Digital Privacy and Security Checklist
Digital privacy and security can be intimidating. This checklist is a good place to start as you determine what kind of solutions will be the right fit for you. Each section includes a list of options that start with the most secure/private (often the most involved and/or expensive) and end with the least secure/private option (often the least involved and/or cheapest/free).
The options are given grades from A (best) to F (worst) depending on how private and secure they are. Also included are links to additional resources if you want to go beyond the scope of this checklist. Some links are affiliate links.
The Golden Standard: Zero Knowledge, Open Source
The ideal scenario is to have your data protected by zero knowledge, open source platforms/services. Zero knowledge means that nobody besides you can access your data, not even the service or provider you are using. Open source means the source code for the service/program/platform is accessible and free and can be inspected by anyone, which should mean there is nothing questionable in the code. Open source means you do not need to just blindly trust the service that they are doing things right. Zero knowledge and open source services are sometimes not as convenient as the big, well-known options that sell or leverage your data. They might require you to change some of your personal habits and might even cost money. But these options provide the best security and peace of mind for those concerned about their online privacy.
✓ Multi-factor Authentication (MFA) /Two-factor Authentication (2FA)
Definition: You change your settings so that when you log into a website or service, you need to enter one or more authentication items in addition to your password.
Why this matters: If someone were to get a hold of your login and password they would need an additional piece of information in order to get into your account. This makes your account more secure and harder to get into. More information
A
You use a hardware token like a Yubikey or similar product. A hardware token is a device that you plug into your USB drive that will provide a code for the service you are using. It is basically impossible to spoof or imitate.
B
You use an authenticator, which produces a changing code that you will need to login wherever you enable the authenticator. Authenticators are apps or programs that get an input code from your account (often in the form of a QR code) and then provide the changing code whenever you need to login. Authy, Google Authenticator, and Microsoft Authenticator are all fine authenticator apps.
C
You use SMS authentication, which is when you receive an SMS with a unique code that you must enter when you want to login. However, this makes you vulnerable to SIM swapping, which is when someone calls up your mobile phone company pretending to be you and they get a new SIM card with your phone number, which will let them get into your accounts. While SMS authentication is not the most secure option, it is still better than nothing.
F
You avoid multifactor authentication whenever you can.
✓ Password Management
Definition: A password manager is service and/or app that helps you to create, store, and manage all of your passwords and logins in one convenient location. You use a master password to log in and then the manager logs into all of your accounts for you. It can help you to create and keep track of unique passwords for everywhere you need a login, so you aren’t reusing or forgetting any of your passwords. A good password manager is open source and so is very safe to use. Password managers are very secure and should be used with multi-factor authentication.
Why this matters: This allows you to have complex, unique passwords everywhere. They are so complex you don’t even know them, meaning it is very difficult for even sophisticated software to crack your passwords. More information
You use KeepassXC because you want to stay in control and you don’t trust the cloud. It is open source and free. The password database only exists where you put it, for example, on your pc, phone, and even a USB stick. It is not in the cloud at all, which adds another layer of security.
You use a zero knowledge password manager that stores your information in the cloud. Examples are: Bitwarden, 1Password, Zoho Vault, Dashlane, Keeper, LastPass, RoboForm, StickyPassword, NordPass. While prices and services vary, they are all fairly similar in the services they offer. We recommend Bitwarden since they have a great free plan and are open source.
You don't use a password manager, which we strongly recommend against. Maybe you use the same few passwords for most of your services, which is a legitimately really bad security practice. If this is you, stop reading this and create an account at one of the password managers listed above right now. Even the worst password manager is much better than reusing passwords.
✓ Secure Email using Zero Knowledge Email Providers
Definition: Zero knowledge email providers means that the only people who can read the emails are the sender and the recipients.
Why this matters: Gmail, Outlook, and Yahoo are the most widely used email providers. While they are free and incredibly convenient, they are not zero knowledge. You are their product. They make money selling you to advertisers. Their servers are very secure, but they have access to all of your emails. They don't abuse that access, but they do give it up if required by law. Zero-knowledge email providers have very little information they could give up on you since nobody can read your emails but you. More information
You use Protonmail or Tutenota, two of the most common secure email providers. When emailing within their platform (e.g., from a Protonmail account to a Protonmail account, or from Tutanota to Tutanota), your emails are only accessible to the sender and recipient. If someone emails you from his Gmail account, the email is still readable by Gmail, since the email goes between multiple email providers. To be the most secure, you would use the paid version of one of these services with your own domain.
You use a paid option for email. Paid usually means you are their customer not their product. Unpaid means you are the product they sell to advertisers. There are many options and most aren't too pricey. Fastmail, Zoho, and Hey are good options.
You could keep using Gmail or Outlook. While their security is sufficient, it is usually not worth the tradeoff of decreased privacy.
✓ Email Masking Services
Definition: A service that allows you to create a different email address that forwards to your real inbox.
Why this matters: If you are tired of getting so much spam in your inbox, this is a great place to start in taking back control of your email. For example, you can sign up for that newsletter or purchase from that one online store without telling them your real email address. You don’t have to worry about them selling your email address or sending you unwanted spam. If they do you can just turn off the email address. More information
You have a premium (paid) account with an email forwarding service like 33mail, anonaddy, or simplelogin with a domain you own and you can create alias emails on the fly as needed.
You have a free account with one or multiple email forwarding services. You sign up for new things with masked emails. You just don’t get to use your own domain (this is usually a premium feature).
You just use your Gmail account for everything. You trust in Google's spam filter. You get way too many emails.
✓ Unique usernames
Definition: For every site/service/app you use, your username or the email address you use to login is different.
Why this matters: When you combine unique logins and unique passwords it makes you significantly safer online. For example, if you use the same login/email address and your information gets leaked once, then the bad guys will try that same login with other services hoping to find a match. If you have a different login everywhere, it won't matter if the bad guys try your leaked login other places since it won't work or won't be you. Your password manager can keep track of your unique logins. More information
You use email masking services for non-sensitive online services and transactions (so not for online banking). For sensitive accounts, like online banking, you use plus addressing (also known as subaddressing): right before the @ in your main email address you add a + and then some extra characters. If your email were billy@gmail.com you could have billy+bankofamerica3843@gmail.com be your email for bank of America and it would be unique, but still go to your main inbox. Even if someone knew your plain (billy@gmail.com) email address and password they wouldn't work with Bank of America since they would need to have the '+bankofamerica3843' part of the email address to be able to login. Some websites don’t like plus addressing. With these two options you can have mostly unique logins for the services you use.
You use unique usernames some of the time, mostly with new accounts, but if they ask for your email you forget to use a masked email address.
You use the same email address for everything that requires an email address and the same username for everything that requires a username. So what if your email or username is included in a data breach somewhere. Hopefully, the bad guys won't try it other places.
✓ Secure Communication (Message, Voice, and Video)
Definition: Zero-knowledge messaging, voice, and video, meaning that only you and the recipient can read or access it.
Why this matters: Insecure communication can be shared or intercepted. Texts messages are visible to telecom companies and others with the right access or equipment. Many things we text or say were not meant to be made public. More information
You use iMessage, WhatsApp, Messenger, or other encrypted messaging services (e.g., Line, Viber, Zoom). Whatever the service, you are sharing some of your data with the service provider (Facebook, Apple, Zoom, etc.) and whoever they share it with.
You use SMS. This encryption is the weakest. SMS messages are accessible by your provider (for example, Verizon or Sprint), whoever they share it with, and to anyone else with the right equipment and motivation (a personal investigator or potential identity thief).
✓ Cloud Storage
Definition: Storing files/data in the cloud, which means on the internet, on someone else's server.
Why this matters: Some people want their files backed up or stored safely and accessible anywhere. Not all cloud storage providers are equal. Some can access your files if needed. If they are a zero-knowledge provider, then they can't see your files. If you want to store files on the cloud or backup your files you want to make sure you are using the right kind of provider: ideally an open-source zero-knowledge provider. More information
You self-host. or don’t store files in the cloud. This isn't realistic for most because it is complicated (requires some technical skills, time, and resources).
You use Google Drive, Dropbox, etc. because they were great 10 years ago.
✓ Full disk encryption
Definition: When turning on your encrypted device (computer or phone) you first have to type in a password. Without the password you can't get access to the data on the device. If someone were to take the hard drive from an unencrypted laptop and plug it in to another computer, they would be able to see all the files. If someone were to do the same thing with an encrypted laptop, they wouldn’t see anything.
Why this matters: It protects the information on your physical devices from being seen by someone else if they get their hands on your device. Encrypted devices can still be stolen and reformatted and used, but with proper encryption the thieves won't have access to any of your data or files. More information
You fully encrypt your hard drive, ssd, and even your thumb drives. Veracrypt works great, is cross-platform, and is free. It is not quite as user-friendly as some of the paid options.
The paid options should be just fine (e.g., Bitlocker for Windows Professional, FileVault for Mac).
No encryption. Obviously, this is most convenient, but least secure/private.
✓ Online Aliases
Definition: Not going by your real name online. Picking one or a few fake names you use for services that don't need to know who you are. You probably need email addresses and other details to go along with those names.
Why this matters: If you sign up for a service in an alias and the service is hacked and the data leaked, then you are much safer since they don’t have your real information. Some services need to know who you really are, but many don't. For example, Netflix is happy if they get paid and I'm happy if I can watch, even if the name on the account is John Doe. More information
You go alias crazy. No one knows who you really are online. This might be too much. Some services need to know who you really are.
You use aliases generously. You use an email masking service (mentioned above). You use your real name and email when it is necessary (for example, banking).
Just be you. Everywhere. With everyone. The scammers on craigslist aren't that bad. All the Nigerian princes have your email address and email you first.
✓ Privacy Conscious Web Browsers
Definition: Web browsers (e.g., Firefox, Safari, Edge, and Chrome) you use to view websites are not the same when it comes to your privacy. Some are better than others. A privacy-friendly browser can limit the tracking cookies and data shared about what you do online.
Why this matters: Your browser can know a lot about you and your online activity. Browsers can also impact what companies and their tracking cookies know about what you do online. Using a privacy-friendly browser will keep your activities more private. More information
You use the Tor browser. This is the most private option, but it can be a hassle because some websites block access if you are on the Tor network.
You use Firefox with containers for each separate site or at least types of sites (a container for shopping: amazon, eBay, and craigslist, one for banking, etc.). This restricts the advertising cookies that are tracked from site to site so that Google, Facebook, and other advertisers don’t know everything you do online. You could also consider some of the privacy-friendly browsers like Vivaldi or Brave. Firefox is always going to be a solid option for privacy enthusiasts.
You use Chrome, Safari, or Edge. Chrome is very convenient, but there is zero privacy. Don't.
✓ Privacy-Friendly Search Engines
Definition: Some search engines track you aggressively, while others don't. Google, Bing, and the other big search engines track what you search and what you click on. They have an extensive search history for their users. Privacy-friendly search engines don't. Both make money from ads, but some respect your privacy while others use your profile to target you with specific ads.
Why this matters: Even what you type in a search bar says a lot about you, with companies collecting and paying for this information. Privacy-friendly web search engines is another way that you can avoid data being collected and amalgamated on you. More information
You always use DuckDuckGo or other privacy-friendly search engines like StartPage, Qwant, or Swisscows.
You use DuckDuckGo a lot, but sometimes you just have to search with Google.
Google is a verb isn't it? DuckDuckGo just doesn't roll of the tongue as easily.
✓ Anonymous and/or Private Purchases/Transactions
Definition: Making purchases anonymously or privately means you pay in a way that can’t be easily traced back to you. For example, you don’t pay with a credit card in your name, a check in your name, or any other payment method that exposes your identity.
Why this matters: Should what things you spend your money on be shared and sold? Credit card companies bundle and sell your purchase data to anyone willing to buy it. In addition, credit card numbers can be stolen/leaked from sites or services you use. More information
You use privacy.com for as much of your online purchases as possible. (Privacy.com is a company that provides credit card numbers linked to your bank account that can be in any name or connected to any address.) You use cash in real life. You consider crypto currencies when it makes sense.
You use a browser extension that will give you a masked credit card number for your purchases. Capital One has one called Eno.
You go for credit card points and use plastic as much as possible for your purchases. You get your rewards and the credit card companies make money bundling and selling your purchase data to whoever is willing to pay. Cash is dirty and coins are annoying.
✓ Use a VPN (Virtual Private Network)
Definition: A VPN is a service that lets you route your internet activity through encrypted servers. Instead of your internet activity going straight to the sites you use, it instead goes through the VPN. A VPN hides what you are doing from your internet service provider (e.g., Xfinity or Verizon can't see what you are doing online). It also hides your true IP address from websites you visit and online services you use (e.g., espn.com wouldn't know where you actually are or that you have Xfinity internet). If you are using public Wi-Fi it also hides what you are doing from anyone on that network.
Why this matters: Internet search providers (ISP) often have logs of what sites their users visit and can sell that information or give it to law enforcement if requested. Some sites or services change depending on where you are or who your ISP is. If you are using public Wi-Fi at the airport or a coffee shop, using a VPN will protect you from anyone watching the traffic on that network. More information
You put a VPN on your router or on a dedicated firewall device you plug your router into. You can use one of the more privacy-friendly VPN services like ProtonVPN. This would make it so that everything on your home network is behind a VPN. You would also have a VPN that was always active on your phone and other devices that leave your home network. You could even be crazy and have two different VPN companies, one for the firewall and one for each device. You might also use the Tor network sometimes. Some websites won't let you visit if you have a VPN. They make you angry. You are pretty good at doing captchas since a lot of sites make you do captchas while on a VPN to make sure you are not a robot.
You have a VPN on your pc and your phone. You turn it on when it makes sense and don't when it doesn't. You always turn on your VPN when using public Wi-Fi. Some services don't like VPNs. Your captcha game is getting better. While there are many good VPN services, some good options are MozillaVPN, NordVPN, PIA, and ExpressVPN.
You don't use a VPN. Your ISP sees everywhere you go and probably has an impressive log of your online activities. They could share it if required by law. When using public Wi-Fi you share what you do online with that network or anyone hacking it.
✓ Remove Your Personal Data from People Search Sites and Data Brokers
Definition: People search sites know a ton about you: name, addresses, phone numbers, relatives, etc. Anyone who wants to can look you up on those sites. Data brokers sell your data (it's often marketing data). You can't always see what they know, but they usually know a lot.
Why this matters: Your data is likely on hundreds of people search sites and being sold by data brokers. If someone wanted to stalk or harass you, finding you on a people search site would give them lots of information about you: your full name, birthday, current address, previous addresses, phone numbers, emails, relatives, etc. You are also more likely to get spam or have your identity stolen or compromised. More information
You use a service like MyDataRemoval to remove your data and check the biggest offending services every month. Some sites will add you back when they find your data somewhere else so it would be good to have a service that checks every month. We'd love to help. Take a look at our free trial to see how much of your data is out there.
You can do it yourself, which would take approximately 30 hours. And hope it doesn't come back.
You can remain ignorant and not look at how exposed you really are.
✓ Get a P.O. Box
Definition: Any time you need to receive mail in your real name, you don’t send it to your house. It can go to a P.O. Box, a CMRA, or another similar service.
Why this matters: This is offline, but it will spill into your online life. Having things sent to your house in your real name shares with more people and companies your real address. This in turn will get it into databases that will be shared and sold. If you limit what comes to your house in your name, you will limit the information that connects you to your address. More information
The hardcore privacy people do everything they can to not associate their residence with their name. Mail in your name would be to a post office box and things that come to your house would be to an alias name.
Some stuff comes to your house in your real name and your house is owned in your name. Some utilities are in your name, but not all of them.
Everything is in your name. That's how you set it up and it's pretty annoying to change it.
✓ Purchase property privately
Definition: Property and big purchases are in the name of an entity that protects your identity. This is likely a trust or LLC. This masks ownership (it's penetrable by law enforcement or private investigators, but probably not advertisers or snoopers).
Why this matters: This is also offline, but good to think about. This does a lot to keep your real name from being associated with your residence/property. More information
You use LLCs and trusts to purchase your home, vehicles, and other big-ticket items.
You thought about buying your car with a LLC or living trust, but it seemed like a hassle.
Everything is in your name. Oops.
✓ Use a mobile phone provider that lets you be anonymous
Definition: Verizon and the other big carriers know a lot about you. They share and sell your information. They track who you call and what you do online.
Why this matters: If you could get by without them knowing who you are, you wouldn’t care if there was a data breach (T-Mobile!) or if they sold information on their subscribers. More information
You use a privacy-friendly provider. Mint Mobile will let you sign up without requiring identification. You can use a privacy.com card with them too. If you used a VPN on your phone, your network wouldn't know what you did online. If you are hardcore you don't use the mobile number they gave you. You use VOIP or secure communication platforms for all of your calls/texting. This would mean they have no call log of who you communicate with. They would only know how much data you use and when and what cell towers you connect to when.
You can use a VPN with a normal mobile provider to mask what you do on your phone. They still have a log of who you call and text.
You can just give Verizon and the advertisers who pay for access to you and your interests a thorough list of what you do online. They are going to get it sooner or later, right?
✓ Freeze Your Credit
Definition: You can lock down (freeze) your credit profiles with the big credit agencies (TransUnion, Equifax, Experian) and the little agencies. This would prevent anyone from opening an account in your name unless you temporarily unfreeze your credit.
Why this matters: Stealing your identity is a lot harder (and less profitable) if you freeze your credit. Many people think about freezing their credit only when an emergency comes up, but proactively freezing your credit can be a good step in protecting your information and assets. More information
You freeze your credit at all the major credit bureaus. You have pins and can temporarily unfreeze when needed.
You have been meaning to freeze your credit, but you were thinking of opening a new credit card and haven't gotten around to it.
Freezing and unfreezing your credit sounds like a hassle. It is.