Taking Back Your Privacy: Practical Steps for Everyday Browsing
Every time you open a browser, you leave a trail. Your internet service provider (ISP) can see which sites you visit. Advertising networks track you across those sites using cookies and fingerprinting, building a profile of your interests, location, and habits. Data brokers collect and sell this information. When a service you use suffers a breach, your credentials end up in databases that attackers use to try logging into your other accounts.
None of this requires you to do anything wrong. It is the default behavior of the internet as it exists today. The good news is that a handful of straightforward changes can reduce your exposure significantly. None of the steps below require technical expertise. Each one addresses a specific, well-documented threat.
Browse Wisely
Use a pseudonym on any account with a public profile. If a stranger can connect your username to your real name, they can find your employer, your location, and your other accounts. Avoid reusing the same username across platforms.
Be cautious with links and attachments. If a link arrives unexpectedly, even from someone you know, verify it before clicking. Do not download files from sources you do not recognize. Most malware and phishing attacks rely on a single moment of inattention.
Use a VPN
A VPN (virtual private network) encrypts your internet traffic and routes it through a server operated by the VPN provider. Without a VPN, your ISP can see every domain you connect to and can log that data, sell it to advertisers, or hand it to authorities.[1] With a VPN, your ISP sees only that you are connected to the VPN server, and the sites you visit see the VPN server's address instead of yours.
The tradeoff is that you are trusting the VPN provider instead of your ISP. Choose a provider whose no-logs policy has been independently audited rather than merely promised. Mullvad is a strong choice: it identifies you by a random account number, with no email address or name required, accepts cash payments, and has been independently audited. Its servers run from RAM only, so nothing persists across a reboot.[2] Two caveats apply to any VPN. It hides your address from websites, but a site you log into still knows exactly who you are. And if your device sends DNS lookups outside the tunnel (a "DNS leak"), your ISP still sees every domain you visit; a good VPN client routes DNS through the tunnel as well, and the provider's leak-test page will confirm whether yours does.
DNS-Level Blocking
Every time you visit a website, your device first looks up the site's address through the Domain Name System (DNS). By default, these lookups go through your ISP's DNS servers, which means your ISP can log every domain you request. DNS-level blocking points your devices at a resolver that filters known advertising and tracking domains: a lookup for a listed domain (or any subdomain beneath it) gets a sinkhole answer such as 0.0.0.0 instead of the real address, so the browser or app never opens the connection at all.
NextDNS is a hosted option that works on any device with no hardware required. You create a configuration, add blocklists, and point your device's DNS settings at NextDNS's servers. Use its DNS-over-HTTPS or DNS-over-TLS endpoints rather than plain DNS: lookups sent unencrypted on port 53 are still readable by your ISP even when they go to someone else's resolver. For a self-hosted option, Pi-hole runs on a small computer on your local network and filters DNS queries for every device connected to it; its documentation covers adding an encrypted upstream (for example DNS-over-HTTPS via cloudflared) if you also want to hide the lookups from your ISP. Both approaches block ads and trackers at the network level, covering apps and devices that do not support browser extensions. What neither can do is inspect URLs: a tracker served from the same domain as the page's own content passes through untouched, which is why a browser-level blocker is still worth running alongside.
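To show concretely what a filtering resolver decides, here is an added Python model (not the article's code and not code from NextDNS or Pi-hole): it parses a hosts-format blocklist, treats a listed domain as covering every subdomain beneath it, lets an allowlist entry override the list so a broken site can be repaired, and returns the 0.0.0.0 sinkhole for blocked names instead of consulting upstream. The blocklist, allowlist and upstream answers are constructed for the example; nothing touches the network.

```python
"""Model of DNS-level blocking: hosts-format blocklist, subdomain matching, allowlist,
sinkhole answer. Constructed example; it performs no network I/O."""

SINKHOLE = "0.0.0.0"   # the answer Pi-hole returns for a blocked name by default

# Constructed sample in the hosts format most public blocklists use (not a real list).
SAMPLE_BLOCKLIST = """\
# tracking domains (constructed for this example)
0.0.0.0 ads.example
0.0.0.0 tracker.example.net
127.0.0.1 telemetry.example.org   # inline comment
"""

# Allowlist entries override the blocklist, for themselves and their subdomains.
SAMPLE_ALLOWLIST = {"cdn.tracker.example.net"}

# Stand-in for the upstream resolver: constructed answers using TEST-NET addresses.
FAKE_UPSTREAM = {"shop.example": "203.0.113.10", "example.net": "203.0.113.20"}


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_hosts_blocklist(text):
    """Return the set of blocked names from hosts-format text ('0.0.0.0 name [name ...]')."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # Hosts-format lines lead with a sinkhole address; bare-domain lists omit it.
        names = fields[1:] if fields[0] in ("0.0.0.0", "127.0.0.1", "::", "::1") else fields
        blocked.update(normalize(n) for n in names)
    return blocked


def classify(name, blocked, allowed=frozenset()):
    """Walk from the full name up through its parents; the most specific rule wins.
    Returns ("block", rule), ("allow", rule) or None when no rule applies."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in allowed:
            return ("allow", parent)
        if parent in blocked:
            return ("block", parent)
    return None


def resolve(name, blocked, allowed=frozenset(), upstream=FAKE_UPSTREAM):
    """Simulate the filtering resolver: sinkhole blocked names, otherwise ask upstream."""
    verdict = classify(name, blocked, allowed)
    if verdict and verdict[0] == "block":
        return SINKHOLE
    return upstream.get(normalize(name), "NXDOMAIN")


if __name__ == "__main__":
    rules = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for q in ("www.ads.example", "cdn.tracker.example.net",
              "api.tracker.example.net", "shop.example"):
        print(q, "->", resolve(q, rules, SAMPLE_ALLOWLIST))
```

The walk from the most specific name upward is what makes one line like "tracker.example.net" catch every host the tracker spins up beneath it, and it is also why an allowlist entry has to be checked at each level before the blocklist, or the repair would never win.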
Switch to Firefox
Google Chrome is built by an advertising company whose business model depends on collecting data about what you do online. Firefox is built by Mozilla Corporation, which is wholly owned by the nonprofit Mozilla Foundation.[3] Firefox turns on Enhanced Tracking Protection by default; its standard setting blocks cross-site tracking cookies, social media trackers, fingerprinting scripts, and cryptominers.[4]
Chrome's Manifest V3 extension platform removes the blocking webRequest API that content blockers used to inspect and cancel each request as it left the browser, replacing it with a declarative rule API that caps how many rules an extension may load. Firefox also ships Manifest V3, but it keeps supporting Manifest V2 extensions and the blocking webRequest API,[5] so uBlock Origin runs at full effectiveness on Firefox, whereas Chrome users are limited to the reduced uBlock Origin Lite.
Install uBlock Origin
uBlock Origin is a free, open-source browser extension that blocks ads, trackers, and malicious domains. It consults filter lists, sets of rules that identify known advertising and tracking resources by domain, URL pattern, or page element, and cancels each matching request before it leaves the browser. Pages load faster because the blocked content never downloads.
Install it from Firefox Add-ons. The default filter lists are effective out of the box; for most people, no configuration is needed beyond installing it. Run only one content blocker at a time: a second one adds breakage, not protection.
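To make concrete what a filter-list rule does, and what DNS blocking cannot, here is an added Python example (not code from uBlock Origin or any filter list): a matcher for a small subset of the Adblock Plus syntax that uBlock Origin reads, namely "||host^" and "||host/path" anchors, plain substring patterns, "@@" exceptions, and the "$third-party" option. The filter list and URLs are constructed for the example. The registrable-domain check is a two-label simplification; real blockers consult the Public Suffix List.

```python
"""Matcher for a subset of the Adblock Plus / uBlock Origin network-filter syntax.
Constructed example: '||host^' and '||host/path' anchors, plain substring patterns,
'@@' exceptions and the '$third-party' option. Cosmetic (##) rules and all other
options are ignored."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed filter list for this example (not EasyList or any real uBlock Origin list).
SAMPLE_FILTERS = """\
! ad network, blocked everywhere
||ads.example^
! shared CDN: fine as first party, blocked when embedded on other sites
||cdn.example^$third-party
! but let its font files through anywhere
@@||cdn.example/fonts/
! tracking pixel by path, on any host
/pixel.gif?
"""


@dataclass
class NetFilter:
    pattern: str
    exception: bool = False
    third_party: bool = False

    def matches(self, url, page_url):
        if self.third_party and not is_third_party(url, page_url):
            return False
        return pattern_matches(self.pattern, url)


def parse_filters(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!") or "##" in line:
            continue                        # blank, comment, or cosmetic rule
        exception = line.startswith("@@")
        if exception:
            line = line[2:]
        pattern, _, opts = line.partition("$")
        rules.append(NetFilter(pattern, exception, "third-party" in opts.split(",")))
    return rules


def registrable_domain(host):
    """Simplification: last two labels. Real blockers consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(url, page_url):
    req = urlsplit(url).hostname or ""
    page = urlsplit(page_url).hostname or ""
    return registrable_domain(req) != registrable_domain(page)


def pattern_matches(pattern, url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not pattern.startswith("||"):
        return pattern in url               # plain pattern: substring anywhere in the URL
    body = pattern[2:]
    cut = next((i for i, ch in enumerate(body) if ch in "^/"), len(body))
    anchor, rest = body[:cut], body[cut:]
    # '||' anchors at a label boundary: the host itself or a subdomain, never 'notads.example'
    if host != anchor and not host.endswith("." + anchor):
        return False
    if rest in ("", "^"):
        return True                         # '^' after the host: any separator or the end
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return tail.startswith(rest)            # '||host/path' must match the start of the path


def should_block(url, page_url, rules):
    """Exceptions win over blocks, as in uBlock Origin."""
    blocked = False
    for rule in rules:
        if rule.matches(url, page_url):
            if rule.exception:
                return False
            blocked = True
    return blocked


if __name__ == "__main__":
    rules = parse_filters(SAMPLE_FILTERS)
    print(should_block("https://static.cdn.example/lib.js", "https://news.example/", rules))
```

The "$third-party" decision needs both the request URL and the page that made it, and the exception rule needs the path, which is information a DNS resolver never sees. It is also why a blocker needs to see each request before it is sent, the capability at stake in the Manifest V3 change.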
Enable HTTPS-Only Mode
HTTPS encrypts the connection between your browser and the website you are visiting. Without it, anyone on the same network (a coffee shop, an airport, a hotel) can read, and alter, exactly what you send and receive. Most websites now support HTTPS, but if you type a bare address the browser's first request may still go out over unencrypted HTTP, and that single request is enough for someone on the path to redirect you elsewhere.
Firefox and Chrome both include an HTTPS-only setting that upgrades every connection to HTTPS and warns you before loading any site that does not support it; Safari upgrades to HTTPS automatically where it can. In Firefox, go to Settings, then Privacy & Security, and enable HTTPS-Only Mode in all windows (the underlying preference is dom.security.https_only_mode in about:config). In Chrome the equivalent is Settings, Privacy and security, Security, "Always use secure connections". When the warning page does appear, treat it as a reason not to enter anything on that site.
Use a Private Search Engine
Google Search logs your queries, your clicks, your location, and your device information. It uses this data to build an advertising profile tied to your account.[6] Switching to a search engine that does not track you removes one of the largest single sources of data collection in everyday browsing.
Kagi is a paid search engine (plans start at $5 per month) that collects no personal data and shows no ads. Because it is funded by subscriptions rather than advertising, its incentive is to return relevant results rather than to sell your attention. For a free alternative, DuckDuckGo is a reasonable choice: its results are ad-supported, but the ads are keyed to the search terms rather than to a profile of you.
Use a Password Manager
When a website is breached, the attacker typically walks away with its list of email addresses and password hashes, and weakly hashed passwords are cracked in bulk. If you use the same password on multiple sites, the attacker then replays those email-and-password pairs against every other popular service. That replay is called credential stuffing, and it is one of the most common ways accounts are compromised.[7]
A password manager generates a unique, random password for every account and stores them in an encrypted vault. You remember one master password; the manager fills in the rest. Because it only autofills on the domain where a credential was saved, it also refuses to hand your password to a look-alike phishing site. Bitwarden is open source, has been independently audited,[8] and its free tier includes unlimited passwords synced across all your devices. Use a long passphrase as the master password and turn on two-factor authentication for the vault itself: it is the one account everything else depends on.
Enable Two-Factor Authentication
A password alone is not enough. If your password is leaked in a breach or captured by a phishing page, two-factor authentication (2FA) adds a second check: a temporary code from an app on your phone, or a tap on a physical security key. Someone who has only your password cannot log in without the second factor.
Use an authenticator app (such as Aegis on Android or the built-in Passwords app on iOS) rather than SMS codes. SMS messages can be intercepted through SIM-swapping attacks, where an attacker convinces your carrier to transfer your phone number to their device.[9] App-generated codes are still phishable: a fake login page can ask for the code and relay it to the real site within its 30-second validity window. For the highest level of protection, hardware security keys (such as a YubiKey) resist phishing because the key signs a challenge bound to the site's real domain, so a credential registered for the genuine site simply does not work on a look-alike. Whatever you choose, store the backup codes somewhere safe, and if you go the hardware route register a second key, so losing one device does not lock you out.
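As an added example (not from the article and not the code of any authenticator app), the following Python implements HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms behind the six-digit codes, together with the server-side check that tolerates one step of clock drift and compares codes in constant time. The secret is the RFC test-vector key, embedded so the code runs offline; the base32 form is what an enrollment QR code carries. Never reuse a published secret for a real account.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): what an authenticator app computes, and how a
server should check it. Constructed example using the RFC test-vector secret."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 SHA-1 test-vector secret, as raw bytes and as the base32 text
# an enrollment QR code would carry. Published, so never use it for a real account.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def secret_from_base32(text):
    """Decode a base32 secret from a provisioning URI; tolerate spaces and missing padding."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC the 8-byte big-endian counter, then dynamic-truncate to the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP is HOTP over the number of `step`-second periods since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, submitted, at=None, window=1, step=30, digits=6):
    """Server-side check: accept the current step and `window` steps either side for
    clock drift, comparing in constant time so timing does not leak matching digits."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    ok = False
    for delta in range(-window, window + 1):
        # Evaluate every candidate; decide only after the loop so timing stays uniform.
        ok |= hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
    return ok


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("current code for the RFC test secret:", totp(secret))
    # The 30-second validity window is what lets a real-time phishing proxy relay a
    # code it has just captured; a FIDO2 key avoids this by signing a challenge bound
    # to the site's origin instead of producing a code that works anywhere.
```

Note that nothing in the code depends on where the six digits are typed: the server cannot tell a code entered on its own page from one relayed by a phishing site a few seconds earlier, which is the gap hardware keys close.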
Use Signal for Messaging
Standard SMS text messages are not end-to-end encrypted. Your carrier can read them, store them, and hand them over to law enforcement without your knowledge. Signal is a free messaging app that uses end-to-end encryption: only you and the person you are messaging can read the content.[10] The Signal Protocol is open source, has been formally analysed by outside cryptographers, and is the foundation for end-to-end encryption in WhatsApp and Google Messages. Unlike those services, Signal collects almost no metadata: it does not store your contacts, your message history, or your group memberships on its servers. Registration still requires a phone number, but you can set a username and hide the number so contacts never need to see it.
Strip Photo Metadata Before Sharing
Every photo you take with a smartphone embeds metadata called EXIF data. This typically includes the date and time, the device model, camera settings, and, if you have granted the camera app location access, the GPS coordinates where the photo was taken. When you share the file directly, by email, in a chat app, through a cloud link, or on a forum that keeps originals, anyone who downloads it can extract this information. A photo of your home reveals your address. A photo of your workplace reveals where you work. Some large platforms strip EXIF on upload, but do not rely on that: check, or strip it yourself before sharing.
Before sharing photos publicly, strip the EXIF data. Most operating systems have built-in tools for this (on macOS, Preview's Inspector has a Remove Location Info button under its GPS tab; on iOS, the share sheet's Options let you turn Location off for that share). For a more thorough approach, a dedicated tool removes every metadata field at once. ExifTool does this with exiftool -all= photo.jpg; it rewrites the file in place and keeps a photo.jpg_original backup, which you should delete or move before sharing. Verify with exiftool photo.jpg afterwards: the output should list only file and image-dimension fields, with no GPS, Make, or Model lines.
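The following Python is an added example, not the article's code and not any tool's, showing what a metadata stripper does at the byte level for a JPEG: it walks the marker segments that precede the image data and drops the ones that carry metadata (APP1 for Exif and XMP, APP13 for IPTC, and COM comments), copying everything else through untouched. The input is a constructed stand-in for a camera file with a fake Exif segment, so it runs offline with no image library. PNG and HEIC store metadata differently and are not handled.

```python
"""Strip metadata segments from a JPEG by walking its marker structure.
Constructed example; the sample image is a stand-in, not a real photo."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments that carry metadata: APP1 (Exif, XMP), APP13 (IPTC/Photoshop), COM (comment).
# APP0 (JFIF) and APP14 (Adobe) are kept because decoders rely on them.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
STANDALONE = set(range(0xD0, 0xD8)) | {0x01}    # RSTn and TEM carry no length field


def segments(data):
    """Yield (marker, start, end) for each segment up to and including Start Of Scan;
    everything from SOS onward is entropy-coded image data and is treated as one block."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xFF:                  # fill byte before a marker
            i += 1
            continue
        if marker in (SOS, EOI):
            yield marker, i, len(data)
            return
        if marker in STANDALONE:
            yield marker, i, i + 2
            i += 2
            continue
        (length,) = struct.unpack(">H", data[i + 2:i + 4])   # length includes itself
        yield marker, i, i + 2 + length
        i += 2 + length


def strip_jpeg_metadata(data):
    """Return a copy with metadata segments removed and image data untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)


def metadata_markers(data):
    """List the metadata-bearing markers still present, for a before/after check."""
    return sorted(m for m, _, _ in segments(data) if m in METADATA_MARKERS)


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed stand-in for a camera JPEG: a JFIF header, a fake Exif APP1 with a GPS
# placeholder, a comment, a quantisation table, then a tiny scan and the EOI marker.
FAKE_EXIF_PAYLOAD = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"GPS placeholder"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, FAKE_EXIF_PAYLOAD)
    + _segment(0xFE, b"taken at home")
    + _segment(0xDB, b"\x00" + bytes(64))
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34"                   # scan data, including a stuffed 0xFF00
    + b"\xff\xd9"
)


if __name__ == "__main__":
    print("before:", [hex(m) for m in metadata_markers(SAMPLE_JPEG)])
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m in metadata_markers(cleaned)], len(cleaned), "bytes")
```

Because the embedded thumbnail lives inside the Exif APP1 segment, dropping that segment removes it too; a thumbnail generated before you cropped a photo is a classic way the cropped-out part leaks.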
Metadata in Media Den
Media Den encrypts your photos and videos on your device before uploading them to the cloud. Your metadata never reaches your cloud provider.
References
- [1] Center for Democracy & Technology, "The Privacy Risks of ISPs Using Deep Packet Inspection." cdt.org
- [2] Mullvad VPN, "No-logging of user activity policy." mullvad.net
- [3] Mozilla Foundation, "About Mozilla." mozilla.org
- [4] Mozilla, "Enhanced Tracking Protection in Firefox." support.mozilla.org
- [5] Mozilla, "Manifest V3 & Manifest V2 (March 2024 update)." blog.mozilla.org
- [6] Google, "Privacy Policy." policies.google.com
- [7] OWASP, "Credential Stuffing." owasp.org
- [8] Bitwarden, "Security and compliance: third-party audits." bitwarden.com
- [9] Federal Trade Commission, "SIM Swap Scams: How to Protect Yourself," 2019. consumer.ftc.gov
- [10] Signal Foundation, "Signal Protocol." signal.org