Ask HN: What do you do for online privacy?
Let's not confuse anonymity vs privacy vs tin-foil hat level paranoid. I'm hoping to have some conversation going here on the various levels of privacy and steps folks at HN take to increase their privacy online. If you don't take steps -- then what are your reasonings why? (Beyond the staple excuse of "I have nothing to hide").
I understand defining your threat model, and I don't think most of us have a specific threat model more than being your average technophile would.
### Applications, Operating Systems
Do you run specific browsers, and why? Do you have specific applications that you use to protect your privacy? Do you engage in any kind of hardening?
Do you run any specific kind of operating system (say, Windows, Mac, etc) and why? Does it matter to you personally whether you are tracked?
### Online Storage
For example, do you store files on cloud storage as-is? If so, what kind of criteria do you have for that? Do you encrypt all files before they go anywhere? Does AES128 or AES256 encryption provide reasonable protections?
### Social Media
Do you avoid or block social media? If so or if not, why?
81 comments
[ 3.0 ms ] story [ 154 ms ] threadI have two browsers, Firefox and Chrome. On Firefox I run add blocker, on Chrome I don't run it. Why? My job requires sometimes to help marketing team and if you block adds you don't see the whole picture or our and competitors activity.
I don't encrypt files before upload. Why? I'm not sure how to do it and my biggest fear is what if my encryption key stops working. I got locked out my Windows because I run a system update and I didn't disable bit locker before that. So I had to go through recovery procedure.
I use Twitter and LinkedIn. I'm not very social on social media. I don't create content.
I have nothing to hide except of when I run Tor browser.
> Do you run any specific kind of operating system (say, Windows, Mac, etc) and why? Does it matter to you personally whether you are tracked?
I quit Windows since 7 became outdated because modern Window's tracking bothers me, not because of somebody gets informed about something I do not want to be known but because it messes me with using my device (I have to decide when to update, when to reboot and when to change some settings, not a vendor). Debian may have some pesky settings which make OS leaking some data about me, but at least it doesn't bother me when I am trying to use my computer.
> For example, do you store files on cloud storage as-is?
No, because upload is always easy and download is always hard. A lot of HDDs works great for me.
> Do you avoid or block social media? If so or if not, why?
I do not find any of these interesting except of Youtube. And I try avoid using it too much because torrents have better video and not video content.
My browsers block connections to trackers and 3rd party cookies. Sometimes scripts too, for good measure, and some selected stuff from user.js (https://github.com/arkenfox/user.js). Separate profiles for each service just to make really sure important stuff doesn't get affected by casual browsing, and vice versa.
No google- or apple- owned phone. Phoning home from the PC is also at minimum - just Firefox does it and the package manager.
It's not total privacy because for some interactions you want to share your details, like payment info, but what I get is that I know where I pierce the boundary.
What device do you use, then?
It's easy to think "I have nothing to hide", but that's not what I mean. A better analogy is risk analysis/attack surface area you expect. The privacy requirements of someone doing investigative journalism are wildly different from a regular joe who only needs to worry about targeted ads.
I'm generally in that bucket, where my only real privacy concern is ads, and I'm ok with tailored ads... Especially since ad blockers remove over 95% of them anyway. And since I rarely buy stuff.
I take significant steps for security (yubikeys, password managers etc.), and mental health (regular social media breaks and such). But "privacy" is too vague a word without a risk assessment.
Some companies (e.g. Google) by default will capture multi-gigabyte decades-long records of information about us. We might let them do it thinking that it is not much threat to us.
But new technologies can be invented, for example things like widespread use of facial recognition, or deepfakes, or AI, which could make the trove of data we gave away become more dangerous in the future.
I use ad/tracking blockers, but having worked in this space, they don't/can't exactly offer complete privacy.
Beyond that, I think about the biggest risks and try to tackle them: It's for example pretty easy to send someone a link and as soon as they click on it you know roughly where they live. Any information about where you typically hang out, what you do and what your kids look like stays off social media - it's pretty easy to be stalked with just a hand full of these signals, if someone really wants to.
I don't feel I have much to hide, like others here, but you never know when someone decides to have a personal vendetta against you or something. Can't make it impossible to be stalked, but I can make it difficult enough for people to not bother. I think about it the same way as I think about securing my residence, really.
Some concrete stuff I use:
- Personal NAS and server for files/photos (Syncthing works great for me)
- Ad/tracking blocker (it's usually a matter of the lists, so just one extension)
- Firefox (I have some background with Mozilla so I personally trust them more than anyone)
- Caution / VPN for weird links
- No Gmail (I like FastMail, but there's a lot)
- No Amazon, e commerce is enough of a commodity
- Not using social media actively, not posting personal stuff
- Linux (PopOS and Ubuntu)
2. My countries openly shared my history with Government so I use VPN all the time.
3. Kagi search for privacy search.
4. Mozilla browsers with extensions.
5. Ente for Image storage
And ofc don't use much of social media
Don't put your real name or face on the Internet. Don't tell specifics of your life to strangers on the Internet.
That's about it.
Oh, and I always say "ask app not to track" when iOS asks :)
I also use different nicknames for different contexts so my personal and semi-professional accounts can't be trivially linked.
Apologies in advance if you already knew this!
OS - Ubuntu everywhere
Online Storage - This is part of my selfhosting stack. My server is in my house (but accessible from internet), no need for at rest encryption.
Social Media - Not much apart from some reddit and HN. Never got into other things.
Similarly, offsite backup for if your server is stolen / house burns down /you accidentally rm -rf everything
Just because something doesn’t offer complete security, doesn’t mean it’s a bad idea.
On the other hand, I mostly work on open source software, so all my work is publicly available in timestamped commits. It is easy for anyone to guess my working hours, timezone, and time off. And all the comments I write can tell you a lot about my views of the world.
I think the privacy impact of open source is not talked about enough.
Docs say that it's no problem now, but they "suggest merging multiple accounts" but probably because of less fuckups and support questions.
- only using my own cloud (NAS, Home Automation)
- heavily filtering internet (Pi-Hole or AdGuard + ublock when possible)
- no public social media (FB, Twitter, discord, whatever)
- Only throwaway accounts on some social media
- Not having a real phone number
- Using rented throwaway phone numbers when necessary
- Only use credit card for a few trusted services.
- Avoid services with questionable business practice (Forced 2fa over SMS being one common reason) but also things like Amazon, Microsoft, ..
In the context of privacy it mostly means you can't easily link my accounts trough my phone number.
As of why is a long story that mostly resolves around how bad and annoying a phone number as security measure is and how you have no way of actual owning your own number.
- Brave browser
Privacy by default
-- Brave Search / SearXNG
- Pi-hole
Block trackers and ads network wide
- ProtonVPN
I use this to route connections through z morf private country with stricter data laws like the GDPR for example.
- Gnu/Linux
A system that I can trust, and isn't motivated by stocks but rather value.
I won't say its perfect, its not, but it works for me.
- CalyxOS
I also run CalyxOS, a privacy focused OS that is actually usable, and supports SafetyNet, its a very normal experience, apart from the complications of using a work profile for closed source apps(which I'm thinking of removing because its just annoying).
Its of course very important to me not to get stalked by for profit companies.
Privacy is a human right.
### Online storage
I mainly use a local Nextcloud server for this.
The upload speeds are great because its local, and I'm working on backing it up to object storage like R2 or scaleway archive.
Another option is using privacy cloud like ProtonDrive or Mega.
### social media
I don't avoid it fully, and unlike others I personally think HN is a form of social media, maybe more accurately a social network.
I used to use Reddit a lot, but its honestly a crappy platform with tons of negativity and anything inevitability turns to NSFW.
I liked the tech communities on it, so I replaced it with HN.
I also use Twitter, which I think is(was) the best mainstream social media.
Probably gonna setup a mastodon account soon.
No other social media other than these.
Also, not using my public name everywhere. Where possible I use a random username.
And while I'm diametrically opposed to the "if you have nothing to hide" argument, I really don't have anything to hide, so individually it doesn't impact me.
<< People wildly overestimate how much other people care about them or their secrets.
People may not care about your secrets now. Right now you may be young. Right now you may have not pissed anyone off sufficiently to hire a private investigator to dig up stuff on you. Right now you may not be a party to a lawsuit.
All those things may be true right now, but things change. You have no idea how valuable right information can be at a given time. And here you are, volunteering it on a silver plate for anyone to pick as they please.
<<Nothing bad ever happened to me due to lack of privacy protection.
In other words, I think you are missing a key word here:"Yet". Nothing happened to you yet.
I would argue you have so much more to win, than you have to lose, from letting go of that fear to share your life online.
I am not sure if it is fear though. I personally feel I already spend way too much time online as it is. It was beyond awful as I was going through school, where I ended up doing work/school/fun by effectively just switching screen throughout the day. After years of that pattern I eventually severely cut back ( and even now I think I am overdoing it, but baby steps ).
I am ok with losing some people and some of the artificial online relationship that brings ( I accept that some online relationship may actually be stronger than generic RL ones ).
OS/Applications:
- Linux on the desktop since 2007.
- I was using Firefox with uBlock, switched to Brave because I like the model: it lets users "vote with their wallets" (by collecting the rewards and giving back to content creators they like) while keeping their personal data out of reach from advertisers.
- Went through a series of Android phones that could be rooted, installing Lineage OS whenever possible. I'm now on /e/OS, and I use only the apps that are available on F-Droid. I keep an old android around just for my banking app.
Online Storage:
- Avoid external cloud service at all costs. If the data is not on a server that I do not directly control, I treat it as a liability. No Google Drive, no Dropbox, no Spotify. Instead of being dependent on webapps, I prefer to sync my data between my machines with Syncthing and use the "proper" application to work/consume the data. I wrote more about it at https://raphael.lullis.net/thinking-heads-are-not-in-the-clo...
Social Media:
- Still using Twitter and reddit, but using libredirect. On mobile I browse through Fritter and Infinity for Reddit.
- Heavily encouraging anyone I can to switch away to the Fediverse. I may be biased though becuse I run a managed provider for Mastodon and Matrix (https://communick.com)
I mostly use OpenBSD these days, but any security is a bonus. I mostly do it for the minimalism. The pledge and unveil stuff built into the browsers is nice.
I have at this point dumped pretty much everything but self curated Reddit and HN, not just for privacy but for general sanity as well... That is also mostly the reason that I keep my phone (which is dumb anyway) turned off unless I need to use it.
I use a VPN because I don't trust my ISP.
I use LineageOS with microG because I don't trust the phone manufacturer and Google to not track me.
I use Linux coz fuck Windows. Hardened with secureboot and FDE with TPM.
I use ungoogled chromium with uBlock and NoScript.
I also selfhost most of the services that I can replace with FOSS alternatives. Can be a PITA maintaining them at times but I sleep happy at night knowing my data is not on some Google(-like) farm. E.g For Youtube I do make use of public invidious instances etc.
Any app (on phone and PC) that doesn't need internet permissions (or any other unnecessary permissions) has them toggled off. Flatpaks and flatseal makes this so easy on Linux.
Any social media app that works well as a PWA is not installed. And if needed on my phone, it's installed into the secondary work profile where it can't read my files/contacts/etc.
All data I consider private is encrypted at-rest. Same is routinely backed up to different cloud storage providers.
Any account that I consider important has 2FA behind it. Most accounts I just use disposable emails to register.
Ads are all effectively blocked on the devices I use courtesy of dns filtering.
- Why trust a VPN company more than your ISP? To me it seems like a commercial VPN could have equal or more incentive to do questionable things with your info.
- Is it somehow easier for an ISP to track my activity vs. a single VPN company whose servers I'd tunnel all my traffic through?
Sure, the ISP knows where I live and all that but it seems like a VPN could easily identify/know me to the same degree.
( - or is it like a self-hosted VPN sitting in the cloud, and would such a thing be practical/effective at all)
The one with more PII data on you or the one with less? Noting that some VPNs even allow you to pay with Bitcoin.
My ISP knows where I live right to my doorstep. A VPN only knows roughly from which city I'm accessing the service from. And for mobile data, it is worse since the carrier I use has a copy of my govt issue ID (as mandated by law).
Between the two, do you trust the one whose core business is competitively providing privacy products? or .... the local private entity (some operating as a market monopoly) susceptible to government interference & anti-privacy laws .... and who basically answers to no one with regard to customer data/privacy?
Am sure all this PII data could be made to be used against you on a worst-case scenario basis but still...
I do have a self-hosted VPN tunnel that I use occasionally, but it's not as effective for privacy as a commercial VPN is if we put all device fingerprinting aside. And besides, the cloud provider still has my credit card so this route doesn't provide any greater privacy benefits than a VPN does.
- Avoid cloud services
- Avoid services that require an account
- Avoid installing proprietary apps
- Use Free and open-source software (FOSS) if possible
There are of course always situations in which it is unavoidable to do one of those mentioned not-to-do things, but if you stick to those simple rules most of the time, you should be able to avoid the bulk of the undesirable stuff out there.
- Use Linux
- Encrypt files
- Use signals
- Use Android without a google account or a play store
- Use google products as little as possible
- No whatsapp, no Insta, no FB
- Use pcloud encrypted solution for online storage
But even with all that, I'm pretty sure the impact is limited, real privacy would require a lot more. Not to mention banking, power companies and so on are going to sell your data no matter what.
Besides, most people would not even do 10% of this. Not even switch to FF.
And if they are transparent and knows you, they give a lot of data on you anyway.
It's a battle we are loosing.
I won't lose access to my data if a company shuts down, or if some bad actor decides to maliciously send child pornography to my email and get my whole Apple/Google account cancelled (with no easy support for getting it back)
All in all, being able to export (data portability) comes first and foremost, regardless if it's not the most privacy-friendly program. If I can self-host it? All the better.
[0] https://peergos.org
Any steps I take to preserve my privacy are negated by my inactions of years past, the current actions of my friends and family, and the actions of my government
That said…
I use an adblocker because it makes the browsing experience better and I use Firefox because it makes me feel better about browsing the internet.
I’m in the apple ecosystem which makes me feel slightly more private and occasionally use signal to have certain conversations with certain people
Of course at the end of the day I know whatever I do doesn’t really matter and the worst thing that could happen is I get more targeted ads.
Sure, I could get targeted by the government should it turn evil, but I don’t believe that online privacy would prevent that from happening anyways. I’m just not that interesting of a person so I take solace in that.
Now that I’m writing this.. I’m non religious and I believe in the right to own firearms. These opinions could make me a target or make me more interesting to an evil government. I guess I just hope the checks and balances we have are enough.
Completely untrue. Data becomes less valuable as time goes on to the point that it becomes worthless.
Well pester your friends and family to move to Signal and install uBlock on their browsers x)
Honestly I used to try and convince people to be careful about online privacy but I found it made people like me less
* Linux with Firefox, uBlockOrigin and whitelist of JS enabled sites, off by default.
* Network wide DNS blocklist
* OpenWRT on Router
* Multiple VLANs to isolate black boxes such as TV when I can't avoid it
* I self-host a lot of services
- On the phone, besides a similar setup for the browser, I run LineageOS+microg, AdAway (system-wide ad-block), AfWall on allow mode (block internet access for all apps except whitelisted), and XPrivacyLua (fakes permissions for apps which refuse to run without them). Absolutely NO google apps whatsoever.
- Social media I mostly don't do, for my privacy but also for my sanity x)
- Email I use ProtonMail, storage I use my NAS (not ideal, I know, need offsite backup)
- neovim
- linux
- dumb phone
- DeFi