This section explains privacy risks associated with regular internet activity from your home network and phone - who can see your web activity and how it can be associated with you. We will discuss three main mitigation strategies - VPNs, secure DNS servers, and hardened web browsers with privacy-centric configurations for each.
It is important to distinguish between privacy and anonymity for this guide -
- Privacy - who can see your data
- Anonymity - whether that data is associated with you
All online activity leaves traces that can be collected by various entities that supply web-based services -
- Browsing history, search queries, and device fingerprints (IP, hardware, OS, browser config)
- Behavioral patterns (mouse movement, clicks, scrolling, keystrokes, session timing)
- Location and network data, including nearby Wifi and Bluetooth devices
- Social activity, friend graphs, posts, likes, and profile views
- Private emails, messages, and cloud storage contents
- Purchase history, payment methods, and shopping behavior
- Media consumption and playback behavior
- Cookies and cross-device tracking that links all your devices to one profile
This data might seem benign, but it is very valuable and can be further enriched by associating it with your identity. Companies engaged in tracking behavior seek to combine all of the unique data points about your online activity into a profile that defines you, your demographic, your interests, and ultimately how likely you are to buy certain things when presented with advertisements at a particular time and place. These profiles are traded in a behavioral futures market that represents an entire sector of the US economy, and is strategically opaque so as to keep users from understanding its mechanisms so that it can escape social backlash and government regulation while continuing to produce profits.
While most of the threats discussed here are from the private sector, no legal barriers exist between these companies and the government. In the US, the Supreme Court upholds the Third Party Doctrine, which states that information shared with third parties loses all constitutional protection. You can assume that any entity with your information can be compelled to produce it in response to a court order from law enforcement. To make matters worse, governments and big tech corporations have been creating increasingly dubious partnerships that blur the line between them, and corporate influence in politics and law works to bend the system in their favor.
This is to say that crucially, you have no control over your information once it is made available, and no way to verify who has it, how it is stored, and how it may be used.
This system is arguably a breach of the Fourth Amendment which protects “the right of the people to be secure in their persons, houses, papers, and effects”, but falls short when users give up this information “voluntarily”. Have you ever read a privacy policy? Only 11% of people do, most stating that the documents are too long or too hard to understand. This is by design. Companies in this market are incentivized to obfuscate or needlessly complicate their tracking and telemetry practices on the basis that most people don’t have the time or energy to read every privacy policy they encounter. They will justify their actions by framing this trend as “people don’t care”, but I believe that most people do care, and simply don’t know what to do about it. This is a new problem for humanity, and we have yet to develop mutual cultural ethics around digital privacy. Never before have individuals needed to maintain hundreds of digital accounts, or interact with systems that so aggressively and covertly pursue their information.
An additional risk associated with this system is that vast stores of information create power asymmetries. To illustrate this, we can model countries with no internet privacy, like China and Russia. These countries have highly centralized power structures, and they collect information about their citizens through ubiquitous mass surveillance systems because they know one simple fact - information confers power.
Companies in the US know this too, so they engage in eerily similar mass surveillance practices, but it is done in the name of economic growth (at least on paper) rather than state control. But what happens when the state takes an interest in surveillance practices as we saw with the Snowden leaks in 2013, and as we are seeing now with a sharp bend toward authoritarianism and state power centralization in the current US administration? The risk is that this surveillance apparatus will be transformed into something that can be used to control, manipulate and suppress people, just like China and Russia. We are already seeing evidence of this transformation at the time of writing in early 2026.
The internet was not intended to be used as an authoritarian tool, but its capabilities make it the perfect candidate. What started as a vector of free speech and expression now becomes a means to the exact opposite. I have seen this transition in my lifetime and there will soon be people that know no different. The generational dissolution of resistance to online tracking, and the lack of education on how it is accomplished, will work in their favor.
Online privacy in America is rapidly in decline, and because we can observe what happens in societies without it, I believe that online privacy and anonymity is a democratic principle that must be protected. Educating yourself and building your own digital suite of privacy tools is one of the simplest and most impactful things an individual can do to resist the proliferation of this system. This document is intended to be a “zero to hero” style guide with step-by-step instructions and no required prerequisite knowledge. Completing it along with 11. Leaving Big Tech is most optimal.
We will start by looking at the various tracking mechanisms employed on the web.
Threat Model
I have limited the scope of this guide specifically to using the internet through a web browser with a typical computer or mobile device. Some aspects of surveillance like cellular tracking, IoT devices and wearables are relevant concerns but expand the scope of this particular section more than I would like. These will be covered in other sections of this guide.
The threat models listed below are a stack and not singular occurrences, meaning one action (like loading a web page), can trigger all threats.
ISP Logging
Your internet service provider (ISP) attempts to log all of your internet traffic. Typically, internet connections are made with the HTTPS encryption protocol, which does not reveal the content of the request, but the ISP can see the names (domains) of the websites you visit. An unencrypted HTTP request is fully exposed, but modern browsers do not allow these types of requests without a warning. An ISP holding your entire internet history poses the following risks:
- Your ISP can be subpoenaed by law enforcement to obtain your internet activity.
- Every major US ISP sells your activity to third party data brokers for ad targeting.
- ISPs will often manipulate or inject trackers into requests.
- You don’t know their data security standards. A data breach could expose your information.
- Since your ISP knows your real name and address, all of your internet activity is associated with you, meaning you have no online anonymity.
- Your ISP also knows various details about your home network - how many and what type of devices you have, your network configuration, and usage patterns (when devices connect/disconnect, sleep schedules). These can be used to make inferences about your daily routine and household activity, which can be used to create a more valuable profile product.
IP-Based Tracking
When you connect a device to the internet, it is assigned a globally unique IP address that identifies your device. In the US, this identifier is not typically cycled, meaning you could have the same IP attached to your device for years. This is convenient for ad companies who can cross-reference your traffic between sites and build a profile on you to sell to other entities for ad targeting. IP addresses can also be approximately geolocated - good enough for regional ad targeting but not accurate enough to pinpoint your address.
Cookies and Trackers
Cookies are small pieces of data that your browser stores at the request of websites and emails that can be accessed by other sites.
- First-party cookies - embedded by the site you are visiting (login sessions, preferences). For non-aliased services (where your real credentials are used) these cookies can contain sensitive identifying information.
- Third-party cookies - embedded by external domains loaded by the website (ads, analytics).
Trackers are scripts, pixels, or other resources embedded in web pages and emails that read and write data from cookies and send it to third-party services like ad networks. Because these ad networks are embedded across many websites, our browsers send the same cookies to them regardless of which site we’re on. This is how these ad networks can track our internet activity across domains and build behavioral profiles on us. The cookies tie everything together, and if they are not anonymized, then all of this data is connected to you.
Cookies and trackers can persist across browsing sessions and remain active even after closing the browser. Session cookies are deleted when the browser closes, and persistent cookies have explicit expiration dates, often months or years. Additionally, trackers often store identifiers in multiple locations (localStorage, cache), allowing them to evade deletion from typical processes and even “respawn” after deletion (zombie cookies).
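The cross-site linking described above can be reproduced with a small simulation. This is an added example, not part of the original guide; the tracker, the browser model, and every domain name in it are constructed. It compares a classic shared cookie jar with a jar partitioned by top-level site and with third-party cookies blocked.

```python
from collections import defaultdict
from itertools import count

TRACKER_DOMAIN = "tracker.example"  # constructed ad-network domain


class Tracker:
    """Server side of a constructed ad network embedded on many sites."""

    def __init__(self):
        self._next_id = count(1)
        self.profiles = defaultdict(list)  # cookie value -> sites it was seen on

    def handle(self, cookie, embedding_site):
        # No cookie presented: mint a new identifier for this browser.
        uid = cookie or f"uid-{next(self._next_id)}"
        # The embedding page is known from the request's Referer/Origin.
        self.profiles[uid].append(embedding_site)
        return uid  # value sent back in Set-Cookie


class Browser:
    """Cookie jar under three policies: classic, partitioned, or blocked."""

    def __init__(self, policy="classic"):
        if policy not in ("classic", "partitioned", "blocked"):
            raise ValueError(policy)
        self.policy = policy
        self.jar = {}

    def visit(self, site, tracker):
        if self.policy == "blocked":
            # The request is still made, but no cookie is sent or stored.
            tracker.handle(None, site)
            return
        # classic: one jar entry per cookie domain, shared by every page.
        # partitioned: the jar is additionally keyed by the top-level site.
        key = (TRACKER_DOMAIN, site if self.policy == "partitioned" else None)
        self.jar[key] = tracker.handle(self.jar.get(key), site)


# Constructed browsing session; each site embeds the same tracker.
SITES = ["news.example", "shop.example", "clinic.example", "news.example"]


def simulate(policy):
    """Return (identifiers seen, most distinct sites linked to one identifier)."""
    tracker, browser = Tracker(), Browser(policy)
    for site in SITES:
        browser.visit(site, tracker)
    widest = max(len(set(sites)) for sites in tracker.profiles.values())
    return len(tracker.profiles), widest


if __name__ == "__main__":
    for policy in ("classic", "partitioned", "blocked"):
        ids, widest = simulate(policy)
        print(f"{policy:12} identifiers={ids} sites linked to one identifier={widest}")
```

With the classic jar, one identifier covers all three sites. In the other two cases the tracker still receives each request, so the IP address and browser fingerprint remain available to it.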
Account-Based Tracking
When you use an SSO or Federated Identity provider to log into a service (e.g. “Sign in with Google, Facebook, Microsoft”), you share identifying information you have given to the provider with the service you are signing into (typically your email, name, and profile), and the provider knows that you just signed into that service. So even if you try to anonymize an account by providing alias information, clicking “Sign in with Google” defeats the anonymity. Also, Google now has these services as data points to continue building out your behavioral profile.
This tracking is particularly pervasive because now that Google has identified your browser session, it can associate your identity with all Google trackers you encounter during that session. Keep in mind that Google trackers exist on 55% of all websites, and 86% of the top websites on the internet in 2026. Additionally, they can track you across devices if you use SSO on your phone, laptop, tablet, etc, something that cookie-based tracking struggles with.
Additionally, all of your activity and personal information on these big tech platforms is collected, stored, sold, fed to ML models, and distributed fractally to numerous third-parties, even things that should be private like emails and cloud storage contents.
Browser-Based Tracking
Using a proprietary browser like Chrome, Edge, or Safari transmits all of your internet activity to Google, Microsoft or Apple respectively. Browsers vary in their privacy standards, security mechanisms, and ecosystems of tools and extensions. Your selection of browser is a very important decision with regards to privacy and anonymity.
Fingerprinting
Beyond IP based tracking, a newer method of user ID called “fingerprinting” has become a common threat. A web service can scrape dozens of attributes about your browser and device and combine them to create a unique identifier. There is some debate on whether fingerprinting can even be defeated with browser configuration, because the act of resisting fingerprinting can often make you stand out among normal web traffic. This is true with custom configurations on common browsers, but some browsers have developed solid strategies to defend against it. Mullvad for instance, normalizes all browser signals for its users so they all look the same so that you blend into the crowd of Mullvad users, while Brave combats it by constantly randomizing the fingerprint so trackers can’t link sessions.
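To make the trade-off above concrete, the following added example (not from the original guide) models a tracker that hashes browser attributes and compares four defenses: none, a lone custom tweak, normalization, and per-session randomization. The visitors, attribute values, and strategy names are constructed, and the code models only the two ideas the text attributes to Mullvad and Brave, not either browser's implementation.

```python
import hashlib
import secrets
from collections import Counter

# Constructed visitors; every value here is invented for the example.
USERS = [
    {"user_agent": "BrowserA/120 Linux", "screen": "1920x1080",
     "timezone": "UTC-5", "fonts": 212, "canvas": "a91f03"},
    {"user_agent": "BrowserA/120 Windows", "screen": "2560x1440",
     "timezone": "UTC-8", "fonts": 340, "canvas": "5c77e2"},
    {"user_agent": "BrowserB/119 macOS", "screen": "1440x900",
     "timezone": "UTC+1", "fonts": 198, "canvas": "0be4d9"},
    {"user_agent": "BrowserA/120 Linux", "screen": "1920x1080",
     "timezone": "UTC-5", "fonts": 215, "canvas": "77a0c4"},
]

# One fixed set of values reported by every user of a normalizing browser.
UNIFORM = {"user_agent": "BrowserN/1", "screen": "1400x900",
           "timezone": "UTC", "fonts": 50, "canvas": "000000"}


def fingerprint(attrs):
    """Tracker side: hash the sorted attributes into one identifier."""
    canonical = "|".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def present(attrs, strategy):
    """Browser side: the attributes a page can read in one session."""
    if strategy == "none":
        return dict(attrs)
    if strategy == "custom":
        # A lone hand-tuned setting: one signal hidden, the rest untouched.
        return {**attrs, "canvas": "blocked"}
    if strategy == "normalize":
        return dict(UNIFORM)
    if strategy == "randomize":
        # Fresh noise per session, so the hash changes every time.
        return {**attrs, "canvas": secrets.token_hex(8)}
    raise ValueError(strategy)


def evaluate(strategy, users=USERS):
    """Measure uniqueness in one session and re-identification in the next."""
    first = [fingerprint(present(u, strategy)) for u in users]
    second = [fingerprint(present(u, strategy)) for u in users]
    crowd = Counter(first)
    return {
        "distinct": len(crowd),                 # identifiers the tracker sees
        "smallest_crowd": min(crowd.values()),  # users sharing the rarest one
        # Users whose second-session hash matches a hash unique to them.
        "relinked": sum(a == b and crowd[a] == 1 for a, b in zip(first, second)),
    }


if __name__ == "__main__":
    for strategy in ("none", "custom", "normalize", "randomize"):
        print(f"{strategy:10} {evaluate(strategy)}")
```

The "custom" row matches "none": hiding one signal leaves the remaining attributes unique and stable, which is the weakness of hand-tuned settings the paragraph describes.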
DNS Logging
When you visit a website, your browser first queries a DNS server to translate the domain name to an IP address. These requests are unencrypted by default. Your ISP and anyone on your local network can see these requests, and they are susceptible to man-in-the-middle attacks.
Public Wifi Networks
Requests made over public wifi can be viewed by the owner of the router and intercepted by others connected to the network.
Threat Response
These threats can seem overwhelming, but consider that most can be mitigated by three things - a VPN, secure DNS, and a hardened web browser. These tools are well within the average person’s ability to obtain and configure, and will take no more than a couple of hours to set up with this guide. We can fill in the gaps by adopting new anti-tracking digital habits, learning how to scrutinize privacy policies, and moving away from big tech.
We should recognize that full anonymity and privacy is practically impossible. Our goal is to find the right balance between privacy and functionality, and have high standards of trust for the tools that we will use to respond. It follows that this guide is not fit for extreme threat models like stalking and abuse, and is not a recipe for “digital disappearance”. If this is your situation, contact an expert directly.
Virtual Private Networks (VPN)
A VPN is a tool for internet anonymity. Its core functionality is masking your IP address from your ISP and the websites you visit by encrypting your requests and routing them through VPN servers before reaching their destination. When this happens, the websites and services you visit see your traffic as a VPN server instead of your device, and your ISP only sees that you connected to a VPN. Your real IP address is concealed.
Internet without VPN -
- Your device → ISP → internet → website
- No encryption, your ISP can see what website you requested.
- No routing, the websites you visit see your real IP address.
- Remember that your traffic is valuable data to your ISP and your IP address is valuable data to the websites you visit. Both will be exploited.
Internet with VPN -
- Your device → encryption → ISP → VPN server (new IP address assigned) → internet → website
- All traffic is encrypted (HTTP, HTTPS, DNS - not just HTTPS).
- Your ISP only sees that you connected to a VPN server, and the websites you visit see the IP address of the VPN server, not your real one.
- This is an effective opt-out of third-party data sharing at this level. You provide nothing of value to your ISP, and websites cannot exploit your IP address. You are still vulnerable to other tracking techniques we will work on later.
Another great feature of VPNs is that it allows you to bypass geo-locked content and censorship. You can connect to VPN servers all over the world, and since your traffic appears to come from that country, you will receive the website experience one would receive from that country. Check out the Japanese version of Netflix or view content that is pay-walled in the US for free.
VPNs can run on most devices. I insist on installing them on all devices on my home network, phones included. All of the above information also applies to mobile VPNs except you can replace “ISP” with “mobile data provider”.
VPNs can be installed in different ways with varying levels of protection -
- Browser extension - protects only your browser activity
- Computer or phone application - protects all traffic from your computer or phone
- Hardware - can be configured on compatible routers to protect all devices on your network
For our threat model and to limit the scope, we will only discuss computer and phone applications.
When to use a VPN
The short answer is always by default.
There are certain situations where VPNs are problematic or redundant -
- Fraud aware services like financial accounts may not work properly
- They may trigger identity verification prompts - using a VPN makes your traffic look somewhat more “fraudulent”. You also may perpetually fail “Are you a real human” verification.
- They may cause you to be temporarily blocked from services who monitor for bot activity. Connecting to a new VPN server usually mitigates this.
- Connecting to a service that knows your real name with a VPN is redundant.
There are also situations where it is critical to use a VPN -
- Torrenting or P2P file sharing.
- Accessing data-hungry services that would seek to monetize your interaction data or cross-identify you.
- When connected to a public WiFi network.
- Performing any kind of activism or resistance to corporations and governments.
- Doing anything online you would wish to keep private.
Choosing a VPN
The simplest and most common way to use VPNs is through a centralized VPN provider. You will download an app onto your device that connects to the VPN’s proprietary servers and pay for it ideally with an anonymous payment method. VPN providers will know your real IP address and possibly the websites you visit, so a level of trust is required between you and the provider. Also, since different countries have different privacy laws, the physical location of the company has legal implications that can affect the security of your data, usually in regards to court ordered audits.
You should look for VPNs with the following characteristics -
- Does not store logs, though you can never be sure of this.
- Encrypts internet traffic in-flight.
- Encrypts their physical servers.
- Has high standards of physical security for their servers.
- Based in a country outside of the 14 Eyes foreign intelligence-sharing agreement. These countries routinely share intercepted communications and can request or pressure each other’s companies for data.
- Will ask no personal information of you, and take anonymous payment methods like mailed cash or masked cards.
- Does not store, sell, or abuse any of your information whatsoever.
- Paid service - if you don’t pay for the service you should not expect any of the above requirements to be met, no matter what they advertise.
My official recommendation that meets all of these requirements is ProtonVPN.
ProtonVPN
ProtonVPN can be acquired standalone or as part of the Proton Unlimited plan. I recommend the Unlimited plan which gives you a Google-esque suite of digital tools including email, calendar, cloud storage, VPN, and password manager. If you are following this guide, I will recommend other Proton tools later, so the Unlimited plan is the best choice.
Proton is based in Switzerland, a country with some of the strongest privacy protections in the world, which is also outside of the 14 Eyes agreement mentioned before. This is good for privacy because any request for user data must go through the Swiss courts and will be subject to strict Swiss privacy laws.
ProtonVPN is open-source and independently verified for security. Every year they publish a no-logs audit conducted by independent experts who verify their no-logs claim. It has encrypted DNS connections and built-in ad and malware blockers, so if you decide to skip the DNS section of this guide, this VPN is an adequate solution for secure DNS. All connections support WireGuard end-to-end encryption standards and use Perfect Forward Secrecy (PFS) key rotation techniques, meaning that each VPN session uses a short-lived encryption key that cannot be used again.
I have used ProtonVPN for many years across every major OS and have had almost no issues. The worst I have encountered is reliability issues on a particular niche Linux distro, and occasional bandwidth issues with certain servers, which you can expect occasionally and fix by quickly selecting a different server. The app has been running silently and automatically on my phone since the day I purchased it. I never even think about it.
Configure ProtonVPN
If you don’t already have a Proton account, create one. Make sure to pay anonymously with strategies from 7. Private Payments. Paying for VPNs with a credit card containing your real name connects your internet traffic to you.
Next, download the ProtonVPN app onto your phone and computer and sign in.
Always-on VPN (AKA Killswitch)
The killswitch is a VPN setting that, when enabled, blocks internet access entirely if the connection to the VPN is lost. While I like the idea of this feature, I personally do not enable it on my computer because I have to turn off my VPN often enough for it to be a nuisance. I do have it enabled on my phone, but this is personal preference. I recommend enabling this feature.
To enable this feature on a mobile device, you will need to go to your phone’s VPN settings (not ProtonVPN) with the app installed, tap ProtonVPN, and enable Always-on VPN.
Start on device start up
Configuring the app to start when the device starts up is important. The Always-on VPN setting accomplishes this on mobile, but for computers, you will need to follow the process for configuring startup apps depending on your operating system.
Other settings
More granular settings below apply to both phones and computers -
- Enable VPN Accelerator
- Enable IPv6
- Enable Auto Connect - type a VPN server name that the app will connect to on start up. For now you can go back to the home screen and click Quick Connect, which will connect to the fastest server. Record this server name and type it in the Auto Connect field.
- Turn off “share anonymous crash reports”
- Make sure Connection Protocol is WireGuard
- If you do not want to set up a custom DNS server, enable NetShield.
- If you do want to set up a custom DNS server, note the setting now. You will see an empty text field that we will soon populate with the address of a private DNS server we will create ourselves.
Choosing Servers
You don’t have to choose servers; clicking Quick Connect will connect you to the fastest server (likely near you) and is sufficient for most threat models. You can, however, connect to any one of hundreds of ProtonVPN servers in the world. Your choice of country will have different privacy and security implications, and will affect the speed of the connection, but you still get great benefits from using a VPN regardless of the country.
For better privacy or higher risk threat models, consider the following -
- Avoid servers in 14 Eyes countries - Proton claims to encrypt traffic and store no logs. On the off chance that they don’t keep this promise, we can mitigate any potential audit of our internet traffic by routing through servers in countries where surveillance cooperation and data-sharing treaties don’t apply. Even though ProtonVPN is headquartered in Switzerland (outside 14 Eyes), servers physically located in 14 Eyes countries may have their traffic monitored at the infrastructure level, or have their servers seized by local intelligence agencies.
- Use Secure Core servers - Route your VPN traffic through two servers instead of one. Your connection first passes through a very high-security server in a privacy-friendly country (Switzerland, Iceland, or Sweden) before exiting through your chosen destination server. If an attacker compromises or monitors the exit VPN server, they can only trace traffic back to the Secure Core server, and not to your real IP address. This is particularly useful if you must for whatever reason connect to a server in a country like Russia, where servers are more likely to be compromised. In this case you would use CH-RU#1 - routing you through Switzerland before connecting to the Russian server.
VPN Advocacy
An interesting list of countries engage in VPN blocking - which is the rejection of the encryption protocol that VPNs use and the blacklisting of IP ranges from known servers. Additionally, we have already discussed that using a VPN can get you temporarily blocked from big tech services like YouTube and Google. There is growing online sentiment and disinformation against the use of VPNs and some US states have already introduced legislation to ban them. The usual stated reasons for such laws are age verification (VPNs can circumvent it), fraud prevention, and fighting online crime. While these are valid concerns, it is important that solutions to problems do not infringe on our privacy rights.
VPNs are obviously disliked by centralized power sources like authoritarian governments and large corporations for a few reasons -
- VPN users hide their valuable behavioral data.
- VPNs subvert institutional control of media by allowing you to access geo-blocked or censored content.
- Activism and dissent are harder to trace and suppress.
- Law enforcement cannot obtain logs for evidence in criminal courts.
- VPNs are often used for obtaining copyright protected content in ways that bypass restrictions.
In light of all of this, I believe this technology should be widely adopted and protected. The argument that encryption and anonymity is suspicious becomes less compelling as more people embrace the principles. Using VPNs is an act of resistance against mass surveillance, censorship, and data harvesting. We should be aware of anti-VPN messaging and legislation and fight for our right to use them.
Domain Name Resolution Servers (DNS)
As stated in the threat model, visiting a website results in two internet requests we need to protect - the request to the website and the request to a DNS server. We have covered requests to the website with VPNs, so now we must address the DNS request. DNS servers exist all over the world to translate IP addresses into human-friendly URLs - (64.233.160.0 → google.com). These requests are unencrypted and logged by your ISP by default, meaning they have a list of every website you have visited. If your home internet is in your real name, all of this traffic is associated with you and can be easily obtained by law enforcement in the US.
Using a VPN is an adequate threat response because they route DNS queries through their own secure servers, hiding them from your ISP. With ProtonVPN, this routing is fully encrypted with no logging. Enabling NetShield also gives you some protection from ads, trackers and malware, which is one of the main benefits of a custom DNS server.
If you already set up ProtonVPN, you can stop here and be very well protected. Next, we will set up a custom DNS server using NextDNS.
NextDNS
NextDNS is a “DNS as a service” platform. You will take ownership of a partition of a remote server that will be used to process your DNS requests. You can access and configure this server from a web browser. NextDNS has some benefits over Proton’s DNS handling -
- Greater control of ad, tracker, and malware blocking with huge repositories of blocklists you can easily toggle.
- More security features.
- Functions even when disconnected from VPN.
- Custom rules (e.g. blocking requests to all google domains).
- Parental controls (block time wasting sites).
- View all traffic coming from your device (most apps send data without your knowledge).
- You control the logging setting, which is respected by NextDNS according to their privacy policy.
Server setup
- Create a NextDNS account with alias credentials. See Creating new accounts.
- You can create profiles with different settings. Each profile will have its own URL you can connect to. I prefer to have one profile for computers and one profile for phones because phone ad blocking strategies can be a bit different.
Connect your computer to the server
- On the home screen of the NextDNS profile, refer to the setup guide for your device to connect. For Linux, I recommend the command-line client -
  sh -c "$(curl -sL https://nextdns.io/install)"
- Connect to https://test.nextdns.io/ and verify status = ok
- Configure ProtonVPN to use our NextDNS server.
- Disconnect from the VPN
- In ProtonVPN settings, toggle Custom DNS Servers on
- In the Add a New Server field, paste the IPv6 address from your NextDNS profile home page. It is ok to not use DNS-over-TLS or DNS-over-HTTPS because Proton encrypts the DNS traffic itself. We do not need two layers of encryption.
- Re-connect to the VPN
- Configure your browser to NOT use their own DNS servers and default to the device servers. This setting is covered later in this guide.
In this configuration, we will still use the NextDNS server even when we disconnect from the VPN. I have noticed a quirk on Linux where disconnecting from the VPN requires a restart of the NextDNS server by running the command nextdns restart.
Connect your phone to the server
Phone setups are a little different because the ProtonVPN mobile app actually respects the global device DNS setting. We do not need to configure ProtonVPN to use the DNS server, only the phone. In this process, ensure you are assigning DNS-over-TLS or DNS-over-HTTPS addresses to your phone. If this is not possible, you will want to configure it in the VPN instead.
The following steps are for GrapheneOS -
- Go to phone Settings → Network & Internet → Private DNS
- Toggle Private DNS provider hostname and paste your DNS-over-TLS address and hit Save.
Server settings
Log into your NextDNS instance and configure the following settings. Each setting has a detailed description within NextDNS.
- In the NextDNS Profile Security tab
- Enable DNS Rebinding Protection
- Enable Block Newly Registered Domains (NRDs)
- Enable Block Dynamic DNS Hostnames
- Enable Block Parked Domains
- In the Privacy tab
- Click Add a Blocklist and browse the options, choose any that seem useful. This is the core feature of NextDNS where you can configure detailed blocklists for ads, trackers, and malware. I recommend NextDNS Ads & Trackers Blocklist, OISD, and AdGuard Mobile Ads filter.
- In Parental Controls tab
- Block addictive or time wasting websites
- In Settings tab
- Disable Logs
- Clear logs
- Turn on Bypass Age Verification
- If you want to make another profile with similar settings, you can duplicate it here.
Logs
A great feature of DNS servers is the ability to view ALL traffic coming from your device. Turn on logs and play around on a device, you can see every request made by every app on your device. Use this information to create detailed deny lists if you wish. Remember to delete and turn off logs after experimenting.
Private Browsers
Your browser is the tool we use to access the web and it goes without saying that your choice of browser and its setup greatly affects your privacy and anonymity on the web.
Because we have done a lot of work to anonymize our web traffic and block trackers at the device level, we can narrow our threat model for browsers a bit - we will focus on security, fingerprinting, and telemetry. Good native tracking protection from a browser will be considered a nice-to-have and regardless of anything I still recommend installing an ad blocker extension to cover some things that DNS tracking protection might miss.
Choosing a Browser
We want to take into account privacy, security, and anonymity for our choice of browser, and seek the following characteristics -
- NOT a proprietary product from a big-tech company that collects your data or seeks to build and sell user profiles. This immediately rules out Chrome, Edge, Safari, or Firefox. A note on Firefox - until 2025, Firefox was a solid choice for privacy, but they have recently introduced a dubious Terms of Use and updated their privacy language to remove promises that they would never sell user data.
- Solid fingerprinting protection - with the caveat that current protections are not bulletproof.
- No telemetry or disabled telemetry by default.
- Open-source for security auditing.
- Good security track record - widely adopted, frequent updates, and timely security patches.
- Good balance of usability and privacy - anti-tracking mechanisms can degrade user experience.
We have a few different modern, privacy-centric browsers to choose from, all of which roughly fit these requirements and have various advantages and disadvantages -
- Brave
- Tor Browser
- Mullvad Browser
- Librewolf
- Waterfox
- Vanadium
I encourage you to research these browsers on your own as you may prefer something different than my recommendation. Truthfully, my recommendation is not very strong and I believe that any of the above browsers are sufficient for our threat model. You can find more information with the following links -
For this guide we will choose and set up Brave browser for Linux and Android.
Brave Browser
Brave is my choice for this guide because it offers a great balance between usability and privacy. It is very easy to use and set up, and feels very familiar for users coming from Chrome since it is based on Chromium. Brave has its own native ad and tracker blocking mechanism, Brave Shields (no extensions needed). This is good because in the past, this functionality was best achieved with the uBlock Origin extension, which no longer works with Chromium Manifest version 3, which Brave is forced to adopt to stay secure and relevant. Brave is also supported on Linux and Android with encrypted, no-account-needed syncing.
Brave is completely open-source and since it is Chromium based we can expect quick reactions to new security threats and frequent updates. When it comes to fingerprinting, Brave consistently scores very high on tests. Brave randomizes your fingerprint for each session, and your web signature appears to most trackers as the Chrome browser (very common) - meaning you blend in very well to the crowd. This is favorable even to using Tor or more niche browsers like Librewolf because those signatures stand out more.
One downside of Brave is that it has less resistance to cross-session tracking, but we can mitigate this with browser settings in the next section. There is considerable bloat in the form of AI features, Ethereum wallets, and Web3 stuff, but this can all be disabled. We should also note a controversy in 2020 with affiliate link injection that broke trust for some users, but they stopped this behavior quickly. They are also a VC-backed company, but I see this as a plus for now as we get some really good and unique features. Time will tell if they stay true to their commitment to privacy.
Additionally, there are some issues with the Android app, including no support for custom search engines (which we will configure on desktop), bad settings syncing, and lack of extension support. Extension support is apparently in development.
At this point, install Brave browser on your computer and phone. When you first start the browser, decline all prompts and un-check all boxes about diagnostics.
Extensions
Download and install the following extensions on both computer and phone versions of Brave -
- uBlock Origin Lite - Blocks ads and trackers. Set the filtering mode to “complete”. Lite is the Chromium Manifest V3 version of the popular uBlock Origin for Chromium MV2, and it is not as powerful as the MV2 extension. This would be a third layer of tracking protection for our setup (after DNS and Brave Shields), so while not totally necessary, I see no harm in adding it.
- uBlock Origin Scope - easily see any third party connections from the website you are on.
- Decentraleyes - Prevents tracking through CDN (Content Delivery Network) requests. It contains local copies of the libraries most commonly requested from these networks so your browser no longer has to ping for them.
- Privacy Badger - Privacy Badger sends the Global Privacy Control signal, to opt you out of data sharing and selling, and the Do Not Track signal to tell companies not to track you. If they ignore these signals, Privacy Badger will learn to block them. This is very helpful if you live in a place without any privacy laws that require websites to honor these signals. Privacy Badger will enforce it for you.
- Chrome Multi-Account Containers - These are isolated tabs with their own cookie jars. We will discuss how to use these later.
- Kill The Referrer - removes tracking parameters from URLs you encounter while browsing.
Browser Settings
Configure the following Brave settings on computer and phone -
- Global Privacy Control signal - A browser setting that tells websites you visit not to sell or share your personal data. Websites are legally required to honor this signal in jurisdictions with privacy laws (GDPR, CCPA, etc.). We learned above that Privacy Badger will handle this for us in certain cases. Further, the Brave browser emits this signal by default, so we are more than covered here.
In Brave settings -
- Get Started
- Make Brave your default browser
- On Startup → Open the New Tab page
- New Tab Page → Blank Page
- Appearance
- Customize your toolbar -
- Navigation -
- Sidebar - Off
- Wallet - Off
- Leo AI - Off
- Address bar
- Rewards - Off
- Add RSS feed - Off
- Show autocomplete suggestions in address bar - Off
- Sidebar → Sidebar - Never
- Show bookmarks bar - Always
- Shields
- Trackers & ads blocking - Aggressive.
- Upgrade connections to HTTPS - Strict.
- Block Fingerprinting - On.
- Block cookies - Block third-party cookies.
- Forget me when I close this site - On. This is a powerful feature called Forgetful Browsing, and has similar functionality to incognito mode. All cookies and other storage are cleared when you leave a website.
- Store contact information for future broken site reports - Off.
- Content filtering - Browse available content filters and choose any that you find interesting. These decisions are similar to NextDNS block lists.
- Social media blocking - Turn off all.
- Privacy and security
- Delete browsing data → On exit - check all boxes. This will delete all traces of activity every time you close the browser, except bookmarks and extensions. This is a core anti-tracker behavior that prevents cross-session tracking.
- Security → Use secure DNS - We want Brave to use the NextDNS connection we set up earlier. Depending on the system, you may either need to turn off Use secure DNS, or select “Add custom DNS service provider” and paste the DNS-over-HTTPS URL for your NextDNS server. To test this, block a site in Parental Controls in NextDNS and check which configuration results in the site being blocked. A blocked site indicates you are connected to NextDNS.
- Send a “Do Not Track” request with your browsing traffic - On. Privacy Badger also does this but no harm in having both.
- Data collection - Turn off all.
- Leo AI - Disable everything
- Search engine
- Improve search suggestions - Off
- (We will set up a default search engine soon)
- Autofill and Passwords
- Password Manager → Settings - Turn off all. We will set up Bitwarden password manager later.
- Payment Methods - Turn off all. Bitwarden will help with this too.
- Addresses and more → Save and fill addresses - off
- System
- Continue running background apps when Brave is closed - Off
- Close window when closing last tab - Off
- Enable containers. We will discuss these further in a later section.
- Go to brave://flags/
- Press CTRL + F and search for “container”
- Enable “Enable Containers”
Testing your settings
Use these test sites to see how resilient your browser is to tracking and fingerprinting.
Search Engine
You can probably guess that we don’t want to use Google as our default search engine because they will collect all of your activity. Brave ships with its own search engine, but my recommendation for search is to use Startpage.
Startpage strips all identifying information from your search request and makes an encrypted connection to Google, and returns un-profiled and un-personalized results. You get all the benefits of Google without giving them any of your information. Startpage itself does not store or sell your information or activity, and performs some ad and tracker blocking on your requests.
Here, we will customize Startpage and set it as the default search engine in Brave.
- Go to https://www.startpage.com
- Click the hamburger icon in the top right → Settings
- Search location - Set this to your location. This is a safe setting - Google doesn’t see this and Startpage doesn’t keep it.
- Open results in new tab - Off. This is personal preference.
- Search suggestions - Off. Also personal preference.
- Instant answers - Off
- Promotional messaging - Off
- Results per page - 20
- Unit of temperature - Your preference.
- Date and time format - Your preference.
- Privacy and Safety → Safe search - Off
- HTTP Request method - GET.
Now, scroll back up to the top and look for (but don’t click) the Save Your Settings button. Beneath it is a line that says -
Don’t want a cookie? Copy the Settings URL below, then bookmark or set as homepage.
We don’t want a cookie because we have configured our browser to delete cookies when we close it.
- Copy this text and paste it in the address bar of the browser. It will take you to a Startpage page that uses your configuration.
- Type anything in the search field and hit Enter.
- Copy the resulting URL from your address bar in your browser
- Go to Brave Settings → Search Engine → Manage search engines and site search.
- Scroll down to Search engines and click the “Add” button.
- For Name, type something like “Startpage with settings”
- For Shortcut, type something like “:sps”
- For “URL with %s in place of query”, paste the custom Startpage URL you copied from your address bar earlier.
- Carefully look through the text you pasted for query= and the random word you searched. Replace the searched word with %s, and click Save.
- Find your new search engine under Site search → Click the ellipsis icon → Click Make Default.
Now, when you search in the address bar, you will be using your custom Startpage configuration.
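The query= substitution from the steps above, as an added example that is not part of the original guide. It shows why the edit should be made on the raw URL text: a standard URL encoder turns %s into %25s, which the browser no longer treats as the search placeholder. The URL path, the settings parameter and its token are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, quote_plus, urlsplit, urlunsplit

PLACEHOLDER = "%s"  # the token the browser swaps for the typed search terms

# Constructed example of a results URL copied from the address bar. The path
# and the "settings" parameter are placeholders, not real Startpage values.
CONSTRUCTED_URL = (
    "https://www.startpage.com/sp/search"
    "?query=tracking+test&settings=PLACEHOLDER_TOKEN#top"
)


def to_search_template(result_url, searched, param="query"):
    """Replace the searched word in result_url with %s, leaving the other
    parameters (which carry the saved settings) in place."""
    parts = urlsplit(result_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("expected a full https:// URL copied from the address bar")

    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = [i for i, (key, _) in enumerate(pairs) if key == param]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one {param}= parameter, found {len(hits)}")
    if pairs[hits[0]][1] != searched:
        raise ValueError(f"{param}= does not hold the word you searched for")

    # Rebuild the query by hand. urlencode() would percent-encode the
    # placeholder itself and produce query=%25s.
    rebuilt = []
    for i, (key, value) in enumerate(pairs):
        encoded = PLACEHOLDER if i == hits[0] else quote_plus(value)
        rebuilt.append(f"{quote_plus(key)}={encoded}")

    # Drop the fragment; it is never sent to the server.
    template = urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(rebuilt), ""))
    if template.count(PLACEHOLDER) != 1:
        raise ValueError("template must contain exactly one %s")
    return template


def expand(template, terms):
    """Approximate what the browser does with the saved template on search."""
    return template.replace(PLACEHOLDER, quote_plus(terms), 1)


if __name__ == "__main__":
    template = to_search_template(CONSTRUCTED_URL, "tracking test")
    print(template)
    print(expand(template, "dns leak"))
```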
Sync
Brave has an encrypted sync feature that does not require an account, and we hold the key. Let's turn this on so we can sync our bookmarks and some of the settings with our phone.
- Turn on the sync service and click “Add a new device”. It will show a QR code.
- Follow the prompts to sync your phone.
- Back in your browser, click “View sync code”. Save this in a secure location. We will add this to our password manager later. Click Ok to finish the sync.
- In Sync Settings - Choose what data syncs, I prefer Bookmarks, Extensions and settings.
- Sadly, settings do not fully sync, so go through the above sections again on your phone and make sure everything is configured correctly. Big fail from Brave but we only need to do this once.
- Some phone specific settings -
- Block ‘Switch to App’ Notices - On
- Homepage - Off
- Search Engine - Currently custom search engines are not supported on Android, so simply set the default search engine to Startpage.
- Appearance - Turn off Brave Rewards icon, Enable bottom navigation toolbar
Incognito / Private Mode
Incognito mode is a commonly misunderstood feature of browsers. With respect to our threat model, it does almost nothing. The core benefit of incognito mode is that it deletes session data and cookies when you close the window, and does not save history or form data for the session. You are still completely exposed to your ISP and the websites you connect to.
Browsing Behavior
We can adopt new anti-tracking patterns of behavior when using the internet, and learn to scrutinize services to determine levels of trust.
- Close browser after use - This habit, combined with “Forgetful Browsing” settings that delete cookies when the browser is closed, ensures that no open tabs can perform any level of tracking when you are not looking. On desktop, you can simply close the browser window, but on Brave mobile, you will need to tap the ellipsis icon in the bottom right, and tap Exit.
- Container tabs - container tabs are isolated browser tabs with their own cookie jar, meaning cookies and trackers in that tab cannot see the rest of your browsing session. These are useful when accessing tracking heavy services like Google or Amazon domains as they restrict cross-site tracking. There are some intricacies in the setup of this at the time of writing.
- Brave currently has this feature in development and it is currently unreliable.
- Until this is ready, there are various extensions that do this. The one I have recommended already is Chrome Multi-Account Containers.
- To open a new container, click on the extension icon in your browser and see the various options you have for opening them.
- The “Always open this site in…” feature is very useful. I set all of my work related google services to open in a “Work” tab. Any big tech services I encounter regularly, like Amazon links, are set to open in a group I have called “Anti-Tracking”.
- Marketing emails - Marketing emails will start tracking behaviors as soon as you click on them. Protonmail and some other email services have anti-tracking settings that may restrict loading certain assets known to embed trackers without explicit permission. Make sure these settings are turned on. Upon opening a marketing email, the only thing you should do here is unsubscribe. Often, the unsubscribe button itself has trackers embedded, and our DNS and browser based tracking protection will likely block the links. The solution here is blocking the sender email address, or if you use SimpleLogin, disable the email alias that is receiving the marketing spam.
- Unsafe website warnings - Your browser will warn you when you are trying to visit an insecure website with expired SSL certificates or standard HTTP without encryption. Listen to these warnings and do not load the pages.
- Avoid OAuth and Federated Identity services - don’t use “Sign in with Google / Facebook” as discussed in Account-Based tracking.
- Avoid big tech services - Look for privacy-forward alternatives to common services offered by big tech companies. Prefer open-source software where integrity is verified externally. Avoid big tech companies that practice Surveillance Capitalism and “free” closed-source services where the value / cost trade-off seems too good to be true. Remember that if a service is free, you are not the real customer, data brokers are - and your personal information is the product.
- Read privacy policies - When choosing a new service, make an effort to understand a company’s stance on collecting and selling your information. You do not have to read entire privacy policies. There are key words we can search for and important sections we can skip to.
- CTRL + F is your friend, search for things like “sell”, “parties”, “stored”, “opt”, “collect”, etc.
- Feed the privacy policy to an LLM to summarize it and point out the relevant parts.
- Look for options that the user can execute to delete data or opt out of telemetry.
- If a company gives data to subsidiaries and is kind enough to list them, you will need to review each subsidiary’s privacy policy. A particularly egregious example of this is Privacy.com - a masked credit card service. Despite the name, the company sometimes requires identity verification through a company called Persona. While Privacy.com’s privacy policy is robust, Persona shares data to many subprocessors, including Google, OpenAI, and AWS. This fact does not appear in Privacy.com’s policy.
- Deny requested permissions - do not allow location, camera, or microphone permissions unless absolutely necessary. They will persist for the duration of the session and offer a valuable new data vector to trackers. If you do need to enable these, ensure you immediately disable them after use.
Anonymous Home Internet
Signing up for home internet with alias credentials may not be possible for all readers. Most major ISPs in the US require a government ID or SSN to establish service. I must note that I have not achieved this. I am limited to one service provider at my apartment (Comcast), who requires an SSN to establish service.
That being said, I have successfully acquired aliased phone service through Mint Mobile, a company that also offers 5G home internet. I am unable to know if it's possible to sign up without verification, but you can easily get to the checkout page and see that there appears to be no verification process between the sign up form and the “Place your order” button. I am very curious if it is possible to use an alias name here. If you try this, best of luck.
The benefit of doing this is that even if you slip at threat response strategies, your internet traffic will still be anonymous. I am not sure how this method will hold against a court-ordered subpoena due to there being other ways of connecting you to your address which cannot be aliased for the service.
ISP Privacy Settings and Data Deletions
Some ISPs allow the customer to configure privacy settings, and some will allow you to delete “certain” kinds of data. For both of these options, you want to start in the privacy policy. I will use my ISP, Xfinity, as an example of how this process might look for you.
Privacy settings
- Go to https://www.xfinity.com/ and scroll to the bottom of the page, look for a link to the Privacy Policy.
- In the Privacy Policy press CTRL + F (find in page), and type “opt”, or “settings”. These settings may also appear in your account settings.
- Xfinity has an excerpt that says the following. There is no link, but I was able to snoop around the Privacy Center and find the section they are referring to here.
We may disclose personal information to third parties, including for marketing and advertising purposes, which you can control through opt-in or opt-out settings, depending on the type of personal information disclosed.
- Xfinity has the following settings you can toggle on or off -
- Participate in audience measurement and reports
- Disclose information to related Comcast businesses
- Allow personalized ads online, in mobile apps, and in video service
- Allow banner ads in your inbox
- In another section, there is the following setting
- Storage and usage of sensitive personal information - Turn on the use of sensitive personal information to support activities like personalized recommendations, marketing, and advertising. Even when off, we may still use your sensitive personal information for certain purposes, including to provide your Services, security purposes, and fraud monitoring.
Toggling all of these things to “Off” is a glorious feeling. I do not know the extent to which these settings actually work in my favor, and I still assume that Xfinity still shares my information to some degree, so I will continue to use the strategies listed in this guide. I do believe that this task had some effect, while not measurable, and is completely worth doing.
Data deletions
- Starting in the privacy policy, press CTRL + F and type “delete”, this should bring you to a section on data deletions. Xfinity says this -
All individuals may also make requests to access and correct certain personal information, and to have us delete certain personal information through our Privacy Center by visiting xfinity.com/privacy/requests.
- We will happily follow this link. A deletion request usually requires you to sign in and choose your state, since the laws regarding data deletion vary by state.
- Exactly what kind of information is deleted varies by company. Xfinity simply uses the phrase “certain data”, and then offers a large section about what kinds of data they don’t delete. In my experience with this type of thing, the deleted data is probably behavioral information gained from analytics that is typically sold to data brokers.
- Follow the prompts to start a deletion request. You may also want to request data that the ISP has on you if you would find that interesting to look at.
- These requests usually take around a month, and you will receive a notification when it is complete.
Cycling IP Address
Now that we have a feeling of “resetting” or “cleaning” our data from our ISP, we can do one final thing. We will try to use a VPN at all times from now on, but occasionally we will need to disconnect. In those cases, we would ideally not want to be associated with the IP address we used to have, the one that is probably spread all around various ad networks. To avoid that, we can force our router to fetch a new IP address via DHCP from our ISP. We can usually trigger this in the router settings.
- Turn off your VPN and check https://whatismyipaddress.com/.
- Check the bottom of your router for an IP address, it should look like 192.168.0.1. This is a local IP you can use to access your router settings. Paste this in the address bar in a browser.
- Log into your router with the username and password on the bottom of your router.
- Look for an option to lease a new IP address and follow the prompts.
- If there is no such setting, changing the MAC address of your router should trigger a new DHCP lease.
- Check https://whatismyipaddress.com/ again to see if your IP changed.
- If none of the above works, you can call your ISP and request a new IP.
- Turn your VPN back on.
Threat Model Review
We have done a lot of work in this section. Let’s look at the threat model and consider what has been accomplished.
ISP Logging
Our VPN hides our regular internet traffic from our ISP, and our NextDNS server is routing our DNS requests securely. We have cleaned as much data as we can from the ISP and assumed a new identity. From here on out, your ISP gets no useful information about our internet activity.
IP-Based Tracking
Websites don’t see your real IP address, instead they see a ProtonVPN server, the same one as thousands of other people connected to the same server. You are now hidden from any trackers and services that have indexed you by your IP address, and cross-site tracking by IP is no longer possible.
Cookies and Trackers
We now have three layers of tracking protection - Block Lists in our NextDNS profile, Brave Shields, and uBlock Origin Lite. Brave browser is configured to delete cookies when the browser is closed, and we will try to build a habit of closing the browser after using it to clean them out every session. This reduces the amount of information available to the few trackers we will encounter.
Account-Based tracking
Hopefully you took or will take my advice to stop using these services. If you do have to access them, container tabs will be used to isolate them.
Browser-Based Tracking
We have a privacy-first web browser that does not store our activity or send it anywhere, and is hardened with extensive configuration. We also no longer need to use Google search.
Fingerprinting
Brave browser has best-in-class fingerprinting protection. While not bulletproof, it will protect against all but the most sophisticated attempts to fingerprint your device.
DNS Logging
NextDNS is encrypting and routing our DNS requests so our ISP cannot see them.
Public Wifi Networks
A VPN encrypts our web traffic so it cannot be seen on public networks.