Seeking Advice: Recommendations and Questions on Enhancing Privacy and Security

Edit: I understand that this post is lengthy and intimidating, however, if anyone can even answer one of my questions that would be appreciated.

Hello, good people at Privacy Guides (PG)! I hope everyone is having a great holiday season. I have compiled a list of recommendations that I have implemented, along with the questions that surfaced during my reading of the entire Recommendations page, below.

Before this, I need to say that this post is lengthy, so no one is obliged to read it (it’s kind of a headache really), however, if you do take the time, I would greatly appreciate any suggestions for areas I might have overlooked. The many questions I ask should provide an insight into my knowledge gaps, thus, allowing more informed people to potentially address these gaps. Doing so could be extremely informative for readers of this post. Furthermore, I would like to mention that I am a complete noob in this field, my ‘expertise’ is in the field of biology and more generally science, and not in computer science.

My current circumstances are:
To begin with, I am using Windows 11 for my personal computer and iOS for my mobile device. I am a university student and my main goal is to study, so I will need to use digital devices and the internet, I will need to access resources without wasting time, such as my university’s LMS. I am stating my circumstances because they may put my decisions into context and help provide more helpful advice.

Automatic privacy hardening:
Now, I have what I believe to be an important question about ‘privacy automation’. Specifically, why aren’t there more scripts or applications that automatically enhance the security and privacy (harden) of software like Windows or Firefox (e.g., automated Arkenfox which is self-maintaining)? These scripts or applications could have adjustable settings, allowing users to modify the degree of security hardening and the corresponding usability of the software. At the same time, these tools could educate users about the function of each setting at various levels (e.g., on or off), the recommended level for each setting, and how each level influences usability. So I have another related sub-question, what are all of your opinions on scripts like the following: GitHub - simeononsecurity/Windows-Optimize-Harden-Debloat: Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Adhere to industry best practices and Department of Defense STIG/SRG requirements for optimal performance and security., which are able to automatically ‘harden’ software?

Web browsers and extensions:
I have downloaded Firefox (FF) and changed its settings accordingly to improve my privacy and security (as recommended by PG, except I am reluctant on using Arkenfox). I am using FF for when I want to sign into accounts. I have downloaded both the Mullvad browser and the Tor browser, and I understand that I should use the Mullvad browser for viewing webpages that I can view without signing in, but this begs the questions, what is the point of Tor browser?
With regard to FF browser extensions, I have installed uBlock Origin and set it up as recommended by PG.

A crucial question I have is: if PG updates their guide based on new information, such as changing a recommended content blocker, altering a filter list setting within uBO or notifying users of a FF release making Arkenfox redundant, where could I subscribe to receive notifications of these changes? Are there other sites for this?

Now, returning to the main topic, I previously had Bitwarden and Skip Redirect as extensions. However, in an attempt to reduce my ‘fingerprint’ and ‘attack surface’ (terms I believe I’m using correctly, but I have a poor understanding of), I removed them. I chose not to use Skip Redirect (which might not be a good idea) and instead opted to use Bitwarden’s web vault (inconvenient since I cannot use autofill). The same situation applies to, should I use it as a website for enhanced security and privacy, or is this inconvenient compared to browser extension? For those of you who argue it is personal choice, it may be that using a website and extension may be similarly convenient, and so choosing to use an extension could be deemed pointless.

In addition, as instructed by PG, I am using Proton VPN, except where it is inconvenient to do so (so far, I have not tested it out for online shopping, so I don’t know if it is feasible for this, this could be a possible inconvenience. Moreover, sometimes loading speeds are slow using a VPN, this could be an inconvenience for some people or in specific situations e.g., doing an online exam). However, I need to clarify when PG recommends that VPNs and anonymous browsers are to be used, in other words, what are the specific scenarios when using a VPN would be a bad idea? PG says: ‘Using a VPN in cases where you’re using your real-life or well-known identity online is unlikely be useful.’ Firstly, this sentence is a bit ambiguous, what is meant by ‘in cases where you’re using your real-life or well-known identity online’? PG could answer this by elaborating with actual, specific examples. To add to my confusion, PG says: ‘When purchasing online, ideally you should do so over Tor.’ Is purchasing online, not a case where a real-life identity is being used? If so, this would contradict the first quote, as PG also recommends that users connect to a VPN prior to connecting to Tor. As you can see, understanding the first quote is hard for me, and it may be my misinterpretation, but elaboration would be appreciated.

I find this point to be less important, so feel free to ignore it, PG says: ‘Use responsible language: i.e., it is okay to say that a VPN is ‘disconnected’ or ‘not connected’, however claiming that someone is ‘exposed’, ‘vulnerable’ or ‘compromised’ is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider’s service or using Tor.’ Firstly, PG recommends using a VPN before connecting to TOR, so the alarming language might be necessary in the case that the person is ‘using Tor’. Secondly, and less importantly Proton uses alarmist language (‘You are not protected’) when you are not connected to it, just something to note.

Online shopping safety and privacy advice:
The quote: ‘When purchasing online, ideally you should do so over Tor,’ reminds me to ask some questions regarding online shopping safety and privacy advice. Firstly, if a company needs and acquires my shipping address, name and debit card information for an online order, and then sends these details back to me using a text message or email to my Proton account, as an order confirmation, will my details be unencrypted? In addition, is there any way I can maximise my privacy in this situation or avoid this situation in the first place? For example, should I give them a fake name, or my initials rather than my real name? I know I could get them to send the package to a nearby location that is not my home, but this would be inconvenient. Due to the ubiquity of online shopping, some online shopping advice would be appreciated.

Password management:
As instructed by PG, I use Bitwarden to generate passwords that are as complex as online services allow. I have a quick related question, should I uncheck the avoid ambiguous characters option in the Bitwarden password generator? It seems that since I am not memorising the randomly generated passwords, and perhaps due to the possibility of this selection decreasing the randomness of the passwords, it may be a bad idea to keep this checked, or am I completely misunderstanding the purpose of this option?

A question regarding deanonymisation:
PG briefly mentions this: ‘We know people can quite easily deanonymise themselves in a number of ways, e.g.: Reusing personal information (e.g., email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN , etc.) Browser fingerprinting.’ Could we expand on this, so I and others who may be reading this, can avoid making such mistakes in the future? I ask this because I do not understand what is meant by this: ‘Reusing personal information (e.g., email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN , etc.),’ it may be that the wording is not clear enough for me or I am misreading it, but elaboration would be appreciated.

Hardening iOS:
Regarding my mobile device, I am using an iPhone, as such I have configured Safari and other settings like Advanced Data Protection as recommended by PG. One thing that PG does not recommend, but that I have discovered is that you can turn on Screen Time and disable the allow account changes option, which means that even if an attacker gets into my iPhone, they cannot change my Apple ID password without guessing my screen time passcode, which I myself do not even know (for reasons not mentioned here). The only other way for an attacker to change my Apple ID password, would be for them to use my Bitwarden password and turn off Screen Time by clicking ‘Forgot Passcode’.

I appreciate that PG has privacy software recommendations for iOS, but what is not explicitly answered is whether I need a VPN for my mobile, whether I need to use DNS on my mobile, and how to configure DNS on mobiles in general. Answering these questions would be greatly appreciated.

What is DNS for? Why should I use it?
I have no idea about DNS in general, the explanation offered by PG is complicated to me. All I know is Mullvad is using their DNS for their browser and Firefox is using Cloudflare, I have no idea what it is for, or how to set it up for Windows or iOS (do I need to set it up for Safari or device-wide?), or whether it is exclusive to browsers, or if I need to set it up in the first place? Can anyone give me a rundown?

Prevalence of Facebook and Instagram:
Unfortunately, I have a Meta account which I used to contact my friends and family (on Facebook [FB]), and I also use this account for an old photography Instagram account. With this being said, are there any recommendations on hardening my Meta account? For example, can I enable end-to-end encryption on FB messenger?

Another challenge I face will be to convince my family and friends to use Signal as a primary messenger.

I need help on what to do for MFA, as using physical keys seems to be inconvenient for me. The next best thing is TOTP, right? Is MFA to be used for all online accounts? Can it actually be used for all online accounts in the first place, or do services have to support it?

What are some physical privacy measures (such as staying offline) I could implement?

Email clients and aliasing:
Should I harden Thunderbird? It may help to answer this question first, is hardening Thunderbird a one-off thing or would I need to update the modifications like in Arkenfox?

For iOS should I send emails with Canary Mail using my Proton Mail email address, or should I use Proton’s App Store email client?

Are email aliasing services such as, available on iOS, and should I avoid sending emails and registering accounts from iOS in the first place?

If I am using a university email which comes with a preset provider like outlook, how can I end-to-end encrypt my emails? From my limited knowledge, I guess Mailvelope may be of use here. Furthermore, will using an outlook email address on an email client like Thunderbird make my emails more private? In other words, can email clients independently improve the privacy of email addresses created with providers that have ‘native clients’ (i.e., their own clients) which may not be a private by default or at all.

Open PGP:
Open PGP is not explained to a degree that I can understand what it is for, why I need it and how I can use it.

In the recommended email clients section, Mailvelope seems to be the odd one out in that it is a browser extension. I am interested in what this extension is for and whether I need it, considering I am using Proton Mail.

I have gotten but not used: Cryptomator (for cloud encryption), Picocrypt (for file encryption) (no idea what all the options are) and VeraCrypt (for disk encryption). Since I am using Windows 11, are the first two programs not redundant if I use BitLocker to encrypt my entire laptop storage drive? Furthermore, can’t BitLocker also encrypt external drives like VeraCrypt. Finally, what is the use case for Cryptomator? These questions may highlight gaps in my knowledge, which could be ideally filled.

File sharing and sync (Send versus OnionShare?):
In the recommended file sharing and sync category in PG, unlike in the other categories, the use cases and pros and cons of the tools are not listed, making choosing a provider of this service difficult.

Also, I am having trouble differentiating between the use cases of the file sharing and sync tools and the cloud storage tools, as well as the productivity tools. In fact, I do not understand the use cases of the productivity tools in the first place, what is meant by ‘productivity tools’? This is a very ambiguous term. In addition, what is the point of Freedom box?

General questions:
• Does changing settings within a search engine such as DuckDuckGo, make me more ‘fingerprintable’?

• What is a news aggregator and what can it do, moreover, do I need one? Is it convenient? Could it address my previous concern: ‘if PG updates their guide based on new information, such as changing a recommended content blocker, altering a filter list setting within uBO or notifying users of a FF release making Arkenfox redundant, where could I subscribe to receive notifications of these changes? Are there other sites for this?’

Is a new aggregator different to say subscribing to an online newsletter via email?

• If Bitwarden’s ‘clouds’ or servers shut down will my passwords be lost? In other words, do I need to back up my passwords and should I encrypt this backup on an external drive? I have the Bitwarden app on Windows 11, so my passwords should be stored locally and encrypted, right?

• What is self-hosting? Should I need to do it in my case?

• To watch YouTube, should I use the Mullvad browser or should I use the FreeTube app on Windows 11? The same question applies with iOS, should I used Safari or an app recommended by PG (e.g., Yattee)?

Side note: I have noticed that the Most Popular category in FreeTube is non-random, it is filled with content that seems to be catered towards the people who made this software. Recommendations are disproportionately about engineering, technology, physics, gaming and general, entertainment-focused science videos. Whereas videos on niche topics seem to be lacking. Concerningly, there are no videos on biology or chemistry, or more educational, niche content. While I am happy more educational content is recommended by default, these biases need to be removed. The person who has made this program, is clearly a fan of big science/tech channels with a predisposition to engineering, physics type content.

• What is this page about: Router Firmware - Privacy Guides, do I need it?

• Again, after reading all the things I have done in order to improve my privacy and security, are there any obvious things that I have missed?

Site feedback:

  1. I think you need to update this page: Encrypted Private Email Recommendations - Privacy Guides, as Tuta claims to have password locked emails now. See: Protonmail vs. Tutanota.
  2. PG says Canary Mail is a paid app, whereas it appears to be free on the App Store at the moment.
  3. In a page that is early in the Knowledge Base, there is a spelling error.

Accounts (not super relevant):
I have tediously deleted all of my old online accounts, that I have signed up for over the years. Furthermore, I am planning to delete all of my Google accounts permanently. For the online accounts that I still possess, all of them are attached to a single Proton Mail account.


My advice is to make a post for each topic/question.


Man I would answer everything but you need to pay me consultation fees :rofl: :rofl: :rofl:



I agree with @anon85295620’s reply. People want to help you with advice. The current format is just a little too overwhelming.

Aside from creating multiple posts, you might also benefit from personal coaching with privacy stuff. For example, Techlore offers personal coaching: Techlore Coaching.

Have a great holidays season.


Yeah I agree, it is a little too much to ask for free I suppose!

1 Like

100% agree. However, I am definitely not a fan of paying for coaching, when I can educate myself for free.


Keep in minds simple elements to apply. Know the limits.

Maximizing privacy / security is not a good target, because it has a cost. Sometimes you have to show your identity to interact with the society, that is normal. Otherwise you will loose too much of other things, even privacy itself if you become too suspicious in your behavior.

No one is fully covered in privacy and security everyday, we regularly discover vulnerabilities. There is a whole black market of exploits.

Tomorrow a group achieves enough success in quantum computing and we are all in trouble regarding our “E2E encrypted tools”.
Some organisations are collecting the current encrypted data and waiting for this technological progress to happen.

So keep things simple or you will be lost in the complexity of privacy and security. Just having “good enough” habits is already huge compared to the average citizens.


paying can help you with clearing doubts and having a ready made action plan just specifically made for you.

. ''consultation": That’s why you visit a doctor for eg


I tried to comment on some items, but some of these are largely personal decisions you will have to answer for yourself. Whether Router Firmware options or Freedombox installs should be appealing to you is also likely based on your own opinion. If it doesn’t sound interesting to you, it may not be.

Definitely identify what your goals are and select pathways based on this.

  • Keeping up with PG updates: Subscribe to the RSS feed. Check out the weekly weekly recap videos as well. I imagine the noteworthy items would be there.

  • Using a VPN to hide your identity and then ordering shoes from the internet on your credit card shipped to your home address is likely not going to yield an anonymous experience online. I don’t really understand your other questions about shopping online.

  • Ambiguous characters: This feels like a personnel decision. You’re justification for keeping it off seems fine. If typing the password into your computers boot screen avoiding ambiguous characters may be more valuable.

  • I generally find people like Signal like it after giving it a try. I actively do not respond to insecure communication, such as SMS. Or, will simply reply only through the secure channel. Usually Signal. Sounds like you are on iOS, so you can take advantage of E2E iMessage as well. Lately I’m finding Signal has increased in popularity too.

  • iOS 17.3 will be out in a few weeks which addresses this.

  • DNS - My internet provider hijacks DNS requests. I don’t like this behavior and use secure DNS as a result. I use Mullvad DNS for the adblock benefit.

  • Use facebook/IG if you want. Meta likely has a privacy center with best practice recommendations. At least, years ago Facebook did so I’m sure there is something similar today. Enable a 2FA option.

  • I would not use university email for secure communication. However, if truly needed you could use PGP I suppose.

  • For encrypted files, what is the workflow you are attempting to achieve? Select the software based on that. Start with an encrypted system drive at minimum. (Does veracrypt still encrypt the Windows drive?)

  • Yes back up your password manager. I don’t as often as I should.

  • Again, after reading all the things I have done in order to improve my privacy and security, are there any obvious things that I have missed?
    You’ll need to sit down and identify exactly what you are trying to protect yourself against and I suppose you could have more specific feedback at that point. Are you trying to reduce your dependence on facebook? If so, than you likely haven’t achieved that goal. *I later read you are deleting old online accounts. Awesome! Now when I seldomly create accounts I try to only do so if I’m confident it can later be deleted. How to Create Internet Accounts Privately - Privacy Guides

  • Password locked emails in what way?

  • Canary mail appears to be a paid app


Thank you so much @ExcitingManatee for reading and answering my questions. You answered a sizeable amount of my questions and you were the first one to attempt to, so I commend you for that.

To clarify some things, firstly, you say:

How can I do this? I have no idea what an RSS feed is tbh.

You also say:

Basically, I want to know how to shop online in the most private way possible. I.e., should I use pseudonyms, a VPN, Tor etc. Although PG does provide information on this, some of it is confusing. For example, PG says: ‘Using a VPN in cases where you’re using your real-life or well-known identity online is unlikely be useful.’ However, they also say: ‘When purchasing online, ideally you should do so over Tor.’ If purchasing online is a case where a real-life identity is being used, this would contradict the first quote, as PG recommends that users connect to a VPN prior to connecting to Tor.

How can I check this for my internet provider?

This answers my question, I only have one question: how do I use PGP?

Their website you linked shows a free plan. In addition, I have downloaded their app on iOS for free.

For the answers I do not quote you on, you can assume you answered my questions successfully, well done!

Sorry I’m not prepared to give in-depth, but I’ll try to send you in a direction for your own research.

  • Choose an app from the PG news aggravation page and try a few RSS page links. I believe both Fluent and NetNewsWire are open source for Mac OS. For example: PG blog Feed: Direct: PG RSS link

  • I don’t know if it is DNS hijacking per se, but my issue was I might attempt to resolve a domain name from Google’s However, my ISP would reroute the request and return their own result. The result may have not been malicious but I found the behavior obnoxious. I couldn’t find the previous talk I listened to about it. My ISP can see what websites I browse based on the IP of the website. There are probably networking tools that can show you if this is occurring. See if this is applicable to your situation: Transparent DNS Proxy

  • I’m not an authority on PGP. There are guides however. Again, I don’t think using PGP is worth it over University email. The chance of your recipients also using PGP today is zero. Some would argue near-zero, but I’m going to make the case it’s zero. If you were apprehensive about onboarding others to Signal, this is not a solution.

  • Canary mail says 28 day free trial and then also says free forever. I don’t know. It’s not an app I would consider using since both Thunderbird and Apple Mail exist.

I am not well versed enough on all the issues that @Sprout3425 raised in this long post, but it seems to reflect my experience of going through the Privacy Guides website. I think it’s an excellent resource, and I’ve begun to implement some of the recommendations. But I have a lot of questions. I saw that one person was recommending a coach. But that seems like a financial obstacle for what needs to be seen as a right–security and privacy on the web. Are there other ways to present the information on the site that would help answer questions? Could there be a way to team up with some of the software developers to work with them? Or create a group of privacy volunteers who can help guide people? Maybe paid through tips? Just some thoughts.


I’ve been using Canary. The basic version is free. You need to pay for the Pro version to get access to features like encryption and AI.

So, why Apple Mail over Canary? Do you mean Apple Mail for iOS?

If Apple Mail (on iOS) comes with encryption for free, Canary seems obsolete?

The same logic applies for Windows 11, should I use the Proton Mail web client or use Proton Mail on the desktop Thunderbird client?

I think you can’t use third party clients in proton (last I checked)

Browser containers are always nice

first party support (high compatibility + complete feature set) is always better unless you have a very specific and reasonable requirement.

1 Like

You can. You just have to use their bridge software.


Thanks for clarifying.

Yesterday, I wasn’t worried about this.

Now, I am worried about this.