Do-It-Yourself Online Privacy/Safety Guide

This online safety guide was written for people concerned about being tracked and stalked online. It's a good resource.

Posted on February 8, 2017 at 1:20 PM • 46 Comments


JamieFebruary 8, 2017 1:53 PM

I may be paranoid due to reading too much Schneier on Security, among other things, but the lack of HTTPS on a site like that makes me immediately suspicious of its recommendations.

ChiefFebruary 8, 2017 2:32 PM

How ironic. You seem to have to commit the serious violation of privacy protection principles of enabling scripting, in order to view the privacy guide.

Dirk PraetFebruary 8, 2017 2:34 PM

The advanced guide is a good start for absolute beginners. But advising Skype for secure conversations ?

@ Er....

It is ironic that they blacklist all tor nodes...

No, they don't. Click the onion in the upper left corner. Pick "New Tor Circuit for this Site". Keep trying until the site pops up.

My InfoFebruary 8, 2017 3:10 PM

Re: lack of https


The web pages at these https links degrade gracefully with javascript disabled. All the content appears to be readable, and navigable in basic fashion, but it is not as fancy and does not work as wonderfully as one would expect with Javascript enabled.

@Dirk Praet

But advising Skype for secure conversations ?

Who's your adversary? An angry ex-boyfriend, the Mafia, a hostile nation-state, or the NSA?

Er...February 8, 2017 3:26 PM

@My Info

Who's your adversary? An angry ex-boyfriend, the Mafia, a hostile nation-state, or the NSA?

Define "adversary"...

If by adversary, you mean, the one who's most-likely "targeting" (or focusing their attention on) only me right now... just the angry ex-boyfriend...

But if by adversary, you include those who are "targeting" (or mass-focusing their attention on) every person on the planet... then you have all the above, plus every single one of the most sophisticated illegal hackers in existence on the whole planet... You have to protect against all of them, or you will be owned. It's you vs the world, and it's not a fair game. Just imagine every knowledgeable person in the world being able to try the most sophisticated lock-picking techniques on every lock in the world at once, with little more effort than just focusing on a single lock, and you get the idea of the scale here. We need better ways of protecting our stuff in the face of that.

DanielFebruary 8, 2017 3:37 PM

I have to be honest and say I have never seen a security guide that I have actually liked or can recommend, this one included. My underlying problem with all these so-called guides is that the attempt to increase security by attacking software with software and that is an endless game. Operational security beats computer security every time. Want to stay safe? Wear a hoodie. Use public wifi. Use public wifi at random locations and random times wearing your hoodie. Don't cross contaminate. Keep your mouth shut you twit. Don't ever use social media. Buy your computer with cash wearing your hoodie.

It's that type of stuff that will keep you safe, not deleting your fucking browser history or spoofing your MAC address.

My InfoFebruary 8, 2017 4:33 PM


the one who's most-likely "targeting" (or focusing their attention on) only me right now...
those who are "targeting" (or mass-focusing their attention on) every person on the planet...

And how much access does the former have to the latter?

You have to protect against all of them, or you will be owned. It's you vs the world, and it's not a fair game. ... We need better ways of protecting our stuff in the face of that.

That is quite correct. Even NSA has problems with LOVEINT. And even NSA is no doubt infiltrated both by domestic criminal cartels and by hostile nation-states, never mind all other mundane government agencies and private mega-corporations that have accumulated vast quantities of our personal and private information.

DesmondFebruary 8, 2017 5:00 PM


Not only the website isn't HTTPS, basic and advance guide pages are using Google Analytics to track users.

I didn't even bother to read the content. There are many other good guides that respect the privacy of their users. EFF's SSD, Tactical Tech Collective's Security in-a-box project etc.

Clive RobinsonFebruary 8, 2017 5:23 PM

@ Er..., My Info,

If by adversary, you mean, the one who's most-likely "targeting" (or focusing their attention on) only me right now... just the angry ex-boyfriend...

What if the angry Ex is in some kind of "official capacity"?

Remember in the US any transport organisation is alowed to have it's own Law Enforcment Agency...

In the UK the "Snoopers Charter" lets all sorts of people run searches including those who work for any of the emergancy services which include the "Ambulance Service"...

In theory anyone who works in a bank or other financial institution, Health Insurer, etc etc can get at your private communications with quite minimal effort.

Oh the joker in the pack in the US is the NSL, how do you go about checking it's real? If you are a small ISP etc you are not going to go to court, the NSL includes all sort of secrecy clauses. So how do you check that the details on the letter are correct...

Er...February 8, 2017 5:26 PM

@My Info

And how much access does the former have to the latter?

Well, since it's a former boyfriend, presumably the same access at the moment, since I've cut off physical access, right? That is, assuming I've junked everything he had physical access to upon which he could have left something behind... (you may have a point that that could be too big of an assumption to make)

rFebruary 8, 2017 5:55 PM


Wiping and moving on only goes so far, have you seen @Clive's references to living in a whole (business suit) ?

Keep an eye to reinventing not yourself but somebody else.

Erdem MemisyaziciFebruary 8, 2017 10:56 PM

Browsing this website is also a great way to generate network traces on what type of services you use.

RonKFebruary 9, 2017 3:23 AM

I just love the "subtle" sexism (and/or genderism) of having a stated goal of avoiding abusive partners yet depicting 11 women and 0 men in the home page image.

According to this website the CDC statistics indicate that 1 in 10 men might be interested in this site. According to this, up to 4 men should have been in that home page image in order for it to be a representative audience.

Dirk PraetFebruary 9, 2017 4:33 AM

@ Er...

And how much access does the former have to the latter?

Does it matter? Adopting any type of digital hygiene against whatever adversary - even at the non-state actor level - precludes use of utilities like Skype that are known to be backdoored by design, especially when there's sufficient alternatives available. You may only be up against a stalker today, but whatever logs or archived (meta)data that remain can be used by whoever else produces a valid court order or legal equivalent tomorrow. Which especially if you're loose-lipped, inclined to profanity or prone to emotional outbursts may at some point jump up and bite you in the *ss.

Myself, I use Skype with one person only who is a technologically challenged 80-year-old. And on a dedicated device in a separate subnet.

Clive RobinsonFebruary 9, 2017 5:00 AM

@ Ron K,

The physical abuse by women towards men is badly under reported in the UK by both the authorities and the victims. I've spoken to people in the mental health community who think that when you include mental abuse as well as physical women are probably more abusive than men by around 3-2. Similar figures come back from those dealing with the legal side of marriage break down.

As with "men's health" like cancer the "squeaky wheel" principle applies. Women are better not just at communicating but of garnering considerably more empathy from those of the opposite sex they speak to. There is thus a "Think of the Children" type situation where UK law certainly is significantly biased to "Think of the Mothers" and health and social resourcing is based on "Think of the Women".

As one mental health practitioner pointed out to me the unfunny joke of it is that it's actually what you would expect. In that men in more senior positions tend to be more sympathetic towards women not just out of "fair sex" conditioning, but also by not wanting to appear biased for fear of being accused of being "sexist" directly or by implication.

As one well known feminist was heard to remark some years ago the main enemy of women achiving higher goals is women not men. That is there are a section of women in society who find the current status quo to be advantageous and do not want it changed for the worse for them.

Apparently this is also well known issue that goes back millennia as the story of the Sword of Damocles from around 350BC that Cicero later argues,

    Does not King Dionysius seem to have made it abundantly clear to Damocles that there can be nothing happy for the person no mater how powerfull over whom some fear always looms?

Which we see today with "sunday quaterbacks", "armchair strategists" and employees that can always second guess their employers with hindsight, yet will never become a boss or become self employed etc. As the words of the song about a bird in a guilded cage indicate life be it oh so dull / drear is comfortable, and you quickly spot the subtext that life outside the cage is not realy desired due to the fear of having to take responsability for ones self. Or as a later song[1] put it "the subtle whoring that costs too much to be free"

[1] The song "I've Never Been to Me" recorded in 1976 by Charlene and released on her debut album -- on the Motown label-- did badly. It only became popular in 1982 when she had given up on being a US pop singer, and left to become a surbuban housewife to a sweet shop owner in Ilford UK...

Ergo SumFebruary 9, 2017 5:32 AM

I must be doing something wrong when clicking on this link:

Yes, it is SSL link...

The site does not actually show information about the system/browser accessing the site, just the possible traces that it may leave behind. Reminds me of the, if I'd buy a lottery, I'd be rich...

In both browsers, Ghostery blocked Piwik site analytics...

Maybe I am wrong, but OS, applications, even security software and social networking telemetries are much more accurate for tracking the devices and the end users than browser based tracking. Not to mention that it is much more accurate and a lot harder to control.

Like MS Office 2016 requires a valid MS account for activating the license. If you don't have one, you'll need to create one. Doing so the registration will ask for your name, email address, address, DoB, etc. MS Office had telemetry since version 2013 for "improving end user experience"... Yeah, about that bridge...

Slime Mold with Mustard February 9, 2017 5:43 AM

Re: Gender and Abuse

My wife is a shrink. @Clive is correct (shocking, isn't it?)

When one partner is physically abusive, it is most often the female. However, most commonly it is both . In those situations, the outcome heavily favors the stronger, faster, and far more experienced (school) male. This may partly account society's wildly distorted view of domestic violence.

Slime Mold with MustardFebruary 9, 2017 6:16 AM

@ Daniel

I tend to agree with you. My employment demands we use these vulnerable tools, so we practice fanatical compartmentalization and use off-line machines and draconian media rules. We have on-line and game machines in a separate area. This possible because 90% of our clients are within four blocks of us. They think we're nuts for hand delivering everything. Until we remind them of the value of their data (also adds personal contact bonus).

Management here is selected as "least likely" to be vulnerable to compromise. I must decline to detail the vetting. I try to get them to practice personal security, but ya know, that damned 13th Amendment...

Who's targeting us? People with many millions, as well as friends in both government and LCN (redundant?), who stand to gain a lot.

Dirk PraetFebruary 9, 2017 7:00 AM

@ Clive, @ Slime Mold with Mustard

When one partner is physically abusive, it is most often the female. However, most commonly it is both .

I think it's kinda hard to generalise such statements. Domestic violence is often shaped by all kinds of societal factors (cultural, educational, religious, political). In Russia, the Duma has just passed a law that decriminalises some forms of domestic battery. It also makes sense that women in general are better at mental abuse as to compensate for their physical disadvantage. And which indeed often stays under the radar. Several friends of mine eventually had to search professional help to get out of horribly abusive relations they put up with for fear of having their children taken away from them but that were totally destroying their lives.

MatteoFebruary 9, 2017 9:52 AM

@Daniel "I have never seen a security guide that I have actually liked or can recommend"
I have one good guide that i can recommend! This one!! (the only one so far, and i have read almost any i have found)
this is really great!

and if you want a secure pc get Qubes OS it is revolutionary, far way better than windows/linux

btw i really hate people who say don't use public wifi/use a vpn.
it makes no difference!!
use https that makes difference!
wifi password protect your data for 5 meters compared to 9000km that your data makes in different countries.
vpn just change the exit point, doesn't encrypt anything.
https encrypt the connection from the start to the end, yes it's end to end (if you visit a website)
so pls anyone stop saying don't use public wifi!!

J DoeFebruary 9, 2017 11:10 AM

Aside from making a general problem that affects anyone as "think of the poor women" ... is OK.

Reply - ChiefFebruary 9, 2017 12:16 PM

"You seem to have to commit the serious violation of privacy protection principles of enabling scripting, in order to view the privacy guide."

You nailed it. At least it doesn't ask you to disable your adblocker, right? >:)

Dirk PraetFebruary 9, 2017 12:25 PM

@ Matteo

vpn just change the exit point, doesn't encrypt anything.

You're probably conflating the way Tor works with that of a VPN . I think you don't entirely understand the concept of a VPN as an encrypted tunnel between your own device and the internet. That's why every security manual you have ever read probably also recommends using a VPN whenever using public wifi, because without it intercepting your traffic at the access point is completely trivial. Using https on top of it indeed increases the difficulty for snoopers, but which is also regularly MITM'ed either by antivirus utilities or certain types of malware. Just do a DuckDuckGo for a thing called Superfish.

if_you_see_something_maybe_leak_somethingFebruary 9, 2017 4:27 PM

For a good graphical description of Tor and https:

After spending five minutes at the website:

0) I thought the "online safety guide" was very good (it appeared comprehensive) and it may be relevant for all threat models
1) use javascript for better results imo
2) remember Tails (for PC and Macintosh users) can be your friend

From a practical perspective why bother with a vpn. In other words either user Tails' Tor when you want to obfuscate your location. Or use Tails' Unsafe Browser when you don't care about location sharing. Is it worth bothering to channel Tor through a vpn endpoint? Even if the vpn is one you control? In other words, what use cases is one giving up by sticking with Tor or Tails' Unsafe Browser from a practical users' point of view?

Regardless, search the Schneier blog for how using Tor might be bad for your health; on the other hand Tails is my go to swiss army knife for accessing the web, from a dvd with, I hope, no persistence or for things w/o web access like re-initializing hdds or ssds.

if_you_see_something_maybe_say_somethingFebruary 9, 2017 4:44 PM

p.s. #1 of course consider using to see how poor, or good, your browser fingerprint is

Does anybody know of downsides to testing your browsers' fingerprints this way?

Dirk PraetFebruary 9, 2017 6:42 PM

@ if_you_see_something_maybe_leak_something

From a practical perspective why bother with a vpn.

Because Tor does not hide from your ISP that you're using it, and neither does it protect you against malicious exit nodes. While tunneling Tor through a VPN protects you from the former, it still doesn't against the latter. Which can be solved by tunneling a VPN through Tor, which gives you the added advantage of being shielded against VPN logging (they will only see a Tor exit node IP, not your real one). While you can run I2P over TAILS, it does not allow you to combine Tor with a VPN. Whonix does: you connect to your VPN from within the Whonix Workstation VM.

Another - and more secure way - to tunnel a VPN through Tor is by using a separate, dedicated device routing all traffic through Tor, like the @thegrugq's PORTAL, or a Raspberry Pi Tor router you can either buy off the shelf or DIY.

If you want/need a Tor/VPN solution, make sure you get a VPN service you can both register and pay anonymously for, and never use it stand-alone. Another good reason to get a VPN is to protect against malicious or compromised public wifi access points, which is essentially most of them. If that's the only thing you need it for, it's pretty easy to set up your own Raspberry Pi OpenVPN server at home for when you're on the road, and which at the same time gives you transparant access to your home network.

yonk0ow3nyoFebruary 10, 2017 4:27 AM

Yep you should have your own VPN and you can pay for them securely and you can set up your own VPN router, for WIFI on the road anon as long as you don't go log into stuff, expose your ma, URL history with ya little google type unique prefixing stuff and all the tracker bugger crap.

But why would I need security and privacy anyway. I'm just waiting to be a victim of identity theft, have my bank accounts and CCs robbed as cover while my ID gets used to verify for all kinds of stuff that my banks fraud squad couldn't give the slightest hoot about. You might think that the banks can't protect themselves, why should I? Well you're not a criminal and you will never think as creatively as they do, and occasionally some of them are also intelligent. "What", you might say, "intelligent"?

Well who do you think knocks out the malware, your grandmother? The
only reason the internet is still standing is it is too valuable a resource.

Vigilante Road KillFebruary 11, 2017 12:54 PM

NOT withstanding appreciation for all this good dialogue...

Look in the source.

Do even 10% of the webmasters using JQUERY or Wordpress or OFFSITE banners etc really KNOW what content is running? Isn't ignorance and helplessness the WHOLE idea behind these imported helps?
IMO its having many heads in sand: vast majority.

for example, do ANY android users KNOW why "system webview" boots from the DISABLED list when you send a message?

- VRK under-csis-bus

Nick PFebruary 11, 2017 10:04 PM


Well, that's not sexist at all. Guess the huge number of male victims of stalking, domestic violence, and rape attempts get left out.

"WHO IS THIS GUIDE FOR? Everyone, everywhere."

Oh OK. Maybe not. :)

EDIT: Just skimmed comments to see RonK beat me to that. I've heard from and/or counseled many male victims of crimes like this. They tell me authorities don't take them seriously and women groups they contacted didn't help them. Some even get replies back trivializing their ordeal. (rolls eyes)

Nick PFebruary 11, 2017 11:39 PM

Simultaneously, Thomas Ptacek and Maciej Ceglowski have a guide for journalists and nonprofits here with a lot of comments. Might be worth discussing.

Cut_N_PasteFebruary 12, 2017 2:32 PM

@Nick P

After spending an hour reading through the Hacker News link you provided, Cut N Paste is providing the reference piece from Hacker News.
The below is from:

Tech Solidarity > Resources > Security Guide

Basic security precautions for non-profits and journalists in the United States, early 2017.

Don't send any sensitive information by email.
Don't store sensitive information in cloud services like Evernote or Dropbox.
Don't use your fingerprint to lock/unlock devices.
Don't back up mobile messages to the cloud/iCloud/Google Drive.
Don't use your phone number for password recovery.
Don't use an Android phone.
Don't take the devices you work on across the US border.
Don't plug your device directly into an unknown port (such as an airport charger) without the safeguards outlined below.


Use a long passphrase to lock your devices.
Make sure you apply all software upda Turn on auto-updates where possible.
Use a iPhone 6 or later with a hard-to-guess passphrase. Don't use an Android phone.
If you are going to use email, use Gmail, with a physical security key on your laptop and Google Authenticator on your phone.
Here’s a security key FAQ with instructions for setting it up.
Use a password manager and have it generate random passwords for every site you use. A good password manager is 1password.
Turn on two-factor authentication on Twitter, Facebook, Github and anywhere else that supports it.
Don't use SMS to your phone number as the second factor.
Use Signal or WhatsApp on your phone to communicate with other people, rather than SMS or iMessage.
Follow this guide to secure your WhatsApp settings.
Follow this guide to secure your Signal settings.
Do as much of your work as possible on an iPhone or iPad rather than on a laptop. Use a bluetooth keyboard for easier typing.
Consider using a Chromebook. Chromebooks are secure options especially for opening attachments: you can safely open them on it.
If you have a Windows laptop, uninstall any antivirus products except for Windows Defender (from Microsoft).
Use Chrome as your browser. Avoid installing spurious, unknown or unnecessary extensions.
Turn on full-disk encryption on all devices.
How to do this on OS X
How to do this on Windows

When Traveling:

Don't take devices across the US border. Have a dedicated laptop and phone for travel abroad, don't keep sensitive information on them, and don't use them anywhere else.
Never plug your device into an unknown port. Never plug an unknown device into your computer or mobile device. Carry a “USB data blocker” (either the whole cable or an adapter that plugs into your cable like this) to at airport or hotel chargers.
If you believe your hotel room is monit, work under the covers on the bed. It is less conspicuous, and prevents video surveillance of what you’re typing and viewing.
Don’t use hotel phones for calls to sources. Assume that anything you say inside a hotel room may be recorded.
Don’t leave your phone or laptop unattended; always carry them with you.

Last updated: February 12, 2017

MatteoFebruary 13, 2017 5:47 AM

@Dirk Praet

i will repeat myself: DON'T USE A VPN, you don't need it!
as i said vpn encrypt your data between you and vpn provider (like wifi encrypt data between you and the router).
from there to the destination the data is unencrypted!!.
-vpn: connection can be interepted by vpn provider
-wifi: connection can be intercepted by router
-tor: connection can be intercepted by exit node (but it can't know the source)
-always: connection can be intercepted after router and vpn
-always assume network as hostile
USE HTTPS!!! it encrypt data between you and the destination!
about superfish, i know it but as you/someone install program to subvert https the same can be done with vpn or any other program.
if you have a virus in your computer you are doomed no matter what program you use.
if you assume a clean computer https is the solution, vpn isn't
if i use https you can't intercept my connection.
please read this:
"Don't use VPN services."

Dirk PraetFebruary 13, 2017 8:05 AM

@ Matteo

i will repeat myself: DON'T USE A VPN, you don't need it!

Repeating yourself does not make for a better argument, bruv. A VPN is just one of many tools you can use to enhance your privacy and security when connecting to the internet. The gist you refer to actually lists some valid use cases, one of which I explicitly mentioned. It also recommends rolling your own, which I equally suggested. But since you're obviously just here to make an unsubstantiated point with no intention whatsoever to listen to anything else, why would I bother anyway?

Dirk PraetFebruary 15, 2017 3:55 AM

@ if_you_see_something_maybe_leak/link _something

Is there any easy way to tell if my local free wifi connection is subject to a mitm attack.

If with a MITM attack you mean traffic going through the wifi router being intercepted/monitored, the way a script kiddie will usually go about it is by using Wireshark. Higher-end routers will usually have a port monitoring or packet capturing function, or you can use an old hub or cheap port-mirroring capable switch to copy traffic to another port for Wireshark monitoring. The presence of one or more network cards in promiscuous mode is generally a dead giveaway, but if the attacker is just copying traffic to a dedicated monitoring port, it's going to be difficult to know. But you can always try using netstat to find out where your traffic is going and/or use a number of utilities for the presence of known monitoring protocols.

I assume the local proprietor (where I might or might not be drinking coffee) and their local isp, have access to my identity and the fact I am using Tor, if they want it or are set up to collect that sort of stuff by default, regardless, whether I send internet traffic through a vpn at home or elsewhere.

When using Tor over public wifi, both the AP owner and his ISP can see you are using Tor and easily monitor/intercept your non-encrypted traffic. If you combine it with a VPN that tunnels/encrypts your traffic you can either hide from the AP owner/ISP that you are using Tor (Tor over VPN), or hide the traffic origin from malicious Tor exit nodes (VPN over Tor). The easiest way to go about the 2nd scenario is by using a laptop with Virtualbox Whonix Gateway/Workstation VM's, launching your VPN from inside the workstation. Those are options you don't have when just using a TAILS DVD from the local Starbucks.

MatteoFebruary 21, 2017 2:26 AM

"using a VPN whenever using public wifi, because without it intercepting your traffic at the access point is completely trivial"
true, but also true when using vpn the only difference is the "access point" that is your vpn provider.
https can not be mitm without you noticing. and if you see that big scary warning say connection is not secure and you ignore it it's not my fault.
the link i pasted list many use cases and explicitly say that for most of them you don't need it.
if i'm at home i connect from an ip and my connection can be intercepted by my isp.
if i use a vpn i have different ip and connection can be intercepted by vpn provider+ his isp.
if i use a wifi with known password or no password connection can be intercepted by who know the password and again the isp.
if you think that there are two knind of networks: trusted and untrusted you are wrong.
connection can be intercepted that is why https has been invented. if you connect to a website that has only http vpn can't magically encrypt anything. from the vpn provider to that web site everything is unencrypted exactly like at home or public wifi.
so people should not think use a vpn and everything is safe.
people should think that connection can be always intercepted.
and that changing ip will not welp.
it only helps if you are in a known bad connection that censor something in that case vpn or just a proxy helps. otherwise not.
vpn it's called Virtual Private Network for a reason. it has been designed to be used as a virtual private network not as a proxy to the internet.

Dirk PraetFebruary 21, 2017 4:14 AM

@ Matteo

https can not be mitm without you noticing

Nope. You only need to DNS spoof the destination and issue a fake SSL cert as a response and then you can use SSLDUMP to decrypt the stream. Virus scanners are doing it all the time.

But anyway, you are just reiterating a couple of points no one is denying, while stubbornly ignoring (or failing to understand) the valid use cases for a VPN. Which is fine with me, but not really worth investing more of my time in.

MatteoFebruary 21, 2017 8:49 AM

dns spoof true
fake ssl cert, possible but will show a warning. antivirus one doesn't show warning because they declare themself as CA Root. if you don't have a virus (like superfish) on your pc there is no fake ca root and so no fake ssl cert (happens sometimes but its quite rare and the issuer will be known: diginotar case)
decrypt ssl possible if you have the key, which is not true without fake cert that will show warning.

yes i think that i'm failing to understand valid use case of vpn, if you have a bit of time for me i will be happy to hear, i always like to learn new things.
valid use cases for me:
->use as Virtual Private Network (it's designed use)
->use to tunnel all traffic on known bad connection that for example when someone try to mitm ssl traffic so you can only:
-ignore the warning and be mitm
-don't visit the website
-visit it through vpn or any other tunnel (ssh for example) bypassing the bad guy.

if i want to hide my browser history i use tor not vpn (vpn just change who log the history doesn't prevent it)
isp will see that i use tor exactly like it would see that i'm using vpn (and also which one)

if you think that i'm missing something pls let me know

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.