General "Privacy" Advice

In the absence of a specific adversary or threat model, here is some general advice. Others have said much the same thing elsewhere, but here it goes anyway:

Use a password manager.
-1Password
-KeePassX

Backup your data.
-Apple Time Machine, Apple Time Capsule
-Tarsnap
-Duplicity

Use full disk encryption.

Use two factor authentication.
-Google Authenticator
-Yubikey

Use a Gmail account to sign up for online accounts. Whoever controls this email address can re-set all of your passwords. Again, use two factor authentication. If you want to make it harder for an attacker, don't use this Gmail account for emailing other people. This will make it a little bit harder to discover the email address you use to create online accounts.

Update your software.

Use an adblocker.
-uBlock Origin is good.

Use Chrome or Chromium.

Uninstall Flash. Cremate it and throw its ashes into the sea.

Use an iPhone. If you can't afford an iPhone, use an iPod touch with a dumb phone for voice calls.

Use encrypted messengers instead of email, whenever possible (Signal > Wire > WhatsApp > iMessage).

Sometimes an unencrypted voice call is safer than an end-to-end encrypted message, if your adversary isn't a signals intelligence agency. People can be compelled to turn over logs. Writing things down sucks, prosecutions suck, and civil litigation sucks. Lawyers, politicians, and bankers understand this. They know when to speak and when to write. Be like them. Of course, an end-to-end encrypted voice call is the ideal (use Signal).

Keep your home address off of the internet. Use a UPS box (NOT a Post Office Box) to receive packages and for filling out forms that ask for your address.

Keep your life details off of the internet. Life is short and stalkers are not fun.

More in the same vein from the grugq here: https://gist.github.com/grugq/353b6fc9b094d5700c70

Solid points all around. What advice would you have to roll back some of the stuff folks have done, such as using a PO Box or using their real name or PII on the web?

Cheers

As far as PII goes, you can Google your name and search the various "people finder" sites. They usually have a contact page where you can request that they take down your information. After you get your information taken down, supply your new UPS box information to Amazon, your bank, your local library, and any other sites or businesses that have your address on file.

PO Boxes are bad because the Post Office will often publish the home address you give them to the local White Pages, which will get crawled and posted automatically by "people search" sites. Private post boxes such as the ones offered by UPS won't do this, although they do require proof of your home address, and will provide this information in response to a warrant. An added benefit of the UPS box address is that it looks like any normal address; your box number is listed as an "apartment number." Generally, you can give this address to anyone who asks for it, although you may run into problems if you give this address to the IRS or your state's department of motor vehicles (sorry this is fairly US-centric). For your vehicle, you can deal with this problem by registering it to a trust or to a LLC, in a jurisdiction that does not publish the names of LLC partners.

These sorts of measures go a long way towards protecting you from stalkers, vexatious litigants, debt collectors, and marketers, but definitely not the state. A decent & motivated private investigator or bail bondsman will probably not be deterred by these steps, alone. However, they will only work as hard as they are paid. If they can't find you before their client runs out of money, then you win.

As far as using one's name online goes, it's really best to never use one's real name online, but of course this isn't an option for many people who make a living under their real name, such as journalists, independent lawyers, and others. If that's you, it's best to strongly compartmentalize your professional and personal lives online. If you use Facebook to keep in touch with friends, don't also use it to advertise your law firm or publicize your journalism. Create a public Facebook profile for that. Make sure that your "personal" Facebook has appropriate privacy settings and be circumspect about adding new "friends." Common sense stuff.

If you're looking for a job, you don't need to put your resume online. If you have a public portfolio of your work, such as art work, fiction, design work, a Github, etc, then publish this information under a pseudonym, and reference this pseudonym on your resume, which you can email directly with your job application. No, this is not exactly tradecraft-level stuff, but your resume has really revealing information on it. It shouldn't be online, no matter what Linkedin would have you believe. I don't have a single friend who ever got a job through Linkedin, and I've never heard of anyone who did. It's mostly spam. And a massive privacy disaster. Asking people in $yourfield out to coffee is a far more productive way to find a job, imho.

If you hold a security clearance, you really shouldn't have a Facebook or Linkedin. I totally get that this is burdensome. That doesn't mean it's not the right way to go. Sorry

Basically, a person you just blocked on Twitter shouldn't be able to be on Google Street View looking at the front of your house or apartment in under five minutes, although this is sadly possible for many or even most people.

Violet Blue's "The Smart Girl's Guide To Privacy" is worth a read, as is "How To Be Invisible" by J.J. Luna.

Oh, and always lie about your birthday, unless you're talking to the IRS, the DMV, or the State Department.

Excellent postings! Thanks, Ethan! Of course, the best way to guard privacy is to stay off-line...but that's not really an option. Staying away from social media sites is always a nifty plan, too (especially Facebook, etc).

I would add stay away from Google products, this includes Chrome, loaded with spyware.

Whenever possible, use Firefox.

Here's the source code for Chromium:

https://chromium.googlesource.com/

When you find the spyware, could you let me know the line numbers? I'd be really curious to know. Thnx.

On a similar topic, we have tons of checklists on a lot of similar privacy and security related subjects in Umbrella App:

Google Play Store: https://play.google.com/store/apps/details?id=org.secfirst.umbrella

Amazon App Store: https://www.amazon.com/Security-First-Umbrella-made-easy/dp/B01AKN9M1Y

F-Droid Repo: https://secfirst.org/fdroid/repo

Github Repo:
https://github.com/securityfirst

Content is Creative Commons and available for reuse in various formats here:
https://github.com/securityfirst/Umbrella_content

Hello,

What Data of Mine Does Chrome Send to Google?

A unique ID (for installation): Originally to measure installation success rate, but kept around after that.

A unique string: A code string that Google says is non-identifying, and used to measure the success of Google's Chrome promotion/marketing campaigns.

Bookmarks and other sync data: Like your Gmail, Docs, and other personal effects, Google keeps the data you want synced between browsers on its own servers.

Searches, or partial searches, for auto-complete suggestions: Almost entirely so that Google can throw you back some relevant results.

http://lifehacker.com/5763452/what-data-does-chrome-send-to-google-about-me

I think you're missing the point. Neither Chrome/Chromium or Firefox are a good choice if your intention is to hide your browsing activity from advertising networks, including Google. If you want to browse the web anonymously, then Tor Browser is for you.

As for the other points, Firefox also syncs your bookmarks, Google has your searches and Google Docs either way, and Google is probably going to get your browsing history, since they have several ways of identifying you, including your IP address, your operating system, your system architecture, your browser version, the add-ons/extensions you have installed, 3rd party cookies, the Google Analytics code embedded in millions of the websites that you may visit, and more. This remains true whether you use Firefox or Chrome/Chromium or Safari or Internet Explorer.

Hiding from 3rd party advertisers writ large is hard. You can lock down either Firefox or Chrome/Chromium by installing an ad blocker like uBlock Origin and/or this extension (for Chrome only) which is actually developed by one of the people who frequents this forum. This will make things slightly better, but this still isn't anonymity (if you want that, by all means, use Tor Browser).

I like Chrome because it does a better job at protecting the user from malicious links and scripts via sandboxing. It's simply a better, more modern browser. I generally recommend it to people who want to pick a major browser, and who aren't going to install/use Tor, because of usability issues (no, the CAPTCHAs aren't the Tor Project's fault at all, of course, but that doesn't change the facts). I frequently use Tor Browser as a daily driver, but I am a masochist. Tor is not in the above list for the same reason PGP isn't there. I've had very little success in getting normal people to use it. Geeks? Yes. Activists with real threat models? Yes. Others, not so much.

You are right to be concerned about Google tracking you, but unfortunately, simply choosing Firefox doesn't empower you to opt out of that tracking.

If you would like a browser for daily use that does a good job of protecting users from 3rd party advertising networks, but which won't involve the latency or the CAPTCHAs you will unfortunately encounter using Tor Browser on the day-to-day, then you might take a look at a new company called Brave, which was founded by the co-founder of Mozilla. Brave is designed specifically to block ads and prevent tracking. Their principal security engineer is an alum of the Tor Project, as well.

https://brave.com/

Oh, but it's a Chromium fork, so maybe it's spyware. ¯\(ツ)/¯

Of course, you shouldn't have to take the snark of some rando on the internet at face value. Here's a lecture on private browsing from MIT's Computer Systems Security course, which helpfully explains the various ways in which your assumptions are wrong:

Ok you convinced me I was wrong, I am going to install Chrome or Brave.

I could edit my post if necessary but then your replies would look out of place, I will leave the post.

Thank you for the information

I'm glad that I didn't just manage to piss you off (which wasn't my intention, although that was certainly one possible outcome).

Browsers are just pretty awful, unfortunately, and the web itself is a burgeoning trashfire from a privacy/security perspective.

If you really want to stick it to to the man, you could run Tor Browser in a Qubes OS VM, which will make up for the fact that Firefox is missing some of the security & isolation properties that Chrome has, since Qubes offers you a robust way to manage the compartmentalization that Firefox lacks.

One nice thing I can say about Firefox is that it's less of a RAM hog than Chrome. Part of Chrome's security/isolation/robustness architecture involves creating a new process for each tab you open, so that each tab has its own rendering engine (instead of one rendering engine for the whole browser, so that if this hangs, the whole browser hangs). Unfortunately, this can cause your whole system to start paging out to the point of thrashing pretty quickly, when running Chrome, depending on how much RAM you have (which just means that your computer doesn't have enough resources to serve all of those processes, so it starts tapping out like a wrestler who has had enough).

Qubes OS is obviously a pretty non-trivial setup, but if you're gung-ho about privacy and security, I don't want to deter you at all. Qubes is quite easy to install if your machine has the necessary hardware spec prerequisites. It's as easy to install as Ubuntu and the Qubes desktop gets prettier and more intuitive with every release (they use XFCE now, they dropped KDE, which was a great decision).

Absent the Qubes OS route, using Brave or Chromium for day-to-day secure browsing alongside Tor Browser for private browsing is probably the least painful option. I also really recommend this Chrome extension:

https://noncombatant.org/2014/03/11/privacy-and-security-settings-in-chrome/

...along with uBlock Origin and HTTPS Everywhere.

Thanks for being willing to re-consider your opinions. It's a rare human trait. I strive to strike a similar balance between sticking to my guns and re-evaluating things based on new information. Occasionally I succeed. Good talking with you

Here's news to reinforce concerns about social media monitoring by law enforcement. It's an interactive map from the Brennan Center for Justice. Here is the URL for the article...
https://www.brennancenter.org/analysis/map-social-media-monitoring-police-departments-cities-and-counties):

and here is a synopsis...
Map: Social Media Monitoring by Police Departments, Cities, and Counties
November 16, 2016
Social media monitoring products are becoming an increasingly popular tool among local governments and police. Social media monitoring technology provides the capability to constantly monitor and archive information on millions of people’s activities, and can be used by law enforcement to probe posts on sites such as Facebook, Twitter, Instagram, and YouTube for information on protests, potential threats, breaking news, and more. This map depicts cities, counties, and law enforcement agencies across the United States that have spent at least $10,000 on social media monitoring software, according to public reports and information from the government procurement database SmartProcure.

What's that burning smell? Oh right it's Firefox Browser... again.

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

Amazing work, Ethan!

That's not my work. I was just linking to the email which disclosed the vulnerability, to make a (pretty petty, if I'm honest) point about Firefox.

I did not discover/write/disclose that exploit. I'm just linking to public info.

Sorry if that wasn't clear.