What they lied to you about internet safety
Safety and privacy on the internet are not just about VPNs, anti-viruses, firewalls, or any other buzzword used to sell a useless product or to look "smarter". There is more to it, a lot more, but it could be easier than it sounds. Hackers recently leaked a database with over 530 million Facebook accounts, including names, phone numbers, occupations, and more sensitive data about its users, and you could be one of those 530 million. No firewall, expensive antivirus software, or VPN could save you from having your data end up in one of the many data breach databases out there (and there are a lot of them on the internet). Only one thing could: common sense.
Common sense is a very powerful tool on the internet. It is free and way better than anything a company could provide you for safety: if you don't click a malicious link, you don't get the virus; if you don't send money to someone attempting to scam you via email, you don't lose money. Simple, right? Perhaps most of it is. If you're a cautious user who thinks twice about the information you give online, what you browse, and who you trust, you're pretty much safe from a lot of possible attacks and evil ancient trickery going on online. You may then ask "What is the point of a privacy guide about internet safety if you're just telling me to not accept candies from strangers?", and the answer is simple: you still accept those candies, willingly or not, every single day on every website you access.
How they track you and compromise your privacy
On the internet, while using applications and services, you will either be asked to supply data or something will "silently" get it from you, as described in most website privacy policies. Tracking is about attributing the gathered data to a specific user: they will attempt to get as much data as possible while knowing that this data comes from you. Data like this is profitable. It tells a lot about user behavior and what users like to see; by knowing the topics you like, one could show you advertisements that you're more likely to click.
When referring to trackers you'll often read the word "cookie". A cookie is a widely used way to store some information on your PC to be used by a website. A simple way of tracking you between different websites would be to store something on your computer when you visit website A; if website B is part of this scheme, it can check for the previously stored data.
Cookies are not necessarily evil, nor should they be. They exist for a great purpose and have been used for a long time. It is also worth noting that a cookie is not the only way to store information, and other techniques could be used to achieve the same result; the name just got popular for some reason, maybe because it sounds comical. As cookies need to be written or read by some script, one could attempt to stop the script that wants to access the cookie, making the website unable to keep tracking you. A lot of different applications will offer to do this kind of job, but it's not that easy to know if you can trust them. Every time you use an application without knowing if it's reliable, you are creating privacy issues instead of solving them.
As a side note, if you are a Firefox user, you have a trustworthy tracker-blocking feature built in, so it is something to consider.
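The website A / website B scheme described above can be modeled in a few lines. This is an added example, not code from the article: the domain names, the `TrackerServer` and `Browser` classes and the `browse` helper are all hypothetical, and "blocking" is modeled simply as the browser neither sending nor storing the third-party cookie.

```python
import uuid
from collections import defaultdict

TRACKER = "tracker.example"  # hypothetical third-party domain embedded by many sites


class TrackerServer:
    def __init__(self):
        self.profiles = defaultdict(list)  # cookie value -> sites where it was seen

    def handle(self, cookie, embedding_site):
        # No cookie on the request: mint a new identifier for this browser.
        visitor_id = cookie or uuid.uuid4().hex
        self.profiles[visitor_id].append(embedding_site)
        return visitor_id  # sent back to the browser as the cookie value


class Browser:
    def __init__(self, block_third_party_cookies):
        self.block = block_third_party_cookies
        self.jar = {}  # cookie domain -> stored value

    def visit(self, site, tracker):
        # The page at `site` embeds a script from TRACKER, so the browser
        # contacts TRACKER while the user is looking at `site`.
        sent = None if self.block else self.jar.get(TRACKER)
        returned = tracker.handle(sent, site)
        if not self.block:
            self.jar[TRACKER] = returned


def browse(sites, block_third_party_cookies):
    """Visit each site once and return the browsing histories the tracker built."""
    tracker = TrackerServer()
    browser = Browser(block_third_party_cookies)
    for site in sites:
        browser.visit(site, tracker)
    return sorted(tracker.profiles.values())


SITES = ["news.example", "shop.example", "health.example"]  # constructed sample

if __name__ == "__main__":
    print("cookies allowed:", browse(SITES, False))  # one profile, three sites
    print("cookies blocked:", browse(SITES, True))   # three unlinked profiles
```

With the cookie allowed the tracker holds a single profile covering all three sites; with it blocked, each visit looks like a different visitor.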
How to achieve internet safety and privacy
Virtual machines remain, and will remain, the only true way to reach somewhat good enough privacy, alongside other methods, but you don't need that amount of privacy for your regular browsing, or at least it may not be worth the effort for a regular user. These steps are for a user who doesn't want to take the virtual machine route, so some things need to be done to improve privacy on a regular system.
Easy steps for browsing privacy
This one is very opinionated, as is this entire article. However, Firefox is open source; in fact, "Use an open-source browser" would be a better name for this. Basically, go for a browser with a public code repository, in which someone would spot shady activity if there were any. Note that we are not worrying about browser safety or flaws here; comparing x with y because of p would be a big rabbit hole. Instead, we are choosing anything that is crystal clear (not the code itself 🤮 but the access to it).
You will need some browser addons
Most web browsers today support addons. Addons are extensions for the browser application, providing more functionality and attempting to improve some aspects of it. Addons are uploaded by users, so you should not install any that you see online without taking a look at who published it and whether the code is open source.
- HTTPS Anywhere: HTTPS is a safer protocol than HTTP, as it uses encryption so others don't see your data going around the network. HTTPS Anywhere will make sure that your HTTPS connection works as expected, avoiding things like SSL stripping attacks. A very important note is that HTTPS Anywhere will not enable HTTPS on HTTP websites: if you are browsing a website over HTTP, it is not safe even with HTTPS Anywhere enabled.
- Privacy Possum: Privacy Possum attempts to falsify data that is sent to the companies attempting to track you. It blocks tracking headers and is generally good to keep around.
- Disconnect: I'd say that it is a more robust version of Privacy Possum, although they can be used together. Disconnect can even speed up loading and reduce bandwidth because of these tracker blocks.
- uBlock Origin: A good adblocker that won't consume a lot of your machine's resources. It is very efficient, and you will rarely find a website with non-blocked ads. Ads often come along with trackers, so sometimes it's a good idea to just shut them down.
This is a great start to rank up your privacy and be safer all around. A lot of trackers and ads are filled with scripts that take a long time to load; you're now less traceable and a lot of bullshit won't reach you.
But still... you're not anonymous, not really. Your public IP is exposed, and your User Agent can help the applications you connect to distinguish you from other users! Every router/modem on the network has a public IP address. It is unique to your network, and if someone can get your IP, they can distinguish you on the internet. Your User Agent is easier to change; you can use another browser extension for it.
For your IP address, only a VPN service can help. But because this guide is focused on the average user who simply wants to browse the internet without privacy issues, a VPN is not needed. Although your real IP is exposed, changing it through a VPN means paying for a service, and you still have to trust the provider while they hide your IP; it is not needed unless you have a true reason for it. There are many VPN advertisements claiming things that VPNs, in fact, don't do. If you think a VPN may be suitable for your needs, reading into it and avoiding websites that are biased towards a product is the best way to get started.
Never assume you are safe
Having a more secure environment doesn't mean you should open your email and click every link in the spam tab. Common sense is still in play; however, you now have more security for when it is not enough.
What about anti-viruses? How does a safety guide not even mention them?
Most features advertised by anti-virus companies are basic common sense and far from meaningful. However, any anti-virus that can analyze the behavior of applications at runtime is a great idea if you believe you need one (sometimes you don't). It's the same marketing issue that happens with VPNs over and over again: exaggerated advertising is used to create sales and make people pay for useless things bundled together.
Your password is not safe at all
As time passes, more websites have their databases compromised. It's nothing new, and sometimes it is not even the website's fault. Security problems arise, and when they happen the damage is already done, but there is one thing that should be done more often: acknowledging that the data was stolen.
If you have no idea your password was leaked years ago, you have no reason to stop using it. So you'll keep using the same password on every website (this is not recommended) while someone already has your password in a list to go through in an attempt to illegally access your account on another website. This makes you an easy target for attacks, and it is difficult to know exactly what is happening or why.
But there is a website where you can find out (almost certainly) if your password or other sensitive data was leaked. It is called Have I Been Pwned. It keeps a lot of leaked data and searches through it to help you know if your data has been compromised; it says which website was affected by the specified incident and what kind of data was compromised.
If your password or any other sensitive data is there, you must consider changing it. It is dangerous to keep using compromised passwords, and the website mentioned is something to check from time to time, even more so when something significant like the Facebook incident happens.
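Checking a password against Have I Been Pwned does not require sending the password anywhere: its Pwned Passwords range API takes only the first five characters of the password's SHA-1 hash and returns every known suffix for that prefix, so the match is done on your own machine. The following is an added example, not code from the article; it goes slightly beyond the text by showing that API, the response body is constructed so the code runs offline, and the function names are hypothetical.

```python
import hashlib


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: 5 + 35 characters."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL to request; only the 5-character prefix ever leaves the machine."""
    prefix, _ = split_hash(password)
    return "https://api.pwnedpasswords.com/range/" + prefix


def breach_count(password, range_body):
    """Match the suffix locally against a range response.

    Each response line has the form SUFFIX:COUNT, where COUNT is how many
    times that password appeared in the breach data.
    """
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not listed: not in the known breach data


# Constructed response body for the prefix of "password"; counts are made up.
SAMPLE_BODY = "\r\n".join([
    "A" * 35 + ":7",
    split_hash("password")[1] + ":1000",
    "B" * 35 + ":2",
])

if __name__ == "__main__":
    print(range_url("password"))
    print(breach_count("password", SAMPLE_BODY))
    print(breach_count("a long unique passphrase nobody else uses", SAMPLE_BODY))
```

To use it for real, fetch `range_url(password)` with any HTTP client and pass the response text as `range_body`.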
Whether your data is on the list or not, it is a great idea to change your password often and not use the same password for too many websites, or even for more than one website. You must also consider avoiding putting your password on any random website that you see around; there are still lazy applications that do not encrypt your password in their database or use outdated algorithms to do so.
Back in the day a lot of websites could get away with basic encryption for user passwords. However, as computer hardware got faster and faster, the old ways of encrypting passwords stopped being safe enough. Modern techniques are available for developers to use, but it is not possible to know what kind of encryption will be used for your password or how your data will be handled on the servers of the applications you use. Using a popular application is a good way to put at least some trust in the product. It is not necessarily true that a popular app will be secure, but it's one of the few ways to know.
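To make the difference between the old and modern ways of storing passwords concrete, here is an added example (not code from the article) that puts an outdated scheme, one fast unsalted MD5 pass, beside a salted and deliberately slow one, PBKDF2-HMAC-SHA256 from Python's standard library. The accounts are constructed, and the 600,000 iteration count and the record format are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def weak_hash(password):
    """Outdated scheme: one fast, unsalted MD5 pass (shown for comparison only)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password):
    """Modern scheme: random per-user salt plus a deliberately slow function."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and work factor, compare in constant time."""
    _, iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# Constructed accounts: alice and bob picked the same password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "x9!Lq-72vT"}


def reuse_visible_in_dump(hash_fn):
    """True if a stolen table shows which accounts share a password."""
    stored = [hash_fn(pw) for pw in ACCOUNTS.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("unsalted MD5 reveals reuse:", reuse_visible_in_dump(weak_hash))
    print("salted PBKDF2 reveals reuse:", reuse_visible_in_dump(strong_hash))
```

With the unsalted scheme identical passwords produce identical records, so one recovered password exposes every account that shares it; the per-user salt removes that, and the iteration count makes each guess slow.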
Your network has to be secure
We covered some browser-related issues and how to mitigate them, but it is almost all useless if the network you're using is not safe. Accessing the internet on public WiFi is a good way to let anyone who wants to take a look at your data. The more used a public network is, the higher the chances that someone with bad intentions is looking at your data. And it is that easy: the router/modem sends data to all devices, and by activating promiscuous mode, one can look at all traffic going through the network.
This is not something new or a vulnerability; it is simply how it works. There are a whole lot of other threats that can happen in a local network. This kind of tactic is called man-in-the-middle, and one must be connected to the local network, or have access to it somehow, to be able to do such attacks.
If you must use a public network sometimes, this is a good use case for a VPN, as it can help with most of the problems that arise. However, if you're going to use the public network for sensitive data, you may want to pay for a VPN, and it has to be from a provider that you trust.
There are a whole lot of things on the networking side, but using the internet on a private network makes it easier to be safe. You also have to make sure that the people around you are not going to compromise your network security: if someone else's machine gets compromised, it might attempt to do something with the network. Although this isn't likely to happen to the normal user, it is something to keep in mind.
One solution for overall network security is Pi-Hole. It blocks ads by filtering them in your DNS, and it can also block malicious websites and trackers, making it a very good way to enforce overall security in your network while not disrupting anyone, unless they enjoy ads.
It is completely free. You don't have to run it on a Raspberry, though it is a good idea to use one; you can run it on a simple computer or in a Docker container if you want to, but it has to be something that you know will be stable for long periods, so you don't have to worry about it much later.
With all the benefits Pi-Hole can give you, it is worth taking a look at, and it is also a good way to get into Raspberries if you want to use one and don't know how to start. However, it is better not to use the device for something else while it runs Pi-Hole, as it must do its thing.
Of course, there are more safety matters when it comes to the network. However, for normal users, it shouldn't be that big of a problem; not setting 123456 as your WiFi password is already a great start.
So most ways of getting internet privacy are free?
Yes. This topic is full of buzzwords and shady marketing propaganda, while the truth is: there is no ancient magical formula for privacy online that will instantly make you anonymous and safe, and anyone selling that is probably just trying to get your money with a mediocre product.
Privacy and safety online is a big topic, and even governments have attempted to address some issues. You can tell how big a problem is when even governments finally recognize that something is going wrong on the internet.
I hope this will help someone to learn something about privacy. There is a lot more to this topic, and this article was written with the regular user in mind, who is often attacked with buzzwords, nonsense, and scams.