Online Privacy and Security Tips
I am a firm believer that people should be able to be anonymous and secure online. Over a lifetime of trial and error, I've slowly learned the best ways to protect myself, and I'd like to pass on that knowledge to anyone who wants to hear it.
Last updated May 2024 (added links to news articles about PimEyes being used to identify someone in real life)
Switch to Firefox for your main browser on Windows and Android
Avoid any browser based on the Chromium project (like Microsoft Edge or Google Chrome), as Google has a major conflict of interest that prevents it from truly having users' privacy interests at heart. It makes ~70-80% of its revenue from its highly targeted advertising business, for which it must collect as much information about you as possible. That means that no matter how badly certain parts of Google want to build privacy into the browser, business interests and pressure will always supersede them, or at least force a compromise that still enables some tracking. Firefox is owned and maintained by a non-profit, so it does not have that same conflict, and it shows in the features it builds (and does not build) and the way it treats its users.
I made a list of my favorite Firefox extensions if you want to make your internet experience more pleasant and/or more secure!
Note: on iOS (i.e. iPhones), Firefox' functionality is limited by Apple restrictions and I do not recommend it - using Safari with Extensions like Adguard or 1Blocker is more secure and will give you a better experience. I made a list of my favorite iOS Safari extensions too!
Use a reputable password manager
I suggest 1Password (avoid LastPass and all of the password managers built into browsers, they're not safe). A good password manager increases your online safety by:
Helping you avoid password reuse (a common cause of account hacking)
Generating complex passwords that are difficult to guess or brute-force, and
Allowing you to keep records of all the different sites you have accounts on (so you can quickly change passwords in the event of a breach or delete your accounts on them when they outlive their usefulness)
Delete old accounts you no longer need
If your data has been deleted, no one can steal and leak it if they manage to hack the company.
Sign up for alerts from HaveIBeenPwned (HIBP) to be notified when your data is leaked in a site hacking.
This allows you to quickly change your password, hopefully before anyone is able to decrypt it (if it wasn't stored properly) or use it (if it was easy to guess). If you have reused that password on other sites, be sure to change your password on those sites either.
Note that some leaks donโt actually have any info about what website they were stolen from; if criminals just dump a huge text file onto a hacking forum that has your username and an accompanying password in it, HIBP doesnโt necessarily know what site they hacked to get that info. This is where a password manager like 1Password will come in handy, because 1P can actually use HIBPโs API to check each of your passwords and see if any of them have been leaked before. It will alert you if you need to change a specific password, even if you werenโt aware that site had been hacked.
Note: 1P only sends the first 5 characters of the password hashes to HIBP, not the passwords themselves. You can read more about the feature and how it preserves your privacy here.
Assume all profile pictures on any site are public, and avoid using your face for them if possible
New AI-powered sites like PimEyes can take an image of you, identify your face, and search for it in other, unrelated images around the internet. I searched for myself using a recent image that had never been posted to the internet before, and it immediately identified me in completely separate images I was using as my profile pictures on Facebook and LinkedIn and provided links to my accounts there. In this new AI era, assume anyone who snaps a picture of you can link you to your identity on any website where you have publicly posted your face before. This is not hyperbole; fans used PimEyes to identify a cameraman at a Taylor Swift concert using nothing more than a screenshot of a video taken of him by a concertgoer. Note: for what it's worth, you can submit an opt-out request to PimEyes if you are worried about someone using it to find your accounts online, but it requires you to submit images of your face and your government ID to the company...
Never post the same (original) image on two accounts that you do want to keep separate
Even a simple reverse image search can allow someone to link your different sites together (i.e. don't post the same vacation sunset photo on both Facebook and Tumblr because anyone can use that to link those sites together. Even if your Facebook or Instagram images are private, a follower of yours on one of those sites could still find the Tumblr you are not comfortable sharing with anyone. Marking your Tumblr as hidden only discourages search engines from indexing it; shady companies can and will ignore that and index it anyway.











