Assuming you’re not doing anything illegal, there’s nothing inherently wrong with safeguarding your personal details and browsing habits. Privacy isn’t just an issue for celebrities.
In fact, it’s far more likely that your privacy is compromised by advertising agencies than anyone else. From a simple Google search, to pretty much any ad-funded website, your browsing behaviour can be tracked to establish which adverts you’re most likely to click on.
Fortunately, there are plenty of ways to prevent this monitoring. We’ll show you some of the best options, from simple tricks to more hardcore solutions that can shield you from almost any surveillance.
Twitter was allegedly hacked in June 2016, with 32 million login credentials being offered for sale on the dark web. Despite forcing a number of users to reset their passwords, Twitter has maintained that it has not been hacked, and that what’s likely to have happened is that people have been careless with their passwords – for example, using the same password for multiple different sites.
A Twitter spokesperson told us that “we are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”
If Twitter was hacked, it certainly wouldn’t be alone. A month before the Twitter hack, 32 million user accounts for the business networking website LinkedIn were offered for sale online. A hack of Dropbox in August 2016 also resulted in 68 million passwords leaking onto the web.
In light of this, we’ve updated this guide with some first steps in making sure you’re protected online, before going into more advanced techniques.
The first rule about keeping yourself protected online is to make sure you have difficult-to-guess passwords, which ideally will be unique for every website that you log in to. If you’re using the same password for all of your logins, someone could gain access to one of your accounts, and then they would be able to access all of your other ones as well.
Security expert Graham Cluley has a useful tip for people who are worried that multiple complicated passwords will be difficult to remember.
“I recommend that users use dedicated password managers to remember their passwords for them, and those can also be used to create unique, hard-to-crack passwords to boost security.”
These password managers – such as KeePass – store all of your passwords in an encrypted digital vault that you can access with one master password. The vault can be stored on your computer or on a removable drive like a USB stick, so you control your data. When you click on an entry, you can automatically copy the password to the clipboard and paste it into the password box on the site.
KeePass also comes with a password generator, which can create complex and nigh-on uncrackable passwords for your accounts.
Check out our best password managers round up to find out which ones we think are the best for protecting you online.
Use two-step verification
Wherever possible, you should use two-step verification to improve the security of your login details. Two-step verification (also known as two-factor authentication) makes it more difficult for someone to get into your account, because you have to supply two items of authentication to log in.
The most popular version of this involves you providing your password, along with a verification code that’s sent to your smartphone. Other methods include PIN codes generated by a physical device.
Not all services and websites support two-step verification, but a growing number do, so you should make sure you turn this feature on when you can.
Check out our guides on how to add extra security to your Apple ID and how to boost your Google account’s security for explanations on how to turn on two-step authentication with those popular services.
Online privacy tends to make headlines with stories of governments spying on citizens. But while state surveillance is undeniable, the first invasion of your privacy is more likely to come via a Google search. Although apparently anonymous, Google has a habit of tracking your searches in order to bombard you with personalised adverts.
By contrast, a search engine such as DuckDuckGo generates unbiased search results without the added user profiling or tracking.
Switching to a less commercially driven search engine will certainly help you on the road to anonymity, but after visiting a few websites you’ll inevitably receive some cookies.
These tiny text files are usually perfectly legitimate ways for websites to record things, such as frequently viewed items, so they’ll appear on your next visit. But, cookies can easily turn on you…
Tracking cookies are more invasive and compile records of browsing habits and personal details in order for the cookie host to target you with specific adverts.
Since 2011, EU and US law has increased cookie awareness by requiring websites to display homepage notification banners that you can’t miss, but it’s really just a token nod at respecting privacy.
A more promising attempt at keeping your browsing less trackable is the Do Not Track HTTP header, now integrated into all common web browsers. When activated, websites are requested not to use tracking cookies.
However, the key word there is “requested”, as while Do Not Track may be great in theory, the feature can’t actually prevent websites and advertisers from tracking you.
There’s no law to say they can’t completely ignore a DNT request; however, all sites registered in the EU must have your consent before storing any tracking cookies.
Clean the slate
The bottom line is, it’s up to you to stay anonymous. Simply clearing your browser cache and cookies through your browser’s settings is a good start.
Alternatively, you can use clean-up software such as CCleaner to delete cookies, temporary internet files and various other web leftovers from multiple browsers in one go.
Once you’ve got a clean slate, keep it that way by using private browsing modes to keep your interests under wraps. This could be Microsoft’s InPrivate feature, Firefox’s Private Browsing mode or Incognito in Chrome.
They all do a pretty good job of preventing nosey tracking cookies from setting up camp on your computer. But even without going into full-on secret browsing mode, the big browsers also allow you to block third-party cookies, and while this doesn’t create an impenetrable barrier, it’s more effective than a Do Not Track request.
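The difference between a Do Not Track request and third-party cookie blocking, as an added example that is not part of the original article. The hosts, the cookie value and the two-label `site_of` rule are constructed assumptions (real browsers use the Public Suffix List and also withhold cookies on outgoing requests).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def site_of(url):
    """Approximate the 'site' as the last two host labels (assumption for this demo)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def ignoring_tracker(request_headers):
    """Constructed server that ignores DNT: it always sets a long-lived ID cookie."""
    return {"Set-Cookie": "uid=abc123; Max-Age=31536000; Path=/"}

def honouring_tracker(request_headers):
    """Constructed server that honours DNT: no ID cookie when 'DNT: 1' is sent."""
    if request_headers.get("DNT") == "1":
        return {}
    return {"Set-Cookie": "uid=abc123; Max-Age=31536000; Path=/"}

class Browser:
    """Minimal model of a browser's cookie handling for embedded resources."""

    def __init__(self, send_dnt=False, block_third_party=False):
        self.send_dnt = send_dnt
        self.block_third_party = block_third_party
        self.jar = {}  # site -> {cookie name: value}

    def fetch(self, page_url, resource_url, server):
        """Load a resource embedded in page_url and apply the cookie policy."""
        headers = {"DNT": "1"} if self.send_dnt else {}
        response = server(headers)
        third_party = site_of(page_url) != site_of(resource_url)
        if "Set-Cookie" not in response:
            return "no cookie offered"
        if self.block_third_party and third_party:
            return "cookie dropped by browser"  # enforced locally, whatever the server does
        cookies = SimpleCookie(response["Set-Cookie"])
        stored = self.jar.setdefault(site_of(resource_url), {})
        for name, morsel in cookies.items():
            stored[name] = morsel.value
        return "cookie stored"

if __name__ == "__main__":
    page = "https://www.news.example/story"
    pixel = "https://cdn.tracker.example/pixel.gif"
    for label, browser in [("DNT only", Browser(send_dnt=True)),
                           ("third-party blocking", Browser(block_third_party=True))]:
        print(label, "->", browser.fetch(page, pixel, ignoring_tracker), browser.jar)
```

With DNT alone the outcome depends on which server answers; with third-party blocking the browser discards the cookie itself.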
Another easy way to regain control of your internet anonymity is by exploiting browser extensions to close privacy loopholes. Active web content such as Java, Flash and Silverlight can be used to obtain system information without your knowledge and piece together various browsing habits.
Automated scripts can also be potential security risks, so controlling exactly what web content can and can’t run is a good thing.
Browser extensions such as NoScript for Firefox and ScriptSafe for Chrome allow you to do exactly that, blocking all active web content and asking for your approval before letting it run. At first these extensions can be annoying, but the more you use them, the smarter and less intrusive they get.
With a simple browser extension like Disconnect, you can see who’s tracking you and block them. Firefox’s Private browsing mode automatically uses Disconnect’s list of tracking cookies to protect you.
Spot the spies
Even when web tracking is legitimate, the fact it happens without your knowledge doesn’t inspire much trust.
Wouldn’t it be great if you could see exactly who’s trying to sneak information about you so you could stop them in their tracks? Well, that’s exactly what extensions such as Ghostery and Disconnect do. Both are available for Firefox and Chrome. Ghostery is also now available for Microsoft Edge.
With a simple browser button, you can see a list of active advertising, analytics and social media tracking organisations on a current webpage. You’re even able to control which ones can collect information about your browsing session. Both extensions are easy to use and far less troublesome than script-blockers.
Unlike private browsing modes, which simply stop tracking organisations from leaving cookies, these extensions can actually prevent them from monitoring you. Far more effective. However, just because your browser is locked down, this doesn’t necessarily mean your system is secure.
Any malware already present on your PC may still be snooping on you, and carelessly downloading the wrong zip, executable or even PDF file can transmit your personal details to unintended recipients.
Email attachments aren’t the only way in which your privacy can be compromised. Your actual written email correspondence is also far from anonymous.
When Gmail was launched in 2004 with a 1GB storage limit, Google wasn’t keen to market how this capacity was funded. This is because Google did, and still does, scan email content in order to target you with personalised adverts, and Yahoo is up to the same tricks.
Thankfully, there’s no shortage of ways to keep your email correspondence safe and secure. If you’re serious about email anonymity, providers such as Hushmail offer built-in PGP email encryption and no advertising.
Most companies will claim that e-mailing another person using the same site such as Hushmail will mean your message is automatically encrypted when sent and decrypted when read. They may even claim that not even their own employees can read your e-mails.
Nevertheless, if you’re storing your private encryption keys on the company’s e-mail server, you have to take quite a lot on trust: firstly, that the company is being honest, and secondly, that your keys won’t be stolen by hackers or surrendered to law enforcement. Hushmail is an excellent case in point, as in 2007 Hushmail complied with a US-Canadian court order to turn over 12 CDs’ worth of e-mails from three Hushmail accounts to the FBI.
Alternatively, you can also encrypt mail sent via webmail accounts such as Gmail, Outlook and Yahoo, simply by using a desktop email client like Mozilla Thunderbird, plus a few other tools.
With Thunderbird installed and configured as your email client, download and install the free GNU Privacy Guard encryption software, and then download the Enigmail Thunderbird extension and follow the configuration wizard.
If that sounds like overkill for sending a couple of anonymous messages, then consider a disposable email address instead. Guerrilla Mail and Mailinator both fit the bill, letting you quickly send and receive anonymous mail with no incriminating sign-up processes or content scanning. Both sites will, however, record your IP address when you visit, so consider connecting via Tor (see below).
The wonders of encryption can also keep instant messaging secure. Apps such as Cryptocat are available for Windows, Linux and Mac, giving you an encrypted chatroom to converse with other Cryptocat users using Off the Record Messaging (OTR).
Once you have registered your account on the main site, you can start your own conversation by adding your messaging buddies. You can then begin a private chat and send your buddy encrypted files and photos.
If you already have a messaging account with Yahoo, AOL, Google Talk and so on, consider installing the handy messaging app Pidgin, which is available for Windows, Mac and Linux.
If you and your buddies also install the Pidgin OTR Plugin, your conversations will be encrypted and no one will be able to decode what you’re saying or see the contents of any files you send. Pidgin supports a wide variety of messaging protocols including the open XMPP standard. Register an account with Otr.im to make sure all messages are sent encrypted.
Paranoid or Prudent?
In 2013, Edward Snowden was revealed to have downloaded and leaked up to 1.7 million classified documents, revealing the extent of mass surveillance in the US and around the globe.
Key revelations from these leaks include the existence of PRISM: a partnership between the NSA and at least seven major internet companies, including Google, Apple, Microsoft, Yahoo and Facebook. PRISM enables the NSA to access the emails, documents, photos and personal details of any non-US citizen from its participating companies (which have immunity from possible ramifications), en masse, without having to specify an individual target or communications method.
The only crumb of comfort is the NSA apparently has to request the information, rather than having direct server access.
Snowden’s leaks also revealed the UK’s Government Communications Headquarters (GCHQ) taps around 200 fibreoptic cables carrying global internet and telephone data amounting to up to 600 million daily communications.
This program (codenamed ‘Tempora’) had the potential to deliver more than 21 Petabytes of information a day, roughly equivalent to sending all the information in every book in the National British Library 200 times a day.
Tempora intel is shared with the NSA and stored for up to 30 days for analysis. Snowden’s leaks also detailed that the NSA had collected over 200 million global text messages per day and stored details in a database accessible to GCHQ. The really scary bit? This surveillance made no distinction between those suspected of committing a crime and innocent people.
The big bad world
Exposing and blocking advertisers or encrypting email can help you take back some control of your privacy, but it’s not enough to keep you and your location hidden.
Whenever your computer is connected directly to the internet, you’re still within radar unless you’ve taken some measures to conceal your IP address.
There are many ways to hide your IP address – but consider whether you really need to. The gatekeeper of your identifiable details is your internet service provider. But in the UK and the US, at least, they’re unlikely to have the time (or the money) to want to snoop on you themselves.
Both the Creative Content UK alert programme and the US Copyright Alert System are more lenient than you might imagine. If you’re found illegally downloading a copyrighted file by the rights holder, they can record and submit your IP address to ISPs in the alert program. If one ISP happens to be your provider, then you’ll be sent a copyright infringement notification letter informing you of ways to avoid future breaches.
The UK system allows you to receive four such letters or emails a year. After that, well, not much happens, as it stands. In the US, you get up to six warnings. By the fifth or sixth warning, ISPs can start throttling bandwidth or using other measures to make subscribers play ball. Even then, however, US ISPs are not required to disconnect subscribers or even disclose personal details to the copyright holders.
This all sounds forgiving, but relying on your ISP to protect your identity isn’t advisable. Even when most providers are reluctant to divulge your details, sooner or later they will have to give in to the law.
Take the recent case of Voltage Pictures identifying and attempting to sue thousands of individuals in the US, Singapore and Australia for illegally downloading the film Dallas Buyers Club.
In November 2016, the “Snooper’s Charter Bill” was also passed in the UK. Known officially as the Investigatory Powers Act 2016, it requires web and phone companies to store everyone’s web browsing histories for 12 months and give the police, security services and official agencies unprecedented access to the data.
Tor of duty
One way to get closer to complete anonymity on the cheap is to use Tor, aka The Onion Router. If there’s an element of the internet that divides opinion it’s Tor. Tor has the same effect as a proxy server, fooling monitoring systems by faking your computer’s location.
But it considerably boosts your anonymity by passing your internet data packets through multiple encryption servers (nodes) before they emerge on the open internet (clearnet) and scoot off to your requested website.
As your IP address is concealed by so many encryption servers, you get multiple layers of protection rather than just a single proxy server barrier. Each node only knows where the data came from and the next node it’s travelling to, peeling away layers of encryption like an onion.
However, like its veggie namesake, Tor can also be eye-wateringly annoying. The numerous encryption servers that relay your data within the Tor network create speed bottlenecks, and, being volunteer-run, demand usually outstrips available bandwidth.
Although technically you can access the Tor network by installing a command line application and using your regular browser, it’s much safer to use the Tor project’s own Tor Browser Bundle, which is based on Firefox.
While Tor makes it difficult for agencies to perform traffic analysis, it’s not completely safe.
By default Tor doesn’t make any attempt to disguise the fact you’re accessing the Tor network, so while your ISP may not know which sites you’re visiting, they’ll know you’re hiding something. They may even try to throttle or stop your access to Tor. If so, the Tor Browser Bundle allows you to connect to special network “bridges” which will help to disguise your web traffic.
The final Tor node that a packet is relayed through before exiting onto the clearnet is known as the exit relay.
There are more than 1,000 of these active at any one time and, though unlikely, it is still possible to eavesdrop on an exit node, as the data emerging there is unencrypted.
You can reduce this risk by using websites that have SSL (look for the padlock icon in the address bar). Tor also operates “hidden services” which can be accessed in the form of a .onion address. For instance Facebook’s address is http://facebookcorewww.onion. This makes intercepting your data much more difficult as your traffic never leaves the Tor network.
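The layered relaying and the exposed exit relay described above, as an added example that is not code from the article or from the Tor project. The node names, keys and sample request are constructed, and the HMAC-based stream cipher is a toy stand-in for Tor's real cryptography and key negotiation.

```python
import hashlib
import hmac
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (stand-in, NOT Tor's cryptography): XOR with HMAC-SHA256 blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap(key, next_hop, inner):
    """Add one layer: encrypt 'next hop + inner blob' under a single node's key."""
    hop = next_hop.encode()
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, bytes([len(hop)]) + hop + inner)

def peel(key, blob):
    """Remove one layer: a node learns only the next hop and an opaque inner blob."""
    plain = keystream_xor(key, blob[:16], blob[16:])
    hop_len = plain[0]
    return plain[1:1 + hop_len].decode(), plain[1 + hop_len:]

def build_onion(circuit, destination, payload):
    """Client side: wrap the payload for the exit node first, the entry node last."""
    blob, next_hop = payload, destination
    for name, key in reversed(circuit):
        blob = wrap(key, next_hop, blob)
        next_hop = name
    return blob

def relay(circuit, onion, sender="client"):
    """Pass the onion along the circuit, recording what each node can observe."""
    views, blob, previous = [], onion, sender
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        views.append({"node": name, "from": previous, "to": next_hop, "forwards": blob})
        previous = name
    return views

def demo_circuit():
    """Constructed three-node circuit; real Tor negotiates a key with each relay."""
    return [(name, os.urandom(32)) for name in ("entry", "middle", "exit")]

# Constructed sample request: plain HTTP, so nothing protects it after the last layer.
SAMPLE_REQUEST = b"GET /profile HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    circuit = demo_circuit()
    onion = build_onion(circuit, "shop.example", SAMPLE_REQUEST)
    for view in relay(circuit, onion):
        readable = view["forwards"] == SAMPLE_REQUEST
        print(f'{view["node"]:>6}: from {view["from"]:<6} to {view["to"]:<12} '
              f'payload readable: {readable}')
```

Only the exit node forwards the request in readable form, which is why an SSL connection to the website matters: it adds encryption that survives the last Tor layer.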
An alternative anonymous network without this weakness is Freenet. Freenet is a private peer-to-peer network that’s totally under the radar. This is different to Tor in that it’s not a means of accessing the clearnet anonymously, but rather a secure network in which to communicate and share files with trusted circles of contacts.
Freenet uses a peer-to-peer model and allocates a portion of your hard drive to store Freenet data and serve it to the network. This is encrypted, as is all the data passed around Freenet, and thanks to such comprehensive end-to-end encryption, Freenet is almost impossible to penetrate and is ideal for anonymous communication and file sharing.
Users are also able to create and host Freesites, which are static websites hosted within, and only accessible from, the Freenet. There are also plug-ins for anonymous email, social network-style communication and forum contact. However, as with other peer-to-peer file-sharing systems, transfer speeds are seed-dependent, and don’t expect the overall speed of the network to be lightning-fast either.
Though networks such as Tor and Freenet are useful for protecting privacy, their slow and limited functionality hardly makes them ideal for everyday anonymous internet usage.
To go totally incognito with the fewest possible restrictions or drawbacks, you need a VPN (Virtual Private Network). Where services such as BTGuard will hide torrent traffic, and Tor can keep web browsing anonymous, a VPN will hide the entirety of your internet traffic inside an encrypted tunnel.
Traditionally, VPNs have been used by companies to securely connect employees working off-site to a private corporate network, but now they’re increasingly popular for the average Joe wanting to preserve their privacy.
To exploit a VPN, firstly you’ll have to come up with at least $5/month to subscribe to one of the huge number of personal VPN providers out there, and you’ll also need to install that provider’s client software so you can access your VPN tunnel.
Inside the tunnel, data is encrypted to various degrees, depending on the quality of VPN you choose. Try to find a provider that supports OpenVPN, which is generally more secure and reliable. Consider also installing a program like TunnelRat, which will disconnect web applications when your VPN connection fails. Make sure that your VPN provider also provides DNS forwarding. You can check this is working by visiting the DNS Leak Test website.
In and out
Similar to the potential Tor exit node vulnerability, the weakest links of a VPN tunnel are its entry and exit points.
The VPN server is able to see all data that goes into and out of the tunnel, so if you want to sleep at night, leave no stone unturned in ensuring your VPN provider doesn’t log any user details or monitor traffic. It’s also a wise move to select a company that accepts payments by Bitcoin, to avoid any potential privacy breach that could occur if paying by credit card or PayPal.
With this amount of privacy protection in place, you’ll now be well and truly under the radar. If you’re still paranoid that your every move is being watched, it could be time to hone those secret agent skills and live completely off the grid.