Before anything else: who's actually after you?
Every tool on this page is useless without a threat model. That's not jargon. It means: who might want your data, what can they realistically do to get it, and what happens if they do? Answer that first. Then pick tools.
"I want fewer ad trackers" and "I need to keep a source safe" are not the same problem and they don't have the same solution. The first is handled with a browser extension and a VPN. The second requires a completely different posture around devices, communications, and identity. If you don't know which camp you're in, you're probably over-engineering the wrong things.
01 Name the adversary. Ad platforms, a litigious employer, a stalker, law enforcement, a nation-state. These actors have different capabilities, different goals, and different legal tools available to them. Trying to defend against all of them at once usually means defending effectively against none. Pick the realistic ones.
02 Know what you're protecting. Your real identity? Location? Communication graph? Content of conversations? Financial trails? Each is a different thing to protect, and spreading effort thin across all of them is how you end up with none of them secured. Prioritise.
03 Revisit it when things change. New job, new country, new project, new situation. Threat models shift. Treat it as a living document, not a one-time exercise you did in 2022 and forgot about.
VPN & Routing
A VPN moves trust. It shifts who can see your traffic from your ISP to the VPN provider. That's the whole thing. It does not make you anonymous. If your browser is signed into Google when you open a new tab, you're still identifiable regardless of what's running in the background.
What it's actually useful for: hiding activity from your ISP, protecting traffic on untrusted Wi-Fi and other hostile local networks, and bypassing regional blocks. After setup, run a leak test; browserleaks.com and ipleak.net are fine. Confirm DNS isn't still resolving through your ISP, that IPv6 isn't bypassing the tunnel, and that WebRTC isn't exposing your real address.
Mullvad VPN. No personal details required: you're issued a random account number, no email, no name. Pay cash or Monero if you want. WireGuard and OpenVPN both well implemented. Audits are published. If you're being serious about this, Mullvad is the answer.
Proton VPN. Swiss jurisdiction, open-source clients, independently audited. Secure Core bounces your traffic through an extra hop in a privacy-friendly country before it exits, useful if exit-node correlation is in your threat model. Works well with the rest of the Proton ecosystem.
Tor. Three relays, with a layer of encryption per relay, so no single relay knows both who you are and what you're requesting. Right tool when you actually need network-level anonymity rather than just ISP privacy. Slow by design. Use it when you need it.
Note: exit relays can be run by anyone, governments and other interested parties included, and an exit sees the plaintext of anything you didn't also encrypt, so keep to HTTPS. Anonymity is probabilistic, not guaranteed.
Tails. Boots from USB. Routes everything through Tor. Leaves nothing on the host when you shut down. Right tool when you need a clean session from hardware you don't fully trust. Journalists in hostile environments use it for a reason.
DNS & Resolvers
Before any request goes anywhere, a DNS lookup happens. Your default ISP resolver logs every single one. Even if your HTTP traffic is encrypted, your resolver knows exactly what domains you're hitting and when.
Switch to an encrypted resolver using DoH or DoT, and pick one that doesn't log. If you're on a VPN, confirm DNS resolves through it. Check at dnsleaktest.com.
| Resolver | Protocol | Logs | Operator | Notes |
|---|---|---|---|---|
| Mullvad DNS | DoH, DoT | None | Mullvad (SE) | Ad/tracker-blocking variants available. Natural fit with Mullvad VPN. |
| NextDNS | DoH, DoT, DoQ | Opt-out (on by default) | NextDNS Inc (US/EU) | Very configurable. Disable logging in settings first thing. Good blocklist control. |
| Quad9 | DoH, DoT | None | Non-profit (CH) | Swiss data protection. Blocks known malware domains by default. Solid general use. |
| Cloudflare 1.1.1.1 | DoH, DoT | Purged within 25 hours | Cloudflare (US) | Fast. KPMG-audited. Fine for most, but Cloudflare already fronts a large share of the web, so it sees more of your traffic than just DNS. |
| ISP default | Plain UDP/53 | Full | Your ISP | Logged, monetised, legally accessible. Replace it. |
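An added example, not from the page or any of the providers above: a systemd-resolved configuration that replaces the ISP default with an enforced DoT resolver from the table. It assumes a Linux host where systemd-resolved is the stub resolver; the addresses and hostnames are the published ones for Mullvad DNS and Quad9.

```ini
# /etc/systemd/resolved.conf

# Weak: what most machines run. DNS= empty means "use whatever DHCP handed out",
# almost always the ISP resolver, over plaintext UDP/53. Every lookup is logged.
# [Resolve]
# DNS=
# DNSOverTLS=no

# Corrected: no-log resolvers, TLS enforced, no silent fallback.
[Resolve]
# address#hostname: the hostname is what the TLS certificate is validated against
DNS=194.242.2.2#dns.mullvad.net 9.9.9.9#dns.quad9.net
# Empty list disables the compiled-in fallback servers (otherwise a failure here
# quietly sends queries elsewhere)
FallbackDNS=
# "yes" refuses to talk to a resolver that won't do TLS; "opportunistic" would
# fall back to plaintext on failure, which is exactly the leak you're fixing
DNSOverTLS=yes
# Route every domain to these servers, so per-interface DNS from DHCP on a
# Wi-Fi network can't take over specific queries
Domains=~.
```

Restart with `systemctl restart systemd-resolved`, then `resolvectl status` should list the two servers and show `+DNSOverTLS` under Protocols. Finish with dnsleaktest.com: if it reports your ISP, a per-interface setting or a VPN client is overriding this file. On a VPN that runs its own DNS (Mullvad does), let the VPN client manage it rather than layering both.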
Secure Comms
End-to-end encryption is the floor, not the ceiling. Metadata (who you talk to, how often, at what times) is often more useful to an adversary than the message content itself. Pick tools that minimise both.
For most people Signal is the right call. For email, Proton. The cases where you need more than that are specific and you'll know why you're in them when you are.
Signal. The Signal Protocol is the gold standard for messaging encryption; WhatsApp adopted it, which tells you something. Open source, audited, minimal metadata collection. Disappearing messages, sealed sender, note-to-self. Registration still requires a phone number, though usernames now let you keep it from your contacts. Use a VoIP number if identity separation is part of your setup.
Proton Mail. Zero-access encryption at rest: Proton can't read your stored inbox. Swiss jurisdiction. Has a .onion address; sign up over Tor if you want a clean identity. E2EE only applies when both parties are on Proton or you're using PGP. The to/from/subject headers are still metadata regardless.
Tuta (formerly Tutanota). German jurisdiction, open-source clients. Encrypts the subject line, which is unusual and genuinely useful. Good Proton alternative if you want to diversify or prefer being under EU regulatory scope. Calendar and contacts are encrypted too.
SimpleLogin. Generates email aliases that forward to your real address. Never hand out your actual inbox again; when a service gets breached, you kill the alias. Owned by Proton now, integrates cleanly. Addy.io is the alternative if you want self-hostable.
Matrix (Element). Federated; you can run your own homeserver. E2EE in DMs and private rooms, cross-signing for device verification. Good for coordinating a team without depending on a commercial provider. More setup than Signal, justified when the control matters. Encryption covers message content, not room membership or timing, which every homeserver in the room still sees.
Identity Hygiene
Compartmentalisation means keeping identities separated so that a breach of one doesn't unravel the others. Not paranoia. Blast radius management.
The most common failure mode isn't technical. Someone builds a careful setup, then reuses an old email or a username that traces back to a real name somewhere from 2015. One thread. Everything unravels.
01 Separate devices for separate identities. Browser profiles share one browser process and one user account; they separate cookies, not compromises. VMs are stronger, but escapes are real. If the separation has to hold, make it physical: different hardware, different network, different everything. Qubes OS is the practical middle ground if buying two laptops isn't realistic.
02 Unique accounts, aliases, numbers per identity. SimpleLogin or Addy for email. A separate VoIP number for registration. Privacy.com or equivalent for payment separation where available. Nothing crosses between identities. Not a shared extension. Not the same font list. Nothing.
03 Strip metadata before sharing files. Photos embed GPS coordinates, camera model and timestamp. Documents carry author name, revision history and software version. Run ExifTool or MAT2 before sending, and check the output rather than assuming. Use Dangerzone for documents whose source you don't fully trust.
04 Writing style is a fingerprint. Stylometric analysis can de-anonymise writing even when the whole technical stack is clean. Distinctive phrasing, punctuation habits, sentence rhythm. If you're running a pseudonym that needs to hold, write differently than you normally do, and do it consistently from the start.
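Item 03 says to strip metadata; this added example (not ExifTool, MAT2 or any project's code) shows what those tools are actually doing to a JPEG: identifying data lives in its own marker segments, and dropping those segments removes it without touching the encoded pixels. The sample file is constructed inline with valid segment framing and a fake Exif block; it is not a decodable picture.

```python
# Minimal JPEG metadata stripper. Added example, not ExifTool/MAT2 code.
import struct

SOS, APP0, APP1, APP14, COM = 0xDA, 0xE0, 0xE1, 0xEE, 0xFE

# Segments to drop: APP1 (Exif, XMP), APP2-APP13 and APP15 (ICC profiles, MPF,
# Photoshop resources, ...) and COM (free-text comments). Kept: APP0 (JFIF
# header), APP14 (Adobe colour-transform flag; removing it can change how a
# decoder interprets the channels) and every coding segment (DQT, SOF, DHT, SOS).
STRIP = {COM} | {m for m in range(0xE1, 0xF0) if m != APP14}

NAMES = {APP0: "APP0", APP1: "APP1", APP14: "APP14", COM: "COM",
         0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", SOS: "SOS"}


def segments(data: bytes):
    """Yield (marker, offset, length) for each segment up to and including SOS.
    Everything from SOS to EOI is entropy-coded scan data and is returned as one
    opaque chunk: metadata only lives in the marker segments before it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data) - pos
            return
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        yield marker, pos, 2 + seg_len
        pos += 2 + seg_len
    raise ValueError("truncated JPEG: no SOS segment")


def list_segments(data: bytes) -> list[str]:
    """Segment names in file order, the check to run before and after cleaning."""
    return [NAMES.get(m, f"0x{m:02X}") for m, _, _ in segments(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy SOI plus every non-metadata segment; pixels are left as they were."""
    out = bytearray(b"\xff\xd8")
    for marker, off, length in segments(data):
        if marker not in STRIP:
            out += data[off:off + length]
    return bytes(out)


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (used only to construct the sample below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample. A real APP1 holds a TIFF structure with GPS, Make/Model
# and DateTimeOriginal tags; the text here just stands in for that payload.
SAMPLE = (
    b"\xff\xd8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00")
    + _seg(APP1, b"Exif\x00\x00GPSLatitude=51.5N;Make=ACME;DateTime=2024:05:01")
    + _seg(COM, b"shot by jdoe on laptop-7")
    + _seg(0xDB, b"\x00" + bytes(64))             # quantisation table
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")      # scan header, one component
    + b"\x12\x34\x56\x78"                         # stand-in for entropy-coded data
    + b"\xff\xd9"                                 # EOI
)

if __name__ == "__main__":
    print("before:", list_segments(SAMPLE))
    print("after: ", list_segments(strip_jpeg_metadata(SAMPLE)))
```

This is the mechanism, not a replacement for the tools: `exiftool -all= photo.jpg` and `mat2` also handle PNG, HEIC, PDF and Office files and know the format edge cases. Two things stripping never does: it leaves the pixels alone, so a timestamp overlay, a reflection or a screen in the background stays in the picture, and it does nothing for a file you've already shared. Verify the result rather than trusting the tool: `exiftool cleaned.jpg` should show only dimensions and encoding parameters.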
Devices & Operating Systems
Software security means nothing when the hardware or OS is compromised. Most people can get most of the way there with full-disk encryption, a sane OS config, and not running random executables as root. That's already more than most do.
Qubes OS. Each app, browser session and network zone runs in its own Xen VM. A browser compromise can't touch your work files because they live in a separate VM entirely. Disposable VMs for one-off tasks. Hardware requirements are real, learning curve is real. Worth it when your threat model calls for it.
GrapheneOS. Hardened Android, Pixel hardware only. Hardened memory allocator, verified boot, per-app network/sensor/storage permissions, sandboxed Google Play that you can install or skip entirely. Right answer for a private Android phone. Install with the official installer. Don't flash random builds from forums.
Full-disk encryption. LUKS2 with Argon2id on Linux; VeraCrypt if you need cross-platform support or hidden volumes for plausible deniability. FDE protects against physical seizure of a powered-off machine. It does nothing for a running or suspended system, whose key is sitting in RAM, or for a compromised OS. Enable it, use a strong passphrase, and don't leave machines unlocked and unattended. On Linux, cryptsetup luksDump shows the header version and PBKDF actually in use.
coreboot / Heads. Replaces proprietary BIOS/UEFI with open firmware. Heads adds measured boot and TPM attestation so you can verify the boot chain hasn't been tampered with. Relevant if physical interdiction or supply-chain firmware compromise is in scope. Supported hardware is a short list (certain ThinkPads, Librem and NitroPad devices); check it before buying.
Passwords & Auth
Unique password for every account. No exceptions. If that sounds like a lot of effort, that's what password managers are for. One service gets breached with a reused credential and it gets tested against your email, bank, and everything else within hours. Credential stuffing is automated and runs constantly.
Bitwarden. Open source, audited, zero-knowledge. Self-host with Vaultwarden if you'd rather run the server yourself. Works everywhere. Use a long Diceware passphrase for the master. Enable a hardware key for vault access.
KeePassXC. Fully offline. The vault is an encrypted file you sync yourself; Syncthing handles this well. Nothing touches a server anywhere. Hardware-key unlock works via YubiKey or OnlyKey HMAC-SHA1 challenge-response, not FIDO2. Right choice when you don't want to trust any cloud infrastructure with your credentials.
YubiKey. FIDO2 hardware key. Phishing-resistant because the credential is bound to the origin that registered it: a lookalike domain can't obtain a usable assertion. Buy direct from Yubico. Get two: one to use, one backup stored somewhere secure, and register both on every account. Enable on every high-value account that supports it.
Nitrokey. Open-source hardware alternative to YubiKey. Firmware is fully auditable. Also works as a hardware OpenPGP card. German company. Good choice if open hardware is part of your model.
Browser Fingerprinting
Modern tracking doesn't need cookies or IP addresses. Browsers leak subtle signals: screen resolution, installed fonts, timezone offset, GPU and driver behaviour. The Canvas API gets abused to generate stable identifiers because different hardware, drivers and software stacks produce slightly different pixel output from the same drawing instructions, and a hash of that output survives cookie clearing.
Network anonymity tools help, but the browser is often the strongest identifier in the chain. A unique browser fingerprint follows you across VPN exits and Tor circuits alike.
Mullvad Browser. Designed to reduce fingerprinting entropy on the clearnet. Applies Tor Browser-style hardening without requiring the Tor network. Defaults tuned to make users look like each other rather than unique. Pairs well with a VPN. Not a routing anonymity tool.
Tor Browser. Currently the most mature anti-fingerprinting implementation available. Rounds the window size, restricts fingerprinting APIs, isolates sites into separate circuits and storage contexts, reduces entropy from rendering behaviour. Network and browser layer protection in one, as long as you don't resize the window or add extensions.
Firefox. Can be made reasonably private with configuration. Disable telemetry. Keep extensions minimal. Turn on privacy.resistFingerprinting, which also brings the canvas permission prompt. Out of the box it's not there, but it's the most configurable mainstream option.
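The section above says hardened browsers work by making users look alike rather than by hiding. This added example (not code from Tor Browser, Mullvad Browser or Firefox) shows the arithmetic behind that claim: a fingerprint is a hash over many small signals, and what each signal costs you is measured as surprisal, the bits of identifying information in how rare your value is. The population is constructed for illustration, not survey data, and the canvas values are tokens standing in for a real rendered-pixel hash.

```python
# Fingerprint entropy arithmetic. Added example; constructed population.
import hashlib
import math


def fingerprint(signals: dict) -> str:
    """Stable identifier from a bundle of signals, independent of key order.
    A real tracker feeds in dozens of attributes; the principle is the same."""
    canon = "|".join(f"{k}={signals[k]}" for k in sorted(signals))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def surprisal_bits(population: list[dict], attr: str, value: str) -> float:
    """Identifying information in one observed value: -log2(share of the
    population with it). 0 bits = everyone has it; log2(N) = you alone."""
    share = sum(1 for p in population if p[attr] == value) / len(population)
    return -math.log2(share)


def anonymity_set(population: list[dict], signals: dict) -> int:
    """How many browsers in the population are indistinguishable from `signals`."""
    fp = fingerprint(signals)
    return sum(1 for p in population if fingerprint(p) == fp)


def total_bits(population: list[dict], signals: dict) -> float:
    """Bits needed to single this browser out of the population."""
    return math.log2(len(population) / anonymity_set(population, signals))


# Hardened browsers report a rounded window, the bundled font set, a UTC clock
# and a blocked (or per-site randomised) canvas, so their bundles coincide.
HARDENED = {"screen": "1400x900", "fonts": "bundled-set", "tz": "UTC", "canvas": "blocked"}

# Stock browsers leak the real screen, the installed font list, the local
# timezone and a hardware-specific canvas rendering. Tokens are constructed.
POPULATION = [dict(HARDENED) for _ in range(6)] + [
    {"screen": "1920x1080", "fonts": "f-9a1", "tz": "Europe/Berlin", "canvas": "c-77e2"},
    {"screen": "2560x1440", "fonts": "f-3c4", "tz": "Europe/Berlin", "canvas": "c-18b0"},
    {"screen": "1366x768", "fonts": "f-0b7", "tz": "America/Chicago", "canvas": "c-f4d9"},
]

if __name__ == "__main__":
    for label, b in (("hardened", HARDENED), ("stock", POPULATION[-1])):
        print(label, fingerprint(b), "anonymity set:", anonymity_set(POPULATION, b),
              "bits to identify:", round(total_bits(POPULATION, b), 2))
```

With nine browsers, the six hardened ones share one fingerprint and cost about 0.58 bits to narrow down, while each stock browser is unique at log2(9) bits; scale the population to the real web and the gap is the difference between "one of millions" and "this machine". The same surprisal metric is what EFF's Cover Your Tracks reports per attribute, and fonts and canvas typically carry the most bits, which is why the hardened browsers above standardise exactly those. It also shows why blocking a single API in an otherwise stock browser doesn't help: a rare "canvas blocked" value is itself high-surprisal unless everyone else reports it too.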
Operational Practice
The tools are easy. The habits are the hard part. Most operational failures aren't technical. Someone forgets which identity they were using. They get comfortable and skip a step. They reuse something across contexts once because it seemed fine at the time.
01 Pre-operation checklist. Before anything sensitive: right device, right profile, VPN confirmed and tested, correct identity materials loaded. Write it down and use it. Checklists exist because stress and routine both make you skip obvious things at exactly the wrong moment.
02 Need-to-know is a real principle. Every additional person who knows something is additional attack surface. Not because they're untrustworthy, but because people get socially engineered, devices get seized, and people make mistakes. Fewer who know means fewer vectors.
03 Policy over in-the-moment judgment. Social engineering works because humans are wired to help, especially under time pressure or apparent authority. Policies remove the decision. "I do not share credentials over any channel" is not a judgment call. It's a rule. Rules are much harder to manipulate than situational reasoning.
04 The physical layer is real. Screens readable in coffee shops. Conversations overheard in offices. A device left unlocked when you step away. Hotel rooms searched. CCTV covering your workspace. None of this cares how good your encryption is. Lock the screen. Watch your environment. Treat sensitive work as sensitive in every context.
05 Review after the fact. What was necessarily exposed? What could have been exposed less? Did compartments hold? Any unexpected contact or anomalies? This is how you improve, not by assuming everything was fine because nothing visibly went wrong.