Some might say the internet was built on anonymity, paving the way for a place where free speech reigns supreme. But after years of learning about who’s snooping into everything we do online, privacy on the web is hardly a given.
It’s not just about government spying; it’s also about how much big companies like Amazon, Google, Facebook, and Microsoft have collected in order to serve up targeted ads. (Not to mention how much of your personal data gets scooped up in all the breaches and hacks.)
There are always going to be good reasons for people to go online without being tracked. It may be the only way for a real whistleblower to reveal corruption, considering how some have been treated. There’s nothing wrong with wanting to stay anonymous, no matter what you’re doing.
Is it even possible to take control of your own personal privacy online? Ultimately, the only way to stay truly anonymous online is…to not go online at all. That’s not really an option for most of us. Here’s a rundown of what you can do to minimize the spying, targeted ads, and ID theft as you explore the world online.
If you want to be anonymous, forget the smartphone. The big-name OS makers are control freaks (Apple) and ad servers (Google). If you want to be anonymous on a phone, your choice is a prepaid phone, a.k.a., a burner.
Even with a burner, call records exist, and you can be triangulated via GPS. The upside of a burner is not having your real name associated with the device. As you see in the movies, you can always throw the phone into a passing truck and lead whoever might be tracking you on a goose chase.
However, when you’ve got an expensive smartphone, getting more hardware is a pain. Thankfully, there are apps aplenty to get you temporary, anonymous numbers you can use with Android or iOS. One of those apps is named, aptly, Burner.
Is your desktop or laptop computer connected directly to a broadband modem? That’s a very bad idea. Hackers are constantly bombarding IP addresses to see if they can get onto a system.
You should always have a router on your home network that can mitigate that with its built-in firewall. A router uses Network Address Translation (NAT) to assign an IP address to every device on your home network, which are then only visible on that network. Direct attacks can sometimes be stopped dead right there. Plus, you need the router for sharing the internet connection and Wi-Fi, anyway.
Some ISPs’ modems come with a built-in router, so that should keep you covered. For more, see our roundup of the Best Wireless Routers, any of which will help protect your home.
You could also use firewall software installed on your PC. Windows 10 comes with a pretty decent solution called, you guessed it, Windows Firewall. You can also find firewalls as part of security suites. But as PCMag’s security expert Neil J. Rubenking explains, you don’t really need a firewall if you use the one that ships with Windows.
If you want real anonymity based on your OS, stop using Windows or macOS on the desktop, and move to a Linux distro that specializes in all forms of keeping you secret. Your best bet is Tails: The Amnesic Incognito Live System.
What does your computer (or tablet or smartphone for that matter) give away about you when you visit websites? At the very least, the site knows your IP address (and that’s necessary, otherwise you’d get no results).
In most cases, it also knows your approximate physical location (by checking where your ISP supplies those IP addresses—see it in action at IPLocation), and probably your time zone and what language you speak—all good info for advertisers. Your browser can also report on your operating system, browser type, and what versions of software you run for browser plug-ins. It even reports on the fonts you have installed. All of which can add up to giving your system a unique fingerprint. And anyone who’s watched Law & Order knows, a unique fingerprint is sometimes all it takes to track you down.
If you don’t believe it, visit MyBrowserInfo or BrowserLeaks.com for a full report. Then check out the EFF’s Panopticlick tool to see how well your browser and VPN are protecting you. They’ll push their worthwhile browser extension called Privacy Badger at you; it monitors sites that monitor you. The Ghostery browser extension, which blocks all sorts of trackers and advertising on almost all browsers, is a lot like Privacy Badger, but gives you a little more control.
What’s more, even if you’ve got a VPN—virtual private network—running, as you should, it could be leaking. Here’s how to get yourself back into stealth mode.
Make sure your browser isn’t storing too much personal info. In the settings menu, turn off the ability for the browser to store the passwords you use to access websites and services. That can be a pain, as you should have a different password for every service you use. The best alternative: use a password manager, like PCMag’s 4.5-star Editors’ Choices, LastPass and Dashlane.
Browsers store things like images, surfing history, and what you’ve downloaded, as well as cookie files, which can remember helpful things like settings and passwords. Obliterate that info occasionally; here’s how.
Major browsers also have anonymous surfing modes. In Chrome it’s called Incognito (Ctrl+Shift+N to access); in Firefox it’s Private Browsing (Ctrl+Shift+P); and in Microsoft Edge and Internet Explorer it’s In Private browsing (also Ctrl+Shift+P). Using it will prevent the browser from saving info on pages visited, whatever you search for—passwords, cookies, downloads, and cached content like images.
There are a number of browsers that bill themselves as privacy focused. Of course, they all use the same rendering engines as the big names, especially Google’s Chromium engine; the difference is the browsers don’t share any info with Google. Examples include Epic, Comodo Dragon, Comodo IceDragon (based on Firefox), and of course the Tor Browser (see below).
If you’re looking for a more mainstream browser with some extra security, consider getting Opera—it at least has a free VPN built right in. (Note that it only protects your browser traffic, not the other apps that utilize the internet.)
Use a different search engine than Google or Bing, which want to sell, sell, sell you. Go to DuckDuckGo—which doesn’t track you or sell your info, it says—or these options.
Keep in mind, using stealth modes and special browsers won’t make you completely anonymous, but they do prevent sites from writing info to your computer, including cookies, which can later be read by other sites to figure out your browsing habits.
The way to ensure outsiders don’t gather information about you while you’re browsing the web is to appear to be someone else in a different location. This requires a proxy server and/or a virtual private network (VPN) connection. With the right combo, you can not only be anonymous, but surf sites in other countries as if you’re a native.
Proxies aren’t for newbies, but FoxyProxy can get you started. It works with the major browsers and offers proxy services and VPN tools.
VPN services are everywhere. They have the advantage of not only securing the traffic between your computer and servers but also masking your IP address and location. For example, by connecting through my work VPN, sites believe I’m at corporate HQ, even though I work from home.
VPNs also double as a way to get access to location-blocked content—if you are in a country that can’t get the BBC iPlayer or Netflix, for example, a VPN could be your ticket.
No discussion of anonymity online is complete without mentioning Tor. The name comes from once being the acronym for “The Onion Router”—the implication being there are many layers of security offered.
Tor is a free network of tunnels for routing web requests and page downloads—it’s not the same as a VPN, but might be even more secure when it comes to your identity. It’s supposed to make it impossible for the site you access to figure out who you are. But does it?
The NSA’s spying controversy leaked by Edward Snowden in 2013 included what some thought was a workaround to identify users of Tor. But it wasn’t that simple. As explained by security expert Bruce Schneier in The Guardian, the NSA actually monitors what’s called the Tor “exit nodes”—the agency could tell users were using Tor, but not who the users were. By setting up a “man in the middle” attack, the NSA pretended to be the site the user wanted (Google, for example) and could send data back to the user that would take advantage of exploitable holes in the browser—not a hole in Tor.
The lesson there: keep your browsers up to date, or use one of the previously noted anonymizing browsers.
Guess who else has an anonymizing browser? Tor, that’s who. It’s a browser bundle for Windows (run it off a flash drive to take with you), macOS, or Linux; it’s available in 16 languages. There’s also a Tor Browser for Android devices; iOS users can try the third-party VPN+TOR Browser Private Web app.
Tor is not entirely foolproof—the theory is you could still be tracked by someone skilled enough (even if they can’t read what you send). The list of potential Tor weaknesses is long. If you’re sensing a trend in that nothing can keep you 100 percent anonymous, you’re paying attention. But it’s like a lock on a door—sure someone could kick it in, but if why leave the door open?
As nice as it is to remain anonymous as you surf, it may be even more essential for your email to go unnoticed if you want to avoid spam or surveillance. The problem is, email simply wasn’t built with security in mind.
There are secure email services, of course, which use encryption to scramble what you send and require the recipient to have a password that decrypts your message. Edward Snowden used a webmail service known as Lavabit, which was so secure the government insisted that it hand over the private keys of users. Lavabit, to its credit, immediately shut down to protect its customers. Later, it returned with even more user-forward security features. So be aware that just because you use such a service doesn’t mean it can’t be compromised, or will die to protect you.
If you want a Webmail service that’s going to handle encrypted messages, ProtonMail is considered the top of the heap. With a data center in privacy-minded Switzerland, the service has a free tier or charges 5 euros a month on up to 30 euros per month for more storage and aliases. It keeps all your email info secure from search, allows for self-destructing messages, plus offers apps for iOS and Android. For more options, read How to Create an Anonymous Email Account.
You might think your Gmail account is safe since you see that lock icon on the browser, and access it with a secure sockets layer (SSL) connection (indicated by the https:// in the URL). But SSL only encrypts data as it is transferred from your device to the server. Google still reads your email to tweak the advertising it places on Gmail. That is always going to be a problem with web-based services.
That said, there are tools to encrypt web-based email. Mailvelope is an extension (for Chrome and Firefox) that will secure Gmail, Outlook.com, and Yahoo Mail. FlowCrypt is another.
Perhaps the smart move is to eschew web-based mail and stick with desktop client software. Outlook 2007 and up have some built-in encryption tools, while Mozilla’s Thunderbird has add-ons such as Engimail to handle message encryption/decryption.
Beyond the obvious things—like never, EVER clicking on a link in a spam message, or even opening a spam email—the best way to avoid spam is to never let them get your address. It’s almost impossible, but there are methods to mitigate.
Number one is to utilize an alias or dummy email, which can be used with any service that requires an email address. You might be able to set one up if you own your own domain name. In G Suite, for example, you have your primary address, like firstname.lastname@example.org, but there’s the option to use William@yoursite.com as an alias for online sign-ups, messages to which can be forwarded to the main address. When spam begins to collect, change or kill that second address; there can be up to 30 aliases per individual.
Gmail is a little more straightforward: to make an alias, you append something to the user name. Turn email@example.com into firstname.lastname@example.org. Once the alias in question accumulates spam, filter it right into the trash. Here’s a video on how to do that in Gmail:
In Yahoo Mail, there are Disposable Addresses (under Settings > Security), which are similar—there’s a base name, then a secondary keyword appended, like email@example.com. Outlook.com also supports aliases, up to 10 per account. Look for “Account Aliases” under the Account settings. If you have your own domain name, check the control panel at your web host—they’re likely to have tools for creating aliases galore.
If you only need an alias for a short time, a disposable address is very handy. Free services like GuerrillaMail.com and Mailinator create an address you can check for just a short time.
Should you care about security when it comes to social networks like Facebook? One word: Duh. Facebook isn’t an altruistic nonprofit. It makes money by having lots of users looking at lots of ads. That occasionally means making your data available to questionable entities. Plus, you might not want all your “friends” or their extended networks to know all of your business, right?
There are several steps you can take to regain some Facebook anonymity. First, on a desktop, go to the Account menu in the upper right and select Settings > Privacy. You’re going to want to click the “Edit” link on every choice on this page to personalize who can see what, who can friend you, even who can look you up. Make sure your posts are not spidered by search engines.
Get as granular as you want, making sure, for example, that old boyfriends or girlfriends don’t see your posts—even the old posts. To perform a full Facebook Privacy Checkup, click > Privacy Checkup. Under Timeline and Tagging, ensure that you don’t get tagged in images or posts without your express permission.
Finally, inspect your contact info. Go to your General Account Settings, and again click “Edit” next to every entry. Double check the email address and phone numbers entered. Minimize the list of who has access as much as possible to maximize anonymity.
If you need out of Facebook entirely, delete the account. Deactivating it leaves your data on the site for your potential return. Go to this page and follow the instructions. It’ll deactivate your account for two weeks, just in case you really, really, really didn’t mean it. After that, it’s gone. However, even then, some digital photos may linger.
On LinkedIn, go to the Settings icon of your face in the upper right and select Settings & Privacy. In the center, select the Privacy tab.
What about Twitter? Don’t list your website or real email in your profile. Make sure your password is different from that of any other site. That’s good advice across the board, but we know people don’t follow it so we repeat it a lot. You really should with Twitter, which has had some security breaches. You also have the option, under Settings > Privacy and Safety, to protect your tweets, meaning only those followers you approve get access to them. Protected tweets aren’t searchable, aren’t retweetable, and you can’t share permanent links to them with non-approved followers.
That said, you’re fooling yourself if you think using social networking (or making any post online) is 100 percent safe—all it takes is an “approved follower” to take a screengrab and share it with the world.
If you’re worried about getting tracked as you surf, it also behooves you to sign out of the above services, as well as Microsoft, Google, Amazon, and Apple when you’re done using them. Otherwise, the ad servers and cookies and so forth that are run by them or their affiliates will pretty much know where and when you go online at all times. Not signing out is a pain—and exactly what the big companies are counting on.