ghost.moe
A minimalist guide to digital privacy, security, and anti-censorship.
Welcome to ghost.moe. This guide is meant to help you take control of your digital privacy and security. More privacy and security comes at the cost of convenience; this is an unfortunate reality. We've broken things down by topic, and each topic has three levels:
- More Convenient: These items will only require a download or checking a box in settings. They shouldn't break anything, be annoying, or slow anything down.
- Balanced: These items can cause some minor things to break, be slightly annoying, or require a change to how you use your devices.
- More Secure/Private: These items will require either technical knowledge, be very annoying, require serious planning, cause things to slow down, break things, or require a large amount of effort.
🕵️♂️ Threat Modeling
The most important thing to consider when you are worried about privacy and security is your threat model. Who are you trying to hide your data from? If you only need to hide your data from your family, you may just need to delete your browser history. If you are trying to hide your data from governments and corporations, you will have to do quite a bit more work than just deleting your browser history. Come up with your threat model, and think about the tools that this adversary has at their disposal. Keep your threat model in mind when going through this guide.
🧭 Web Browsing
Your web browser is typically one of the most used programs on your system. Taking steps to lock down your web browser will greatly increase your privacy.
Switch to Brave or Firefox
Brave is easier out of the box. Firefox can be configured to be more private than Brave.
Use DuckDuckGo instead of Google.
DuckDuckGo does not track your searches or browsing history.
Use Tor Browser for all sensitive browsing.
Tor is the gold standard browser for privacy and anti-censorship. It will be very slow, however.
🦊 Firefox Configuration
If you are using Firefox, you can enable these settings to make it more private and secure. Otherwise, skip this section.
Enable "Tell websites not to sell or share my data"
Note: Websites do not have to adhere to this request.
Enable "Delete cookies and site data when Firefox is closed"
This will make it harder to track you between sessions.
Disable "Ask to save passwords"
If someone gets access to your computer, they won't find your passwords saved in your browser.
Disable all "Autofill" settings
If someone gets access to your computer, they won't find your information saved in your browser.
Disable all "Firefox data collection"
Minimize the data collected on you, even from products you trust.
Enable "Allow websites to perform privacy-preserving ad measurement"
Controversial; explanation coming soon.
Enable "HTTPS-only mode in all windows"
Forces encryption between you and the website you visit. Can show a warning message if the website doesn't support HTTPS.
Enable "DNS over HTTPS (Increased Protection)"
This prevents someone on your local network from seeing what websites you are visiting.
Install an adblocker like uBlock Origin
Ads can be used to track you across websites or give your computer malware.
Enable "DNS over HTTPS (Max Protection)"
This can cause warning pages to show up before using insecure DNS.
Enable "Always use private browsing mode"
This will log you out of everything and erase your history after closing the browser. This is very useful on shared computers or on laptops that could easily be stolen.
Enable "Strict tracking protection"
Note: This could cause some websites to break.
Block JavaScript with NoScript
JavaScript is code that a website chooses to run on your computer. Blocking JavaScript can stop websites from learning more about your computer.
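One way to check which of the Firefox settings above are actually applied in a profile, as an added example that is not part of the original guide: it parses a profile's prefs.js and compares it against the list. The mapping from each setting to an about:config pref name is an assumption for recent Firefox releases, and the sample profile text is constructed.

```python
import re

# Guide setting -> (about:config pref, value once applied). The pref names are an
# assumed mapping for recent Firefox releases; confirm them in about:config.
EXPECTED = {
    "Tell websites not to sell or share my data": ("privacy.globalprivacycontrol.enabled", True),
    "Delete cookies and site data on close": ("privacy.sanitize.sanitizeOnShutdown", True),
    "Ask to save passwords (disabled)": ("signon.rememberSignons", False),
    "Autofill addresses (disabled)": ("extensions.formautofill.addresses.enabled", False),
    "Autofill payment methods (disabled)": ("extensions.formautofill.creditCards.enabled", False),
    "Firefox data collection (health report upload disabled)": ("datareporting.healthreport.uploadEnabled", False),
    "HTTPS-only mode in all windows": ("dom.security.https_only_mode", True),
    "DNS over HTTPS (2 = Increased, 3 = Max)": ("network.trr.mode", (2, 3)),
    "Always use private browsing mode": ("browser.privatebrowsing.autostart", True),
    "Strict tracking protection": ("browser.contentblocking.category", "strict"),
}
PREF = re.compile(r'^[ \t]*user_pref\("([^"]+)",\s*(.+?)\);[ \t]*$', re.M)

def parse_prefs(text):
    """Parse prefs.js/user.js text into {name: bool | int | str}; comments are skipped."""
    prefs = {}
    for name, raw in PREF.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def audit(text):
    """Return the guide settings the profile has not applied. prefs.js stores only
    non-default values, so a pref that is absent is still at its default."""
    prefs = parse_prefs(text)
    accepted = lambda want: want if isinstance(want, tuple) else (want,)
    return [label for label, (name, want) in EXPECTED.items()
            if name not in prefs or prefs[name] not in accepted(want)]

# Constructed sample, not taken from a real profile.
SAMPLE = """// Mozilla User Preferences
user_pref("dom.security.https_only_mode", true);
user_pref("network.trr.mode", 2);
user_pref("signon.rememberSignons", false);
user_pref("browser.contentblocking.category", "strict");
"""

if __name__ == "__main__":
    for label in audit(SAMPLE):
        print("not applied:", label)
```

To run it against a real profile, pass the contents of the prefs.js file in that profile's folder (listed on the about:profiles page) to `audit()`.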
📱 Phones
Most people carry their phone everywhere they go. This can be used to track you.
Disable personalized ads in iOS or Android settings.
Android: Settings > Google > Ads > Turn off "Ad Personalization"
iOS: Settings > Privacy & Security > Apple Advertising > Turn off Personalized Ads
Manage app permissions.
Set location permissions to “While using the app” or “Ask every time”. Disable microphone and camera access for non-essential apps. Disable system-wide location when not needed.
Remove unused apps.
Apps can run in the background even if you are not using them.
Use a PIN or password to unlock your phone.
In some jurisdictions you can be required to unlock your phone with your fingerprint or face, but not with a PIN or password.
Use open-source apps from F-Droid.
These are typically more privacy-respecting, and the code is available for audits.
Buy a Google Pixel.
Because the Pixel is the reference device for Android, it gets security updates sooner than other phones.
Install GrapheneOS.
GrapheneOS is a privacy- and security-focused OS that replaces your stock Android version. It is available for the Google Pixel.
Avoid all Google services.
Google makes money tracking users around the internet and advertising to them. You should do your best to avoid Google services.
🔐 Accounts
Use strong and unique passwords for every account.
Password reuse should always be avoided. If one website gets hacked and you use the same password for everything, then hackers can use your information to log in to other services.
Consider switching to privacy-respecting services like Proton.
Proton has email, VPN, cloud storage, a password manager, and more.
Use an open source password manager like Bitwarden or Proton Pass.
Using a password manager makes it very easy to create strong and unique passwords.
Check if services you use have been hacked with Have I Been Pwned.
You should change any passwords you use for the services that show up here. You can also sign up to be notified if you are in a new data breach.
Enable two-factor authentication (2FA) where available.
Many websites support 2FA and it should be enabled when possible, especially for your bank and email.
Avoid using social logins (Google, Facebook).
Using social logins creates a single point of failure. If Google gets hacked and you use Google to log in to everything, then all of your accounts are compromised.
Use pseudonyms and email aliases.
Use pseudonyms or alternate email addresses to create separation between different things that you do online. For example: One identity for shopping, and one for activism.
Segment identities for different activities.
Fully separating identities (e.g., using distinct browsers, devices, and accounts for different activities) is difficult to do without any crossover, but it can greatly reduce tracking risks.
🛡️ Two-Factor Authentication
Enabling 2FA makes it significantly harder to hack your accounts. Even if someone has your password, they would also need to be able to authenticate with your 2FA device to log in.
Enable 2FA using SMS or email.
While SMS or email is better than nothing, these methods are vulnerable to SIM swap attacks or email account takeovers. For stronger protection use a TOTP app.
Use TOTP apps like Aegis.
Aegis is an open-source app available on Android.
Use hardware tokens like YubiKey or Nitrokey.
These are physical devices and not all services support them.
🛰️ VPN
VPNs are NOT a tool that makes you more private. Rather, they shift who can look at what you are doing. Without a VPN, your ISP can see what websites you visit. With a VPN, your ISP can see that you are sending all of your traffic to one server (the VPN), and your VPN can see what websites you visit. This is important because many VPN sellers claim that they make you more private or secure, which is NOT the case. If you just want to be more private or secure, you do NOT need a VPN. However, VPNs are useful for bypassing censorship. If something is banned or blocked in your country, you may be able to bypass the block with a VPN.
Use a no-log VPN based in a privacy-friendly country, like Mullvad.
Choosing a VPN with no logs is important because any logs could be handed over if requested. Having your service in a country with strong privacy laws reduces this risk, but remember the VPN can see your traffic.
Self-host your own VPN using WireGuard.
If you don't trust any VPN company, you have the option of renting a server somewhere and making your own VPN with WireGuard. Renting a server under your own identity will lead to less anonymity, though.