
5 tools I use to protect my privacy online

It shouldn’t have to be this way, but the burden of protecting your privacy as you browse the web is your own. I do what I can in my research and consulting to advocate for systemic change in design and policy to reduce the burden on the individual user, but that kind of change is slow to bear fruit. Meanwhile, there are tools that you, the individual, can use to partially protect yourself against the forces of surveillance capitalism and other institutional privacy threats. I will share five that I use myself.


I use the Dashlane VPN to curtail web tracking and circumvent regional content filters

You probably already know about Virtual Private Networks (VPNs). If you work at a sufficiently large institution, chances are your workplace has one in place to allow you remote access to the institution’s intranet. VPNs do more than help employers facilitate secure intranet access, however. VPNs help obfuscate your web traffic — both from the websites you visit, and from your Internet Service Provider (e.g., Verizon, Comcast, AT&T).

Eliding key technical details, you can think of a VPN as a middleman / intermediary between you and the Internet-at-large. While this slows down your connection slightly, the benefit is that the rest of your web traffic is encrypted and routed through this middleman. This provides privacy benefits because, without the use of something like a VPN, ISPs can track every website you visit online. If you visit websites over plain HTTP (instead of HTTPS), they can also track what you do on those websites. And any personal data that your ISP keeps on you can be subpoena’d by, e.g., law enforcement. Moreover, ISPs can sell this information freely — e.g., to advertising brokers, who may want to sell you targeted ads based on the websites you have frequented. You consented to this when you agreed to their terms of service.

Does that sound a little shady? It is! There are only a handful of ISPs in the country; in specific regions, there may be only one. And they work tirelessly to make sure that competitors cannot make headway. So most people do not have a real choice when it comes to their ISP. They agree to the terms because what else can they do if they want Internet?

When you use a VPN service, the ISP will no longer be able to see what you download and what websites you visit. They will be able to see some metadata, however — e.g., that you are using a VPN, the encrypted data you are receiving and when you are connecting.

VPNs also allow you to hide or disguise yourself from the websites you visit. Indeed, many VPNs have servers all over the world. So, if there is content that is being blocked in the U.S. but not in Germany, you can use a VPN to make it seem like you are connecting from Germany.

The downside? Middlemen are usually inefficient — and indeed, using a VPN will make your connection a little slower than if you were to not use it. Also, private VPN services cost money — usually between $5 and $15 / month. Moreover, you are simply displacing trust from the ISP to the VPN service. While your ISP will not be able to see the websites you visit, the VPN service will be able to. Because of this, as a part of their terms of service, good private VPN services should be stateless — they should not keep any record of the websites you visit through the VPN. This is also why you probably do not want to use your corporate VPN for surfing the web privately — your employer will be able to see your web traffic if you do so.

Private VPN services are now common — some popular private VPN services include Express VPN and Nord VPN. I have not used either, so I will not comment on them. But I know many people who use those services and have not heard any direct complaints.

I use the Dashlane VPN, and it works great. I use the Dashlane VPN because I use the Dashlane premium password manager, and the VPN service is included in the fee I pay for Dashlane premium. If you would like to try Dashlane premium for free for six months, you may use this referral link.

I use Firefox with uBlock Origin + Decentraleyes for curtailing web trackers while browsing

ISPs are just one threat to your privacy; many of the websites you visit also track and store as much information about you as they can — the websites you visit, what you do on them, at what time of day, etc. Why? Because the prevailing business model of the web is surveillance capitalism — keeping track of your personal data allows advertisers to develop rich profiles of what you like and what they would like you to like. These data, in turn, can be used to serve you with personalized advertisements — and it’s important to note that these advertisements are not just obvious ones like Nike shoes you might like, but also things like article recommendations from political campaigns.

Stopping this tracking and nudging is not easy, but it starts with your choice of web browser. If you care about privacy, do not use web browsers released by institutions that have little vested interest in protecting your personal data.

I use Firefox. Firefox has some nice in-built or officially supported privacy-preserving features — e.g., automated tracking prevention and containers. Containers help you isolate cookies to prevent third-party tracking. For example, with the Facebook container add-on on Firefox, you can be assured that Facebook cookies will not be

In addition to these in-built features, I also use a few extensions to further subvert tracking efforts. The most important is uBlock Origin, an extension that automatically blocks thousands of known tracking scripts and advertisements. The second is Decentraleyes, which blocks requests for common scripts distributed through centralized CDNs and provides local versions of those scripts instead — e.g., for Google fonts. This prevents the hosts of those CDNs (often large companies like Google, Microsoft, Facebook) from tracking which websites you visit when those websites request content from those CDNs. Both of these extensions are open source; so I trust them more than I do less transparent alternatives like Ghostery.
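The replacement step Decentraleyes performs, sketched as an added example (not the extension's own code): the bundled-library table, the URL rules and the sample page load are constructed assumptions. It shows which third-party hosts still receive a request, including the case where the requested library version is not bundled locally.

```javascript
// Constructed stand-in for the extension's bundled library table:
// "name@version" -> hypothetical local path.
const BUNDLED = new Map([
  ["jquery@3.6.0", "resources/jquery/3.6.0/jquery.min.js"],
  ["lodash.js@4.17.21", "resources/lodash/4.17.21/lodash.min.js"],
]);

// URL layouts of three public script CDNs; capture groups are (name, version).
const CDN_RULES = [
  { host: "ajax.googleapis.com", path: /^\/ajax\/libs\/([\w.-]+)\/(\d+(?:\.\d+){1,2})\// },
  { host: "cdnjs.cloudflare.com", path: /^\/ajax\/libs\/([\w.-]+)\/(\d+(?:\.\d+){1,2})\// },
  { host: "code.jquery.com", path: /^\/(jquery)-(\d+(?:\.\d+){1,2})(?:\.min)?\.js$/ },
];

// Return the bundled local path for a CDN URL, or null if it must hit the network.
function resolveLocally(requestUrl) {
  const url = new URL(requestUrl);
  const rule = CDN_RULES.find((r) => r.host === url.hostname);
  if (!rule) return null;                         // not a known CDN
  const m = rule.path.exec(url.pathname);
  if (!m) return null;                            // known CDN, unrecognized layout
  return BUNDLED.get(`${m[1]}@${m[2]}`) ?? null;  // exact version must be bundled
}

// Third-party hosts that receive a request, and so learn of the page visit.
function thirdPartyObservers(pageUrl, requestUrls, intercept) {
  const pageHost = new URL(pageUrl).hostname;
  const seen = new Set();
  for (const req of requestUrls) {
    const host = new URL(req).hostname;
    if (host === pageHost) continue;                // first-party request
    if (intercept && resolveLocally(req)) continue; // answered from the local copy
    seen.add(host);
  }
  return [...seen].sort();
}

// Constructed page load.
const PAGE = "https://news.example/article";
const REQUESTS = [
  "https://news.example/static/site.js",
  "https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js",
  "https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js",
  "https://code.jquery.com/jquery-1.12.4.min.js", // version not bundled
  "https://tracker.example/pixel.gif",            // not a CDN library
];

console.log(thirdPartyObservers(PAGE, REQUESTS, false));
console.log(thirdPartyObservers(PAGE, REQUESTS, true));
```

The request for the unbundled jQuery version and the tracking pixel still leave the browser; the latter is what a blocker such as uBlock Origin is for.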

Other privacy enthusiasts use Brave instead of Firefox. Brave is a relatively new web browser that has in-built tracker protection. It is also piloting an interesting new business model for privacy-preserving targeted ads — the goal is to match a local “interests” profile that never leaves your computer with a set of candidate advertisements; this way, you get targeted advertisements without being tracked by a remote entity.

So why do I use Firefox and not Brave? I used to use Brave; I like Brave. But it started getting very slow for collaborative text editing on Overleaf on my machine. So, I switched to Firefox as my primary browser because I spend a lot of time writing papers on Overleaf. There is also refer gate — i.e., Brave’s autocompleting of URLs to cryptocurrency webpages to append their own affiliate codes. This has since been fixed, but it did build some enmity with the community.

My main qualm with Firefox is that while Mozilla is doubling down on its identity as a consumer privacy company, the majority of its revenues do still come from Google ads — when you search for something through the Mozilla browser and you click on an ad on Google, Mozilla gets a royalty. While this is not a direct conflict of interest, it does mean that Mozilla profits from surveillance capitalism, too.

I use ProtonMail for secure, encrypted email that is not tracked or analyzed

Would it surprise you to learn that many free email services analyze your email? It shouldn’t; it’s how spam detection works, for example. But services like Gmail analyze your email for a lot more than spam detection. As with most other Google services, Gmail is beautiful, fast, usable and free. But in using it, you consent to Google being able to track what you say, what people are saying to you, and who you know. That information can be used by Google to learn more about you and your interests to serve you personalized ads; it can also be subpoena’d by the government.

I won’t dwell on this point for long, because most people understand email privacy without me needing to delve into the technical details. There are many secure email alternatives to Gmail now; what you are looking for, again, is service provided by a company that does not make its money from collecting personal data. Ideally, you will also want to find a company with servers hosted in a country with stronger consumer privacy protections — e.g., Switzerland or Estonia.

I use ProtonMail. It has a clean interface, and provides a host of nice security features (including end-to-end encryption and self-destructing messages).

I use Signal for end-to-end encrypted messaging

For all the same reasons that you might want privacy-preserving email, you want privacy-preserving messaging as well, and this means a messaging service that utilizes end-to-end encryption (E2EE). E2EE means that only the sender and intended receivers will be able to read the messages. Nobody else — not even the service itself — will be able to read the messages.

While there are a number of E2EE messaging applications on the marketplace, I use and recommend Signal for two reasons. First, security in theory is different than security in practice. The Signal protocol is open-source and has been vetted by many in the security community, and so it is easier to trust its security “in practice”. Second, at least partially owing to WhatsApp’s recent announcement that it will share data with Facebook, a lot of people now use Signal — and that’s important because a messenger is only useful if the person you want to message uses it! In fact, some research I did back in 2016 found that the key driver of secure messaging use was not promises of security, but simply the presence of one’s friends on the platform 1.

If you are reading this blog post, I do not think I have to convince you that search engines like Google track your search queries in order to infer your interests and web-usage; this data, in turn, may be used to serve you targeted advertising or customized content.

So, when I need to search for something online, I start with DuckDuckGo. DuckDuckGo is a stateless search engine — it does not keep track of your previous search queries, nor does it build a profile of your interests for future use. Each query is independent of all of your previous ones. In short, DuckDuckGo — unlike Google and Bing — does not track you.

DuckDuckGo is not as good as Google, but it is good. I still occasionally have to revert to using Google when I have very specific queries, but DDG is good enough for the vast majority of my queries.


The broad upshot: the prevailing business model of the Internet, today, is surveillance capitalism. The government is slow to change this because surveillance capitalism also serves their intelligence efforts — they allow private companies to do the heavy engineering work, and use subpoenas to access information about individuals on-demand. This means that you are largely on your own if you want to protect your privacy. There do exist tools that can help, however. The five I mentioned above are a good start.


Thanks for reading! If you think you or your company could benefit from my expertise, I’d be remiss if I didn’t alert you to the fact that I am an independent consultant and accepting new clients. My expertise spans UX, human-centered cybersecurity and privacy, and data science.



  1. De Luca, A., Das, S., Ortlieb, M., Ion, I., & Laurie, B. (2016). Expert and non-expert attitudes towards (secure) instant messaging. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016) (pp. 147-157).

This post is licensed under CC BY 4.0 by the author.