Home - Karegohan-And-Kamehameha/privacyguide GitHub Wiki

Introduction

This is a guide about privacy on the internet, it covers some advanced topics and technical details involving operating systems, web browsers, virtual private networks and other areas that involve privacy. Its target audience are people who already have a firm understanding of the basics of privacy and the terminology involved; it is not a privacy guide for beginners and was never intended as such. There are many great beginners privacy guides out there, for example The Crypto Paper by Seb. If you are a beginner wanting to get involved with privacy, security and crypto, read that. For more in-depth theoretical knowledge on the subject take a look at the Lectures section of the useful links in this guide, those are some really good lectures that can help you understand the theory behind the technologies involved. There are also many articles and guides on certain niche topics, such as removing spyware from Windows 7 and optimizing Open VPN, this guide does not aim to repeat all of the information in them, but rather provides links to those source of knowledge in the correct context, chaining them all together for a more holistic understanding of the problem.

Threat model

The threat model used for this guide assumes a medium to high threat level. The methods described in the guide are enough to prevent companies from tracking you, to stop your ISP from snooping on your traffic, and to make it fairly hard (but not impossible) for government agencies to link you to your online activities. Basically, it is going to be enough of a headache for them to not bother with you for DMCA violations and other misdemeanors, but not enough to hide something highly illegal − that would require a completely different level of security, such as using Tails.

It is also important to understand, that while the methods described in the guide are helpful in protecting one's privacy, they are no magic bullet. The amount of publicly known information about you is always going to be more or equal to the amount of information that you have ever publicly revealed about yourself. This is just common sense, which seems to be less than common these days. If you have a Facebook page with your real name and your nickname or e-mail visible to the public, then all your activities on the internet associated with these data are also going to be known to anyone interested. Obviously, this is not exclusive to Facebook, but true for all other public pages, and even some private ones, which are still crawled by search engine bots.

Whenever you upload any kind of information to the internet, assume the worst, that way if the worst comes to pass, it is not going to take you by surprise. If you upload data that you have not personally locally encrypted using a strong cipher with a good password to a cloud service, assume they will be leaked − do not upload sensitive information without solid encryption. If you discuss something on the phone, via unencrypted e-mail, in social media private chats, or in any proprietary IM programs, assume the government is listening − do not discuss anything they might be interested in over these channels. When you register with a service or website, assume it will be pwned − never reuse passwords. This line of thought may seem a bit paranoid, but it will keep you safe(-ish).

Fingerprinting

Many of the browser addons, settings, and even VPN configuration options in this guide exist for the sole purpose of preventing adversaries from easily fingerprinting you online, however the harsh truth is that unless you use a privacy oriented live CD OS like Tails or single use "burner" virtual machines with varying configurations of OS and browser that are always routed through Tor, a skilled adversary that is after you specifically will likely always be able to fingerprint you. This happens because there are simply too many ways a system can be fingerprinted. For example, the Firefox Resource fingerprinting method is currently resistant to all forms of spoofing short of rotating independent browser setups. Luckily, due to our threat model, most of us are not facing such adversaries, instead all we need to do is to prevent much lesser threats, such as automated tracking systems used by advertising companies and social networks. For doing this we do not require perfect protection against every possible fingerprinting method. Instead, all we need is to achieve a high enough ratio of noise to signal in order to set such methods off the track, tricking them into creating multiple fingerprint profiles of us and not just one. This can be achieved relatively easily by automatically rotating profiles in Random Agent Spoofer and switching VPN servers every once in a while, as well as disabling some additional technologies that can help fingerprint you, which are described in more detail in other sections of this guide.

Contributions

If you find this guide lacking in any aspect, please suggest your contributions via the issue tracker of this repository. For a contribution to be accepted it has to include justification of the suggested changes along with solid evidence in favor of your case. For example, if you are suggesting an additional setting change for Waterfox, it has to include the specifics of how the default setting threatens privacy and proof that changing the setting to the suggested value is not going to break any important functionality of the browser.
For all other feedback and in case of questions do not hesitate to e-mail me or contact me on Reddit.
PGP Key