Basic privacy adjustments on laptop and phone for beginners

Note: Following content is nothing complicated. Apps and approach mentioned below is NOT an over-kill. It is kind of mixture to be able to keep productivity and gain some privacy. Some services below are enhancing your security too.

Important to differentiate between security and privacy. It is not the same. An example: Google might provide you with good security when all steps are correctly applied; however, that does not indicate that you have good privacy. You are the product in Google services and your privacy is very low.

I want to focus on a couple of steps and apps that don't require you to be an expert.

It is important to mention that privacy is not black and white. As always, it is a scale. The more private and anonymous you try to be, the less user-friendly it becomes and turns into a pain for daily use. Plus, you need to understand well what you are doing.

Following steps are for beginners. With these simple steps and apps, you can get much better privacy while still maintaining usability without needing profound knowledge.

I might focus on some anonymity set-ups more in detail in the future, but that is not the case for this article. You can read a great article on security scenarios from EFF.

Basic Housekeeping

1. Dump Google and such. I know, many of you will probably say that it is not possible. You should think this twice, but if you can't dump Google services then at least do these steps:

   • Disable all tracking in Google account (settings)
   • Don't install Google Drive on your computer - it has access to your file system. Note: Google Drive is encrypted on the server only -> Google has keys, can access your information → do not store sensitive data in Google Drive.
   • Free commercial service means that you are the product. Your data will not be private, you will be logged, and metadata might be sold to third parties.

2. Securing access to services

   • Unique password generated from password manager
   • Strong Master password for key items (phone, laptop, password manager, encrypted files…). Don't reuse Master passwords.
   • Backup password manager in encrypted form in case you lose access. More on this in future articles.
   • Use TOTP everywhere. Dump SMS 2FA when possible (SIM card swap attack)
   • Don't save passwords in browsers
   • Use HTTPS everywhere
   • Use VPN everywhere. Access public WiFi always with VPN or Tor

3. Social media risks

   • Google - YouTube and the whole Google environment is harvesting your data. Be aware of that.
   • META - FB, WhatsApp, Messenger, IG. Harvesting your data. Data are not yours. WhatsApp is e2e encrypted but it is not open source. Rather switch to other services that are e2e encrypted and open-source.
   • Dump TikTok - mass surveillance with high probability.
   • Telegram - malware, not e2e encrypted.

4. What to do if you want to keep social media platforms?

   • 2FA everywhere
   • Treat all shared content as public and understand it can be used against you. You will never manage to get rid of the content in the future with 100% success rate.
   • Don't give apps access to all photos, they can use it. Give only access to "selected photos" in settings.

5. Mobile privacy adjustments

   • Notification preview on locked screen -> disable. Only when unlocked
   • Disable Siri or similar "helpers" if possible - all data being sent to provider to process it
   • Location - disable where possible (only while using app, otherwise you are being tracked everywhere). If having new iPhone with U1 chip, disable U1 chip in settings; otherwise, your location will be tracked.
   • Backups iCloud on iPhone - turn on iCloud e2e encryption, but don't backup sensitive data because it is not open-source. You cannot fully trust Apple.
   • Android - if you are running Android phone, switch to Google Pixel and install GrapheneOS - great privacy-oriented OS, sandboxing every single app.
   • Get rid of clutter
   • Delete unnecessary apps
   • Give only necessary permissions
   • Compartmentalize - have dedicated devices for certain types of work and compartmentalize within devices too.

Must Have Apps

1. Password managers:

   • Bitwarden - Opensource, free
   • KeePass - opensource, free

2. VPNs

   • Mullvad - Opensource, Anonymous (payment with bitcoin, monero), no email needed, no logs
   • Proton - Good choice as whole package with email, cloud, calendar, etc., Many servers, no logs, possible pay in crypto, Email needed
   • IVPN - no logs, opensource, no email, no data stored, pay in BTC, lightning, Monero

3. Anon networks

   • Orbot - free proxy app, uses Tor to encrypt your Internet traffic

4. E-mail

   • Protonmail - Secure, e2e encrypted for all proton mail emails, PGP signature for other emails, Non-pgp users can use passphrase, bitcoin payment possible, Easy switch from Google - transfer implemented. Paid version - more space, simple login, Jurisdiction: Switzerland. Some contact details are not e2e encrypted (as of now)
   • Tutanota - Worse UX compared to protonmail, e2e encrypted, not using Apple and Google servers for notifications, not using PGP but own cryptography, can be paid in bitcoin, Jurisdiction: Germany

5. Messengers

   • Signal - Network effect, E2e encrypted, no data collection except contact info - phone number (you can register to different anon. phone number), Open source, Forward secrecy, keys on the device, No logs, Self-destructing messages
   • Sessions - similar to Signal but less network effect compared to signal. No phone number, anonymous.
   • SimpleX - decentralized, E2EE, incognito mode, no users ID. Overall fantastic messenger.

6. Two factor authenticators
   It is good to have a second authenticator on another device. Don't use TOTP within the password manager because the result is that you are eliminating that second step if your password manager becomes compromised. Have it separated. And turn on TOTP (or other second step verification such as Yubikey) everywhere you can. I suggest having encrypted backup from TOTP codes in case your 2FA device is lost or stolen (more on this in future articles).

   • iOS - OTP AUTH
   • Android - AUTHY or FreeOTP

7. Browsers

   • Hardened Firefox - More on this topic in a separate article as this gets pretty complex.
     Basic rules: fewer extensions = more privacy. Many extensions are bad for privacy.
     Install these: HTTPS everywhere, Privacy Badger, Multi-accounts containers, Ublock origin
   • Mullvad browser
   • Tor browser
   • Chromium

8. Cloud

   • Proton Drive cloud - E2EE, don't need to run own server on own hardware
   • NextCloud - E2EE, open-source, private cloud, running on own hardware

9. Search Engines

   • DuckDuckgo
   • Startpage
   • Mullvad Leta

10. Firewall

    • Little Snitch - create own rules for what can or cannot connect to internet. A must-have.
    • NetGuard - version for Android

11. Notes

    • StandardNotes - E2EE, open-source

12. Hide my email

    • SimpleLogin - opensource

13. Privacy payment wallets

    • Phoenix - bitcoin lightning wallet, open-source, non-custodial, cheap immediate payments, great UX
    • Breez - bitcoin lightning wallet, open-source, non-custodial, cheap immediate payments, higher privacy due to constructing the payment route on the device.
    • Trezor - onchain hardware wallet (many currencies, such as bitcoin, monero). Fully open-source, non-custodial. Great for bigger amounts
    • Zeus - operate your own bitcoin node from your phone. Great and simple experience to access your node from mobile device.
    • Incognito wallet - easy simple private swaps

Good to Have Apps

1. Malware scan

   • Malwarebytes

2. Bluetooth communication app

   • Bridgefy - free messaging app that works without the Internet

3. Anonymous phone number service

   • Hushed - there is a way to pay for the service in BTC. Great to purchase Life-time number.

4. Offline maps

   • Maps.me - openstreetmaps, no tracking

5. Breach security scan

   • Jumbo

6. PGP encryption in simple way

   • PGPRO

7. Transcriptions for iOS

   • Hello Transcribe - all done locally on device. Private, offline

Wrap

• Eliminate META, GOOGL, etc., harvesting your data - be aware that what you share even in private is not private
• Many extensions in browsers might be trackers or malware
• Have strong passwords and unique for each service
• Use password manager with strong master password
• Use 2FA TOTP or Yubikey - don't forget to backup
• Don't use Excel sheets for anything important - no passwords, no private information. Instead, use password manager and for notes use E2EE service such as Standard Notes.
• Email by design is not encrypted. Have that in mind. Options: You can use encrypted emails (PROTON to PROTON), you can use PGP and encrypt any email (a bit nerdy for beginners)
• Use secure communication platform such as Signal, Session
• Share files via end-to-end encrypted way (Signal, Session, StandardNotes). You can even share files with yourself in this e2ee manner.
• Phone calls are not encrypted and are stored at mobile provider data centers, same for SMS. Minimize using them for anything private. Also keep in mind that mobile providers track you based on triangulation. More on this and how to mitigate this in future articles.
• Dictation (in some cases) is not private, using cloud computing GOOGL, APPLE to transcript voice into message —> they need to know what is being said.
• It is always a tradeoff between productivity and privacy. Many apps help with productivity but totally expose your content. It depends on every person to think about their threat model and what makes sense to apply and what is too much.
• All apps and approaches mentioned here are not decreasing productivity and everybody can apply them. Your privacy will move to the right on the privacy scale when applying them.