Using the internet can be a real drag. Big tech spies tracking our every move, malware landmines planted in every search query, hackers ready to pounce on every website we select. It's 2023: we internet users endure less privacy, less security, and more surveillance than ever before. Yet we continue to receive little to no warning when vulnerabilities arise, and we are offered little to no compensation for all our data. The risk, while it's become the norm, is hardly worth the reward.

Below are some simple tips we can use to reduce the impact of big tech spies in our day-to-day lives.




Messaging

To limit your accessible data footprint, switch from your current messaging applications to Signal. Reason? End-to-end (E2E) encryption and privacy protection.

SMS is unencrypted between your phone and the carrier network, so the carrier, anyone positioned on the carrier signalling network, or anyone who takes over your number with a SIM swap can read and intercept it. In contrast, Signal protects messages, calls, and video chats with E2E encryption in transit (only the two endpoints ever hold the keys) and keeps its local message database encrypted at rest on your phone or desktop. Because Signal's servers never hold decryption keys, Signal cannot decrypt, data-mine, or hand over message content to others (e.g., law enforcement); the only account data it can produce on request is when an account was created and when it last connected. Note that both parties must use Signal to get this protection; a conversation with a non-Signal contact is not covered. This makes Signal an optimal choice for anyone engaging in digital communication today.



Email Applications

ProtonMail is a private email service developed and maintained by Proton, a company created by former scientists at CERN who believe that trust is earned through transparency. The source code of Proton's client applications (web, desktop, mobile, browser extensions) is public and freely available for inspection; the server side is not. For Proton, privacy and security come first.

ProtonMail uses open source, independently audited end-to-end and zero-access encryption to secure email at rest and in transit. Mail between Proton users is end-to-end encrypted; mail from outside senders arrives over TLS and is encrypted to your public key on arrival (zero-access), so even Proton itself can't read your stored emails. Two caveats a practitioner should know: subject lines and sender/recipient metadata are not end-to-end encrypted, and TLS to an outside sender's mail server is only as good as that server's configuration. Learn more about Proton's privacy and security promise here.

ProtonMail offers both free and paid service tiers. For free, users get an email address with MFA, up to 150 messages per day, encrypted file sharing via ProtonDrive, a medium-speed VPN connection via ProtonVPN, a privacy-preserving calendar via ProtonCalendar, and 1 GB of total storage space. For $4 USD per month, Proton gives users 10 email addresses, each with unlimited messages, a custom email domain, 20 calendars with calendar sharing, and 15 GB total storage. If needed, Proton offers an even broader service plan at $10 USD per month. Learn more about ProtonMail pricing options here.

Other Notable Options:


Quick Comparison

A quick comparison with the status quo shows ProtonMail outperforming Gmail in privacy and security measures, from the most basic to the advanced. ProtonMail has had only one reported CVE (Common Vulnerabilities and Exposures entry), while Google Gmail has had more than 15 publicly reported vulnerabilities. One caveat: CVE counts measure what vendors and researchers chose to publish, not how many flaws exist, and hosted services such as Gmail rarely receive CVE identifiers at all, so read these figures as a rough indicator rather than a score. Proton has faced no antitrust investigations, while Google has drawn an astounding 10+ antitrust lawsuits across the US, the UK, and the EU related to advertising (learn more here).

                              ProtonMail          Google Gmail
Total Storage                 1 GB**              15 GB**
Calendar                      Yes                 Yes
VPN                           Yes                 No
Encryption, at rest           Yes (zero-access)   No (Google holds the keys)
Encryption, in transit        Yes                 Depends (TLS only if the other mail server supports it)
Privacy                       Yes                 Not Exactly
CVEs                          1                   16
Antitrust Lawsuits            0                   10+
Cost                          free**              free**

Companies such as Proton, FastMail, and HushMail ensure our private identities and electronic communications stay private. In contrast, companies such as Google[1][2] and Microsoft[1][2][3] amplify their profits and our personal risk by mining our personal email data (learn more here and here).

In the United States there is no mandatory reporting regime for CVEs today, only "good faith." It is up to the company and/or the discoverer to make public any discovered vulnerabilities and exposures. When companies such as Google and Microsoft choose not to announce a vulnerability (say, it is still under investigation and they are trying to identify the root cause and push a fix), we end-users don't know we are exposed. For the company this amounts to a trouble ticket and an escalation. For end-users it can amount to identity theft.



Web Browsers

DO NOT use Google Chrome (see FAQs).

UPDATE: As of 14 April 2023, Google has finally “discovered” the issue reported to them in December 2022 (CVE-2022-4262 | CVE-2023-2033).

Mozilla Firefox is a fast, private & safe web browser available for Windows, macOS and Linux. Firefox is developed by the Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation, an actual non-profit organization that actively supports online privacy & security, trustworthy artificial intelligence (AI), and accountability for big tech corporations. Mozilla puts people before profit; they create products, technologies and programs that make the internet healthier for everyone. Firefox is open source and highly customizable. And, it's free.

Brave is a privacy-focused, open-source (MPL 2.0) web browser based on Chromium, available for Windows, macOS, Linux, Android and iOS. Brave is developed and maintained by Brave Software, Inc. Brave ships with ad and tracker blocking ("Shields") out of the box, offers Private Windows with Tor on desktop, and sells a Firewall + VPN as a paid add-on. Brave is highly customizable both in its privacy and security settings and in its search engine configuration. Brave is also the first browser to offer its users compensation for viewing ads, in the form of BAT (Basic Attention Tokens), through its opt-in Brave Rewards program. And, it's free.

Vivaldi is a Chromium-based web browser available for Windows, macOS, Linux, and Android. It is not fully open source: its modifications to Chromium are published, but its user-interface layer is proprietary. Vivaldi is developed by Vivaldi Technologies, a Norwegian company founded by Tatsuki Tomita and Jon Stephenson von Tetzchner (co-founder and former CEO of Opera Software). Like Brave, Vivaldi offers built-in ad, pop-up and tracker blocking without any extension. Vivaldi is highly customizable and privacy-focused: Vivaldi doesn't profile or track you, collect or sell your data, and it can't see which sites you visit, what you search for, or what you download. Your data is either encrypted or stored only on your machine. And, it's free.



Search Engines

Firefox supports adding multiple search engines, defining custom search engines, ranking search suggestions by your browsing history, and more. Learn more about search customization in the Firefox web browser here.

DuckDuckGo offers a privacy-focused search experience. DuckDuckGo is perhaps best known for its "untracked search" privacy feature. While privacy-preserving, DuckDuckGo's result relevance and robustness suffer, such that it becomes increasingly burdensome to find exactly what one is looking for when (re-)forming a search query. One may find oneself combing the internet in hopes of landing a meaningful result. Maybe that's a good thing, for those with time to spare. Learn more about search integration and customization in DuckDuckGo here.

Brave Search offers users the ability to customize and refine search via user-defined search engine shortcuts and re-ranking functions (Goggles).

Custom Search Engines

Custom search engines enable users to create shortcuts for quick-linking to personal email accounts, running queries against specific news sites, retail sites, and more. For example, let's define a shortcut for querying HackerNews:

1. In the address bar, enter brave://settings/searchEngines.

2. Under "Site Search," select "Add" to create a shortcut. Define the custom search engine name (e.g., HackerNews Query) and the shortcut (e.g., hnq). In the URL, substitute %s in place of the query item (e.g., query=%s), and "Save."

Search Engine: HackerNews Query
Shortcut: hnq
URL: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=%s&sort=byDate&type=story

3. Navigate to the address bar, enter the shortcut hnq + [spacebar].

4. Type a query item (e.g., 'crypto'), and press [enter].

5. A search query is executed in HackerNews, and results are displayed. Pretty nice!
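As an added example (not part of the original page, and not Brave's code), here is what the browser does with that %s: it percent-encodes your query before substituting it into the template. The function below mimics that, and contrasts it with a naive string replace, which corrupts the URL as soon as a query contains & or #. The template is the HackerNews URL from step 2; the sample queries are made up.

```python
from urllib.parse import parse_qs, quote_plus, urlsplit

# The custom search engine URL defined above: %s marks where the query goes.
HN_TEMPLATE = ("https://hn.algolia.com/?dateRange=all&page=0&prefix=false"
               "&query=%s&sort=byDate&type=story")


def expand_shortcut(template: str, query: str) -> str:
    """Substitute the query the way a browser does: percent-encoded, so
    characters with URL meaning (&, #, =, spaces) stay inside the value."""
    return template.replace("%s", quote_plus(query))


def naive_expand(template: str, query: str) -> str:
    """Plain string replacement, for contrast: no encoding at all."""
    return template.replace("%s", query)


def query_param(url: str) -> list:
    """What the search site actually receives as its `query` parameter."""
    return parse_qs(urlsplit(url).query).get("query", [])


if __name__ == "__main__":
    q = "rust & go #1"   # constructed query containing URL metacharacters
    print(expand_shortcut(HN_TEMPLATE, "crypto"))
    print(query_param(expand_shortcut(HN_TEMPLATE, q)))   # ['rust & go #1']
    print(query_param(naive_expand(HN_TEMPLATE, q)))      # ['rust '] (the rest became a fragment)
```

The practical upshot: always put %s in a query-string value, as above, rather than in a path segment, so the browser's encoding keeps user input from changing the meaning of the URL.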

Custom Search Re-Ranking

For personalized search, Brave Goggles lets users define and apply re-ranking preferences on top of Brave's search index using a set of instructions (rules and filters). Anyone can create, apply, and/or extend a Goggle for public or private use. With Goggles, Brave Search offers an almost limitless number of ranking options, as defined by the user.

For example, let's say we want to omit specific websites from our search results:

The "Amazon-Excluded Search" Goggle refines the results of any search query performed using Brave Search such that it discards Amazon-owned companies from appearing altogether.

Before applying the filter:

After applying the filter:


Similarly, the "No Pinterest" Goggle refines the results of any Brave search query such that it removes pages and threads hosted on Pinterest from appearing in the search results.

Before applying the filter:

After applying the filter:


How simple! Discover more Brave Goggles offerings here.
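To make the re-ranking concrete, here is an added example of my own (not Brave's code) that interprets a small subset of the Goggle instruction syntax: comment lines start with `!`, and an instruction is an optional URL-path pattern followed by `$discard`, `$boost=N` or `$downrank=N`, optionally restricted with `,site=domain`. The two Goggles and the result list are constructed to mirror the Amazon and Pinterest examples above (the list of Amazon-owned hosts is an assumption, not the real Goggle's list); real Goggles are richer, so treat this as a sketch of the mechanism.

```python
from urllib.parse import urlsplit

# Two toy Goggles in (a subset of) Goggle syntax.
AMAZON_EXCLUDED = """
! name: Amazon-Excluded Search (toy)
! description: discard results hosted by Amazon-owned properties (assumed list)
$discard,site=amazon.com
$discard,site=audible.com
$discard,site=zappos.com
"""

NO_PINTEREST = """
! name: No Pinterest (toy), plus a small boost for blog posts
$discard,site=pinterest.com
/blog/$boost=2
"""

# Constructed search results as (url, base score); higher score ranks first.
RESULTS = [
    ("https://www.amazon.com/dp/B000000000", 10),
    ("https://www.pinterest.com/pin/1", 9),
    ("https://notamazon.com/deals", 8),
    ("https://example.org/blog/post", 7),
    ("https://www.audible.com/pd/1", 6),
]


def host_matches(host: str, site: str) -> bool:
    """True for `site` itself or any subdomain of it; never a bare substring
    match, otherwise site=amazon.com would also swallow notamazon.com."""
    host = host.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def parse_goggle(text: str) -> list:
    """Turn instruction lines into dicts: pattern, action, value, site."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        pattern, _, rest = line.partition("$")
        action, *opts = rest.split(",")
        name, _, value = action.partition("=")
        options = dict(o.partition("=")[::2] for o in opts)
        rules.append({"pattern": pattern, "action": name,
                      "value": int(value) if value else 0,
                      "site": options.get("site")})
    return rules


def apply_goggle(rules: list, results: list) -> list:
    """Re-rank: discard matching results, add/subtract boosts, sort by score.
    Returns the surviving URLs, best first."""
    ranked = []
    for url, score in results:
        parts = urlsplit(url)
        keep = True
        for rule in rules:
            if rule["site"] and not host_matches(parts.hostname or "", rule["site"]):
                continue
            if rule["pattern"] and rule["pattern"] not in parts.path:
                continue
            if rule["action"] == "discard":
                keep = False
                break
            if rule["action"] == "boost":
                score += rule["value"]
            elif rule["action"] == "downrank":
                score -= rule["value"]
        if keep:
            ranked.append((score, url))
    ranked.sort(key=lambda pair: -pair[0])
    return [url for _, url in ranked]


if __name__ == "__main__":
    for name, text in (("Amazon-Excluded", AMAZON_EXCLUDED), ("No Pinterest", NO_PINTEREST)):
        print(name)
        for url in apply_goggle(parse_goggle(text), RESULTS):
            print("  ", url)
```

Running it drops amazon.com and audible.com under the first Goggle while leaving notamazon.com alone, and under the second drops Pinterest and lifts the blog post above a higher-scoring result.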



Ad & Tracking Blockers

With a web browser and search engine selected, it's important to configure an ad blocker, which protects us against tracking scripts and malvertising (ads that lead to malware or phishing pages). Across both Firefox and Chromium-based web browsers, one well-known and widely respected ad-blocking browser extension is uBlock Origin. A newer tracker blocker gaining attention is DuckDuckGo Privacy Essentials.

FireFox Web Browser

For Firefox, the ad-block extensions to install are uBlock Origin (Mozilla) and DuckDuckGo Privacy Essentials (Mozilla).

Chromium-based Web Browsers

Both Vivaldi and Brave ship a built-in, highly customizable ad and tracking blocker. Brave's is called "Shields"; it is not an extension but a built-in engine that consumes the same filter-list syntax as uBlock Origin, with EasyList, EasyPrivacy and Brave's own lists enabled by default. Shields customizations I've found useful include the following:

Filter lists:

Fanboy Annoyances List

Fanboy Social List

Fanboy's Anti-chat apps List

uBlock Annoyances List

In addition to Shield customization, I've added the browser extension DuckDuckGo Privacy Essentials (Chrome). As new trackers and ad services are detected by DuckDuckGo Privacy Essentials, I add them to the custom filter list in Shield.
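Shields and uBlock Origin consume the same filter-list syntax, so the custom list you grow over time follows it too. The added example below is mine (not Brave's or uBlock Origin's engine) and implements just the network-domain rules a hand-written list usually needs: `||host^` to block a host and its subdomains, `@@` for an exception, and the `$domain=` and `$third-party` options. The host names are ones this page's FAQ lists as trackers; the request and page URLs are made up. Note the exception rule: blocking graph.facebook.com everywhere also breaks facebook.com itself, so the exception scopes the block to other sites.

```python
from urllib.parse import urlsplit

# Constructed custom list (subset of the Shields / uBlock Origin syntax).
CUSTOM_FILTERS = """
! trackers named in this page's FAQ; last rule keeps facebook.com usable
||graph.facebook.com^
||pixel.facebook.com^
||google-analytics.com^
||googleads.g.doubleclick.net^
||amazon-adsystem.com^
||telemetry.urs.microsoft.com^$third-party
@@||graph.facebook.com^$domain=facebook.com
"""


def host_matches(host: str, site: str) -> bool:
    """`||site^` covers the host and all its subdomains, never substrings."""
    host = host.lower()
    return host == site or host.endswith("." + site)


def base_domain(host: str) -> str:
    """Crude registrable-domain guess (last two labels). Real engines use the
    Public Suffix List so that hosts under e.g. co.uk are handled correctly."""
    return ".".join(host.lower().split(".")[-2:])


def parse_filters(text: str) -> list:
    """Return (is_exception, host, options) for each `||host^` rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        exception = line.startswith("@@")
        body = line[2:] if exception else line
        if not body.startswith("||"):
            continue                      # only network domain rules here
        pattern, _, opts = body[2:].partition("$")
        options = {}
        for opt in (opts.split(",") if opts else []):
            key, _, value = opt.partition("=")
            options[key] = value.split("|") if value else True
        rules.append((exception, pattern.rstrip("^"), options))
    return rules


def rule_applies(rule: tuple, req_host: str, page_host: str) -> bool:
    _, host, options = rule
    if not host_matches(req_host, host):
        return False
    if "domain" in options and not any(host_matches(page_host, d) for d in options["domain"]):
        return False                      # $domain= scopes the rule to those pages
    if "third-party" in options and base_domain(req_host) == base_domain(page_host):
        return False                      # $third-party: ignore same-site requests
    return True


def is_blocked(rules: list, request_url: str, page_url: str) -> bool:
    """Decide one request. Any applicable exception (@@) wins over blocks."""
    req_host = urlsplit(request_url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    blocked = False
    for rule in rules:
        if not rule_applies(rule, req_host, page_host):
            continue
        if rule[0]:
            return False
        blocked = True
    return blocked


if __name__ == "__main__":
    rules = parse_filters(CUSTOM_FILTERS)
    checks = [  # (request, page) pairs, constructed
        ("https://graph.facebook.com/v16.0/me", "https://news.example.com/story"),
        ("https://graph.facebook.com/v16.0/me", "https://www.facebook.com/"),
        ("https://www.google-analytics.com/collect", "https://shop.example/"),
        ("https://telemetry.urs.microsoft.com/ping", "https://www.microsoft.com/"),
        ("https://telemetry.urs.microsoft.com/ping", "https://example.org/"),
        ("https://notgoogle-analytics.com/x.js", "https://example.org/"),
    ]
    for req, page in checks:
        print("BLOCK " if is_blocked(rules, req, page) else "allow ", req, "on", page)
```

When you add a host that DuckDuckGo Privacy Essentials flagged, write it as `||host^` so subdomains are covered, and reach for `$third-party` or `@@...$domain=` when a blanket block breaks the site that legitimately owns the host.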



Multi-Factor Authentication

Multi-factor authentication (MFA) (e.g., 2FA or 2-step verification) is a way to enhance password security by requiring more than one method (i.e., factor) for successful authentication. Without MFA, anybody who guesses, steals, or phishes your password can access your account from anywhere. When MFA is enabled, account access requires another factor to prove you are who you say you are: something (hopefully) only you can provide.

MFA can take the form of SMS (text message), a software application (e.g., an authenticator app), and/or a hardware device (e.g., a YubiKey). 2FA via SMS is the weakest option: text messages are unencrypted, and codes can be captured through SIM-swap fraud, carrier-network interception, or simply by phishing the user for the code. Because the objective is to increase our online security, it is not advised to use SMS as the 2FA solution. Instead, we will choose as our MFA mechanism either an authenticator app or a hardware authenticator.

Note: MFA is not fool-proof. Learn about MFA blind-spots here.

Authy is a free two-factor authentication application developed by Twilio. For a given account, Authy generates time-based one-time codes (TOTP) locally, on your device, from a secret key the service hands you once at enrollment (usually as a QR code). Authy is available on both mobile and desktop devices: iOS, Android, Windows, Mac, and Linux.

Authy supports 2FA for many applications/services including:

LinkedIn | PayPal | Reddit | Binance | Uber | Grammarly | MailChimp
Bitwarden | Amazon | Facebook | Instagram | Dropbox | Box | Cloudflare
Slack | Twitter | FastMail | ProtonMail | Gmail | GitHub | Microsoft
SnapChat | Teamviewer | Twitch | Pinterest | Apple | EverNote | Discord

Learn more about Authy here.

Other Notable 2FA Apps:



YubiKey is a hardware authentication device developed and manufactured by Yubico. It is used to protect access to user accounts on computers, networks, and online services. YubiKeys are personal USB (or NFC) security keys; they plug into your computer and/or phone and are used alongside your primary password to complete the second half of an MFA web login. Each YubiKey holds a unique secret that never leaves the device; it is used to produce per-login cryptographic responses that prove the key (and so, presumably, you) is present.

2FA via apps and SMS, while an improvement over a password alone, remains vulnerable to real-time phishing: an adversary-in-the-middle site relays your password and one-time code to the real service within the code's validity window. A YubiKey used with FIDO2/WebAuthn (or the older U2F) resists this, because the browser binds the site's origin into what the key signs, so a response captured on a look-alike site does not verify at the real one. YubiKeys implement open industry standards (FIDO2/WebAuthn, U2F, OATH OTP, PIV and OpenPGP).

Yubikey supports 2FA for many applications/services including:

AWS (IAM) | Google | Microsoft | Apple | Brave | Oracle
Dropbox | 1Password | Bitwarden | Duo | Cloudflare | Linux
ProtonMail | FastMail | GitHub | GitLab | Reddit | Drupal
Binance | Kraken | Facebook | Twitter | Instagram | Twitch
Teamviewer | Ebay |  DocuSign | Tesla | Salesforce | Shopify

Learn more about Yubikey here.
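To show why the security key survives the relay attack that a one-time code does not, here is an added example (my own, not Yubico's firmware or any WebAuthn library) that models the three parties: the key, the browser, and the relying party. The relying party, origin and look-alike phishing host are assumptions. The key's signature is simulated with an HMAC under a secret the server also knows, purely so the example runs with the standard library; a real key uses a per-site private key and the server verifies with the public key. The shape of what gets signed, and the server's checks, follow WebAuthn.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit

RP_ID = "example.com"                                      # assumed relying party
EXPECTED_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.example"    # constructed look-alike


class ToySecurityKey:
    """Stand-in for a security key (HMAC instead of a real signature)."""

    def __init__(self):
        self.credential_secret = os.urandom(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")  # flags (UP) + counter
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {
            "authenticatorData": auth_data,
            "clientDataJSON": client_data_json,
            "signature": hmac.new(self.credential_secret, signed, hashlib.sha256).digest(),
        }


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """The browser, not the web page, writes the origin it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Browsers only let a page use an rpId that is its own host or a parent
    domain of it; a look-alike host cannot borrow example.com's rpId."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def rp_verify(secret: bytes, assertion: dict, challenge: bytes) -> bool:
    """Relying-party checks, in WebAuthn order: type, challenge, origin,
    rpIdHash, then the signature over authData || SHA-256(clientDataJSON)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False                          # produced on another site: rejected
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login(key: ToySecurityKey, challenge: bytes) -> bool:
    assert browser_allows_rp_id(EXPECTED_ORIGIN, RP_ID)
    cdj = browser_client_data(challenge, EXPECTED_ORIGIN)
    return rp_verify(key.credential_secret, key.get_assertion(RP_ID, cdj), challenge)


def phished_login(key: ToySecurityKey, challenge: bytes) -> bool:
    """Attacker relays the real challenge to the victim on PHISH_ORIGIN. A real
    browser refuses the rpId outright; even a client that skipped that check
    would hand back an assertion naming the wrong origin."""
    if browser_allows_rp_id(PHISH_ORIGIN, RP_ID):
        raise AssertionError("browser should refuse this rpId")
    cdj = browser_client_data(challenge, PHISH_ORIGIN)
    return rp_verify(key.credential_secret, key.get_assertion(RP_ID, cdj), challenge)


if __name__ == "__main__":
    key, challenge = ToySecurityKey(), os.urandom(32)
    print("legitimate login accepted:", legitimate_login(key, challenge))   # True
    print("relayed (phished) login accepted:", phished_login(key, challenge))  # False
```

Contrast this with a TOTP code: the six digits carry no notion of which site they were typed into, so a relay succeeds as long as it forwards them within the validity window. The origin check in `rp_verify` is the whole difference.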



Password Managers

Password theft is a serious problem. Websites and applications we use are under constant attack. When security breaches occur, they expose sensitive and unique identifying information about us (e.g., username, email address, password, phone number, physical address) to the world. Using a password manager helps protect us against password theft occurrences, and limits our exposure when security breaches happen.

Bitwarden is an open source password management service that stores sensitive information (i.e., usernames, passwords, metadata) in an encrypted vault. At present Bitwarden is one of the safest ways to store all logins and passwords while also keeping them synced between all of your devices, and secure via MFA.

Bitwarden offers native desktop applications for macOS, Windows, and Linux, and native mobile applications for Android and iOS. Bitwarden also offers browser extension support for Chrome, Edge, Firefox, Opera, Safari, Vivaldi, Brave, and Tor Browsers. Users can leverage Bitwarden web interface, desktop/mobile application, and/or browser extension to create and edit entries in their password vault.

Bitwarden offers both free and paid service tiers. The Free tier includes a password generator, credential sharing, and the option to self-host. With the Free tier users can sync an unlimited number of password vault items across multiple devices. For most users, the free service tier is sufficient.

Note: Bitwarden's PIN unlock stands in for your master password when unlocking an already logged-in client. Be sure to choose a long passphrase as the PIN (i.e., don't choose a 4-6 character alphanumeric value): anyone who obtains the locally stored vault file can try every short PIN offline, with no rate limiting. Learn more about brute-forcing Bitwarden PINs here.
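To see why the note matters, here is an added example (mine, not Bitwarden's unlock code) of the offline attack: the attacker holds the salt and the PIN-derived wrapping key from a stolen local vault and simply tries every PIN. The key derivation is PBKDF2-HMAC-SHA256 with a deliberately tiny iteration count so the demo finishes in seconds; the 600,000-iteration figure used for the extrapolation and the 7776-word passphrase list size are assumptions for illustration.

```python
import hashlib
import hmac
import itertools
import os
import time

# Kept low so the demonstration finishes quickly; real clients use hundreds
# of thousands of iterations (or Argon2), which the estimate below scales to.
ITERATIONS = 1000


def derive_unlock_key(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stand-in for the key that wraps the local vault key under the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def brute_force_numeric_pin(salt: bytes, target: bytes, length: int,
                            iterations: int = ITERATIONS):
    """Offline attack: enumerate every numeric PIN of the given length."""
    for digits in itertools.product("0123456789", repeat=length):
        guess = "".join(digits)
        if hmac.compare_digest(derive_unlock_key(guess, salt, iterations), target):
            return guess
    return None


def expected_attack_seconds(keyspace: int, seconds_per_guess: float) -> float:
    """Average time to hit the right value: half the keyspace, one guess each."""
    return keyspace * seconds_per_guess / 2


def measure_seconds_per_guess(iterations: int = ITERATIONS, samples: int = 50) -> float:
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_unlock_key(str(i), salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt = os.urandom(16)
    wrapped = derive_unlock_key("7309", salt)             # constructed 4-digit PIN
    print("recovered PIN:", brute_force_numeric_pin(salt, wrapped, 4))

    # Scale one guess up to an assumed 600k iterations on this single core.
    per_guess = measure_seconds_per_guess() * (600_000 / ITERATIONS)
    print(f"4-digit PIN:                ~{expected_attack_seconds(10 ** 4, per_guess):,.0f} s")
    print(f"6-char alphanumeric:        ~{expected_attack_seconds(62 ** 6, per_guess) / 86400:,.0f} days")
    print(f"4-word passphrase (7776^4): ~{expected_attack_seconds(7776 ** 4, per_guess) / 86400 / 365:,.0f} years")
```

The iteration count only multiplies the attacker's cost; the keyspace is what moves it from seconds to centuries, which is why a passphrase beats a PIN no matter how the derivation is tuned.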

Other Notable Options:



VPNs

Virtual Private Networks (VPNs) help our data remain private and secure. VPNs work by creating an encrypted tunnel between our device and our VPN provider, protecting us in two key ways:

  • Concealing our IP address, which protects our identity and geolocation.
  • Encrypting our traffic between us and our VPN provider, so that no one on our local network (or at our ISP) can read or modify it. Note that the VPN provider sits at the other end of the tunnel and can see exactly what the local network no longer can, so choosing a VPN is choosing whom to trust.

VPNs protect us when connecting to public WiFi networks (e.g., Starbucks, the airport, by accident when our smartphones are set to WiFi -> ON + Autoconnect). VPNs also limit the amount of data our internet service provider (ISP) can reliably gather (and sell) about our internet usage.

Note: reputable VPN service generally is not free (Proton's free tier, mentioned above, is an exception).

Notable VPN Service Options:

Learn more about VPN options here.



FAQs

Why suggest internet users avoid Google Chrome? Why?

Malware in Google Ads and Search results. Oh, and password mining [1].

What do you mean?

Ads dominate Google search results; it's how they make so much money every year. Many of those ads lead to malware or phishing pages.

Okay, but... How?

Google Search results contain Malicious Ads with links to phishing sites[1][2][3][4][5]. The end user can't differentiate good links from bad, malicious links. This results in lots of innocent users falling victim to repeated phishing attacks; attacks which could be prevented.

That's super risky to all users of Google products. Why wouldn't Google do something to improve customer experience?

Like filter out those malicious items before surfacing search results to the end user? Great question. I asked Google the same question when I reported the ongoing malicious activity, beginning December 2022.

You actually contacted Google? What did Google say?

Google referred me to their privacy and security URLs, and suggested I have my lawyer contact them if needed.

Wow, that's extremely unhelpful, and doesn't really address your credible concern. Did Google ever fix the issues?

Unfortunately, no. As of April 2023 [1], the vulnerability is still ongoing.

What?! How scary! Do you know how many people use Google Chrome?

As a matter of fact, Google itself estimates 2.65 billion internet users use Chrome as their primary web browser in 2022 [1].

That is a huge number of impacted people to leave vulnerable. Is anyone taking action?!

Yes, sort of. The DOJ has a couple of antitrust lawsuits against Google that appear helpful for us non-billionaire internet users [1]. Hopefully we'll win the justice we need to improve privacy and security for all users of the internet.

Is there anything we can do to help?

Definitely. Suggestions include:

  • Improve your internet privacy and security footprint using the tips described above.
  • Share these tips with your friends and family.
  • If you have improvements on and/or additions to these tips, please share them with me, and with each other.
  • Contact your local representatives and senators. Let them know this antitrust case against Google is important to you as a user of the internet, and your privacy and security matters.
  • Stay informed. Keep learning about and fighting for internet privacy and security.

How much will all this cost?

The only items that cost money are a YubiKey and a paid VPN (everything else above has a free tier that is sufficient for most users). This means if you forgo the YubiKey and a paid VPN, nothing; it's all FREE. Can't beat that.

Including Yubikey and VPN, one can spend ~$200 USD, which includes the "fancy" Yubikey (USB-C + Lightning ports) and 1 year of VPN service.

Who are "big tech spies"? Who?

Glad you asked. Big tech spies include, but are not limited to, Google, Meta (Facebook), Amazon, Twitter, Microsoft and Apple.

How do you know?

These companies appear most often in Ad & Tracking Blocklists and in privacy/ad agreements with 3rd Party services (e.g., Plex, Spotify). A few examples are provided below:

  • graph.facebook.com
  • pixel.facebook.com
  • connect.facebook.com
  • graph.instagram.com
  • google-analytics.com
  • googleads.g.doubleclick.net
  • pagead2.googlesyndication.com
  • adservice.google.com
  • amazon-adsystem.com
  • unagi.amazon.com
  • device-metrics-us.amazon.com
  • analytics.twitter.com
  • syndication.twitter.com
  • ads-twitter.com
  • ads-api.twitter.com
  • ads-bidder-api.twitter.com
  • stats.microsoft.com
  • telemetry.urs.microsoft.com
  • microsoftadvertising.com
  • bing-ads-display-ads-cdn.afd.azureedge.net
  • smetric.ads.microsoft.com
  • adservices.apple.com
  • advp.apple.com
  • searchads.apple.com

Are there others?

Yes, there are many (e.g., Stripe: js.stripe.com). It is safe to assume that everywhere we go on the internet, pages embed third-party scripts and tracking pixels that phone home from our device(s), carrying identifiers (e.g., cookies and/or JSON web tokens (JWT)) that let the tracker tie together our activity across sites and any open apps. This is why it is important to use ad-blocking software as soon as possible, on all devices (e.g., smartphones, computers).



[19 March 2023] Update: Added additional links and Messaging section.