This list of low effort, privacy-protecting measures was written for someone who’s threat model includes hackers, identity thieves, and other types of criminals and fraudsters but who does not care about big data AI, surveillance capitalism or government tracking. Most of these steps you will have heard before, as these are the basics that should apply to nearly everyone.
This list is generally in order of highest to lowest priority, but each is important. If you’re just getting started with privacy and you feel overwhelmed, start slow and work on one item at a time. Many of the items on this list just scratch the surface and really deserve an entire post to themselves.
Remember that privacy usually is not black and white and does not have a one-size-fits-all solution. While I recommend the solutions that I feel will be right for the average person, you should choose what makes the most sense for you and your threat model.
Most Important
1. Check your credit report for any fraudulent activity
If you haven’t looked over your credit report in a while, it’s time. You can check your credit report for free three times per year, once with each agency. Make sure to use the official website annualcreditreport.com. Verify that you recognize everything listed in your credit report.
2. Freeze your credit
And keep it frozen all the time. As of 2018, new legislation was introduced in the U.S. that mandates freezing and unfreezing your credit must be free of charge. It’s easy enough to temporarily lift a credit freeze for a set amount of time (that you can specify) whenever you might be applying for a new credit card, buying a car, etc. After that time period your credit is automatically frozen again with no extra work.
Once an identity thief realizes that your credit is frozen, ninety-nine percent of the time they will move on to an easier target. Freezing your credit is more effective than any credit monitoring service ever could be. So ditch the Life Lock, or whatever service they’re selling these days, and just freeze your credit.
3. Identify any possibilities that your devices may be compromised
If your devices are compromised, doing many of the things on this list won’t make any difference. If there is any possibility that someone has installed snooping, malware, or key-logging software onto your device (emphasis on your), I highly recommend that you either reformat the device or replace it.
Have you had an abusive and tech-savvy partner or friend? Ever had a stalker? Ever downloaded something from an untrustworthy website? Identify any time you have let someone borrow your device, any time someone has known something they shouldn’t have, or any time your computer has done something out of the ordinary. There’s no need to be overly paranoid here, but if this is a possibility, it’s better to have the peace of mind that your devices are secure.
4. Remove your information from online data brokers
This is definitely on the higher end of the effort scale for this list. These are the companies that compile information about everyone. Look up your name and they will likely know things like your address history, phone number, employment, family members, etc. It is creepy, and it’s a very unregulated industry. If someone paid enough money, and it’s usually a surprisingly low amount, one of these brokers will sell them your personal information.
They do allow you to request that your information be taken down, but often do their best to hide these forms. Luckily, there exist worksheets like this one that attempt to take all of the research out of this process and point you to the exact links and steps you should take with each data broker. I’ll warn you, there are a lot of them. Sometimes just taking care of the bigger names will have a trickle down effect, but you can take this as far as you want.
5. Use a password manager
Gone are the days when all you needed was a complex enough password to secure your accounts from hackers and criminals. The greatest threat now is that your emails and passwords will be exposed in a data breach and used against you.
You don’t need to be specifically targeted for this kind of attack. Hackers will cast a wide net and hope that some percentage of the leaked passwords are being reused on other services. This is why we recommend that everyone needs unique, randomly generated passwords (20+ characters) for every account.
The pinch point of having all your passwords stored in one location is much better than the alternative. With the shear number of different accounts the average person has these days, it is just not possible to have unique, complex passwords and be able to remember them all.
I recommend Bitwarden for password storage in the cloud, and KeePassXC for offline storage. Even if you do nothing else from this list, please start using a password manager and doing damage control on all those reused passwords.
6. Set up 2-factor authentication (2FA)
I know, you’ve probably heard of 2FA before and you probably think it’s a pain. Enabling it does make you a much harder target though, giving you protection in case anyone does get a hold of your passwords.
If you’ve ever had to enter a code that was texted to your phone or emailed to you, this is what I’m talking about. If you fear that you are being specifically targeted for harassment or stalking, 2FA is essential and you should already have it in place.
The most secure solution is hardware 2FA, which is a small USB key that you can plug into your device to confirm it’s you. On the other hand, SMS 2FA, also known as getting a code texted to your phone, is probably the least secure solution. This option leaves you vulnerable to SIM-swapping attacks, but it’s much better than not having 2FA enabled at all. Another option is downloading an authentication app that can generate the codes you need.
7. Don’t ever share your passwords or PINs
It can be tempting and convenient to share your passwords with others at times, especially those that you love and trust. In the end, it is a risk you are taking and you should be prepared for the consequences should this person turn on you or otherwise not have your best intentions in mind. What could happen if this person were in a desperate situation?
If you do share any passwords, just make sure to change them afterwards. Ideally, replace them with a randomly generated string of characters that you store in your password manager. If you’re sharing a WiFi password, consider setting up a separate network for guests. It shouldn’t cost you anything extra.
8. Check Have I Been Pwned
This is a handy website where you can enter your email and determine if your information has been exposed in a data breach. It will tell you in which breaches your information was found, and what information was exposed.
Don’t be surprised if you’ve never heard of some of the companies that show up. Your information can be released from services you directly sign up for, but it can just as easily be released indirectly by a business service utilized by those services.
It should go without saying that you should change your password for any accounts that show up as well as any accounts that used the same password. And no, putting an asterisk on the end instead of an exclamation point isn’t different enough.
Software
9. Update software regularly
Ensuring your software is up-to-date safeguards your devices with the best security patches currently available. No software is 100% safe in the evolving world of hacking and penetration testing.
While turning on automatic updates is a personal choice, if you don’t automatically update your software, make sure you are checking it and updating frequently. Make sure to update the operating systems on your devices as well as any software you may have installed.
10. Review the privacy settings on your devices and important accounts
Every once in a while, it’s a good idea to review the privacy settings both on your devices as well as email accounts, bank accounts, or any other important services. Check that everything is set the way you would like.
I highly recommend adopting a least-privileges policy, meaning only giving apps or services the minimum amount of permissions needed to accomplish their functions and no more. A good way to go about it is turning everything off, and then individually granting permissions whenever an app requests them.
11. Install an ad-blocker for your browser
I recommend that everyone downloads uBlock Origin for their browser. This is a browser extension that will block most malicious scripts on the websites you visit. With this installed, you won’t have to worry about those annoying ads and pop-ups, and webpages will load faster using less data.
You should keep in mind that ad blockers will occasionally break the functionality of a website, if this happens, simply whitelist the site and refresh the page.
12. Make sure your browser is enforcing https:// connections
Firefox does this by default now, but if your choice of browser does not have this feature, I recommend that you install the browser extension HTTPS Everywhere.
This type of connection, as opposed to http://, encrypts the requests and responses to the webpage and makes it so that anyone intercepting those communications just sees a random string of characters. It also helps to authenticate the true owner of a website, preventing a number of hijacking and spoofing attacks.
13. Install antivirus software
Unfortunately, at this time there are no good, open-source antivirus or anti-malware software suites. You could use any number of commercial antivirus software, however I tend to be very cautious with this type of software that is not able to be audited by independent experts.
You must make sure that you trust your antivirus software, since it monitors everything you do on your computer. Certain commercial solutions in the past have been revealed to sell your data, inject tracking IDs, and create backdoor vulnerabilities.
If you don’t want to accept this risk, you’ll probably be fine using the other methods on this list to protect yourself. If you’re on Windows, I recommend that you use the built-in Windows Defender antivirus software, since you’re already sending all your data to Microsoft anyway.
14. Use a firewall
Firewall setups can vary drastically, and you could take this very far and have a complex setup. In general, a firewall will act like the security guard of your internet connection and block specified domains from sending or receiving information from your device. This should give you protection from well-known malicious websites, but the level of protection depends on the quality of your block-list.
At minimum, you should probably turn on the default firewall for Mac, Windows, and Linux machines that can usually be found in your device settings. Going further, you could look into any number of software firewalls that can protect specific devices or network firewalls for those devices on which you can’t install software, such as a smart TV.
15. Run Internet-of-Things devices on a separate home network
There have been several instances in recent news where Internet-of-Things devices have been targeted by hackers. By placing these devices on a separate network, you are protecting your main devices from being accessed through things like that new refrigerator, which now tells you the weather, but wasn’t built with the best security standards in mind.
Creating a separate WiFi network won’t cost you anything extra, you just need to be able to access your router settings to set it up. It’s also a great idea to change the default login information whenever possible on Internet-of-Things devices.
Physical Security
16. Lock your device screens
I know, it’s simple, but many of us don’t do it. If you’re in the U.S. or plan to cross any international borders, it’s best to use a passcode or PIN rather than a biometric fingerprint or face-scan. This is because law enforcement forcing people to unlock their devices through biometrics is currently a gray area under U.S. law. Additionally, if your device is ever physically stolen from you, it is much easier to forcibly press your finger against the scanner than get you to give up your password.
17. Encrypt your devices
In the event your device is stolen or lost, if your hard drive is not encrypted, it is quite easy to take out the drive and read its contents using another machine. Back up your data before you attempt this in case anything goes wrong. You shouldn’t lose any data in this process, but it is always better to be safe than sorry when making changes to your hard drive.
It should be a simple thing to do, but instructions will be different for different devices. On Macs, this service is typically called FileVault. If you’re on Windows or Linux, you should probably look into VeraCrypt. Do some research on how to encrypt whatever particular device you own.
18. Back up your data regularly
Keeping backups is not only a good idea for protecting from your own mishaps and natural hard drive decay, but also from ransomware attackers and software glitches that may put you at risk of losing your data.
It’s always a good idea to keep your backups encrypted in case they ever get lost or somehow get into the wrong hands. We prefer hard backups on a physical drive to cloud-based backups, especially for important documents that you wouldn’t want potentially released with the latest exploit.
19. Use a Virtual Private Network (VPN) on public WiFi
You’ve probably heard this advice recently by someone trying to sell you a VPN service. This is the next level of security beyond https:// connection that you should consider if you use any public WiFi networks or networks that you don’t trust. It is also useful to hide your traffic from your Internet Service Provider (ISP) or make your traffic appear to be coming from a different location.
Having said that, you should feel confident that you trust the VPN provider that you choose, since now they can record and sell all of your traffic if they chose to do so. I use and trust Proton VPN.
20. Only use USB drives and charging cables that you trust
This advice really goes to anything you plug into your computer. Any type of plug that can transmit data has the possibility of injecting malware onto your device or otherwise harming your security.
Does this mean you shouldn’t borrow your friend’s cable when your phone is dying? Unless your friend is tech-knowledgeable and a little creepy, you’re probably fine, however it does mean you shouldn’t use any public charging cables or USB drives you find in the street.
Communication and Social Media
21. Switch to an end-to-end encrypted messaging app
I am talking about true end-to-end encryption (e2ee), meaning your messages only get unencrypted on your device, and even the employees of the messenger service cannot read them. The threat here is that sometimes employees are bribed to snoop and gather information about customers.
Although it’s not perfect, I recommend Signal for most people. This will be the easiest service for non-tech-savvy friends and family members to adopt. Signal also offers encrypted voice and video calling as well as group chats.
22. Eliminate unnecessary social media sharing
This one can be a sticking point for a lot of people. I’m not going to try to convince you to completely give up social media, however you should be careful about posting any types of identifying information including your location, your face, your friends faces and names, your address, your phone number, your employer, etc.
Sometimes people find themselves in the situation where one day they are a victim of a stalker or a doxxing attack, and preventing these types of people from being able to find your information must happen proactively. You cannot react to this type of situation effectively once you realize it’s occurring, since they likely already have your information.
This goes for your friends and family sharing information about you as well. That well-meaning vacation picture showing you in another state could be the opportunity this person is looking for to break into your home while you are away.
23. Review social media privacy settings
It’s a good idea to review these settings periodically, especially since we are seeing a trend of social networks giving up more control to users about their privacy due to increased public scrutiny.
At minimum, I strongly recommend that you keep your profile private so that only your friends can see your profile. Keep in mind that your profile picture and certain details will likely still be public, however. Sometimes you can also remove yourself from search results, which can be effective in preventing targeted attacks.
24. Use email aliases to avoid exposing your real address
I don’t really recommend using email aliasing services for your important accounts like your bank, but for some of the random accounts or newsletters that we sign up for it is a perfect strategy.
Essentially, with these services you can create a number of email addresses that let you forward incoming mail to another primary address. If an address receives too much spam, you can simply turn it off and forget about it. You can also reply to this email with your alias, so the sender knows nothing of your primary address.
I recommend the services AnonAddy and SimpleLogin, which both have decent free plans but can be upgraded for a fee for more addresses and features.
25. Be careful of phishing attacks
It’s important for everyone to be vigilant against phishing attacks, where an attacker imitates someone, for example, in an email or a phone call in order to convince you to give up private information.
If you fear you are being specifically targeted, you should be especially vigilant and double check or otherwise verify any queries for information. For instance, this could be done by calling your bank at the official published number to verify that the email you got that requested information is legitimate.
Your password manager can also be an effective protective measure against this type of attack, since it will not auto-fill your username and password on a domain that is similar but not exactly right (bamk.com rather than bank.com).
Bonus
26. Change your mindset about privacy
Privacy and security is never black and white. We can never be 100% secure. I don’t say this to discourage you, but to encourage you to have a healthy mindset going forward. It’s easy to give up and get overwhelmed before you’ve even started. We’ve all been there.
The reality is that increasing your privacy and security is a process and it may take some time, but every action you take to protect yourself helps to reduce your attack surface and reduce the possibility that someone may take advantage of your personal information. Just because you won’t be protected from every type of attack doesn’t mean it’s not worth taking any action at all.
It’s also important to keep in mind that privacy and security are almost always a tradeoff with convenience. You’ll have to decide for yourself where you’re comfortable falling on that spectrum. We encourage everyone to think about their threat model, meaning to identify what information you would like to protect and from whom you would like to protect that information. This context is essential to figuring out what specific attacks you may be vulnerable to and how you can prevent them.
