
Privacy

Last updated: Sunday 1st June 2025.

This is my opinion, obviously.
Let's start with a note on definitions. There are three types of privacy:

  1. Privacy from governments and law enforcement
  2. Privacy from corporations
  3. Privacy from people

It's worth noting this because some entities, particularly corporations, will deliberately confuse the last two. Facebook, for example, gets in trouble for its privacy violations and so establishes 'granular controls to protect their users' privacy'. Except these are mostly controls about who can see your profile and who can message you, with some toggles that will politely ask Facebook not to track you buried in the same section of the app.

A lot of this document is angled towards corporations, but advice for one will usually help for the others.

General

Privacy VPN
tl;dr: use Mullvad
What is it: A privacy VPN is different to a corporate/networking VPN. A privacy VPN routes all your internet traffic through a single server somewhere remote so, instead of your traffic speaking to the internet through your Internet Provider, it's encrypted and

  • Most privacy VPNs
  • Location matters (kinda): I invariably use Swiss exit nodes where I can.

Without a VPN, everyone between you and the internet can see what websites you're visiting, at a minimum. That includes any WiFi, such as those in cafés and hotels. In fact, other people connecting to those same WiFi access points can very often see your traffic too.

Use:

  • Enable auto-connect on startup & the kill switch, which blocks connections if the VPN disconnects, something that can happen without you noticing.
  • Enable DNS Content Blockers. These are like browser ad-blockers, but they apply to your whole machine, and you can easily switch them on and off depending on whether you want to be gambling or not.

Considerations:

  • Some websites will appear in another language based on your exit node. This is incorrect behaviour on the part of the web developers, but what can you do. Many websites have language selectors, some don't (ahem, Shopify), so you might just have to switch back to a UK exit node for these ones.
  • The proliferation of DDoS protection and anti-abuse services like Cloudflare throughout the web means that you will run into a lot more CAPTCHAs when using a privacy VPN.

Operating Systems

tl;dr: Don't use Windows. If you must use Windows, regularly run privacy scripts.
Options: MacOS and Linux are great, don't feel you must use Windows. Windows is great at lots of things, but Microsoft is a trash company now, loading in such obscene quantities of spyware, advertising and bloatware that even their own devs have to run scripts to disable them on new machines. If you really must use Windows, run maintained privacy scripts from trusted sources. You must do this on a regular basis (at least every time there's a Windows update) because Windows will re-enable much of the malware you disable. Alternatively, you can
Apple is not the shining ideal in this specific regard that their marketing would like you to believe, but they are much, much better than Windows, Android or ChromeOS.
Linux has come a long way and is great now and there are many versions (distributions) that will be great for non-technical people too. One of the drawbacks of Linux in the past has been software incompatibility, however much of this no longer applies. Microsoft Office doesn't have a native version but there are good alternatives here. Some media applications (like Adobe's) don't have native versions but there are good alternatives here too.
Use:

  • Uninstall unused apps and extensions.

HTTPS

tl;dr: Mostly automatic but worth knowing about.
What is it: Encryption-in-transit. Someone who has access to your network can see that your device is speaking to 'https://subdomain.example.com', though, notably, they can't see the path. This means that while they might be able to see you're connecting to YouTube, they can't see which video you're watching.
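The hostname leaks because it is sent in clear in the TLS ClientHello's SNI extension (and in the DNS lookup), while the HTTP request line carrying the path only ever travels inside encrypted records. The parser below is an added example, not code from the original post: it reads the server name out of a ClientHello the way a passive observer on the network would. The builder exists only to produce a constructed sample; 'subdomain.example.com' is the page's placeholder name.

```python
import struct
from typing import Optional


def build_client_hello(host: str) -> bytes:
    """Constructed, minimal TLS 1.2 ClientHello record carrying an SNI
    extension. Only the fields the parser needs are meaningful; no real
    client sends exactly these bytes."""
    name = host.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name      # type host_name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (all zeros in this constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """What an on-path observer reads from the first packet of a TLS
    connection: the server name. Returns None for anything that is not a
    ClientHello with an SNI extension. The path of the request is never
    here; it is inside the encrypted application-data records that follow."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9                              # start of the ClientHello body
    p += 2 + 32                        # client_version + random
    p += 1 + record[p]                 # session_id
    cipher_len = struct.unpack_from("!H", record, p)[0]
    p += 2 + cipher_len                # cipher_suites
    p += 1 + record[p]                 # compression_methods
    if p + 2 > len(record):
        return None                    # no extensions block at all
    ext_len = struct.unpack_from("!H", record, p)[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 0x0000:            # server_name extension
            # skip list length (2) and name type (1); read name length (2)
            name_len = struct.unpack_from("!H", record, p + 3)[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("subdomain.example.com")))
```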

Browsers

tl;dr: use Firefox or Orion, disable tracking in settings, use uBlock Origin.
Options: Google Chrome and many off-brand browsers build in tracking. If they have access to their
Settings: Disable telemetry and usage monitoring, switch from Google as the default search engine.
Use:

  • Container tabs sandbox browsing data; it's like having multiple different browsers open. This can be very helpful for privacy, but also for general use (like logging into the same site with different accounts).
  • Decline all non-essential cookies.

Extensions:

  • uBlock Origin. Don't use other ad-block extensions as many of them are owned by ad & tracking companies. There's a grey market where good, useful extensions become popular and are then silently bought out by such companies, who then have access to your browser traffic.
  • Facebook Container & Google Container sandbox FB and G websites in their own containers, which means you can be logged in to your FB & G accounts
    One thing to note is that when you navigate to and away from their sites, Firefox will close the current tab and open a new one, which breaks the browser's back & forward navigation.
  • ClearURLs: strips tracking info from URLs as you browse.

Fingerprinting: almost everything about your computer and browser is made available to websites. I'm a web developer and I cannot, for the life of me, figure out why they hand over so much information about you, but they do. Browsers and OSs like the Mullvad browser
Unfortunately, one of the ways

Search Engines

tl;dr: Don't use Google.
Options: DuckDuckGo is a good free option that you can easily dip back out to Google if needs be. Kagi is a good paid option. It might sound wild to pay for a search engine, but my search engine is one of the most used technologies in my life, which also means their quality and content is vitally important - I like to take care of the streams of information coming into my life, with a preference towards having fewer, higher quality streams. Kagi also offers a lot more than just a simple search engine, and I appreciate some of their efforts.

The Cloud

tl;dr: If you trust them, use independent or self-hosted options.
I host all sorts of services for myself and others including password managers, photo cloud sync, instant messaging, Netflix alternative, etc., which are all open for others to use. Some of them are not as polished as the commercial offerings but, amazingly, some of them are.

Email

tl;dr: Don't use any of the major players like Google or Microsoft. Pay for your email.
Options: Fastmail, Protonmail.
Use:

  • Consider using a native email client like Thunderbird.
    Although still a royal pain to develop for, modern emails are fully-fledged HTML documents, which means they can run the same tracking as any other webpage and so should be treated with the same suspicion. When you use a web app (like Gmail or Fastmail), the email data flows through your email provider and is not loaded directly from the origin. This means that even though you're accessing it through your browser, anti-tracking extensions like uBlock Origin are unable to step in where needed.
    Thunderbird, however, is a native client based on Firefox that fetches and resolves the email content itself. This means you can install uBlock Origin on it, and you can go to Settings > Privacy and disable 'Allow remote content in messages', which gives you the option to manually allow only the remote content an email wants to load that isn't included in the document itself, most commonly mail marketing trackers and media CDNs. You can allow content on an email, sender, or remote domain basis.
    This might sound fiddly and annoying, but most mail doesn't need the content it wants to fetch, and it doesn't take long to permanently configure the content you do want to see. You can also take this white-listing approach in web browsers, but that is more annoying than is worth it for me.
  • These email offerings also come with Calendar and Contacts cloud sync which is preferred to Google, etc.
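To see what 'Allow remote content in messages' actually permits, here is an added example (not from the original post) that lists every resource an HTML email would fetch from the network when rendered and flags 1x1 images, the classic open-tracking pixel. The sample message and the domains in it are constructed; plain links are not listed because a client fetches them only when clicked.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a mail client fetch something over the network as soon
# as the message is rendered.
FETCHED_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                 "link": "href", "video": "src", "audio": "src"}


class RemoteContentScanner(HTMLParser):
    """Collects every remote resource an HTML email would load."""

    def __init__(self):
        super().__init__()
        self.remote = []  # (tag, host, url, looks_like_tracking_pixel)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(FETCHED_ATTRS.get(tag, ""))
        if not url:
            return
        if url.startswith("//"):
            url = "https:" + url          # scheme-relative URLs are still remote
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return                        # data: and cid: content is already in the message
        pixel = tag == "img" and a.get("width") == "1" and a.get("height") == "1"
        self.remote.append((tag, parts.hostname, url, pixel))


def scan_email_html(html: str) -> list:
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.remote


def hosts_needing_approval(html: str) -> list:
    """The per-domain decision Thunderbird asks you to make."""
    return sorted({host for _, host, _, _ in scan_email_html(html)})


# Constructed sample: one 1x1 open-tracking pixel, one real image on a CDN,
# and one inline (cid:) logo that needs no network access.
SAMPLE_EMAIL = """<html><body>
<p>Hi, your order has shipped.</p>
<img src="https://track.mailer.example/open?id=abc123" width="1" height="1" alt="">
<img src="https://cdn.shop.example/images/parcel.jpg" width="300">
<img src="cid:logo@shop.example">
<a href="https://shop.example/orders">View order</a>
</body></html>"""

if __name__ == "__main__":
    for tag, host, url, pixel in scan_email_html(SAMPLE_EMAIL):
        print(f"{tag:6} {host:24} {'tracking pixel' if pixel else '':14} {url}")
```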

Password Manager

tl;dr: Use one.
Options: I run an open-source re-implementation of Bitwarden's backend called Vaultwarden on my infrastructure, as this is arguably the most important service in my digital life and holds > 1000 logins, so I don't trust a private company with this kind of data. Bitwarden is a good commercial option, though.
Use:

  • Check your email address with Have I Been Pwned.
  • Use a unique password for everything.
    • They should all be long (20+ characters) with numbers, letters (upper & lower-case) and symbols. You'll almost never have to type these yourself so it doesn't matter how long and complex they are.
    • Interestingly, if a service has an upper limit on passwords, it's a red flag about their security - password length doesn't matter to them if they're handling it properly. I see this most often with banks.
  • Use in tandem with a mail provider like Fastmail to create a unique email address for everything as well. This makes it harder for you to be tracked between different accounts across the web, protects you when services suffer hacks and data leaks, and gives you control and visibility when one of your email addresses suddenly starts being abused.
  • Set up MFA on every account you use everywhere.
    • Use OTPs for MFA.
    • Emails are good.
    • SMS is bad. Do not use SMS MFA and disable it where you can. SMS cannot be safely used as MFA and is a security risk.
    • Bitwarden will auto-fill these for you as well so it doesn't have to slow you down.
    • Some services appear to force you into using their own apps (e.g. Microsoft with MS Authenticator). You rarely actually need to use these and you shouldn't. MS Authenticator, for example, has had a series of critical issues that lock you out of your accounts, sometimes long-term.
  • Also allows for payment card and identity auto-fill on web forms (like filling out your postal address), and saving secure notes.
  • Supports collaborative (shared) secret vaults.
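Two of the points above in working form, as an added example that is not from the original post: generating the long, full-alphabet passwords a manager fills in for you, and why a length cap is a red flag. A service that hashes passwords properly stores a fixed-size salted digest whatever the input length, so it has no reason to limit it. The iteration count is a constructed demo value.

```python
import hashlib
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SALT_LEN = 16
ITERATIONS = 100_000  # demo value; real services should use considerably more


def generate_password(length: int = 24) -> str:
    """Uniformly random password over the full alphabet. You never type
    these, so length and symbol mix cost you nothing."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work, in bits, for a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def hash_password(password: str, salt: bytes = None) -> bytes:
    """What a service should store: salt || PBKDF2-HMAC-SHA256 digest.
    The result is SALT_LEN + 32 bytes regardless of how long the password
    is, so a service that caps password length is not storing it this way."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, f"{entropy_bits(len(pw)):.0f} bits")
    print(len(hash_password("short")), len(hash_password("x" * 300)))
```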

Payments

Media Consumption

Smart TVs: The reason smart TVs are so cheap is that they phone home with your usage data to sell. Don't connect smart TVs to the internet, instead benefit from the cheap price while plugging in your own means of making it smart.

General

  • Check who and what have access to your services in the site/app settings. WhatsApp & Signal show you other devices currently logged in. Platforms like Facebook, Google or GitHub show you connections and integrations that have previously been allowed. It's easy to set and forget these.

Who is tracking you

Government and the police

I've bunched governments and law enforcement together there. That's not quite fair. The police generally do follow laws for searches because the courts will throw out inadmissible evidence.
Governments operate outside of the law. When I refer to the government, I mean the 3 letter agencies (CIA, FBI, NSA), GCHQ, Five Eyes, PRISM, and their ilk.
There's limited scope in what you can actually do against state-level spying. They can and do force any organisation that has any operations in their jurisdiction to peer with them directly or provide back-doors into their networks. They harvest an amount of data that was frankly unbelievable prior to the Snowden revelations (even though many of us knew it was happening, we didn't know anyone could handle the amount of data that they could, nor the extent) and, even if it's all encrypted now, they are able to sit on it all until such time as that encryption can be cracked (e.g. with quantum computing).

Corporations

Generally web
Remember, if you're not paying for the product, you are the product. You pay with your data, which is then sold on. Google's business model, for example, is not running a search engine; it is an ad company. The search engine is a means to an end. Defenders of the data & attention economies will claim that, say, Google never sells your data. Not only is this not actually true in some cases, but given the way Google's ad auctioneering functions (where they operate as both the sole seller and also the auctioneer themselves), the fact that personal data may not leave their servers does not mean they are not selling your data. I believe this is a deliberate misunderstanding.

Facebook & Google will come up again and again because they have relatively limitless resources and many of the best engineers in the world to build empires around the idea of violating your privacy. Thus, slowing them down means you're often also slowing everyone else doing the same thing too. They also have enormous reach, through both their own products and services and slithering into everyone else's. One such 'innovation' that has come out of both organisations is the tracking 'pixel', which appears on a great many of the sites that pull in resources from FB/G (logins, share buttons, etc.) and which tracks your browsing throughout the web, even when away from their domains. This is where VPNs, uBlock Origin and containerised tabs help.

People

Some additional notes

Trade-offs
Privacy precautions are a convenience trade-off. It is inconvenient to jump through all of these hoops. There are any number of infinitely smaller hoops with gradually smaller returns you can jump through but this is some of what I do to protect my right to privacy and, for me, it's worth the trade-off.
Many people do not want to make this trade-off. Some will even attack your belief that you have a right to privacy with the challenge 'what do you have to hide?' - an insidious and ignorant stance. If nothing else, this simply isn't how rights, nor opinions, work.
The privacy-convenience trade-off is everything in the soft-science of popularising privacy. If you make a service too secure & private, it's a pain to use so no-one (except journalists & those hiding from the CCP) will use it.
Signal has done relatively well to strike a balance in this trade-off. They require a phone number in order to register with them as this is your identity on the platform, however you no longer need to expose your phone number to others as they've added usernames.

Something worth bearing in mind that is tangentially related to trade-offs is that you can go to great lengths to protect yourself, only to have it all undone by other people's own trade-offs. For example, you might resolutely deny services that ask for you to upload your contacts (including your phone's cloud sync), but they don't need you to upload your actual contacts if everyone you know has already uploaded theirs. They have the full social graph already.

Another trade-off you can often make if you don't want to lose the convenience is payment. Kagi is a paid-for search engine. They don't need to sell your data to stay afloat if you're paying them.

Anonymisation
Many entities in the business of tracking will make claims about anonymisation and pseudo-anonymisation. This is not real. It has been repeatedly proven that you can identify individuals' data from 'anonymised' data through patterns.

Privacy and security go hand-in-hand, and so many of the concepts here can be applied directly to security efforts. It's worth bearing in mind that there are always many parties between you and the person you're speaking to. While many of those parties may not have an interest in collecting your data now, this can quickly change.
Total privacy and security are impossible; all efforts are a matter of reducing attack surfaces.

Encryption
Encryption is encoding data such that only those with the right keys can read it and is the reason the internet can be what it is today - the infrastructure that underpins all public networking can be zero-trust. This means that you don't have to trust some random switching equipment half-way round the world that your packets are travelling through because your data is encrypted.
There are 3 categories of encryption. Stating one implies the lack of the others.

  • At-rest: data is encrypted while it is stored on their servers.
  • In-transit: data is encrypted when travelling between you and their servers.
  • E2E: end-to-end encryption is encrypted between you and the person you're sending it to. WhatsApp and Signal, for example, are e2e encrypted and thus have no visibility of the actual body of your messages (Signal actually built WhatsApp's e2e encryption). The historic difference (not to mention WhatsApp's new AI button that offers to upload your messages to Facebook's servers).

Quantum computers will have orders of magnitude more computing power than conventional machines and are a real concern for encryption. However, quantum resistant encryption has been making its way into domestic settings over the past few years, such as in Mullvad.
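The three categories differ only in who holds the key, which is easiest to see by tracing one message from Alice, through a provider's server, to Bob. This added example (not from the original post) models transport keys as the TLS sessions each side has with the server, a disk key as the server's at-rest encryption, and an e2e key that only Alice and Bob know; the cipher is a deliberately simple HMAC-keystream XOR, labelled as a toy, because the point is key possession, not cipher strength.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Unauthenticated and for this illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_stream(key, nonce, data)


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def deliver(message: bytes, e2e: bool) -> dict:
    """Alice -> server -> Bob, reporting who can read the message at each hop."""
    alice_transport, bob_transport = os.urandom(32), os.urandom(32)  # in-transit keys
    server_disk_key = os.urandom(32)                                  # at-rest key
    e2e_key = os.urandom(32)                                          # Alice and Bob only

    payload = toy_encrypt(e2e_key, message) if e2e else message
    on_wire = toy_encrypt(alice_transport, payload)     # what a switch on the path sees
    received = toy_decrypt(alice_transport, on_wire)    # server terminates transport crypto
    stored = toy_encrypt(server_disk_key, received)     # what sits on the server's disk
    forwarded = toy_encrypt(bob_transport, toy_decrypt(server_disk_key, stored))
    at_bob = toy_decrypt(bob_transport, forwarded)
    if e2e:
        at_bob = toy_decrypt(e2e_key, at_bob)
    return {
        "wire_readable": on_wire[NONCE_LEN:] == message,   # network in between
        "server_readable": received == message,            # the provider itself
        "disk_readable": stored[NONCE_LEN:] == message,    # someone holding the disk
        "bob_readable": at_bob == message,
    }


if __name__ == "__main__":
    print("in-transit + at-rest:", deliver(b"hello bob", e2e=False))
    print("end-to-end:          ", deliver(b"hello bob", e2e=True))
```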

Glossary

  • Fingerprinting: Figuring out who a user is based on indicators. Web services (like Google) will do this by capturing your practically unique combinations of traits like: browsing habits, device dimensions/model, location, battery percentage, other installed apps, nearby wifi & bluetooth beacons, contacts. Everything. It's dire.
  • Authentication: Proving a user is who they say they are. The way identity is proven on the core of the web, for example, is by domain ownership (which can thus be atomised further to email ownership).
  • Authorisation: Deciding what a user has access to. This follows the authentication step.
  • Metadata: Any data that is not the body of content itself. This is just as rich in information as the body. A WhatsApp message's metadata, for example, tells Facebook who you're talking to, how much, where from, when, the rough size of your message (text/image/video), and any information that it intentionally leaks about that message, like URLs (for link previews), and much more. Using their social graph, they'll be able to tell who you are and what you're doing speaking to those people. This is another reason why it makes me uncomfortable that my therapist uses WhatsApp.
  • FQDN: Fully Qualified Domain Name, the complete domain string - e.g. 'subdomain.example.com'
  • Domain: Usually the base of a URL, not including the subdomain - e.g. 'example.com'.
  • Subdomain: The label of the FQDN before the domain - e.g. 'subdomain' in 'subdomain.example.com'.
  • Protocol: The language two devices use to speak to each other, for example http:// (HyperText Transfer Protocol) or https://. Email uses smtp:// (Simple Mail Transfer Protocol).
  • CDN: Content Delivery Network. A distributed infrastructure service used by websites to host content that is heavy, infrequently changed, or frequently accessed closer to users.
    For example, let's say you have your main servers in the UK, you host lots of images & videos, and you have users throughout Europe. Using a CDN to host this media means that users in Germany making requests for webpages to your UK servers will be told to fetch images from the CDN servers in Germany, thus reducing load on your servers and speeding up the UX. Cloudflare and Akamai are two of the major players in this space.
  • Cookies: