The modern Internet is a scary place. Many people feel downright fatalistic about it, thinking that maintaining any sort of security or privacy is utterly hopeless. Others put their trust in woefully incomplete solutions. I want to go over various tools available, both the useful and the not-so-much.

Transit security is overrated

The most popular way of trying to ensure Internet security is with a VPN. It’s not hard to see why. They are easy to set up, are effective against a popular villain (ISPs), and have many commercial providers pushing them. But as I’ve discussed before, they aren’t as effective as you might think. I want to expand a bit more on that.

Imagine you were running a (physical) mail system, and you want to harvest as much information as possible about the senders and recipients of mail. Naturally you could look at the mail itself. But there’s a problem. The mail carries a gigantic amount of information stored in many different ways, used for many different purposes. You can design some heuristics to extract some information, but it’s woefully incomplete. Even if you read every piece of mail, it would be essentially impossible to process more than a small fraction of it. And it gets worse, because most of the mail is encrypted now. There’s practically nothing you can do with the contents.

There is another source of information: the label. This mail system doesn’t have names on the envelopes but it does have addresses that can easily be gathered. Unfortunately this information is of limited use as well. You can establish some name–address mappings, but it’s always changing and many names are often behind the same address. With enough effort you can get some information but not a lot.

This is similar to the view your ISP has of network traffic. Yes, it is possible for them to gather information on you, but it’s quite limited once you dig in deep. A VPN isn’t bad for protecting against this, but it’s of limited value in the overall picture of things.

Protect your DNS!

One powerful tool that ISPs have is the Domain Name System. This is what turns names into addresses. Whenever you open a URL in your browser, it first needs to take the domain name portion (like en.wikipedia.org) and find the IP address that corresponds to it. This is because Internet traffic routing uses these addresses to get the data you send to the website, and the data it sends back to you. DNS servers (or “name servers”) perform this conversion.

On a default Internet setup your DNS server will unfortunately be one run by your ISP. This is a big problem for several reasons. Many ISPs will now manipulate the results they give. If you look up a domain that isn’t registered in the domain system, they might redirect you to their own page with ads. If the domain hosts a website being censored by the ISP’s government, they may return no result or a fake one. And of course ISPs can use/sell the list of domains being accessed.

Worse still, this bad behavior by your ISP is often not prevented by a VPN. Your DNS requests will go over the VPN, come out of the server at the other end, and then go right back to the ISP!

Luckily there are ways to fix this. One way is Cloudflare’s DNS service, which provides great instructions on how to set it up. There are other providers you can find as well, if you search for privacy-protecting DNS. You can also run your own DNS server but I won’t get into that here.
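To make concrete what a DNS lookup carries on the wire, here is an added example (not code from the original post) that builds the plaintext query for en.wikipedia.org and parses a constructed reply; the reply and the address 198.51.100.7 are made up for the demo. Every byte of both messages is readable by whoever carries the packet, which is why the choice of resolver (and encrypting the transport, as DNS over HTTPS/TLS providers do) matters.

```python
import struct

def build_query(name, txid=0x1234):
    """Build a plaintext DNS A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN

def read_name(msg, offset):
    """Decode a name at `offset`, following compression pointers; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_answers(msg):
    """Return {name: [IPv4, ...]} from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                       # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    result = {}
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata, offset = msg[offset + 10:offset + 10 + rdlen], offset + 10 + rdlen
        if rtype == 1 and rdlen == 4:              # A record: 4-byte IPv4 address
            result.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return result

def constructed_response(query, ip):
    """Constructed sample reply (not a real answer): echo the question, add one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1, RD, RA, one answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rr

if __name__ == "__main__":
    q = build_query("en.wikipedia.org")
    print(q.hex())                                  # the whole question is visible in transit
    print(parse_answers(constructed_response(q, "198.51.100.7")))
```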

Websites are the worst

The real problem with Internet privacy is the websites you browse themselves. They have access to the unencrypted information that your ISP doesn’t and they are able to gather better information about you using cookies and other tracking methods. Certain sites – social media being the most prominent example – are able to use what you send and look at to build more data about you. And VPNs do almost nothing at all to prevent this. VPNs hide your IP address from the site, but that’s only one small piece of information. Everything else gets to them unhindered.

The easiest way to fix this is with browser extensions. Privacy Badger is one popular extension that blocks many different web trackers. Disconnect is another. And because most of the tracking is done via ads, using an adblocker like uBlock Origin is another useful tool.

These tools are very useful, but they don’t stop data collection and usage done by the site itself. Here there is not much you can do except control what you give to and view from the site in question.

Maximum security!

For when you need as much security as possible, one of the most powerful tools available is Tails OS. This is an entirely separate operating system for your computer. For that reason it’s somewhat inconvenient to use, but it offers more than anything else I’ve discussed here. It forces all network connections to go over the Tor network, which is like a VPN on steroids. And the fact that it’s a separate OS means everything you do there is isolated. You shouldn’t use it as your normal system – that would somewhat defeat the purpose – but for something that needs to be separated there’s nothing better.

Real safety is difficult

Staying safe online is not simple. There’s no single solution that works for everything, for everyone. You need to look at what your actual goals and adversaries are, because that determines what to do.