that cannot be turned off in the Home edition. Apparently some newer updates have allowed to disable some more of the spying, but that still doesn't salvage this system. Even if you disable all of the telemetry, Windows still sends 11 unsolicited requests per minute (archive). Of course Linux has its own problems too - Ubuntu has had spyware issues (archive) in the past, and systemd is pretty much an attempt at a takeover of Linux (archive) by big corporations. The best thing to do here is to use a Linux distribution without systemd, like Salix.
Briefly, most browsers don't care about your privacy or even are actively malicious; many of those that aren't suffer from usability issues like no extension support. Ungoogled-Chromium or IceCat send no unsolicited requests and support add-ons. However they are dependent on the evil giants Google and Mozilla, respectively, so I suggest using a de-spyware'd and addon-hardened Pale Moon. For more information read this article.
The most important one, offering almost complete control of your browsing, is uMatrix. Decentraleyes is another essential one that works in the background, preventing connections to Content Delivery Networks. WebRTC Control is essential for Chrome-based browsers to not leak your real IP through VPN / Tor. All other extensions are pretty much toys or distractions. Avoid malicious addons like NoScript, Ghostery and Stylish. More information here.
Since this section was getting too long, I've created a separate article for it. Briefly: the best one is Swisscows with good usability and no logs. Right after them come Disroot and Snopyta with their SearX instances that unfortunately don't go beyond the first page in results (but have a thousand other useful features; Snopyta's also has a hidden service). DuckDuckGo, MetaGer and Qwant are some other privacy-respecting engines with more or less significant flaws which make it inferior to the above. StartPage is not recommended at all due to getting its results exclusively from Google, which censors all alternative and conspiratorial content. There is lots more to say about this topic - highly recommend to check out my report to get a deeper view.
RiseUp is the best, followed by Disroot and Autistici - though they either need a written justification or an invitation. Posteo is the best from the paid ones; there are no completely hassle-free ones that are really worth it. LOTS of providers out there that falsely pretend to care about your privacy - watch out! Read my full report here and remember to GPG-encrypt your e-mail locally (Claws Mail client supports that automatically). For registration, all of Autistici, Disroot and RiseUp have an alias feature - however, Disroot's is paid for and Autistici's reveals your main account in the headers, so RiseUp's is the best. With that and a few VPNs (see below), you have the ability to bypass all bans.
Don't venture out without this! But be sure to get a trustworthy one. My best free recommendation is the RiseUp VPN - but Snopyta does also provide one. Do not recommend ProtonVPN whose E-mail service leaves a lot to be desired, so we should expect the VPN to be the same. In general, OpenVPN does take a lot of setting up before it can be used - but when you're finished, it should be more reliable and secure than custom clients. Here, I've compiled the steps to doing just that to the best of my knowledge:
sudo ufw allow out to [IP] port [PORT]. Of course replace IP and PORT with the relevant values. This will let the system connect to the VPN through the firewall.
dev tun. Change the
tunto something recognizable, like
sudo ufw allow in on tun_myvpnand
sudo ufw allow out on tun_myvpn. This will allow both incoming and outgoing connections through the VPN.
sudo ifconfig. Take note if the IP that appears after
inet. This is your local (router) IP.
sudo ufw allow out to [LOCAL_IP]. This will enable actually establishing the VPN connection.
sudo ufw default deny incomingand
sudo ufw default deny outgoing. This is the part that actually keeps your shit secure.
if [ -x /lib/ufw/ufw-init ]; thenThis is for Slackware-based distros and might not necessarily work on others. Search around for equivalents.
That's it for OpenVPN! However, web browsers can also leak your real IP address through WebRTC, so you're going to have to disable that as well. Firefox uses the
media.peerconnection.enabled about:config entry, while Chrome-based browsers need an extension such as WebRTC Control (Pale Moon users do not need to do anything). An earlier version of this guide suggested turning off IPv6 system-wide, but it doesn't seem to be necessary if you do everything else right. However, some VPNs apparently do leak if you don't do that, so if yours is one of those, use the command
echo 'blacklist ipv6' | sudo tee -a '/etc/modprobe.d/blacklist.local' >/dev/null to blacklist the IPv6 kernel module. Now run your VPN with a command such as cd /etc/openvpn; sudo openvpn [vpn_config_file.conf]. Then visit https://ipleak.net to check for leaks. A leakless result for RiseUp VPN, for example, would look like this.
What if you cannot connect anywhere? One possibility is that the update-resolv-conf script isn't updating your DNS servers correctly. If so, type
sudo resolvconf -l and copy the nameservers for your VPN interface. For RiseUp this would be
nameserver 172.27.0.1. Put that in /etc/resolv.conf. For some reason, this file has a limit of 3 nameservers so in theory, you can make 3 different VPNs work through it. Some VPN providers' websites also provide a list of their DNS servers, so you can use that as well if resolvconf somehow didn't provide the required info.
Keep in mind you're still relying on trust for any VPN you use - theoretically they could choose to spy on you if they wanted to - but eventually, you'd think that information would come out (and has for some VPNs). However, if you were personally targeted, nothing would help you. What about the Tor network? It's blocked much more often and does not proxy all the traffic (for example, video game netplay), so I prefer VPNs. Also, read my Avoiding "The Botnet" - impossible? article before getting too confident about either VPNs or Tor (in fact anything you do electronically or even IRL).
XMPP + OMEMO encryption is the gold standard. Newfangled shit keeps coming out, but it is still the best. Pidgin, Gajim and Conversations are some of the clients that support it. Don't use Signal or Telegram (despite their sustained shilling) - they ask for your freaking phone number! Discord is even worse. WhatsApp is owned by Facebook - enough said. Skype works directly with the Prism program and used to redirect Chinese people to a modified version, which allowed the Chinese government to implement censorship and surveillance. XMPP is decentralized - anyone can run a server, so you should choose one with good privacy such as RiseUp (insider info - they seem to be planning to deprecate it), Snopyta or Autistici (which you get if you sign up for their E-mail account). Don't skip out on the encryption even if you're using a secure software and server! That's the main takeaway here.
Get into the habit of storing everything locally! After you've got that, Disroot has really the only good, private cloud storage available for free (and yes, I've actually checked most of them - they either require your private data like name or phone number, don't support the English language, pretend to be free but are actually paid, or have other issues). The amount of space available used to be 4 GB but is now 2.
Disroot wins again. Its HubZilla allows uploading and sharing of photos as well as many other features - you will need an account though. Don't use Imgur - tracks your IP and the usual data including page and image viewing statistics. They also have targeted advertisements. Imggmi requires a Cloudflare browser check. There are other "less bad" alternatives like imgbb, postimages (uses google stuff heavily) or pasteboard (prohibits porn), but you should really get a Disroot account. It's the only one with a proven focus on privacy, while all the others are pretty much a minefield. To be perfectly clear - with the Disroot HubZilla, you will be able to post an image on a forum and have other people see it. Update: Another seemingly private one that doesn't even require an account is https://coinsh.red -
No data will be recorded on who inserts what coin-- all I'll get is a timestamp.
dash quality as preferred in the settings). The other is youtube-dl, which, by downloading the video instead of using someone's server, completely avoids their issues like throttling etc. The video is now just a file on your drive - you do whatever you want with it. Of course, if you want "features" like comments, you have to succumb to the botnet and sign in with your google account (which I don't recommend, of course). What about the so-called youtube alternatives? Briefly - they all suck. Vimeo and Dailymotion have much less content and their privacy policies aren't good anyway. Bitchute requires a cloudflare browser check before you can even access it. Brighteon is anti-censorship but requires an invitation (really like the content there though). You can try some peertube instances but those could die at any time (obviously, since they are not supported by a big corpo) and there is so many of them that you can forget about gaining popularity as a content creator (since there is no big, centralized database for people to find your videos - a problem common to mostly any decentralized service). Unfortunately I do not foresee this solved until Google fucks with content creators so hard they all decide to pack up, leave and create their own YouTube alternative - which they aren't going to do as long as they earn the ad money - so capitalism has to die first.
Swisscows has the only one that's private. However it has one massive flaw - cannot translate swear words due to its "family friendly" policy. DeepL is often mentioned as an alternative to Google Translate, but forget it - it's just as terrible from a privacy standpoint. Realistically, you should ask a human translator if you actually need something, since all of these services suck (yes even Google's).
Autistici provides a private one at NoBlogs.org, but it's just for blogs (you can't design your own site there). Disroot's HubZilla also has a website feature that is undocumented and not ready for production (I couldn't get custom CSS to work there at all for example). Otherwise, I'm not aware of any good ones. You're going to have to use one of the decentralized solutions. And with that, we move on to the most important section...
In the end, whenever we use a clearnet service, we're relying on some server controlled by a stranger or big corpo that can install any policies it wants to and change them at any time. It can also die of course, and take your data with it (big corpos kind of resist that but still...). The Internet is being consolidated in the hands of a few players like Cloudflare, Amazon, Google, Twitter and Facebook. Did you know that, for example, even if the site you're connecting to has no elements from any of those, it can still go through their data centers (you can confirm that through a network monitor)? Not to mention the fact that all connections go through a few ISPs, which can not only install their own policies, but are also subject to the governments' increasing crackdown on free speech (or even free read) and privacy. To bypass these, we need to rely on decentralized solutions that are harder to censor or block. Some of them are ZeroNet, RetroShare, Tor and IPFS (all these have serious flaws), and Freenet, which is, IMO, the only decent one out of those (though not all that great either). Decentralization has many inherent flaws in general (some I've touched on in the Video section) - however, if the clearnet becomes unusable, we will have no choice but to move onto them, and wait for their inevitable improvement (or help make it happen if you can!). Freenet is the oldest and the only one available that allows hosting a site without being online 24 hours per day. It cannot be censored and can be made highly anonymous with proper security settings (you choose the level of compromise you're going to make). I recommend moving to it right now since I don't give the clearnet too much time from now on. But also read Avoiding "The Botnet" - impossible? for some clarification on decentralization and the internet in general (short summary: we will need the physical infrastructure eventually). But for now, Freenet is our hope!
Hate to do this, but I must (and when you read it, you will see why I had to write this article):
The seized machine did not contain any riseup email accounts, lists, or user data.. Signal, Debian (systemd), Tails live system instead of heads, does mention Disroot but not under the most important sections like E-mail or even the cloud storage...Just an all around bad site.