Little Steps is a guide to help you take back control of your data. It is a collection of small steps that you can take to improve your privacy and security. These steps take less than 5 minutes each and are easy to follow. You can do them in any order you like, but we recommend you start with the first step and work your way down.
YOU DO NOT NEED TO FOLLOW ALL OF THESE STEPS! This is all about choice, so do what you feel comfortable with.
It is often said that if you aren't paying for a product, you are the product. This is especially true for the internet. Companies like Google and Facebook make money by collecting data about you and selling it to advertisers. This data is used to target you with ads, but it can also be used to influence your behavior. If your data is your only form of payment, you should at least be able to control what you're paying with, and who you're paying it to.
This one is pretty simple: just don't use Chrome. Chrome is made by Google, and Google makes money by collecting data about you. Instead, use a browser like Firefox, which is made by a non-profit organization that is focused on privacy. Firefox is also open source, which means that anyone can look at the code and make sure that it isn't doing anything shady. It still has extension support (though you should be careful about which extensions you install, as many collect data from you), and it is available on all major platforms. It also has a mobile version, which is available on both iOS and Android and supports extensions.
If you're not using Firefox, you should at least be using a browser that is based on Chromium, the open source version of Chrome. This includes browsers like Brave, Vivaldi, and Microsoft Edge. These browsers are not as privacy respecting as Firefox, but they are still better than Chrome. If you must use Chrome, make sure you are using it in incognito mode, and that you have turned off all of the data collection options in the settings.
Whatever you choose to use, you should get a prompt when opening it for the first time asking if you want to import your data from another browser. This way you keep your bookmarks and you don't have to manually transfer them.
If your browser supports extensions, you can use them to improve your privacy and security. Here are some of the ones I recommend for privacy:
- uBlock Origin: Blocks ads and trackers
- ClearURLs: Removes tracking parameters from URLs
- Decentraleyes: Prevents tracking by CDNs
- Privacy Badger: Blocks trackers
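To make "tracking parameters" concrete, here is an added example (not part of the original guide and not ClearURLs' own code or rule set) that strips a few widely used click-tracking parameters from a URL. The function name, the parameter subset and the sample URL are assumptions chosen for illustration.

```javascript
// Illustrative subset of well-known tracking parameters (assumption:
// a real extension ships a far larger, per-site rule set).
const TRACKING_EXACT = new Set(["fbclid", "gclid", "msclkid"]);
const TRACKING_PREFIXES = ["utm_"]; // utm_source, utm_medium, utm_campaign, ...

// Returns the cleaned URL plus the parameter names that were dropped,
// or null when the input is not a parseable absolute URL.
function stripTracking(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null;
  }
  const removed = [];
  // Copy the keys first: deleting while iterating a live list skips entries.
  for (const name of [...url.searchParams.keys()]) {
    const key = name.toLowerCase(); // match UTM_Source as well as utm_source
    const tracked =
      TRACKING_EXACT.has(key) ||
      TRACKING_PREFIXES.some((prefix) => key.startsWith(prefix));
    if (tracked && !removed.includes(name)) removed.push(name);
  }
  for (const name of removed) url.searchParams.delete(name);
  // Path, remaining query parameters and the #fragment are kept.
  return { clean: url.href, removed };
}

// Constructed sample link, as it might appear in a newsletter.
const sample =
  "https://shop.example/item?id=42&utm_source=newsletter&UTM_Medium=email&fbclid=AbC123#reviews";
console.log(stripTracking(sample));
```

The functional parameter (`id=42`) survives, so the page still loads the same item while the identifiers that tie the click to a campaign or account are gone.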
Google makes money by collecting data about you and selling it to advertisers, so every search you make Instead, use a search engine like DuckDuckGo, which doesn't track you and doesn't store your search history, or SearXNG, which is a meta search engine that combines results from multiple search engines (including Google), and doesn't track you.
DuckDuckGo is a default search engine option in Firefox, and it is also available as an extension for Chrome.
Devices on the internet are generally addressed by a numerical value called an IP Address, but humans are not good at remembering IP addresses. This is why we use domain names, like "google.com", to access websites. When you type a domain name into your browser, your computer needs to look up the address of the website, and it does this by asking a DNS server. Generally, your computer will use the DNS server provided by your ISP by default, which can be used to track you and censor the internet. Instead, you should use a privacy respecting DNS server like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). These servers don't track you, and they don't censor the internet. You can change your DNS server by going to your network settings, and changing the DNS server to one of the ones I mentioned. You can find instructions for changing your DNS server on Windows or Mac at the links provided. If you're using a mobile device, you can change your DNS server by going to the Wi-Fi settings, and changing the DNS server to one of the ones I mentioned. You can find instructions for changing your DNS server on iOS or Android.
These 4 companies are the biggest data collectors in the world. They collect data about you from all over the internet, and sell that data or use it to target you with ads. It's difficult to avoid them completely, but you can at least limit the amount and type of data they collect about you.
I'm not going to tell you to delete your social media accounts, because I know that's not going to happen. Instead, I'm going to tell you to be careful about what you post on social media. Obviously you shouldn't post anything that you wouldn't want your boss or your grandma to see, but you also shouldn't post things that could be used to answer common security questions, like the street you grew up on or the name of your first pet. If you're going to post something like that, make sure that you're not using that information as the answer to a security question! If you're not deleting your Facebook, you can improve your privacy by deleting old posts and changing your privacy settings. You can delete your old posts using an open source utility like facebook-delete, created by Marcel Jankrift. You can change your privacy settings by going to https://www.facebook.com/settings/?tab=privacy. Here are some of the settings you should change:
- Who can look you up using the email address or phone number you provided?
  - I suggest setting this to "Only Me"
- Who can look you up using the phone number you provided?
  - I suggest setting this to "Only Me"
- Who can see your future posts?
  - I suggest setting this to "Friends"
- Limit who can see past posts
  - I suggest doing this to make all past posts visible only to friends.
You should also change your "Activity off Meta" settings to clear your previous data and not record future data. You can do this by going here: https://accountscenter.facebook.com/info_and_permissions/off_facebook_activity/, clicking "Manage Future Activity", selecting "Disconnect Future Activity", clicking "Continue", and then clicking "Disconnect Future Activity" again. This will both delete your past activity and prevent future activity from being connected to your account.
You can adjust your Meta ad settings by going here: https://accountscenter.facebook.com/ad_preferences/ad_settings/data_from_partners/. For "Activity information from ad partners", I suggest setting this to "No". There are other settings in this section that you can change, but this is the most important one.
Instead of using the Facebook and Instagram apps, you can use the websites in your browser. This will prevent Facebook from tracking your location and phone activity. If you're using an iPhone, you can also turn off background app refresh for Facebook and Instagram, which will prevent them from tracking your location and phone activity when you're not using them. You can do this by going to Settings > General > Background App Refresh, and turning off the switch for Facebook and Instagram. For Facebook/Instagram messaging, check out the messenger section below, where I talk about alternative apps that can be used for messaging on Facebook.
If you're going through these steps in order, you've already stopped using Chrome and Google as your search engine. If you're not using Chrome, you should also make sure that you're not signed in to any Google services in your browser. If you're using Firefox, you can check this by going to https://accounts.firefox.com/, clicking "Connected Services", and making sure that Google is not listed. If you're using a Chromium-based browser, you can check this by going to https://myaccount.google.com/, clicking "Security", and making sure that your browser is not listed under "Your devices".
It's actually pretty simple to limit Google's data collection about you. Go to the Google Activity Controls page, and turn off all of the options. This will prevent Google from collecting data about you from your browser, your search history, your location, and your YouTube history. On this page you can also turn off personalized ads.
This is a good time to repeat what I said at the beginning of this guide: YOU DO NOT NEED TO FOLLOW ALL OF THESE STEPS! This is all about choice, and I choose to leave my YouTube history on, because I like getting recommendations for videos that I might like. If you want to leave something on, by all means leave it on. By going through these steps and seeing what data is being collected about you, you can make an informed decision about what data you want to share.
Amazon is a little bit trickier to avoid, because the main place they gather data about you is on their website. If you're not using Amazon, you can skip this step. If you are using Amazon, you can improve your privacy by deleting your browsing history and turning off personalized ads. You can delete your browsing history by going to https://www.amazon.com/gp/history, clicking "Manage history", and then clicking "Remove all items". You can turn off personalized ads by going to https://www.amazon.com/adprefs, and turning off "Personalized ads from Amazon". On the same page you can also submit a request to "Delete your personal information from our ad systems", which will delete all data that Amazon has collected for the purpose of showing you ads.
This is a microphone, owned by Amazon, that is connected to the internet. I'd say it's pretty obvious why this is a privacy concern. To be fair, I have one too, though I'm working on replacing it with a privacy respecting assistant, which will be covered in the Big Steps guide. If you have an Alexa, you can improve your privacy by deleting your voice recordings and turning off personalized ads. You can delete your voice recordings by going to https://www.amazon.com/alexa-privacy/apd/myad, clicking "Review Voice History", and setting the following:
- Voice Recordings
  - Set to "Don't save recordings"
- Smart Home Device History
  - Set to "Save history for 3 months"
  - You can also delete your whole history now by clicking "One-time deletion of history"
- Detected Sounds History
  - Set to "Save history for 3 months"
- Interest-Based Ads from Amazon on Alexa
  - Turn Off
- Help improve Alexa
  - Turn Off "Use of voice recordings" and all users under "Use messages to improve transcriptions"
When starting this, I didn't have anything to write about, but I did some research and found that Microsoft had a ton of data from me. First, you can improve your privacy by turning off personalized ads and deleting your browsing history. You can turn off personalized ads by going to https://account.microsoft.com/privacy/ad-settings/signedout, and turning off "Personalized ads in this browser". There are also instructions on how to turn off ads for Windows 10 and 11 here, which you can follow if you use Windows.
You can delete the other data Microsoft has collected on you by going to https://account.microsoft.com/privacy/activity-history, and clearing the data for each category. You can also set any data collected to be automatically deleted after 30 days, which I recommend doing. When you close the page, you should see "No Data" next to every option. Depending on the Microsoft products that you use (Office, Xbox Live, Teams, etc.), you can change their settings from the "Privacy settings in our products" section of the page.
This section will focus on replacing the services you use with privacy-respecting alternatives, or using alternative front ends for consuming services with content that isn't available on other services (like YouTube, Twitter, or Reddit).
Alternative Front Ends are basically websites that allow you to use a service without being tracked by the service. For example, you can use Invidious to watch YouTube videos without being tracked by YouTube, you can use Nitter to browse Twitter without being tracked by Twitter, or you can use Libreddit to browse Reddit without being tracked by Reddit. These are all open source projects, so you can host your own instance if you want to. These front ends only work for consuming content, so you can't use them to post content to the service. This is another case where you have to decide what you're comfortable with. A fantastic list of alternative front ends can be found here. There are often many instances for each front end to distribute the load, so if one instance is down, you can try another one.
If you find that you're using a lot of alternative front ends, you can use a browser extension like Redirector to automatically redirect you to the front end when you visit the original website. For example, you can set it up so that when you visit "https://www.youtube.com/" you are redirected to the same channel or video on the Invidious instance "https://yewtu.be/".
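The rewrite that such a redirect rule performs, as an added example (not from the original guide and not Redirector's own code): a function that maps YouTube links to the same path on the yewtu.be instance named above. Function and constant names are hypothetical, and the sample URLs are constructed. The point to notice is the exact host match, since a loose pattern such as "contains youtube.com" would also rewrite look-alike domains.

```javascript
// Instance taken from the paragraph above; swap in any instance you trust.
const INVIDIOUS = "https://yewtu.be";

// Exact host allowlist. A substring or suffix match would also catch
// hosts such as "www.youtube.com.example.net".
const YOUTUBE_HOSTS = new Set(["youtube.com", "www.youtube.com", "m.youtube.com"]);

// Returns the front-end URL, or null when the link should be left alone.
function toFrontEnd(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // Short links carry the video id in the path: youtu.be/<id>
  if (url.hostname === "youtu.be") {
    const id = url.pathname.slice(1);
    if (!/^[\w-]+$/.test(id)) return null; // reject empty or odd-looking ids
    const out = new URL("/watch", INVIDIOUS);
    out.searchParams.set("v", id);
    return out.href;
  }

  // URL parsing has already lower-cased the host name.
  if (!YOUTUBE_HOSTS.has(url.hostname)) return null;

  // Same path and query on the front end, e.g. /watch?v=... or /channel/...
  // The result is always https, even if the original link was http.
  return INVIDIOUS + url.pathname + url.search;
}

// Constructed sample links.
for (const link of [
  "https://www.youtube.com/watch?v=abc123XYZ_-",
  "https://youtu.be/abc123XYZ_-",
  "https://www.youtube.com.example.net/watch?v=abc123XYZ_-",
]) {
  console.log(link, "->", toFrontEnd(link));
}
```

When writing the equivalent pattern in a redirect extension, anchor it to the start of the URL and to the full host name for the same reason.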
If you're using Gmail, I'd suggest switching to a privacy respecting email provider like ProtonMail or Tutanota. If you're using Gmail, you can export your emails and import them into your new email provider. You can find instructions for ProtonMail here, and instructions for Tutanota here.
In an ideal world, we all use open-source, secure, and private messaging services like Signal or Matrix. Unfortunately, most people use Facebook Messenger, WhatsApp, or iMessage (iMessage is actually pretty secure, but it's not cross-platform so it has limited use). To reach people on those platforms, you can use Matrix Bridges, which allow you to communicate with people on other apps without installing those apps. This is also convenient, because you don't need 10 different apps to talk to your friends. You can use one app to talk to everyone, and they can use whatever app they want. While this is not as secure as using Signal or Matrix (the data is still going through the original apps' servers), it is usually better than using the original apps, because you're not installing them on your phone, and you're not giving them access to your contacts. Beeper is a pre-configured Matrix client and server that supports all of the major messaging apps, and it is available on all platforms. Beeper claims that they will never read your messages and will never sell your data, and while I have no reason to doubt them, I would still recommend using a self-hosted Matrix server if you're particularly concerned with privacy, like the one I've made here. That is, however, more of a "big step".
This is hard, because you're probably used to getting free cloud storage from Google, Microsoft, or Dropbox. If you're willing to spend money, you can use a privacy respecting cloud storage provider like Tresorit, Sync, or pCloud. If you're not willing to spend money, you can use a self-hosted solution like Nextcloud, which will be covered in the "Big Steps" guide. If you decide to get a VPN, you may get cloud storage from it (Proton has cloud storage and PrivateInternetAccess run some promotions), but this should not dictate the VPN you use.
Most people are already using a password manager and don't know it. If you use Chrome, it will ask you if you want to save your password when you log in to a website. This is a password manager, but it only works if you're using Chrome. If you use Firefox, you can use the built-in password manager, but if you want to be extra secure, you should use a third-party password manager like Bitwarden (or the open source version, Vaultwarden), which stores your data with "zero knowledge", meaning that not even the company that makes the password manager can access your data. This is the most secure option, and it is also the most convenient, as it works on all platforms and browsers (via extensions).
You can set up a free account with Bitwarden here. You can also host your own instance of Vaultwarden, which is covered in the Big Steps guide.
While we're on the topic of passwords, I'm going to say what you've already heard a million times: don't reuse passwords. If you use the same password for multiple websites, and one of those websites gets hacked, the hackers will have access to all of your accounts. This is why you should use a password manager, so you can have a different password for every website. If you're not going to use a password manager, you should at least use a strong passphrase, which is a long password that is easy to remember (like "yard-wildcat-reset"). You can use a passphrase generator like this one to generate a passphrase.
A VPN, or Virtual Private Network, is a service that allows you to connect to the internet through a server in another country. This can be useful for a number of reasons, but the main reason is to hide your IP address from websites and services. This is useful because your IP address can be used to identify you, and it can also be used to track you across the internet. If you're using a VPN, your IP address will be hidden from websites and services, and they will only see the IP address of the VPN server. This means that they won't be able to identify you, and they won't be able to track you across the internet. This is especially useful if you're using a public Wi-Fi network, because anyone on the network can see your IP address, and they can use it to identify you and track you across the internet. If you're using a VPN, they will only see the IP address of the VPN server, and they won't be able to identify you or track you across the internet.
When choosing a VPN, you should look for one that doesn't keep logs of your activity, and that doesn't sell your data to third parties. I suggest ProtonVPN (which is made by the same company that makes ProtonMail) or Mullvad, which is what I use.