The most common response I get when I talk about information security is that it's overwhelming. A lot of people shy away from making changes because they feel that they don't know where to start, or they've been led to believe that information security is an all-or-nothing game - either you go all in and chuck your phone into the river, or you may as well not even bother. Nothing could be further from the truth.
Below I have outlined my recommended priorities for implementing some of these principles into your own life. Every person is unique and every situation is different. If you feel that something is a higher priority for you personally, such as deleting unused apps on your phone, feel free to do that first. If you feel that some things are not a priority at all, such as using a VPN, then don't. Only you can make that decision. You can implement all these steps in one fell swoop - a single day or afternoon of sitting down and doing it all at once - or you can do it one day, week, or even month at a time. It's totally up to you. But the journey of a thousand miles begins with one step, and hopefully this checklist can help you take those first few steps.
- Enable Multifactor Authentication on every account you can. This step alone will prevent unauthorized access from data breaches, keylogging, and a myriad of other attack vectors. Of all the single steps you can take to protect yourself, this one will probably get you the furthest.
- Change your online habits. Post less personal, revealing information. Have as few online accounts as possible. Sign up for fewer email lists. The smaller your digital footprint, the less information there is to be leaked or stolen in a data breach, and the less that can be traced back to you.
- Secure your browsing habits. Download Firefox (Chrome is basically just spyware from Google that tracks you everywhere). Add the plugins HTTPS Everywhere, Privacy Badger, and AdNauseam.
- Use a password manager. Change all your passwords to be unique and strong, at least 20 characters composed of upper and lowercase letters, numbers, and special characters. Don't reuse passwords, and use a secure password manager instead of just a normal spreadsheet or Word doc.
- Back up your information and devices. I advise against services like Google Drive for privacy purposes, but even that's better than nothing. Get an external hard drive or a cloud backup service and back up your devices regularly.
- Encrypt your devices, especially mobile phones and laptops. Encryption will ensure that if your device is lost or stolen, your personal information is safe from whoever finds/steals it.
- Switch to secure messaging, both instant and email. This will allow you to trade sensitive information safely with authorized people. Encourage the person you're communicating with to use the same platform to ensure maximum security.
- Purchase a VPN. This will help anonymize you online (to an extent) and will protect your browsing from your Internet Service Provider, who is legally allowed to influence your traffic in the US, and from any unauthorized local spies.
- Turn off as many location and telemetry (e.g., crash reporting, "anonymous usage," etc.) features on your phone as you can. Most programs that need location data (such as navigation) will still have access, and if not, it's usually pretty obvious which option you need to turn back on to use it.
- Delete unused accounts. This will reduce the potential ways that someone can find out information about you for things like social engineering or stalking.
- Remove unused apps from your phone. Unsecured apps can potentially be an attack vector for malware and data breaches.
Good General Practices When Using the Internet
Don't give any unnecessary information (address, phone number, real name, etc.). Always ask yourself "do they really need to know this?" Probably not. This applies not only to messaging others, but to websites. Facebook, for example, has several extensive fields where you can add an address or phone number. These are unnecessary and are often abused.
Switch from the Chrome internet browser (which is basically just spyware for Google) to Firefox and use the following browser plugins:
- HTTPS Everywhere encrypts your traffic and protects your login information
- Privacy Badger learns which websites track you automatically in the background as you browse and blocks those trackers with no effort on your end
- AdNauseam is a powerful ad- and tracker-blocker that pulls from a variety of lists for maximum effect and simultaneously clicks ads behind the scenes, effectively making your marketing profile random and useless
- (Optional) Snowflake allows you to help internet users in restrictive countries bypass censorship at no risk to you
- (Optional) Neat URL gets rid of most tracking URLs while leaving the core link functional. A tracking URL is junk put at the end of a link that allows the website you're sharing to see who you've shared with, whether or not they click the link, and information about the person clicking the link such as web browser, operating system, IP address, and more
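To make the tracking-URL idea concrete, here is an added example (not Neat URL's own code and not part of the original checklist) that strips tracking parameters from a link while leaving the core link functional. The function names and the short parameter list are assumptions chosen for illustration, not the extension's actual rule set.

```javascript
// Illustrative sample of well-known tracking parameters (assumed list,
// not Neat URL's real rules).
const TRACKING_EXACT = new Set(["fbclid", "gclid", "msclkid", "mc_eid", "igshid"]);
const TRACKING_PREFIXES = ["utm_"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_EXACT.has(n) || TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

// Returns { cleaned, removed }: the link without tracking parameters and the
// names that were stripped. Unparseable or non-http(s) input is returned as-is.
function stripTracking(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { cleaned: link, removed: [] };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { cleaned: link, removed: [] };
  }
  const removed = [];
  // Copy the keys first: deleting while iterating searchParams skips entries.
  for (const name of [...new Set(url.searchParams.keys())]) {
    if (isTrackingParam(name)) {
      url.searchParams.delete(name);
      removed.push(name);
    }
  }
  // Path, remaining parameters, and #fragment are preserved.
  return { cleaned: url.toString(), removed };
}

// Constructed sample link (example.com is a reserved documentation domain).
const sample =
  "https://example.com/article?id=42&utm_source=newsletter&utm_medium=email&fbclid=CONSTRUCTED123#comments";
console.log(stripTracking(sample));
```

The `removed` list shows exactly which identifiers a shared link would have carried to the site, which is a quick way to check a link before forwarding it.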
Try to switch from mainstream social media platforms like Facebook and Twitter to more privacy-respecting platforms like Mastodon, PixelFed, or Diaspora.
Try to replace Google search with a privacy-respecting alternative, such as DuckDuckGo, SearX, or Qwant.
Consider your metadata at all times. Consider what information you might be unwillingly giving up, how it can be aggregated to identify you and your actions, and what you can do to mitigate it.
Encrypt your devices, especially those most likely to be stolen or lost (such as laptops and mobile devices).
Remember that no app, program, protocol, or thing is 100% secure. Anything that claims to be 100% secure should be treated suspiciously; they are lying, probably to fleece those who don't know better out of their money, or out of the data they claim to be protecting so they can actually sell it. Additionally, because nothing is 100% secure, you should always try to do anything sensitive in person, away from electronic mediums. If something is life-or-death important, don't email it even if you're both using PGP.