Protection: Change Your Online Habits
The topic of "changing your online habits" is a big one, but as I said in the introduction, this chapter of the site/book is dedicated to teaching you how to fish - that is, rather than giving you a to-do list, it's about teaching you to recognize things and make your own informed decisions.
Phishing & Clicking Links
Speaking of fishing, let's start there. Phishing historically has been and remains one of the top ways to gain unauthorized access to a specific machine, account, or network. Phishing occurs when a person clicks on a link and either enters information or downloads a payload that gives a malicious actor access to an account or device, which they can use to access the data on that machine or the network the machine is connected to. Typically this link-clicking occurs in the form of an email that appears to be legitimate, such as an email that appears to be from your bank asking you to confirm account details. Those details are actually logged by a hacker who now has your bank login information. Or it could be a text seemingly from your mother saying "here's a link to some old pictures I found" and it's actually a virus.
Phishing could also come in the form of a link on a website that appears to be legitimate. This is why ad-blockers are so important. In the early days of the internet, it was common to search for a specific software (such as a codec to play a certain type of video) and stumble on a website with an ad that says "click here to download your codec!" when in reality the true link was further down the page. This is called "malvertising," or "malicious advertising," and using an adblocker is a critical part of preventing this type of deception. There is even a such thing as "drive-by malvertising" where malicious ads can infect your computer without you even clicking on anything. Ad blockers are important!
In the case of direct messages, there's a lot of ways actors pretend to be someone they're not. Many of them are easy to see through. The email may say it's from "Chase Bank," but looking at the actual email address quickly reveals that its from "firstname.lastname@example.org," clearly not your actual bank.
Sometimes a technique may be more complex: a hacker may have gained access to a relative's account (usually through phishing) and then send an email from them, appearing totally legitimate in every way. In cases like this, your best defense is to be cautious. If something seems out of character, contact the person and ask about it. If your notoriously serious aunt sends you a funny video, ask her if that was actually her. If your bank sends an email requiring confirmation of something, ignore the email and go straight to their website. If it's legitimate, the same warning will pop up when you log in or be waiting in your messages. If you're still not sure, contact their support team and ask.
Another important digital habit to change is the handing out of information. I'm not opposed to sharing your life or picture online. I have a personal Mastodon account where I share my day-to-day and I even have a selfie as my profile picture. But think about what you're sharing and what it reveals. Back in the early days of social media, it was common that people would publicly share that they were going on vacation for a week, so criminals in the area would find their house and rob it while they were gone. That exact crime may or may not live on, but the principle still does. One woman had a stalker find her because she took a selfie where the street sign was visible. Again, I'm not saying don't share things online, but be mindful of what information is visible in the photo, such as a company logo on your shirt or financial information in your screenshot.
Additionally, when I say "handing out of information," that includes actual information. Try this experiment: next time you sign up for a website or pay for something online, try submitting as little as possible. Try filling out just your email address and password. It will likely stop you from moving on and ask for some more information, but you might be surprised exactly what information is optional. It may not need a last name, or maybe the phone number is optional. You should view every website as a data breach waiting to happen, and anything that isn't a password or card number is probably not encrypted, so the less personal information you hand over the better. If you are required to hand over information but the requesting site or service doesn't actually need it, consider using disinformation.
While I am opposed to mainstream social media services for a number of reasons, I understand that sometimes you have no choice in using them. My recommendation would be to not use the apps whenever possible, post as little as possible, and make your profile as private as possible.
If you feel the need to have social media, try checking out the decentralized and more privacy-respecting Fediverse. This is a volunteer run, peer-to-peer social networking system, and one of the coolest things about it (in my opinion) is the way it interacts universally. Imagine if you had a Twitter account but wanted to follow someone on Instagram. In mainstream social media, you have to sign up for Instagram. On the Fediverse, you can follow them from your own platform even without having an account with that service. For Twitter fans, I recommend Mastodon. For Instagram fans, PixelFed. Facebook users might feel more comfortable on Frendica and YouTube users might find new content on PeerTube.
Finally, I discourage using the same username or handle across all your social media accounts unless you're building a professional brand (like The New Oil or a band or a freelance account of some kind). For example, rather than using "@nbartram" on Twitter, Instagram, Reddit, etc, I propose using your password manager to generate a two or three random word passphrase and then use that as your handle. Furthermore, I don't recommend reusing that same handle. If somebody decides to cyberstalk you, this simple trick can make it harder for them to find all of your social media accounts, similar to the idea of using masked email addresses.
Change your default search engine. Google tracks all of your searches and records them, and these are all added to your profile to create a more complete picture of you as a person; your likes, dislikes, interests, and more. Try a privacy-respecting, no-logging search engine such as SearX, or MetaGer. DuckDuckGo and Startpage are popular search engines that claim to be privacy-respecting, but due to a wide variety of past questionable actions of both and the availablity of better options, I don't particularly encourage them except as backups.
I encourage using as few plugins as possible in your browser. Use only the ones you need, and only the ones you've vetted closely. Plugins run with elevated, administrative privileges, meaning they have tons of access to the information in your browser. News articles abound about plugins that stole passwords, history, and other sensitive data.
Likewise, I encourage you to set your browser to never remember history, cookies, or any autofill settings including passwords, payment information, and even addresses. This may cause you be logged out if you don't whitelist certain sites or configure the settings correctly, but I think this is a small price to pay as an insurance against a rogue plugin.
Delete any and all unused accounts. This includes old social media accounts, library accounts, work accounts, and services you signed up for once and never used again. If you can't delete them for whatever reason, change it to a secure password and hold onto it somewhere safe. My only exception to this is that I recommend holding onto old email accounts. You never know what you once used them for and when you might need them again for that purpose. It's better to have them stored safely behind a strong password and 2FA and not need them than to need them and not have access anymore.
Mindful Digital Correspondence
Also remember that even with encryption, no digital communication method should be considered secure for a variety of reasons. You never know if the person is going to print it out and share it or leave their messages open while they step away from their device briefly. Be careful what you send digitally, even if it is properly encrypted. There is always a risk.