LEVEL 1: URGENT - WHAT YOU SHOULD DO NOW
1 Swap Google for Duckduckgo
As well as tracking what you tap into its Search bar, Google collects plenty of other information, including when you typed something and where, then plotting it on a map. That’s handy if you want to know whether you searched for ‘holiday home in cornwall’ from home or work, but otherwise it’s simply invasive.
To avoid this kind of stalking you have two options. One is to disable Google’s search tracking and location history. Sign into your Google account ( https:// myaccount.google.com), click the My Activity box at the bottom, then ‘Activity controls’ on the left. On the following page decide what to turn off, such as the Location History slider, and the ‘Web & App Activity’ slider (see screenshot below), which will stop Google saving your searches.
The alternative is to wave goodbye to Google, and use Duckduckgo ( https:// duckduckgo.com) instead. It doesn’t collect any of your personal data, though it does monitor what you search to better understand any misspelt words. It also tracks some searches that go to online retailers because it makes money through affiliated links, taking a cut of any purchases made on them. But none of this can be used to identify you, so it’s considerably more private than Google.
To make Duckduckgo your default search engine in Chrome, click the top-right menu (three vertical dots), click Settings, then under ‘Search engine’ click ‘Manage search engines’. Scroll down the alphabetical list of browsers to Duckduckgo, then click the three dots to its right and select ‘Make default’.
A further option is to also ditch Chrome for up-and-coming rival Vivaldi (named by our sister magazine Web User as the internet’s best browser). When you use the private mode in its latest version it sends searches by default through Duckduckgo. That’s about as private as you can currently get without veering into the dark web via Tor (see page 58).
2 Turn off location data
Where you are matters to advertisers. From your location data, they can tell where you live, where you work, and plenty of information about your lifestyle. That’s why, as well as disabling your location in Google, consider doing so in your browser. The process is similar in Firefox, Edge and Chrome.
In Chrome, for example, click the top-right menu, Settings, then scroll down and click Advanced. Next, in the ‘Privacy and security’ section, click Content Settings, then ‘Ask before accessing’ under the Location heading. On the next page click the top-right blue slider to switch off all location tracking. To block all location tracking make sure the top-right blue slider is switched off.
If you feel that’s too drastic, ensure the slider is left on, showing ‘Ask before accessing (recommended)’ (see screenshot above right). This forces websites to ask your permission to track your location, so be prepared to click ‘no’ rather frequently.
3 Change hidden browser settings
Disabling location tracking is just one of many browser settings you can tweak to reclaim your privacy. But some browsers try to dissuade you from changing them by hiding their privacy options in ‘Advanced’ sections. They hope you’ll think: ‘Advanced? I better not touch those then’. This is a cynical ploy, and the truth is browsers don’t want you to deactivate settings that may harm their advertising revenue. In an ideal world, privacy options would be upfront in a browser’s settings.
Here, we’ll explain how to find these hidden settings and tweak them to your advantage. In Chrome, go to Settings, Advanced, then ‘Privacy and security’. here, it’s worth clicking the slider that asks websites to comply with a ‘Do Not Track’ request (see screenshot on page 52). First proposed in 2009, then maintained by two US professors in technology and law – Jonathan Mayer and Arvind Narayanan – this setting aims to reduce tracking across the web. Websites and advertisers can ignore the request, but it’s still worth asking. Read more at http://donottrack.us.
In ‘Privacy and security’ you can also stop sending Google your ‘diagnostic and usage data’. The company says this
information helps it to improve its products and services, but that’s what they all say. Consider too disabling Autofill if you don’t want Chrome to automatically fill in forms with your address details or save passwords for websites. Like many of the privacy options we describe, it comes at the cost of convenience (see box below). Chrome won’t remember your details (great!), so you’ll have to type them in every time (perhaps not so great). Therefore, before you change a setting, consider how much hassle you’re prepared to put up with. And if you think you may change your mind, make a note of how to retrace your steps so you can reverse the setting.
Other major browsers have similar settings in the top-right menu buttons. In Firefox, go to Options, then ‘Privacy & Security’. In Edge, click Settings, then View Advanced Settings.
4 Force sites to use https
Websites are protected either by HTTP or HTTPS, which are different ways of encrypting the traffic between your browser and a website. That ‘S’ at the end is key - it stands for ‘secure’. If a URL in your browser bar is prefixed by HTTPS, it’s using the most secure standard of encryption, making it harder for anyone to eavesdrop on your online activities. Chrome highlights it in green, showing a “secure” lock in the URL bar.
You can’t simply enable HTTPS on a website that doesn’t support it. That’s a job for the site’s developers. Some sites already use it by default, but many don’t. Others include elements, such as adverts, that don’t connect over HTTPS. That’s why you should install the HTTPS Everywhere extension ( https://www.eff.org/https-everywhere). Built by developers at the privacy campaign group Electronic Frontier Foundation (EFF) and the anonymous browser Tor, it works in Chrome, Firefox, Opera and ‘Firefox for Android’. Once installed, it simply forces websites to use HTTPS if they can, meaning you have as much protection as is currently available.
If you want to be sure you’re only browsing with this level of encryption, click the extension’s icon at the top right of your browser bar, then tick ‘Block all unencrypted requests’. This stops you loading websites that don’t use HTTPS, which can be frustrating (see box), but will help put pressure on websites that need to tighten their privacy levels.
5 Use incognito mode
Choosing private browsing mode, also known as incognito mode (see screenshot above right), opens a fresh window where you can do whatever you like without your browser saving information on what you searched for or any data you enter into online forms. It’s handy if you share your computer with others and want to keep your browsing secret. This isn’t as sneaky as it sounds. It can be very useful when you’re shopping for a gift for someone because, if they
come to use the PC, they won’t see any adverts relating to presents you may have looked for, and therefore won’t ruin their surprise.
You can open a one-off private session via the dropdown menu in the top-right corner of Firefox, Chrome and Edge. You can also set Chrome so it always opens in private mode. Right-click the Chrome icon on your desktop, then click Properties. At the end of the ‘Target’ field, after ‘exe.”’, type a space, then -incognito (as shown in the screenshot below left). Follow the same instructions to do the same in Firefox, then type ” -private” at the end.
Browsing incognito doesn’t prevent websites from gathering data about your habits, something the latest version of Firefox does restrict (see page 16).
6 Block adverts
There are plenty of reasons to block adverts: they’re annoying, they follow you around the web, they can be riddled with malware. There are several tools you can use to do this, and many of them have similar names (Adblock Plus, Adblock, ublock and more).
You may be wondering whether you still need them now that Google has built a filter into Chrome that blocks irritating adverts – the kind that play videos automatically or pop up as you scroll down a web page. If a site subjects you to multiple adverts like this, Google will ask it to stop. If the site refuses, Chrome will remove all ads on the site. Google’s idea is to encourage good advertising standards, so that we’re not driven to block all ads – and it doesn’t lose revenue.
So, should you ditch your ad-blocker, and trust Chrome instead? It’s too early to judge. But we doubt Google will go all out to antagonise advertisers that it relies upon.
7 Add privacy extensions
Online advertisers are guilty of many privacy infringements, but blocking ads is only the first step. You should also use browser extensions like Ghostery ( www. ghostery.com) and Disconnect ( https:// disconnect.me) to block marketing tools that track what you do online. If you don’t mind a site following you, add them to a ‘whitelist’.
Privacy Badger ( www.eff.org/privacy badger), another tool from the EFF, reveals who is watching you, blocking advertisers only if they stalk you too aggressively. Install it, visit a site with adverts, then click the badger icon to the top-right of your browser bar. You’ll see the sites’ advertising trackers listed next to sliders, which should all be green.
As you browse and are tracked from site to site, these will change to yellow or red. Privacy Badger deems yellow trackers required for websites to load properly, but will remove unnecessary cookies within them. Red means all trackers have been disabled on a site (see screenshot below).
8 Choose a secure messaging app
Over the years we’ve spotted a trend: the most secure messaging apps have the fewest gimmicks. They’re the sensible choice for people who favour privacy over frivolous options like enhancing a selfie photo with a dog face.
We recommend apps that are protected by end-to-end encryption ( E2EE). One of the best E2EES is Signal ( http:// signal.org), which is fairly easy to use. Whatsapp uses Signal’s encryption, but it’s designed in a way that dilutes some of the protection. However, it’s still more than enough security for most of us. State-sponsored spies may want to look elsewhere.
But wait! Who owns Whatsapp? Yep, Facebook. The same Facebook involved in allegations over data breaches in the last few weeks (see page 11). Happily, legal regulators have prevented the two services sharing users’ data, so Whatsapp users can sleep comfortably at night - at least until the next scandal breaks.
9 Delete old online accounts
Don’t use Facebook but have an account? Delete it (we explain how on page 11). Every online account you’ve signed up for has the potential to leak data, intentionally or otherwise. A word game you once played but lost interest in can be bought, and your data sold to a marketing company. The risks add up over several years of browsing. However, deleting old accounts isn’t easy, not least because you may have forgotten which ones you signed up for in the first place.
Thankfully, there are plenty of online tools to help you clean up your forgotten online registrations. Deseat.me ( www. deseat.me), for example, uses your Gmail or Outlook account to search for anything associated with your email address. From the list provided, click Add to add an account to your ‘Delete queue’, then click the red ‘Delete’ button to erase it (see screenshot below). This won’t erase your account, but does provide a shortcut to the delete page on the relevant website, which can often be infuriatingly difficult to find. It won’t work with every account, but it’s definitely worth trying.
One word of warning: you’ll have to give Deseat.me access to your email (including your messages). After a similar service, Unroll.me, was shamed for selling user data, Deseat.me’s developers have been quick to insist that they don’t collect or share your private info. Perhaps the final item in your list of accounts to consider deleting is Deseat.me itself. Admirably, the service offers itself up for deletion once its job is done.
10 Use disposable email accounts
Email addresses are often the most critical elements of our online identities. They’re used for logins to sites and resetting accounts, as well as keeping in touch with family. Consequently, it may be worth setting up two accounts — one for contacting friends and family, and emails that matter, and another for registering for one-off purchases, email subscriptions and the like. This second account will then receive all those annoying newsletters and promotional ‘offers’ websites bombard you with.
That does mean you’re managing two accounts, though Gmail makes it easy to link multiple email addresses to one inbox – click your account icon in the top right, then click Add Account.
But why should you even have to think about emails you don’t need? To avoid this hassle, simply use disposable email accounts. You use these just once - to register for a site. If the site sends you a confirmation email with a link to click, use it for this purpose alone, then forget about the account forever.
Maildrop ( https://maildrop.cc) is a good choice. It lets you choose your own email address, but make sure you choose a highly unusual name ( mauveyakseatcheese@maildrop.cc in our screenshot above) to reduce the risk that someone else has already used it. They would stumble upon emails sent to you if they enter the same name.
Be aware that some online services have got wise to people using disposable accounts, and now block emails going to these type of addresses. So if you don’t receive a confirmation email, try again with another site, such as Mailinator ( www.mailinator.com), Guerrillamail ( www.guerrillamail.com) or Temp-mail ( https://temp-mail.org). There are also browser add-ons to make it all easier, such as Trashmail for Chrome ( https:// trashmail.com), which will notify you when the disposable account has received the email you’re waiting for.
11 Use a VPN
A virtual private network (VPN) is an encrypted tunnel your data slips through, keeping your payment-card details, browsing habits and email correspondence safe from prying eyes. VPNS serve two purposes. First, to keep data safe from anyone ‘sniffing’ a Wi-fi connection, preventing hackers from intercepting your data when you browse on a public Wi-fi network (in a cafe, for example). Second, a VPN lets you access sites blocked by your ISP, such as online TV and film services that are subject to geographical restrictions.
There’s one major worry about VPNS. In the wake of US laws whittling away at net neutrality, a wave of fake VPNS popped up designed to hoover up personal data when people thought they were being protected. Meanwhile high-profile service Hola was revealed to be selling user data to a botnet. So you need to be very careful about which VPN you choose.
The easiest VPN for beginners is Tunnelbear ( www.tunnelbear.com), which in March was bought by antivirus software company Mcafee. Like all VPNS, it offers unlimited data only in its paid-for version (from £4.23 per month). Also consider using the browser Opera ( www. opera.com), which has a VPN built in.
12 Send self-destructing messages
Sending messages that self-destruct may feel a bit James Bond, but they can be useful to us mere mortals as well. They’re perfect for sharing passwords or other sensitive information with trusted contacts.
We recommend Privnote ( https:// privnote.com). Type your message into the yellow box, then tap Show Options, which include deciding when the note will self-destruct (‘1 hour from now’ in our screenshot right). Next click ‘Create note’ to create a link to your note. Copy and paste this into an email, then send it to your recipient. They can read the message by pasting the link into a browser’s address bar.
You can also send self-destructing Gmail messages using the Chrome extension Snapmail ( https://snapmail.co). Install it, then when you send an email tap the green Snapmail button instead of Send. Your recipient will receive a link to the message, which is deleted after 60 seconds.