Quick privacy guide
by CriticalResist
Published: 2026-05-22 (last update: 2026-06-02)
15-25 minutes
Yes, there are many privacy guides. But this one is mine. It's meant to be short and give you the cognitive tools and a checklist to understand privacy.
Look, fascism is coming back to Europe and North America. It never fully left. If you live in the Global South, chances are you're already living under a fascist dictatorship that the US installed in your country.
Digital privacy is a rabbit hole, I won't deny it. There's always something "more" you could do, and best practices evolve rapidly. Everyone kind of has their own security practices, and everyone thinks they're doing it better than anyone else.
Here's my philosophy: as the Filton 24 trials show, the point is not necessarily to prevent police from getting anything to indict you with. It's to stop you from handing the prosecution a better case. Al Capone, the famous gangster, went down on tax evasion charges, not on the murders and bootlegging, because that's famously all federal investigators could make stick.
Furthermore, my philosophy is also to do these steps before you actually need them. You won't be installing Linux while a SWAT team is battering down your door; you do it years in advance, in preparation for when you'll actually need it. This is why I say again: you have time to do this. Don't feel overwhelmed. Just come back to this list once in a while and do the next item on it.
Technical stuff you need to do
First part: the technical checklist. There's a belief that switching to privacy-hardening alternatives is difficult; it's actually not, I will say that right away. You slowly learn and do it day by day. It takes some time to set up at first, but once it's done, you get used to it in 3 days and forget what the "more convenient" stuff ever looked like.
Trust me - I did it and it was painless. Worst case scenario if you get frustrated? You just take a break, leave everything as is, and get back to it on another day.
Here's what I'm suggesting. I tried to order the advice from simplest to do to most complex. 'Complex' doesn't mean it's difficult or prone to fail, just that you might want to set some time aside to do it.
Switch to the Librewolf browser. Technically you can harden Firefox by hand, but Librewolf ships with the hardening already done.

Before you do, open this page: https://sinceyouarrived.world/taken. It's safe. It just shows you the information your browser hands to every web page you open as part of its normal operation. Collecting and combining these details to recognise you again is called fingerprinting. Assume every website gets and tracks this information about you: your timezone, your approximate location (from your IP address), your GPU(!), your screen resolution, your OS, your browser and version, your installed fonts, etc. Librewolf turns on Firefox's resistFingerprinting mode, which blanks or standardises most of these values so that you look like every other Librewolf user. That protection depends on blending in, so don't undo it by piling on extensions or custom settings that make your browser stand out again.

By choice, Librewolf does not have a phone app. However, they officially recommend IronFox on Android.[1]
Use a 2FA authenticator app. I recommend Aegis on Android: open-source, fully local. Set up 2FA on all your accounts; it's further protection against account takeover even when a password leaks. You scan the QR code the service shows you with Aegis, and that's it, it's set up. Prefer app-generated codes (TOTP) over SMS codes, which can be intercepted by hijacking your phone number. Two things people forget: save the recovery codes each service gives you, and export Aegis's encrypted vault to a backup, because a lost or wiped phone otherwise locks you out of everything.
Switch to a no-logs search engine. This depends on how much you trust the provider. I use 4get.ca, a tiny no-name (and kind of edgy, unfortunately) search engine that acts as a proxy to DDG, Google, Yandex, Brave etc., so the upstream engine sees the proxy's requests rather than yours. There are other search engines, but I don't trust big names. Just personal.
Use Mullvad VPN. The only one with a no-logs, RAM-only policy that has actually been put to the test. Nothing else comes close, don't even look anywhere else.

Use only Mullvad-owned servers, not ones they rent. There's a filter option in the app for it. Owned servers are hardware Mullvad physically controls; with rented ones you are also trusting the hosting company's rack.

VPN ALWAYS ON. Turn on the app's lockdown mode (kill switch) so that nothing leaves your machine outside the tunnel if the connection drops.

Pay by cash envelope, no more than ~100 $/€/£ at a time. Don't leave fingerprints on the envelope. Never link your email address to your Mullvad account in any way (an account is just a random number, so there is no need to).

VPNs don't just hide your IP address from the sites you visit. They also hide your traffic from your ISP, which makes reconstructing your browsing history and actions much harder. The flip side is that Mullvad now sees what your ISP used to see, which is exactly why the no-logs policy matters. In April 2023, Swedish police raided Mullvad's office with a warrant to seize customer data; after Mullvad explained how their operation works, they left empty-handed because there was nothing to seize.

Turn on all the features they have (DAITA, multihop, etc.). Put it on your phone too.
Email is just not secure. I don't know how else to say it. Email was designed in the 70s, before hacking was even illegal. Nobody was thinking about security or privacy back then, and the protocol still moves every message in a form the servers on both ends can read.

Proton is slightly ahead of the curve: mail sitting in your mailbox is encrypted with your key, so they can't read the body. But they operate under Swiss law, will cooperate with police agencies and hand over whatever they do have (account metadata, and your IP address once a Swiss court orders them to start logging it). They also fundraise for Freedom House, a US government agency passing as an "NGO", and called it a "nonprofit, nonpartisan organization"[2]... which is a lie. Personally, I don't trust Proton. But that's just me.

Philosophy is: don't say it by email. Simple as. If you've already said things in emails you shouldn't have, delete them; that's the best you can do. Your recipient should also delete them. From now on, stop discussing sensitive stuff by email.
Chat platforms: they all kinda suck. Telegram is not end-to-end encrypted at all by default (only its one-to-one "secret chats" are), so Telegram itself can read your group chats. Signal is end-to-end encrypted, but the company can still be compelled by the US government to hand over whatever its servers hold about you, under a gag order you would never know about.[3] Per the subpoena responses Signal has published, that is the date your account was created and the date it last connected; thin as that is, records like it can be enough to put you in an investigation or corroborate a case. They will give it, they won't protect you. So don't assume you can say whatever on Signal and be safe.

Metadata is valuable too. This is the unencrypted information around a conversation: who you talked to, when, for how long, etc. "Data about data". Metadata alone has been enough to lead to investigations and convictions.

Matrix is the only one that's still safe-ish (encryption and decentralised nature), but you have to trust the server owner: end-to-end encryption covers the message contents, while the homeserver still sees who is in which room and when messages are sent. This is not a Matrix guide, so I won't go into more detail. Not many people use it.

Otherwise: just be mindful of how you act on these platforms, that's about the best you can do.
Set a diceware passphrase for any master password. I will talk more about this after the list, because I feel it's the most important part to understand.

Encrypt your hard drives. You will need to back up the drives first, reformat them with encryption, and then restore the backup onto them. Encrypt after you've switched to Linux, because you will have to reformat your drives either way, and you can set up LUKS full-disk encryption while you're installing Linux, saving time. (LUKS2, the default on current distributions, derives the key from your passphrase with Argon2, which is deliberately slow and memory-hungry to brute-force.)

Use a password manager such as KeePassXC, the only one that's consistently recommended in actual privacy guides.

For all of the above, you can use the same diceware passphrase as the decryption password. It's uncrackable* (again, see below). That way you remember one password for everything. The tradeoff is that one captured passphrase (a keylogger, a shoulder surfer, being compelled to give up the drive password) opens everything; if you can remember two, give the password database its own, or add a KeePassXC key file kept on a USB stick rather than on the encrypted drive.
Switch to a Linux OS. There are very good working alternatives today, such as Mint or Zorin OS (very sleek and professional look). Getting used to Linux is very easy nowadays. If you run into an issue, ask an LLM about it (preferably a Chinese one such as Deepseek or Kimi) and chances are you will find a fix. Set up Timeshift (system snapshots) and Pika Backup (your files) on a spare drive so you can always roll back if you break something. FOSS software has come a long way in the past few years; it works and looks great now. Trust me, I was a Linux noob 6 months ago, now I'm deploying my own scripts and automations on it.
Use different usernames everywhere. Or at least try to: a unique username for each service. Your password manager can remember them for you. On social media, make new accounts periodically and delete the old ones; don't use the same account for more than 6 months. You can have alt accounts: one for posting, one for browsing, for example. There are services that give you temporary email addresses you can use to register, or throwaway phone numbers to receive SMS verification codes. This is completely up to you, but it's an additional layer. Changing your usernames right now, if you can, is worth it. If you can't change them, either make new accounts or leave it be, up to you. What matters is future-proofing yourself more than anything, again planning ahead for when this will actually be useful.
Phone: switch to GrapheneOS. Not every phone is compatible; Graphene's website keeps a list. Google Pixels are currently the only supported choice because they have the hardware Graphene relies on (a secure element, verified boot that accepts a third-party signing key, and long firmware support), which protects the phone regardless of what operating system is on it.

Until you have GrapheneOS, get a privacy-respecting keyboard. On Android, install the F-Droid store (FOSS software only) and install a keyboard from there. Yes, you can change your keyboard on Android. The default one can send what you type back to the company that makes it.

This is last on the list because Graphene currently only supports Pixel phones, meaning you'd likely have to buy a new phone for it, and they're not cheap.
Yes, this is not the shortest list. But here's the thing: you don't have to do everything right now. Make a mullvad account today just to take a look, send the cash envelope next week. 3 months from now, when you have a long weekend off, install Linux. Switch to Librewolf part-time - you can absolutely install it alongside your current browser and just test it out.
Do it little by little as your cognitive load permits. Start exploring. Ask AI (Kimi for security/privacy questions tbh) how to go about it, or if you're curious about a part of it. Send it the essay and tell it to make you a guide.
If your devices ever get seized by state agents, however briefly: replace them. Don't even play around. Get rid of the old ones, buy new ones, redo everything. Assume they installed an implant on them that you will never be able to find or remove. Rotate your passphrases and passwords.
Don't take your phone with you to protests. A phone is very easy to track through the cell towers it registers with, and switching it off on the spot still leaves a record that it was there right up to that moment. Just leave it at home.
Diceware pass phrases
You can skip this section, but the tl;dr is: the current best recommendation for your passwords is to switch to a passphrase you remember that lives only in your head. Do not write it down; if you must, pen and paper only, and burn it afterwards. Use it only for the most sensitive personal stuff (encrypted drives and the encrypted password manager database): do not enter it on a work computer. Your job won't protect you. Do not enter it on websites.
But I need to talk a bit about passwords and best practices, because I feel this is the most important part of this guide. Diceware is a method of password generation. On Linux, you just install it with 'sudo apt install diceware' and use it from the terminal. On Windows, I am not sure; KeePassXC's password generator has a passphrase mode built on the same kind of wordlist and runs on every OS, and physical dice (below) work anywhere. I would avoid any web page for generating a password: it's convenient, but you don't know where it's stored or what they do with it. If your password can be read in clear text 6 months from now because it sat in your browser's cache files, there is no point in having a secure password. Everything is just easier on Linux.
In any case. Diceware takes a different approach to generating passwords. Instead of a garbled mess of characters such as !AJ(%p"J3`3AZzAz, Diceware generates a longer but easier to remember phrase, such as: outthink-gesture-clay-audible-nursery
How easy is that to remember? Type it for a couple days and you'll remember it your entire life. The first password, with its exclamation marks and random letter arrangement? You will forget and mistype it often.
We are told to use special characters, capital letters, numbers etc. in our passwords, but those rules are mostly trivial for a cracking program to account for. zxcvbn, a strength estimator created by Dropbox (packaged on Linux for Python and other languages), models what crackers actually do: dictionaries, common substitutions, keyboard walks, dates, repeats and patterns, rather than just counting character classes, and it reports crack-time estimates for four attack scenarios. Let's check both passwords with it:
Password: !AJ(%p"J3`3AZzAz
zxcvbn crack time estimates:
  Online (throttled, 100/hr): centuries
  Online (no throttling, 10/s): centuries
  Offline (slow hash, 10k/s): centuries
  Offline (fast hash, 10B/s): 12 days
  Entropy: 53.2 bits
A sufficiently motivated attacker, such as a police lab with an array of RTX 5090 GPUs, can crack this "complicated" password in under 2 weeks. Your case will take at least a year to go to court; in other words, this is not secure. Two things to note about that number. zxcvbn only gives this string 53 bits because it spotted structure in it (the repeated "AZzAz", the "J3`3"); a genuinely random 16-character password over the full keyboard would be about 105 bits, but humans don't produce random strings, and can't remember them when a machine does. And the 10-billion-a-second row assumes a fast hash such as MD5 or NTLM, the kind a badly run website stores your password with; LUKS and KeePassXC derive their keys with Argon2, which is deliberately slow and memory-hungry, so against them even a GPU lab lands closer to the "slow hash" row. Meanwhile, the diceware passphrase that looks deceptively simple:
Password: outthink-gesture-clay-audible-nursery
zxcvbn crack time estimates:
  Online (throttled, 100/hr): centuries
  Online (no throttling, 10/s): centuries
  Offline (slow hash, 10k/s): centuries
  Offline (fast hash, 10B/s): centuries
  Entropy: 95.8 bits
The diceware passphrase is much harder to crack, almost double the entropy by zxcvbn's estimate, and much easier for you to remember entirely in your head: repeat it to yourself several times a day and you'll know it in 72 hours. One caveat on the number: zxcvbn is guessing from how rare the words look. The guaranteed figure for diceware is log2(7776), about 12.9 bits per word, because each word is one uniform pick from a 7776-word list: 5 words is about 65 bits, 6 words 78, 7 words 90. For the master passphrase on a drive or password database, use 6 or 7 words. That is future-proofed: even at 100 billion guesses per second against a fast hash, a 7-word phrase takes hundreds of millions of years on average, and against Argon2 nobody gets anywhere near that rate. No GPU array today or in the foreseeable future will be enough, not from a police lab that has a backlog and other passwords it needs to crack.
Why the diceware algorithm and not just making up 5 words in your head? Because our heads are not truly random. You will pick a word from a movie you watched recently, or a place you went to, or something you like. Dice are truly random.
If you can't easily install or find diceware for your operating system, there's an alternative method. Diceware, as its name implies, rolls dice to pick words from a word list.
If you have a printed dictionary at home: roll a die 5 times. The first 3 rolls give a page number, the last 2 give the word number on that page. So if you roll:

5 3 3 4 1

open the dictionary at page 533 and count to word 41 (if there are fewer than 41 words on that page, turn to the next page and keep counting).

Two caveats. A die has no 0, 7, 8 or 9, so this only ever reaches pages and positions whose digits are 1 to 6 (pages 111 to 666, words 11 to 66): you are choosing among a few thousand words at most, not the whole dictionary, and pages with few entries get picked more often than they should. It's still vastly better than choosing words yourself, but add a word or two to compensate. You can make the dice rolls more elaborate if you want so you can go above page 666. The cleanest option is to print the EFF large wordlist, which has exactly one word for each of the 7776 possible five-dice rolls and was built for this.
Why so convoluted? Because again, our minds are not fully random. We are talking about an important password that controls access to every other password/file you own. Take the time to do it properly once, then forget about it - you'll remember it for the rest of your life.
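The mechanics above, from the dice rolls and the base-6 word lookup to the bits per word and the four crack-time rows zxcvbn prints, as an added example in Python (not from the original guide or the diceware package). The synthetic placeholder wordlist, the EFF-style file format it can optionally load, and the four guess-rate scenarios are assumptions for illustration; the rates mirror the zxcvbn rows quoted earlier.

```python
"""Added example (not the diceware package): roll a passphrase and size it up."""
import math
import secrets
from itertools import product

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD           # 7776 possible five-dice rolls
BITS_PER_WORD = math.log2(LIST_SIZE)     # ~12.9 bits: one uniform pick per word

# Every roll from '11111' to '66666', in order; a real list has one word per roll.
ALL_ROLLS = ["".join(p) for p in product("123456", repeat=DICE_PER_WORD)]

# Constructed placeholder: synthetic tokens, just to make the lookup runnable.
# Use load_wordlist("eff_large_wordlist.txt") (assumed path) for a real passphrase.
PLACEHOLDER_LIST = {roll: f"word{i:04d}" for i, roll in enumerate(ALL_ROLLS)}


def load_wordlist(path: str) -> dict:
    """Read an EFF-format list ('11111<TAB>abacus' per line) into {roll: word}."""
    table = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            roll, _, word = line.strip().partition("\t")
            if len(roll) == DICE_PER_WORD and word:
                table[roll] = word
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    return table


def roll_dice(n: int = DICE_PER_WORD) -> str:
    """n fair dice from the OS cryptographic RNG, e.g. '53341'.

    `secrets` is the software stand-in for physical dice. Never use random.random()
    for this: it is seeded predictably and not meant for secrets.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def dice_to_index(roll: str) -> int:
    """Read a roll as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    if len(roll) != DICE_PER_WORD or any(d not in "123456" for d in roll):
        raise ValueError("need exactly five digits between 1 and 6")
    index = 0
    for d in roll:
        index = index * 6 + int(d) - 1
    return index


def passphrase(words: int = 6, wordlist: dict = PLACEHOLDER_LIST, sep: str = "-") -> str:
    """Roll five dice per word and join the words, diceware style."""
    return sep.join(wordlist[roll_dice()] for _ in range(words))


def entropy_bits(words: int, list_size: int = LIST_SIZE) -> float:
    """Guaranteed entropy of a diceware phrase, whatever the words look like."""
    return words * math.log2(list_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the phrase: on average half the keyspace is searched."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


# Same four attack scenarios as the zxcvbn rows quoted above (assumed rates).
SCENARIOS = {
    "online, throttled (100/h)": 100 / 3600,
    "online, unthrottled (10/s)": 10.0,
    "offline, slow hash (10k/s)": 1e4,
    "offline, fast hash (10G/s)": 1e10,
}


def crack_table(words: int) -> dict:
    """Years to crack an n-word phrase under each scenario."""
    bits = entropy_bits(words)
    return {name: years_to_crack(bits, rate) for name, rate in SCENARIOS.items()}


if __name__ == "__main__":
    for n in (5, 6, 7):
        print(f"{n} words = {entropy_bits(n):.1f} bits")
        for name, years in crack_table(n).items():
            print(f"   {name:28s} {years:12.3g} years")
    print("placeholder-list sample:", passphrase(6))
```

Run it and the fast-hash row shows the point made above: 5 words hold out for decades against 10 billion guesses a second, 6 words for hundreds of thousands of years, 7 words for billions. Against Argon2 on a LUKS volume or a KeePassXC database the attacker gets nowhere near that rate, so the "slow hash" row is the realistic one.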
Vectors of attack exist against diceware pass phrases:
- Compulsion: many jurisdictions are getting wise to this practice and passing laws to compel you to surrender your password. In some cases, saying "sorry but I forgot it" is not even a valid defense! But here's the thing: with a weak password or no encryption, you don't get the choice to talk with your lawyer about surrendering the password or not. That's just how I see it, it buys you time and a wider net of decisions if such laws exist where you live.
- The encryption algorithm itself could be cracked, allowing an agency to simply bypass needing your password entirely. This is unlikely but is one reason encryption algorithms change over time. It's still better to have a password than not.
- The last one I must acknowledge... criminals and in some places even police will just beat you up until you give them the password. This is already happening in crypto heists. Due diligence is required based on where you live.
Okay, that was the tangent on passwords.
Your biggest asset is your head
In general, never assume you are fully safe. You don't need to be paranoid though, just remember why you do this: so that if you are ever investigated by the fascist state for your journalism or activism, they will have a harder time building a case against you.
It's an old cat and mouse game. Developers make new privacy/security features, attackers break them, devs make new features. You will never be ahead of the curve. Just the other day, I saw a new form of attack (it goes by "ClickFix") that hijacks a website, pretends you have to pass a Cloudflare verification, and the "fix" it tells you to copy and run is actually a command that installs malware on your machine. We are so used to these "verification steps" (especially if you use a VPN) that some people just don't think about it and do whatever the page asks. No legitimate verification ever asks you to paste something into a terminal or the Windows Run box.
So yes, this means you still need to use your head. Having GrapheneOS or Librewolf+VPN doesn't mean you can say whatever on X dot com without repercussions. It doesn't mean your computer can't be hacked remotely by a three-letter agency and malware installed that you will never know about (if you're not on their radar, though, there is no reason they would even know you exist).
Like I said, this is a rabbit hole. There are concerns that the US government has a backdoor into Intel CPUs, through the Intel Management Engine, a separate always-on processor inside the chipset with its own access to memory and the network. If such a backdoor exists, it means they could read and even control your computer remotely, underneath the operating system, if you use Intel. We know, from the Snowden leaks (PRISM), that the NSA has compelled access to data held by the big US tech companies. Again, this doesn't mean you have to disconnect and live off the grid, just that you know to be mindful of what you share.
This is why I recommend everything Chinese as much as possible, because China will never work with US "security" agencies, seeing that these same agencies are the ones trying to dismantle China from the inside.
"But I have to trust China then". Yes. Welcome to the Chinese Century - it's great. What do you care if China knows something about you? The only country liable to bomb you and disappear you into a waterboarding black site is the United States of America, and they control most digital avenues until China overtakes them. Trust China, discard USA.
Hardware is not inherently safe either. A paper made the rounds recently showing that you can be tracked accurately through walls by ordinary wifi signals. Your body distorts the radio waves, and a trained model turns those distortions into a clear, accurate picture of where you are and how you are standing, no camera needed.[4]
Technically, if police can seize a running computer quickly enough and chill the RAM modules (freeze spray or liquid nitrogen), the cold slows the decay of the memory cells enough that they can move the modules, unpowered, to the station and read out their contents there, including disk-encryption keys that were in use.[5] The defence is simple: a machine that has been shut down for a while has nothing left in RAM, so power off (don't suspend) when you're not using it.
These two methods have yet to be used in real, uncontrolled conditions (as far as I'm aware), but they are very real and new vectors of attack, so who knows what they'll come up with next. This is why I say, again: you don't have to become paranoid because security is a rabbit hole that never ends. You just have to be mindful that things are moving and what is the correct practice today may not be in 10 years.
To finish up, I also have to rant a little about privacy... it's often just a buzzword that gives you a false sense of security (hence the philosophy: never assume you are fully safe, limit what you share). "Privacy-focused" apps for example are plenty, but what exactly is privacy to their devs? How do they define it and help your privacy?
To me, privacy means there is no tracking whatsoever and as much as possible is encrypted. That's the strict minimum. If it needs to collect anything, it stays on your machine and never, ever leaves it (local-first). Linux, for example, has good privacy out of the box: it does not track anything about you, not even that you are a Linux user, unless you opt in. Even something as innocuous as "does this machine use Linux? Yes/no" being sent back to servers is not privacy-respecting, in my opinion. Steam, for example, collects information about your hardware... is this dangerous if you're an activist? Maybe, maybe not (it could be used to learn your hardware and tailor a trojan to you specifically, who knows). But it's not private.
There is a huge amount of trust as well. When an app says it is private, and says it has a no-logs, RAM-only policy, you still have to trust that they actually follow their policy unless, as in Mullvad's case, it gets its baptism of fire. That's the limitation: you trust the devs to do what they said they do. It doesn't mean you shouldn't or can't use the app, it just means you trust them to that extent.
That's about it for this guide, otherwise it'll start being cognitive overload. Just do a little at a time, it's fine, nobody can ever do everything.
References
[1] https://librewolf.net/docs/faq/#will-you-provide-an-android-version-of-librewolf
[2] Proton 2024 Fundraiser
[3] Further reading: https://dessalines.github.io/essays/why_not_signal.html
[4] https://www.popularmechanics.com/technology/security/a42575068/scientists-use-wifi-to-see-through-walls/
[5] https://www.securitum.com/memory_heist_the_secrets_and_risks_of_cold_boot_attacks.html
