Improve your online privacy with this comprehensive guide, developed by the Proton Mail team. Here, we’ll help you determine your threat model and take steps to achieve online privacy that meets your needs.
Updated July 2019
Total Internet privacy is impossible, but you can get close by adjusting your online behavior — and a few of your privacy settings. This guide is designed to help you with simple, practical solutions to keep prying eyes away from your personal information and private email.
Many Internet privacy guides promote unrealistic solutions, like using Tor all the time (which will slow your Internet) or communicating only through Signal encrypted messenger (which is useless unless your contacts are using it too). While such technologies provide a high level of privacy, they may not be necessary under your personal threat model. In other words, you probably don’t need to take the same privacy precautions as a Turkish dissident or an NSA whistleblower. And the best privacy recommendations can be counterproductive if you burn out following them, like one writer for Slate did(new window).
So, in this guide to Internet privacy, we’ll show you how to understand your own threat model, followed by some practical steps you can take. Each of the sections has a simple recommendation you can follow to increase your online privacy. This page is designed to be a handy, ongoing resource rather than a quick checklist, so consider bookmarking this page to come back to it later when you need a refresher.
Table of contents:
- Why Internet privacy matters
- Understanding your threat model
- Browsing online privately
- Communicating privately
- Secure your device
I. Internet privacy is important for everyone
If you use the Internet at all, then privacy issues directly impact you. Without Internet privacy, someone could steal your credit card number or your identity and damage your credit score. Internet privacy keeps hackers from infiltrating your online accounts (you don’t want to be this guy(new window)) and spying on your activity while using public WiFi.
As both citizens and users of the Internet, we all have a stake in the quality of our society. Privacy is a fundamental human right and a prerequisite for democracy. For authoritarian governments and profit-seeking companies alike, invasions of privacy are a useful means of control. If you value your freedom, then Internet privacy should matter to you.
II. Understanding your threat model
A threat model(new window) is a method of evaluating security and privacy risks in order to mitigate them strategically. You can define a personal threat model to understand your Internet privacy priorities. Start by answering the following questions:
- What information do you want to protect?
- Who might want to gain access to that information?
- Where is that information stored and transferred?
Because there is no such thing as 100% privacy, we provide solutions for both low and high threat scenarios. You don’t have to implement them all depending on your threat model.
III. Browse the Internet privately
Your browsing data is extremely valuable to companies that buy and sell targeted advertising. The largest companies in this space, like Google and Amazon, make so much money from your personal data that it is now more valuable than oil(new window). But these companies are vague about how they use and store(new window) your information, and data breaches(new window) and privacy scandals(new window) are so common that we’ve come to expect them. Prying corporations aside, governments also collect huge amounts of data through mass surveillance, and some of them even conduct targeted surveillance (e.g. against journalists or activists). Also, the more data you transmit online and store in the cloud, the more likely hackers are to take advantage of it for financial gain.
Increasingly, there are private alternatives to data-hungry companies. For example, Proton Mail is a private alternative to Gmail. Instead of Google Drive, which can access and scan your files and documents, you could use encrypted cloud storage.
Learn more: What is end-to-end encryption?(new window)
Use a privacy-focused browser
Google Chrome is the most popular browser in the world. But it enables so much data collection that The Washington Post said it “has become spy software(new window).” That’s because Chrome logs your browsing history and allows third parties to plant tracking cookies that monitor your activity.
We recommend: Use a web browser to block online tracking(new window). Firefox is the most popular privacy-focused browser, but Brave and Safari are also good options. If you must use Chrome, you can manage your Google activity(new window) to limit how much data it can collect.
Encrypt your Internet connection with a VPN
A VPN(new window) encrypts your Internet connection from your device to the server owned by your VPN service provider. Using a VPN can help keep your web traffic safe from anyone monitoring the network at the local level: hackers, your Internet service provider, and surveillance agencies. A VPN will also mask your true location and IP address, allowing you to browse more privately and access geo-restricted content.
A VPN will not, however, protect your web traffic against the VPN provider. That’s why it’s important to choose a VPN service you trust(new window) that does not keep logs of your activity.
We recommend: Use Proton VPN(new window) on your desktop and mobile devices. It offers access to hundreds of servers in dozens of countries, has advanced security features like Secure Core(new window), and follows a strict no-logs policy(new window). Proton VPN also has a free VPN service(new window) to guarantee basic access to the Internet to everyone.
Protect your search queries
Google tracks all its users’ search queries and clicks(new window). If you’re logged in to your Google account while using Search, the company keeps a record of this information connected to your profile. This has helped Google refine its search algorithms, but it also helps the company profit from your private data.
We recommend: DuckDuckGo(new window) is a private alternative to Google Search that doesn’t store users’ personal data or track their activity.
Limit the information you share publicly
A lot of sensitive information about you is publicly available on the Internet. Some of it is a matter of public record, like court records, addresses, and voter registration. But much of it we put on the Internet voluntarily, usually via social media, like photos (often location tagged), family members’ names, and work history.
Hackers can use these clues for social engineering and to answer security questions. Photos of you on social media can even be used to create deepfake(new window) videos of you. Almost all online services and Internet-connected devices have privacy settings you can adjust to restrict the amount of information collected and/or shared online. You can also add an additional email address to your Proton Mail account, which you can share publicly, instead of your primary email.
Limit the information you share privately
Online service providers can be vulnerable to data breaches(new window), which can instantly compromise your privacy, sometimes in embarrassing ways(new window). Even large services like Google or Facebook are not immune to data breaches. You can mitigate the privacy threat of data breaches by limiting the information you share with these services. For instance, you can use Google Chrome or Google Maps without logging into your account, or simply switching to a more privacy-friendly browser like Firefox.
If the services themselves (and their third-party partners) are part of your threat model, switch to privacy-focused services that do not collect user data. With Proton Mail, accounts are anonymous (not linked to your real-life identity), and we collect as little user information as possible.
Make your account safe and secure
First things first: To keep your online accounts private, you must keep them secure. Your password is your first line of defense. Make sure you use strong, unique passwords. A password manager can help you generate and store them so that you don’t have to write them down.
Your second line of defense is two-factor authentication(new window) (2FA). This is a way to secure your account with a second piece of information, usually something you have with you on your person, like a code created on an authenticator app or fob.
Avoid using public computers to access your accounts because keyloggers can record your login credentials. And if you absolutely must use a public computer, be sure to log out of your accounts.
Many services (such as Proton Mail and Proton VPN) allow you to see when and from what IP address your account has been accessed. If you do not recognize one of these logins, you can log out of other sessions remotely.
We recommend: Use a password manager such as Bitwarden, KeePass, LastPass, or 1Password to help you create and securely store strong passwords.
Learn more: How to create a strong password(new window)
Use HTTPS everywhere
Always ensure that your Internet connection is encrypted from your device to the company’s servers. You can check that this is the case by making sure the URL of the website begins with “https”.
We recommend: Download the browser plugin called HTTPS Everywhere(new window) to help you do this automatically.
When to use Tor
If your threat model requires a very high level of Internet privacy, you should connect to the Internet through Tor. Tor is a technology maintained by the nonprofit Tor Project, which allows you to use the Internet anonymously. It works by bouncing your connection through multiple layers of encryption, both protecting your data and concealing its origin. Tor also allows you to access blocked websites (such as those offering E2EE services) via the dark web. However, the downside of Tor is that it is generally significantly slower compared to using a VPN.
We recommend: Download the Tor browser(new window) or connect to the Tor network using Proton VPN(new window) if you have advanced privacy needs.
Learn more: How to use Proton Mail with Tor(new window)
IV. Keep your communications private
When communicating online, there are several ways companies or hackers can access your private conversations. Without encryption, an attacker monitoring the Internet would be able to see the information being transmitted, from credit cards to chat messages.
Of course, the vast majority of online services use some form of encryption to protect the data traveling to and from their servers. But only a few tech companies encrypt your information in such a way that even the company cannot decrypt it. This kind of encryption is called end-to-end encryption(new window) (E2EE). Whenever possible, use services that offer E2EE and protect your privacy by default.
Use encrypted email
Services like Gmail and Yahoo can scan your mailbox to collect data. Google, for instance, reads your purchase confirmation emails(new window) to build a database of everything you buy. If you don’t want your email service provider to have access to this kind of private information, you should switch to an end-to-end encrypted email provider.
Messages between Proton Mail users are always transmitted in encrypted form. When a user sends an email to another Proton Mail user, the emails are encrypted on the sender’s device, and can only be decrypted by the recipient. All emails sent to/from a Proton Mail account (even if the other side is not using Proton Mail) are stored with zero-access encryption(new window). Once a message is encrypted, only the account owner can decrypt it.
We recommend: Create a free Proton Mail account and download our mobile app(new window) to start using private email. When signing up for newsletters or online services, you should provide them with your encrypted email address.
Chat privately with secure apps
For instant messaging, you have many options. WhatsApp is one of the most popular chat apps, and it features E2EE. But Facebook (which owns WhatsApp) can see who you communicate with and when, and there may even be ways for Facebook to gain access to your messages(new window) if it wanted to. Facebook Messenger is not E2EE by default. WeChat also offers no E2EE.
We recommend: For better chat security and privacy, we recommend using Wire or Signal.
Phone number apps
Private phone number apps use Voice over Internet Protocol technology to allow you to make and receive calls and SMS with a second phone number. This can offer some privacy benefits because you are not always required to give the app provider any identifying information.
We recommend: Apps like Phoner(new window) provide anonymous calling and texting. You should keep your main phone number private while providing your second phone number for account verification and to online services that require a phone number.
V. Secure your device
Most threat models should include the possibility of your device getting stolen or lost. Often, a compromised smartphone will also compromise many of your online accounts. Other times, device privacy simply means privacy from people looking over your shoulder.
We recommend: Adjust your notification settings so that messages and senders don’t appear on your lock screen.
Keep your device locked down
Because of the differences between different operating systems and devices, we will only provide general recommendations here. Always set a password on your device. Biometric authentication, such as fingerprints or facial recognition, should be sufficient for most users. However, people with elevated security concerns may opt to require a password every time.
Those with advanced threat models may also want to encrypt their devices. This is usually an additional step. Follow the links for instructions to do so on Windows(new window), Mac(new window), and Android and iOS(new window).
Additionally, there are apps(new window) that allow you to wipe, locate, and potentially identify the thief if your device is stolen.
If your device somehow is compromised with spyware, a low-tech privacy solution, ironically popularized by Mark Zuckerberg(new window), is to cover your webcam with a piece of opaque tape.
Be vigilant for phishing attacks
A phishing attack(new window) attempts to steal your account credentials or infect your device with malware by tricking you into clicking on a link or downloading an attachment. Email is one of the easiest ways for hackers to get into your computer. So it’s important to be alert and never click on links or download anything from a source you don’t completely trust.
We recommend: Read our article about how to prevent phishing attacks(new window) to understand what phishing looks like and how you can protect yourself or your business.
Delete unused apps and ensure software is up to date
Another critical part of protecting your device is maintaining its software. You can help prevent attackers from installing malware on your device by keeping your apps and operating systems up to date. Software updates often include security patches for recently discovered vulnerabilities.
At Proton Mail, we believe a more private Internet is possible, but it will require a major shift from the current ad-based business model. With your support, we will continue to develop tools that enable privacy, security, and freedom online. In the meantime, everyone can take simple, positive steps in their own behavior to improve their privacy individually. Because Internet privacy is a sliding scale, implementing just a few of the solutions in this guide will give you more privacy than you had before.
What are your thoughts? Do you know some online privacy tips that aren’t mentioned in this guide? We would love to hear your feedback. You can find us on Twitter(new window) or Reddit(new window) to share your ideas.
The Proton Mail Team
You can get a free secure email account from Proton Mail here(new window).
We also provide a free VPN service(new window) to protect your privacy.
Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support!