Lots of good answers, so I’ll also throw in my two cents as well.
I think what you are having difficulty with is assessing a threat model for yourself. In short, how much privacy is good enough for you? I don’t think there is such a thing as 100% privacy, even in the real world. With this, you’ll want to understand the implications of what choices to make or what not to make. This also comes with understanding the technology, which can be overwhelming to newcomers.
With this, here is a great article to read on MDN which should answer a lot of questions for you about the tech. And remember Security is not the same as Privacy, you can achieve both independently, sometimes together.
Lastly, a lot of these questions are about not fully understanding the technologies. This is definitely hard for newcomers, and I don’t have a solution to this.
When is it advisable to use Tor? Having three browsers (Firefox, Mullvad and Tor) seems redundant.
Different browsers for different purposes. Tor Browser is maximum privacy, but a lot of websites will block you. To get around that, you’ll need a backup browser if there are sites you wish to interact with (Firefox or Mullvad Browser generally). Firefox is less unique than Mullvad Browser (fingerprinting is slightly harder), but doesn’t have as good of privacy configurations out of the box. Honestly any option is better than chrome imo.
When should a VPN be used, exactly? PG says: it is useful when anonymity is needed, but when is anonymity needed in the first place?
You’ll have to answer this yourself. In general, if you are accessing sites using HTTPS (HTTP Secure, or encrypted), then most of your web traffic is encrypted to and from the website. However, its decrypted on the website, and all of the metadata of the request can be read from the site. Even then, sites can give you JavaScript which can pull even more information about your device and location. The VPN’s paid for your use case (there are different use cases for VPNs) will route all of your traffic through a different computer essentially, obscuring your location. This doesn’t necessarily protect your from other tracking methods like cookies.
Personally, VPNs don’t have to be your first step in privacy, and are slightly overhyped in my opinion. Great for security on unsecure networks like public WiFi, but there better first free options to anonymizing yourself. I’d say pay for a VPN once you understand the use case for it.
How should people handle their personal information for online orders? Is it recommended to use their real name or a fake name or initials?
You’ll want to read up on data laws regarding how people can store their information. In general, the worst case in these scenarios (I believe) are the following:
- Merchant sells your data. Bigger concern for big companies like Amazon, not as concerning for small business. They may use some sort of analytics, but its often just reporting.
- Data breaches. Largest concern in my opinion, and the worst is getting leaking metadata on your name, phones, e-mails, and password hashes. Definitely annoying, and I had to shut down one of my e-mails as too many websites have been associated with breaches.
If your online threat model doesn’t allow then, then you should be going to stores and paying in cash. Keep in mind Credit Card companies probably sell every ounce of metadata you are worth, but its a price of convenience.
How can people avoid receiving unencrypted order confirmation emails that contain their personal data?
Pretty much impossible. But again, whats your threat model? Are you worried someone has breached our e-mail secretly and is monitoring all of your e-mails? That some high class level attacks (if you’ve secured your accounts), you probably don’t need to worry about that. Worried that Gmail is analyzing your emails or something? Switch to a paid e-mail provider, there are suggestions in the guide.
Is it recommended to use a VPN when purchasing online, even when using a real-life identity? PG says: ‘Using a VPN in cases where you’re using your real-life or well-known identity online is unlikely be useful,’ and ‘When purchasing online, ideally you should do so over Tor.’ However, PG also suggests using a VPN before connecting to Tor. This seems contradictory, and may require further clarification.
This is confusing and should be clarified. I think understanding how Tor and VPN works will give you a better idea. In general, they recommend a VPN before Tor, so that if someone traces your entry Tor Node, its the VPN. This isn’t about identity, its about security.
I think the “Using Tor when purchasing online” should be explained further.
What are some good Firefox extensions to enhance privacy and security? uBlock Origin on ‘medium mode’ and Skip Redirect are recommended by uBlock and Arkenfox, as extensions.
Security <> Privacy. More extensions, the more unique your fingerprint, but the more likely you can block malicious content. uBlock Origin is the only one you need in my opinion as the best bang-for-buck for privacy + security.
Is it better to use Bitwarden’s extension or web vault? The trade off here seems to be between fingerprintability, and convenience + phishing protection. Is addy.io more effective as a website or a browser extension?
Its a tradeoff. I go for convenience, and have the web extension.
Is it a good practice to register all online accounts to a single Proton Mail account using aliases, or should different email addresses be used?
Depends on your threat model. This usually goes back to if companies will sell your data, how much of that you want tied back to specific IP address if used, and so on so forth. Using aliases is likely the best bet.
What are some ways that people can deanonymize themselves online? PG says: ‘We know people can quite easily deanonymise themselves in a number of ways, e.g.: Reusing personal information (e.g., email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN , etc.).’ What does this mean, and how can it be prevented?
Deanonymize means to no longer be anonymous. There are cases where even if you use all the privacy respecting tech, proclaiming your name is John Doe living at 123 Street is gonna ruin the purpose of that.
Is Orbot recommended as a VPN on iOS, the problem is it is unusably slow, so shouldProtonVPN be used?
I haven’t used Orbot. I generally don’t like to trust free VPNs (whats in it for them?), so I pay for mine. Don’t use free VPNs.
What is the best alternative for multi-factor authentication (MFA) if physical keys are not convenient? Is TOTP the next best option?
Depends on your threat model. I have a specific system and redundancy (backup options so I don’t get locked out).
- I have Raivo TOTP on my phone. Only used for Bitwarden.
- I have a backup physical key to unlock Bitwarden in case my phone explodes.
- All other TOTP is in Bitwarden.
Is Thunderbird hardening recommended? Is this a one-time process or does it require regular updates?
One time process, so I’d just recommend doing it. Feel free to double check its still configured after major updates though.
Which iOS email client is more suitable for a non-Proton email account: Apple Mail or Canary? Is Canary’s encryption worth paying for?
I use Apple Mail, as I don’t use non-Proton email for anything I don’t want leaked.
What is the purpose and benefit of OpenPGP (answer: email encryption), and how can it be used? What is Mailvelope (still not entirely sure) and why is it listed in the email clients section?
Email is sent in plaintext and is the “HTTP” of email. OpenPGP is like the HTTPS of e-mail. Problem is, most people don’t use it. This goes down to your threat model - is it a problem that your e-mails are unencrypted? What are you specifically worried about?
What is the best way emails can be encrypted from sender to receiver, even if one or both parties don’t use a privacy-oriented email service provider? Can Thunderbird (an email client) enhance the privacy of email addresses that don’t support encryption by default?
Encrypted e-mails using OpenPGP is the point - even the email service provider can’t read it. You can technically manually encrypt/decrypt emails, so the email provider isn’t the problem. Again, its the threat model - what are you specifically trying to prevent in this scenario?
Should sending emails and registering accounts be limited to personal computers, or can this be done equally safely on mobile devices? E.g., is it safer to use Proton mail + SimpleLogin on a PC rather than on an iPhone?
Depends on your threat model. This is more a security question. If you are looking for privacy, then I’d say iPhone is probably better than Windows, but its still proprietary.
Are Picocrypt and VeraCrypt redundant if BitLocker is already used on Windows 11? From my understanding, Picocrypt (used for encrypting single files) is not redundant, since full-disk encryption slows down some actions in the computer, such as file organisation. What is the use case for Cryptomator? Is it possible to encrypt files using any other method and then upload them to Proton Drive?
This is more-so a security issue. Single file encryption != full drive encryption. Single file encryption has different use cases than full drive encryption. Full drive encryption is useful is someone steals your computer, than cannot arbitrarily read everything you have stored (i’ve recovered data easily from computers that were unencrypted); however, if your computer is left unlocked or a hacker has the password, they can read everything. Single file encryption is just that - even if a hacker stole your computer, knows your computer password, the single file encryption is used with a different password, so that is a whole separate issue to crack it. You can also pass around the encrypted file anywhere - email, copy it on an enencrypted drive - the works, and it’ll be secure so long as your password is secure.
How can passwords in Bitwarden be backed up securely? Is it better to export, encrypt, and save them on Proton Drive using Cryptomator, or on a separate encrypted hard drive using BitLocker?
This is more-so security. Bitwarden will export plaintext in some form. You definitely should encrypt the information in some manner. This depends on your threat model - if you upload to Proton Drive in plain text (which is encrypted on their server), how paranoid are you that someone is going to breach your Proton Drive? Encrypting the file then uploading to Proton Drive is extremely secure, just don’t lose the password to the backup file.
- Can changing settings within a search engine like DuckDuckGo affect fingerprintability?
This goes to understanding how Cookies work. I’d recommend reading up on then. Might not be an issue. If this is an issue, use a privacy respecting search engine like SearXNG.
What is self-hosting, and what are its pros and cons? From my understanding, web servers are used to provide people with services when people make requests for them, self-hosting is the act of using a private web server.
In short, I have a computer (server) running in my closet with Linux installed that runs services through a VPN. I own the computer, I know exactly what it does (ignoring the rabbit hole of Intel ME or LibreBoot stuff). I own it. If I want to use the same service hosted by another entity, its running on their computers doing whatever it is they do. How do I know they aren’t tracking me? Again, this comes down to threat model - typically, most people are fine with renting out a VPS from someone else to do their hosting, and its perfectly acceptable. As the saying goes: There is no cloud, just someone else's computer.
Is it worth the hassle? Depends… if you aren’t interested in setting up and maintaining a server, its going to become quite the side project. But its very rewarding once you get it working.
What is the role of the “Router Firmware” page? Is it necessary to install such firmware? What does this software do? Does it allow changing the DNS settings on a wireless router?
Depends on your threat model. Do you trust the router firmware running is not doing anything malicious? In general, I’d recommend ditching whatever your ISP gives you, and buy your own router. Then,
In general**, some PG tool recommendations are vague or incomplete, e.g., the function of the tools and whether they are essential or optional for most users, needs to be explained more clearly.
This is a hard issue for newcomers, and I think privacy guides could improve in this - explaining the tech and pros/cons a bit more. Its a hard transition to wanting to gain privacy and also learning how basic networking works.
As always, feel free to correct me.