Governments and Big Tech are making it harder than ever to defend your privacy online, but it’s not (yet) impossible.

In my previous column, I wrote: “The only way to keep your online identity private is by not giving out your online identity in the first place.”

Here’s a follow-up article on how I try to stay safe online.

One rather insulting response was: “People who think ‘online privacy’ is possible, are idiots.”

Well, sure, in the same sense that people who think that eliminating your risk of dying today is possible, are idiots. Risk is never zero. But risk can usually be meaningfully reduced.

Crossing a road is dangerous, but looking right, left and right again makes it a lot safer. Crossing at a controlled pedestrian crossing even more so. It doesn’t guarantee you’ll live, but it’s a damn sight better than just barging out into the street from behind a bus and hoping for the best – which is how far too many people approach internet safety.

And just like you’re going to have a hard time dodging someone who actively wants to run you over, no reasonable amount of precaution is going to save you if a competent hacker or a state-level entity comes after you, specifically.

Not only do they have technological means to attack your computers and online services, but in the case of governments, they have legal weapons they can deploy, and if all else fails, they can come to your door and put a gun to your head to get your encryption keys.

Let’s get a couple of misconceptions out of the way, first.

Showing ID

Proving your identity online is not analogous to showing your ID at a bar, club, bottle store or casino to prove that you’re of age.

It is analogous to letting the bouncer create a perfect duplicate of your ID to store forever, and then hoping that he never decides to use it to pretend to be you for some nefarious reason.

Sure, there are encryption algorithms and third-party services that in principle make it safe and secure to flash your online credentials. You already use secure credential verification for your banking apps – although that typically requires in-person verification of your identity.

The problem is that no system is fully secure. All systems are vulnerable to being hacked, and data breaches occur with alarming frequency even with the most secure systems (like banking, healthcare databases, dating sites, tax authorities and government services).

These breaches dump millions of credit card numbers, identity numbers, passwords (sometimes unencrypted), and other personal data onto the black market for data.

Once it’s out there, the data is used for various purposes, with identity theft, extortion, and bank fraud being the most prominent.

“I’ve got nothing to hide”

A stock response to concerns about privacy is “but I’ve got nothing to hide”, or “they’ve got all my data anyway”.

Both of those statements are wrong. Most sites don’t have all your data anyway. If they did, bad people would be extorting you, emptying your bank account, or hijacking your cloud accounts.

Everyone has something to hide. Many people have very good reasons to keep their identity, and their communications, secret from prying eyes.

Medical, financial, personal, and legal communication should be protected.

Identity information should be protected from oppressive governments or corrupt politicians.

Confidential information shared with colleagues, lawyers, doctors or journalists should stay confidential, no matter who asks.

Court rulings or laws that threaten to make your communications and personal information accessible to governments and big corporations – even if they promise, cross-my-heart-and-hope-to-die, never to abuse it – make you a slave.

They inevitably put your financial security, professional reputation and personal safety at the mercy of bad actors.

If you think you have nothing to hide, you should be okay with monthly police searches of your house, annual tax audits, changing your social media profiles to “public”, giving all your exes your new number and address, and putting your bank card PIN on a bumper sticker on the back of your car.

Here’s a short essay on the “nothing to hide” fallacy, and here’s a longer one.

Minimising your public profile

So, in principle, you want to minimise your “attack surface”; minimise your exposure, so that you have to be really unlucky to get caught up in a data breach, and commercial marketers, government surveillance and criminal networks can’t build a complete profile of you.

You especially don’t want companies to have profiles that include your verified identity; that identity is ripe to be exploited. Remember, corporations, governments and criminals do not have your best interests at heart. They all want something from you, and it’s usually loyalty, money, or both. Your personal data is leverage.

You don’t want to put all your eggs in one basket, either, so that if, say, your cloud data service is compromised, your company secrets, banking passwords and nudes don’t end up on 4chan forever.

Every time you interact with a company or site online, you want to give up as little personal information as possible. Your basic instinct when asked for information online should always be, “Why do you want to know, how are you planning to secure it, and how could you abuse it?”

How I stay safe

It may be helpful if I explain a few of my privacy and security habits, and why I follow them. I would welcome constructive comments from actual security experts on my privacy practices.

I use layered defences against targeted online marketing and mass surveillance.

I can’t lock everything down, because then you sacrifice too much functionality and convenience. It’s a trade-off. But I can do various fairly simple things that make it a lot harder for companies or criminals to catch me in a least-effort sweep of the internet.

I never use a single sign-on service, like Google or Facebook, to log into other sites. (I don’t use Facebook at all, for that matter.)

For sites where I want my interests to be tracked, like music, I have a music identity. It has a pseudonym, and is isolated from my other identities.

For services where I specifically don’t want to be tracked, like search, I use a non-tracking search engine. That way, I can be assured that it returns an objective set of results instead of feeding my confirmation bias. I currently use Brave Search, but I’ve used DuckDuckGo before, and there are a few other decent options.

I’m not a serious gamer, but still, I have a gaming identity that is not linked to any other accounts, because I have no interest in being bombarded with gaming videos when I’m trying to work, or trying to watch videos that actually interest me.

If I were to be interested in, say, adult material (which I’m not saying I am), I would have a separate identity for that, because I wouldn’t, hypothetically speaking, want my personal data to be splashed all over the internet.

One identity per site

I use a service to routinely create throwaway email addresses for logging in to websites, or signing up to newsletters. It is a feature of my password manager, which ensures that no two websites use the same login details.

If one website is breached, the damage to my privacy is limited, and nobody can track me across websites using my unique email address. More importantly, websites can’t easily share my data with each other.

This also allows me to track exactly who I can trust, and who sells email addresses to marketers.

I don’t have to rely on a site’s willingness to unsubscribe me if I’m no longer interested, or wasn’t interested in the first place. I can just disable a compromised email alias to nuke spammers.
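
The attribution described above works because each alias is given to exactly one site, so unrelated mail arriving on it points back at that site. The following is an added example, not part of the original column and not any password manager's own code; every address, domain and function name in it is constructed for illustration.

```python
# Added example: attribute unexpected mail to the per-site alias it arrived on.
# All aliases, sites and messages below are constructed sample data.

ALIASES = {  # alias address -> the one site it was issued to
    "k3v9x@alias.example": "shop.example",
    "p7q2m@alias.example": "news.example",
    "z1b8t@alias.example": "forum.example",
}

INBOX = [  # (recipient alias, sender address) pairs taken from received mail
    ("k3v9x@alias.example", "orders@mail.shop.example"),
    ("p7q2m@alias.example", "editor@news.example"),
    ("p7q2m@alias.example", "deals@bulk-offers.example"),
    ("z1b8t@alias.example", "noreply@forum.example"),
    ("p7q2m@alias.example", "promo@casino-bonus.example"),
    ("q0q0q@alias.example", "hello@unknown.example"),
]

def sender_domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def belongs_to(domain, site):
    """True if domain is the site itself or one of its subdomains."""
    return domain == site or domain.endswith("." + site)

def find_leaks(aliases, inbox):
    """Map each alias to the unrelated sender domains that have written to it."""
    leaks = {}
    for recipient, sender in inbox:
        site = aliases.get(recipient.lower())
        if site is None:
            continue  # not an alias we issued; nothing to attribute
        domain = sender_domain(sender)
        if not belongs_to(domain, site):
            leaks.setdefault(recipient.lower(), set()).add(domain)
    return leaks

def report(aliases, inbox):
    """Return (site, alias, sorted unrelated senders) for each leaked alias."""
    hits = find_leaks(aliases, inbox).items()
    return sorted((aliases[a], a, sorted(d)) for a, d in hits)

if __name__ == "__main__":
    for site, alias, senders in report(ALIASES, INBOX):
        print(f"{alias} (given only to {site}) got mail from: {', '.join(senders)}")
```

A hit is a reason to review and possibly disable the alias, not proof of a sale: sites often send through third-party mailing services, and the visible sender address can be forged.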

Passwords

My password manager is part of a service bundle that I subscribe to. It also enables me to use a different random password for every site.

I use a small number of well-considered passwords, generally including multiple words that don’t form obvious phrases, as master passwords: one for my password manager, one for my bank, one (or actually two) for my email, one for my computer’s user account, and one for the root account. Those passwords are never used anywhere else.

That way, no data breach can expose them, and even if I get punched in the head and forget my password manager’s password, I can still get into my most important accounts.

I also enable two-factor authentication on any service that is important to me, like my X account.

Proton

My fancy password manager is supplied by Proton, which also provides me with encrypted email, calendaring, cloud storage and a VPN (virtual private network), for a reasonable monthly subscription.

Proton has been rapidly building out its service offering (too rapidly, but that’s a story for another day and another website), because it wants to become a drop-in replacement for Google. It now offers online document editing, a wallet, and so forth, though I don’t use all these services (yet).

Proton is a Swiss company, which means it is subject to Swiss privacy laws. Someone would have to convince the Swiss government to force Proton to surrender my data, which is a sufficiently high hurdle for me to feel safe.

Moreover, Proton was started by former scientists from CERN, the European Organisation for Nuclear Research, which was instrumental in developing much of the foundational technology of the World Wide Web, including the very first web browser, even before NCSA Mosaic.

These are people who understand what privacy means, and why the internet needs to be saved from government and corporate surveillance.

Multiple services

As much as I like Proton, I also use a second service provider for a similar set of services. Again, I avoided using one of the Big Tech companies, because they all have fat pipes flowing directly into corporate databases and Five Eyes intelligence services.

I use Mega, because I happened to choose them years ago for cloud storage, before Proton also offered that. The benefit is that I now have redundancy: if Mega’s cloud goes down, I have Proton as a backup. If Proton’s VPN gives trouble (which it sometimes does), I have MegaVPN as a backup.

As an additional safeguard, my Mega service is registered to an entirely different pseudonymous email account, which I don’t use for anything else.

Software

I use Linux instead of Microsoft Windows, for many reasons, including privacy and security. I switched entirely a very long time ago, and distro-hopped for a while before settling on Arch (btw). It is a bit of a tinkerer’s operating system, and its repositories keep software on the leading (if not bleeding) edge, so it’s not as stable as a non-technical user might want.

There are many other Linux distributions that are targeted at general users. I have no recent direct experience with them, but Linux Mint Debian Edition comes highly recommended for first-time Linux users who want a Windows-like experience and rock-solid reliability. For gamers, Bazzite seems to be the way to go these days.

There’s a real groundswell of support for Linux, fuelled on one hand by the Valve Corporation’s contributions to making Linux capable of running most Steam games, and on the other by a growing backlash against Windows 11’s high minimum requirements, its mandatory Microsoft account login, its tendency to advertise at users, and its insistence on smearing AI over everything.

Windows was always pretty dodgy, in my view, but it really has become malware. It is the biggest corporate spy bot out there, and that’s even before hackers hijack your system with viruses and trojans.

Linux isn’t necessarily bulletproof, but in 23 years, I have yet to encounter a single virus, rootkit or trojan in the wild. It requires some compromises, especially in certain lines of work, but it’s come a long way, and is ready to go head-to-head with Windows (and macOS) now.

Browser

I use Brave, a privacy-oriented browser that is resistant to fingerprinting and has tools to block known ads and trackers, and risky behaviour like third-party cookies.

I allow adverts only on sites that I would actually like to support, like South African media publications.

It is a bit irritating to have to switch off the crypto features that Brave ships with, but it does ad- and tracker-blocking really well. I only let specific websites that actually need to remember my preferences store cookies on my machine. Third-party cookies are off by default. I could block all scripts to make it even more secure, but that would break a lot of websites.

If I didn’t use Brave, I’d use Firefox with uBlock Origin and a few other privacy extensions. It is easier to secure than a Chrome-based browser, and I always prefer to avoid platforms that dominate their market (as Google does) and are actively hostile to privacy (as Google is), because those are the platforms that get targeted by exploiters, if they aren’t telemetry-driven advertising engines themselves (as Chrome and most other Google-based browsers are).

Since I have access to two paid no-log VPNs as part of my online services bundles, I usually obfuscate my location. Some websites (like Takealot) break when I use a VPN, so I turn the VPN off when I use those sites, but usually, it just stays on. (I need to figure out website-based split tunnelling one day, to automate this.)

So most websites, most of the time, can’t track me by my IP, and as long as I insist on HTTPS (secure HTTP) connections, there’s no chance of an attacker tracking my browsing activity, even if they have access to my ISP, for example.

Sure, I probably don’t need that level of security 99% of the time, but it is nice to have, since it also means commercial trackers can’t amass good data on my behaviour.

On the rare occasion that I do see online adverts, I’m always delighted to see how badly they mis-target me. If I get ads for online Bible study, pregnancy clothes, or foreign language films, I always enjoy a little frisson of victory.

Habits

I think that’s most of it. There’s probably a bit more, but this is getting over-long as it is. In addition to these measures, I always balk at giving away my personal information.

Want my birthday? It’s 1 January 1970, which is the epoch time in Unix (and is close enough to my real birthday that I don’t get flooded with teen romance adverts or something). Want my cellphone number? Unless I actually want you to call me, you get a fake one. Want my name? I have a name generator for that.

All of that deliberately poisons the marketing data that companies hoover up, which suits me just fine.

None of this is foolproof, of course, especially because I wasn’t always so diligent about privacy, and also I have a public profile which I know contains some information about me, like the town where I live.

I could go further than I have done, but I’ve tried to strike a good balance between convenience and privacy. None of this is too onerous, but all of it together makes me a much smaller target. There are easier identities to steal, and easier people to market to.

Defend privacy

If you want privacy, you need to put in a little effort. It isn’t hard, but you need to defend it every day.

Besides taking what privacy measures you can, lobby legislators not to adopt laws that will annihilate privacy and anonymity, as legislators in the US, the UK, Europe, Australia and here in South Africa are eagerly doing.

Governments cannot promise to preserve privacy, and cannot promise that no harm will come to you from their attempts to verify age or identity online, or to make communications available to law enforcement.

What they’re promising is technically impossible to deliver, so even if you do trust your government (which is silly), you can’t trust your government.

Make public arguments against opportunistic tort cases against companies with deep pockets, even if you don’t like or trust those companies. Especially if you don’t like or trust those companies. Your privacy will be violated if those lawsuits succeed.

Learn about online privacy. Learn why everyone needs it, even if you have nothing to hide.

Widespread age verification or online ID laws will ruin the internet. They will sacrifice our peace of mind and put people’s money and personal safety at risk.

More broadly, both governments and Big Tech are destroying free speech and online privacy, each for ends that do not coincide with the interests of the people.

That’s why it’s important to take privacy seriously. Resist attempts to extract more information out of you than is really needed. Work out how to circumvent online ID and age verification, if you can. Take basic privacy precautions.

Your privacy matters, and nobody other than you cares about protecting it.

[Image: Neither governments nor big corporations will protect you from the consequences of losing control of your personal information. Illustration created by the author]

The views of the writer are not necessarily the views of the Daily Friend or the IRR.

Ivo Vegter is a freelance journalist, columnist and speaker who loves debunking myths and misconceptions, and addresses topics from the perspective of individual liberty and free markets.