Safe Browsing

In general

The difficulty of safe browsing depends on what you want to be safe from. If you want to be free from advertisements, you have other criteria for success and failure than somebody who is trying to hide their sexual orientation from their parents or the state.

The following chapters get increasingly privacy focused. We recommend the first sub-chapter, Open traffic and communication, as a general baseline for everyone. Depending on the level of security / privacy you want or need, the later chapters may also be relevant to you.

A recurring theme you will notice: if you have seen a product advertised on YouTube or elsewhere, it is probably something you should avoid.

Open traffic and communication

The first threat level is preventing snooping on your activities. This involves choosing the right browser and applications and only using secure connections.
Most modern browsers actively warn you if you are about to visit a site that doesn't support traffic encryption. The certificates needed to encrypt the traffic can be obtained for free and within a day. If a website doesn't offer encrypted traffic, don't use it.
They don't care about you, so why should you care about them?
If you are sure that the page is well intentioned, email the maintainer and ask them to enable encryption.

Browsers

The following browsers are recommended:

The following browsers are actively not recommended! If you use one of the following browsers we recommend that you switch immediately!

Brave is also the only browser that supports clearing caches when you close the browser. Navigate to settings > privacy > delete browsing data > on exit and select what is important to you.

Secure Messaging

Having your messages delivered confidentially and not used to analyze you is one of your basic rights. And given that you are reading this, it is probably crucial to you right now.

Messaging apps enjoy network effects, same as social media. So it is important that you also advocate for a switch in communication apps, even with people who claim that "they have nothing to hide". We are talking about installing an app, not about sitting in the mud protesting for something for multiple days. The minute required to install it is not too much work.

The following messengers are recommended:

The following messengers are actively not recommended! If you use one of the following messengers we recommend that you switch immediately!

In countries in which encrypted communication is outlawed, you should consider using communication software like Briar.

Apps like Briar use Bluetooth to communicate directly with nearby devices. The message never travels over the mobile network, so the authorities cannot detect it there.

Even if you think that your country won't do that, you should still install services like Briar to help others who rely on them. Again: messaging apps enjoy network effects / economies of scale. The more people participate, the more useful those solutions become.

Email

The following email providers are recommended:

The following email providers are actively not recommended! If you use one of the following email providers we recommend that you switch immediately!

Telemetry

I can't stress this enough. READ. Please read the information that the developer is required to give you.
Nobody likes combing through one EULA and license after the other, but in those documents the manufacturer provides you with the information you need to decide whether this app is safe to use or not.

Think about it this way: if the maintainer didn't do something important with your data, why did they draft an 80-page document instead of one or two paragraphs? The longer the agreement, the more important it becomes to read it.
The worldwide-lgbt-resources project also has a license. Feel free to give it a read. It's only 4 sentences long.

The Play Store from Google and some alternative app stores now also have an information section that gives you a first overview of the data the application collects.
While this information is enough for a quick judgement, it is not sufficient and does not replace reading the agreements that you are signing.

JavaScript

One of the ways people collect increasingly concerning amounts of information about you without notifying you is through scripts embedded in their websites. You can disable scripts in your browser by searching for "Don't allow sites to use JavaScript" in your browser's settings.
You can always re-enable JavaScript on a page-by-page basis if you need to.

Sadly, most interactive pages like YouTube require JavaScript to work properly, but most pages should not, and by actively adding exceptions instead of permitting every site by default, you can increase your browsing security. This page also works without JavaScript. Feel free to try it out.

Now, even Google doesn't work without JavaScript.
Take this as another push to switch to a better search engine.

What information is ok to be collected?

A service should only collect the information that is absolutely crucial to be collected and store it for the shortest duration possible. If you are using a map app, it will need to know your position if you want it to calculate a route. But it should only need to know your location until you are done with your navigation and not continue to collect or store your position data.

Yes, this means that rejecting the cookie banners is important. No, you don't need to share your information with over 100 different vendors in the first place to look at a web page that consists only of text. I know that it is annoying, but it is recommended to reject them as much as possible, even if you are not concerned about your data.

The absolute pinnacle of information trading can be observed on pages like betterhelp.com that have revealed consumers' sensitive data to third parties such as Facebook and Snapchat for advertising after promising to keep such data private.

There is the saying that "if something is free, you are the product". While this is not always true, it should be assumed until proven otherwise!

How apps track you beyond the app

One way they track you is using built-in browsers. Apps like Twitter (now X), Reddit and many more open external links not in your browser, but launch a browser as a child of the application. This enables them to observe your browsing behavior and how you interact with the link you just clicked.

A step in the right direction was made by Bluesky. They now prompt you and ask for your preferred way of opening external links. This shows that it is not a technical limitation that makes other apps use an embedded browser instead of relinquishing control.

Another way is through cookies and referral URLs. Cookies are just small text documents that apps can save in your browser. They can also be transmitted as part of a message to the server. So, when you click a link inside an app, they can attach a cookie with your information to be delivered to the web page.

Referral URLs achieve the same thing in a simpler way. This explanation will get somewhat technical, but it will be easy. I promise.

Let's take a look at the following URL: https://www.google.de/search?q=cat%20picture
The URL consists of multiple parts:
https is the protocol.
www.google.de is the domain, the name of the website that we are visiting.
search is the name of the sub-page.
? signals that what follows are parameters for the server.
q=cat%20picture is one parameter. Here the parameter q (short for query) is set (=) to cat%20picture, where %20 is the encoded form of a space.

Developers can attach parameters to a URL instead of relying on cookies. Encoding the information into the link is quicker and easier.

When you now click on external links in an app, many apps attach more information about you in the URLs that you click.

This is why you should try to remove such tracking extensions from links whenever possible. An easy first step you can try is to remove everything behind the "?". Most URLs will work fine even if you remove the things behind it.
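The URL breakdown and the "remove everything behind the ?" trick above, as an added example in Python (this is not code from the original guide). It takes a URL apart into the parts just described, offers the blunt strip-everything step, and a gentler variant that removes only known tracking parameters so that needed ones, like the search query, survive. The list of tracking parameter names is a constructed sample; extend it for the links you actually receive.

```python
# Added example for this guide (not part of the original page): take a URL
# apart the way the text describes, and strip the tracking parameters that
# apps attach to links.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of parameter names that only serve tracking. "utm_*"
# (marketing campaign tags) is matched by prefix in strip_tracking().
TRACKING_PARAMS = {"fbclid", "gclid", "igshid", "ref", "ref_src", "ref_url", "mc_eid"}


def describe_url(url: str) -> dict:
    """Split a URL into the parts explained in the text."""
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme,
        "domain": parts.netloc,
        "sub-page": parts.path,
        # parse_qsl decodes percent-encoding, so %20 becomes a space
        "parameters": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def strip_all_params(url: str) -> str:
    """The blunt first step from the text: drop everything behind the '?'."""
    return url.split("?", 1)[0]


def strip_tracking(url: str, keep: tuple = ()) -> str:
    """Drop only known tracking parameters and keep the rest.

    Parameters the page actually needs (such as the search query q=) survive,
    so the link keeps working. Names listed in `keep` are never removed.
    """
    parts = urlsplit(url)
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        is_tracker = name.startswith("utm_") or name in TRACKING_PARAMS
        if is_tracker and name not in keep:
            continue
        kept.append((name, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


if __name__ == "__main__":
    # constructed sample link of the kind an app hands to the browser
    link = "https://example.org/article/42?id=42&utm_source=someapp&fbclid=AbC123"
    print(describe_url("https://www.google.de/search?q=cat%20picture"))
    print(strip_all_params(link))   # https://example.org/article/42
    print(strip_tracking(link))     # https://example.org/article/42?id=42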

Search Engines

The following search engines are recommended:

The following search engines are actively not recommended! If you use one of the following search engines we recommend that you switch immediately!

Traffic in general

The first sub-chapter was just general good practice and advice and also forms the basis for any further actions. This chapter will be relevant if you need to hide your web traffic in general. If you have an unsupportive family or live in a country where you might face harassment for who you are, the following steps are for you.

Local vs Online protection

There are two fields you need to worry about. The first one is the device or local level. This includes your browsing history, your installed applications, your saved images and the like. The second field is your traffic: with whom are you (digitally) communicating, and when. This is the online level. Please be careful about both of them. This chapter focuses only on online measures; the next chapter focuses on offline measures.

Pages like translifeline.org offer a "quick exit button". Features like this operate on the local level. While such features are effective against shoulder surfing (people observing your screen from behind), they are ineffective on the online level.

Tor

The problem with normal browsers is that they hide what you are doing on the web, but not where you are doing it. If you are on this page, your family, government, internet provider, and potentially more know that you visited this page. This is not desirable if you want to hide that you are part of the LGBT community for example.

From this point onward the only browser recommended for private use is the Tor Browser. Tor automatically reroutes your requests through a set of intermediary points to hide where and who made the request. It was specifically developed for situations like this.

You can use your normal browser normally, but if you suspect that you might do something that could pique unwanted interest, do it in Tor.

But my VPN...

Using a VPN is not bad in general. But VPNs are not privacy-focused products in themselves. What you are doing is shifting the party you must trust: do you trust your internet service provider or the VPN company more? VPNs also have limitations that make them unsuitable as a replacement for Tor. But even ignoring that:
A good VPN is expensive and you need to pay for it somehow. This leaves a money trail. Additionally, the traffic is only "hidden": instead of "google.com", observers now see "snakeoil-vpn.com". The very people you don't want to know that you have something to keep private now learn that there must be something you want to keep private, which attracts unwanted attention.

And no, any VPN you see advertised on regular media, like YouTube, is not a good VPN.

The best free VPNs are:

Operating System

But traffic is also generated when you simply work on your computer. Your operating system talks to remote locations all the time. It has full knowledge of what you are doing: every file on your hard drive, every program you have installed. This is why it is important that the operating system is trustworthy.

The following operating systems are recommended:

The following operating systems are actively not recommended! If you use one of the following operating systems we recommend that you switch immediately!

On your desktop you browse the web, move some data around on your disks, or write something for your job. All those things are equally well supported on all operating systems. The only major difference is the look of the applications, not the functionality. There is no reason not to switch, especially if you are an Apple user: Mac and Linux share a common ancestor and behave similarly.

If you are a Windows user, the switch will also not be as hard as you think. You will be pleasantly surprised by the removal of all the nuisances that Microsoft has introduced in recent years.
You already have a phone, so you have already learned another operating system. One more will be just as easy.

Mobile phones, meanwhile, are just that: phones. As long as you can make calls, write messages, take photos, search the internet, and navigate, the basics are covered. Everything else is a bonus and already possible with those few features. Privacy-focused operating systems for phones like Graphene provide all of that without problem. There may be some new things to get used to, but you can customize many aspects if you would rather have your Android behave like iOS or something else entirely.

Compromise

But what if you think you are "safe", whatever you take that to mean? Is there a way to trade some privacy, and the safety that comes with it, for comfort and less effort? The following are some options.

Compromise on Windows

There are kits to clean up your Windows settings so that they don't push unwanted quantities of personal data to Microsoft's data centers. The by far best de-Microsoft tools are from Chris Titus.

These tools can remove some telemetry, but at the end of the day you are still using Microsoft products. There is also no guarantee that everything continues to work after modifying your Windows installation. Such scripts are community-compiled and maintained and not officially endorsed by Microsoft. If Microsoft endorsed such options, they would simply make them the default in their next update.

Compromise on Android

The ability to compromise on Android heavily depends on your device and the Android modification that you are running. Many vendors ship their own version of Android with their phones.

If you are using a device from a manufacturer you can trust, you can try to factory reset your device and then set up all your accounts without using Google. This is very tedious and requires a lot of clicking "no".

Afterwards you can download an alternative app store from the internet, like F-Droid, which replaces the Play Store, or Aurora, which lets you use the Play Store with a temporary account or no account at all.

From there on you can install the apps that you need and want. A list of common apps might be:

Compromise on iOS

No, there isn't an acceptable way to compromise. BUT: if you are stuck on your device, make the best of it.

OSINT and Social Media

There has rarely been a bigger personal data distribution method than social media. If you are concerned about your safety, don't do social media. Stay away from it as far as possible.

Sadly, a lot of interaction happens over social media, and some have replaced their independent news feeds with those inside the walled gardens of social media. For those who need a form of social media for communication, information gathering and the like, the following guidelines apply. For everyone who just uses social media to share memes: you can live without it. The risk is simply not worth the reward for you.

The following social networks are preferred:

The following social networks are actively not recommended! If you use one of the following social networks we recommend that you switch immediately!

If you need to help others consider a switch to alternative social media platforms, remind them that the "Meta" group has stated that it's ok to call women "household objects" and queer persons "mentally ill".

I recognize that platforms like LinkedIn and Discord have become an integral part in organization, contact holding, and work.

If you need those platforms for the above reasons, try to access them through secure connections only and engage with them as little as possible.

Discord servers are public and direct messages are not encrypted. Don't discuss sensitive topics over Discord!

Open Source Intelligence

"Open Source Intelligence" (OSINT) is a form of information gathering that consists of reading information that the target has published publicly about itself. Many companies allow you to make a call or send an email to reset passwords or alter information. The more information an attacker has about their target, the easier it becomes to deceive the people on the other end of the line.

With that in mind, you hopefully now understand the intersection of safety and privacy: the more information about yourself you publish, the more susceptible to those kinds of attacks you become.

Hence, don't use a loved one's birthday as a PIN. Don't use your favorite musician's name as a password. That kind of information is too easily obtainable.

To add insult to injury, recent advances in generative artificial intelligence open new attack vectors using public data: videos of you can train a deepfake, voice recordings of you can train a voice changer, and an image model plus a bit of Photoshop can generate believable photos. Impersonating you based on your public data is getting easier. There is only one reliable way of combating this: publish less!

Local Security

View protection foil

There is protective foil for screens that blocks shoulder surfing. It blocks the view onto your screen from steep angles. This makes it hard or impossible for the relative next to you to look at your screen without you noticing.

Passwords and Pins

The usual password guidance applies here also:

The list for PINs is a lot shorter: PINs should be random. So please stop using the birthdays of your loved ones as PINs.

You should avoid other forms of authentication as much as possible: no fingerprints, no face recognition, no location-based unlocking, no swipe patterns. They are all much less secure than a good password or PIN with aggressive retry locking.

Your retry policy should be adequately strict. At the very least you should be notified over a second channel that an unlock attempt failed.

Another thing you should enable for everything that supports it is two-factor authentication. There are multiple two-factor apps you can install. What isn't a viable second factor is SMS. You want to receive the code over a secure channel, and SMS isn't secure. Most email isn't either. Avoid them as second factors wherever possible.

Now that you have passwords and PINs, secure everything with them. One thing I rarely see protected with a password is the BIOS. If you put a password on it, it becomes harder to get to the data on your computer. It isn't a substitute for hardware encryption, but it is a good addition.

If you are lucky enough to have a person you can trust with your most important things, you can write down your master PIN and master password and put them in a view-proof envelope. Write a small message on it like "for emergencies" and sign it. Then hand the envelope to them. This is useful in case of death, disappearance, kidnapping ... since they will "inherit" your online accounts. (Passwords are not going away, Per Thorsheim, NDC Security 2022)

Two Factor

Enable two-factor authentication on every application that supports it, NOW. Two-factor authentication significantly reduces the chances of being compromised. The idea behind it is that you now need two devices to log into an account. Yes, this is less convenient. But it also means that people can't log into the email on your PC if they don't have your phone. They can't get access to your accounts without also having a second one of your devices.

And this also increases your resilience against honest mistakes. If a company has a data breach and leaks your password, people still can't log into your accounts, since they will also need your second factor.

You also don't want to hand those important tokens to any company that is already listed on this site as bad.

Browser Settings

Enable the following settings in your browser if possible:

Bonus Tip: Did you know you can customize the font your browser uses by default? This can be helpful if you have trouble reading the default font.

Privacy through obscurity

While security through obscurity is a very bad idea, you can make it harder to get to your private stuff through some basic measures.

Many Android versions have the ability to create multiple accounts on the same device. Use it and create a "public" and a "private" account on your phone. As mentioned previously, don't link the private account to a Google account!

Another feature many phones have is the ability to hide apps and files on the device. This introduces another step a physical "attacker" will have to clear to find them.

Continuing the theme of hiding, hide everything from your lock screen. The lock screen on any device should be clean and not expose more than a password field. Don't leak your messages through the lock screen!

Off the grid

But what if you are in a precarious situation? You want to be an activist, or you live in a place that gets more dangerous by the day. Then you need to consider more extreme measures. The following chapters give some initial pointers, but they don't substitute for actual advice from other hacktivists in your area. Go and talk with hacktivists in your area!

Tails

Tails is an operating system used by activists and journalists: it automatically resets itself on every shutdown, and it fits on and boots from a USB stick. This portability lets you work from anywhere in a safe environment. The Tor Browser is installed by default, for example.

Truly offline

If you need to be off the grid, going offline is probably the easiest way to do so. There are two ways of going offline: taking out the batteries and putting the device in a faraday bag.

You can only take the batteries out of something that was designed for it. If your laptop or smartphone has an integrated battery, that is not possible. Luckily, this trend seems to be slowly reversing. For now, the Fairphone and the Framework laptops seem to be good options for doing so easily and quickly.

In case you can't do that, the next best thing is putting the devices in a Faraday bag. The bag isolates the device from any network. When meeting up with people who you know have laxer safety/privacy requirements than you have, ask them kindly to put their devices in those bags when you meet them. Even better would be if they left those devices at home entirely.

A problem with Faraday bags is that they only cut off the network. A device could continue to record video or audio and send the gathered data once it is connected to the internet again.

Second hand infection

Another attack channel is other people. Malware can be hidden in or attached to otherwise legitimate files. Once the files are opened, the malware spreads to your system.

This is why it is advisable to have two systems: one for testing and one real one. If you want to download something or get handed a USB stick, you can test the files on the test system. This system should have a suite of forensic tools with which you can inspect the files before transferring them to your main system.
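One kind of check you would run on the test system, as an added Python example (not code from the original guide, and not a replacement for a real forensic suite): record the file's SHA-256 so it can be compared against a checksum the sender or publisher gives you, and read the file's real type from its first bytes to compare it with the type the file name claims. A "document" that is really an executable, or a name with a chained extension like invoice.pdf.exe, is flagged. The signature table and the sample files are constructed for this example.

```python
# Added example (not from the original guide): a first inspection of a
# received file on the test system. Records the SHA-256 and compares the
# real type (from the leading "magic bytes") with the type the name claims.
import hashlib
import sys
from pathlib import Path

# Constructed subset of well-known file signatures; real tools know thousands.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"PK\x03\x04", "zip"),     # also docx/xlsx/pptx/apk/jar containers
    (b"MZ", "exe"),             # Windows executables and DLLs
    (b"\x7fELF", "elf"),        # Linux/Android native executables
]

# Name extensions that are consistent with each detected type.
CONSISTENT = {
    "pdf": {"pdf"},
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "gif": {"gif"},
    "zip": {"zip", "docx", "xlsx", "pptx", "odt", "apk", "jar"},
    "exe": {"exe", "dll", "scr"},
    "elf": {"", "so", "bin"},
}
EXECUTABLE = {"exe", "elf"}


def sniff_type(head: bytes):
    """Return the detected type name, or None if no known signature matches."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def inspect_bytes(name: str, data: bytes) -> dict:
    """Build a small report for a file's name and content."""
    path = Path(name)
    claimed = path.suffix.lower().lstrip(".")
    detected = sniff_type(data[:16])
    # Content says one thing, the name says another: classic disguise.
    mismatch = detected is not None and claimed not in CONSISTENT[detected]
    # "invoice.pdf.exe": the real extension hides behind a harmless-looking one
    # when the file manager hides known extensions.
    double_ext = len(path.suffixes) > 1
    executable = detected in EXECUTABLE
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "claimed": claimed,
        "detected": detected,
        "executable": executable,
        "suspicious": mismatch or (executable and double_ext),
    }


def inspect_file(path: str) -> dict:
    """Read a file from disk and report on it."""
    return inspect_bytes(Path(path).name, Path(path).read_bytes())


if __name__ == "__main__":
    # Constructed samples: a "PDF" that is really a Windows executable, and a real PNG.
    samples = {
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,
    }
    for name, data in samples.items():
        print(inspect_bytes(name, data))
    for arg in sys.argv[1:]:            # or pass real paths on the command line
        print(inspect_file(arg))
```

Run it with file paths as arguments to inspect real files; without arguments it reports on the two constructed samples. A report with "suspicious": True means the file should not leave the test system until you understand why its content and its name disagree.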

Want to add something here? Contact Pongo under worldwidelgbtresources@gmail.com
Technical difficulties? Contact Add on Discord (add_gaming) or Twitter!
Found a mistake? Let us know via email.

Disclaimer:
This advice is based on our lived experience, we are not doctors/therapists/lawyers/experts. Any products/companies are just suggestions. Please use your own discretion and research with any advice listed. Always seek the advice of your qualified health care provider regarding any medical questions.