Improve your online privacy with this comprehensive guide, developed by the ProtonMail team. Here, we’ll help you determine your threat model and take steps to achieve online privacy that meets your needs.

Updated July 2019

Total Internet privacy is impossible, but you can get close by adjusting your online behavior — and a few of your privacy settings. This guide is designed to help you with simple, practical solutions to keep prying eyes away from your personal information.

Many Internet privacy guides promote unrealistic solutions, like using Tor all the time (which will slow your Internet) or communicating only through Signal encrypted messenger (which is useless unless your contacts are using it too). While such technologies provide a high level of privacy, they may not be necessary under your personal threat model. In other words, you probably don’t need to take the same privacy precautions as a Turkish dissident or an NSA whistleblower. And the best privacy recommendations can be counterproductive if you burn out following them, like one writer for Slate did.

So, in this guide to Internet privacy, we’ll show you how to understand your own threat model, followed by some practical steps you can take. Each of the sections has a simple recommendation you can follow to increase your online privacy. This page is designed to be a handy, ongoing resource rather than a quick checklist, so consider bookmarking this page to come back to it later when you need a refresher.

Table of contents:

I. Internet privacy is important for everyone

If you use the Internet at all, then privacy issues directly impact you. Without Internet privacy, someone could steal your credit card number or your identity and damage your credit score. Internet privacy keeps hackers from infiltrating your online accounts (you don’t want to be this guy) and spying on your activity while using public WiFi.

As both citizens and users of the Internet, we all have a stake in the quality of our society. Privacy is a fundamental human right and a prerequisite for democracy. For authoritarian governments and profit-seeking companies alike, invasions of privacy are a useful means of control. If you value your freedom, then Internet privacy should matter to you.

II. Understanding your threat model

A threat model is a method of evaluating security and privacy risks in order to mitigate them strategically. You can define a personal threat model to understand your Internet privacy priorities. Start by answering the following questions:

What information do you want to protect?

Who might want to gain access to that information?

Where is that information stored and transferred?

Because there is no such thing as 100% privacy, we provide solutions for both low and high threat scenarios. You don’t have to implement them all depending on your threat model.

III. Browse the Internet privately

Your browsing data is extremely valuable to companies that buy and sell targeted advertising. The largest companies in this space, like Google and Amazon, make so much money from your personal data that it is now more valuable than oil. But these companies are vague about how they use and store your information, and data breaches and privacy scandals are so common that we’ve come to expect them. Prying corporations aside, governments also collect huge amounts of data through mass surveillance, and some of them even conduct targeted surveillance (e.g. against journalists or activists). Also, the more data you transmit online and store in the cloud, the more likely hackers are to take advantage of it for financial gain.

Increasingly, there are private alternatives to data-hungry companies. For example, ProtonMail is a private alternative to Gmail. Instead of Google Drive, which can access and scan your files and documents, you could use encrypted cloud storage. For notes, Standard Notes is one end-to-end encrypted option.

Learn more: What is end-to-end encryption?

Use a privacy-focused browser

Google Chrome is the most popular browser in the world. But it enables so much data collection that The Washington Post said it “has become spy software.” That’s because Chrome logs your browsing history and allows third parties to plant tracking cookies that monitor your activity.

We recommend: Use a web browser to block online tracking. Firefox is the most popular privacy-focused browser, but Brave and Safari are also good options. If you must use Chrome, you can manage your Google activity to limit how much data it can collect.

Encrypt your Internet connection with a VPN

A VPN encrypts your Internet connection from your device to the server owned by your VPN service provider. Using a VPN can help keep your web traffic safe from anyone monitoring the network at the local level: hackers, your Internet service provider, and surveillance agencies. A VPN will also mask your true location and IP address, allowing you to browse more privately and access geo-restricted content.

A VPN will not, however, protect your web traffic against the VPN provider. That’s why it’s important to choose a VPN service you trust that does not keep logs of your activity.

We recommend: Use ProtonVPN on your desktop and mobile devices. It offers access to hundreds of servers in dozens of countries, has advanced security features like Secure Core, and follows a strict no-logs policy. ProtonVPN also has a free VPN service to guarantee basic access to the Internet to everyone.

Learn more: Your Internet service provider is spying on you

Protect your search queries

Google tracks all its users’ search queries and clicks. If you’re logged in to your Google account while using Search, the company keeps a record of this information connected to your profile. This has helped Google refine its search algorithms, but it also helps the company profit from your private data.

We recommend: DuckDuckGo is a private alternative to Google Search that doesn’t store users’ personal data or track their activity.

Limit the information you share publicly

A lot of sensitive information about you is publicly available on the Internet. Some of it is a matter of public record, like court records, addresses, and voter registration. But much of it we put on the Internet voluntarily, usually via social media, like photos (often location tagged), family members’ names, and work history.

Hackers can use these clues for social engineering and to answer security questions. Photos of you on social media can even be used to create deepfake videos of you. Almost all online services and Internet-connected devices have privacy settings you can adjust to restrict the amount of information collected and/or shared online. You can also add an additional email address to your ProtonMail account, which you can share publicly, instead of your primary email.

Limit the information you share privately

Online service providers can be vulnerable to data breaches, which can instantly compromise your privacy, sometimes in embarrassing ways. Even large services like Google or Facebook are not immune to data breaches. You can mitigate the privacy threat of data breaches by limiting the information you share with these services. For instance, you can use Google Chrome or Google Maps without logging into your account, or simply switching to a more privacy-friendly browser like Firefox.

If the services themselves (and their third-party partners) are part of your threat model, switch to privacy-focused services that do not collect user data. With ProtonMail, accounts are anonymous (not linked to your real-life identity), and we collect as little user information as possible.

Learn more: How to protect your children’s privacy online

Make your account safe and secure

First things first: To keep your online accounts private, you must keep them secure. Your password is your first line of defense. Make sure you use strong, unique passwords. A password manager can help you generate and store them so that you don’t have to write them down.

Your second line of defense is two-factor authentication (2FA). This is a way to secure your account with a second piece of information, usually something you have with you on your person, like a code created on an authenticator app or fob.

Avoid using public computers to access your accounts because keyloggers can record your login credentials. And if you absolutely must use a public computer, be sure to log out of your accounts.

Many services (such as ProtonMail and ProtonVPN) allow you to see when and from what IP address your account has been accessed. If you do not recognize one of these logins, you can log out of other sessions remotely.

We recommend: Use a password manager such as Bitwarden, KeePass, LastPass, or 1Password to help you create and securely store strong passwords.

Learn more: How to create a strong password

Use HTTPS everywhere

Always ensure that your Internet connection is encrypted from your device to the company’s servers. You can check that this is the case by making sure the URL of the website begins with “https”.

We recommend: Download the browser plugin called HTTPS Everywhere to help you do this automatically.

When to use Tor

If your threat model requires a very high level of Internet privacy, you should connect to the Internet through Tor. Tor is a technology maintained by the nonprofit Tor Project, which allows you to use the Internet anonymously. It works by bouncing your connection through multiple layers of encryption, both protecting your data and concealing its origin. Tor also allows you to access blocked websites (such as those offering E2EE services) via the dark web. However, the downside of Tor is that it is generally significantly slower compared to using a VPN.

We recommend: Download the Tor browser or connect to the Tor network using ProtonVPN if you have advanced privacy needs.

Learn more: How to use ProtonMail with Tor

IV. Keep your communications private

When communicating online, there are several ways companies or hackers can access your private conversations. Without encryption, an attacker monitoring the Internet would be able to see the information being transmitted, from credit cards to chat messages.

Of course, the vast majority of online services use some form of encryption to protect the data traveling to and from their servers. But only a few tech companies encrypt your information in such a way that even the company cannot decrypt it. This kind of encryption is called end-to-end encryption (E2EE). Whenever possible, use services that offer E2EE and protect your privacy by default.

Use encrypted email

Services like Gmail and Yahoo can scan your mailbox to collect data. Google, for instance, reads your purchase confirmation emails to build a database of everything you buy. If you don’t want your email service provider to have access to this kind of private information, you should switch to an end-to-end encrypted email provider.

Messages between ProtonMail users are always transmitted in encrypted form. When a user sends an email to another ProtonMail user, the emails are encrypted on the sender’s device, and can only be decrypted by the recipient. All emails sent to/from a ProtonMail account (even if the other side is not using ProtonMail) are stored with zero-access encryption. Once a message is encrypted, only the account owner can decrypt it.

We recommend: Create a free ProtonMail account and download our mobile app to start using private email. When signing up for newsletters or online services, you should provide them with your encrypted email address.

Learn more: Five essential steps to keep your email safe

Chat privately with secure apps

For instant messaging, you have many options. WhatsApp is one of the most popular chat apps, and it features E2EE. But Facebook (which owns WhatsApp) can see who you communicate with and when, and there may even be ways for Facebook to gain access to your messages if it wanted to. Facebook Messenger is not E2EE by default. WeChat also offers no E2EE.

We recommend: For better chat security and privacy, we recommend using Wire or Signal.

Phone number apps

Private phone number apps use Voice over Internet Protocol technology to allow you to make and receive calls and SMS with a second phone number. This can offer some privacy benefits because you are not always required to give the app provider any identifying information.

We recommend: Apps like Phoner provide anonymous calling and texting. You should keep your main phone number private while providing your second phone number for account verification and to online services that require a phone number.

Learn more: How to protect your privacy with a second phone number app

V. Secure your device

Most threat models should include the possibility of your device getting stolen or lost. Often, a compromised smartphone will also compromise many of your online accounts. Other times, device privacy simply means privacy from people looking over your shoulder.

We recommend: Adjust your notification settings so that messages and senders don’t appear on your lock screen.

Keep your device locked down

Because of the differences between different operating systems and devices, we will only provide general recommendations here. Always set a password on your device. Biometric authentication, such as fingerprints or facial recognition, should be sufficient for most users. However, people with elevated security concerns may opt to require a password every time.

Those with advanced threat models may also want to encrypt their devices. This is usually an additional step. Follow the links for instructions to do so on Windows, Mac, and Android and iOS.

Additionally, there are apps that allow you to wipe, locate, and potentially identify the thief if your device is stolen.

If your device somehow is compromised with spyware, a low-tech privacy solution, ironically popularized by Mark Zuckerberg, is to cover your webcam with a piece of opaque tape.

Learn more: How to protect your phone or computer when crossing borders

Be vigilant for phishing attacks

A phishing attack attempts to steal your account credentials or infect your device with malware by tricking you into clicking on a link or downloading an attachment. Email is one of the easiest ways for hackers to get into your computer. So it’s important to be alert and never click on links or download anything from a source you don’t completely trust.

We recommend: Read our article about how to prevent phishing attacks to understand what phishing looks like and how you can protect yourself or your business.

Delete unused apps and ensure software is up to date

Another critical part of protecting your device is maintaining its software. You can help prevent attackers from installing malware on your device by keeping your apps and operating systems up to date. Software updates often include security patches for recently discovered vulnerabilities.

Conclusion

At ProtonMail, we believe a more private Internet is possible, but it will require a major shift from the current ad-based business model. With your support, we will continue to develop tools that enable privacy, security, and freedom online. In the meantime, everyone can take simple, positive steps in their own behavior to improve their privacy individually. Because Internet privacy is a sliding scale, implementing just a few of the solutions in this guide will give you more privacy than you had before.

What are your thoughts? Do you know some online privacy tips that aren’t mentioned in this guide? We would love to hear your feedback. Use the comment section below or reply to us on social media to share your ideas.

Best Regards,

The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to

support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!