The internet is a fascinating place. Gaming with friends, ordering products online, connecting with family via social media, navigating the streets on your phone and searching the internet are just some of the things we do every day without thinking too much about it. You might hear a story in the news one day about a data breach or how Facebook needs to stand trial and you might have heard the name Edward Snowden pop up once or twice. Typically in the context of internet privacy or the lack thereof. But despite the dangers of online privacy, most people tend to stick with the comfortable and ignore those dangers.
The same goes for me, I’ve been using some of Facebook and Google’s comfortable products for over 15 years now without hesitation. But after reading more and more about how modern online advertising and big data collection works on the internet (I can highly recommend this Dutch book) and watching movies like The Social Dilemma and The Creepy Line (and in a way also the Snowden movie), I finally decided to change things. This is a story about why and how I’m achieving digital privacy. A story that might be relevant to you too.
The internet changed
Sometimes I long for the days that online ads were those annoying banners that were blinking and mentioning I had won an iPod. Those days are over. Nowadays advertisers sell their products by targeting very specific customers in a subliminal way. And the only way to do so is by knowing who those customers are. This is why big tech companies like Google and Facebook gather everything they can about you. They have become monopolists in personal data gathering and sell that data to advertisers. And I’m not just taking about the data you feed them willingly by sharing it on social media, but I’m especially talking about the data that they extract from you by simply using their very convenient services.
Take the Google search engine for example. Google stores every search term you ever fill in and knows how to connect this to you as a person. From your hobbies to your beliefs and from your jobs to your sex life; Google knows it. Whether this is because you are logged into your Google account when using their search engine, or because Google has access to all kinds of metadata when you are searching (e.g. your browser cookies, IP address, device fingerprint) that ties that search query to you; they know it was you who searched. Incognito mode is not going to help you there.
On smartphones things get even worse, since most apps require all kinds of permissions before you can use them. Want to chat with your friends using WhatsApp? Well, you’ll need to give WhatsApp access to your entire contacts list first. Even though the chats are end-to-end encrypted and Meta (the company that owns Facebook, Instagram and WhatsApp) cannot read your exact messages, they will know who and how frequent you are messaging someone, how long your messages are, etc. This metadata is enough to extrapolate the type of relationship you have with a certain contact. If you are cheating in a relationship, chances are Meta will know this before your wife does.
Then there are apps like Google Maps. Extremely convenient, but to get “the best experience” you need to share your location with Google at all times. Sure, you can turn off your GPS settings when not using the app, but they will still know approximately where you are you using IP addresses and WiFi triangulation.
If you use the Facebook app, you need to give permission for the app to look at your WiFi connections and to be able to pair with Bluetooth devices. Ever wondered why that friend of yours shows up as a recommended contact on Facebook, even if you never searched for them? Maybe it was because the two of you have the Facebook App installed and were using the same WiFi or were in range of Bluetooth one day.
In short: by using free and convenient proprietary software, you often do not pay with your money, but with your personal data. Even if you are not logged in. And most people are not aware about how sneaky this data is extracted most of the time.
Is this a bad thing?
Now you might think that big data harvesting is not a bad thing per se. You might even think it’s convenient that the ads that you are seeing online are relevant to you. Sure, it’s creepy that big tech knows everything about you, but the Meta and Alphabet (Google) data centers are probably one of the best secured ones in the world. So the chances of an external data breach are slim and the chances that somebody from within will use your data with bad intentions might also be. Same for the slim changes that some algorithm might interpret your actions incorrectly, resulting in noticeable penalties for you as a user. But even though these chances are slim, it does not mean that they cannot happen. And those are not the only reasons why one might go for a more privacy-focused digital life.
For me, it’s mostly a matter of principle. Why should I give all my data to commercial companies who have a monopolist position in the internet? Why should I trust algorithms that might be programmed to show me biased information, based on everything they know about me? Why should I support companies that might prioritize hateful content in their algorithms to increase their customer’s retention? (see the recent leaks by Frances Haugen) Especially in times of a global pandemic, with so much misinformation floating around the internet, we don’t want big tech to polarize our society even more.
So is it a bad thing to use big tech products that harvest all your data? I decided that for me it is. And while it might be true that big tech’s products can be very comfortable in use, especially if all your friends use them too, they are not the only products out there. I noticed that some open-source apps and websites that respect my privacy more can be equally good and sometimes even better in use than the well-known proprietary ones.
By moving away from data harvesting software, will I stop Google and Meta completely from knowing a single thing about me? Probably not, since a lot of my friends are still using their products, thus still feeding their algorithms with my indirect data. But again, it’s mostly a matter of principle for me. I might not be able to stop big tech from spying on me completely, but I can sure make it a lot tougher for them to do so and limit what they know about me.
In the end, I believe it’s up to governments to set up clearer rules for what data commercial companies may track from their users and how (non-)transparent that may happen. But I also think that the more individuals think about this, the higher the chances are that governments are actually going to set the right rules on this topic. It’s the same as going on a vegetarian diet and hoping that by doing so, more people will follow and eventually more vegetarian products will appear in shops and more rules are set for the meat industry to make the world a better place.
And finally, when there’s less data about you to be found online, you don’t only increase your digital privacy, but also your digital security. I was scammed on the phone earlier this year, resulting in having to reset all my passwords, since I knew that data of mine was out there, that I did not want to be out there. It was then that I definitely knew I wanted to improve both my privacy as well as my security online.
Finding alternative products
If you decide that you want to stop using apps that harvest your data, you might think you need to stop using all Alphabet and Meta products at once, and possibly those of other companies with terrible terms of services too. But this can be a very overwhelming change if you’re deep into the Google and Facebook ecosystems already. What helped for me is to start with small steps. Every now and then, I changed one little online habit or swapped one app for a more privacy-friendly one. By doing so, I was able to find alternatives for a lot of software in a year time. And to be fair, for some products I’m currently still relying on Google (which I’m planning to change, but I’ve accepted that these things take time). However, some of the transfers were actually really easily made, and I would encourage anyone to at least look at the low-hanging fruit.
So below is a list of the alternative products that I switched to in the past year. Marked with asterisks to show how easy it was for me to do the transfer (* being very easy, *** being quite a lot of work) and marked with a dollar sign if they cost me subscription money. Most services however are free and all of them are either open-source and/or very transparent on how they handle your data. Do note that this is a list of services that works for me and this is by no means a privacy solution for everyone. What works for me might not be convenient for you and based on your needs and why you want to achieve online privacy (aka your threat model), you might want to be using other services.
But it might be a good starting point for whoever wants to live a more privacy- and security-focused online live. That being said, here’s my list:
Browser* – I use Firefox on PC. It has excellent settings to avoid trackers and fingerprinting, most of which are turned on by default. Brave on both PC and mobile and DuckDuckGo’s mobile browser are also good ones for privacy. I use those as a secondary browser solely when I still want to use Google products or Facebook and I clear my cookies after every use.
Search engine* – DuckDuckGo is excellent. It has a lot of built-in features that Google Search engine also has and some nice extras, but never stores any of your data. It uses Bing and Yahoo under the hood, but I never really felt the results were off compared to my Google searches. Alternatively, there’s Startpage.com. Another privacy-friendly alternative that does use Google Search under the hood. Both are great for daily use.
Private messaging* – I use Signal primarily instead of WhatsApp nowadays. I told all my friends they can reach me here, and if enough contacts have made the transfer, I’ll eventually delete WhatsApp altogether. For those friends who do not want to download Signal; they can still always send me text messages. Fun fact: those can be read on Signal as well if you give the app permission to do so (on Android). Do note that backups for Signal chats have to be enabled manually (I learned this the hard way)
Update 2023: Unfortunately Signal has dropped SMS support, but it’s still my go-to messenger app!
Video calls* – As far as I know Jitsi Meet is the only video chatting service that is open-source, supports end-to-end encryption (although you’ll need a Chromium browser like Brave for this to work) and that can directly be used from the browser by sending someone a URL. It can be a bit janky however. I also use Singal’s video calls function with those who have the app installed. I stopped using proprietary software like Skype or Discord as much as possible, although I still rely on Zoom and Microsoft Teams for work, but I try to avoid those for personal use.
App Stores* – For Android, there’s the F-Droid Store that only has FOSS (free open source) apps in there. Certain apps (like DAVx5) are actually free to download here, while the developers charge you money if you were to get them from the Play Store. This is the developers saying thank you for not using a proprietary Google Store.
From within the F-Droid Store, you can download Aurora Store. This app takes all the latest apps from the Play Store, but has the option to anonymize the login, so Google cannot track your app search queries or downloads. It will give you alerts when updates are available, just like the Play Store would. There’s one small catch: you cannot pay for apps using this store, so payments for apps or in-app purchases handled throughout the Play Store are not available using Aurora.
YouTube, SoundCloud and Reddit* – Here’s a secret: I still use YouTube and I love it. But similarly to the Aurora Store, there are Android apps that let you access YouTube without Google tracking you, like Vanced. I highly recommend NewPipe however, which has cool bonus features, like showing zero ads, letting you play videos in the background and also being able to search SoundCloud. You can still subscribe to channels you love and read video comments, but you cannot post comments or upload new videos yourself. Another downside is that casting to a big screen requires you to have a media center running Kodi. You can find NewPipe in the F-Droid Store. Infinity is also available there, a FOSS Reddit viewer without the tracking.
Update 2023: Unfortunately Reddit has made their API use a paid feature, causing Infinity and many other third party Reddit viewers to soon become subscription-based or to stop working entirely.
VPN* ($) – VPN* ($) – Virtual Private Networks (VPNs) can be used to access content as if you were in another country. But it also makes it a lot harder for big tech to track you if you have a VPN enabled, since it changes your IP adress, which is used for tracking. Because of this, I have VPN enabled all the time on all my devices. The VPN provider that was recommended to me is called Mullvad, which is very privacy-friendly and supports five devices on one account. Proton VPN is another good one, and if you already pay for Protonmail, you can use it one one device in the bundled price.
Photos and files*** – Here’s a big one: Nextcloud. I’ll admit, it is a tad slower and less smooth than Google Photos, but it has all the bells and whistles that you might from a photo archiving and file sharing service. There are webhosting companies out there that offer NextCloud servers for a subscription fee, but I set one up myself using a Raspberry Pi 4 and the NextCloudPi image. You need to buy some equipment (I spend ~120 euros for everything, including 256GB storage, which in hindsight could have been more), and it takes about a day to initially set it up. But now that it’s online, I have an absolute blast with it.
Contacts & Calendar*** – Again: Nextcloud. Once you have a NextCloud server running, you can just login, create a new calendar or contact list and sync them with all your devices. If you already have your contacts and calendars hosted at Google, you can easily export them and then import them into NextCloud. Syncing with Apple devices should be easy. For Android it requires a bit more work, since that does not support CardDav, CalDav and WebCal protocols out of the box. Luckily there’s DAVx5 in the F-Droid Store that adds this functionality and aCalendar+ as a great calendar app if you want to avoid the default Google Calendar on Android.
Notes* – I once used Evernote, but recently switched to Joplin when I found out that Evernote might not be the best app when it comes to privacy. The transfer was easy, since Joplin can import Evernote notebooks. I connected Joplin to my NextCloud server so I can sync my notes to all my devices without having to pay for Joplin Cloud.
Android keyboard** – Google says they do not use the default Android keyboard (Gboard) for storing any of your data, but they only upload anonymized snippets to their servers for improving their keyboard. While that might be true, I’d rather use a keyboard on my phone that does not upload anything that I type anywhere. The FOSS app AnySoftKeyboard from the F-Droid Store is a good one. It is highly customizable, so it takes some time to set it up in such a way that it resembles the familiar Gboard interface (or however you like it for that matter).
Social media*: I’m planning to only keep my LinkedIn account and not to use any Facebook, Instagram, TikTok, Twitter or whatever. A secondary reason for deleting these accounts is to reduce the amount of addicting endless scrolling through my feeds. This is supposedly very relieving. For some it might be harder to remove social media altogether (e.g. if you need it for work), in which case I advise you to not use their apps, but only use them from within a dedicated privacy-focused web browser (see above). Your social media browser, if you will. This will limit the amount of tracking from social media significantly, especially if you also use a VPN. If you do delete your social media, do not forget to download a copy of all the data that the service has of you and inform your friends in advance before hitting that delete button.
E-mail** ($) – I recommend Proton Mail instead of Gmail. While they offer a free version, I’d recoomend the “Plus” subscription for more storage. Tutanota offers a similar privacy-friendly e-mail service. I’ve set up a filter on my old e-mail account so it automatically forwards any e-mails to my new privacy-aware e-mail account. That was the easy part. What made this a challenging transfer, is that your e-mail address is also often your username to login to websites. I am still in the process of adjusting those every time I login to a website and I notice I’m still using my Google e-mail there. But some day, I’ll have no use for my Gmail anymore and I might delete it completely.
E-mail aliasing** ($): Within paid Proton Mail and Tutanota, you can set up multiple e-mail addresses: e.g. one for friends, one for business. Sending a message to either address will make it pop up the same inbox. This is called aliasing. Now to take this even further, I generate new e-mail aliases for every random webshop order that I place and every random account that I make online. If that website ever leaks my data or they start sending me spam, I can just throw away that alias and my real e-mail address will never get exposed. I use the amazing service SimpleLogin for this, which has free and premium models. AnonAddy is a similar service, if you want to give that one a try instead.
Update 2023: SimpleLogin is nowadays aquired by Proton, so expect SimpleLogin integration in Proton Mail soon!
Password Manager*** ($): I recommend Bitwarden as a digital password vault. You can store all your secure notes and login credentials in here: generated passwords (using Bitwarden itself) and generated e-mail aliases (using SimpleLogin) for logging into websites. This way, you never have to remember a single password or alias e-mail ever again. Bitwarden automatically enters this data and the Premium version can even handle two-factor authentication for you. In order to protect my vault, I recommend a very strong password and two-factor authentication like the DUO app (their free trial will do), so you can conveniently click “approve” on your phone with every login to your vault. It takes some time to set this one up, but it’s a life saver and an improvement for both your privacy as well as your security once you have your password manager up and running!
Phone “aliasing”* ($): I wondered if there was a service similar to e-mail aliasing for phone numbers. While there are some in the US (silent.link, Abine Blur), they do not seem to exist in Europe yet. So I came up with my own solution, which is actually a lot cheaper then those services: buying a prepaid burner SIM card for 7 euros and putting this in the second SIM slot (or eSIM) of my phone. Whenever I make a random order online and I need to specify a phone number, I fill in this one (or let Bitwarden do it for me). This way, only my friends and trusted companies know my real number. If I ever receive spam over the phone, I can just throw away the secondary SIM card and get a new one. Very convenient.
What about Apple and Microsoft?
Most alternatives that I’ve listed above will work on iPhone as well, but some apps (taken from the F-Droid Store) are not available from Apple’s App Store. If you want to avoid tracking from third parties, it’s overall better to use a dedicated privacy-friendly browser for their services rather than their apps that need extra permissions to work.
Apple has a less evil business model than Facebook, but their software is still closed-source. They tell the world that privacy is their #1 priority, but how can we tell for sure if we can’t look at their source code? I use as minimal Apple services on my MacBook myself.
Windows is also proven to harvest some of your data as well from the get-go. Techlore has a great video on what you can do to prevent that. They also have a similar video on privacy and security on MacOS.
Finally, about security on your computer (whether it’s running macOS or Windows), I suggest using a passphrase-protected admin account for installing software and a normal user account with less permissions for everyday use. If someone then enters your computer on your regular user account, they cannot install anything that might harm it. For a laptop it might also make sense to encrypt all your files when the device is locked.
Looking back at the top list, I’ve already made huge steps when it comes to improving my digital privacy and security in the past 12 months. I’m actually quite surprised myself about how long this list already has become. However, there are still a few things on my to-do list. I want to go over old accounts in my Bitwarden that I haven’t used in a long time and either delete them or update them by creating new e-mail aliasses for them. And as mentioned, at some point I will be able to completely delete Whatsapp and possibly also my Google account when there’s no more use for them anymore.
But the biggest step is still to be made: I want to change the operating system on my smartphone. I’m currently using a version of Android that came with my phone. And like most people with an Android phone, it is filled with Google software and that from the phone’s manufacturer from the get-go. Some of this software is located so deeply within the operating system, that even if I were to remove all Google apps from my phone, the company would still be able to track, for example, my location at all times. Luckily there’s also a version of Android that does not come with Google and phone manufacturer tracking: the open-source version of Android. Some clever people made an easy-to-install version of this that works on a lot of Android phones called LineageOS, which is probably the version that I will go for (in combination with MicroG so I can still use all apps that might rely on Google services, without having to use those actual Google services).
Update 2023: I finally took the step to install a privacy-friendly version of Android on my phone. While I mentioned LineageOS above, I actually went for the even more privacy and security focused GrapheneOS in the end, which supports sandboxing of Google services, so no need to run MicroG. Do note GrapheneOS only runs on Google Pixel phones (ironically. But that’s no big deal if you ditch all/most of the Google software on it anyway :))
Finally, I want to set up a reliable backup system for my NextCloud server, especially since I have so much data running on it already. Although everything is nicely synced to multiple devices, having a NAS somewhere that automatically runs back-ups is a reassuring thought.