Edit: I understand that this post is lengthy and intimidating, however, if anyone can even answer one of my questions that would be appreciated.
Hello, good people at Privacy Guides (PG)! I hope everyone is having a great holiday season. I have compiled a list of recommendations that I have implemented, along with the questions that surfaced during my reading of the entire Recommendations page, below.
Before this, I need to say that this post is lengthy, so no one is obliged to read it (it’s kind of a headache really), however, if you do take the time, I would greatly appreciate any suggestions for areas I might have overlooked. The many questions I ask should provide an insight into my knowledge gaps, thus, allowing more informed people to potentially address these gaps. Doing so could be extremely informative for readers of this post. Furthermore, I would like to mention that I am a complete noob in this field, my ‘expertise’ is in the field of biology and more generally science, and not in computer science.
My current circumstances are:
To begin with, I am using Windows 11 for my personal computer and iOS for my mobile device. I am a university student and my main goal is to study, so I will need to use digital devices and the internet, I will need to access resources without wasting time, such as my university’s LMS. I am stating my circumstances because they may put my decisions into context and help provide more helpful advice.
Automatic privacy hardening:
Now, I have what I believe to be an important question about ‘privacy automation’. Specifically, why aren’t there more scripts or applications that automatically enhance the security and privacy (harden) of software like Windows or Firefox (e.g., automated Arkenfox which is self-maintaining)? These scripts or applications could have adjustable settings, allowing users to modify the degree of security hardening and the corresponding usability of the software. At the same time, these tools could educate users about the function of each setting at various levels (e.g., on or off), the recommended level for each setting, and how each level influences usability. So I have another related sub-question: what are all of your opinions on scripts like the following: GitHub - simeononsecurity/Windows-Optimize-Harden-Debloat, which are able to automatically ‘harden’ software?
Web browsers and extensions:
I have downloaded Firefox (FF) and changed its settings accordingly to improve my privacy and security (as recommended by PG, except I am reluctant to use Arkenfox). I am using FF for when I want to sign into accounts. I have downloaded both the Mullvad browser and the Tor browser, and I understand that I should use the Mullvad browser for viewing webpages that I can view without signing in, but this begs the question: what is the point of the Tor browser?
With regard to FF browser extensions, I have installed uBlock Origin and set it up as recommended by PG.
A crucial question I have is: if PG updates their guide based on new information, such as changing a recommended content blocker, altering a filter list setting within uBO or notifying users of a FF release making Arkenfox redundant, where could I subscribe to receive notifications of these changes? Are there other sites for this?
Now, returning to the main topic, I previously had Bitwarden and Skip Redirect as extensions. However, in an attempt to reduce my ‘fingerprint’ and ‘attack surface’ (terms I believe I’m using correctly, but I have a poor understanding of), I removed them. I chose not to use Skip Redirect (which might not be a good idea) and instead opted to use Bitwarden’s web vault (inconvenient since I cannot use autofill). The same situation applies to addy.io, should I use it as a website for enhanced security and privacy, or is this inconvenient compared to browser extension? For those of you who argue it is personal choice, it may be that using a website and extension may be similarly convenient, and so choosing to use an extension could be deemed pointless.
VPN:
In addition, as instructed by PG, I am using Proton VPN, except where it is inconvenient to do so (so far, I have not tested it out for online shopping, so I don’t know if it is feasible for this, this could be a possible inconvenience. Moreover, sometimes loading speeds are slow using a VPN, this could be an inconvenience for some people or in specific situations e.g., doing an online exam). However, I need to clarify when PG recommends that VPNs and anonymous browsers are to be used, in other words, what are the specific scenarios when using a VPN would be a bad idea? PG says: ‘Using a VPN in cases where you’re using your real-life or well-known identity online is unlikely be useful.’ Firstly, this sentence is a bit ambiguous, what is meant by ‘in cases where you’re using your real-life or well-known identity online’? PG could answer this by elaborating with actual, specific examples. To add to my confusion, PG says: ‘When purchasing online, ideally you should do so over Tor.’ Is purchasing online, not a case where a real-life identity is being used? If so, this would contradict the first quote, as PG also recommends that users connect to a VPN prior to connecting to Tor. As you can see, understanding the first quote is hard for me, and it may be my misinterpretation, but elaboration would be appreciated.
I find this point to be less important, so feel free to ignore it. PG says: ‘Use responsible language: i.e., it is okay to say that a VPN is ‘disconnected’ or ‘not connected’, however claiming that someone is ‘exposed’, ‘vulnerable’ or ‘compromised’ is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider’s service or using Tor.’ Firstly, PG recommends using a VPN before connecting to Tor, so the alarming language might be necessary in the case that the person is ‘using Tor’. Secondly, and less importantly, Proton uses alarmist language (‘You are not protected’) when you are not connected to it, just something to note.
Online shopping safety and privacy advice:
The quote: ‘When purchasing online, ideally you should do so over Tor,’ reminds me to ask some questions regarding online shopping safety and privacy advice. Firstly, if a company needs and acquires my shipping address, name and debit card information for an online order, and then sends these details back to me using a text message or email to my Proton account, as an order confirmation, will my details be unencrypted? In addition, is there any way I can maximise my privacy in this situation or avoid this situation in the first place? For example, should I give them a fake name, or my initials rather than my real name? I know I could get them to send the package to a nearby location that is not my home, but this would be inconvenient. Due to the ubiquity of online shopping, some online shopping advice would be appreciated.
Password management:
As instructed by PG, I use Bitwarden to generate passwords that are as complex as online services allow. I have a quick related question, should I uncheck the avoid ambiguous characters option in the Bitwarden password generator? It seems that since I am not memorising the randomly generated passwords, and perhaps due to the possibility of this selection decreasing the randomness of the passwords, it may be a bad idea to keep this checked, or am I completely misunderstanding the purpose of this option?
A question regarding deanonymisation:
PG briefly mentions this: ‘We know people can quite easily deanonymise themselves in a number of ways, e.g.: Reusing personal information (e.g., email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.) Browser fingerprinting.’ Could we expand on this, so I and others who may be reading this, can avoid making such mistakes in the future? I ask this because I do not understand what is meant by this: ‘Reusing personal information (e.g., email accounts, unique pseudonyms, etc.) that they accessed without anonymity software (Tor, VPN, etc.),’ it may be that the wording is not clear enough for me or I am misreading it, but elaboration would be appreciated.
Hardening iOS:
Regarding my mobile device, I am using an iPhone, as such I have configured Safari and other settings like Advanced Data Protection as recommended by PG. One thing that PG does not recommend, but that I have discovered, is that you can turn on Screen Time and disable the allow account changes option, which means that even if an attacker gets into my iPhone, they cannot change my Apple ID password without guessing my Screen Time passcode, which I myself do not even know (for reasons not mentioned here). The only other way for an attacker to change my Apple ID password would be for them to use my Bitwarden password and turn off Screen Time by clicking ‘Forgot Passcode’.
I appreciate that PG has privacy software recommendations for iOS, but what is not explicitly answered is whether I need a VPN for my mobile, whether I need to use DNS on my mobile, and how to configure DNS on mobiles in general. Answering these questions would be greatly appreciated.
What is DNS for? Why should I use it?
I have no idea about DNS in general, the explanation offered by PG is complicated to me. All I know is Mullvad is using their DNS for their browser and Firefox is using Cloudflare, I have no idea what it is for, or how to set it up for Windows or iOS (do I need to set it up for Safari or device-wide?), or whether it is exclusive to browsers, or if I need to set it up in the first place? Can anyone give me a rundown?
Prevalence of Facebook and Instagram:
Unfortunately, I have a Meta account which I used to contact my friends and family (on Facebook [FB]), and I also use this account for an old photography Instagram account. With this being said, are there any recommendations on hardening my Meta account? For example, can I enable end-to-end encryption on FB messenger?
Another challenge I face will be to convince my family and friends to use Signal as a primary messenger.
MFA:
I need help on what to do for MFA, as using physical keys seems to be inconvenient for me. The next best thing is TOTP, right? Is MFA to be used for all online accounts? Can it actually be used for all online accounts in the first place, or do services have to support it?
What are some physical privacy measures (such as staying offline) I could implement?
Email clients and aliasing:
Should I harden Thunderbird? It may help to answer this question first, is hardening Thunderbird a one-off thing or would I need to update the modifications like in Arkenfox?
For iOS should I send emails with Canary Mail using my Proton Mail email address, or should I use Proton’s App Store email client?
Are email aliasing services such as addy.io, available on iOS, and should I avoid sending emails and registering accounts from iOS in the first place?
If I am using a university email which comes with a preset provider like Outlook, how can I end-to-end encrypt my emails? From my limited knowledge, I guess Mailvelope may be of use here. Furthermore, will using an Outlook email address on an email client like Thunderbird make my emails more private? In other words, can email clients independently improve the privacy of email addresses created with providers that have ‘native clients’ (i.e., their own clients) which may not be private by default or at all?
OpenPGP:
OpenPGP is not explained to a degree that I can understand what it is for, why I need it and how I can use it.
In the recommended email clients section, Mailvelope seems to be the odd one out in that it is a browser extension. I am interested in what this extension is for and whether I need it, considering I am using Proton Mail.
Encryption:
I have gotten but not used: Cryptomator (for cloud encryption), Picocrypt (for file encryption) (no idea what all the options are) and VeraCrypt (for disk encryption). Since I am using Windows 11, are the first two programs not redundant if I use BitLocker to encrypt my entire laptop storage drive? Furthermore, can’t BitLocker also encrypt external drives like VeraCrypt? Finally, what is the use case for Cryptomator? These questions may highlight gaps in my knowledge, which could be ideally filled.
File sharing and sync (Send versus OnionShare?):
In the recommended file sharing and sync category in PG, unlike in the other categories, the use cases and pros and cons of the tools are not listed, making choosing a provider of this service difficult.
Also, I am having trouble differentiating between the use cases of the file sharing and sync tools and the cloud storage tools, as well as the productivity tools. In fact, I do not understand the use cases of the productivity tools in the first place, what is meant by ‘productivity tools’? This is a very ambiguous term. In addition, what is the point of FreedomBox?
General questions:
• Does changing settings within a search engine such as DuckDuckGo, make me more ‘fingerprintable’?
• What is a news aggregator and what can it do, moreover, do I need one? Is it convenient? Could it address my previous concern: ‘if PG updates their guide based on new information, such as changing a recommended content blocker, altering a filter list setting within uBO or notifying users of a FF release making Arkenfox redundant, where could I subscribe to receive notifications of these changes? Are there other sites for this?’
Is a news aggregator different to, say, subscribing to an online newsletter via email?
• If Bitwarden’s ‘clouds’ or servers shut down will my passwords be lost? In other words, do I need to back up my passwords and should I encrypt this backup on an external drive? I have the Bitwarden app on Windows 11, so my passwords should be stored locally and encrypted, right?
• What is self-hosting? Should I need to do it in my case?
• To watch YouTube, should I use the Mullvad browser or should I use the FreeTube app on Windows 11? The same question applies with iOS, should I use Safari or an app recommended by PG (e.g., Yattee)?
Side note: I have noticed that the Most Popular category in FreeTube is non-random, it is filled with content that seems to be catered towards the people who made this software. Recommendations are disproportionately about engineering, technology, physics, gaming and general, entertainment-focused science videos. Whereas videos on niche topics seem to be lacking. Concerningly, there are no videos on biology or chemistry, or more educational, niche content. While I am happy more educational content is recommended by default, these biases need to be removed. The person who has made this program is clearly a fan of big science/tech channels with a predisposition to engineering, physics type content.
• What is this page about: Router Firmware - Privacy Guides, do I need it?
• Again, after reading all the things I have done in order to improve my privacy and security, are there any obvious things that I have missed?
Site feedback:
- I think you need to update this page: Encrypted Private Email Recommendations - Privacy Guides, as Tuta claims to have password locked emails now. See: Protonmail vs. Tutanota.
- PG says Canary Mail is a paid app, whereas it appears to be free on the App Store at the moment.
- In a page that is early in the Knowledge Base, there is a spelling error.
Accounts (not super relevant):
I have tediously deleted all of my old online accounts, that I have signed up for over the years. Furthermore, I am planning to delete all of my Google accounts permanently. For the online accounts that I still possess, all of them are attached to a single Proton Mail account.