Security is a Process

Privacy Foundations

Follow the steps in order, or jump to whichever feels most urgent. Every step you take matters.

Secure Your Browser

Firefox — harden it with strict tracking protection and a few key extensions.
Mullvad Browser — Firefox-based, designed to reduce fingerprinting, built with the Tor Project.
Brave — Chromium-based with built-in ad and tracker blocking, if you need Chrome compatibility.
Install uBlock Origin and NoScript for ad-blocking and script control.
Set DuckDuckGo as your default search engine — no tracking, no filter bubbles.

Your browser is the front door to the internet. Lock it down first.

Encrypted Email

Proton Mail — end-to-end encrypted, Swiss-hosted, open-source. The default recommendation.
Tuta Mail — fully encrypted alternative based in Germany, also open-source.
Use SimpleLogin or Proton's built-in aliases to create disposable email addresses — one per service, so no one can link your accounts.

Gmail, Outlook, and Yahoo read your mail to serve ads. Encrypted email means only you and the recipient can read it.

Password Management

Bitwarden — open-source, cross-platform, generous free tier. Our top pick.
Proton Pass — integrates well if you're already in the Proton ecosystem.
KeePassXC — offline, local-only option. You control the database file entirely.
Enable passkeys wherever supported — they're phishing-resistant and passwordless.

One unique, long password per account. Your password manager remembers them all — you just remember one master password.

Two-Factor Authentication

YubiKey — hardware security keys are the gold standard. Phishing-proof.
Aegis Authenticator (Android) / 2FAS (cross-platform) for TOTP one-time codes.
Enable 2FA on every important account — email, password manager, banking, social media. No exceptions.

A password alone isn't enough. 2FA means that even if your password leaks, attackers still can't get in.

Private Messaging

Signal — end-to-end encrypted by default, open-source, minimal metadata. The best choice for most people.
Wire, Threema, Element (Matrix) — solid alternatives depending on your needs.
Telegram note: chats are not end-to-end encrypted by default. Groups and channels are never E2EE. Use "Secret Chats" for private conversations, or better yet, use Signal.

WhatsApp is owned by Meta. Your messages may be encrypted, but your metadata isn't. Switch to something trustworthy.

VPN & DNS Privacy

Mullvad VPN — anonymous accounts (no email needed), accepts cash and crypto, WireGuard support. Our top pick.
Proton VPN — good alternative, especially if bundled with Proton Mail.
NextDNS or ControlD — encrypted DNS to block trackers and ads at the network level.

Your ISP sees every site you visit. A VPN encrypts that traffic and hides your IP. Encrypted DNS stops DNS leaks.

Anonymous Browsing

Tor Browser — routes your traffic through three encrypted relays. You look like every other Tor user.
VPN + Tor — connect to your VPN first, then open Tor. Your ISP won't know you're using Tor, and Tor exit nodes won't see your real IP.
Guardian Project — maintainers of Tor on Android, plus privacy apps like Orbot and Haven.

When you need real anonymity — not just privacy — Tor is the tool. Use it for sensitive research, whistleblowing, or just because you can.

Secure Storage

Nextcloud — self-hosted cloud storage you fully control. The gold standard for data sovereignty.
Proton Drive — end-to-end encrypted cloud storage if you prefer a hosted solution.
VeraCrypt — create encrypted containers for sensitive files on any platform.
Cryptomator — encrypt files before uploading to any cloud provider (Dropbox, Google Drive, etc.).
Enable full-disk encryption — FileVault (macOS), BitLocker (Windows), LUKS (Linux). Non-negotiable.

If your device is stolen, full-disk encryption is the difference between an inconvenience and a catastrophe.

Encrypted Notes

Notesnook — end-to-end encrypted, open-source, cross-platform. A true private alternative to Evernote or Google Keep.
Standard Notes — minimal, encrypted, long-running. Great for plain-text note-taking.

Your notes contain ideas, passwords, plans, and personal thoughts. They deserve encryption too.

Cryptocurrency Privacy

Monero (XMR) — private by default. Transactions are confidential and untraceable.
Bitcoin (BTC) with Bisq — decentralized P2P exchange, no KYC required.
RoboSats and Peach Bitcoin — additional P2P trading options.
Use a hardware wallet — Ledger or Trezor. Not your keys, not your coins.

Cryptocurrency lets you pay for privacy tools (VPNs, email, domains) without linking your identity to the purchase.

Secure Your Phone

GrapheneOS — a hardened, privacy-focused Android OS for Pixel phones. The single best thing you can do for mobile privacy.
Get apps from F-Droid (open-source app store) and Aurora Store (anonymous access to Play Store apps).
For enthusiasts: PinePhone runs full Linux on a phone. Not daily-driver ready for most, but an exciting option.

Your phone knows more about you than any other device. GrapheneOS removes Google's surveillance while keeping Android's usability.

Secure Your Computer

Keep everything updated. Enable automatic updates for your OS and all software. Enable your firewall.
Tails — a portable Linux OS that runs from a USB stick and leaves no trace. Perfect for sensitive tasks.
Qubes OS — security through compartmentalization. Each app runs in its own isolated virtual machine.
Whonix — routes all traffic through Tor. Can run inside Qubes or as standalone VMs.

For everyday use, a fully updated OS with a firewall and the tools above covers most threats. For high-risk situations, Tails or Qubes.

The Fediverse & Open Source

Mastodon instead of Twitter/X — decentralized, no algorithm, no ads.
Lemmy instead of Reddit — federated link aggregation and discussion.
PeerTube instead of YouTube — decentralized video hosting.
Jitsi instead of Zoom — open-source video conferencing, no account needed.
OpenStreetMap / Organic Maps instead of Google Maps.

The fediverse is social media without the surveillance capitalism. Decentralized, community-run, and open-source.

Core Practices Checklist

Use a password manager for every single account. No reused passwords, ever.
Hardware-key 2FA on critical services — email, password manager, banking.
Separate identities with email aliases. One alias per service.
Encrypted backups — both local (external drive) and cloud (encrypted before upload).
Keep everything updated. OS, browser, apps, firmware. Automate it.
Prefer open-source software whenever a viable option exists.

Privacy isn't a product you buy — it's a practice you maintain. These habits, applied consistently, are your strongest defense.

2026 Privacy Stack

Quick-reference cards for the tools we recommend right now.

Browsers

Firefox — hardened with extensions
Mullvad Browser — anti-fingerprinting
Brave — Chromium, built-in blocking
Tor Browser — anonymous browsing

Proton Mail — E2EE, Swiss-hosted
Tuta Mail — E2EE, German-hosted

Messaging

Signal — gold standard for private chat
Element — Matrix protocol, federated

VPN

Mullvad — anonymous, WireGuard
Proton VPN — bundled with Proton suite

DNS

NextDNS — encrypted DNS with filtering
ControlD — customizable DNS firewall

Storage

Nextcloud — self-hosted cloud
Proton Drive — E2EE cloud storage
Cryptomator — encrypt before upload

Notes

Notesnook — E2EE, open-source
Standard Notes — minimal, encrypted

Passwords

Bitwarden — open-source, cross-platform
Proton Pass — integrated with Proton
KeePassXC — offline, local database

2FA

YubiKey — hardware security key
Aegis — TOTP for Android
2FAS — TOTP cross-platform

OS (Mobile)

GrapheneOS — hardened Android for Pixel

OS (Desktop)

Qubes OS — security by compartmentalization
Tails — portable, leaves no trace
Whonix — all traffic through Tor

Social

Mastodon — decentralized microblogging
Lemmy — federated link aggregation
PeerTube — decentralized video

Crypto

Monero — private by default
Bitcoin + Bisq — P2P, no KYC

Analytics

Plausible — lightweight, privacy-first
Umami — open-source, self-hostable
Matomo — full-featured, GDPR-ready

Take Back Your Privacy