This guide is written with a non-technical audience in mind, so if you are an “average internet user/consumer” then you should be able to follow along. If you have any questions or anything is not clear, please ask!

What you’ll need to get started:

Your personal computing devices including desktop, laptop, phones, and tablets

A way to transfer files from your computer to your mobile devices (usually a USB cable, SD card & reader, or Bluetooth, etc.)

Basic technical competence (signing up for accounts, checking email, finding the right button to click in an application, copy-pasting text from one application to another, etc.)

1–2 hours of your time

A couple of backup devices like a USB key, SD card, DVD, etc. (optional / recommended)

If you are concerned about your online privacy (and especially if you use a single platform such as Google, Apple, or Microsoft for all of your online services — you should be!), this guide is for you. For the large majority of services — search, maps, email, chat, storage, etc. — there are more privacy-conscious, secure, free, and easy-to-use alternatives. Unfortunately, if you decide to leave one of these platforms, you will immediately face the problem of too many choices, and many of them are simply not easy to use, don’t do what you want, or are more appropriate for businesses than for individuals.

My goal is to give you a head-start by explaining how to migrate what I consider to be “core” online services to more secure platforms that meet the following requirements:

Free to use — at least for the basic feature set

Easy to use — comparable to the ones you’re familiar with

Cross platform — works on Windows, Mac, Linux, Android, and iOS

Privacy conscious — company registered in a privacy-friendly country, minimal tracking and logging of use, may be permanently deleted

Secure — user-end encrypted wherever possible

Open source when possible

Alternative Core Services

For me, these basic services cover most of the information about my personal and private life that I would like to keep away from prying eyes of the companies and governments that spy on us. There are certainly others (office applications, streaming video, etc.), and of course the operating systems themselves (Windows, Mac, Android, iOS). These all have alternatives, but unfortunately nothing that meets the 6 requirements I have listed out above.

And just to be clear — you don’t need to be doing anything “wrong” to take privacy and security seriously. You are your online identity. Allowing companies to spy on you, show you ads, filter your internet, and pass your information along to 3rd parties (including the government) is no joke.

Let’s get started!

Disclaimers:

Except for Dropbox, none of the above links or any other links in this guide are affiliate links. If you sign up for Dropbox using the referral link above, I get 500MB extra storage space. If you’d prefer not to for any reason, go to the Dropbox homepage instead.

I am not affiliated with any of the services I am recommending — they are just my own personal favorites. Feel free to use something else, and let me know if you find something you like better.

Nothing connected to the internet will ever be totally secure. You still need to take care to maintain the secrecy of your passwords and update them regularly, monitor your accounts for abuse, etc.

The options for non-Google, non-Apple, non-Microsoft mobile platforms are still, unfortunately, limited. I’m holding out for a better Ubuntu Phone, though it seems they aren’t currently available. In the meantime, following the steps in this guide is an excellent first step towards securing your digital life!

First Step: Bye-bye Chrome, bye-bye Google!

If you use Chrome, Safari, IE, or Edge, this step only takes a minute.

1. Download Firefox, run the installer, and set it as the default browser when prompted. Also, install Firefox on your mobile devices from the App Store / Play Store.

2. Open Firefox on your computer. Click the Menu icon at the top right, click Options, then on the Search tab set your Default Search Engine to DuckDuckGo. You can also remove Google, Bing, etc., if you would like to remove them from the search options entirely.

Tips: Use !Bangs to improve your search experience with DuckDuckGo, and also read the help pages for more advanced searching.

Here are a few more things you can do to make Firefox more private:

From the Options > Privacy tab, enable Do Not Track. (See screenshots below.)

Search for the uBlock Origin add-on for ad blocking. After installing, click the uBlock Origin icon next to the Firefox menu, and click the settings gear (it’s very small, in the top left corner). Go to the 3rd-party filters tab and enable any filters you want, like Facebook or regional filters.

Install the NoScript add-on to disable JavaScript on a per-site, whitelist basis. Sites are not trusted by default, but you can easily click a single button to trust a site and allow it to run JavaScript as normal. (You can also install NoScript on Firefox mobile for similar protection.)

If you want to block Facebook, Twitter, and Google beacons from “phoning home” on every website that includes a Like, Tweet, or +1 button, open up your NoScript preferences and add the following lines in the Advanced > ABE > USER section (see screenshot below):

    # Block Facebook
    Site .facebook.com .fbcdn.net facebook.net
    Accept from SELF
    Accept from .facebook.com .fbcdn.net facebook.net
    Deny INCLUSION

    # Block Twitter
    Site .twitter.com
    Accept from SELF
    Accept from .twitter.com
    Deny INCLUSION

    # Block Google
    Site .google.com googleapis.com
    Accept from SELF
    Accept from .google.com
    Deny INCLUSION

Set DuckDuckGo as the Default Search Engine

Block Facebook, Twitter, and Google beacons with Noscript.
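To see what these rules decide for a given request, here is an added sketch (not part of the original guide and not NoScript's own code) that models the three rule sets in Python. It assumes the first matching line in a rule set wins, that SELF means the request comes from the same host it is going to, that a leading dot covers subdomains, and that requests matching no rule are allowed; the example URLs are constructed.

```python
# Added illustration: a simplified model of ABE rule evaluation.
# It is not NoScript's code; the matching semantics below are assumptions.
from urllib.parse import urlsplit

RULES = """
# Block Facebook
Site .facebook.com .fbcdn.net facebook.net
Accept from SELF
Accept from .facebook.com .fbcdn.net facebook.net
Deny INCLUSION
# Block Twitter
Site .twitter.com
Accept from SELF
Accept from .twitter.com
Deny INCLUSION
# Block Google
Site .google.com googleapis.com
Accept from SELF
Accept from .google.com
Deny INCLUSION
"""


def host_matches(pattern, host):
    """Assumed: '.example.com' covers the domain and its subdomains;
    a bare name such as 'example.com' matches that exact host only."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def parse(text):
    """Turn the rule text into [{'sites': [...], 'preds': [...]}, ...]."""
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not words:
            continue
        if words[0] == "Site":                 # starts a new rule set
            rules.append({"sites": words[1:], "preds": []})
        else:                                  # Accept / Deny line
            origins = words[words.index("from") + 1:] if "from" in words else None
            rules[-1]["preds"].append((words[0], "INCLUSION" in words, origins))
    return rules


def origin_allowed(origins, origin, dest):
    """True if the requesting host is named by a 'from' list."""
    for o in origins:
        if o == "SELF":
            if origin == dest:
                return True
        elif origin and host_matches(o, origin):
            return True
    return False


def decide(rules, dest_url, origin_url, inclusion):
    """Return 'Accept' or 'Deny' for a request to dest_url made by origin_url.
    inclusion=True means an embedded resource (script, image, frame),
    False means the user navigated there (typed URL or clicked link)."""
    dest = urlsplit(dest_url).hostname
    origin = urlsplit(origin_url).hostname if origin_url else None
    for rule in rules:
        if not any(host_matches(p, dest) for p in rule["sites"]):
            continue
        for action, needs_inclusion, origins in rule["preds"]:
            if needs_inclusion and not inclusion:
                continue
            if origins is not None and not origin_allowed(origins, origin, dest):
                continue
            return action                      # first matching line wins
    return "Accept"                            # nothing matched: allowed


PARSED = parse(RULES)

if __name__ == "__main__":
    page = "https://news.example/article"      # constructed example site
    cases = [
        ("Like button on a news page", "https://www.facebook.com/plugins/like.php", page, True),
        ("Clicking a link to Facebook", "https://www.facebook.com/", page, False),
        ("Facebook loading its own CDN", "https://static.fbcdn.net/a.js", "https://www.facebook.com/", True),
        ("Tweet button on a news page", "https://platform.twitter.com/widgets.js", page, True),
        ("Subdomain of a bare pattern", "https://fonts.googleapis.com/css", page, True),
    ]
    for label, dest, origin, inc in cases:
        print(f"{label:32} -> {decide(PARSED, dest, origin, inc)}")
```

Under this model the bare patterns facebook.net and googleapis.com match only those exact hosts, so an embedded request to a subdomain such as fonts.googleapis.com is not covered by the rules; writing the pattern with a leading dot would extend it to subdomains.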

Now we’re going to set up the rest of our services, but first I want to show you how to use a password manager. You can completely skip the next 2 sections, but I strongly recommend using a password manager to keep your passwords and all of your accounts as secure as possible for very little extra work. I guarantee you will thank me later if you take the few extra minutes now to set up your password manager.

A Word on Passwords

When you only use one platform, you only need 1 password. When it’s saved on your device or your browser, you only need to enter it once in a while. In other words: one hack, and all of your personal data is compromised. Using a new (and secure!) password for every service sounds nice, but what do you do about remembering all of them? In short, don’t worry — you’ll still only need to remember one password.

A secure password should consist of two parts, also known as two-factor authentication (2FA). Essentially, a password should contain:

1. A secret that only you know

2. Something you physically possess

Most people only use (1). Using a combination of (1) and (2) will better ensure that you are who you say you are, because it will be more difficult for a hacker to get their hands on the thing that you physically (or in this case, digitally) possess.

Installing a Password Manager

My choice for password management: KeePass2 (Home / Download)

There are other options, but many of the online providers are not free for cross-platform use. Besides, I do not like the idea of keeping the passwords for my private services in yet another online service. KeePass2 allows us to use 2FA, and we can keep our passwords on our own devices.

Now we will create two files: a .kdbx file, which is our encrypted password database, and a .key file, which is the digital equivalent of a physical key (like your house key or car key).

Steps to installing and setting up your password manager:

1. Visit the download link above and download KeePass 2 on your computer.

2. Open the app and click File > New to make a new password database, and save it to a temporary location like the Desktop.

3. Check the Master password box. YOU MUST REMEMBER YOUR MASTER PASSWORD! If you forget your master password, all of your other passwords will be permanently inaccessible. Use a few words or a short sentence rather than random letters. Remember, your master password should be something only you know. (See screenshots below.)

4. Check the Key file boxes. Click Create. (See screenshots below.)

5. Move your mouse around inside of the box and press random keys until the bar fills up (this generates a “more random” password for your key file). The key file is something only you have, so never give it away to anyone else and never store it anywhere accessible to the public internet.

6. Click OK to open your new password database. In the next options box, give your database a name and description if you want (like “My Passwords”), then click the Security tab.

7. Increase the number of transformation rounds. Click the 1 second delay button for a baseline number. My 1 second delay was about 9 million, but that file took 6 seconds to open on my phone. I chose 5 million, and it takes about 3 seconds to open on my phone. A higher number makes every attempt to open the database slower, so an attacker will be unable to crack your database because it would simply take thousands of years to try many different password combinations. (See screenshots below.)

8. Once you have opened your password database, you will see some folders on the left and 2 sample entries on the right. You can safely delete the sample entries and the folders, or keep them if you would like to organize your passwords that way.

Step 3 & 4: Set Master Password and Key file.

Step 7: Increase key transformation rounds to between 1 ~ 10 million.
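The following added sketch (not from the original guide and not KeePass's code) shows why the master password, the key file and the number of rounds each matter. It uses PBKDF2 from Python's standard library as a stand-in for KeePass's own key transformation; the sample password, key file bytes, salt and attacker speed are constructed assumptions.

```python
# Added illustration: password + key file + rounds, using PBKDF2-HMAC-SHA256
# as a stand-in for KeePass's key transformation (an assumption, not its code).
import hashlib
import hmac
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def composite_key(master_password: str, key_file: bytes) -> bytes:
    """Combine something you know (password) with something you have (key file)."""
    pw_hash = hashlib.sha256(master_password.encode("utf-8")).digest()
    kf_hash = hashlib.sha256(key_file).digest()
    return hashlib.sha256(pw_hash + kf_hash).digest()


def derive_key(master_password: str, key_file: bytes, salt: bytes, rounds: int) -> bytes:
    """Stretch the composite key; every extra round adds work to each guess."""
    return hashlib.pbkdf2_hmac(
        "sha256", composite_key(master_password, key_file), salt, rounds
    )


def unlock(expected: bytes, master_password: str, key_file: bytes,
           salt: bytes, rounds: int) -> bool:
    """True only if BOTH the password and the key file are the right ones."""
    candidate = derive_key(master_password, key_file, salt, rounds)
    return hmac.compare_digest(expected, candidate)


def seconds_per_guess(rounds: int, sample_rounds: int = 20_000) -> float:
    """Time a small run on this machine and scale it up to `rounds`."""
    start = time.perf_counter()
    derive_key("timing", b"timing", b"timing-salt", sample_rounds)
    elapsed = time.perf_counter() - start
    return elapsed * rounds / sample_rounds


def years_to_try(guesses: int, rounds_per_second: float, rounds: int) -> float:
    """Years needed to test `guesses` candidates at a given hashing speed."""
    return guesses * rounds / rounds_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = b"constructed-salt"              # constructed sample values
    key_file = bytes(range(32))
    rounds = 5_000_000                      # the figure chosen in step 7
    print(f"one unlock on this machine: ~{seconds_per_guess(rounds):.1f} s")

    # Assumed attacker: 1e9 rounds per second, guessing a master password
    # made of 4 words from a 7,776-word list, with the key file already stolen.
    guesses = 7776 ** 4
    for r in (6_000, rounds):
        print(f"{r:>9} rounds -> {years_to_try(guesses, 1e9, r):,.0f} years")

    # Demonstrate the two factors with a small round count so it runs quickly.
    stored = derive_key("correct horse battery", key_file, salt, 10_000)
    print("right password, right key file:",
          unlock(stored, "correct horse battery", key_file, salt, 10_000))
    print("right password, wrong key file:",
          unlock(stored, "correct horse battery", b"\x00" * 32, salt, 10_000))
```

The time per guess grows in proportion to the number of rounds, which is why the same setting that slows an attacker also makes the database slower to open on a phone.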

Managing and Syncing Your Passwords

Now that we have a password database (.kdbx file), an encryption key (.key file), and a master password, we need to be able to add password entries for all of our online services. We also want to sync the passwords to all of our devices. Let’s set up Dropbox to sync the .kdbx file containing our passwords, and in the process we will create a random password for our Dropbox service. (If you already have Dropbox, follow the same steps but change your password instead of opening a new account.)

Adding a new password for Dropbox:

1. To add a new password, click Edit > Add Entry.

2. Click the button next to the password box, then click Open password generator to make a new password.

3. Click the Profile drop-down menu, and select Hex Key - 256-Bit, then press OK. This will generate a 64 character random password. Some websites limit password length, so you can use the other options if 64 characters is too long for a particular service. (See screenshots below.)

4. Enter Dropbox in the Title field, then press OK, and save your database (File > Save or ctrl+s).

5. Go to the Dropbox website and sign up for an account as usual, but instead of typing in a password, use the password you just generated. Click on the Dropbox entry you added, and press ctrl+c to put the password on your clipboard, or right click and select Copy Password. Use ctrl+v or right click to paste as usual.

6. You can install Dropbox on your computer, or use the web interface. In either case, put your password database file (the one that ends with .kdbx) onto your Dropbox. Do NOT include your key file (the one that ends with .key) — remember, the key file must be kept private. Never keep it in the same location as your password database, or it will entirely defeat the purpose of having it in the first place. You wouldn’t leave your house keys out in public for anyone to pick up, would you?

7. Install Dropbox on your phone, tablet, or other device.

And now the obvious question is:

But if the password is in the database, and the database is in Dropbox, how can you log in to Dropbox from another device?

For the initial setup of any new devices where you want access to your passwords, you must copy the password database and key files manually to the device. Yes, this is a bit of a pain in the butt, but just remember the amount of security you gain by taking this 1 single step to set up a new device — it only takes a minute!

For using your passwords on other computers, there is a much simpler solution: a USB key. Keep your password database and the standalone version of KeePass2 on a USB key. If you like, hook it on your key ring along with your house and car keys, and take it with you. You can even get a USB key that has connections for both your computer and mobile (called an OTG USB key), and use the same key for all of your devices. Pretty soon, USB 3.1 (a.k.a USB C) connectors which are the same for desktops and mobile devices will make this issue a thing of the past.

Keeping your password database secure:

If you have a USB key ready, go ahead and copy your password database over to it so you have a backup. Remember, if you backup your .key file, it is essentially like making a copy of your house keys or your car keys, so you must keep it in a safe physical location. My personal setup is as follows:

.kdbx file on Dropbox for sync and daily use on all of my devices.

Redundant backup of .kdbx file in multiple places (on my computer / laptop, on another cloud storage provider, USB, etc.)

.key file on USB drive that is kept on my key ring with my house and car keys, and on my mobile devices since USB drives are inconvenient there

Redundant .key file backup on physical media and stored in a safe physical location. This is a duplicate, just like you might have a duplicate of your house key that you give to a friend for safekeeping.

Essentially, even if all of your daily use devices are stolen or damaged at the same time:

Your password databases should be useless to a 3rd party (because either the key or the password or both will be missing), and

You should be able to retrieve a backup of your .kdbx and .key files from wherever you have kept the backups — be sure to keep them separately for the best security (i.e., the .kdbx file with a friend and the .key file in a safety deposit box at a bank).

Syncing your password file with Dropbox:

1. Plug your device’s SD card or USB into your computer, and copy your password database and key file over.

2. Open Android2KeePass or iKeePass, select your database and key file, enter your master password, and you will be able to access your Dropbox password.

3. Install Dropbox from the Play Store / App Store, and when prompted, copy your password from KeePass to log in.

4. Look for your password database that should now be synced from your computer, and click on the settings arrow, then set it to Available offline so you will always have access to your password database.

5. Go back to your KeePass app, close the current database, then open your database directly from Dropbox. You will see the Dropbox option from the main menu of the app.

6. Your password database is now successfully synced between your devices, and you should delete the copy of the database file that you copied onto your device in step (1). Do not delete the key file since you need it to open the password database, and do not store the key file on Dropbox to keep it secure.

With your password management set up and ready to go, you are ready to move all of your services over from Google / Apple / Microsoft spyware services to the more secure alternatives mentioned above.

One final note: you can set up KeePass to work with Firefox by installing the KeeFox add-on in Firefox. KeeFox will take the usernames and passwords directly from your password database if you set the URL of an entry in the database, making it a breeze to use the complicated 64-character passwords with no muss and no fuss.

Encrypting Dropbox with Boxcryptor

From now on, whenever you want to open an account on a new service, the process is the same: open KeePass2 (on any of your synced devices), add a new entry, and generate the longest allowable random password for the service. In most cases, 256-Bit (64 character) passwords will work fine.

1. Go to your Dropbox folder and make a new folder for secured & encrypted files. I keep a separate folder, because I don’t need to encrypt all of my files, just the ones with sensitive data. For example: tax returns, copies of my passport and credit cards, etc. I call my secure folder “Private,” but you can call it anything you like.

2. Sign up for Boxcryptor. Install the app on your computer, phone, etc.

3. Boxcryptor should automatically detect your Dropbox account. A free Boxcryptor account can only be linked to one service at a time, so if you have Google Drive, OneDrive, or any other services that Boxcryptor recognized, you may need to switch Boxcryptor so that it points to Dropbox instead of those other services.

4. Once Boxcryptor points to Dropbox, you will see a Dropbox folder inside of your Boxcryptor folder. Click on that, and then right-click on your “Private” folder and choose Boxcryptor > Encrypt to encrypt the entire folder. The folder name will change to “Private_encrypted.” You can change the name back after it has synced to Dropbox.

5. Anything you put in your “Private” folder via Boxcryptor will be encrypted before it is synced to Dropbox. You can try it now. Take any file and copy-paste it into the Boxcryptor > Dropbox > Private folder. Then go to the normal Dropbox > Private folder and you will see that it has been encrypted.

Great! You now have secure access to files that are encrypted on your local device and stored in the cloud. Boxcryptor can’t open those files, nor can Dropbox, nor can your ISP, nor the government, nor anyone else. To see those files, you need your Boxcryptor password which is stored safely in your KeePass2 password database. Again, if you lose your KeePass database or key file, or you forget the password, you will permanently lose all of your files on Boxcryptor. Please review the section above for tips on password database safekeeping.

Securing Your Communications — Email and Messaging

So far we have securely stored our passwords, synced them to our devices, and secured our online cloud storage for our personal files. The next most important step will be to secure our communications, and this is really where companies like Google and Facebook like to mine us for data to sell to 3rd parties and advertisers. Setting up is pretty straightforward.

Setting up secure email with ProtonMail:

1. Sign up for ProtonMail. Create two passwords, one to log in, and one to decrypt your inbox. Enter the passwords when requested during account creation.

2. I recommend not linking your ProtonMail account to another account, as the ProtonMail account with passwords securely stored in KeePass will be more secure than the other account. Security is only as strong as the weakest link in the chain.

3. When sending an email, if your recipient has a ProtonMail address, your emails will be encrypted automatically. If they don’t, you can send a secure email and set a password on the message. You must give them the password, e.g., over the phone or in person. They will receive an email with a link to your message, and they can only read and reply if they know the password. This is not necessary for most communications, but it’s nice to know that the feature is available if you need it. For example, you can confidently and securely send private information like bank account details, ID numbers, passwords, etc. to a trusted person. You can also automatically expire or manually delete messages sent using this feature.

4. Install the ProtonMail apps for your mobile devices, and as before get the passwords from the KeePass app when requested.

5. Send a bulk email to your friends and family, telling them about your new address. You can also set your new address as a forwarding address from your previous email service, although as far as I know there is no way currently to copy over all of your old emails into ProtonMail.

6. The free version has a 500MB limit, so don’t use too many large attachments. Use Dropbox and Boxcryptor to securely send and control access to larger files.

Setting up secure chat (instant messaging):

Now that your secure email service is set up, let’s talk about messaging. Unfortunately, there is no clear winner in this arena. Instead, we have 3 different apps that all have pros and cons: Signal Messenger, Telegram, and WhatsApp.

Whichever app(s) you choose to use, the signup process is exactly the same. All 3 apps require an iOS or Android device and your mobile phone number to get started.

1. Download Signal, Telegram, and/or WhatsApp from the App Store or Play Store.

2. Launch the app and enter your mobile phone number when prompted.

3. Wait for the SMS verification code. It should be detected automatically, but type it in if not.

4. Your contacts will show up automatically if they also use the same app. If your contacts don’t show up, they must download and register for the app the same way you did. They will automatically show up on your list once they complete the SMS verification.

Let’s talk about the major pros and cons for each of these 3 apps.

Signal Messenger

Pros. Best quality encryption, verified through open source. Always encrypted by default.

Cons. Limited cross-platform compatibility, only works on Android, iOS, and as a Chrome App (Chrome is further restricted to only working if you have Android). If you want a desktop app and have iOS, or if you just want to avoid Chrome, you’re out of luck.

Telegram

Pros. You can choose a username to chat with people without giving them your phone number; this potentially allows for more anonymous chats and better privacy. Has a decent standalone desktop app.

Cons. Encryption is not on by default. You must click the button to start a secret chat to enable encryption. Potentially weaker encryption method. It’s open source, but not a standard method and has not yet been mathematically proven. That being said, it’s also not yet been disproven, i.e., cracked — however, this so-called “security by obscurity” is generally seen as a big no-no in the security world.

WhatsApp

Pros. Excellent cross-platform support, with fully featured mobile and desktop apps. Uses the same encryption platform as Signal. Has the largest user base.

Cons. Owned by Facebook. Not open source (claims cannot be guaranteed by checking the source code). Encryption is not 100% guaranteed; the company could turn off encryption on one end of a conversation without the other party being aware (for example, to aid law enforcement). There was talk for a while of charging an annual 99¢ fee, although this seems to have not been implemented.

To sum up: if you can put up with the limitations, go for Signal. If you want to chat without giving up your phone number, try Telegram. If you just want the best user experience and don’t mind that Facebook is the parent company, use WhatsApp. There’s no harm in signing up on all 3 and using whichever one is most convenient for your friends (but ask if they can switch to Signal, too).

Other Services

I’m sure there are lots of other online services you use, so I’m not going to cover alternatives to everything. But good alternatives do exist, you just need to look around. For maps, try OpenStreetMap — it’s the Wikipedia of the map world. Depending on where you are, it may even have more information than Google maps! For mobile devices, you can try MAPS.ME, which actually also uses the data from OpenStreetMap.

One of the great things about OSM is that, since it’s like a Wiki, you can edit it yourself. Just a few days ago a restaurant opened on my block — I added it to OSM right away, and it’s still not up on Google Maps and probably won’t be for a while. Also, since the map data is free, you can download offline maps to use on your mobile devices without an internet connection — perfect for when you want to avoid roaming charges or when traveling overseas.

Cleaning Up

Make sure you go through all of your existing accounts at Google, Yahoo, Microsoft, Facebook, etc., and look for the Privacy or Security settings. If you don’t remember where you have accounts, just search for your real name and common usernames on all of the major search engines — you’ll be surprised what pops up.

I recommend turning off everything you can — prevent these companies from logging or tracking your activities to the greatest extent possible. You can choose your own level of comfort, but remember, the supposed “benefits” you get (Google suggests that it can offer “shorter commute times” when you try to delete your data and increase privacy settings) are mostly nonsense. They want your data to sell you stuff, and to sell you, plain and simple. They certainly don’t have your best interests at heart.

For Google in particular, make sure you visit the My Activity page (available from the My Account page) and delete your complete activity history. Take a look through first to see the enormous amount of data this company collects about you, and imagine what that data might look like from the perspective of a marketing agency (or worse: a criminal looking to steal your identity, or the government looking to make a case against you).

If you’ve followed all of the above steps, congratulations! For most people, the above steps should be plenty to get started, so you can stop here for now — you are already well on your way to a more private, more secure internet identity. But, if you want to go the extra mile to really beef up your privacy and security, read on to see the next steps you can take.

Advanced Privacy & Security

VPN

This one costs money, there’s really no way around it, but you may think it’s worth a few dollars a month to maintain your anonymity, privacy, and security online. That One Privacy Site has an enormous collection of data on VPN services that you might find useful. The link above absolutely refuses to recommend one service over another, insisting that you do your own research. I agree, and encourage you to do your own research. That being said, I have used IVPN, which seems to be a popular choice, and cryptostorm, which is significantly cheaper and also works just fine for me.

Whichever VPN service you use, connect through the VPN on any device you wish to use privately. You can also connect your VPN directly through your router so that all of your devices will work with a single VPN connection. You will need to refer to your VPN’s documentation for instructions to set that up.

Tor

You can read more about Tor on their website, but in brief, Tor routes your internet use through a series of more-or-less random computers before finally getting the website or data you originally requested. Data leaving your computer is encrypted, and passes through at least 3 “nodes” (these nodes can be anywhere in the world) where it is encrypted again as it passes through each node before finally reaching the destination. When data comes in to your computer, the reverse process happens. Tor is free and very anonymous, but it is slow. Tor also allows access to “.onion” web pages, or so-called “hidden” pages, but you will have to do your own searches to find them.

Bitcoin

If you want to buy things without leaving a credit card record, try Bitcoin if the website or service accepts it. You can buy bitcoins either anonymously from a place like LocalBitcoins with cash, or from any of the major Bitcoin markets that allow credit card, debit card, bank transfer, or PayPal purchases. In either case, you’ll want to first make sure that Bitcoin is legal in your country, and then route your Bitcoins through some pooled accounts to ensure anonymity. There are plenty of guides online for how to do this, so I won’t go into further detail here.

Disk Encryption

Android, Windows, Mac, and iOS (already on by default) now all have full disk encryption built in. You could also choose a third party solution like VeraCrypt if you are concerned about the security of the manufacturer-provided option. VeraCrypt also has an excellent option for creating a hidden volume, which is an almost perfectly secret, invisible storage space on your computer. This is a great way to store your copies of your most sensitive documents like credit cards, social security cards, passports, legal or court documents, or Bitcoin wallets. Someone who has complete access to your computer will have a very difficult time even discovering that a hidden volume exists, let alone being able to see what’s inside.

Final Thoughts & Further Reading

Well, I hope that this guide is enough to get you started on keeping your internet use private and secure. Sure, it is slightly more complicated to set up all of these different services, to make sure the encryption works, and so on, but just remember: for a little bit of effort you get a huge reward — you get your privacy back. No more spying from Google or Facebook, no more potential for hackers to access all of your private data by getting in a single account, no possibility for the government to ever access your conversations. Plus, if you set up the password manager, you’ll never need to type another password!

If you’re interested in diving deeper, check out the following communities on reddit:

Good luck, and please let me know if you have any comments, questions, or suggestions for how to improve this guide.

Thanks for reading!