From 7c015837b08c950476e114f110c61c1744b9bbcf Mon Sep 17 00:00:00 2001
From: sm18lr88 <64564447+sm18lr88@users.noreply.github.com>
Date: Fri, 28 Nov 2025 18:09:43 -0500
Subject: [PATCH] update for 2025

---
 personal-security-checklist.yml | 3128 +++++++++++++++++--------------
 1 file changed, 1679 insertions(+), 1449 deletions(-)

diff --git a/personal-security-checklist.yml b/personal-security-checklist.yml
index 8c237d4..678caf5 100644
--- a/personal-security-checklist.yml
+++ b/personal-security-checklist.yml
@@ -4,201 +4,225 @@ icon: password color: yellow intro: >- - Most reported data breaches are caused by the use of weak, default, or stolen passwords - (according to [this Verizon report](http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)). - Use long, strong, and unique passwords, manage them in a secure password manager, enable + In 2025, over 80% of breaches involve compromised credentials, including AI-generated phishing (per IBM's Cost of a Data Breach Report). Use long, strong, and unique passwords, manage them in a secure password manager, enable 2-factor authentication, keep on top of breaches, and take care while logging into your accounts. checklist: - - point: Use a Strong Password - priority: Essential - details: >- - If your password is too short, or contains dictionary words, places, or names, then it can be easily - cracked through brute force or guessed by someone. The easiest way to make a strong password is by - making it long (12+ characters) — consider using a 'passphrase' made up of many words. Alternatively, - use a password generator to create a long, strong random password. Have a play with - [Security.org's How Secure Is My Password?](https://security.org/how-secure-is-my-password/), to get an idea of how quickly common - passwords can be cracked. Read more about creating strong passwords: - [securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/). + - point: Use a Strong Password + priority: Essential + details: >- + If your password is too short, or contains dictionary words, places, or names, then it can be easily + cracked through brute force or guessed by someone. The easiest way to make a strong password is by + making it long (12+ characters) — consider using a 'passphrase' made up of many words. Alternatively, + use a password generator to create a long, strong random password. 
Have a play with + [Security.org's How Secure Is My Password?](https://security.org/how-secure-is-my-password/), to get an idea of how quickly common + passwords can be cracked. Read more about creating strong passwords: + [securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/). - - point: Don't Reuse Passwords - priority: Essential - details: >- - If someone were to reuse a password and one site they had an account with suffered a leak, then a - criminal could easily gain unauthorized access to their other accounts. This is usually done through - large-scale automated login requests, and it is called Credential Stuffing. Unfortunately, this is all - too common, but it's simple to protect against — use a different password for each of your online accounts. + - point: Don't Reuse Passwords + priority: Essential + details: >- + If someone were to reuse a password and one site they had an account with suffered a leak, then a + criminal could easily gain unauthorized access to their other accounts. This is usually done through + large-scale automated login requests, and it is called Credential Stuffing. Unfortunately, this is all + too common, but it's simple to protect against - use a different password for each of your online accounts. - - point: Use a Secure Password Manager - priority: Essential - details: >- - For most people, it is going to be near-impossible to remember hundreds of strong and unique passwords. - A password manager is an application that generates, stores, and auto-fills your login credentials for you. - All your passwords will be encrypted against 1 master password (which you must remember, and it should be - very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, - your passwords can be auto-filled. 
A good all-rounder is - [Bitwarden](https://awesome-privacy.xyz/essentials/password-managers/bitwarden), or see - [Recommended Password Managers](https://awesome-privacy.xyz/essentials/password-managers). + - point: Use Passkeys Where Available + priority: Essential + details: >- + Passkeys (FIDO2/WebAuthn) are rapidly becoming the default in 2025 for major platforms. They are phishing-resistant and replace passwords with public-key + cryptography, so there is no shared secret for attackers to steal. Enable passkeys wherever supported and keep at least one hardware security key enrolled + for your most important accounts as a backup and for services that do not yet support passkeys. - - point: Avoid Sharing Passwords - priority: Essential - details: >- - While there may be times that you need to share access to an account with another person, you should - generally avoid doing this because it makes it easier for the account to become compromised. If you - absolutely do need to share a password — for example, when working on a team with a shared account — this - should be done via features built into a password manager. + - point: Use a Secure Password Manager + priority: Essential + details: >- + For most people, it is going to be near-impossible to remember hundreds of strong and unique passwords. + A password manager is an application that generates, stores, and auto-fills your login credentials for you. + All your passwords will be encrypted against 1 master password (which you must remember, and it should be + very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, + your passwords can be auto-filled. A good all-rounder is + [Bitwarden](https://bitwarden.com) (open source, independently audited, free tier available) or + [Proton Pass](https://proton.me/pass) (integrated with Proton ecosystem, built-in aliases). + [Recommended Password Managers](https://awesome-privacy.xyz/essentials/password-managers). 
- - point: Enable 2-Factor Authentication - priority: Essential - details: >- - 2FA is where you must provide both something you know (a password) and something you have (such as a - code on your phone) to log in. This means that if anyone has your password (e.g., through phishing, - malware, or a data breach), they will not be able to log into your account. It's easy to get started, - download [an authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) - onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next - time you log in on a new device, you will be prompted for the code that is displayed in the app on your phone - (it works without internet, and the code usually changes every 30 seconds). + - point: Avoid Sharing Passwords + priority: Essential + details: >- + While there may be times that you need to share access to an account with another person, you should + generally avoid doing this because it makes it easier for the account to become compromised. If you + absolutely do need to share a password — for example, when working on a team with a shared account — this + should be done via features built into a password manager. - - point: Keep Backup Codes Safe - priority: Essential - details: >- - When you enable multi-factor authentication, you will usually be given several codes that you can use if - your 2FA method is lost, broken, or unavailable. Keep these codes somewhere safe to prevent loss or - unauthorized access. You should store these on paper or in a safe place on disk (e.g., in offline storage - or an encrypted file/drive). Don't store these in your password manager as 2FA sources and passwords - should be kept separately. + - point: Enable 2-Factor Authentication + priority: Essential + details: >- + 2FA is where you must provide both something you know (a password) and something you have (such as a + code on your phone) to log in. 
This means that if anyone has your password (e.g., through phishing, + malware, or a data breach), they will not be able to log into your account. It's easy to get started, + download [an authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) + onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next + time you log in on a new device, you will be prompted for the code that is displayed in the app on your phone + (it works without internet, and the code usually changes every 30 seconds). - - point: Sign Up for Breach Alerts - priority: Optional - details: >- - After a website suffers a significant data breach, the leaked data often ends up on the internet. Several websites collect - these leaked records and allow you to search your email address to check if you are in any of their lists. - [Firefox Monitor](https://monitor.firefox.com), [Have I Been Pwned](https://haveibeenpwned.com), - and [DeHashed](https://dehashed.com) allow you to sign up for monitoring, where they will notify you if your - email address appears in any new data sets. It is useful to know as soon as possible when this happens so - that you can change your passwords for the affected accounts. [Have i been pwned](https://awesome-privacy.xyz/security-tools/online-tools/have-i-been-pwned) also has domain-wide - notification, where you can receive alerts if any email addresses under your entire domain appear (useful if - you use aliases for [anonymous forwarding](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding)). + - point: Keep Backup Codes Safe + priority: Essential + details: >- + When you enable multi-factor authentication, you will usually be given several codes that you can use if + your 2FA method is lost, broken, or unavailable. Keep these codes somewhere safe to prevent loss or + unauthorized access. 
You should store these on paper or in a safe place on disk (e.g., in offline storage + or an encrypted file/drive). Don't store these in your password manager as 2FA sources and passwords + should be kept separately. - - point: Shield your Password/PIN - priority: Optional - details: >- - When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and - that no one can see over your shoulder. Cover your password or pin code while you type, and do not - reveal any plain text passwords on your screen. + - point: Sign Up for Breach Alerts + priority: Optional + details: >- + After a website suffers a significant data breach, the leaked data often ends up on the internet. Several websites collect + these leaked records and allow you to search your email address to check if you are in any of their lists. + [Firefox Monitor](https://monitor.firefox.com), [Have I Been Pwned](https://haveibeenpwned.com), + and [DeHashed](https://dehashed.com) allow you to sign up for monitoring, where they will notify you if your + email address appears in any new data sets. It is useful to know as soon as possible when this happens so + that you can change your passwords for the affected accounts. [Have i been pwned](https://awesome-privacy.xyz/security-tools/online-tools/have-i-been-pwned) also has domain-wide + notification, where you can receive alerts if any email addresses under your entire domain appear (useful if + you use aliases for [anonymous forwarding](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding)). + - point: Beware of AI-Generated Phishing + priority: Essential + details: >- + In 2025, AI tools create hyper-personalized phishing emails and deepfake calls. Verify urgent requests via secondary channels (e.g., phone call). + Use AI-detection browser extensions and enable email filters for anomalies like unusual language or sender mismatches. 
+ - point: Implement Zero-Trust for Personal Accounts + priority: Optional + details: >- + Treat every login as untrusted: Use device-bound 2FA, verify app permissions, and audit connected devices quarterly via account settings. + - point: Prepare for Post-Quantum Cryptography Migration + priority: Advanced + details: >- + Quantum attacks will eventually break today's RSA and ECC. Start inventorying where you rely on long-term confidentiality (backups, email archives, + password databases) and prefer products that are adding NIST-standardized post-quantum algorithms (e.g., CRYSTALS-Kyber for key establishment and + Dilithium / FALCON / SPHINCS+ for signatures) over time. - - point: Update Critical Passwords Periodically - priority: Optional - details: >- - Database leaks and breaches are common, and, likely, several of your passwords are already somewhere - online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing - that all your passwords are long, strong, and unique, there is no need to do this too often — annually should be - sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes), - as it encourages colleagues to select weaker passwords. + - point: Shield your Password/PIN + priority: Optional + details: >- + When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and + that no one can see over your shoulder. Cover your password or pin code while you type, and do not + reveal any plain text passwords on your screen. - - point: Don’t Save your Password in Browsers - priority: Optional - details: >- - Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are - not always encrypted and could allow someone to gain access to your accounts. 
Instead, use a dedicated - password manager to store (and auto-fill) your passwords. + - point: Update Critical Passwords Periodically + priority: Optional + details: >- + Database leaks and breaches are common, and, likely, several of your passwords are already somewhere + online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing + that all your passwords are long, strong, and unique, there is no need to do this too often — annually should be + sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes), + as it encourages colleagues to select weaker passwords. - - point: Avoid Logging In on Someone Else’s Device - priority: Optional - details: >- - Avoid logging in on other people's computers since you can't be sure their system is clean. Be especially cautious - of public machines, as malware and tracking arr more common here. Using someone else's device is especially - dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a - private/incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request the browser to not save your credentials, - cookies, and browsing history. + - point: Don’t Save your Password in Browsers + priority: Optional + details: >- + Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are + not always encrypted and could allow someone to gain access to your accounts. Instead, use a dedicated + password manager to store (and auto-fill) your passwords. - - point: Avoid Password Hints - priority: Optional - details: >- - Some sites allow you to set password hints. Often, it is very easy to guess answers. 
In cases where password hints - are mandatory, use random answers and record them in your password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`). + - point: Avoid Logging In on Someone Else’s Device + priority: Optional + details: >- + Avoid logging in on other people's computers since you can't be sure their system is clean. Be especially cautious + of public machines, as malware and tracking arr more common here. Using someone else's device is especially + dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a + private/incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request the browser to not save your credentials, + cookies, and browsing history. - - point: Never Answer Online Security Questions Truthfully - priority: Optional - details: >- - If a site asks security questions (such as place of birth, mother's maiden name, or first car, etc.), don't provide - real answers. It is a trivial task for hackers to find out this information online or through social engineering. - Instead, create a fictitious answer, and store it inside your password manager. Using real words is better than - random characters, as [explained here](https://news.ycombinator.com/item?id=29244870). + - point: Avoid Password Hints + priority: Optional + details: >- + Some sites allow you to set password hints. Often, it is very easy to guess answers. In cases where password hints + are mandatory, use random answers and record them in your password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`). - - point: Don’t Use a 4-digit PIN - priority: Optional - details: >- - Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN. - Numeric passphrases are easy to crack (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a - 4-character alpha-numeric code). 
+ - point: Never Answer Online Security Questions Truthfully + priority: Optional + details: >- + If a site asks security questions (such as place of birth, mother's maiden name, or first car, etc.), don't provide + real answers. It is a trivial task for hackers to find out this information online or through social engineering. + Instead, create a fictitious answer, and store it inside your password manager. Using real words is better than + random characters, as [explained here](https://news.ycombinator.com/item?id=29244870). - - point: Avoid Using SMS for 2FA - priority: Optional - details: >- - When enabling multi-factor authentication, opt for app-based codes or a hardware token if supported. SMS is - susceptible to several common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking) - and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone - number will be stored or what else it will be used for. From a practical point of view, SMS will only work when - you have a signal and can be slow. If a website or service requires the usage of an SMS number for recovery, consider - purchasing a second pre-paid phone number only used for account recovery for these instances. + - point: Don’t Use a 4-digit PIN + priority: Optional + details: >- + Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN. + Numeric passphrases are easy to crack (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a + 4-character alpha-numeric code). - - point: Avoid Using your PM to Generate OTPs - priority: Advanced - details: >- - Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager - as your 2FA authenticator as well, since it would become a single point of failure if compromised. 
Instead, use a - dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop. + - point: Avoid Using SMS for 2FA + priority: Optional + details: >- + When enabling multi-factor authentication, opt for app-based codes or a hardware token if supported. SMS is + susceptible to several common threats, such as SIM-swapping and SS7 interception. There's also no guarantee of how securely your phone + number will be stored or what else it will be used for. From a practical point of view, SMS will only work when + you have a signal and can be slow. If a website or service requires the usage of an SMS number for recovery, consider + purchasing a second pre-paid phone number only used for account recovery for these instances. - - point: Avoid Face Unlock - priority: Advanced - details: >- - Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot - of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/) - and gain access to the device through digital photos and reconstructions from CCTV footage. Unlike your password, - there are likely photos of your face on the internet and videos recorded by surveillance cameras. + - point: Avoid Using your PM to Generate OTPs + priority: Advanced + details: >- + Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager + as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead, use a + dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop. 
- - point: Watch Out for Keyloggers - priority: Advanced - details: >- - A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between - your keyboard and the USB port, which intercepts all keystrokes and sometimes relays data to a remote server. - It gives a hacker access to everything typed, including passwords. The best way to stay protected is just by - checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted - inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your - own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard, or auto-filled by a password - manager can not be intercepted by a hardware keylogger. + - point: Avoid Face Unlock + priority: Advanced + details: >- + Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot + of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/) + and gain access to the device through digital photos and reconstructions from CCTV footage. Unlike your password, + there are likely photos of your face on the internet and videos recorded by surveillance cameras. - - point: Consider a Hardware Token - priority: Advanced - details: >- - A U2F/FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service to - verify your identity instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and - [NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits. - Since the browser communicates directly with the device, it cannot be fooled as to which host is requesting - authentication because the TLS certificate is checked. 
[This post](https://security.stackexchange.com/a/71704) is - a good explanation of the security of using FIDO U2F tokens. Of course, it is important to store the physical key - somewhere safe or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled. + - point: Watch Out for Keyloggers + priority: Advanced + details: >- + A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between + your keyboard and the USB port, which intercepts all keystrokes and sometimes relays data to a remote server. + It gives a hacker access to everything typed, including passwords. The best way to stay protected is just by + checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted + inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your + own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard, or auto-filled by a password + manager can not be intercepted by a hardware keylogger. - - point: Consider Offline Password Manager - priority: Advanced - details: >- - For increased security, an encrypted offline password manager will give you full control over your data. - [KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass) is a popular choice, with lots of [plugins](https://[KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass).info/plugins.html) and - community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org) - (desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731) - (iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up - and store it securely. 
+ - point: Consider a Hardware Token + priority: Advanced + details: >- + A FIDO2 security key (YubiKey, Nitrokey, SoloKey, Google Titan, etc.) is currently the most secure 2FA method. + It provides strong phishing resistance because the authenticator cryptographically proves the origin. Use it for + high-value accounts (email, banking, crypto). Many services now support multiple keys – register at least two + so you are not locked out if one is lost. - - point: Consider Unique Usernames - priority: Advanced - details: >- - Having different passwords for each account is a good first step, but if you also use a unique username, email, or - phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest - method for multiple emails, is using auto-generated aliases for anonymous mail forwarding. This is where - [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see - [Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#mail-forwarding)). Usernames are easier - since you can use your password manager to generate, store, and auto-fill these. Virtual phone numbers can be generated - through your VOIP provider. + - point: Consider Offline Password Manager + priority: Advanced + details: >- + For increased security, an encrypted offline password manager will give you full control over your data. + [KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass) is a popular choice, with lots of [plugins](https://keepass.info/plugins.html) and + community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org) + (desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731) + (iOS). 
The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up + and store it securely. + + - point: Consider Unique Usernames + priority: Advanced + details: >- + Having different passwords for each account is a good first step, but if you also use a unique username, email, or + phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest + method for multiple emails is using auto-generated aliases for anonymous mail forwarding. This is where + [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see + [Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#mail-forwarding)). Usernames are easier + since you can use your password manager to generate, store, and auto-fill these. Virtual phone numbers can be generated + through your VOIP provider. + + - point: Audit Single Sign-On and Connected Apps + priority: Optional + details: >- + “Sign in with Google / Apple / Microsoft” is convenient but it also links many apps and services to the same identity. Periodically review which + mobile apps and websites are connected to your main identity provider accounts and revoke access for those you no longer use. Where possible, use + aliases or separate identities for high-risk or experimental apps so compromise or data sharing in one place does not expose your entire digital footprint. softwareLinks: - title: Password Managers url: https://awesome-privacy.xyz/essentials/password-managers 
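Review bot: The rewritten intro replaces a linked citation with an unlinked statistic ("over 80% of breaches involve compromised credentials ... per IBM's Cost of a Data Breach Report") that carries no URL and no report year, so readers cannot verify it; every other figure in this file is linked and the IBM report is published yearly, so name the edition and link it, or keep the claim qualitative. The same hunk re-indents every checklist item from two to four spaces, which is whitespace churn that turns a content edit into a 3128-line diff and buries the real changes; either keep the existing indentation or land the reindent as a separate commit. Smaller points in this hunk: the password-manager entry now ends with the bare fragment `[Recommended Password Managers](https://awesome-privacy.xyz/essentials/password-managers).` after "or see" was dropped; the new "Beware of AI-Generated Phishing" item tells readers to "Use AI-detection browser extensions" without naming or linking one, which is not actionable; the post-quantum item should use the names NIST actually standardized, ML-KEM (FIPS 203, from CRYSTALS-Kyber), ML-DSA (FIPS 204, from Dilithium) and SLH-DSA (FIPS 205, from SPHINCS+), since those are the names products will advertise; the SMS-2FA item loses the SIM-swapping and SS7 links that explained the threats; and "Don't Reuse Passwords" swaps its em-dash for a plain hyphen while the neighbouring items keep the em-dash. The corrected KeePass plugins URL (https://keepass.info/plugins.html) is a good fix.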
@@ -210,8 +234,8 @@ description: Avoiding tracking, censorship, and data collection online icon: browser intro: >- - Most websites on the internet will use some form of tracking, often to gain - insight into their users behaviour and preferences. This data can be incredibly + In 2025, GenAI amplifies tracking via predictive profiling; most sites deploy advanced behavioral analytics. This data can provide + deep insight into their users behaviour and preferences. This data can be incredibly detailed, and so is extremely valuable to corporations, governments and intellectual property thieves. Data breaches and leaks are common, and deanonymizing users web activity is often a trivial task. 
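Review bot: "This data can provide deep insight into their users behaviour and preferences" now has no antecedent, because the sentence that introduced tracking as the thing producing the data was removed, and it is immediately followed by a second "This data can be incredibly detailed", so the intro reads as two dangling references in a row. The new opening also asserts that "most sites deploy advanced behavioral analytics" without a source, where the original made the weaker, defensible claim that most sites use some form of tracking. Suggest keeping the original first sentence and adding the GenAI point after it, e.g. "Most websites on the internet will use some form of tracking, often to gain insight into their users' behaviour and preferences, and generative-AI tooling now lets operators turn that into predictive profiles. This data can be incredibly detailed, ...". While here, "users behaviour" still needs its apostrophe ("users' behaviour").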
@@ -229,314 +253,322 @@ This section outlines the steps you can take, to be better protected from threats, minimise online tracking and improve privacy. checklist: - - point: Block Ads - priority: Essential - details: >- - Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. - [uBlock Origin](https://awesome-privacy.xyz/networking/ad-blockers/ublock-origin) is a very - efficient and open source browser addon, - developed by Raymond Hill. When 3rd-party ads are displayed on a webpage, they have the ability to - track you, gathering personal information about you and your habits, which can then be sold, or used - to show you more targeted ads, and some ads are plain malicious or fake. Blocking ads also makes pages - load faster, uses less data and provides a less cluttered experience. + - point: Block Ads + priority: Essential + details: >- + Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. + [uBlock Origin](https://awesome-privacy.xyz/networking/ad-blockers/ublock-origin) is a very + efficient and open source browser addon, + developed by Raymond Hill. When 3rd-party ads are displayed on a webpage, they have the ability to + track you, gathering personal information about you and your habits, which can then be sold, or used + to show you more targeted ads, and some ads are plain malicious or fake. Blocking ads also makes pages + load faster, uses less data and provides a less cluttered experience. - - point: Ensure Website is Legitimate - priority: Basic - details: >- - It may sound obvious, but when you logging into any online accounts, double check the URL is correct. - Storing commonly visited sites in your bookmarks is a good way to ensure the URL is easy to find. When - visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, - on-site spam and pop-ups. 
You can also check a website using a tool, such as: - [Virus Total](https://awesome-privacy.xyz/security-tools/online-tools/virus-total), - [IsLegitSite](https://www.islegitsite.com), [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search) - if you are unsure. + - point: Ensure Website is Legitimate + priority: Basic + details: >- + It may sound obvious, but when you logging into any online accounts, double check the URL is correct. + Storing commonly visited sites in your bookmarks is a good way to ensure the URL is easy to find. When + visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, + on-site spam and pop-ups. You can also check a website using a tool, such as: + [Virus Total](https://awesome-privacy.xyz/security-tools/online-tools/virus-total), + [IsLegitSite](https://www.islegitsite.com), [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search) + if you are unsure. - - point: Watch out for Browser Malware - priority: Basic - details: >- - Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, - adware etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking, - don't proceed to a website if your browser warns you it may be malicious. Common signs of browser malware - include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, - significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal - explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware), - [how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides) - and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal). 
+ - point: Watch out for Browser Malware + priority: Basic + details: >- + Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, + adware etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking, + don't proceed to a website if your browser warns you it may be malicious. Common signs of browser malware + include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, + significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal + explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware), + [how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides) + and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal). - - point: Use a Privacy-Respecting Browser - priority: Essential - details: >- - [Firefox](https://awesome-privacy.xyz/essentials/browsers/firefox) (with a few tweaks) - and [Brave](https://awesome-privacy.xyz/essentials/browsers/brave-browser) - are secure, private-respecting browsers. Both are fast, open source, user-friendly and available on all - major operating systems. Your browser has access to everything that you do online, so if possible, avoid - Google Chrome, Edge and Safari as (without correct configuration) all three of them, collect usage data, - call home and allow for invasive tracking. Firefox requires a few changes to achieve optimal security, - for example - [arkenfox](https://github.com/arkenfox/user.js/wiki) or [12byte](https://12bytes.org/firefox-configuration-guide-for-privacy-freaks-and-performance-buffs/)'s - user.js configs. See more: [Privacy Browsers](https://github.com/Lissy93/awesome-privacy#browsers). 
+ - point: Use a Privacy-Respecting Browser + priority: Essential + details: >- + LibreWolf, Mullvad Browser, or hardened Firefox are currently the strongest choices for desktop. + Brave remains a solid option with strong built-in blocking. Avoid unhardened Chrome, Edge, and Safari. + Recommended configurations: LibreWolf (out-of-the-box), arkenfox user.js for Firefox, or Mullvad Browser. + See: [Privacy Browsers](https://github.com/Lissy93/awesome-privacy#browsers). - - point: Use a Private Search Engine - priority: Essential - details: >- - Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not - logged, or used against you. Consider [DuckDuckGo](https://awesome-privacy.xyz/essentials/search-engines/duckduckgo), - or [Qwant](https://awesome-privacy.xyz/essentials/search-engines/qwant). - Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) - tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). - Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect - their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) - to a privacy-respecting search engine. + - point: Beware “Open in App” Prompts + priority: Essential + details: >- + Many sites try to push you into their native mobile or desktop apps with full-screen banners and “Continue in app” buttons. Native apps typically have + broader access to device identifiers, sensors and background activity than a hardened browser tab. When privacy matters, prefer staying in the browser + instead of installing yet another app. 
- - point: Remove Unnecessary Browser Addons - priority: Essential - details: >- - Extensions are able to see, log or modify anything you do in the browser, and some innocent looking - browser apps, have malicious intentions. Websites can see which extensions you have installed, and may - use this to enhance your fingerprint, to more accurately identify/ track you. Both [Firefox](https://awesome-privacy.xyz/essentials/browsers/firefox) and Chrome - web stores allow you to check what permissions/access rights an extension requires before you install it. - Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while. + - point: Use a Private Search Engine + priority: Essential + details: >- + Using a privacy-preserving, non-tracking search engine will reduce the risk that your search terms are logged and profiled. Consider + [DuckDuckGo](https://awesome-privacy.xyz/essentials/search-engines/duckduckgo), [Qwant](https://awesome-privacy.xyz/essentials/search-engines/qwant), + [Brave Search](https://awesome-privacy.xyz/essentials/search-engines/brave-search) or a self-hosted metasearch like SearxNG. + Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) + tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). + Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect + their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) + to a privacy-respecting search engine. - - point: Keep Browser Up-to-date - priority: Essential - details: >- - Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) - and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. 
You can [see which browser - version you're using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) - for instructions on how to update. Some browsers will auto-update to the latest stable version. + - point: Remove Unnecessary Browser Addons + priority: Essential + details: >- + Extensions are able to see, log or modify anything you do in the browser, and some innocent looking + browser apps, have malicious intentions. Websites can see which extensions you have installed, and may + use this to enhance your fingerprint, to more accurately identify/ track you. Both [Firefox](https://awesome-privacy.xyz/essentials/browsers/firefox) and Chrome + web stores allow you to check what permissions/access rights an extension requires before you install it. + Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while. - - point: Check for HTTPS - priority: Essential - details: >- - If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore - be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let - the green padlock give you a false sense of security, just because a website has SSL certificate, does - not mean that it is legitimate or trustworthy. [HTTPS-Everywhere](https://www.eff.org/https-everywhere) - (developed by the [EFF](https://www.eff.org/)) used to be a browser extension/addon that automatically - enabled HTTPS on websites, but as of 2022 is now deprecated. In their [accouncement article](https://www.eff.org/) - the EFF explains that most browsers now integrate such protections. Additionally, it provides instructions - for [Firefox](https://awesome-privacy.xyz/essentials/browsers/firefox), Chrome, Edge and Safari browsers on how to enable their HTTPS secure protections. 
+ - point: Keep Browser Up-to-date + priority: Essential + details: >- + Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) + and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. You can [see which browser + version you're using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) + for instructions on how to update. Some browsers will auto-update to the latest stable version. - - point: Use DNS-over-HTTPS - priority: Essential - details: >- - Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and - manipulation of DNS data through man-in-the-middle attacks. Whereas DNS-over-HTTPS performs DNS - resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. - A popular option is [CloudFlare](https://awesome-privacy.xyz/networking/dns-providers/cloudflare)'s [1.1.1.1](https://awesome-privacy.xyz/security-tools/mobile-apps/1.1.1.1), or compare providers- it is simple to enable in-browser. - Note that DoH comes with its own issues, mostly preventing web filtering. + - point: Check for HTTPS + priority: Essential + details: >- + Do not enter any data on a non-HTTPS website. Data transported over plain HTTP is unencrypted and can be read by anyone who intercepts it. + Most modern browsers (Firefox, Chrome, Edge, Safari) now have a built-in "HTTPS-Only Mode" that automatically forces secure connections. + You should enable this in your browser settings. The previously popular HTTPS-Everywhere extension has been discontinued and is no longer needed. - - point: Multi-[Session](https://awesome-privacy.xyz/communication/encrypted-messaging/session) Containers - priority: Essential - details: >- - Compartmentalisation is really important to keep different aspects of your browsing separate. 
For - example, using different profiles for work, general browsing, social media, online shopping etc - will reduce the number associations that data brokers can link back to you. One option is to make - use of [Firefox Containers](https://awesome-privacy.xyz/security-tools/browser-extensions/firefox-multi-account-containers) - which is designed exactly for this purpose. - Alternatively, you could - use different browsers for different tasks - ([Brave](https://awesome-privacy.xyz/essentials/browsers/brave-browser), - [Firefox](https://awesome-privacy.xyz/essentials/browsers/firefox), - [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor) etc). + - point: Use DNS-over-HTTPS + priority: Essential + details: >- + Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and + manipulation of DNS data through man-in-the-middle attacks. Whereas DNS-over-HTTPS performs DNS + resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. + A popular option is [CloudFlare](https://awesome-privacy.xyz/networking/dns-providers/cloudflare)'s [1.1.1.1](https://awesome-privacy.xyz/security-tools/mobile-apps/1.1.1.1), or compare providers- it is simple to enable in-browser. + Note that DoH comes with its own issues, mostly preventing web filtering. For enhanced privacy, consider DNS-over-TLS (DoT). + - point: Block AI-Driven Trackers + priority: Essential + details: >- + Emerging GenAI trackers predict user intent from partial data. Use extensions like uBlock Origin with custom filters for AI endpoints (e.g., OpenAI APIs). + Regularly review and revoke third-party data shares in browser settings. + - point: Secure AI Browser Agents + priority: Optional + details: >- + AI agents (e.g., ChatGPT Atlas) risk prompt injection; limit permissions, use sandboxed sessions, and verify outputs for sensitive tasks. 
- - point: Use Incognito - priority: Essential - details: >- - When using someone else's machine, ensure that you're in a private/ incognito session. This will - prevent browser history, cookies and some data being saved, but is not fool-proof- you can still - be tracked. + - point: Multi-[Session](https://awesome-privacy.xyz/communication/encrypted-messaging/session) Containers + priority: Essential + details: >- + Compartmentalisation is really important to keep different aspects of your browsing separate. For + example, using different profiles for work, general browsing, social media, online shopping etc + will reduce the number associations that data brokers can link back to you. One option is to make + use of [Firefox Containers](https://awesome-privacy.xyz/security-tools/browser-extensions/firefox-multi-account-containers) + which is designed exactly for this purpose. + Alternatively, you could + use different browsers for different tasks + ([Brave](https://awesome-privacy.xyz/essentials/browsers/brave-browser), + [Firefox](https://awesome-privacy.xyz/essentials/browsers/firefox), + [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor) etc). - - point: Understand Your Browser Fingerprint - priority: Essential - details: >- - Browser Fingerprinting is an incredibly accurate method of tracking, where a website identifies you - based on your device information. You can view your fingerprint at amiunique.org- The aim is to be - as un-unique as possible. + - point: Use Incognito + priority: Essential + details: >- + When using someone else's machine, ensure that you're in a private/ incognito session. This will + prevent browser history, cookies and some data being saved, but is not fool-proof- you can still + be tracked. - - point: Manage Cookies - priority: Essential - details: >- - Clearing cookies regularly is one step you can take to help reduce websites from tracking you. 
- Cookies may also store your session token, which if captured, would allow someone to access your - accounts without credentials. To mitigate this you should clear cookies often. + - point: Understand Your Browser Fingerprint + priority: Essential + details: >- + Browser Fingerprinting is an incredibly accurate method of tracking, where a website identifies you + based on your device information. You can view your fingerprint at amiunique.org- The aim is to be + as un-unique as possible. - - point: Block Third-Party Cookies - priority: Essential - details: >- - Third-party cookies placed on your device by a website other than the one you’re visiting. This - poses a privacy risk, as a 3rd entity can collect data from your current session. This guide explains - how you can disable 3rd-party cookies, and you can check here ensure this worked. + - point: Manage Cookies + priority: Essential + details: >- + Configure your browser to clear cookies on exit for untrusted sites and to restrict third-party cookies. Cookies may store session tokens, + which if captured, would allow someone to access your accounts without credentials. Site-isolation features (like "Total Cookie Protection" + in Firefox) help, but you should still periodically clear cookies and log out of sensitive accounts in shared environments. - - point: Block Third-Party Trackers - priority: Essential - details: >- - Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in - the background. [Privacy Badger](https://awesome-privacy.xyz/security-tools/browser-extensions/privacy-badger), - [DuckDuckGo Privacy Essentials](https://awesome-privacy.xyz/security-tools/browser-extensions/privacy-essentials), - [uBlock Origin](https://awesome-privacy.xyz/networking/ad-blockers/ublock-origin) and uMatrix (advanced) - are all very effective, open source tracker-blockers available for all major browsers. 
+ - point: Block Third-Party Cookies + priority: Essential + details: >- + Third-party cookies placed on your device by a website other than the one you’re visiting. This + poses a privacy risk, as a 3rd entity can collect data from your current session. This guide explains + how you can disable 3rd-party cookies, and you can check here ensure this worked. - - point: Beware of Redirects - priority: Optional - details: >- - While some redirects are harmless, others, such as Unvalidated redirects are used in phishing attacks, - it can make a malicious link seem legitimate. If you are unsure about a redirect URL, you can check - where it forwards to with a tool like RedirectDetective. + - point: Block Third-Party Trackers + priority: Essential + details: >- + Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in + the background. [Privacy Badger](https://awesome-privacy.xyz/security-tools/browser-extensions/privacy-badger), + [DuckDuckGo Privacy Essentials](https://awesome-privacy.xyz/security-tools/browser-extensions/privacy-essentials), + [uBlock Origin](https://awesome-privacy.xyz/networking/ad-blockers/ublock-origin) and uMatrix (advanced) + are all very effective, open source tracker-blockers available for all major browsers. - - point: Do Not Sign Into Your Browser - priority: Optional - details: >- - Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across - devices. However this not only allows for further data collection, but also increases attack surface - through providing another avenue for a malicious actor to get hold of personal information. + - point: Beware of Redirects + priority: Optional + details: >- + While some redirects are harmless, others, such as Unvalidated redirects are used in phishing attacks, + it can make a malicious link seem legitimate. 
If you are unsure about a redirect URL, you can check + where it forwards to with a tool like RedirectDetective. - - point: Disallow Prediction Services - priority: Optional - details: >- - Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. - If this is enabled then data is sent to Google (or your default search engine) with every keypress, - rather than when you hit enter. + - point: Do Not Sign Into Your Browser + priority: Optional + details: >- + Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across + devices. However this not only allows for further data collection, but also increases attack surface + through providing another avenue for a malicious actor to get hold of personal information. - - point: Avoid G Translate for Webpages - priority: Optional - details: >- - When you visit a web page written in a foreign language, you may be prompted to install the Google Translate - extension. Be aware that Google collects all data (including input fields), along with details of the current - user. Instead use a translation service that is not linked to your browser. + - point: Disallow Prediction Services + priority: Optional + details: >- + Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. + If this is enabled then data is sent to Google (or your default search engine) with every keypress, + rather than when you hit enter. - - point: Disable Web Notifications - priority: Optional - details: >- - Browser push notifications are a common method for criminals to encourage you to click their link, since - it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications, - see this article. 
+ - point: Avoid G Translate for Webpages + priority: Optional + details: >- + When you visit a web page written in a foreign language, you may be prompted to install the Google Translate + extension. Be aware that Google collects all data (including input fields), along with details of the current + user. Instead use a translation service that is not linked to your browser. - - point: Disable Automatic Downloads - priority: Optional - details: >- - Drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated - by disabling auto file downloads, and be cautious of websites which prompt you to download files unexpectedly. + - point: Disable Web Notifications + priority: Optional + details: >- + Browser push notifications are a common method for criminals to encourage you to click their link, since + it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications, + see this article. - - point: Disallow Access to Sensors - priority: Optional - details: >- - Mobile websites can tap into your device sensors without asking. If you grant these permissions to your - browser once, then all websites are able to use these capabilities, without permission or notification. + - point: Disable Automatic Downloads + priority: Optional + details: >- + Drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated + by disabling auto file downloads, and be cautious of websites which prompt you to download files unexpectedly. - - point: Disallow Location - priority: Optional - details: >- - Location Services lets sites ask for your physical location to improve your experience. This should be - disabled in settings. Note that there are still other methods of determining your approximate location. + - point: Disallow Access to Sensors + priority: Optional + details: >- + Mobile websites can tap into your device sensors without asking. 
If you grant these permissions to your + browser once, then all websites are able to use these capabilities, without permission or notification. - - point: Disallow Camera/ Microphone access - priority: Optional - details: >- - Check browser settings to ensure that no websites are granted access to webcam or microphone. It may also - be beneficial to use physical protection such as a webcam cover and microphone blocker. + - point: Disallow Location + priority: Optional + details: >- + Location Services lets sites ask for your physical location to improve your experience. This should be + disabled in settings. Note that there are still other methods of determining your approximate location. - - point: Disable Browser Password Saves - priority: Optional - details: >- - Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. - Instead use a password manager. + - point: Disallow Camera/ Microphone access + priority: Optional + details: >- + Check browser settings to ensure that no websites are granted access to webcam or microphone. It may also + be beneficial to use physical protection such as a webcam cover and microphone blocker. - - point: Disable Browser Autofill - priority: Optional - details: >- - Turn off autofill for any confidential or personal details. This feature can be harmful if your browser - is compromised in any way. Instead, consider using your password manager's Notes feature. + - point: Disable Browser Password Saves + priority: Optional + details: >- + Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. + Instead use a password manager. - - point: Protect from Exfil Attack - priority: Optional - details: >- - The CSS Exfiltrate attack is a method where credentials and other sensitive details can be snagged with - just pure CSS. 
You can stay protected, - with the [CSS Exfil Protection](https://awesome-privacy.xyz/security-tools/browser-extensions/css-exfil-protection) plugin. + - point: Disable Browser Autofill + priority: Optional + details: >- + Turn off autofill for any confidential or personal details. This feature can be harmful if your browser + is compromised in any way. Instead, consider using your password manager's Notes feature. - - point: Deactivate ActiveX - priority: Optional - details: >- - ActiveX is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly - used anymore, but since it gives plugins intimate access rights, and can be dangerous, therefore you should - disable it. + - point: Protect from Exfil Attack + priority: Optional + details: >- + The CSS Exfiltrate attack is a method where credentials and other sensitive details can be snagged with + just pure CSS. You can stay protected, + with the [CSS Exfil Protection](https://awesome-privacy.xyz/security-tools/browser-extensions/css-exfil-protection) plugin. - - point: Disable WebRTC - priority: Optional - details: >- - WebRTC allows high-quality audio/video communication and peer-to-peer file-sharing straight from the - browser. However it can pose as a privacy leak. To learn more, check out this guide. + - point: Deactivate ActiveX + priority: Optional + details: >- + ActiveX is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly + used anymore, but since it gives plugins intimate access rights, and can be dangerous, therefore you should + disable it. - - point: Spoof HTML5 Canvas Sig - priority: Optional - details: >- - Canvas Fingerprinting allows websites to identify and track users very accurately. You can use the - Canvas-Fingerprint-Blocker extension to spoof your fingerprint or - use [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor). 
+ - point: Disable WebRTC + priority: Optional + details: >- + WebRTC allows high-quality audio/video communication and peer-to-peer file-sharing straight from the + browser. However it can pose as a privacy leak. To learn more, check out this guide. - - point: Spoof User Agent - priority: Optional - details: >- - The user agent tells the website what device, browser and version you are using. Switching user agent - periodically is one small step you can take to become less unique. + - point: Spoof HTML5 Canvas Sig + priority: Optional + details: >- + Canvas Fingerprinting allows websites to identify and track users very accurately. You can use the + Canvas-Fingerprint-Blocker extension to spoof your fingerprint or + use [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor). - - point: Disregard DNT - priority: Optional - details: >- - Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since - it is rarely used, it may also add to your signature, making you more unique. + - point: Spoof User Agent + priority: Optional + details: >- + The user agent tells the website what device, browser and version you are using. Switching user agent + periodically is one small step you can take to become less unique. - - point: Prevent HSTS Tracking - priority: Optional - details: >- - HSTS was designed to help secure websites, but privacy concerns have been raised as it allowed site - operators to plant super-cookies. It can be disabled by visiting chrome://net-internals/#hsts in - Chromium-based browsers. + - point: Enable Global Privacy Control (GPC) + priority: Essential + details: >- + The old "Do Not Track" (DNT) standard is dead. Replace it with [Global Privacy Control (GPC)](https://globalprivacycontrol.org/), + which is a legally binding signal under laws like the CCPA/CPRA (California) and GDPR. Browsers like Firefox and Brave support + this natively. 
It signals to websites that you do not want your data sold or shared. - - point: Prevent Automatic Browser Connections - priority: Optional - details: >- - Even when you are not using your browser, it may call home to report on usage activity, analytics and - diagnostics. You may wish to disable some of this, which can be done through the settings. + - point: Prevent HSTS Tracking + priority: Optional + details: >- + HSTS was designed to help secure websites, but privacy concerns have been raised as it allowed site + operators to plant super-cookies. It can be disabled by visiting chrome://net-internals/#hsts in + Chromium-based browsers. - - point: Enable 1st-Party Isolation - priority: Optional - details: >- - [First Party Isolation](https://awesome-privacy.xyz/security-tools/browser-extensions/first-party-isolation) means - that all identifier sources and browser state are scoped using the URL bar - domain, this can greatly reduce tracking. + - point: Prevent Automatic Browser Connections + priority: Optional + details: >- + Even when you are not using your browser, it may call home to report on usage activity, analytics and + diagnostics. You may wish to disable some of this, which can be done through the settings. - - point: Strip Tracking Params from URLs - priority: Advanced - details: >- - Websites often append additional GET parameters to URLs that you click, to identify information like - source/referrer. You can sanitize manually, - or use an extension like [ClearURLs](https://awesome-privacy.xyz/security-tools/browser-extensions/clearurls) to strip tracking data - from URLs automatically. + - point: Enable 1st-Party Isolation + priority: Optional + details: >- + [First Party Isolation](https://awesome-privacy.xyz/security-tools/browser-extensions/first-party-isolation) means + that all identifier sources and browser state are scoped using the URL bar + domain, this can greatly reduce tracking. 
- - point: First Launch Security - priority: Advanced - details: >- - After installing a web browser, the first time you launch it (prior to configuring its privacy settings), - most browsers will call home. Therefore, after installing a browser, you should first disable your internet - connection, then configure privacy options before reenabling your internet connectivity. + - point: Strip Tracking Params from URLs + priority: Advanced + details: >- + Websites often append additional GET parameters to URLs that you click, to identify information like + source/referrer. You can sanitize manually, + or use an extension like [ClearURLs](https://awesome-privacy.xyz/security-tools/browser-extensions/clearurls) to strip tracking data + from URLs automatically. - - point: Use The Tor Browser - priority: Advanced - details: >- - The [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor) Project provides a browser that encrypts and routes your traffic through multiple nodes, keeping - users safe from interception and tracking. The main drawbacks are speed and user experience. + - point: First Launch Security + priority: Advanced + details: >- + After installing a web browser, the first time you launch it (prior to configuring its privacy settings), + most browsers will call home. Therefore, after installing a browser, you should first disable your internet + connection, then configure privacy options before reenabling your internet connectivity. - - point: Disable JavaScript - priority: Advanced - details: >- - Many modern web apps are JavaScript-based, so disabling it will greatly decrease your browsing experience. - But if you really want to go all out, then it will really reduce your attack surface. 
+ - point: Use The Tor Browser + priority: Advanced + details: >- + The [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor) Project provides a browser that encrypts and routes your traffic through multiple nodes, keeping + users safe from interception and tracking. The main drawbacks are speed and user experience. + + - point: Disable JavaScript + priority: Advanced + details: >- + Many modern web apps are JavaScript-based, so disabling it will greatly decrease your browsing experience. + But if you really want to go all out, then it will really reduce your attack surface. softwareLinks: - title: Privacy Browsers url: https://github.com/Lissy93/awesome-privacy#browsers - title: Search Engines - utl: https://github.com/Lissy93/awesome-privacy#search-engines + url: https://github.com/Lissy93/awesome-privacy#search-engines - title: Browser Extensions url: https://github.com/Lissy93/awesome-privacy#browser-extensions - title: Browser & Bookmark Sync @@ -548,13 +580,13 @@ description: Protecting the gateway to your online accounts icon: email intro: >- - Nearly 50 years since the first email was sent, it's still very much a big part + With 2025's expansion of U.S. state privacy laws (e.g., Delaware, Nebraska effective Jan 1), email remains a high-risk vector for data sales and profiling. Nearly 50 years since the first email was sent, it's still very much a big part of our day-to-day life, and will continue to be for the near future. So considering how much trust we put in them, it's surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk. - + If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised (through password resets), therefore email security 
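Review bot: In the rewritten "Use DNS-over-HTTPS" entry of the browser hunk, the added sentence "For enhanced privacy, consider DNS-over-TLS (DoT)." gets the comparison backwards and should be dropped or reworded: DoT encrypts the same client-to-resolver hop as DoH, but it runs on a dedicated port (853), so a network observer can identify and block it more easily than DoH, which is indistinguishable from ordinary HTTPS; at most say DoT is an alternative with equivalent privacy, not an upgrade. Further points in the same hunk: the new "Check for HTTPS" text drops the original caveat that a padlock proves only an encrypted connection, not that the site is legitimate, which is the part of the entry that counters phishing and should stay; "Enable Global Privacy Control (GPC)" calls the signal "legally binding ... under ... GDPR", but GPC has regulatory recognition under US state laws such as CCPA/CPRA and a few other states, not under GDPR, so cite a source or limit the claim to the US laws; "Block AI-Driven Trackers" is marked Essential yet cites nothing for "GenAI trackers", and its concrete advice ("custom filters for AI endpoints (e.g., OpenAI APIs)") does not describe a tracking vector, so source it and make it specific or remove it, and the one-line "Secure AI Browser Agents" entry needs at least a link explaining what "sandboxed sessions" means in practice; the new "Manage Cookies" entry already covers restricting third-party cookies, so the retained "Block Third-Party Cookies" entry (still carrying the link-less "This guide explains ... you can check here") is now redundant and should be merged or given its links; and the retained heading `- point: Multi-[Session](https://awesome-privacy.xyz/communication/encrypted-messaging/session) Containers` links the word "Session" to the Session messenger page, an unrelated auto-link that should be plain text. The `utl:` to `url:` fix under softwareLinks is correct.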
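Review bot: The sentence prepended to the email intro, "With 2025's expansion of U.S. state privacy laws (e.g., Delaware, Nebraska effective Jan 1), email remains a high-risk vector for data sales and profiling.", is a non sequitur: new privacy statutes taking effect are not a reason email is high-risk, the clause cites nothing, and "Jan 1" is missing its year. Either drop it or rewrite it as a plain, cited statement of the risk (an email address is the key data brokers use to join profiles), matching the existing "is on the up" sentence, which carries a link.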
@@ -570,145 +602,154 @@ to Yahoo and AOL users messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.” checklist: - - point: Have more than one email address - priority: Essential - details: >- - Consider using a different email address for security-critical communications from trivial mail such - as newsletters. This compartmentalization could reduce the amount of damage caused by a data breach, - and also make it easier to recover a compromised account. + - point: Have more than one email address + priority: Essential + details: >- + Consider using a different email address for security-critical communications from trivial mail such + as newsletters. This compartmentalization could reduce the amount of damage caused by a data breach, + and also make it easier to recover a compromised account. - - point: Keep Email Address Private - priority: Essential - details: >- - Do not share your primary email publicly, as mail addresses are often the starting point for most - phishing attacks. + - point: Keep Email Address Private + priority: Essential + details: >- + Do not share your primary email publicly, as mail addresses are often the starting point for most + phishing attacks. - - point: Keep your Account Secure - priority: Essential - details: >- - Use a long and unique password, enable 2FA and be careful while logging in. Your email account - provides an easy entry point to all your other online accounts for an attacker. + - point: Keep your Account Secure + priority: Essential + details: >- + Use a long and unique password, enable 2FA and be careful while logging in. Your email account + provides an easy entry point to all your other online accounts for an attacker. - - point: Disable Automatic Loading of Remote Content - priority: Essential - details: >- - Email messages can contain remote content such as images or stylesheets, often automatically loaded - from the server. 
You should disable this, as it exposes your IP address and device information, and - is often used for tracking. For more info, see [this article](https://www.theverge.com/2019/7/3/20680903/email-pixel-trackers-how-to-stop-images-automatic-download). + - point: Disable Automatic Loading of Remote Content + priority: Essential + details: >- + Email messages can contain remote content such as images or stylesheets, often automatically loaded + from the server. You should disable this, as it exposes your IP address and device information, and + is often used for tracking. For more info, see [this article](https://www.theverge.com/2019/7/3/20680903/email-pixel-trackers-how-to-stop-images-automatic-download). - - point: Use Plaintext - priority: Optional - details: >- - There are two main types of emails on the internet: plaintext and HTML. The former is strongly preferred - for privacy & security as HTML messages often include identifiers in links and inline images, which can - collect usage and personal data. There's also numerous risks of remote code execution targeting the HTML - parser of your mail client, which cannot be exploited if you are using plaintext. For more info, as well - as setup instructions for your mail provider, see [UsePlaintext.email](https://useplaintext.email/). + - point: Use Plaintext + priority: Optional + details: >- + There are two main types of emails on the internet: plaintext and HTML. The former is strongly preferred + for privacy & security as HTML messages often include identifiers in links and inline images, which can + collect usage and personal data. There's also numerous risks of remote code execution targeting the HTML + parser of your mail client, which cannot be exploited if you are using plaintext. For more info, as well + as setup instructions for your mail provider, see [UsePlaintext.email](https://useplaintext.email/). 
- - point: Don’t connect third-party apps to your email account - priority: Optional - details: >- - If you give a third-party app or plug-in full access to your inbox, they effectively have full unhindered - access to all your emails and their contents, which poses significant security and privacy risks. + - point: Don't connect third-party apps to your email account + priority: Optional + details: >- + If you give a third-party app or plug-in full access to your inbox, they effectively have full unhindered + access to all your emails and their contents, which poses significant security and privacy risks. This includes "smart inbox" and + marketing-automation apps on mobile that connect via IMAP or OAuth; assume they can read, copy, and profile everything you receive and send. - - point: Don't Share Sensitive Data via Email - priority: Optional - details: >- - Emails are very easily intercepted. Furthermore, you can’t be sure of how secure your recipient's - environment is. Therefore, emails cannot be considered safe for exchanging confidential information, - unless it is encrypted. + - point: Don't Share Sensitive Data via Email + priority: Optional + details: >- + Emails are very easily intercepted. Furthermore, you can’t be sure of how secure your recipient's + environment is. Therefore, emails cannot be considered safe for exchanging confidential information, + unless it is encrypted. - - point: Consider Switching to a Secure Mail Provider - priority: Optional - details: >- - Secure and reputable email providers such as [Forward Email](https://awesome-privacy.xyz/communication/encrypted-email/forward-email), - [ProtonMail](https://awesome-privacy.xyz/communication/mail-forwarding/protonmail), - and [Tutanota](https://awesome-privacy.xyz/communication/encrypted-email/tuta) allow for end-to-end - encryption, full privacy as well as more security-focused features. 
Unlike typical email providers, your - mailbox cannot be read by anyone but you, since all messages are encrypted. + - point: Consider Switching to a Secure Mail Provider + priority: Optional + details: >- + Secure and reputable email providers such as [Forward Email](https://awesome-privacy.xyz/communication/encrypted-email/forward-email), + [ProtonMail](https://awesome-privacy.xyz/communication/mail-forwarding/protonmail), + and [Tuta](https://tuta.com) (formerly Tutanota) allow for end-to-end + encryption, full privacy as well as more security-focused features. Unlike typical email providers, your + mailbox cannot be read by anyone but you, since all messages are encrypted. - - point: Use Smart Key - priority: Advanced - details: >- - OpenPGP does not support Forward secrecy, which means if either your or the recipient's private key is - ever stolen, all previous messages encrypted with it will be exposed. Therefore, you should take great - care to keep your private keys safe. One method of doing so, is to use a USB Smart Key to sign or decrypt - messages, allowing you to do so without your private key leaving the USB device. + - point: Use Smart Key + priority: Advanced + details: >- + OpenPGP does not support Forward secrecy, which means if either your or the recipient's private key is + ever stolen, all previous messages encrypted with it will be exposed. Therefore, you should take great + care to keep your private keys safe. One method of doing so, is to use a USB Smart Key to sign or decrypt + messages, allowing you to do so without your private key leaving the USB device. - - point: Use Aliasing / Anonymous Forwarding - priority: Advanced - details: >- - Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. - Effectively allowing you to use a different, unique email address for each service you sign up for. 
This means - if you start receiving spam, you can block that alias and determine which company leaked your email address. + - point: Use Aliasing / Anonymous Forwarding + priority: Advanced + details: >- + Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. + Services like [SimpleLogin](https://simplelogin.io), [Addy.io](https://addy.io), or Apple's "Hide My Email" allow you to use a + different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that + specific alias and determine exactly which company leaked your email address. - - point: Subaddressing - priority: Optional - details: >- - An alternative to aliasing is subaddressing, where anything after the `+` symbol is omitted during mail delivery. - This enables you to keep track of who shared/ leaked your email address, but unlike aliasing, it will not protect - against your real address being revealed. + - point: Subaddressing + priority: Optional + details: >- + An alternative to aliasing is subaddressing, where anything after the `+` symbol is omitted during mail delivery. + This enables you to keep track of who shared/ leaked your email address, but unlike aliasing, it will not protect + against your real address being revealed. - - point: Use a Custom Domain - priority: Advanced - details: >- - Using a custom domain means that you are not dependent on the address assigned by your mail provider. So you can - easily switch providers in the future and do not need to worry about a service being discontinued. + - point: Use a Custom Domain + priority: Advanced + details: >- + Using a custom domain means that you are not dependent on the address assigned by your mail provider. So you can + easily switch providers in the future and do not need to worry about a service being discontinued. 
- - point: Sync with a client for backup - priority: Advanced - details: >- - To avoid losing temporary or permanent access to your emails during an unplanned event (such as an outage or - account lock), Thunderbird can sync/ backup messages from multiple accounts via IMAP and store locally on your - primary device. + - point: Sync with a client for backup + priority: Advanced + details: >- + To avoid losing temporary or permanent access to your emails during an unplanned event (such as an outage or + account lock), Thunderbird can sync/ backup messages from multiple accounts via IMAP and store locally on your + primary device. - - point: Be Careful with Mail Signatures - priority: Advanced - details: >- - You do not know how secure of an email environment the recipient of your message may have. There are several - extensions that automatically crawl messages, and create a detailed database of contact information based upon - email signatures. + - point: Be Careful with Mail Signatures + priority: Advanced + details: >- + You do not know how secure of an email environment the recipient of your message may have. There are several + extensions that automatically crawl messages, and create a detailed database of contact information based upon + email signatures. - - point: Be Careful with Auto-Replies - priority: Advanced - details: >- - Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all - too often people reveal too much information- which can be used in social engineering and targeted attacks. + - point: Be Careful with Auto-Replies + priority: Advanced + details: >- + Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all + too often people reveal too much information- which can be used in social engineering and targeted attacks. 
- - point: Choose the Right Mail Protocol - priority: Advanced - details: >- - Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security. + - point: Choose the Right Mail Protocol + priority: Advanced + details: >- + Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security. - - point: Self-Hosting - priority: Advanced - details: >- - Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is - critical yet requires strong networking knowledge. + - point: Self-Hosting + priority: Advanced + details: >- + Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is + critical yet requires strong networking knowledge. - - point: Always use TLS Ports - priority: Advanced - details: >- - There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely - supported so should always be used instead of plaintext email ports. + - point: Always use TLS Ports + priority: Advanced + details: >- + There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely + supported so should always be used instead of plaintext email ports. - - point: DNS Availability - priority: Advanced - details: >- - For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with - secondary and tertiary MX records for redundancy when the primary MX record fails. + - point: DNS Availability + priority: Advanced + details: >- + For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with + secondary and tertiary MX records for redundancy when the primary MX record fails. 
- - point: Prevent DDoS and Brute Force Attacks - priority: Advanced - details: >- - For self-hosted mail servers (specifically SMTP), limit your total number of simultaneous connections, and maximum - connection rate to reduce the impact of attempted bot attacks. + - point: Prevent DDoS and Brute Force Attacks + priority: Advanced + details: >- + For self-hosted mail servers (specifically SMTP), limit your total number of simultaneous connections, and maximum + connection rate to reduce the impact of attempted bot attacks. - - point: Maintain IP Blacklist - priority: Advanced - details: >- - For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date - local IP blacklist and a spam URI realtime block lists to filter out malicious hyperlinks. + - point: Maintain IP Blacklist + priority: Advanced + details: >- + For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date + local IP blacklist and a spam URI realtime block lists to filter out malicious hyperlinks. + + - point: Control AI and Auto-Summarization Features + priority: Optional + details: >- + New email clients and add-ins offer AI-based summarization, drafting, and “smart reply” features. Before enabling them, check where your + message content is processed and stored. Prefer on-device or self-hosted models for sensitive mail and disable AI features that require sending + full message bodies to third-party clouds. color: teal softwareLinks: - title: Secure Email Providers 
@@ -724,125 +765,133 @@ slug: messaging description: Keeping your communications private and secure icon: messaging - intro: '' + intro: "" checklist: - - point: Only Use Fully End-to-End Encrypted Messengers - priority: Essential - details: >- - End-to-end encryption is a system of communication where messages are encrypted on your device and - not decrypted until they reach the intended recipient. This ensures that any actor who intercepts - traffic cannot read the message contents, nor can anybody with access to the central servers where - data is stored. + - point: Only Use Fully End-to-End Encrypted Messengers + priority: Essential + details: >- + End-to-end encryption is a system of communication where messages are encrypted on your device and + not decrypted until they reach the intended recipient. This ensures that any actor who intercepts + traffic cannot read the message contents, nor can anybody with access to the central servers where + data is stored. - - point: Use only Open Source Messaging Platforms - priority: Essential - details: >- - If code is open source then it can be independently examined and audited by anyone qualified to do - so, to ensure that there are no backdoors, vulnerabilities, or other security issues. + - point: Use only Open Source Messaging Platforms + priority: Essential + details: >- + If code is open source then it can be independently examined and audited by anyone qualified to do + so, to ensure that there are no backdoors, vulnerabilities, or other security issues. - - point: Use a "Trustworthy" Messaging Platform - priority: Essential - details: >- - When selecting an encrypted messaging app, ensure it's fully open source, stable, actively maintained, - and ideally backed by reputable developers. 
+ - point: Use a "Trustworthy" Messaging Platform + priority: Essential + details: >- + When selecting an encrypted messaging app, ensure it's fully open source, stable, actively maintained, + and ideally backed by reputable developers. - - point: Check Security Settings - priority: Essential - details: >- - Enable security settings, including contact verification, security notifications, and encryption. - Disable optional non-security features such as read receipt, last online, and typing notification. + - point: Check Security Settings + priority: Essential + details: >- + Enable security settings, including contact verification, security notifications, and encryption. + Disable optional non-security features such as read receipt, last online, and typing notification. - - point: Ensure your Recipients Environment is Secure - priority: Essential - details: >- - Your conversation can only be as secure as the weakest link. Often the easiest way to infiltrate a - communications channel is to target the individual or node with the least protection. + - point: Ensure your Recipients Environment is Secure + priority: Essential + details: >- + Your conversation can only be as secure as the weakest link. Often the easiest way to infiltrate a + communications channel is to target the individual or node with the least protection. - - point: Disable Cloud Services - priority: Essential - details: >- - Some mobile messaging apps offer a web or desktop companion. This not only increases attack surface but - it has been linked to several critical security issues, and should therefore be avoided, if possible. + - point: Disable Cloud Services + priority: Essential + details: >- + Some mobile messaging apps offer a web or desktop companion and cloud backup. These increase attack surface and often store messages or metadata + in a way that is no longer end-to-end encrypted. 
Where possible, disable chat backups to generic cloud storage, and treat web/desktop bridges as + temporary sessions you sign out of when done. - - point: Secure Group Chats - priority: Essential - details: >- - The risk of compromise rises exponentially, the more participants are in a group, as the attack surface - increases. Periodically check that all participants are legitimate. + - point: Secure Group Chats + priority: Essential + details: >- + The risk of compromise rises exponentially, the more participants are in a group, as the attack surface + increases. Periodically check that all participants are legitimate. - - point: Create a Safe Environment for Communication - priority: Essential - details: >- - There are several stages where your digital communications could be monitored or intercepted. This includes: - your or your participants' device, your ISP, national gateway or government logging, the messaging provider, - the servers. + - point: Create a Safe Environment for Communication + priority: Essential + details: >- + There are several stages where your digital communications could be monitored or intercepted. This includes: + your or your participants' device, your ISP, national gateway or government logging, the messaging provider, + the servers. - - point: Agree on a Communication Plan - priority: Optional - details: >- - In certain situations, it may be worth making a communication plan. This should include primary and backup - methods of securely getting in hold with each other. + - point: Agree on a Communication Plan + priority: Optional + details: >- + In certain situations, it may be worth making a communication plan. This should include primary and backup + methods of securely getting in hold with each other. - - point: Strip Meta-Data from Media - priority: Optional - details: >- - Metadata is "Data about Data" or additional information attached to a file or transaction. 
When you send a - photo, audio recording, video, or document you may be revealing more than you intended to. + - point: Strip Meta-Data from Media + priority: Optional + details: >- + Metadata is "Data about Data" or additional information attached to a file or transaction. When you send a + photo, audio recording, video, or document you may be revealing more than you intended to. - - point: Defang URLs - priority: Optional - details: >- - Sending links via various services can unintentionally expose your personal information. This is because, - when a thumbnail or preview is generated- it happens on the client-side. + - point: Defang URLs + priority: Optional + details: >- + Sending links via various services can unintentionally expose your personal information. This is because, + when a thumbnail or preview is generated- it happens on the client-side. - - point: Verify your Recipient - priority: Optional - details: >- - Always ensure you are talking to the intended recipient, and that they have not been compromised. One method - for doing so is to use an app which supports contact verification. + - point: Control Link Previews and AI Features + priority: Optional + details: >- + Many messengers fetch link previews or run AI features on their own servers, which can expose the URLs you share and sometimes the content + of linked pages or messages. Disable link previews in sensitive chats and turn off cloud-based AI summarization or translation for conversations + that contain confidential information. - - point: Enable Ephemeral Messages - priority: Optional - details: >- - Self-destructing messages is a feature that causes your messages to automatically delete after a set amount - of time. This means that if your device is lost, stolen, or seized, an adversary will only have access to the - most recent communications. 
+ - point: Verify your Recipient + priority: Optional + details: >- + Always ensure you are talking to the intended recipient, and that they have not been compromised. One method + for doing so is to use an app which supports contact verification. - - point: Avoid SMS - priority: Optional - details: >- - SMS may be convenient, but it's not secure. It is susceptible to threats such as interception, sim swapping, - manipulation, and malware. + - point: Enable Ephemeral Messages + priority: Optional + details: >- + Self-destructing messages is a feature that causes your messages to automatically delete after a set amount + of time. This means that if your device is lost, stolen, or seized, an adversary will only have access to the + most recent communications. - - point: Watch out for Trackers - priority: Optional - details: >- - Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very - invasive, and can sometimes reveal your identity as well as personal information that you would otherwise not - intend to share. + - point: Avoid SMS + priority: Optional + details: >- + SMS may be convenient, but it's not secure. It is susceptible to threats such as interception, sim swapping, + manipulation, and malware. - - point: Consider Jurisdiction - priority: Advanced - details: >- - The jurisdictions where the organisation is based, and data is hosted should also be taken into account. + - point: Watch out for Trackers + priority: Optional + details: >- + Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very + invasive, and can sometimes reveal your identity as well as personal information that you would otherwise not + intend to share. 
- - point: Use an Anonymous Platform - priority: Advanced - details: >- - If you believe you may be targeted, you should opt for an anonymous messaging platform that does not require - a phone number, or any other personally identifiable information to sign up or use. + - point: Consider Jurisdiction + priority: Advanced + details: >- + The jurisdictions where the organisation is based, and data is hosted should also be taken into account. - - point: Ensure Forward Secrecy is Supported - priority: Advanced - details: >- - Opt for a platform that implements forward secrecy. This is where your app generates a new encryption key - for every message. + - point: Use an Anonymous Platform + priority: Advanced + details: >- + If you believe you may be targeted, you should opt for an anonymous messaging platform that does not require + a phone number, or any other personally identifiable information to sign up or use. - - point: Consider a Decentralized Platform - priority: Advanced - details: >- - If all data flows through a central provider, you have to trust them with your data and meta-data. You cannot - verify that the system running is authentic without back doors. + - point: Ensure Forward Secrecy is Supported + priority: Advanced + details: >- + Opt for a platform that implements forward secrecy. This is where your app generates a new encryption key + for every message. + + - point: Consider a Decentralized Platform + priority: Advanced + details: >- + If all data flows through a central provider, you have to trust them with your data and meta-data. You cannot + verify that the system running is authentic without back doors. softwareLinks: - title: Secure Messaging Apps url: https://github.com/Lissy93/awesome-privacy#encrypted-messaging 
@@ -868,97 +917,104 @@ after doing so, all data intentionally and non-intentionally uploaded is effectively public. If possible, avoid using conventional social media networks. checklist: - - point: Secure your Account - priority: Essential - details: >- - Social media profiles get stolen or taken over all too often. To protect your account: use a unique - and strong password, and enable 2-factor authentication. + - point: Secure your Account + priority: Essential + details: >- + Social media profiles get stolen or taken over all too often. To protect your account: use a unique + and strong password, and enable 2-factor authentication. - - point: Check Privacy Settings - priority: Essential - details: >- - Most social networks allow you to control your privacy settings. Ensure that you are comfortable with - what data you are currently exposing and to whom. + - point: Check Privacy Settings + priority: Essential + details: >- + Most social networks allow you to control your privacy settings. Ensure that you are comfortable with + what data you are currently exposing and to whom. - - point: Think of All Interactions as Public - priority: Essential - details: >- - There are still numerous methods of viewing a users 'private' content across many social networks. - Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?" + - point: Think of All Interactions as Public + priority: Essential + details: >- + There are still numerous methods of viewing a users 'private' content across many social networks. + Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?" - - point: Think of All Interactions as Permanent - priority: Essential - details: >- - Pretty much every post, comment, photo etc is being continuously backed up by a myriad of third-party - services, who archive this data and make it indexable and publicly available almost forever. 
+ - point: Think of All Interactions as Permanent + priority: Essential + details: >- + Pretty much every post, comment, photo etc is being continuously backed up by a myriad of third-party + services, who archive this data and make it indexable and publicly available almost forever. - - point: Don't Reveal too Much - priority: Essential - details: >- - Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize - phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc). + - point: Don't Reveal too Much + priority: Essential + details: >- + Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize + phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc). - - point: Be Careful what you Upload - priority: Essential - details: >- - Status updates, comments, check-ins and media can unintentionally reveal a lot more than you intended - them to. This is especially relevant to photos and videos, which may show things in the background. + - point: Be Careful what you Upload + priority: Essential + details: >- + Status updates, comments, check-ins and media can unintentionally reveal a lot more than you intended + them to. This is especially relevant to photos and videos, which may show things in the background. - - point: Don't Share Email or Phone Number - priority: Essential - details: >- - Posting your real email address or mobile number, gives hackers, trolls and spammers more munition to - use against you, and can also allow separate aliases, profiles or data points to be connected. + - point: Don't Share Email or Phone Number + priority: Essential + details: >- + Posting your real email address or mobile number, gives hackers, trolls and spammers more munition to + use against you, and can also allow separate aliases, profiles or data points to be connected. 
- - point: Don't Grant Unnecessary Permissions - priority: Essential - details: >- - By default many of the popular social networking apps will ask for permission to access your contacts, - call log, location, messaging history etc. If they don’t need this access, don’t grant it. + - point: Don't Grant Unnecessary Permissions + priority: Essential + details: >- + By default many of the popular social networking apps will ask for permission to access your contacts, + call log, location, messaging history etc. If they don't need this access, don't grant it. Use your phone's permission manager to periodically + review which social apps can see your address book, photos and location and revoke anything non-essential. - - point: Be Careful of 3rd-Party Integrations - priority: Essential - details: >- - Avoid signing up for accounts using a Social Network login, revoke access to social apps you no longer - use. + - point: Be Careful of 3rd-Party Integrations + priority: Essential + details: >- + Avoid signing up for accounts using a Social Network login, revoke access to social apps you no longer + use. - - point: Avoid Publishing Geo Data while still Onsite - priority: Essential - details: >- - If you plan to share any content that reveals a location, then wait until you have left that place. - This is particularly important when you are taking a trip, at a restaurant, campus, hotel/resort, public - building or airport. + - point: Prefer the Browser to Social Apps + priority: Optional + details: >- + When possible, access social networks via a hardened browser instead of their native apps. Browser tabs are easier to containerize and block with + extensions, while social apps often run persistently, collect more telemetry, and may sync contacts or activity in the background. 
- - point: Remove metadata before uploading media - priority: Optional - details: >- - Most smartphones and some cameras automatically attach a comprehensive set of additional data (called - EXIF data) to each photograph. Remove this data before uploading. + - point: Avoid Publishing Geo Data while still Onsite + priority: Essential + details: >- + If you plan to share any content that reveals a location, then wait until you have left that place. + This is particularly important when you are taking a trip, at a restaurant, campus, hotel/resort, public + building or airport. - - point: Implement Image Cloaking - priority: Advanced - details: >- - Tools like Fawkes can be used to very subtly, slightly change the structure of faces within photos in a - way that is imperceptible by humans, but will prevent facial recognition systems from being able to recognize - a given face. + - point: Remove metadata before uploading media + priority: Optional + details: >- + Most smartphones and some cameras automatically attach a comprehensive set of additional data (called + EXIF data) to each photograph. Remove this data before uploading. - - point: Consider Spoofing GPS in home vicinity - priority: Advanced - details: >- - Even if you yourself never use social media, there is always going to be others who are not as careful, - and could reveal your location. + - point: Implement Image Cloaking + priority: Advanced + details: >- + Tools like Fawkes can be used to very subtly, slightly change the structure of faces within photos in a + way that is imperceptible by humans, but will prevent facial recognition systems from being able to recognize + a given face. - - point: Consider False Information - priority: Advanced - details: >- - If you just want to read, and do not intend on posting too much- consider using an alias name, and false - contact details. 
+ - point: Consider Spoofing GPS in home vicinity + priority: Advanced + details: >- + Even if you yourself never use social media, there is always going to be others who are not as careful, + and could reveal your location. - - point: Don’t have any social media accounts - priority: Advanced - details: >- - Social media is fundamentally un-private, so for maximum online security and privacy, avoid using any - mainstream social networks. + - point: Consider False Information + priority: Advanced + details: >- + If you just want to read, and do not intend on posting too much- consider using an alias name, and false + contact details. + + - point: Don’t have any social media accounts + priority: Advanced + details: >- + Social media is fundamentally un-private, so for maximum online security and privacy, avoid using any + mainstream social networks. softwareLinks: - title: Alternative Social Media 
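Review bot: The new "Prefer the Browser to Social Apps" point in this hunk says the same thing as the "Favor the Browser over Dedicated Apps" point added further down in the Mobile Devices hunk, but with a different priority (Optional here, Essential there); keep one canonical item and cross-reference it from the other so readers do not get contradictory priorities for the same advice. The hunk also re-indents every checklist item by two spaces, which turns a small content change (one added sentence about the permission manager, one new point) into a diff that touches every line; a whitespace-only reformat belongs in its own commit so the real edits can be reviewed on their own. Minor: the edited line "If they don't need this access, don't grant it." now uses an ASCII apostrophe while the untouched "Don’t have any social media accounts" keeps the curly one; pick one style for the file.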
@@ -975,176 +1031,187 @@ slug: networks description: Safeguarding your network traffic icon: network - intro: > - This section covers how you connect your devices to the internet securely, + intro: >- + In 2025, 5G and quantum threats expand attack surfaces; secure routing is essential against interception. This section covers how you connect your devices to the internet securely, including configuring your router and setting up a VPN. checklist: - - point: Use a VPN - priority: Essential - details: >- - Use a reputable, paid-for VPN. This can help protect sites you visit from logging your real IP, reduce - the amount of data your ISP can collect, and increase protection on public WiFi. + - point: Use a VPN + priority: Essential + details: >- + Use a reputable, paid-for VPN. This can help protect sites you visit from logging your real IP, reduce + the amount of data your ISP can collect, and increase protection on public WiFi. - - point: Change your Router Password - priority: Essential - details: >- - After getting a new router, change the password. Default router passwords are publicly available, - meaning anyone within proximity would be able to connect. + - point: Change your Router Password + priority: Essential + details: >- + After getting a new router, change the password. Default router passwords are publicly available, + meaning anyone within proximity would be able to connect. - - point: Use WPA2, and a strong password - priority: Essential - details: >- - There are different authentication protocols for connecting to WiFi. Currently, the most secure options - are WPA2 and WPA3 (on newer routers). + - point: Use WPA2, and a strong password + priority: Essential + details: >- + There are different authentication protocols for connecting to WiFi. Currently, the most secure options + are WPA2 and WPA3 (on newer routers). 
- - point: Keep router firmware up-to-date - priority: Essential - details: >- - Manufacturers release firmware updates that fix security vulnerabilities, implement new standards, and - sometimes add features or improve the performance of your router. + - point: Keep router firmware up-to-date + priority: Essential + details: >- + Manufacturers release firmware updates that fix security vulnerabilities, implement new standards, and + sometimes add features or improve the performance of your router. - - point: Implement a Network-Wide VPN - priority: Optional - details: >- - If you configure your VPN on your router, firewall, or home server, then traffic from all devices will - be encrypted and routed through it, without needing individual VPN apps. + - point: Implement a Network-Wide VPN + priority: Optional + details: >- + If you configure your VPN on your router, firewall, or home server, then traffic from all devices will + be encrypted and routed through it, without needing individual VPN apps. - - point: Protect against DNS leaks - priority: Optional - details: >- - When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider or - secure service. + - point: Protect against DNS leaks + priority: Optional + details: >- + When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider or + secure service. - - point: Use a secure VPN Protocol - priority: Optional - details: >- - OpenVPN and WireGuard are open source, lightweight, and secure tunneling protocols. Avoid using PPTP - or SSTP. + - point: Use a secure VPN Protocol + priority: Optional + details: >- + OpenVPN and WireGuard are open source, lightweight, and secure tunneling protocols. Avoid using PPTP + or SSTP. - - point: Secure DNS - priority: Optional - details: >- - Use DNS-over-HTTPS which performs DNS resolution via the HTTPS protocol, encrypting data between you - and your DNS resolver. 
+ - point: Secure DNS + priority: Optional + details: >- + Use DNS-over-HTTPS which performs DNS resolution via the HTTPS protocol, encrypting data between you + and your DNS resolver. For quantum resistance, evaluate post-quantum DNS options emerging in 2025. + - point: Prepare for Quantum Threats + priority: Advanced + details: >- + Quantum computing risks breaking current encryption; migrate to quantum-resistant VPN protocols (e.g., Kyber-based) where available. + Monitor NIST standards for personal implementation. - - point: Avoid the free router from your ISP - priority: Optional - details: >- - Typically they’re manufactured cheaply in bulk in China, with insecure propriety firmware that doesn't - receive regular security updates. + - point: Avoid the free router from your ISP + priority: Optional + details: >- + Typically they’re manufactured cheaply in bulk in China, with insecure propriety firmware that doesn't + receive regular security updates. - - point: Whitelist MAC Addresses - priority: Optional - details: >- - You can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately - connect to your network, even if they know your credentials. + - point: Whitelist MAC Addresses + priority: Optional + details: >- + You can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately + connect to your network, even if they know your credentials. - - point: Change the Router’s Local IP Address - priority: Optional - details: >- - It is possible for a malicious script in your web browser to exploit a cross-site scripting vulnerability, - accessing known-vulnerable routers at their local IP address and tampering with them. 
+ - point: Change the Router’s Local IP Address + priority: Optional + details: >- + It is possible for a malicious script in your web browser to exploit a cross-site scripting vulnerability, + accessing known-vulnerable routers at their local IP address and tampering with them. - - point: Don't Reveal Personal Info in SSID - priority: Optional - details: >- - You should update your network name, choosing an SSID that does not identify you, include your flat - number/address, and does not specify the device brand/model. + - point: Don't Reveal Personal Info in SSID + priority: Optional + details: >- + You should update your network name, choosing an SSID that does not identify you, include your flat + number/address, and does not specify the device brand/model. - - point: Opt-Out Router Listings - priority: Optional - details: >- - WiFi SSIDs are scanned, logged, and then published on various websites, which is a serious privacy - concern for some. + - point: Opt-Out Router Listings + priority: Optional + details: >- + WiFi SSIDs are scanned, logged, and then published on various websites, which is a serious privacy + concern for some. - - point: Hide your SSID - priority: Optional - details: >- - Your router's Service Set Identifier is simply the network name. If it is not visible, it may receive - less abuse. + - point: Hide your SSID + priority: Optional + details: >- + Your router's Service Set Identifier is simply the network name. If it is not visible, it may receive + less abuse. - - point: Disable WPS - priority: Optional - details: >- - Wi-Fi Protected Setup provides an easier method to connect, without entering a long WiFi password, but - WPS introduces a series of major security issues. + - point: Disable WPS + priority: Optional + details: >- + Wi-Fi Protected Setup provides an easier method to connect, without entering a long WiFi password, but + WPS introduces a series of major security issues. 
- - point: Disable UPnP - priority: Optional - details: >- - Universal Plug and Play allows applications to automatically forward a port on your router, but it has - a long history of serious security issues. + - point: Disable UPnP + priority: Optional + details: >- + Universal Plug and Play allows applications to automatically forward a port on your router, but it has + a long history of serious security issues. - - point: Use a Guest Network for Guests - priority: Optional - details: >- - Do not grant access to your primary WiFi network to visitors, as it enables them to interact with other - devices on the network. + - point: Use a Guest Network for Guests + priority: Optional + details: >- + Do not grant access to your primary WiFi network to visitors, as it enables them to interact with other + devices on the network. - - point: Change your Router's Default IP - priority: Optional - details: >- - Modifying your router admin panel's default IP address will make it more difficult for malicious scripts - targeting local IP addresses. + - point: Change your Router's Default IP + priority: Optional + details: >- + Modifying your router admin panel's default IP address will make it more difficult for malicious scripts + targeting local IP addresses. - - point: Kill unused processes and services on your router - priority: Optional - details: >- - Services like Telnet and SSH that provide command-line access to devices should never be exposed to the - internet and should also be disabled on the local network unless they're actually needed. - - point: Don't have Open Ports - priority: Optional - details: >- - Close any open ports on your router that are not needed. Open ports provide an easy entrance for hackers. + - point: Secure 5G Connections + priority: Advanced + details: >- + 5G expands attack surfaces; enable eSIM isolation and monitor for IMSI catchers on mobile hotspots. 
- - point: Disable Unused Remote Access Protocols - priority: Optional - details: >- - When protocols such as PING, Telnet, SSH, UPnP, and HNAP etc are enabled, they allow your router to be - probed from anywhere in the world. + - point: Kill unused processes and services on your router + priority: Optional + details: >- + Services like Telnet and SSH that provide command-line access to devices should never be exposed to the + internet and should also be disabled on the local network unless they're actually needed. - - point: Disable Cloud-Based Management - priority: Optional - details: >- - You should treat your router's admin panel with the utmost care, as considerable damage can be caused - if an attacker is able to gain access. + - point: Don't have Open Ports + priority: Optional + details: >- + Close any open ports on your router that are not needed. Open ports provide an easy entrance for hackers. - - point: Manage Range Correctly - priority: Optional - details: >- - It's common to want to pump your router's range to the max, but if you reside in a smaller flat, your - attack surface is increased when your WiFi network can be picked up across the street. + - point: Disable Unused Remote Access Protocols + priority: Optional + details: >- + When protocols such as PING, Telnet, SSH, UPnP, and HNAP etc are enabled, they allow your router to be + probed from anywhere in the world. - - point: Route all traffic through [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor) - priority: Advanced - details: >- - VPNs have their weaknesses. For increased security, route all your internet traffic through the [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor) - network. + - point: Disable Cloud-Based Management + priority: Optional + details: >- + You should treat your router's admin panel with the utmost care, as considerable damage can be caused + if an attacker is able to gain access. 
- - point: Disable WiFi on all Devices - priority: Advanced - details: >- - Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi and - connect each device via Ethernet. + - point: Manage Range Correctly + priority: Optional + details: >- + It's common to want to pump your router's range to the max, but if you reside in a smaller flat, your + attack surface is increased when your WiFi network can be picked up across the street. + + - point: Route all traffic through [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor) + priority: Advanced + details: >- + VPNs have their weaknesses. For increased security, route all your internet traffic through the [Tor](https://awesome-privacy.xyz/networking/mix-networks/tor) + network. + + - point: Disable WiFi on all Devices + priority: Advanced + details: >- + Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi and + connect each device via Ethernet. color: violet softwareLinks: - - title: Virtual Private Networks - url: https://github.com/Lissy93/awesome-privacy#virtual-private-networks - - title: Mix Networks - url: https://github.com/Lissy93/awesome-privacy#mix-networks - - title: Router Firmware - url: https://github.com/Lissy93/awesome-privacy#router-firmware - - title: Open Source Proxies - url: https://github.com/Lissy93/awesome-privacy#proxies - - title: DNS Providers - url: https://github.com/Lissy93/awesome-privacy#dns - - title: Firewalls - url: https://github.com/Lissy93/awesome-privacy#firewalls - - title: Network Analysis Tools - url: https://github.com/Lissy93/awesome-privacy#network-analysis - - title: Self-Hosted Network Security Tools - url: https://github.com/Lissy93/awesome-privacy#self-hosted-network-security + - title: Virtual Private Networks + url: https://github.com/Lissy93/awesome-privacy#virtual-private-networks + - title: Mix Networks + url: https://github.com/Lissy93/awesome-privacy#mix-networks + - 
title: Router Firmware + url: https://github.com/Lissy93/awesome-privacy#router-firmware + - title: Open Source Proxies + url: https://github.com/Lissy93/awesome-privacy#proxies + - title: DNS Providers + url: https://github.com/Lissy93/awesome-privacy#dns + - title: Firewalls + url: https://github.com/Lissy93/awesome-privacy#firewalls + - title: Network Analysis Tools + url: https://github.com/Lissy93/awesome-privacy#network-analysis + - title: Self-Hosted Network Security Tools + url: https://github.com/Lissy93/awesome-privacy#self-hosted-network-security - title: Mobile Devices slug: mobile-devices 
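Review bot: The new "Prepare for Quantum Threats" and "Secure 5G Connections" points, and the sentence appended to "Secure DNS", give advice a reader cannot act on, unlike the rest of this list which links to concrete software: there are no named "post-quantum DNS options emerging in 2025" to evaluate, "eSIM isolation" is not a standard setting the reader can enable, and "monitor for IMSI catchers" names no tool or method. Either point to something specific (the NIST post-quantum standards are published as FIPS 203/204/205, and Kyber was standardised under the name ML-KEM, so "Kyber-based" should at least be updated) or hold these items until there is a concrete recommendation. The "Secure 5G Connections" item is also inserted between Optional items with priority Advanced, breaking the existing Essential, Optional, Advanced ordering; move it next to the Tor and Ethernet items at the end. Since this is a 2025 update, the heading "Use WPA2, and a strong password" should now say WPA3, given that the details already rank WPA3 as the more secure option. Finally, the new intro sentence "In 2025, 5G and quantum threats expand attack surfaces; secure routing is essential against interception" carries no source where the original intro did; cite a report or drop it.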
@@ -1184,379 +1251,396 @@ made in bulk, returning detailed information on everybody within a certain geo-fence, [often for innocent people](https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html). And this doesn't include all of the internet traffic that intelligence agencies around the world have unhindered access to. + + Separate from the network and location layer, one of the biggest ongoing privacy risks now comes from the apps you install. Large-scale studies of Android and iOS apps show that most include third-party tracking components, and that categories like shopping and food-delivery collect particularly broad sets of data (device identifiers, usage patterns, location, purchase history) that are shared with multiple companies. Browsers give you more control over this data flow; native apps typically do not. checklist: - - point: Encrypt your Device - priority: Essential - details: >- - In order to keep your data safe from physical access, use file encryption. This will mean if your - device is lost or stolen, no one will have access to your data. + - point: Encrypt your Device + priority: Essential + details: >- + In order to keep your data safe from physical access, use file encryption. This will mean if your + device is lost or stolen, no one will have access to your data. - - point: Turn off connectivity features that aren’t being used - priority: Essential - details: >- - When you're not using WiFi, Bluetooth, NFC etc, turn those features off. There are several common threats - that utilise these features. + - point: Turn off connectivity features that aren’t being used + priority: Essential + details: >- + When you're not using WiFi, Bluetooth, NFC etc, turn those features off. There are several common threats + that utilise these features. - - point: Keep app count to a minimum - priority: Essential - details: >- - Uninstall apps that you don’t need or use regularly. 
As apps often run in the background, slowing your - device down, but also collecting data. + - point: Keep app count to a minimum + priority: Essential + details: >- + Uninstall apps that you don’t need or use regularly. Each extra app increases your attack surface and the amount of background data collection taking place on your device. - - point: App Permissions - priority: Essential - details: >- - Don’t grant apps permissions that they don’t need. For Android, [Bouncer](https://awesome-privacy.xyz/security-tools/mobile-apps/bouncer) is an app that allows you to grant - temporary/ 1-off permissions. + - point: Understand Smartphone App Data Collection + priority: Essential + details: >- + Popular apps typically embed multiple third-party trackers and analytics SDKs. These can collect information about your device, location, identifiers and in-app behavior and send it to external companies, often in the background. Shopping, food-delivery and social media apps are consistently among the most data-hungry, so install as few of them as possible and remove ones you no longer truly need. - - point: Only install Apps from official source - priority: Essential - details: >- - Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them - less likely to be malicious. + - point: App Permissions + priority: Essential + details: >- + Don’t grant apps permissions that they don’t need. Use your OS privacy features (e.g., granular permission prompts, App Tracking Transparency and App Privacy Report on iOS, Privacy Dashboard on Android) to give apps the minimum access necessary, ideally “only while using the app”. For Android, [Bouncer](https://awesome-privacy.xyz/security-tools/mobile-apps/bouncer) is an app that allows you to grant temporary / one-off permissions. 
- - point: Be Careful of Phone Charging Threats - priority: Optional - details: >- - Juice Jacking is when hackers use public charging stations to install malware on your smartphone or tablet - through a compromised USB port. + - point: Only install Apps from official source + priority: Essential + details: >- + Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them + less likely to contain outright malware. But this review does not prevent apps from embedding extensive tracking and data collection. Treat “official” apps as potentially invasive and still evaluate their permissions and trackers before installing. - - point: Set up a mobile carrier PIN - priority: Essential - details: >- - SIM hijacking is when a hacker is able to get your mobile number transferred to their sim. The easiest way - to protect against this is to set up a PIN through your mobile provider. + - point: Be Careful of Phone Charging Threats + priority: Optional + details: >- + Juice Jacking is when hackers use public charging stations to install malware on your smartphone or tablet + through a compromised USB port. - - point: Opt-out of Caller ID Listings - priority: Optional - details: >- - To keep your details private, you can unlist your number from caller ID apps like TrueCaller, CallApp, SyncMe, - and Hiya. + - point: Set up a mobile carrier PIN + priority: Essential + details: >- + SIM hijacking is when a hacker is able to get your mobile number transferred to their sim. The easiest way + to protect against this is to set up a PIN through your mobile provider. - - point: Use Offline Maps - priority: Optional - details: >- - Consider using an offline maps app, such as OsmAnd or Organic Maps, to reduce data leaks from map apps. + - point: Opt-out of Caller ID Listings + priority: Optional + details: >- + To keep your details private, you can unlist your number from caller ID apps like TrueCaller, CallApp, SyncMe, + and Hiya. 
- - point: Opt-out of personalized ads - priority: Optional - details: >- - You can slightly reduce the amount of data collected by opting-out of seeing personalized ads. + - point: Use Offline Maps + priority: Optional + details: >- + Consider using an offline maps app, such as OsmAnd or Organic Maps, to reduce data leaks from map apps. - - point: Erase after too many login attempts - priority: Optional - details: >- - To protect against an attacker brute forcing your pin, set your device to erase after too many failed - login attempts. + - point: Opt-out of personalized ads + priority: Optional + details: >- + You can slightly reduce the amount of data collected by opting-out of seeing personalized ads in your device’s privacy / ads settings, both for the OS vendor and for individual apps where available. - - point: Monitor Trackers - priority: Optional - details: >- - [εxodus](https://awesome-privacy.xyz/security-tools/online-tools/εxodus) is a great service which - lets you search for any app and see which trackers are embedded in it. + - point: Reset and Limit Ad Identifiers + priority: Optional + details: >- + Both Android and iOS assign your device an advertising identifier that apps can use to link your activity across apps and services. Regularly reset this ID in system settings and disable personalized ads where possible to make long-term profiling more difficult. - - point: Use a Mobile Firewall - priority: Optional - details: >- - To prevent applications from leaking privacy-sensitive data, you can install a firewall app. + - point: Erase after too many login attempts + priority: Optional + details: >- + To protect against an attacker brute forcing your pin, set your device to erase after too many failed + login attempts. - - point: Reduce Background Activity - priority: Optional - details: >- - For Android, SuperFreeze makes it possible to entirely freeze all background activities on a per-app basis. 
+ - point: Monitor Trackers in Your Apps + priority: Essential + details: >- + Use tools like [εxodus](https://awesome-privacy.xyz/security-tools/online-tools/εxodus) to see which trackers and permissions are embedded in Android apps, and your OS privacy dashboard to review which apps access sensitive data. If an app includes many trackers or requests sensitive access it does not need, uninstall it or block its network access. - - point: Sandbox Mobile Apps - priority: Optional - details: >- - Prevent permission-hungry apps from accessing your private data with [Island](https://awesome-privacy.xyz/security-tools/mobile-apps/island), a sandbox environment. + - point: Use a Mobile Firewall or DNS Filter + priority: Optional + details: >- + To prevent applications from leaking privacy-sensitive data, use a firewall or DNS-filtering app to control which domains each app can reach. This can reveal constant background connections to analytics and advertising endpoints and lets you block them while keeping core functionality. - - point: Tor Traffic - priority: Advanced - details: >- - [Orbot](https://awesome-privacy.xyz/security-tools/mobile-apps/orbot) provides - a system-wide Tor connection, which will help protect you from surveillance and public WiFi threats. + - point: Reduce Background Activity + priority: Essential + details: >- + Restrict background data and activity for apps that do not truly need it. On Android, tools like SuperFreeze can entirely freeze background activities on a per-app basis; on iOS, disable “Background App Refresh” for non-essential apps. This reduces silent tracking, battery drain, and accidental data leaks. - - point: Avoid Custom Virtual Keyboards - priority: Optional - details: >- - It is recommended to stick with your device's stock keyboard. If you choose to use a third-party keyboard app, - ensure it is reputable. 
+ - point: Sandbox Mobile Apps + priority: Optional + details: >- + Prevent permission-hungry apps from accessing your private data with [Island](https://awesome-privacy.xyz/security-tools/mobile-apps/island), a sandbox environment. - - point: Restart Device Regularly - priority: Optional - details: >- - Restarting your phone at least once a week will clear the app state cached in memory and may run more smoothly - after a restart. + - point: Tor Traffic + priority: Advanced + details: >- + [Orbot](https://awesome-privacy.xyz/security-tools/mobile-apps/orbot) provides + a system-wide Tor connection, which will help protect you from surveillance and public WiFi threats. - - point: Avoid SMS - priority: Optional - details: >- - SMS should not be used to receive 2FA codes or for communication, instead use an encrypted messaging app, - such as [Signal](https://awesome-privacy.xyz/communication/encrypted-messaging/signal). + - point: Avoid Custom Virtual Keyboards + priority: Optional + details: >- + It is recommended to stick with your device's stock keyboard. If you choose to use a third-party keyboard app, + ensure it is reputable. - - point: Keep your Number Private - priority: Optional - details: >- - [MySudo](https://awesome-privacy.xyz/finance/virtual-credit-cards/mysudo) allows - you to create and use virtual phone numbers for different people or groups. This is great for - compartmentalisation. + - point: Restart Device Regularly + priority: Optional + details: >- + Restarting your phone at least once a week will clear the app state cached in memory and may run more smoothly + after a restart. - - point: Watch out for Stalkerware - priority: Optional - details: >- - Stalkerware is malware that is installed directly onto your device by someone you know. - The best way to get rid of it is through a factory reset. 
+ - point: Avoid SMS + priority: Optional + details: >- + SMS should not be used to receive 2FA codes or for communication, instead use an encrypted messaging app, + such as [Signal](https://awesome-privacy.xyz/communication/encrypted-messaging/signal). - - point: Favor the Browser, over Dedicated App - priority: Optional - details: >- - Where possible, consider using a secure browser to access sites, - rather than installing dedicated applications. + - point: Keep your Number Private + priority: Optional + details: >- + [MySudo](https://awesome-privacy.xyz/finance/virtual-credit-cards/mysudo) allows + you to create and use virtual phone numbers for different people or groups. This is great for + compartmentalisation. - - point: Consider running a custom ROM (Android) - priority: Advanced - details: >- - If you're concerned about your device manufacturer collecting too much - personal information, consider a privacy-focused custom ROM. + - point: Watch out for Stalkerware + priority: Optional + details: >- + Stalkerware is malware that is installed directly onto your device by someone you know. + The best way to get rid of it is through a factory reset. + + - point: Favor the Browser over Dedicated Apps + priority: Essential + details: >- + For many services (shopping, food-delivery, social media, banking), a hardened browser leaks less data than the official app. Browsers give you fine-grained control over cookies, scripts, containers and extensions, while native apps often run persistent background processes and include multiple trackers you cannot disable. Use a security-focused browser and pin key sites to your home screen as “web apps” if you want quick access without installing their app. + + - point: Consider running a custom ROM (Android) + priority: Advanced + details: >- + If you're concerned about your device manufacturer collecting too much + personal information, consider a privacy-focused custom ROM. 
+ + - point: Limit OS-Level AI Assistants (Mobile) + priority: Optional + details: >- + Mobile operating systems are adding AI assistants that can read messages, notifications and on-screen content to provide summaries or suggestions. + Before enabling them, check what data is processed on-device versus in the cloud, and turn off features that require broad access to other apps if you + handle sensitive information on your phone. color: fuchsia softwareLinks: - - title: Mobile Apps, for Security + Privacy - url: https://github.com/Lissy93/awesome-privacy#mobile-apps - - title: Encrypted Messaging - url: https://github.com/Lissy93/awesome-privacy#encrypted-messaging - - title: Mobile Operation Systems - url: https://github.com/Lissy93/awesome-privacy#mobile-operating-systems + - title: Mobile Apps, for Security + Privacy + url: https://github.com/Lissy93/awesome-privacy#mobile-apps + - title: Encrypted Messaging + url: https://github.com/Lissy93/awesome-privacy#encrypted-messaging + - title: Mobile Operation Systems + url: https://github.com/Lissy93/awesome-privacy#mobile-operating-systems - title: Personal Computers slug: personal-computers description: Securing your PC's operating system, data & activity icon: computer - intro: > - Although Windows and OS X are easy to use and convenient, they both are far from secure. + intro: >- + With AI-integrated OS features (e.g., Windows Copilot), data exfiltration risks have surged in 2025. Although Windows and OS X are easy to use and convenient, they both are far from secure. Your OS provides the interface between hardware and your applications, so if compromised can have detrimental effects. checklist: - - point: Keep your System up-to-date - priority: Essential - details: >- - System updates contain fixes/patches for security issues, improve performance, and sometimes add new - features. Install new updates when prompted. 
+ - point: Keep your System up-to-date + priority: Essential + details: >- + System updates contain fixes/patches for security issues, improve performance, and sometimes add new + features. Install new updates when prompted. - - point: Encrypt your Device - priority: Essential - details: >- - Use BitLocker for Windows, FileVault on MacOS, or LUKS on Linux, to enable full disk encryption. This - prevents unauthorized access if your computer is lost or stolen. + - point: Encrypt your Device + priority: Essential + details: >- + Use BitLocker for Windows, FileVault on MacOS, or LUKS on Linux, to enable full disk encryption. This + prevents unauthorized access if your computer is lost or stolen. - - point: Backup Important Data - priority: Essential - details: >- - Maintaining encrypted backups prevents loss due to ransomware, theft, or damage. Consider using - [Cryptomator](https://awesome-privacy.xyz/security-tools/mobile-apps/cryptomator) - for cloud files or [VeraCrypt](https://awesome-privacy.xyz/essentials/file-encryption/veracrypt) for USB drives. + - point: Backup Important Data + priority: Essential + details: >- + Maintaining encrypted backups prevents loss due to ransomware, theft, or damage. Consider using + [Cryptomator](https://awesome-privacy.xyz/security-tools/mobile-apps/cryptomator) + for cloud files or [VeraCrypt](https://awesome-privacy.xyz/essentials/file-encryption/veracrypt) for USB drives. - - point: Be Careful Plugging USB Devices into your Computer - priority: Essential - details: >- - USB devices can pose serious threats. Consider making a USB sanitizer with CIRCLean to safely check USB - devices. + - point: Be Careful Plugging USB Devices into your Computer + priority: Essential + details: >- + USB devices can pose serious threats. Consider making a USB sanitizer with CIRCLean to safely check USB + devices. 
- - point: Activate Screen-Lock when Idle - priority: Essential - details: >- - Lock your computer when away and set it to require a password on resume from screensaver or sleep to - prevent unauthorized access. + - point: Activate Screen-Lock when Idle + priority: Essential + details: >- + Lock your computer when away and set it to require a password on resume from screensaver or sleep to + prevent unauthorized access. - - point: Disable Cortana or Siri - priority: Essential - details: >- - Voice-controlled assistants can have privacy implications due to data sent back for processing. Disable - or limit their listening capabilities. + - point: Disable OS-Level AI Assistants + priority: Essential + details: >- + Modern operating systems are integrating AI deeply (e.g., Windows Copilot, Apple Intelligence). Some features require sending data to the + cloud or periodically capturing screenshots of your entire desktop (such as Windows Recall). Independent tests have shown that these tools can still + capture sensitive data despite vendor filters. Prefer disabling them entirely or, if you need them, limiting which accounts and apps they can see and + using privacy tools (like browsers or messengers that block Recall) for the most sensitive work. - - point: Review your Installed Apps - priority: Essential - details: >- - Keep installed applications to a minimum to reduce exposure to vulnerabilities and regularly clear - application caches. + - point: Review your Installed Apps + priority: Essential + details: >- + Keep installed applications to a minimum to reduce exposure to vulnerabilities and regularly clear + application caches. - - point: Manage Permissions - priority: Essential - details: >- - Control which apps have access to your location, camera, microphone, contacts, and other sensitive - information. 
+ - point: Manage Permissions + priority: Essential + details: >- + Control which apps have access to your location, camera, microphone, contacts, and other sensitive + information. - - point: Disallow Usage Data from being sent to the Cloud - priority: Essential - details: >- - Limit the amount of usage information or feedback sent to the cloud to protect your privacy. + - point: Disallow Usage Data from being sent to the Cloud + priority: Essential + details: >- + Limit the amount of usage information or feedback sent to the cloud to protect your privacy. - - point: Avoid Quick Unlock - priority: Essential - details: >- - Use a strong password instead of biometrics or short PINs for unlocking your computer to enhance - security. + - point: Avoid Quick Unlock + priority: Essential + details: >- + Use a strong password instead of biometrics or short PINs for unlocking your computer to enhance + security. - - point: Power Off Computer, instead of Standby - priority: Essential - details: >- - Shut down your device when not in use, especially if your disk is encrypted, to keep data secure. + - point: Power Off Computer, instead of Standby + priority: Essential + details: >- + Shut down your device when not in use, especially if your disk is encrypted, to keep data secure. In 2025, this also halts background AI telemetry. - - point: Don't link your PC with your Microsoft or Apple Account - priority: Optional - details: >- - Use a local account only to prevent data syncing and exposure. Avoid using sync services that compromise - privacy. + - point: Don't link your PC with your Microsoft or Apple Account + priority: Optional + details: >- + Use a local account only to prevent data syncing and exposure. Avoid using sync services that compromise + privacy. - - point: Check which Sharing Services are Enabled - priority: Optional - details: >- - Disable network sharing features you are not using to close gateways to common threats. 
+ - point: Check which Sharing Services are Enabled + priority: Optional + details: >- + Disable network sharing features you are not using to close gateways to common threats. - - point: Don't use Root/Admin Account for Non-Admin Tasks - priority: Optional - details: >- - Use an unprivileged user account for daily tasks and only elevate permissions for administrative changes - to mitigate vulnerabilities. + - point: Don't use Root/Admin Account for Non-Admin Tasks + priority: Optional + details: >- + Use an unprivileged user account for daily tasks and only elevate permissions for administrative changes + to mitigate vulnerabilities. - - point: Block Webcam + Microphone - priority: Optional - details: >- - Cover your webcam when not in use and consider blocking unauthorized audio recording to protect privacy. + - point: Block Webcam + Microphone + priority: Optional + details: >- + Cover your webcam when not in use and consider blocking unauthorized audio recording to protect privacy. - - point: Use a Privacy Filter - priority: Optional - details: >- - Use a screen privacy filter in public spaces to prevent shoulder surfing and protect sensitive - information. + - point: Use a Privacy Filter + priority: Optional + details: >- + Use a screen privacy filter in public spaces to prevent shoulder surfing and protect sensitive + information. - - point: Physically Secure Device - priority: Optional - details: >- - Use a Kensington Lock to secure your laptop in public spaces and consider port locks to prevent - unauthorized physical access. + - point: Physically Secure Device + priority: Optional + details: >- + Use a Kensington Lock to secure your laptop in public spaces and consider port locks to prevent + unauthorized physical access. - - point: Don't Charge Devices from your PC - priority: Optional - details: >- - Use a power bank or AC wall charger instead of your PC to avoid security risks associated with USB - connections. 
+ - point: Don't Charge Devices from your PC + priority: Optional + details: >- + Use a power bank or AC wall charger instead of your PC to avoid security risks associated with USB + connections. - - point: Randomize your hardware address on Wi-Fi - priority: Optional - details: >- - Modify or randomize your MAC address to protect against tracking across different WiFi networks. + - point: Randomize your hardware address on Wi-Fi + priority: Optional + details: >- + Modify or randomize your MAC address to protect against tracking across different WiFi networks. - - point: Use a Firewall - priority: Optional - details: >- - Install a firewall app to monitor and block unwanted internet access by certain applications, protecting - against remote access attacks and privacy breaches. + - point: Use a Firewall + priority: Optional + details: >- + Install a firewall app to monitor and block unwanted internet access by certain applications, protecting + against remote access attacks and privacy breaches. - - point: Protect Against Software Keyloggers - priority: Optional - details: >- - Use key stroke encryption tools to protect against software keyloggers recording your keystrokes. + - point: Protect Against Software Keyloggers + priority: Optional + details: >- + Use key stroke encryption tools to protect against software keyloggers recording your keystrokes. - - point: Check Keyboard Connection - priority: Optional - details: >- - Be vigilant for hardware keyloggers when using public or unfamiliar computers by checking keyboard - connections. + - point: Check Keyboard Connection + priority: Optional + details: >- + Be vigilant for hardware keyloggers when using public or unfamiliar computers by checking keyboard + connections. - - point: Prevent Keystroke Injection Attacks - priority: Optional - details: >- - Lock your PC when away and consider using USBGuard or similar tools to protect against keystroke - injection attacks. 
+ - point: Prevent Keystroke Injection Attacks + priority: Optional + details: >- + Lock your PC when away and consider using USBGuard or similar tools to protect against keystroke + injection attacks. - - point: Don't use commercial "Free" Anti-Virus - priority: Optional - details: >- - Rely on built-in security tools and avoid free anti-virus applications due to their potential for - privacy invasion and data collection. + - point: Don't use commercial "Free" Anti-Virus + priority: Optional + details: >- + Rely on built-in security tools and avoid free anti-virus applications due to their potential for + privacy invasion and data collection. - - point: Periodically check for Rootkits - priority: Advanced - details: >- - Regularly check for rootkits to detect and mitigate full system control threats using tools like - [chkrootkit](https://awesome-privacy.xyz/operating-systems/linux-defenses/chkrootkit). + - point: Periodically check for Rootkits + priority: Advanced + details: >- + Regularly check for rootkits to detect and mitigate full system control threats using tools like + [chkrootkit](https://awesome-privacy.xyz/operating-systems/linux-defenses/chkrootkit). - - point: BIOS Boot Password - priority: Advanced - details: >- - Enable a BIOS or UEFI password to add an additional security layer during boot-up, though be aware of - its limitations. + - point: BIOS Boot Password + priority: Advanced + details: >- + Enable a BIOS or UEFI password to add an additional security layer during boot-up, though be aware of + its limitations. - - point: Use a Security-Focused Operating System - priority: Advanced - details: >- - Consider switching to Linux or a security-focused distro like QubeOS or - [Tails](https://awesome-privacy.xyz/operating-systems/desktop-operating-systems/tails) - for enhanced privacy and - security. 
+ - point: Use a Security-Focused Operating System + priority: Advanced + details: >- + Consider switching to Linux or a security-focused distro like [Qubes OS](https://www.qubes-os.org/) or + [Tails](https://awesome-privacy.xyz/operating-systems/desktop-operating-systems/tails) + for enhanced privacy and + security. - - point: Make Use of VMs - priority: Advanced - details: >- - Use virtual machines for risky activities or testing suspicious software to isolate potential threats - from your primary system. + - point: Make Use of VMs + priority: Advanced + details: >- + Use virtual machines for risky activities or testing suspicious software to isolate potential threats + from your primary system. - - point: Compartmentalize - priority: Advanced - details: >- - Isolate different programs and data sources from one another as much as possible to limit the extent of - potential breaches. + - point: Compartmentalize + priority: Advanced + details: >- + Isolate different programs and data sources from one another as much as possible to limit the extent of + potential breaches. - - point: Disable Undesired Features (Windows) - priority: Advanced - details: >- - Disable unnecessary Windows "features" and services that run in the background to reduce data collection - and resource use. + - point: Disable Undesired Features (Windows) + priority: Advanced + details: >- + Disable unnecessary Windows "features" and services that run in the background to reduce data collection + and resource use. - - point: Secure Boot - priority: Advanced - details: >- - Ensure that Secure Boot is enabled to prevent malware from replacing your boot loader and other critical - software. + - point: Secure Boot + priority: Advanced + details: >- + Ensure that Secure Boot is enabled to prevent malware from replacing your boot loader and other critical + software. 
- - point: Secure SSH Access - priority: Advanced - details: >- - Take steps to protect SSH access from attacks by changing the default port, using SSH keys, and - configuring firewalls. + - point: Secure SSH Access + priority: Advanced + details: >- + Take steps to protect SSH access from attacks by changing the default port, using SSH keys, and + configuring firewalls. - - point: Close Un-used Open Ports - priority: Advanced - details: >- - Turn off services listening on external ports that are not needed to protect against remote exploits and - improve security. + - point: Close Un-used Open Ports + priority: Advanced + details: >- + Turn off services listening on external ports that are not needed to protect against remote exploits and + improve security. - - point: Implement Mandatory Access Control - priority: Advanced - details: >- - Restrict privileged access to limit the damage that can be done if a system is compromised. + - point: Implement Mandatory Access Control + priority: Advanced + details: >- + Restrict privileged access to limit the damage that can be done if a system is compromised. - - point: Use Canary Tokens - priority: Advanced - details: >- - Deploy canary tokens to detect unauthorized access to your files or emails faster and gather - information about the intruder. + - point: Use Canary Tokens + priority: Advanced + details: >- + Deploy canary tokens to detect unauthorized access to your files or emails faster and gather + information about the intruder. 
color: pink softwareLinks: - - title: Secure Operating Systems - url: https://github.com/Lissy93/awesome-privacy#desktop-operating-systems - - title: Linux Defenses - url: https://github.com/Lissy93/awesome-privacy#linux-defences - - title: Windows Defenses - url: https://github.com/Lissy93/awesome-privacy#windows-defences - - title: Mac OS Defenses - url: https://github.com/Lissy93/awesome-privacy#mac-os-defences - - title: Anti-Malware - url: https://github.com/Lissy93/awesome-privacy#anti-malware - - title: Firewalls - url: https://github.com/Lissy93/awesome-privacy#firewalls-1 - - title: File Encryption - url: https://github.com/Lissy93/awesome-privacy#file-encryption + - title: Secure Operating Systems + url: https://github.com/Lissy93/awesome-privacy#desktop-operating-systems + - title: Linux Defenses + url: https://github.com/Lissy93/awesome-privacy#linux-defences + - title: Windows Defenses + url: https://github.com/Lissy93/awesome-privacy#windows-defences + - title: Mac OS Defenses + url: https://github.com/Lissy93/awesome-privacy#mac-os-defences + - title: Anti-Malware + url: https://github.com/Lissy93/awesome-privacy#anti-malware + - title: Firewalls + url: https://github.com/Lissy93/awesome-privacy#firewalls-1 + - title: File Encryption + url: https://github.com/Lissy93/awesome-privacy#file-encryption - title: Smart Home slug: smart-home 
@@ -1585,89 +1669,94 @@ The following checklist will help mitigate the risks associated with internet-connected home devices. checklist: - - point: Rename devices to not specify brand/model - priority: Essential - details: >- - Change default device names to something generic to prevent targeted attacks by obscuring brand or model information. + - point: Rename devices to not specify brand/model + priority: Essential + details: >- + Change default device names to something generic to prevent targeted attacks by obscuring brand or model information. - - point: Disable microphone and camera when not in use - priority: Essential - details: >- - Use hardware switches to turn off microphones and cameras on smart devices to protect against accidental recordings or targeted access. + - point: Disable microphone and camera when not in use + priority: Essential + details: >- + Use hardware switches to turn off microphones and cameras on smart devices to protect against accidental recordings or targeted access. - - point: Understand what data is collected, stored and transmitted - priority: Essential - details: >- - Research and ensure comfort with the data handling practices of smart home devices before purchase, avoiding devices that share data with third parties. + - point: Understand what data is collected, stored and transmitted + priority: Essential + details: >- + Research and ensure comfort with the data handling practices of smart home devices before purchase, avoiding devices that share data with third parties. - - point: Set privacy settings, and opt out of sharing data with third parties - priority: Essential - details: >- - Adjust app settings for strictest privacy controls and opt-out of data sharing with third parties wherever possible. 
+ - point: Set privacy settings, and opt out of sharing data with third parties + priority: Essential + details: >- + Adjust app settings for strictest privacy controls and opt-out of data sharing with third parties wherever possible. - - point: Don't link your smart home devices to your real identity - priority: Essential - details: >- - Use anonymous usernames and passwords, avoiding sign-up/log-in via social media or other third-party services to maintain privacy. + - point: Scrutinize Companion Smartphone Apps + priority: Essential + details: >- + Most smart-home and wearable devices funnel data through their companion smartphone apps, which often include multiple trackers and broad + permissions (location, contacts, background network access). Review these apps with tools like Exodus where possible, strip non-essential permissions, + and avoid installing vendor apps you don't actually need to operate the device. - - point: Keep firmware up-to-date - priority: Essential - details: >- - Regularly update smart device firmware to apply security patches and enhancements. + - point: Don't link your smart home devices to your real identity + priority: Essential + details: >- + Use anonymous usernames and passwords, avoiding sign-up/log-in via social media or other third-party services to maintain privacy. - - point: Protect your Network - priority: Essential - details: >- - Secure your home WiFi and network to prevent unauthorized access to smart devices. + - point: Keep firmware up-to-date + priority: Essential + details: >- + Regularly update smart device firmware to apply security patches and enhancements. - - point: Be wary of wearables - priority: Optional - details: >- - Consider the extensive data collection capabilities of wearable devices and their implications for privacy. + - point: Protect your Network + priority: Essential + details: >- + Secure your home WiFi and network to prevent unauthorized access to smart devices. 
- - point: Don't connect your home's critical infrastructure to the Internet - priority: Optional - details: >- - Evaluate the risks of internet-connected thermostats, alarms, and detectors due to potential remote access by hackers. + - point: Be wary of wearables + priority: Optional + details: >- + Consider the extensive data collection capabilities of wearable devices and their implications for privacy. - - point: Mitigate Alexa/ Google Home Risks - priority: Optional - details: >- - Consider privacy-focused alternatives like - [Mycroft](https://awesome-privacy.xyz/smart-home-and-iot/voice-assistants/mycroft) or use - Project Alias to prevent idle listening by voice-activated assistants. + - point: Don't connect your home's critical infrastructure to the Internet + priority: Optional + details: >- + Evaluate the risks of internet-connected thermostats, alarms, and detectors due to potential remote access by hackers. - - point: Monitor your home network closely - priority: Optional - details: >- - Use tools like FingBox or router features to monitor for unusual network activity. + - point: Mitigate Alexa/ Google Home Risks + priority: Optional + details: >- + Consider privacy-focused alternatives like [OpenVoiceOS](https://openvoiceos.org/) (community successor to Mycroft) + or [Home Assistant](https://www.home-assistant.io/voice_control/) which offers fully local voice control. + If using commercial assistants, review your voice recording history regularly and delete it. - - point: Deny Internet access where possible - priority: Advanced - details: >- - Use firewalls to block internet access for devices that don't need it, limiting operation to local network use. + - point: Monitor your home network closely + priority: Optional + details: >- + Use tools like FingBox or router features to monitor for unusual network activity. 
- - point: Assess risks - priority: Advanced - details: >- - Consider the privacy implications for all household members and adjust device settings for security and privacy, such as disabling devices at certain times. + - point: Deny Internet access where possible + priority: Advanced + details: >- + Use firewalls to block internet access for devices that don't need it, limiting operation to local network use. + + - point: Assess risks + priority: Advanced + details: >- + Consider the privacy implications for all household members and adjust device settings for security and privacy, such as disabling devices at certain times. color: red softwareLinks: - - title: Home Automation - url: https://github.com/Lissy93/awesome-privacy#home-automation - - title: AI Voice Assistants - url: https://github.com/Lissy93/awesome-privacy#ai-voice-assistants + - title: Home Automation + url: https://github.com/Lissy93/awesome-privacy#home-automation + - title: AI Voice Assistants + url: https://github.com/Lissy93/awesome-privacy#ai-voice-assistants - title: Personal Finance slug: personal-finance description: Protecting your funds, financial accounts and transactions icon: finance intro: >- - Credit card fraud is the most common form of identity theft (with [133,015 reports in the - US in 2017 alone](https://www.experian.com/blogs/ask-experian/identity-theft-statistics/)), - and a total loss of $905 million, which was a 26% increase from the previous year. - The with a median amount lost per person was $429 in 2017. - It's more important than ever to take basic steps to protect yourself from falling victim + Credit card fraud is the most common form of identity theft, with hundreds of thousands of reports annually + according to [FTC data](https://www.ftc.gov/news-events/data-visualizations/data-spotlight). + It's more important than ever to take basic steps to protect yourself from falling victim. 
Note about credit cards: Credit cards have technological methods in place to detect and stop some fraudulent transactions. Major payment processors implement 
@@ -1676,77 +1765,207 @@ fraud, but is also sold onto other data brokers. Credit cards are therefore good for security, but terrible for data privacy. checklist: - - point: Sign up for Fraud Alerts and Credit Monitoring - priority: Essential - details: >- - Enable fraud alerts and credit monitoring through Experian, TransUnion, or Equifax to be alerted of suspicious activity. + - point: Sign up for Fraud Alerts and Credit Monitoring + priority: Essential + details: >- + Enable fraud alerts and credit monitoring through Experian, TransUnion, or Equifax to be alerted of suspicious activity. - - point: Apply a Credit Freeze - priority: Essential - details: >- - Prevent unauthorized credit inquiries by freezing your credit through Experian, TransUnion, and Equifax. + - point: Apply a Credit Freeze + priority: Essential + details: >- + Prevent unauthorized credit inquiries by freezing your credit through Experian, TransUnion, and Equifax. - - point: Use Virtual Cards - priority: Optional - details: >- - Utilize virtual card numbers for online transactions to protect your real banking details. Services like [Privacy.com](https://awesome-privacy.xyz/finance/virtual-credit-cards/privacy.com) and [MySudo](https://awesome-privacy.xyz/finance/virtual-credit-cards/mysudo) offer such features. + - point: Use Virtual Cards + priority: Optional + details: >- + Utilize virtual card numbers for online transactions to protect your real banking details. Services like [Privacy.com](https://awesome-privacy.xyz/finance/virtual-credit-cards/privacy.com) and [MySudo](https://awesome-privacy.xyz/finance/virtual-credit-cards/mysudo) offer such features. - - point: Use Cash for Local Transactions - priority: Optional - details: >- - Pay with [Cash](https://awesome-privacy.xyz/finance/other-payment-methods/cash) for local and everyday purchases to avoid financial profiling by institutions. 
+ - point: Use Cash for Local Transactions + priority: Optional + details: >- + Pay with [Cash](https://awesome-privacy.xyz/finance/other-payment-methods/cash) for local and everyday purchases to avoid financial profiling by institutions. - - point: Use Cryptocurrency for Online Transactions - priority: Optional - details: >- - Opt for privacy-focused cryptocurrencies like - [Monero](https://awesome-privacy.xyz/finance/cryptocurrencies/monero) for - online transactions to maintain anonymity. Use cryptocurrencies wisely to ensure privacy. + - point: Harden Banking and Finance Apps + priority: Essential + details: >- + Banking, brokerage, and payment apps often have stronger fraud controls than the web but also collect extensive telemetry. Install them only from + official stores, keep them updated, disable non-essential permissions (contacts, Bluetooth, location where not needed), and avoid installing unrelated + “financial assistant” apps that ask for full access to your email or bank logins. - - point: Store Crypto Securely - priority: Advanced - details: >- - Securely store cryptocurrencies using offline wallet generation, hardware wallets - like [Trezor](https://awesome-privacy.xyz/finance/crypto-wallets/trezor) or - [ColdCard](https://awesome-privacy.xyz/finance/crypto-wallets/coldcard), or - consider long-term storage solutions like - [CryptoSteel](https://awesome-privacy.xyz/finance/crypto-wallets/cryptosteel). + - point: Use Cryptocurrency for Online Transactions + priority: Optional + details: >- + Opt for privacy-focused cryptocurrencies like + [Monero](https://awesome-privacy.xyz/finance/cryptocurrencies/monero) for + online transactions to maintain anonymity. Use cryptocurrencies wisely to ensure privacy. 
- - point: Buy Crypto Anonymously - priority: Advanced - details: >- - Purchase cryptocurrencies without linking to your identity through services - like [LocalBitcoins](https://awesome-privacy.xyz/finance/crypto-exchanges/localbitcoins), - [Bisq](https://awesome-privacy.xyz/finance/crypto-exchanges/bisq), or Bitcoin ATMs. + - point: Store Crypto Securely + priority: Advanced + details: >- + Securely store cryptocurrencies using offline wallet generation, hardware wallets + like [Trezor](https://awesome-privacy.xyz/finance/crypto-wallets/trezor) or + [ColdCard](https://awesome-privacy.xyz/finance/crypto-wallets/coldcard), or + consider long-term storage solutions like + [CryptoSteel](https://awesome-privacy.xyz/finance/crypto-wallets/cryptosteel). - - point: Tumble/ Mix Coins - priority: Advanced - details: >- - Use a bitcoin mixer or CoinJoin before converting Bitcoin to currency to obscure transaction trails. + - point: Buy Crypto Anonymously + priority: Advanced + details: >- + Purchase cryptocurrencies without linking to your identity through services + like [Bisq](https://awesome-privacy.xyz/finance/crypto-exchanges/bisq), [HodlHodl](https://hodlhodl.com), + or Bitcoin ATMs. - - point: Use an Alias Details for Online Shopping - priority: Advanced - details: >- - For online purchases, consider using alias details, forwarding email addresses, VOIP numbers, and secure delivery methods to protect your identity. + - point: Tumble/ Mix Coins + priority: Advanced + details: >- + Use a bitcoin mixer or CoinJoin before converting Bitcoin to currency to obscure transaction trails. - - point: Use alternate delivery address - priority: Advanced - details: >- - Opt for deliveries to non-personal addresses such as PO Boxes, forwarding addresses, or local pickup locations to avoid linking purchases directly to you. 
+ - point: Use an Alias Details for Online Shopping + priority: Advanced + details: >- + For online purchases, consider using alias details, forwarding email addresses, VOIP numbers, and secure delivery methods to protect your identity. + + - point: Use alternate delivery address + priority: Advanced + details: >- + Opt for deliveries to non-personal addresses such as PO Boxes, forwarding addresses, or local pickup locations to avoid linking purchases directly to you. color: purple softwareLinks: - - title: Virtual Credit Cards - url: https://github.com/Lissy93/awesome-privacy#virtual-credit-cards - - title: Cryptocurrencies - url: https://github.com/Lissy93/awesome-privacy#cryptocurrencies - - title: Crypto Wallets - url: https://github.com/Lissy93/awesome-privacy#crypto-wallets - - title: Crypto Exchanges - url: https://github.com/Lissy93/awesome-privacy#crypto-exchanges - - title: Other Payment Methods - url: https://github.com/Lissy93/awesome-privacy#other-payment-methods - - title: Budgeting Tools - url: https://github.com/Lissy93/awesome-privacy#budgeting-tools + - title: Virtual Credit Cards + url: https://github.com/Lissy93/awesome-privacy#virtual-credit-cards + - title: Cryptocurrencies + url: https://github.com/Lissy93/awesome-privacy#cryptocurrencies + - title: Crypto Wallets + url: https://github.com/Lissy93/awesome-privacy#crypto-wallets + - title: Crypto Exchanges + url: https://github.com/Lissy93/awesome-privacy#crypto-exchanges + - title: Other Payment Methods + url: https://github.com/Lissy93/awesome-privacy#other-payment-methods + - title: Budgeting Tools + url: https://github.com/Lissy93/awesome-privacy#budgeting-tools + +- title: AI and Emerging Tech + slug: ai-emerging-tech + description: Mitigating risks from AI, IoT, and quantum innovations + icon: ai + color: orange + intro: >- + In 2025, AI has overtaken ransomware as the top concern, with GenAI enabling 1200% more phishing; quantum risks loom for encryption. 
Individuals must prioritize governance and resilience. + checklist: + - point: Vet AI Tools for Privacy + priority: Essential + details: >- + Review terms for data usage; prefer local/offline models (e.g., Ollama). Avoid feeding sensitive info to cloud AI; use differential privacy for personal datasets. + + - point: Constrain Mobile AI “Copilots” + priority: Essential + details: >- + Many new mobile and desktop apps ship with AI “copilots” that read your screen, notifications, or files to offer suggestions. Treat them as additional + data processors: turn them off for apps that handle legal, medical, or financial data unless you are satisfied with how and where that data is processed. + + - point: Secure IoT Devices + priority: Essential + details: >- + Change defaults, segment on guest network, and firmware-update regularly. Disable mics/cams when idle; monitor for anomalous traffic with tools like Fing. + - point: Detect and Mitigate Deepfakes + priority: Essential + details: >- + Use verification tools (e.g., Hive Moderation) for video calls; enable biometric liveness checks and cross-verify via trusted channels. + - point: Address Quantum Data Risks + priority: Advanced + details: >- + "Harvest now, decrypt later" threatens archived personal data; encrypt with PQC hybrids and limit long-term storage of sensitive files. + softwareLinks: + - title: AI Privacy Tools + url: https://github.com/Lissy93/awesome-privacy#ai-privacy + - title: IoT Security + url: https://github.com/Lissy93/awesome-privacy#iot + +- title: For Organizations + slug: for-organizations + description: Governance, compliance, and security patterns for teams and companies + icon: shield + color: slate + intro: >- + Some controls in this checklist are primarily relevant to organizations rather than individuals. This section collects + enterprise-style identity, network, and compliance practices for teams, startups, and small businesses that handle user data. 
+ checklist: + - point: Adopt an Identity Fabric for Multi-Account Management + priority: Essential + details: >- + Use a unified identity platform (e.g., Okta, Entra ID / Azure AD, Keycloak) to manage workforce and customer identities across SaaS apps and internal + systems. Centralizing SSO, MFA, and deprovisioning reduces shadow accounts and improves auditability. + + - point: Implement Zero-Trust Network Access + priority: Essential + details: >- + Move away from flat “trusted internal networks” toward zero-trust principles: verify every access request regardless of network location, enforce + strong device posture checks, and segment production, staging, and corporate networks. Use identity-aware proxies and per-app access instead of + broad VPN tunnels. + + - point: Enable Zero-Trust Device Access + priority: Essential + details: >- + Use OS isolation features such as Windows Defender Application Guard, sandboxed browsers, or VMs for untrusted workloads (e.g., ad-hoc downloads, + risky browsing, vendor portals). Combine with strict admin rights and EDR so compromise of one app does not imply compromise of the whole endpoint. + + - point: Review Privacy Policy Compliance + priority: Essential + details: >- + Maintain an accurate, living privacy notice that reflects your actual data flows. Document what personal data you collect, your purposes, legal bases, + retention periods, and sharing with processors or partners. Use tools or periodic reviews (e.g., Osano or internal ROOPAs) to keep this aligned with + reality, not just your initial launch. + + - point: Comply with 2025 State and Global Privacy Laws + priority: Essential + details: >- + Map where your users are and which regimes apply (GDPR, CCPA/CPRA, Colorado, Connecticut, Texas, Florida, Delaware, Minnesota and others). Implement + data minimization, purpose limitation, DSAR handling, and opt-out flows. Honor Global Privacy Control (GPC) and similar signals in your web and mobile + apps. 
+ + - point: Combat Regulatory Fragmentation + priority: Optional + details: >- + If you operate across many jurisdictions, use a central consent and preference management system and maintain a register of processing activities (RoPA). + Consider a privacy/compliance platform to orchestrate DSARs, Do Not Sell/Share requests, and opt-outs across multiple vendors. + + - point: Limit Sensitive Data Processing + priority: Essential + details: >- + Treat health, biometric, location, and children’s data as high-risk. Avoid collecting it unless strictly necessary, and keep it segregated (separate + databases or schemas, stricter access controls, shorter retention). Require DPIAs / TIAs for new uses of sensitive data. + + - point: Opt-out of Data Sharing by Default + priority: Essential + details: >- + Configure analytics, A/B testing, and advertising SDKs in your web and mobile apps to minimize identifiers and disable data sharing by default. Offer + clear in-product controls to opt out of tracking, and make sure SDK settings actually honor those choices instead of ignoring them. + + - point: Mitigate Supply Chain Attacks + priority: Essential + details: >- + Maintain a software bill of materials (SBOM) for critical components, pin dependency versions, and monitor advisories (OSV, GitHub Security Advisories). + Treat firmware and router updates as part of the same supply chain: verify vendor sources, signatures, and change logs before deployment. + + - point: Audit Supply Chain Software + priority: Optional + details: >- + Regularly review third-party libraries and SaaS tools that touch production data. Verify code signing, check for abandoned or compromised projects, + and avoid extensions or “free” tools that require broad mailbox, drive, or admin access in exchange for convenience. 
+ + - point: Protect Against AI Data Exfiltration in Email and Docs + priority: Essential + details: >- + Shadow AI and browser plugins can copy entire mailboxes, document drives, and chat logs to external clouds. Maintain an approved AI-tool list, block + unapproved ones, and configure DLP policies for health, financial, and legal data. Prefer on-prem or VPC-hosted models for high-risk content. + + - point: Govern AI Assistants and Copilots + priority: Optional + details: >- + Document where OS-level and SaaS “copilots” are allowed (IDEs, helpdesk, office suite) and what data they can touch. Disable full-screen capture + features like Windows Recall on systems that handle production secrets, trade secrets, or regulated data. + - title: Post-Quantum Cryptography + url: https://github.com/Lissy93/awesome-privacy#post-quantum-cryptography - title: Human Aspect slug: human-aspect 
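Review bot: the two added lines `- title: Post-Quantum Cryptography` / `url: https://github.com/Lissy93/awesome-privacy#post-quantum-cryptography` at the end of the For Organizations section sit under `checklist:` with no `softwareLinks:` key above them, so depending on indentation the YAML parser will either treat them as a checklist entry with no `point`, `priority` or `details` or reject the file, and the renderer breaks either way. The link also has nothing to do with organizational governance; it belongs in the `softwareLinks` list of the preceding emerging-threats section, next to `AI Privacy Tools` and `IoT Security`, where the 'Address Quantum Data Risks' item already points readers at PQC. Two smaller points in the same hunk: 'internal ROOPAs' in 'Review Privacy Policy Compliance' looks like a typo for 'RoPAs', which the later 'Combat Regulatory Fragmentation' item spells out correctly as 'register of processing activities (RoPA)'; and 'encrypt with PQC hybrids' in 'Address Quantum Data Risks' gives the reader nothing to act on, so say which tools or protocols offer such hybrids, or link a guide, as the other items do.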
@@ -1755,114 +1974,120 @@ intro: >- Many data breaches, hacks and attacks are caused by human error. The following list contains steps you should take, to reduce the risk of this - happening to you. Many of them are common sense, but it's worth takin note of. + happening to you. Many of them are common sense, but it's worth taking note of. checklist: - - point: Verify Recipients - priority: Essential - details: >- - Emails can be easily spoofed. Verify the sender's authenticity, especially for sensitive actions, and prefer entering URLs manually rather than clicking links in emails. + - point: Verify Recipients + priority: Essential + details: >- + Emails can be easily spoofed. Verify the sender's authenticity, especially for sensitive actions, and prefer entering URLs manually rather than clicking links in emails. - - point: Don't Trust Your Popup Notifications - priority: Essential - details: >- - Fake pop-ups can be deployed by malicious actors. Always check the URL before entering any information on a popup. + - point: Don't Trust Your Popup Notifications + priority: Essential + details: >- + Fake pop-ups can be deployed by malicious actors. Always check the URL before entering any information on a popup. - - point: Never Leave Device Unattended - priority: Essential - details: >- - Unattended devices can be compromised even with strong passwords. Use encryption and remote erase features like Find My Phone for lost devices. + - point: Never Leave Device Unattended + priority: Essential + details: >- + Unattended devices can be compromised even with strong passwords. Use encryption and remote erase features like Find My Phone for lost devices. - - point: Prevent Camfecting - priority: Essential - details: >- - Protect against camfecting by using webcam covers and microphone blockers. Mute home assistants when not in use or discussing sensitive matters. 
+ - point: Prevent Camfecting + priority: Essential + details: >- + Protect against camfecting by using webcam covers and microphone blockers. Mute home assistants when not in use or discussing sensitive matters. - - point: Stay protected from shoulder surfers - priority: Essential - details: >- - Use privacy screens on laptops and mobiles to prevent others from reading your screen in public spaces. + - point: Stay protected from shoulder surfers + priority: Essential + details: >- + Use privacy screens on laptops and mobiles to prevent others from reading your screen in public spaces. - - point: Educate yourself about phishing attacks - priority: Essential - details: >- - Be cautious of phishing attempts. Verify URLs, context of received messages, and employ good security practices like using 2FA and not reusing passwords. + - point: Educate yourself about phishing attacks + priority: Essential + details: >- + GenAI drove a 1200% phishing surge in 2025; cross-verify via known channels and use AI-flagging tools like those in Gmail or Outlook. - - point: Watch out for Stalkerware - priority: Essential - details: >- - Be aware of stalkerware installed by acquaintances for spying. Look out for signs like unusual battery usage and perform factory resets if suspected. + - point: Watch out for Stalkerware + priority: Essential + details: >- + Be aware of stalkerware installed by acquaintances for spying. Look out for signs like unusual battery usage and perform factory resets if suspected. - - point: Install Reputable Software from Trusted Sources - priority: Essential - details: >- - Only download software from legitimate sources and check files with tools - like [Virus Total](https://awesome-privacy.xyz/security-tools/online-tools/virus-total) before installation. 
+ - point: Install Reputable Software from Trusted Sources + priority: Essential + details: >- + Only download software from legitimate sources and check files with tools + like [Virus Total](https://awesome-privacy.xyz/security-tools/online-tools/virus-total) before installation. - - point: Store personal data securely - priority: Essential - details: >- - Ensure all personal data on devices or in the cloud is encrypted to protect against unauthorized access. + - point: Store personal data securely + priority: Essential + details: >- + Ensure all personal data on devices or in the cloud is encrypted to protect against unauthorized access. - - point: Obscure Personal Details from Documents - priority: Essential - details: >- - When sharing documents, obscure personal details with opaque rectangles to prevent information leakage. + - point: Obscure Personal Details from Documents + priority: Essential + details: >- + When sharing documents, obscure personal details with opaque rectangles to prevent information leakage. - - point: Do not assume a site is secure, just because it is `HTTPS` - priority: Essential - details: >- - HTTPS does not guarantee a website's legitimacy. Verify URLs and exercise caution with personal data. + - point: Do not assume a site is secure, just because it is `HTTPS` + priority: Essential + details: >- + HTTPS does not guarantee a website's legitimacy. Verify URLs and exercise caution with personal data. - - point: Use Virtual Cards when paying online - priority: Optional - details: >- - Use virtual cards for online payments to protect your banking details and limit transaction risks. + - point: Use Virtual Cards when paying online + priority: Optional + details: >- + Use virtual cards for online payments to protect your banking details and limit transaction risks. 
- - point: Review application permissions - priority: Optional - details: >- - Regularly review and manage app permissions to ensure no unnecessary access to sensitive device features. + - point: Review application permissions + priority: Optional + details: >- + Regularly review and manage app permissions to ensure no unnecessary access to sensitive device features. - - point: Opt-out of public lists - priority: Optional - details: >- - Remove yourself from public databases and marketing lists to reduce unwanted contacts and potential risks. + - point: Treat App Installs as Long-Term Decisions + priority: Optional + details: >- + Installing a new smartphone or desktop app usually means granting an ongoing data relationship: background telemetry, crash reports, analytics and + push notifications. Before installing, ask whether you trust the vendor with years of behavioral data and whether the website version would be sufficient. - - point: Never Provide Additional PII When Opting-Out - priority: Optional - details: >- - Do not provide additional personal information when opting out of data services to avoid further data collection. + - point: Opt-out of public lists + priority: Optional + details: >- + Remove yourself from public databases and marketing lists to reduce unwanted contacts and potential risks. - - point: Opt-out of data sharing - priority: Optional - details: >- - Many apps and services default to data sharing settings. Opt out to protect your data from being shared with third parties. + - point: Never Provide Additional PII When Opting-Out + priority: Optional + details: >- + Do not provide additional personal information when opting out of data services to avoid further data collection. + - point: Opt-out of Data Sharing in Your Own Accounts + priority: Optional + details: >- + Many apps and services default to sharing data with "partners" or ad networks. 
Periodically review privacy settings in your main accounts + (email, browser, phone OS, major apps) and turn off options like "personalized ads", "product improvement", and "sharing with third parties". - - point: Review and update social media privacy - priority: Optional - details: >- - Regularly check and update your social media settings due to frequent terms updates that may affect your privacy settings. + - point: Review and update social media privacy + priority: Optional + details: >- + Regularly check and update your social media settings due to frequent terms updates that may affect your privacy settings. - - point: Compartmentalize - priority: Advanced - details: >- - Keep different areas of digital activity separate to limit data exposure in case of a breach. + - point: Compartmentalize + priority: Advanced + details: >- + Keep different areas of digital activity separate to limit data exposure in case of a breach. - - point: WhoIs Privacy Guard - priority: Advanced - details: >- - Use WhoIs Privacy Guard for domain registrations to protect your personal information from public searches. + - point: WhoIs Privacy Guard + priority: Advanced + details: >- + Use WhoIs Privacy Guard for domain registrations to protect your personal information from public searches. - - point: Use a forwarding address - priority: Advanced - details: >- - Use a PO Box or forwarding address for mail to prevent companies from knowing your real address, adding a layer of privacy protection. + - point: Use a forwarding address + priority: Advanced + details: >- + Use a PO Box or forwarding address for mail to prevent companies from knowing your real address, adding a layer of privacy protection. - - point: Use anonymous payment methods - priority: Advanced - details: >- - Opt for anonymous payment methods like cryptocurrencies to avoid entering identifiable information online. 
+ - point: Use anonymous payment methods + priority: Advanced + details: >- + Opt for anonymous payment methods like cryptocurrencies to avoid entering identifiable information online. color: indigo 
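Review bot: the rewritten 'Educate yourself about phishing attacks' item drops the only actionable guidance the old text had (verify URLs and the context of a message, use 2FA, don't reuse passwords) and replaces it with an unsourced figure, `GenAI drove a 1200% phishing surge in 2025`; keep the original advice and, if the statistic stays, cite it the way the intro cites the IBM report, otherwise it reads as marketing copy. The hunk also re-indents every unchanged checklist item (`- - point:` becomes `+ - point:`), which buries the handful of real changes (the 'takin' to 'taking' typo fix, the new 'Treat App Installs as Long-Term Decisions' item, the renamed and expanded 'Opt-out of Data Sharing in Your Own Accounts' item and the phishing rewrite) in whitespace noise; a separate whitespace-only commit would make the substantive diff reviewable and individually revertable.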
@@ -1893,75 +2118,80 @@ your devices and your data. This section outlines some basic methods for physical security checklist: - - point: Destroy Sensitive Documents - priority: Essential - details: | - Shred or redact sensitive documents before disposal to protect against - identity theft and maintain confidentiality. + - point: Destroy Sensitive Documents + priority: Essential + details: | + Shred or redact sensitive documents before disposal to protect against + identity theft and maintain confidentiality. - - point: Opt-Out of Public Records - priority: Essential - details: | - Contact people search websites to opt-out from listings that show persona - information, using guides like Michael Bazzell's Personal Data Removal Workbook. + - point: Opt-Out of Public Records + priority: Essential + details: | + Contact people search websites to opt-out from listings that show personal + information, using guides like Michael Bazzell's Personal Data Removal Workbook. Where available (for example under the California Delete Act), + use one-stop mechanisms to send deletion requests to registered data brokers. - - point: Watermark Documents - priority: Essential - details: | - Add a watermark with the recipient's name and date to digital copies of - personal documents to trace the source of a breach. + - point: Watermark Documents + priority: Essential + details: | + Add a watermark with the recipient's name and date to digital copies of + personal documents to trace the source of a breach. - - point: Don't Reveal Info on Inbound Calls - priority: Essential - details: | - Only share personal data on calls you initiate and verify the recipient's phone number. + - point: Don't Reveal Info on Inbound Calls + priority: Essential + details: | + Only share personal data on calls you initiate and verify the recipient's phone number. - - point: Stay Alert - priority: Essential - details: Be aware of your surroundings and assess potential risks in new environments. 
+ - point: Stay Alert + priority: Essential + details: Be aware of your surroundings and assess potential risks in new environments. - - point: Secure Perimeter - priority: Essential - details: Ensure physical security of locations storing personal info devices, minimizing external access and using intrusion detection systems. + - point: Secure Perimeter + priority: Essential + details: Ensure physical security of locations storing personal info devices, minimizing external access and using intrusion detection systems. - - point: Physically Secure Devices - priority: Essential - details: Use physical security measures like Kensington locks, webcam covers, and privacy screens for devices. + - point: Physically Secure Devices + priority: Essential + details: Use physical security measures like Kensington locks, webcam covers, and privacy screens for devices. - - point: Keep Devices Out of Direct Sight - priority: Essential - details: Prevent devices from being visible from outside to mitigate risks from lasers and theft. + - point: Keep Devices Out of Direct Sight + priority: Essential + details: Prevent devices from being visible from outside to mitigate risks from lasers and theft. - - point: Protect your PIN - priority: Essential - details: Shield your PIN entry from onlookers and cameras, and clean touchscreens after use. + - point: Protect your PIN + priority: Essential + details: Shield your PIN entry from onlookers and cameras, and clean touchscreens after use. - - point: Check for Skimmers - priority: Essential - details: Inspect ATMs and public devices for skimming devices and tampering signs before use. + - point: Check for Skimmers + priority: Essential + details: Inspect ATMs and public devices for skimming devices and tampering signs before use. - - point: Protect your Home Address - priority: Optional - details: Use alternative locations, forwarding addresses, and anonymous payment methods to protect your home address. 
+ - point: Protect your Home Address + priority: Optional + details: Use alternative locations, forwarding addresses, and anonymous payment methods to protect your home address. - - point: Use a PIN, Not Biometrics - priority: Advanced - details: Prefer PINs over biometrics for device security in situations where legal coercion to unlock devices may occur. + - point: Use a PIN, Not Biometrics + priority: Advanced + details: Prefer PINs over biometrics for device security in situations where legal coercion to unlock devices may occur. - - point: Reduce exposure to CCTV - priority: Advanced - details: Wear disguises and choose routes with fewer cameras to avoid surveillance. + - point: Reduce exposure to CCTV + priority: Advanced + details: Wear disguises and choose routes with fewer cameras to avoid surveillance. + - point: Guard Against Quantum-Enabled Surveillance + priority: Advanced + details: >- + Quantum sensors could enhance tracking by 2030; advocate for PQC in personal devices and minimize data trails now. - - point: Anti-Facial Recognition Clothing - priority: Advanced - details: Wear clothing with patterns that trick facial-recognition technology. + - point: Anti-Facial Recognition Clothing + priority: Advanced + details: Wear clothing with patterns that trick facial-recognition technology. - - point: Reduce Night Vision Exposure - priority: Advanced - details: Use IR light sources or reflective glasses to obstruct night vision cameras. + - point: Reduce Night Vision Exposure + priority: Advanced + details: Use IR light sources or reflective glasses to obstruct night vision cameras. - - point: Protect your DNA - priority: Advanced - details: Avoid sharing DNA with heritage websites and be cautious about leaving DNA traces. + - point: Protect your DNA + priority: Advanced + details: Avoid sharing DNA with heritage websites and be cautious about leaving DNA traces. color: lime
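Review bot: the new 'Guard Against Quantum-Enabled Surveillance' item mixes two unrelated threats. Post-quantum cryptography protects encrypted data against future quantum cryptanalysis, which the earlier 'Address Quantum Data Risks' item already covers, and does nothing against the sensor-based tracking this item names, so `advocate for PQC in personal devices` is not a physical-security control, and `Quantum sensors could enhance tracking by 2030` is a forecast with no source. Either drop the item or reduce it to its one actionable clause, minimizing data trails, which 'Protect your Home Address' and 'Reduce exposure to CCTV' already state more concretely. The 'persona' to 'personal' fix and the California Delete Act sentence in 'Opt-Out of Public Records' are good; the wholesale re-indentation of unchanged items here, as elsewhere in this patch, should go in its own commit so the content changes stand out.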