When talking about online privacy, most people I know make use of the now famous «I have nothing to hide» phrase. However, these are the same people who hide the read status of Whatsapp conversations, who hide the phone when looking for a photo in the gallery, and who don’t leave the office if they haven’t logged out the session on the computer.

Evidently, I know that if you hide the phone when you look for a photo in the gallery, it is because you do not want me to see some other you have there. When you hide the read statuses in Whatsapp conversations I know that your intention is that the other person does not know when you read it and on that basis reproach you if you have not responded. Privacy should not be confused with secrecy, it isn’t about no one knowing what we are doing.

• When you go to the bathroom you close the door even though everyone knows what you are doing inside. You want privacy, not to be observed, respect for your intimacy and space.
• Even if you have nothing to hide, you don’t give anyone all the passwords to your online accounts so they can watch what you are doing at every moment.
• Saying you have no interest in privacy is like saying you have no interest in freedom of speech because you have nothing to say.

And the fact is that privacy is not about Facebook or Google seeing or not what you are doing in their app and then using it to show you more “relevant” ads, but it is a universal right of every human being that is being abused by these corporations and by governments for the control and prediction of people’s behavior, whether for economic, social or political purposes. Its violation inevitably makes it possible for others to influence your behavior as an individual, changing it to their advantage to the detriment of your existence in El reino de este mundo.

Something forgotten about freedoms

Giving up such a freedom to someone never brings anything good, and even less so when that someone has a certain amount of power over you.

A similar case to privacy is copyright. Centuries ago, the user gave up his freedom to make copies of the books he bought, because it was a freedom he could not exercise due to the fact that it is not common for a person to have a printing press at home with the capacity to print books on a large scale. These laws rather affected publishers, who could only publish a book if the author received a share of the profits, and could not take advantage of them. The result was that authors could devote themselves full time to producing more knowledge, as their financial solvency improved. However,

Copyright law no longer acts as an industrial regulation; it is now a draconian restriction on the general public. It used to be a restriction on publishers for the sake of authors. Now, for all practical purposes, it is a restriction on a public for the sake of publishers.

Extracted from Copyright and Globalization in the Age of Computer Networks

Nowadays, and in my own experience as it happened to me recently with the first and last book I buy on Amazon Kindle, one can not

(…) lend a book to a friend, borrow it from the public library, sell it to a second-hand bookstore or buy it anonymously without leaving a record in a database of who bought it. And perhaps even the right to read it twice.

Excerpted from Copyright and Globalization in the Age of Computer Networks

These are freedoms that are being usurped from the hands of users for the benefit of publishers by Digital Rights Management (DRM). Gradually, very subliminally, new restrictions are being imposed, sometimes in Terms of Use that are impossible to read. Of course, consenting to this would mean ceding to the publishers those basic rights over what we can or cannot do with a book that we have bought and that is ours.

I come from a country that 80 years ago was the most developed in Latin America, and because of concessions of freedoms to people with the capacity to exercise power over us, today we are, without fear of being mistaken, the last in all economic, social and political lines. Nothing justifies ceding a personal right to someone without the real, guaranteed and immediate capacity to recover it with the minimum effort. In the words of Benjamin Franklin, “Those who would give up essential liberty, to buy a little temporary safety, deserve neither liberty nor safety”, and that is precisely the curse that has fallen upon what was once La tierra más hermosa que ojos humanos hayan visto.

Well, these examples are exactly the same as the compromises that are made in the realm of online privacy. We allow governments and companies to know what we do, what we watch, how long we watch it, how and with whom we communicate, what we buy, what we support, when we go to protest, what political opinions we hold. These are concessions we make in exchange for watching a video on TikTok or seeing, between ads, the latest photo of that friend that Facebook wanted us to see, at this very moment because an algorithm trained and fed with our behavior has determined that this image will make us stay on the platform, so that they can continue to show ads and make money.

Real life problems

—But what do I care, if anyhow they already have all that information? What do they use it for, to show me ads?— says a friend, who continues —Well, sometimes I even see good deals on what I’m looking for and I take the opportunity to buy. If I have to see ads, at least they should be relevant, right? Besides, what I want is to follow the content of that influencer, see the photos uploaded by my friends and watch videos on TikTok.

That’s the most common response I’ve come across when talking about this topic. Evidently, as the saying goes, “out of sight, out of mind”. No one sees what happens behind the scenes. But let’s put it another way: Do you think it’s right that

Apps access your precise location 24/7

• “We’ll access your location to show you more relevant results for nearby restaurants,” says that app we have on our phone. But it never says it will save every two seconds your precise location to then sell it to the highest bidder. Keep in mind that the highest bidder may be your employer, to know what time you leave and enter work. And let’s be serious, although it is not a widespread practice so far, it could very well be the case and no one would agree to this being done, much less with personal information collected behind your back. Tell me, what will you do when this happens? Isn’t it better to take precautions so that it is never possible?
• Insurance companies, at least in the US, use this information to determine how often you go to the doctor and correspondingly raise your rate.

Companies and governments check your conversations

• Most used communication services already have access to your messages, and governments also force them to create backdoors through which they have real-time access to your communication.

Dissemination of hate speech

• Hate and extremist speeches are spread for the simple fact that they are the ones that make people react the most, stay on the platform, and therefore make the most money.
• Have you ever felt that those with ideologies opposed to yours are jerks or mercenaries, but then you talk to a lifelong friend and realize that he thinks that way and he is neither a jerk nor a mercenary. This is because social networks turn us into assholes by showing us extremist speeches and not the reality. How many times have you gone out on the street, to the bar, or seen at the bus stop someone shouting everything that is said on social networks? Seeing that many people supporting something, and especially if the supported subject is more or less in line with your current believes, makes us automatically and irrationally believe that this is the right thing to do when in a normal situation it would be analyzed carefully.

Information is manipulated

• We live in an information bubble controlled by others, by those in power. When we search on Google for a certain term, the results differ (sometimes completely) because the search engine’s suggestions are based on our entire search history, in our behavioral profile, and on what Google thinks is “better for you”.

You are being spied on the platforms

• So you think it’s OK for Google, Facebook, Amazon, etc., to see everything you do on their platform, to save even that post or message you started to write but didn’t send, and then use this information to create a profile of you and influence you for economic, political and social purposes.

You are spied outside of the platforms

• Is it right that algorithms are applied on all information that is collected on you, even when you are not a user of the “service” or are directly on their platforms, to make models of your personality more accurate than what a family member or friend might predict? Plus, it’s neither warned nor optional to be spied on by large corporations on almost the entire internet.

Being sold to the highest bidder

• Is it right that these platforms do not inform users that their data is being sold to the highest bidder, for unknown purposes? Data that identifies you as an individual, that tells where you go every day, who you meet, what you eat, when you drop your kids off at school and where you are at this very moment?

To be spied on by the state itself

• That the states spy on their citizens with security excuses?
  • In the case that your country has laws that say that the state cannot spy on its own citizens, there is a convention called 14 eyes, and it is very likely that other countries can spy on everything you do and then pass that information to your government agencies. Is this correct?
  • Is it right that governments, even if you use a VPN to decrease their spying, can store encrypted traffic so that when quantum computers exist in the future they can decrypt it and bring severe charges against you for having accessed TikTok 30 years ago using a VPN.

Being cheated

• Is it right that through intentionally created loopholes in already impossible to read Terms of Use, these companies can not only take what they claim to take, but much more that they don’t actually say?

And the list goes on

You can continue to dig into the personal, moral and human problems that come with the use of these platforms and the permissiveness on our part in the face of their denigrating actions in these other three articles:

• https://stallman.org/facebook.html
• https://salimvirani.com/facebook/
• https://vickiboykis.com/2017/02/01/what-should-you-think-about-when-using-facebook/

The last five seconds

Do you think you would sign an employment contract that says you have to wear a device that will monitor how many breaths you take per minute? Hey, and here you’d be getting paid, using all these online platforms you get absolutely nothing but small artificial doses of dopamine through content designed to manipulate you and make you spend more time embedded in that virtual world. I think you wouldn’t.

A study on human happiness showed that the key to a good life is spending time, physically, with the people you love the most. However, platforms like Facebook, TikTok, YouTube, etc., sell you their virtual universes (or shit-verse) as what you want and need to be happy, because their profits depends on it. Do you really allow yourself to be used that way, to be told what you need and what you want, even knowing it is a lie?

And I don’t deny that you can feel happiness through the use of these platforms by seeing what others do through a screen, and in my own experience this derives in that you are ultimately happy, but you don’t have a real life. That happiness depends on seeing the enjoyment and success of those influencers you follow, not yours or your loved ones.

Have you ever found yourself in a group of friends wanting to look at your phone to see what I Don’t Know Who has posted?

Have you ever wondered if that’s what you’d want to remember in the final five seconds of your life, when you look back and only have that last moment ahead of you to remember how happy you were. Although no one has lived to tell what came to his mind in those final seconds of existence, I believe I have the power to tell you that it is the people he spent his life with and the things he did with them that he remembered. Stop reading here, take three minutes with your eyes closed, thinking about the happy times you spent with your family, that puppy you had, or when you were a kid running around barefoot with friends. Then imagine yourself in the final moment, falling into an abyss, with a smile on your lips remembering what you lived next to your loved ones in those moments when you were happy.

Do you think that the time you spent following your favorite influencer and what he/she said will be there? If yes, perfect, you are on the right track using social networks and invasive platforms, you don’t have to do or change anything at all. If not, try to have people closer, live the reality, even if sometimes it is difficult and you want to escape to the “perfect” life of others, do not waste yours. Obviously this takes a change of mentality with it, but to realize it, to hear that click that wakes you up from hypnotism, and to want to get out of it is the first and most important step.

How to protect yourself?

If you feel that in the future you want to take a little more responsibility in choosing the platforms you use, I recommend that you select the services based on the recommendations made in:

• Privacy Guides
• Privacy Tools

But above all, being a minimalist is key. Having as few accounts open and applications installed on your phone as possible will reduce the risks by 70%. Check those apps that you rarely use, delete their data first, log out, and delete it. Keep in mind that many of the applications you use can be accessed through a web browser. Using a browser prevents the companies behind the apps from accessing unnecessary permissions and data. You can check Twitter from your computer, order Uber Eats from your computer, buy a ticket from your computer, check the weather from a browser, etc. The fewer programs you have installed, the less security risks and privacy violations you will be exposed to.

Of course this is not to do it all in one day, and even less if you are one of those who have 300 applications on your phone.

Keep in mind that the recommendations that follow are from my point of view, and I am not a professional on the subject. If you want, and I strongly recommend it, you can see other guides or resources on how to protect your privacy, for example the Electronic Frontier Foundation (EFF) guides on self-defense against spying or the Go Incognito video series by Techlore.

First steps

1. The first and most important step from a security point of view is to use a Password Manager, to store and generate random and strong passwords for each service you have or will open. Having the same password for everything is a quite serious security vulnerability. For most people the free plan from Bitwarden should be the best option. However, see this guide for more information.
2. Use an email provider that respects your privacy. If you use Gmail or something similar they would be reading all your communication with the services you subscribed to, which would be more information about you recorded by them. Tutanota (affiliate link) or Protonmail are the two I have tried, and while they have different features, they both respect users’ privacy, which is why we are here. See this guide from Privacy Guides for more.
3. Start using a reliable VPN as much as you can. This will allow neither your Internet Service Provider (ISP), nor the government, nor anyone to see what you are doing online. Below is a section where I explain a combination of services that although it adds two more services to the list, they are very reputable and help a lot to prevent spying on you. As of today I use ProtonVPN’s free plan, and although it is true that the speed is affected, this has not been an impediment to my activities, including watching videos and movies. For more information see this guide from Pivacy Guides, or this comparison from Techlore.

Regarding the use of a VPN, it is true that this is not going to make you anonymous, but that is not our goal here. You can see this IVPN article to know the limits of a VPN. Of course if you log in to any platform, they will know it’s you even if you have an active VPN, cause you are logged in into your account. But really, what we are looking for with this is that the traffic between our computer and the service we are accessing is encrypted, so that the ISP can’t see where we are accessing and then use that browsing history to make profiles tied to our identity.

Before opening the account

First of all, do not open the account at the first time, wait a week and reevaluate if it is really worth having that service, if it is strictly necessary, if you couldn’t do the same with an application or program that you already have installed. If you decide to install it, then check the Terms of Use of the service you want to use, investigate if there are free alternatives, then see how complex they make the procedure to delete the account in case you don’t feel comfortable, and finally check if the application they provide has trackers or unnecessary permissions.

When opening your account

Avoid giving identifying information, especially your phone number, name and address. It is always preferable to use email, and in this case not your personal email, but an alias. Simplelogin (affiliate link) is a service that helps in this regard. The free plan lets you create up to 15 aliases, and the paid plan costs $30 per year (-50% for students). If one of the aliases is compromised in a data breach and you start receiving spam, you can simply generate another one and delete it.

Also use as much Two Factor Authentication (2FA) as possible, this ensures that if the password was compromised, they still have to pass this other barrier to access your accounts. There are several methods used as 2FA, for example sending you an SMS with a code, but this is not recommended as SMS are not encrypted and could be intercepted by the attacker. Another way is to use an application that generates a 6-digit numerical code. But definitely the most secure of all is the use of physical keys, such as the YubiKey, or even better by the exclusive use of free software, the NitroKeys (see this guide for more information). Personally I use the Aegis Authenticator application.

VPN, DNS and Portmaster

Even if you use a VPN, the apps or programs you have installed and collect your personal data will still do so. Windows, MacOS, Spotify App, Facebook App, Opera, etc. will still collect information about you and show you ads. Remember that a VPN only encrypts the connection so that those in the middle (ISPs, hackers, governments) cannot see it, but obviously the services do receive the requests you make and the data your device sends them. The question is then how do we make the software we use less invasive?

The computer

The solution is to not use invasive software in the first instance. If it is not possible for you to avoid this, then you can employ methods that, at the OS level, block the connections that these applications want to make to their servers, and which are known to be invasive. Although there are several alternatives such as AdAway or AdGuard, for example, the method I use is the following.

On the computer I have Portmaster installed, which already blocks most of the unwanted connections based on its own lists of malicious services, and I can also specify the DNS of my choice. Since I use NextDNS, I can select more malicious address blocking lists, and then in a way, prevent connections and data transfers to services that are known to violate people’s privacy even when they are not used. Even taking all these measures, and despite the fact that I never access Facebook, Amazon, Windows, or Apple, they have tried to obtain data about my browsing on thousands of occasions in recent months, as revealed in the report generated by NextDNS.

The following is the list of blocked services I have set up in Portmaster. Evidently, it is now that I saw the Big Tech options in the Portmaster list, as they seem to be new in the latest version. I have enabled them leaving only Google active.

NextDNS also provides a feature that protects you from native trackers of the operating system you use.

On top of all this, I have ProtonVPN on the free plan active all the time.

If I need to do something that requires a certain level of anonymity then I turn off the VPN and open Tor, thus getting the “trust in VP” variable out of the way.

A problem with this approach is that I have to trust 3 services to not log my data and browsing history: ProtonVPN, Portmaster, and NextDNS. Although the three have a a clean record and are OpenSource, I have still to trust them somehow with some amount of my data. But this is a compromise I accept to take.

I have seen a video on Techlore some time ago where they explored similar setups only with VPN and DNS services, but it was IVPN the only one with the capability to directly do such scheme.

On the phone

Ideally one would have a Pixel and install GrapheneOS, but until it is possible for you, you can look up how to remove all the system apps that are bloatware on Android using ADB. On iOS you have to screw yourself, sorry to tell you that phone is not yours.

In my personal case, I also use ProtonVPN on the phone, and have set in the system options to use NextDNS.

I also have as few apps as possible, around 40, although this number is quite high. Of course I am including F-Droid, Google Play, Downloads, SMS, Phone and others like that.

DNS?

A small parenthesis about DNS. When we introduce in the browser that we want to connect to duckduckgo.com, for example, this one communicates with a service known as Domain Name System (DNS), which returns to the browser the IP address it must request to be able to connect to duckduckgo.com, because the computers communicate by IP, not by URLs. Normally the DNS service is provided by default by your internet provider, and it is clear that the DNS can see what page you are connecting to, although it cannot see what you are doing on it, very similar to what the internet provider does. For this reason, it is imperative that we select a DNS in which we can place some trust, which in these matters is the one that has been around the longest without any known scandal. The DNS service I selected was NextDNS. This one has a good reputation as far as I know, and it is also very configurable. There are others like quad9, for example, but with less analytics and configurations (see this guide).

Browser

This is another important issue, since we do nothing if we take these measures and then use Zafari or Chrome as a browser, because the browser will always know, obviously, what you are doing, for how long, etc.

You can see here a complete list of the capabilities and functionalities of the most famous ones. You can follow this guide from Privacy Guides about the selection of browsers and extensions.

Communications

Here the important thing is to be sure that the service we are using encrypts our communication and does not try to track us. Personally I prefer Signal, but since everyone is on Whatsapp, I also have Whatsapp. In the future I plan to delete Whatsapp for good. You can see this guide to learn about the existing alternatives to Whatsapp.

What happens with Whatsapp is that, although they say that communications are encrypted, there is no way to know because the code is not free. Generally, governments, and more so the US government, demand backdoors to this type of services, so if the code is not open you can not be sure whether what they say is true or not, and much less if the one who says it is Mark Zuckenberg. Also, it is known that Whatsapp records where you’ve been, who you’ve talked to, how long you’ve talked for, etc. This allows them, using their models about you, to almost read the conversation you had without seeing it.

Delete unused accounts

One of the final steps is to delete as many accounts as possible. Before doing so and whenever possible, modify your personal information, and then close the account. The fewer accounts you have, the less likely you are to have security problems or to be tracked.

Testing

Once you have made all the changes, it is important that you are sure that they work. Some resources are the following:

• See how the trackers see your browser
• See if the DNS service doesn’t have any leaks](https://www.dnsleaktest.com/): when you run the test, I suggest the extended one, you should not see any other DNS provider than the one you have configured. If you see others, then there has been an error in the configuration process and that other DNS is taking also your requests.
• See if you have IP or DNS leaks

About hardware and software

A few months after you have started on this path, don’t expect it to be a weekend project, you should already have everything mentioned above up and running. Now, it is time to focus on the hardware, and the software linked to it.

Think about whether it is worth paying $1500 for a computer that, despite projecting the illusion that it is yours, is simply rented. Or if it’s worth paying $900 for a phone on which, like the computer, you can’t install the applications you want or the operating system you want. And yes, I know, maybe you are not one of those people who change operating systems or install applications obtained through alternative ways,¹ but back to the initial question of this whole issue: Do you think it is fair to pay overprice for a product that does not respect you as a user? Do you think you should give those companies the slightest personal right of yours in exchange for a product that comes with limitations?

But of course, there is no need to go to extremes when it is not necessary. The measures outlined above are not exhaustive, nor do they apply to everyone. Each person must establish what trade-offs he or she can make to achieve his or her objectives, and which ones he or she is not willing to let go. This process is known as Threat Modeling, and is usually the beginning of the journey. Deep dive with this last link, you’ll surface somewhere.

Note on encryption

I have read from some sources, as I seem to recall, that there are people and states that advocate a ban on encryption, i.e., that they would be guaranteed the ability to spy on absolutely everything that everyone does online. The justification given for such barbarity is that this would increase the security of citizens and the state.

The problem with this is that while anonymous and encrypted services like Tor and Signal can be used to plan or carry out actions against people and governments, the solution cannot be to take away everyone’s right to privacy equally, and another way has to be found. This is the equivalent of the government assigning you an agent who is at all times next to you looking at your screen, watching what you do, who you talk to, what you buy, etc. No one would accept this practice.

Apart from the fact that it is a universal right, there are people whose lives depend on using secure, anonymous and private communication services and internet access. Think of journalists, especially those living in countries with oppressive regimes, or people like Edward Snowden. Precisely here is another important point: if no one else but those people use encryption, then it would be very easy to identify them and occupy their tools, compromising their sources and self privacy and security. For this reason, the more people are using encrypted services related to privacy and security online for everyday tasks, the more noise there is, and the more complex it will be for anyone who tries to identify which part of all the traffic belongs to the person they are interested in.

Footnotes