Introduction

This book is dedicated to all those good people giving their time and energy, and sometimes, in some places, even their freedom or their lives, to do something they truly value. This is a book on anonymity and privacy in this lush forest full of data hunters called the internet.

Every species in this jungle has one thing in common: they all have data they want to protect, even if they don't want to admit it. Even if they say they have nothing to hide, and maybe they're right. I don't hide my credit card credentials either, but I never want anyone who I don't trust to have their hands on them. And that's what privacy is.

Privacy is a human right, and nobody should have the right to take it away from someone else. Unfortunately, we live in a world where our rights mean nothing. Companies, doxxers, governments, spy agencies—everyone violates our right to privacy every day. And they won't stop; they profit from our data. Our data is the bricks of their offices. We're the ones who need to stop handing them our data, at least to some degree, without making our lives miserable and unnecessarily difficult.

Some might call this need for privacy paranoia, but protecting yourself and your loved ones from future damage is not paranoia. Look at privacy as insurance; you might trust your government today, you might trust your messenger with your messages, you might trust Google with your whole life. But remember, Satan was once an angel too. Anyone can turn evil; any government can become corrupt and dictatorial. You wouldn't want them to know every single second of your life when they do.

Privacy nowadays is not possible without security. Your data needs to be secured so that only those you authorize can access it. You should expect that everything you put online will be read and opened one day. All you can trust with your data is encryption algorithms and the mathematics behind them, which ensure their security and reliability. But even the most secure encryption algorithms might be broken one day, and that's something to keep in mind.

Privacy and security are also the building blocks of anonymity. You will need both to stay anonymous. Anonymity is when people see what you do—what you want them to see obviously—but they can't know who actually is behind those acts. It's similar to privacy, but in privacy, they know who you are but they don't know what you're doing.

This book isn't meant for criminals, terrorists, racists, or anyone seeking to hide their wrongdoing. It's for human rights activists, those fighting for freedom in places where it isn't allowed, and those who contribute positively to society rather than tearing it apart. It's for the heroes who wear masks to protect themselves and their loved ones, not for supervillains.

This book is also free, not in the sense of not costing anything to read, but free as in freedom. It's a side project of mine, written in my free time under the CC BY-NC 4.0 license. This license allows anyone to share and copy it in any medium and make changes to it, as long as they give credit to the author and indicate the changes they've made. Additionally, this license does not permit commercial use.

I'm not doing this for profit; if I wanted money, I would work for it. This book, along with all my other projects, is driven by my passion for creating free content and software that I believe can help others who need them. However, I do accept and greatly appreciate donations. They enable me to dedicate more time to what I value and worry less about working another job I don't enjoy just to make a living. So, if you find my work helpful or you want to support what I do, please check the donation section of this book.

Chapter 1

The Dunning-Kruger effect manifests when you begin learning a skill. Initially, you have high confidence in yourself and your abilities due to your limited understanding of the task. As you delve deeper into learning, your confidence declines as you realize how much you still have to grasp. However, as you continue to master the skill, your confidence gradually rises again. This time, it's supported by your actual proficiency.

The same principle applies to privacy and security. Initially, you might believe that simply opening an incognito tab makes you safe and anonymous. But as you learn more, paranoia sets in as you realize how vulnerable you actually are. Yet, over time, you'll build confidence, and you'll feel safe again. This time, however, your safety is grounded in actual knowledge and skill.

In the first chapter, the focus will be on debunking some privacy and security myths that many newcomers in the world of privacy believe in. These myths can actually worsen your privacy by making you more identifiable while providing no real benefit.

I have no enemies

The first myth, and perhaps the biggest one in the world of privacy, is what I call the "I have no enemies" phenomenon, or what you might know as "I have nothing to hide." As I mentioned in the introduction, even if we don't have things to "hide," we surely have things we want to protect. Maybe it's not even about us; perhaps people we know and care about have things to hide, and we could be the weak link in their privacy chain.

You and I might not have enemies today, and we might not have things to hide today. But can we say for sure that this will be true in five or ten years? Surely not. We don't and can't know what will happen. Our privacy today can serve as insurance for what might happen later.

Imagine if someone managed to gather your personal information and used it for illegal activity. Would it be harder to convince the police or FBI that you didn't do it than it would be to protect your personal information in the first place? Or maybe ten years later, if Google turned evil and worked as a "terrorist detection tool" for the government. When you're traveling with your wife and kids, they pull up your emails, search histories, and suggestions you've received. Due to your searches on explosives last year for your kid's birthday and the ad suggestions you received because of them, you get flagged as a terrorist. Now you spend the rest of your life on a watchlist.

But I assume that if you're reading this book, you probably understand the importance of privacy, especially in this day and age where it's the least respected human right. But we all can change that. The blame for this situation lies with governments, doxxers, companies, and those so-called "national security agencies." However, the responsibility to make things right lies with us. We should protect our privacy.

I'd just go incognito

If you ask someone who's not familiar with how the internet works what they would do to become totally anonymous online, they might say, 'I'd just open incognito mode.' That is probably the most common myth in the privacy world among normies: the belief that incognito mode means no one will be able to track them or see their activities online. But that's far from reality. All incognito mode does is stop the browser you're using from saving your history and logins.

Still, your ISP knows what you're doing, the website knows your IP address, and you're still unique and fingerprintable. Incognito mode has some privacy benefits though, especially if you're using someone else's computer. In that case, you wouldn't want your cookies, your search history, or your logins to be stored on their device. But it doesn't contribute much more to your privacy or security than that.

To hide your activities, you'd need something that encrypts your requests and redirects them to your desired destination. This could be a secure proxy, an SSH tunnel, or a VPN. However, it's crucial to note that the sites you visit can still fingerprint you and track you across other websites. I'll cover these in depth in the next chapters.

VPNs are Anonymous

This is kind of the biggest myth in the privacy and anonymity world: the belief that if you use a VPN, nobody will know what you're doing and you'll become totally anonymous. But that's completely wrong. Think of VPNs as shifting the trust from your ISP to your VPN provider. When you connect to your VPN, you're now letting them see what your ISP was seeing before.

Also, they don't do a good job at hiding your real IP. With most VPN companies, a court order will get them to hand over all the logs and data they have on you, and usually, they have a lot. There are some exceptions though. Companies like Mullvad, ProtonVPN, and Windscribe have built their reputations based on the privacy of their users. They can be signed up for anonymously, paid with cash or crypto, and they claim not to log user traffic and activities. But still, that doesn't make them an anonymity tool.

Even if your VPN provider doesn't log anything, the datacenters hosting their servers surely will. Another thing is that VPNs are vulnerable to traffic analysis; the VPN traffic can be analyzed to find patterns that indicate the source and destination of your traffic. And that's okay; VPNs aren't meant to be anonymity tools after all.

Another problem with VPNs is fingerprinting. With Tor, you have the Tor Browser, which is designed to make all Tor users look identical. But with VPNs, you're the most unique person on this planet, especially if you have a browser that is modified in any way or if you're using an operating system like Linux or BSD. Even the smallest changes can make you super unique when it comes to fingerprinting, and that's not what you want for anonymity. For privacy, though, that would be fine. You can safely use a hardened Firefox, for example, for your personal usage, like watching YouTube and paying your bills. That's actually a good move. In that scenario, you don't need to look like everybody else; you can be unique. I'll cover fingerprinting more in the next chapters.

If you want to maintain your anonymity, you should use tools specifically built for it, like Tor (and the Tor Browser). What Tor does is precisely what its name stands for: the onion router. It works like an onion, encrypting your data in three layers. As the data passes through each Tor relay, one layer of encryption will be removed, revealing the address of the next relay in the chain until the data reaches the final destination. When browsing the clearnet with Tor, your last relay will be a node called the exit node. The exit node is able to see the data inside your packet, but it won't know for sure where the packet originated. To trace a packet back to its sender, all relays that your traffic passes through must be controlled by one person, which is very unlikely and costly to implement.
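The layering described above, as an added sketch that is not from this book or from Tor's code: three hypothetical relays (guard, middle, exit) each hold one key and strip one layer. The cipher is a toy SHA-256 keystream standing in for Tor's real cryptography, and the relay names, keys, and request are constructed for the example.

```python
import hashlib
import hmac
import secrets


def subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one relay key.
    return hashlib.sha256(label + key).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). NOT what Tor uses."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one layer: only the holder of `key` can learn `next_hop`."""
    hop = next_hop.encode()
    nonce = secrets.token_bytes(16)
    plain = bytes([len(hop)]) + hop + inner
    body = keystream_xor(subkey(key, b"enc"), nonce, plain)
    tag = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def peel(key: bytes, cell: bytes):
    """Remove one layer; returns (next_hop, inner_cell)."""
    nonce, tag, body = cell[:16], cell[16:48], cell[48:]
    expected = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("this layer was not encrypted for this relay")
    plain = keystream_xor(subkey(key, b"enc"), nonce, body)
    hop_len = plain[0]
    return plain[1:1 + hop_len].decode(), plain[1 + hop_len:]


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost (exit) first."""
    cell, next_hop = payload, destination
    for name, key in reversed(circuit):
        cell = seal(key, next_hop, cell)
        next_hop = name
    return cell


def route(relay_keys: dict, sender: str, first_relay: str, cell: bytes):
    """Simulate the relays and record what each one is able to observe."""
    observations = []
    previous, current = sender, first_relay
    while current in relay_keys:
        next_hop, cell = peel(relay_keys[current], cell)
        observations.append(
            {"relay": current, "from": previous, "to": next_hop, "forwards": cell}
        )
        previous, current = current, next_hop
    return observations, current, cell


def demo():
    # Constructed circuit; real Tor negotiates a fresh key with each relay.
    circuit = [(name, secrets.token_bytes(32)) for name in ("guard", "middle", "exit")]
    payload = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed request
    onion = build_onion(circuit, "example.org:80", payload)
    observations, destination, delivered = route(dict(circuit), "client", "guard", onion)
    return observations, destination, delivered, payload


if __name__ == "__main__":
    observations, destination, delivered, payload = demo()
    for seen in observations:
        readable = "plaintext" if seen["forwards"] == payload else "ciphertext"
        print(f'{seen["relay"]:6} got it from {seen["from"]:6} '
              f'and forwards {readable} to {seen["to"]}')
```

The guard knows who the client is but only sees ciphertext and the middle relay's name; the exit sees the request and the destination but only knows it came from the middle relay.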

However, when you browse websites hosted on the Tor network, your data is end-to-end encrypted with the website's public key (the website's address is the public key, which is why Tor addresses are so long and hard to memorize). Therefore, nobody in the middle can open the traffic; they will simply pass it through until it reaches its destination.

There are other anonymity tools as well, such as Lokinet, which is the newest, and I2P. Both of these are technically more anonymous than the Tor network, but technicality isn't everything. I2P and Lokinet both have very limited nodes compared to Tor, which makes the network more vulnerable. Additionally, neither of them provides a browser like the Tor Browser to prevent fingerprinting of users.

So for now, the best option is Tor, both because of its proven track record over the years and the considerable number of volunteer nodes and relays it has. Moreover, the Tor Browser does a great job of making Tor users identical to each other when using the Tor network.

Something to keep in mind when using the Tor Browser is that you shouldn't modify anything. Leave it as is; don't install plugins or tweak it. The Tor Browser is meant to have similar fingerprints to other Tor browsers, and even the smallest changes might make you the most unique person on the Tor network.

I'm using a strong password

Another myth that I see a lot of normies believe in is that they have to have a strong password, something random and hard to memorize. Having strong passwords is a must, but having one strong password for everything not only doesn't contribute much to your security but also makes you really vulnerable.

Imagine you've used the same password for every site you've ever signed up for. The password is really complicated and strong, though. But if one of these sites didn't store your password properly and got hacked, and their database went public, anybody can now use that same password to log in to any other website or service that you've signed up for.

Instead of bothering with memorizing a really hard password, you should be using a password manager, either something locally stored like KeePass or something online like Bitwarden.

Those password managers that store the passwords locally are obviously more secure than the online ones, simply because if anyone wants to gain access to their database, they'd have to gain access to your computer. Not saying that it's impossible to gain access to your computer, but Bitwarden's servers might be far more targeted than you personally. Other than that, they're both fully encrypted. Even if something got leaked someday, your data will be securely stored and near impossible to access, at least with the tools and computers we have today.

Your password manager then can be accessed using a passphrase (not a password). Passphrases are way more memorable while being a lot more secure. A passphrase can be something like: Name-Seat-Look-Chair-Plane7-Stree7, just six words, one punctuation character, and 7s instead of the letter T. Compared to a password like: *&(*747983HJGHgdgsutpshlnb, the passphrase will be more secure while being memorable.

Big Tech is evil

There's this idea, even among people who are not normies, that the big tech companies are evil. They're believed to have bad security and bad privacy practices. While this may hold true for privacy concerns, it's not necessarily the case for security. Companies like Google and Microsoft probably have good security measures in place, but we can never be entirely sure.

The reason for this uncertainty is that they're not transparent about how they implement things. We can't see what they do to protect our data, and that's what makes them untrustworthy. A company like Signal has its server, client, and encryption schemes open-sourced for the public. On the other hand, something like Telegram only has its client open-sourced, and that's it. We don't know much about the server or even their encryption scheme that they brag is unbreakable. In this situation, we might say Telegram is not suitable for its purpose, which is messaging people, as it is not secure.

However, in the case of something like Google Drive, which offers a reasonable amount of free cloud storage, you can still use it. If you already have a Google account associated with your identity, you can use that Google Drive to upload some encrypted data that you don't have space for elsewhere. Just because it's Google doesn't mean it's pure evil, and there can still be uses for it. You can use Google once you're conscious of your privacy.

Although, every day, more and more privacy-friendly alternatives are emerging. In the near future, you might not need to use Google or other similar companies.

Open-source means private

Yes, open-source software is more transparent than proprietary software and has the potential to be more secure and private. However, transparency and potential alone don't make them more private or secure. It's essential to look for independent audits of the software you intend to use. Also, being proprietary doesn't necessarily mean it's less safe. Assess the reputation of the software and its maintainers and determine whether it undergoes audits.


These were some of the most common myths about online privacy and security. Countless misconceptions exist, and in such situations, it's crucial to approach them with logic rather than bias. We need to plan out where to focus our time and energy wisely. The next chapter will delve into threat modeling and the common threats you should be aware of before designing your own threat model.

Chapter 2

Imagine you're playing Minecraft. You've respawned somewhere random on the map, and you don't have the geo-location of the house you had built. It would be really annoying and time-consuming, or sometimes even impossible (leading to frustration), to find your home in the game if you don't know where and in which direction to go. You run out of food, out of energy, and there will be nights with all the mobs—zombies trying to attack you, skeletons shooting arrows at you, and creepers blowing themselves up right beside you. But if you had the X, Y, Z coordinates of your house and the direction you needed to go, you could've gotten there before nightfall, before facing all those challenges.

In this book, I've planned to explain more advanced stuff as the chapters progress. So, the first chapter was about debunking some common myths about privacy and security. In this chapter, things get a little more actionable. This chapter will focus on threat modeling because I believe it's the most crucial step to take when you start your privacy journey. Otherwise, you'll go through a lot of time, stress, hard work, and suffering without meeting your personal needs.

Having a threat model can be the equivalent of having the location of your house in Minecraft written down on paper. Whenever you go far away from your home, you know where to go to get back. In the case of privacy and security, you'll understand what threats are relevant to you personally and what you want to protect, and take action based on that, instead of blindly using Tor on Whonix OS for no actual reason and making your own life harder and even worsening your privacy in the process.

There's nothing called full security

Nothing can be fully secure, fully private, or fully anonymous. When it comes to threat modeling, you need to make sacrifices. You should prioritize what matters the most and work on those areas, rather than wasting time trying to make everything private and secure, which would be impossible.

A threat model is a list of the threats that are most likely to happen. You can never protect yourself from every threat. However, you can work on protecting yourself from those that are most likely to occur.

For example, for a rapper, the most likely threat could be their music getting leaked. When designing your threat model, you should address these questions:

  • What do I need to protect the most? In the example of the rapper, the unreleased music would be the answer.
  • Who do I need to protect it from? For the rapper, this could include online hackers and those with physical access to the songs.
  • What are the chances of it happening? For the rapper, if they're famous enough, it's quite likely.
  • What will happen if I fail? For the rapper, this could cost them financially.
  • What can I do to protect it? For the rapper's example, they could use encrypted hard drives and restrict access to prevent human errors.

What do I need to protect the most?

To answer this question for yourself, you first need to list what you value the most. It could be your digital assets, like your cryptocurrencies, or the information you have, such as your emails, contacts, messages, or important files. Whatever you value, write it down.

Make your list like this: specify what data it is that you're protecting, how and where you're keeping it, who you want to allow access to it, and what can be done to prevent unauthorized access.

Once you've written your list, prioritize it based on the most valuable to the least valuable data. Then, you can take a step forward.

Who do I need to protect it from?

It can be anyone or anything, depending on your personal situation. For an activist, for example, it could be governments. For someone protesting against fascism, it could be neo-Nazi hackers and doxxers. For a business, it could be their competitors.

Try making a list of those who might be interested in getting their hands on your assets or data. Your list can include individuals, federal agencies, corporations, doxxing groups, cults—anything you think might be relevant.

This list can help you understand what and who you're up against, what they can do, and what costs they might be willing to pay to get their hands on your data. It helps you see more clearly and realistically.

What are the chances of it happening?

Not everything that might happen will happen. Write down the threats that you think are likely to occur, as many as you can think of, and then rate them based on their probability. Is it highly probable to happen? Is it unlikely? Is it even possible to protect your data against it?

For example, you might get struck by lightning when it's raining and die, but how probable is that? Would you find an insulating shelter until the rain ends? No, because there's a low chance of it happening. Or you might crash your car every time you get behind the wheel to drive, but do you stop driving? No. Or you might get shot if you go to a gang war zone, and you probably won't go, because it's quite likely to happen. The same applies to your threat modeling—you need to rate the threats based on their probability of happening.

What will happen if I fail?

Next, you need to consider the consequences of failing to protect your data. For example, if an anti-fascist protester's home address and information are put online by doxxers, it could pose physical threats to their safety. If a company fails to protect its data, hackers or competitors might corrupt all the company's data, leading to bankruptcy. Or, in my case, if someone were to read the memes I send to my friends on Telegram, probably nothing horrible would happen to me.

You need to write down what the attackers might want to do when they get their hands on your data. Will the harm they cause be minor enough that you wouldn't bother? Or is it severe enough that it could be life-threatening? You need to address those potential consequences.

What can I do to protect it?

Then, you can move on to researching what can be done to protect that data, what costs come with those measures, and how much they'll complicate your life, or if you're willing to make the effort.

For example, if you have cryptocurrencies, you can explore how to protect your assets. You might need to implement multisignature wallets, or store your assets offline on a secure and dedicated machine with encryption and no additional software.

Then you take action

After designing your threat model, you can move on to taking action. For example, with cryptocurrency assets, you can start by backing up your assets on paper, storing them somewhere safe, using an offline and audited wallet, downloading your own blockchain instead of relying on other nodes run by others, or even purchasing a dedicated machine specifically hardened for this need and purpose.

You might create a checklist at this point to ensure you don't forget anything and implement all the actions you believe will keep your data secure.

Common threats when threat modeling

Different threats require different actions; there is no single action you can take to protect yourself from all of them. And that's fine—you don't need to. That's why you designed a threat model: to take actions on the most probable and most consequential threats based on your own personal situation.

Your threats might not be among this list of common threats; they might require their own unique strategies to protect against. Again, you should act on your threat model. These are some concepts that I will refer to in this book, especially in this chapter:

  • Anonymity: Separating and protecting your real identity from your online activities, shielding yourself from anyone or anything wanting to unveil your vigilante mask and expose your real face.
  • Targeted Attacks: Shielding yourself from hackers, doxxers, government agencies, etc., that are specifically trying to get their hands on your data.
  • Passive Attacks: Defending yourself against attacks that target a large group of people, like when a company gets hacked and its data leaks to the public, or malware and scammers targeting thousands of people.
  • Supply Chain Attacks: Attacks that occur because of a vulnerability in a dependency of a trusted program, like the Linux distros getting backdoored because of a backdoor in xz utils (CVE-2024-3094) in 2024.
  • Service Providers: Protecting your data from service providers, like your ISP, usually through end-to-end encryption of your communications.
  • Mass Surveillance: Shielding yourself from surveillance systems that target the mass population, usually done by governments, but the websites that track you across the web are also in this category.
  • Big Tech Surveillance: Safeguarding yourself from big tech companies that profit from tracking you on the internet and selling your data for advertisement, like Google, Facebook, etc.
  • Public Exposure: Limiting the data publicly available about you on the internet, for example, your personal data indexed by search engines, etc.
  • Censorship: Bypassing digital censorship or avoiding being censored when using the internet or putting something out on the internet.

Anonymity vs Privacy

Anonymity is totally different from privacy, but privacy is required to achieve anonymity. Anonymity is when Daredevil goes out at night to fight the Russians working for Wilson Fisk. They don't know that Daredevil is Matt Murdock, but they know what he does. Matt Murdock has untied his personal identity, which is a blind attorney, from his vigilante identity, which is this badass dude in a black and red suit fighting crime in Hell's Kitchen. Matt Murdock is anonymous when he's Daredevil, and Wilson Fisk and every other criminal he has fought are the attackers who would love to unveil his identity and find out who's behind this mask.

Here in this example, Matt Murdock has used privacy to achieve that anonymity. He has separated his identity in a way that nobody would be suspicious of him being Daredevil. He pretended all those years that he couldn't see anything, couldn't even walk without his cane, and even if he was injured, he would say that he fell down some stairs. And that's the privacy there, protecting his anonymity. He decided for people to see this side of Matt Murdock, not the Daredevil side of him.

The same thing applies in the online world, but here the tools are different. The masks are digital tools using encryption and onion routing, but the concept is the same. If you're some kind of vigilante like Matt Murdock, you probably need to protect and separate your real identity from your vigilante identity.

Targeted Attacks

Daredevil was targeted too; all of the Hell's Kitchen criminals were after him. So he needed to protect his identity and anonymity while defending himself against targeted attacks from one of the most powerful villains of New York, the Kingpin. But who else might be in a situation like Daredevil's? Whistleblowers, activists, and protesters. However, they need different tools than Matt Murdock. They might need the Tor Browser rather than a mask, or end-to-end encryption tools to communicate and store data rather than an indestructible suit made by Melvin Potter.

But if you think the NSA, CIA, and other agencies are after you, you can't run from them forever. You might be able to fake your death and live in a submarine, but they will probably find you. This usually falls into the category of threats that you'd rather not bother about because of how difficult it might make your life. Also, it is quite rare to be that targeted. Usually, those targeted by the NSA have the support of another corrupt government.

Passive Attacks

This kind of attack affects most people of Hell's Kitchen, from Foggy Nelson to Frank Castle, even the people of Gotham City. It affects both villains and heroes, from Batman to Harley Quinn. These attacks are usually aimed at large groups of people, like malware spreading on the internet. When WannaCry spread on the internet, it affected anything that had that vulnerable version of Windows; it didn't choose.

This kind of attack, in my opinion, is the most probable for the majority of people. We all have signed up for many websites in our lifetimes; a data breach in one of them would be really likely and can definitely affect us if we haven't taken any precautions.

Supply Chain Attacks

Supply chain attacks can target even the most trusted programs by exploiting vulnerabilities in the programs they depend on. Sometimes, these attacks are targeted towards businesses or governments, but they can affect the mass population in the process. Preventing supply chain attacks is challenging; it requires time and energy to audit and test every dependency in the chain to be sure, but even then, there are always flaws. Nothing can be fully secure.

But how are these attacks performed? There are several common methods:

  • Someone with enough power and a high enough position in a company or developer team can have the authority to add malicious code to software.
  • In the open-source world, someone can contribute malicious code in a way that it gets added to the codebase unnoticed.
  • The author and maintainer of a library or dependency can decide to inject a backdoor into the code.

Minimizing the Risk

While the risk can't be fully eliminated, there are ways to reduce it:

  • Software and services from big companies like Google generally have a good reputation and better security than software developed by a small team or an individual.
  • Checking the commits, changes, and contributors in the case of open-source software.
  • Frequently checking for known security flaws in software.
  • Using independently audited software.
  • Sandboxing and isolation to minimize the impact of possible attacks.

Service Providers

Your ISP can see all your traffic, much like Joker has put a GPS tracker on Batman's Batmobile. Joker knows where Batman is going, and he can log that information as well. However, thanks to TLS and HTTPS, the data that ISPs can see has become limited. They can know the IP address, the Server Name Indication (SNI) of your traffic, and the DNS queries. But there are fixes for this. We can encrypt DNS, encrypt the Client Hello and SNI, and then all your service provider would see is the destination IP and timestamps if TLS is enabled for that website or service.

Here, you can shift the trust from your ISP to a VPN provider that doesn't log your traffic and allows you to sign up anonymously, such as Mullvad and ProtonVPN. However, this is just shifting the trust, not eliminating it. For that, there are other tools, like Tor, which ensure that no one in the middle is able to see where you are going and what you are doing if you use the websites on the Tor network and not the clearnet. Using encrypted DNS is also shifting the trust; still, the DNS server knows you and when and where you wanted to go. Luckily, Tor has its own DNS as well.

Mass Surveillance

David Liberman, also known as Micro, was an NSA analyst and hacker who, when trying to expose the CIA's drug transshipment in Afghanistan, got "killed" by a corrupt Homeland Security agent. However, he survived and gained access to all CCTV cameras and everything that these government agencies had access to so he could find Frank Castle, aka Punisher, to help him kill all those who were a threat to his family so he could get back home. At least, that's what I remember from the show. The movie is not the point. This kind of act—spying on all people, spying on all internet traffic, logging every packet—is what's called mass surveillance. It affects everyone.

Governments usually justify this by saying that they're fighting terrorism, but in reality, it has little to no effect on crime, and some governments use it for social credit systems.

Big Tech Surveillance

There is another kind of mass surveillance that isn't done by governments or agencies; it's done by big tech companies like Google and Facebook. Being the largest tech companies with the most internet users, they gather and collect a vast amount of data—sometimes even more than what governments collect in certain countries.

This kind of mass surveillance differs from that of governments. These companies don't deny their activities or claim it's for stopping terrorism or national security. They simply do it to sell the data they gather.

They make tons of money from your data by using it for advertising, tracking you across the internet. However, there are no guarantees that this won't go beyond being about money and advertisements. These companies might work with government agencies in the future as well.

Public Exposure

When I was 8 years old, I created a personal website that included my name, email, and phone number. It took months of back-and-forth with Google and the blogging website to remove it from search engine results. This is what public exposure is: the data publicly available about you online, often put out there by yourself when you didn't care about privacy. It can be quite hard and sometimes impossible to take this information down. In fact, it's always impossible to truly delete something you've posted on the internet. This is why you should adopt the mindset that anything you say, post, or share online might stay there forever. Even if it's encrypted, you need to assume it will be read one day—maybe not in your lifetime, but eventually.

Prevention is the best treatment. The best way to keep your data private is to not make it public in the first place. Remember, nobody will call the cops on you because you didn't sign up on Instagram with your real identity. It's the internet, not the military or a bank. You don't need to use your real name, phone number, or home address. Keep your real phone number for people you know personally, not for every troll, doxxer, or whoever might use the internet. The same goes for your real name and other personal details.

Avoiding Censorship

Sometimes you need privacy and security to avoid censorship, whether it's applied by a government, a platform like Twitter, or a Matrix server administrator. Most of us, including myself, hate censorship. Censorship holds society back from growth; it's like shutting off innovation, creativity, and new ideas. It is typically applied by those who need to protect their empires by force because they themselves know how wrong they are.

In this scenario, privacy tools like VPNs, proxies, encrypted DNS, and Tor can help you bypass censorship. Privacy-friendly platforms like Mastodon, which allow you to host them yourself, enable you to freely express your thoughts without someone like Elon Musk getting mad at you.

The journey begins...

These were some of the common threats you can base your threat model on. Your model can vary based on your own unique situation; you need to address your own personal needs when it comes to threat modeling. But it's not something you should skip; otherwise, you would be lost, wasting time and energy on things you don't need. That's how I started my privacy journey—I didn't design a threat model. Instead, I tried to make myself bulletproof from every possible attack and ended up wasting a year of my life. I also gave myself long-lasting anxiety and paranoia for no reason, all because I didn't plan out who I'm protecting my data from.

That's it for this chapter. In the next one, I'll cover operational security, which I find to be not technical yet one of the most important aspects of privacy and anonymity online. Operational security, or OpSec, is about preventing sensitive data from getting into the wrong hands.

Chapter 3

In 2012, the FBI nabbed a hacker known as w0rmer. He'd hacked several U.S. law enforcement websites and leaked their data online. You might think it took a big, complicated operation to catch him, but nope! w0rmer just had terrible operational security (opsec). He gave away his exact location to the FBI by replacing their database with a picture of his girlfriend from the neck down in a bikini, holding a sign that said "PwNd by w0rmer & CabinCr3w, <3 u BiTch's!" It's not like they identified the girl from the picture; w0rmer forgot (or didn't care) to erase the GPS coordinates from the picture's metadata. The FBI saw the coordinates were from an iPhone 4 in an outer Melbourne suburb. w0rmer overshared his location through a picture.

Having electrical tape on your webcam and using Tor browser inside Whonix OS won't save you if you share too much about yourself over time. Having good opsec often means being in control and aware of what you're sharing when talking to people or posting online.

Identify the sensitive data and information

The first step to improving our OPSEC is identifying the data that's sensitive to us. To do that, we need to check our threat model. We figure out what threats are common and which data would cause the most trouble if it fell into the wrong hands. Then, we prioritize the information based on how severe the consequences would be.

With this plan, we can cut down on unnecessary caution. Being overly cautious about everything we say or share can drain a lot of mental energy and increase the chances of slipping up. But if we focus on what's sensitive based on our own unique situation and threat model, we can reduce the mental energy needed to maintain our OPSEC.

Common Sensitive Information

These are some of the most common types of sensitive information that an individual might want to protect, but it all depends on your unique situation and whether these match your threat model.

  • Personally Identifiable Information (PII): Information that can uniquely identify an individual.

    • Full legal name: Your complete legal name as recorded on your identification documents.
    • Addresses: Your physical location where you live or work.
    • Phone numbers: Numbers assigned to your phone lines, including mobile and landline numbers.
    • Email addresses: Email accounts that are tied to your personal identity.
    • Date of birth: The date you were born, typically used for verification purposes, and can be used to narrow down your identity.
    • National identification numbers: Unique numbers issued by governments to identify citizens of a country, but even something like a library card number can be sensitive if tied to your personal identity.
  • Financial Information: Data related to your financial transactions and accounts. Some of this information can be PII as well.

    • Bank account numbers: Unique numbers assigned to your bank accounts for transactions.
    • Credit/debit card numbers: Numbers found on your payment cards used for purchasing goods and services.
    • Payment information (PayPal, Venmo, etc.): Details used to process financial transactions through payment services, like your PayPal email or Venmo username.
    • Financial statements: Documents detailing your financial transactions and balances.
    • Tax information: Details related to your tax filings and records.
  • Account Credentials: Information used to access online accounts.

    • Usernames
    • Passwords
    • Security questions and answers: Predefined questions with answers used for account recovery.
    • Two-factor authentication (2FA) codes: Temporary codes used in conjunction with passwords for additional security.
  • Digital Footprint and Metadata: Information that can be used to trace your online activities.

    • IP addresses: Unique numerical labels assigned to your devices on a network.
    • MAC addresses: Hardware identifiers assigned to network interfaces.
    • Browser fingerprints: Unique configurations and settings of your browser that can be used to track you.
    • Device information (model, OS, etc.): Details about the devices you use to access the internet.
    • Geolocation data: Information about your physical location derived from your devices.
    • Cookies and tracking scripts: Small files and code snippets used to track your activity online.
  • Communication Content: The actual content of your communications.

    • Emails: Digital messages sent through email services.
    • Text messages: Short messages sent via SMS or messaging apps.
    • Social media posts: Content shared on social networking platforms.
    • Chat logs: Recorded conversations from instant messaging services.
    • Voice and video call recordings: Audio and video data from calls made over VoIP services.
  • Behavioral Information: Data about your online behavior and habits.

    • Browsing history: Record of websites you have visited.
    • Search queries: Terms and phrases you have searched for on search engines.
    • Online shopping habits: Patterns and preferences in your online purchasing behavior.
    • Social media activity: Your interactions and engagement on social media platforms.
    • Writing style: The way you write or speak.
    • App usage patterns: Information about how you use mobile and web applications.
  • Professional Information: Work-related information.

    • Employment details: Information about your job and employer.
    • Work-related documents: Files and records related to your professional activities.
    • Business contacts: Information about your professional network.
    • Project information: Details about the projects you are working on.
    • Client data: Information about the clients you interact with in a professional capacity.
  • Biometric Information: Unique biological traits used for identification.

    • Fingerprints: Unique patterns of ridges and valleys on your fingertips.
    • Facial recognition data: Digital mapping of your facial features.
    • Voiceprints: Unique characteristics of your voice used for identification.
    • Iris scans: Detailed images of the colored part of your eye.
  • Personal Preferences and Opinions: Information about your beliefs, preferences, and opinions. This can be critical if you live under a dictatorship or in a highly repressive environment.

    • Political views: Your beliefs and stances on political issues.
    • Religious beliefs: Your faith and religious practices.
    • Sexual orientation: Your sexual preferences and identity.
    • Health information: Data about your medical history and current health status.
    • Memberships in various organizations: Affiliations with clubs, societies, and other groups.

Protecting Sensitive Information

Now that we're familiar with some common types of sensitive information in OPSEC, let's explore approaches we can take to protect this data. These protections vary widely based on your personal situation and unique threat model, so always refer to your threat model.

Personally Identifiable Information (PII)

  • Encrypt files and documents containing PII using robust encryption algorithms like AES. Avoid rolling your own encryption; use proven algorithms and audited implementations.
  • Minimize the collection and retention of unnecessary PII. Provide your PII only when absolutely necessary, and consider using a pseudonym or fake identity where possible.
  • Store physical documents containing PII, such as passports, in secure locations with surveillance systems like CCTV.

Financial Information

  • Use secure connections (HTTPS) when accessing financial websites like banks.
  • Regularly monitor your financial accounts for unauthorized access and enable warning features where available.
  • Enable transaction notifications for all transactions to stay informed about any suspicious activity.
  • For cryptocurrencies, use decentralized and anonymous options like Zcash and Monero for enhanced privacy.

Account Credentials

  • Utilize a reputable password manager to securely store passwords and account credentials. Avoid using the same password across multiple accounts.
  • Enable two-factor authentication (2FA) whenever possible for an added layer of security.
  • Never share account credentials via email or unencrypted messaging platforms. Use encryption or secure messaging apps like Signal for sensitive information.
  • Periodically review and update account passwords, and consider signing up for services that monitor for data breaches.

Digital Footprint and Metadata

  • Use a pseudonymous VPN or Tor (depending on your threat model) to mask your IP address and encrypt internet traffic.
  • Configure browsers to minimize browser history, cookies, and other metadata. Consider using Tor Browser for enhanced privacy.
  • Use privacy-focused search engines like DuckDuckGo or StartPage, or host your own search engine like Searx.
  • Disable location services on your devices when not needed to prevent location data from being stored in images.

Communication Content

  • Always use end-to-end encryption when communicating. Choose messaging apps like Session and Signal for strong encryption and minimal metadata storage.
  • Use encrypted email services like Tutanota and ProtonMail, or utilize PGP encryption for emails.
  • Avoid sharing sensitive information over unencrypted channels like public Wi-Fi networks.

Behavioral Information

  • Use privacy-friendly search engines and disable search suggestions to minimize tracking.
  • Regularly clear browser history, cookies, and caches, or consider using Tor Browser.
  • Review and adjust privacy settings on social media platforms to minimize personal data collection.

Professional Information

  • Encrypt work-related documents and files using strong encryption methods.
  • Use secure, encrypted collaboration tools for sharing sensitive work-related information.
  • Implement access controls and permissions to restrict access to confidential work data.

Biometric Information

  • Store biometric information encrypted using strong encryption algorithms.
  • Limit the collection and storage of biometric data to what is necessary for authentication purposes, or avoid biometric authentication if possible.

Personal Preferences and Opinions

  • Exercise caution when sharing personal preferences and opinions on public platforms, especially under your real name.
  • Adjust privacy settings on social media to limit the visibility of personal preferences and opinions.
  • Consider using pseudonyms or anonymous accounts for discussions on sensitive topics, which can sometimes be crucial depending on your location.

Effective OPSEC goes beyond implementing techniques; it's about shifting your mindset. It demands a heightened awareness of the information we share and a commitment to continuous learning and adaptation. Threats are always evolving, and techniques may become deprecated, but if you set your mindset to understand why what you put online may stay there forever and be read someday, you'll find the right techniques.

"If you know the why, you can live any how."

― Friedrich Nietzsche

The next chapter will explore the essentials of privacy and security. With the myths debunked, the roadmap established, and the mindset in place, we can delve into the tools and techniques that enhance your privacy in the digital world.

Chapter 4

Continuing with the Minecraft analogy from Chapter 2, imagine you're still in the game. You've become quite familiar with it now—you've even got your locations written down, and you've gathered some wood and set up a crafting table. With these resources, you can start crafting essential tools like wooden axes, shovels, swords, a bed, and a shelter to survive the night. You're ready to take on mobs, gather rocks and stones, and explore your surroundings.

As you become more skilled, you'll progress to stone tools, then iron, and maybe even diamond if you're up for the challenge. Just like in the game, reaching the diamond level requires embarking on deep adventures into scary caves, requiring time and dedication.

But this chapter focuses on the essentials—the wooden and stone tools—of the privacy world. These are the basic building blocks of your digital privacy and security. The essentials in the privacy world include encryption tools, anonymity tools, VPNs, emails, secure messengers, password managers, and multi-factor authentication tools. These are the bare minimums for privacy, aligning with the threat models of most individuals.

Passwords and Password Managers

Passwords are what protect our accounts, devices, and our secrets. We need to take all actions to keep them safe, secure, and accessible to ourselves. Trying to remember a hard password is a bad idea, and I've already explained why. If you use a single password for everything, no matter its complexity, and a data breach containing your account happens, then all your other accounts are accessible using that leaked password. And if you try remembering different passwords for every website, you will forget them all. Humans aren't that good at memorizing random passwords, especially if you don't recall them often.

This is where password managers come into play. Password managers are software, either online or offline, that store passwords and other notes and secrets safely and securely using encryption. The content inside them is accessible through one password, usually known as the master password. So when using a password manager, you memorize one complex password as your master password, and that is used to access the other passwords inside your password manager's vault. Now you don't need to remember any other password or secret.

A good password manager should have these characteristics, in my opinion:

  1. They need to be encrypted. Never use a password manager whose encryption you're unsure of.
  2. They need to be open-source. Not that open-source software is necessarily safer, but when the source is open, we can check the code and its encryption implementation and make sure they're safe.
  3. They must be audited independently. We're not cryptanalysis experts. An audit will show whether there are any flaws in the software's cryptography implementation.
  4. They had better be offline or self-hosted. There is no problem with a cloud-based password manager if it is implemented correctly. Even if their database gets leaked, the passwords should still be encrypted and secure. But when using a self-hosted or offline password manager, like Bitwarden (which can be self-hosted) or KeePass, you minimize the risk of leakage, because you are far less likely to be targeted than a password manager's server with thousands of users.

Choosing a Secure Master Password

But how can you generate a secure master password? First, you need to forget about passwords. Passwords are strings of random letters, numbers, and punctuation characters. They get really hard really fast for humans to memorize, but not nearly as hard for computers to crack and guess through brute-force attacks. Passphrases, on the other hand, are lists of words separated by a character, which are easy for humans to remember but a lot harder for a computer to crack, because they're usually much longer and have more entropy than a password. They're easier to remember because they are words, and words have meaning to us but not to computers, which still see random strings.

These passphrases are called Diceware Passphrases. An example of a Diceware passphrase is: Batboy Wielder Defective Squire Facial Reptilian Monologue Avatar.
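As an added example (not from the original book), the sketch below generates a Diceware-style passphrase with simulated dice rolls and works out how its entropy compares with a random-character password. It assumes the words are picked by dice or a CSPRNG, never by hand. The 36-word, two-dice list is constructed for the demo (real Diceware lists use five dice and 7,776 words), and the function names are hypothetical.

```python
import math
import secrets
from itertools import product

# Constructed demo list: 36 words keyed by two dice rolls ("11" .. "66").
WORDS = ("acid bolt cave dusk echo fern glow hive iris jade kelp lamp "
         "mint nest opal pine quay reef sage tide urn vine wolf yarn "
         "zest arch bark clay dune elm fawn gust hazel inlet jay knot")
SAMPLE_LIST = "\n".join(
    f"{a}{b}\t{word}"
    for (a, b), word in zip(product("123456", repeat=2), WORDS.split())
)

def roll_key(n_dice: int) -> str:
    """Simulate n fair dice with the OS CSPRNG, e.g. '41' or '41326'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))

def parse_wordlist(text: str) -> dict:
    """Parse 'KEY<whitespace>word' lines into {dice key: word}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            table[parts[0]] = parts[1]
    return table

def passphrase(table: dict, n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly at random by rolling dice for each word."""
    n_dice = len(next(iter(table)))
    if len(table) != 6 ** n_dice:
        raise ValueError("word list must cover every dice outcome")
    return sep.join(table[roll_key(n_dice)] for _ in range(n_words))

def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)

def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of uniformly random characters."""
    return length * math.log2(alphabet_size)

def equivalent_password_length(bits: float, alphabet_size: int) -> int:
    """Random characters needed to reach at least the given entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    print("demo passphrase:", passphrase(table, 4))
    bits = passphrase_bits(7776, 8)            # eight words from a full list
    print(f"8 Diceware words: {bits:.1f} bits")
    print("random printable characters needed to match:",
          equivalent_password_length(bits, 94))
```

The entropy figure depends only on the list size and the number of words, so it holds even if an attacker knows the exact word list you used.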

XKCD's password strength meme

Avoid changing your master password too often, unless you suspect that it is compromised, to minimize the risk of forgetting it. Also, a good practice is to keep an encrypted backup of your passwords somewhere safe, ideally outside your devices and with a different password (in case you forget the main password), so you can restore your passwords and minimize the risk of losing access to your accounts.

Email Security

Email services aren't secure by nature. New technology usually comes before security, and that's true for email as well as the earliest protocols of the internet. But this lack of security can be overcome to some extent by adding layers of encryption to email services.

The first layer of encryption needs to be added to the communication channel. By communication channel, I mean the channel that the data needs to go through to get to the destination, not the email content. This can be done by adding TLS to the transport layer of the email protocol. Nowadays, most email service providers have TLS enabled by default. But if you self-host your email service, you'd need to make sure transport layer encryption is enabled.

The second layer of encryption would be for the email content. This can be done through using PGP or S/MIME encryption. But we would need to have our recipient's public key in order to send them encrypted emails. There are encrypted and privacy-focused email providers like ProtonMail and Tutanota which can eliminate this need for having the public key, only if our recipient uses the same email provider as us. For example, two ProtonMail users can send each other encrypted emails without having to know each other's public keys.

And even if you encrypt the content of the email, the metadata would still be unencrypted. This metadata can include:

  1. Sender Email Address: The email address of the person sending the email.
  2. Recipient Email Address(es): The email address(es) of the recipient(s) of the email.
  3. Timestamps: The date and time when the email was sent and sometimes when it was received.
  4. Subject Line: The subject line of the email, which summarizes its content.
  5. Message-ID: A unique identifier for the email message.
  6. Return-Path: The email address to which bounced emails are returned.
  7. Received: Information about the email servers and networks through which the email passed during transmission.
  8. X-Mailer: Optional field indicating the email client or software used to compose the email.
  9. MIME-Version: Version of the Multipurpose Internet Mail Extensions (MIME) protocol used in the email.
  10. Content-Type: The type and format of the message content, such as text/plain for plain text or text/html for HTML-formatted content.
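The following added example (not from the original book) parses a PGP/MIME-encrypted message and reports what a mail server or observer can still read without any key. The message, addresses, and IPs are constructed for the demo, and `observer_view` is a hypothetical helper name.

```python
import re
from email import message_from_string

# Constructed sample message: the body is PGP/MIME, every header is cleartext.
RAW = "\n".join([
    "Return-Path: <alice@example.org>",
    "Received: from mail.example.org (mail.example.org [203.0.113.7]) "
    "by mx.example.net; Tue, 02 Jan 2024 10:15:02 +0000",
    "Received: from laptop (unknown [198.51.100.23]) "
    "by mail.example.org; Tue, 02 Jan 2024 10:15:00 +0000",
    "From: Alice <alice@example.org>",
    "To: Bob <bob@example.net>",
    "Date: Tue, 02 Jan 2024 10:15:00 +0000",
    "Subject: Meeting at the usual place",
    "Message-ID: <20240102101500.1234@example.org>",
    "X-Mailer: ExampleMail 1.0",
    "MIME-Version: 1.0",
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"',
    "",
    "--b1",
    "Content-Type: application/pgp-encrypted",
    "",
    "Version: 1",
    "--b1",
    "Content-Type: application/octet-stream",
    "",
    "-----BEGIN PGP MESSAGE-----",
    "(ciphertext omitted in this constructed sample)",
    "-----END PGP MESSAGE-----",
    "--b1--",
    "",
])

# Single-valued headers from the list above; Received is handled separately.
EXPOSED = ["From", "To", "Date", "Subject", "Message-ID", "Return-Path",
           "X-Mailer", "MIME-Version", "Content-Type"]

def observer_view(raw: str) -> dict:
    """Summarise what is readable without the recipient's private key."""
    msg = message_from_string(raw)
    headers = {h: msg[h] for h in EXPOSED if msg[h] is not None}
    hops = []
    # Received headers are prepended by each server, so reverse for origin-first.
    for line in reversed(msg.get_all("Received", [])):
        m = re.search(r"from (\S+).*?\[([0-9.]+)\].*?by (\S+?);", line, re.S)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    return {"headers": headers, "hops": hops, "body_encrypted": encrypted}

if __name__ == "__main__":
    view = observer_view(RAW)
    print("body encrypted:", view["body_encrypted"])
    for name, value in view["headers"].items():
        print(f"{name}: {value}")
    for hop in view["hops"]:
        print("hop:", hop)
```

Note that the subject line and the first hop's IP address are readable even though the body is ciphertext, so put nothing sensitive in the subject of an encrypted email.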

Messaging Security

Most chat messages aren't secure either. For instance, Telegram, a messaging app that claims to be encrypted and secure, doesn't even have E2EE (end-to-end encryption) enabled by default. And even when it allows E2EE, it is only for mobile clients, meaning you cannot use Telegram securely on a desktop client. Worse yet, Telegram breaks the first and most important rule of cryptography, which states, "Do not roll your own crypto," by using a self-rolled cryptography scheme for its E2EE chats. Additionally, Telegram servers are all closed-source; nobody has any idea how the messages and data on Telegram are stored. Are they encrypted? Who has access to these servers? Nobody knows. Telegram is the perfect example of a bad messaging app in my opinion. I know there are messaging apps worse than Telegram, but none of them claim to be private and secure. So, I will use Telegram as a bad example of a messaging app to explain what a messaging app needs to have.

  • End-to-end Encryption: A secure messaging app would allow E2EE messages with a known and audited cryptography scheme and implementation. Telegram allows it to some degree, but its cryptography is questionable.
  • Anonymous Sign-up: A private messaging app would allow you to sign up anonymously, usually using an email. Telegram and Signal use phone numbers, which is reasonable for reducing spam. However, there are ways around this, like buying an anonymous VoIP number using Monero or cash.
  • Transparency: A secure messaging app should be transparent about how they store data, what data they store, and in what scenarios the data can be handed over to authorities.
  • Metadata Collection: Every message and account has some metadata that usually isn't encrypted. Telegram collects a lot about you, like your name, sign-up date, IP addresses, 2FA email, phone number, contacts, people you frequently talk to, and all your messages (if you do not use E2EE). They can hand this data over to authorities if they have to. Signal, on the other hand, collects little to no metadata about you and doesn't have much to hand over even if a court order compels them to do so.
  • Popularity: We can't make people use what we use. If everyone I know uses Telegram, I have to use Telegram too, and that's a big part of a messaging app. I might prefer Matrix over Signal, though Signal has better security and collects less metadata than Matrix, but most people I talk to use Matrix, so I have to make some sacrifices here.

Your threat model plays a huge role here. You might not care at all if your messages with your friends can be read by Telegram or any other company. It depends on you and your threat model.

Choosing a secure VPN

Normally when you use the internet, your ISP can technically see all the data that is passing through the network. But nowadays, with most websites and services supporting TLS/SSL encryption, your ISP is not able to see much. However, they can still figure out the IP address and the domain name that you're requesting. Anything that your ISP can see, your VPN provider can see as well. Because of that, VPNs are mostly a shift in trust. For example, my ISP logs a lot of information that I don't want to be logged, and they hold the data for a long period of time. The VPN providers that I use (ProtonVPN and Mullvad) promise not to log anything. They're reputable privacy-focused VPN providers and they allow anonymous payments, especially Mullvad VPN. So in this scenario, I prefer to use the VPN all the time because I trust it more than my ISP.

But we don't always need to shift the trust; sometimes it's because we want to bypass censorship. VPNs are a great way to bypass censorship as they encrypt the data that is passing through the network, making it hard for censorship systems to detect it. Even if it is for bypassing censorship, it is still shifting the trust, and it needs to be something that collects little to no data about us and our data.

graph TD;
    Client[Client Device]
    ISP[Internet Service Provider]
    VPN_Server[VPN Server]
    Destination[Destination Server]

    Client -->|Encrypted VPN Tunnel| VPN_Server
    VPN_Server -->|Regular Traffic| Destination
    Client -->|Regular Traffic| ISP
    ISP -->|Encrypted VPN Tunnel| VPN_Server
    ISP -.->|Encrypted Data| Destination

For me, a VPN provider should have these characteristics:

  • Strong encryption: It should use secure encryption methods and protocols. For example, a secure protocol would be something like WireGuard or OpenVPN, and an encryption method that supports perfect forward secrecy. Perfect forward secrecy ensures that data encrypted in past sessions stays inaccessible even if the long-term key later gets into the wrong hands.
  • No-Logs Policy: A private VPN provider should not keep logs of user activities, connections, timestamps, or IP addresses. For example, VPN providers like Mullvad, ProtonVPN, and Windscribe do not collect much about your traffic.
  • DNS Leak Protection: A secure and private VPN should ensure that DNS queries are routed through the VPN tunnel, not through the user's ISP. This prevents the leaking of visited websites to the ISP.
  • Kill Switch: A private VPN should provide a feature that disconnects the user from the internet if the VPN connection drops, ensuring that no data is transmitted over an unencrypted connection.
  • IP Address Masking: The VPN should replace the user's real IP with one provided by the VPN servers.
  • Multi-Hop: A nice feature for a VPN to have would be multi-hopping, which routes the user's traffic through multiple servers in different locations, adding an extra layer of security and privacy.
  • Secure Authentication: An ideal VPN provider would have multi-factor authentication systems (like TOTP or even SMS/Email authentication codes) to protect users' accounts.
  • Private Servers: It should use private or dedicated servers rather than shared ones to reduce the risk of data interception.
  • Obfuscation: It should provide obfuscation features to bypass censorship systems like DPI (deep packet inspection), making the VPN traffic appear like regular traffic, usually using an obfuscation protocol like obfs4 or ScrambleSuit.
  • Jurisdiction: It’s better if it is based in a country with strong privacy laws and outside the influence of surveillance alliances like the Five Eyes, Nine Eyes, or Fourteen Eyes.
  • Regular Audits: It should have regular security audits by independent third parties to verify the no-logs policy and the overall security of the service.

But these characteristics can vary based on the user's threat model. Not everyone cares about multi-hops and no-log policies. You should always act based on your threat model.


These were the bare minimums of privacy and security. As the book progresses, the chapters will become more technically advanced and more focused on anonymity. The next chapter will be all about encryption, as it is the building block of security in the online world.