What are the Best privacy software & practises for everyone?

If possible, use DNS over TLS (DoT), if not then DNS over HTTPS (DoH). DoT is fast and offers several advantages. Modern Android operating systems and home routers offer DoT. DoH should only be set for web browsers if no system-wide configuration of DoT is possible.

When combining VPN and non-default DNS: In general, it can be said that you are often more anonymous if you use the standard DNS of the VPN provider, because since almost all users use the standard setting, your own traffic (or your own surfing behavior) is mixed with the mass of VPN-users.

Security is more important than privacy. I myself usually use Quad9 DNS, even via VPN, as the security gain is more important than the possibility of standing out from the mass of default setting users.

Advertising, malware and trackers are easily blocked at the DNS level if you use the Mullvad DNS resolver base.dns.mullvad.net (194.242.2.4 / 2a07:e340::4). Mullvad also offers other DNS versions, e.g. with blocking of gambling and social media. I am not adding them here. Mullvad also operates the DNS servers in RAM, i.e. without hard disks, and also makes a very strong data protection promise. If you simply want to do something good, you should set up base.dns.mullvad.net with friends and family, ideally for the entire home network in the router. For me personally, Quad9 DNS is still the first choice, I block ads/trackers or other things locally, depending on my needs.

And this also brings me to the web browser. Every Android device should have the DuckDuckGo browser installed with “app tracking protection” enabled. This browser is more than just a browser, because once this function is activated, it protects the entire Android device from trackers that are integrated in all kinds of apps. This excellent DuckDuckGo browser is also available or planned for other operating systems.

VPN: ProtonVPN (Switzerland)
Browser setting: HTTPS only
Browser addons:
JShelter https://jshelter.org
Decentraleyes https://decentraleyes.org/

Install Firefox only if desired, but follow the other recommendations even if Firefox is not wanted! Example: Your wife uses a different web browser. You can of course let her continue to use it, but still carry out the other recommendations here for her device. For example, install the browser add-ons mentioned and adjust the DNS.

Messenger: SimpleXchat is decentralized and can be used without registration/phone number. Users connect with each other or join a group via an invitation link or QR code.

Desktop operating system: Whonix
Android devices: eOS

Install Quad9DNS App if the private DNS mode is not supported (for older devices, on iOS) or if the manual entry of DNS addresses is too complicated (for the mostly ignorant user)

2 Likes

**Desktop operating systems**
In this day and age, unless you are doing anything very very specific, e.g. that requires a specific OS, then I would automatically go with any number of modern GNU/Linux desktop setups. I even installed Fedora on my 72 year old mother’s desktop. I personally have Tuxedo OS 2 running out of convenience and couldn’t be happier with it (3 years now).
I won’t go too far into it though, b/c there are certainly people here with far more insights than what I have to offer.

**Web browsers**
This is where it gets more interesting. I keep one version of Firefox (Librewolf) running as my daily driver, but if I ever encounter a site that it breaks due to my settings, but want/need to access it, then I jump over to Brave (Opera is fine, as well).

**VPNs (Virtual Private Networks)**
A dime a dozen nowadays. However, for all of my desktops and notebooks, I have Safing’s Portmaster with their "S"PN network activated in the background. It’s open source, an absolute powerhouse for network transparency, protection and centralized monitoring of bi-directional connection/data flows - making it easier than ever to control the connection abilities of individual apps.
For mobile devices, I just use Protonmail’s basic VPN connection services.
(I wanted to like Mysterium Dark, but they seem to be shifting to a new/different service style that I haven’t become too familiar with, yet)

Email software and services
I had been a dedicated user of Skiff Mail (*which I found through unstoppable domains), but since they are closing down their services in the near future, I migrated to ProtonMail.

Office software and services

LibreOffice all day long

Productivity software and services
Notesnook is my be all, end all for organization and information storage. I had enough of Evernote and the new revamp dropped Linux support, while the webapp completely left off the main features.
I have been with Notesnook for a long time now (even writing this using it) and I scan all important mail/documents here, it is open source and has a robust development team behind it.
It is still an unsung hero, but is supported on ALL platforms, both desktops and mobile.

I am also a fan of Aegis authenticator app for non-token 2FA

Payment & financial software and services
I haven’t found an adequate solution for this since switching to /e/. I use the bank services/authentication apps + services, which is nice and fine; but I haven’t yet found an adequate solution for nft payments when in stores/restaurants after ditching google services…

Cloud storage options
Nextcloud - or Murena Cloud (which is the same thing under a different name, but without the admin panel)

Enhanced privacy settings for commercial Android or iOS devices

Password managers
Bitwarden

DNS (Domain Name System) services
I’ve been using nextDNS for a while now and it seems to be doing well.
I’m not an expert in this area, so I can’t be certain, but like I said, so far, so good.

Good practises for everyone
Regularly read updates and sources for best practices. Spend a little time every couple of months to reflect and review how you are connecting to different services. Draw it out, look at the individual points where data is exchanged or handed-off to a third party service.
Review where and how you have online accounts - does your password manager include a service for monitoring data breaches at the site of the account? Do you receive updates about changing passwords?
How is your browser set up? Does it block trackers? Does it automatically regularly “really” delete cookies/cache?

1 Like

Hi @Acilius

Thank you for sharing, since that is something new to me (well, not a surprise, in many topics discussed in forum, I must admit).

I need to dig more into that … any useful resource (apart from their website) to understand better how that works compared to other solutions?

Thank you in advance

1 Like

Most of this is of course very subjective, so this is a mixture of things that work for myself and what works for people I know who are not very tech savvy.

Of course the only real answer these days is Linux. I found most Windows and Mac users can find their way around Linux Mint right away. The only thing where it can cause trouble is when you try to do a distribution upgrade to a new major version. Otherwise it seems stable and easier to use for many people than to go from one Windows version to the next. Commercial software support is the biggest issue of course and the reason why I still have to work with other platforms. Not an issue for a regular home or small office user though.

Haiku is an interesting open source OS that started as a re-implementation of BeOS, but it’s improving slowly and steadily with more and more modern features added. For now I’d say it’s useful especially for old computers. How well it can work as a daily use OS depends a lot on the individual’s requirements, but it’s getting better with each release. They even have Wine working now.

My recommendation is Firefox/LibreWolf/Fennec with uBlock Origin, LocalCDN and ClearURLs add-ons for now.

Just don’t use Google Chrome and especially don’t log in with a Google account …

I personally don’t use one right now (aside from my own VPN for connecting to my home network), but Mullvad seems to be the general consensus as the best option.

Thunderbird has been working well for me since they added built-in CardDAV support. K9 (including Murena’s fork) works well on Android. On iOS and macOS, the Apple Mail client works well, too.

I’m using the mail server of my web hosting package, so I can’t make good recommendations for a service provider.

Generally, I avoid e-mail where possible since current mail clients make encryption like S-MIME so cumbersome that it’s difficult to justify, especially if it has to work across platforms and clients.

If possible, just use local software. LibreOffice is of course a common recommendation, but I’m also using Softmaker FreeOffice since it is available on all major platforms, has excellent MS Office compatibility and launches much faster than LibreOffice. It’s not open source but doesn’t have any tracking. Features are a bit limited of course, but fine for what most people use. There is a paid version with more features, too, that occasionally goes on sale.

Several people I installed this for didn’t even notice and just assumed it was Microsoft Office, so the learning curve is not very steep.

On Apple platforms, I quite like Apple’s Numbers, Pages and Keynote, using local files only, no iCloud sync. I quite like the concept of Numbers that doesn’t use an infinite sheet of cells but tables that can have header and footer rows and can be freely arranged.

Serif with their Affinity suite have a good alternative to Adobe’s creative cloud. It is available as one-time purchase. Their programs don’t have any telemetry or background processes and work on both Windows and macOS, but not in Wine. They also have fully-featured iPad versions, unlike Adobe.

They are still comparatively new on the market, so Adobe still has some more specialized features and enterprise workflows for large magazines and such, but for the majority of people, they can already replace the Adobe suite as a professional tool.

I use MoneyMoney on an old Mac for banking. Great software, no telemetry, also good support for old OS versions.

As for privacy friendly payments, I’m putting high hopes into the digital Euro project. Otherwise, as a casual user, Apple Pay is probably the lesser evil among the digital payment options as far as I know. I just use cash where I can.

Synology NAS for me. Works great and they support their devices with updates for a very long time, with a VPN through my router for remote access. Support has been extremely helpful whenever there were any problems, including getting me spare parts for relatively old devices.

It can also be used to sync contacts and calendars.

Casual users may need a bit of help to set this up, though.

Don’t bother with cloud storage. If your phone accidentally syncs a harmless photo of your naked newborn or if the provider discontinues the service or has a fire in a datacenter, or if there is a sync error, all your family photos could be gone forever. Moreover, your data could be stolen, analyzed, sold, or used to train AI, or all of them.

Remember that you are responsible for your own backups, whether you store locally or in the cloud. Assume that either can be gone in an instant.

Aside from running something like /e/, Graphene or LineageOS instead of a stock Android, never logging in with a Google account and using TrackerControl is something pretty much any user can do. Using an alternate browser like Fennec with an ad blocker like uBlock Origin instead of a vendor browser that sends your browsing history to China is a must, too.

Using TrackerControl, you can take internet access away from apps that don’t need it, such as scan apps for example. Or your public transport app while you’re not using it. On iOS, use Organic Maps or Apple Maps instead of Google Maps. If you need to look up reviews, use the browser.

On Android, you can use NewPipe, Organic Maps, K9 with a trustworthy mail provider, Aurora Store/F-Droid and so on instead of the corresponding Google apps.

Remove bloatware apps, since Facebook etc. connect to the internet and send data even if you never even launched them.

For iOS/iPadOS, disabling access to the Ad ID, installing an ad blocker for Safari like AdGuard and a firewall like Lockdown Apps is among the most basic things even a novice user can do.

Also, on any system, keep off location services when you don’t need them. Don’t install spyware like Instagram, TikTok etc., use the browser version in incognito mode if you must. If you install them anyway, at least revoke permissions while you’re not using them, i.e. only grant camera and microphone access while you actually need it in those apps, even if it’s a bit inconvenient. Don’t give them background permissions.

Use Signal instead of WhatsApp. Even if you can’t get away from WhatsApp, get Signal because it might allow 10 of your friends to get away without WhatsApp. It’s not perfect, but unlike other options, it’s widely used.

KeePass XC on Desktop and KeePassium for iOS/iPadOS work well for me with a database on a NAS. On Android, this is more annoying since the regular file system doesn’t have access to SMB shares like the Files app on Apple devices. I haven’t invested the time to find a better solution yet, so other people here probably have better suggestions like Bitwarden.

If a company whose products or services you use doesn’t offer a privacy friendly option, complain to them.

3 Likes

I would also like to add that nowadays many services work via e-mail registrations. You can prevent those free offers, which are financed by advertising, from drawing parallels about which other services you use with this email address. The best way to do this is to use the service https://relay.firefox.com, which creates random e-mail addresses for you, which you can then use to register with all kinds of services. You can also simply block all emails that come from certain services. But more importantly: your personal main email remains hidden.

If you use the social network Facebook, that is known to violate your privacy and exploit and sell your personal habits and behavior, then you can protect yourself a bit by using the Firefox addon facebook-container: https://addons.mozilla.org/en-US/firefox/addon/facebook-container/

Fina.Cash is a relatively private payment method. It is based on the blockchain, which supports private Smartcontracts. But the Prepaid Card provider is still Visa: https://fina.cash/ It should be possible to charge with the privacy-protecting sSCRT. Perhaps Murena will also be able to accept private currencies such as SecretNetwork and XMR Monero for payments in the future?

> nanabanaman: mail clients make encryption like S-MIME so cumbersome that it’s difficult to justify

For e-mail, I would recommend Posteo, where almost everything is done correctly. For example, you can activate DANE and automatically reject insecurely encrypted emails and activate automatic notifications in these individual cases. There are also very nice descriptions, as in the case of S-Mime: https://posteo.de/en/help/how-do-i-create-and-use-an-smime-key-pair

> nanabanaman: get Signal because it might allow 10 of your friend

That’s a great aspect, thank you very much. You can also use signal alternatives:

3 Likes

Annoying tracking URLs:

  • URLSanitizer (A simple tool to get rid of all those annoying tracking GET query from URLs.)

  • URLCheck (Allows you to parse (or share) URLs before opening them.)

  • Léon – The URL Cleaner (Removes tracking & other redundant parameters from web links for sharing)
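
What the URL cleaners listed above do, as an added example that is not part of the original post and not code from any of those apps: a query-parameter stripper in Python. The blocklist (`utm_*`, `fbclid`, `gclid` and similar) and the `example` URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote_plus

# Assumed blocklist (not from the thread): commonly seen tracking parameters.
TRACKING_EXACT = {"fbclid", "gclid", "dclid", "msclkid", "mc_eid", "igshid", "yclid"}
TRACKING_PREFIXES = ("utm_",)


def is_tracking(name: str) -> bool:
    """Match case-insensitively, after percent-decoding the parameter name."""
    key = unquote_plus(name).lower()
    return key in TRACKING_EXACT or key.startswith(TRACKING_PREFIXES)


def clean_url(url: str) -> tuple[str, list[str]]:
    """Return (cleaned_url, removed_parameter_names)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return url, []  # leave mailto:, intent: and other schemes untouched
    kept, removed = [], []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name = pair.split("=", 1)[0]
        if is_tracking(name):
            removed.append(unquote_plus(name))
        else:
            kept.append(pair)  # raw pair kept as-is, so nothing is re-encoded
    # An empty query makes urlunsplit drop the "?"; the fragment is preserved.
    return urlunsplit(parts._replace(query="&".join(kept))), removed


if __name__ == "__main__":
    # Constructed sample links, not taken from the thread.
    samples = [
        "https://shop.example/item?id=42&utm_source=newsletter&fbclid=AbC123&q=a%20b#reviews",
        "https://news.example/story?UTM_Campaign=x&gclid=1",
        "https://a.example/?%75tm_source=x&page=2",
    ]
    for link in samples:
        cleaned, dropped = clean_url(link)
        print(f"{cleaned}  (removed: {', '.join(dropped) or 'nothing'})")
```

A fixed blocklist only catches parameters it knows about; identifiers embedded in the path or in a redirect wrapper pass through unchanged.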

Hi @sonyxa2
I’ve never seen/found anything similar to it before. It is a true decentralized VPN, which is what the modern purpose of a VPN really is about. The original purpose of a VPN was to build a secure tunnel to a server/local network from a remote location. Today, while that purpose still exists in some instances, the most common purpose is for privacy and security. However, since the technology hasn’t really changed too much, all it is doing is moving the exit of the signal from the ISP to the operator or the VPN node. Therefore, instead of the ISP monitoring and selling the user data, it is potentially the node/VPN operator. Several well known VPN operators have already been caught doing this.
By distributing the signals as Safing has done, a Node operator could potentially monitor a single exit point, but since there are usually between 15-30 exit points simultaneously in place (depending on the level of activity), they would only be able to glean a sliver of the activity, if at all.
I don’t have any specific resources that I could recommend other than, like you said, their own website or e.g. forum discussions and the like. The SPN function is available through the subscription while the Portmaster function is free (and also extremely useful).
Hope this helps a little, sorry that I can’t offer more.
Cheers
Acilius

2 Likes

I have read somewhere on the Internet that it is also good practice to set airplane mode or restart the phone about every 12 - 24 hours for 1 or 2 minutes to stop possible outside connections, for privacy.
