AI-assisted content. This post was researched and written with AI assistance and reviewed for accuracy. All technical claims are based on documented sources. We believe in transparency about how our content is produced.
- What are you actually protecting against?
- Beginner — the basics everyone should do
- VPNs explained honestly
- DNS — the internet's phone book and why it matters
- Intermediate — going further
- Browser fingerprinting — the tracking you can't block with a VPN
- Metadata — content versus context
- The _NSAKEY — when backdoors are built in
- Tor — what it does and what it doesn't
- Expert level — going dark
- Your router is the front door
1. What are you actually protecting against?
Before anything else you need a threat model. That sounds technical but it just means: who are you trying to hide from, and what are you trying to hide? The answer changes everything about what you need to do.
There are roughly four levels of adversary, each requiring a different response:
| Adversary | What they can see | What stops them |
|---|---|---|
| Advertisers and data brokers | Your browsing habits, location, purchases, social connections | Browser settings, ad blockers, VPN, private DNS |
| Your ISP | Every website you visit, when, for how long | VPN, encrypted DNS, HTTPS |
| Hackers on the same network | Unencrypted traffic, login credentials on HTTP sites | HTTPS, VPN on public WiFi, not reusing passwords |
| Government and intelligence agencies | Potentially everything — metadata, traffic patterns, device identifiers | Tor, air-gapped devices, operational security — very difficult |
Most people need protection from the first two. Very few people need protection from the last one — and if you do, a consumer VPN is not going to help you. Be honest with yourself about what you actually need.
2. Beginner — the basics everyone should do
Level: Beginner
These five things cost nothing, take under an hour, and protect you from the vast majority of everyday threats. If you do nothing else in this guide, do these.
Use HTTPS everywhere
The padlock in your browser address bar means the connection between you and that website is encrypted. Nobody between you and the site — your ISP, your router, anyone on the same WiFi — can read what you're sending and receiving. HTTP without the S means everything is in plain text. Anyone on the network can read it.
Modern browsers now default to HTTPS and warn you when a site isn't using it. If you see "Not Secure" in the address bar on a site where you're entering any personal information — leave immediately.
Use a password manager
The single biggest cause of account compromise is password reuse. People use the same password on multiple sites. One site gets breached, that password gets sold, criminals try it on your email, your bank, your Amazon account. A password manager generates a unique random password for every site and remembers them all. You only need to remember one master password.
Bitwarden is free, open source, and excellent. 1Password is paid but very good. Do not use the same password on more than one site. Ever.
Enable two-factor authentication
Two-factor authentication (2FA) means that even if someone has your password, they still can't log in without a second code — usually from your phone. Enable it on your email first, then your bank, then everything else. An authenticator app like Google Authenticator or Authy is more secure than SMS codes, but SMS is still much better than nothing.
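To show why an authenticator code never needs to travel over the phone network, here is an added example (not from the original post) implementing the TOTP algorithm from RFC 6238 that apps such as Google Authenticator and Authy use; the secret is the RFC's own published test key, not a real account's.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded the way
# a QR code or manual-entry string presents it. Not a real account key.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, digits=6, step=30):
    """Derive the one-time code for a 30-second window from the shared secret.

    Phone and server each hold the secret and compute the code locally from
    the current time, so nothing is sent to the user (unlike an SMS code,
    which crosses the phone network and can be intercepted or SIM-swapped).
    """
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step                   # time-step number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1):
    """Server-side check: accept the current step plus/minus `window` steps of
    clock drift, comparing in constant time so timing does not leak digits."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * 30)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    print("current code for the test secret:", totp(TEST_SECRET_B32, time.time()))
```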
Keep software updated
The vast majority of successful attacks exploit known vulnerabilities in old software. When your phone or computer asks you to update, do it. The update almost always patches security holes that are actively being exploited. Delaying updates is one of the most common and most avoidable security mistakes.
Be careful on public WiFi
Public WiFi — in coffee shops, hotels, airports — is untrusted. Anyone on the same network can potentially intercept unencrypted traffic. HTTPS protects the content of your connections but not the fact that you made them. Use a VPN on public WiFi or avoid sensitive activities like banking entirely until you are on a trusted network.
3. VPNs explained honestly
Level: Beginner — Intermediate
A VPN — Virtual Private Network — is probably the most misunderstood security tool available to consumers. The marketing around VPNs is extraordinarily misleading. Let us be straight about what they actually do.
When you connect to the internet normally, your traffic goes from your device to your ISP, then out to the internet. Your ISP can see every website you visit. Websites can see your real IP address, which reveals your rough location and ISP.
When you use a VPN, your traffic is encrypted and sent to a VPN server first. Your ISP can see that you are connected to a VPN server but cannot see what websites you are visiting. Websites see the VPN server's IP address, not yours.
Fig 1. Without a VPN your ISP sees everything. With a VPN they see only that you are connected to a VPN server — not what you are doing.
A VPN does not make you anonymous. It moves trust from your ISP to your VPN provider — who now sees all your traffic instead. It does not protect against browser fingerprinting, malware, phishing, or weak passwords. It does not hide you from a determined government. Free VPNs are almost always monetising your data — they are the product. The marketing claim that VPNs give you "complete privacy" is false.
Trustworthy VPN providers have independently audited no-log policies — meaning they genuinely do not keep records of what you do. Mullvad, ProtonVPN and IVPN are consistently recommended by security researchers. They are paid services. If a VPN is free, you are the product.
4. DNS — the internet's phone book and why it matters
Level: Beginner
DNS stands for Domain Name System. When you type rocketrouters.co.uk into your browser, your device needs to find out what IP address that corresponds to — like looking up a phone number for a name. It sends a DNS query to a DNS server, which returns the answer.
By default, your DNS queries go to your ISP's DNS servers — unencrypted. Your ISP can see every domain name you look up even if the actual connection is encrypted with HTTPS. DNS queries are the metadata of your browsing — they reveal what sites you visited even if not what you did on them.
Encrypted DNS — DNS over HTTPS (DoH) or DNS over TLS (DoT) — encrypts those queries so your ISP cannot read them. You can enable this in your browser settings, your operating system, or ideally at your router level so all devices on your network are protected automatically.
Good encrypted DNS providers: Cloudflare (1.1.1.1), NextDNS, or your VPN provider's DNS if you use one. On your router, look for DNS over HTTPS settings in the network configuration.
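An added example (not from the post) that builds the DNS query for rocketrouters.co.uk exactly as it leaves your device on UDP port 53, then recovers the domain from the raw bytes the way any observer on the path can; with DoH (RFC 8484) the identical message travels as the body of an HTTPS request, so only the resolver can read it.

```python
import struct

DNS_HEADER = struct.Struct(">HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
A_RECORD, IN_CLASS = 1, 1


def build_query(name, txid=0x1234):
    """Encode a standard recursive query (RD flag set) for an A record."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"                                   # root label terminates the name
    return header + qname + struct.pack(">HH", A_RECORD, IN_CLASS)


def read_name(packet, offset):
    """Decode a length-prefixed label sequence starting at `offset`."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset + 1


def observe(packet):
    """What a passive observer (ISP, coffee-shop router) learns from one
    plaintext port-53 datagram: the exact domain being looked up."""
    txid = DNS_HEADER.unpack_from(packet, 0)[0]
    name, end = read_name(packet, DNS_HEADER.size)
    qtype = struct.unpack_from(">HH", packet, end)[0]
    return {"id": txid, "name": name, "qtype": qtype, "plaintext": True}


def as_doh_request(packet):
    """DoH wraps the same bytes in an HTTPS POST (application/dns-message);
    the observer now sees only a TLS connection to the resolver, not the name."""
    return {"method": "POST", "path": "/dns-query",
            "content_type": "application/dns-message", "body": packet}


if __name__ == "__main__":
    q = build_query("rocketrouters.co.uk")
    print(q.hex())          # the domain is readable in the label bytes
    print(observe(q))
```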
5. Intermediate — going further
Level: Intermediate
Use a privacy-focused browser
Chrome is made by Google, whose business model is advertising based on your data. Firefox is open source and privacy-respecting with the right settings. Brave is built on Chrome's engine but strips all tracking by default. For maximum privacy, use Firefox with uBlock Origin installed.
Search engines
Google records every search you make, ties it to your account and browsing history, and uses it to build an advertising profile. DuckDuckGo does not track searches. Startpage returns Google results without the tracking. Kagi is a paid search engine with no advertising.
Email
Gmail scans your email to build advertising profiles. ProtonMail and Tutanota are end-to-end encrypted email providers based in Switzerland and Germany respectively. With those providers, your email provider cannot read your messages, and neither can anyone who intercepts them in transit.
Messaging
SMS text messages are not encrypted. WhatsApp has end-to-end encryption for messages but its metadata — who you talk to, when, how often — is visible to Meta. Signal is end-to-end encrypted, open source, collects essentially no metadata, and is recommended by security researchers worldwide. If you care about private communication, use Signal.
6. Browser fingerprinting — the tracking you cannot block with a VPN
Level: Intermediate
This is the one most people do not know about and cannot easily fix. Even with a VPN and private browsing mode, websites can often identify you uniquely through browser fingerprinting.
Your browser reveals an enormous amount of information about your system — your screen resolution, installed fonts, browser plugins, graphics card, time zone, language settings, and dozens of other attributes. Individually none of these are unique. Combined, they create a fingerprint that is often unique to you across the entire internet.
You can test your own fingerprint at coveryourtracks.eff.org. Most people are surprised to find they are uniquely identifiable even in private browsing mode with a VPN running.
The Tor Browser is specifically designed to make all users look identical to websites, which defeats fingerprinting. Firefox with the right settings (resist fingerprinting enabled) helps. Brave has built-in fingerprint randomisation. Using a common screen resolution and avoiding unusual plugins also reduces uniqueness.
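An added example (not from the original post) that makes the "individually common, combined unique" point measurable: it draws a simulated population from constructed attribute distributions, computes how many bits of identifying information each attribute gives on its own versus all of them together, and shows what happens when every browser reports the same common values, as the Tor Browser aims to do.

```python
import math
import random
from collections import Counter

# Constructed distributions for illustration only (not measured data). Every
# value is shared by a large share of users, so no attribute is unique alone.
ATTRIBUTES = {
    "screen":   [("1920x1080", .40), ("1366x768", .25), ("1536x864", .15),
                 ("2560x1440", .10), ("1440x900", .05), ("3840x2160", .05)],
    "timezone": [("UTC+0", .35), ("UTC+1", .30), ("UTC-5", .15), ("UTC-8", .10), ("UTC+9", .10)],
    "language": [("en-US", .40), ("en-GB", .30), ("de-DE", .15), ("fr-FR", .10), ("ja-JP", .05)],
    "fonts":    [("set-A", .30), ("set-B", .25), ("set-C", .20), ("set-D", .15), ("set-E", .10)],
    "gpu":      [("intel-uhd", .45), ("nvidia-rtx", .25), ("amd-radeon", .15), ("apple-m1", .15)],
    "plugins":  [("none", .60), ("pdf-viewer", .30), ("rare-plugin", .10)],
}
# What a "make everyone look identical" browser reports for every user.
COMMON_PROFILE = {name: options[0][0] for name, options in ATTRIBUTES.items()}

def sample_population(size, seed=1):
    """Draw `size` simulated browsers from the distributions above."""
    rng = random.Random(seed)
    population = []
    for _ in range(size):
        browser = {}
        for name, options in ATTRIBUTES.items():
            values, weights = zip(*options)
            browser[name] = rng.choices(values, weights)[0]
        population.append(browser)
    return population

def entropy_bits(values):
    """Shannon entropy: bits of identifying information an observer gains."""
    counts, n = Counter(values), len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def fingerprint(browser):
    return tuple(browser[name] for name in ATTRIBUTES)

def per_attribute_bits(population):
    return {name: entropy_bits([b[name] for b in population]) for name in ATTRIBUTES}

def combined_bits(population):
    return entropy_bits([fingerprint(b) for b in population])

def unique_fraction(population):
    """Share of users whose full fingerprint matches nobody else's."""
    counts = Counter(fingerprint(b) for b in population)
    return sum(1 for b in population if counts[fingerprint(b)] == 1) / len(population)

def normalise(population, common=COMMON_PROFILE):
    """Tor Browser's strategy: every user reports the same common values."""
    return [dict(browser, **common) for browser in population]

if __name__ == "__main__":
    users = sample_population(2000)
    print({k: round(v, 2) for k, v in per_attribute_bits(users).items()})
    print("combined bits:", round(combined_bits(users), 2), "unique:", unique_fraction(users))
    print("after normalising, unique:", unique_fraction(normalise(users)))
```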
7. Metadata — content versus context
Level: Intermediate
There is a famous quote attributed to former NSA director Michael Hayden: "We kill people based on metadata." It was meant to reassure people that the NSA was not reading their messages. It had the opposite effect on anyone paying attention.
Metadata is not the content of your communications — it is everything around them. Who you called. When. For how long. From where. Who you email. How often. What time. What size attachment.
Metadata is in many ways more revealing than content. The content of a phone call tells you what was said. The metadata tells you that you called an oncologist three times last week, then called a lawyer, then called your family members one by one. Nobody needs to read your messages to know a great deal about your life.
Encryption protects content. Very little protects metadata. Your phone company has it. Your email provider has it. Your ISP has it. Signal minimises the metadata it collects. Tor obscures some of it. But eliminating metadata entirely is extremely difficult for ordinary users.
8. The _NSAKEY — when backdoors are built in
Level: Intermediate — Advanced
In 1999, a security researcher named Andrew Fernandes at Cryptonym was reverse engineering Windows NT 4.0 Service Pack 5 when he found something remarkable. Inside the Windows cryptography module was a second cryptographic key alongside Microsoft's own. It was literally named _NSAKEY in the binary code.
Microsoft's explanation was that this was a backup key required for US export compliance — American cryptography export laws at the time required that the NSA be able to decrypt communications. Nobody was fully satisfied with that explanation. The name alone was remarkable. You do not accidentally name a variable _NSAKEY.
Whether the key was a deliberate backdoor, a compliance mechanism, or something else entirely was never definitively established. Microsoft denied it was a backdoor. The timing — the height of the crypto wars when the US government was fighting hard against strong public encryption — made scepticism reasonable.
Closed-source software from any vendor — including Microsoft, Apple and Google — can contain capabilities you cannot see, cannot audit, and cannot verify. This is not a conspiracy theory. It is a structural feature of proprietary software. Open source software can also contain backdoors, but they can be found and removed. Closed source backdoors are permanent until the vendor removes them.
The Snowden revelations in 2013 confirmed what many had suspected — that US intelligence agencies had relationships with major technology companies, had inserted backdoors into encryption standards, and had access to data on a scale that most people had not imagined. PRISM, XKeyscore, Bullrun — these are documented programmes, not speculation.
The practical implication is not that you should assume everything is compromised — that leads to paralysis. It is that open source, audited software is more trustworthy than closed source alternatives, and that trust in any single vendor should be proportionate to the stakes involved.
9. Tor — what it does and what it does not
Level: Intermediate
Tor — The Onion Router — was originally developed by the US Naval Research Laboratory to protect government communications. It is now maintained by the non-profit Tor Project and used by journalists, activists, privacy advocates and ordinary people worldwide.
Tor works by routing your traffic through a series of three volunteer-operated servers — called nodes or relays — each of which knows only the previous and next hop, not the full path. Your traffic is encrypted in layers — like an onion — and each relay peels one layer. No single relay knows both who you are and where you are going.
Fig 2. Tor's three-relay design means no single node has the full picture. Your entry node knows your IP but not your destination. Your exit node knows your destination but not your IP.
Tor's real limitations: it is slow, because routing through three relays adds significant latency. Exit nodes can be operated by hostile actors who monitor unencrypted traffic leaving the network. Tor protects your network-level anonymity but does not protect against mistakes such as logging into your real accounts, enabling JavaScript, or downloading files that phone home. The Tor Browser is configured to reduce these risks by default.
Tor is genuinely the best tool available for network-level anonymity for ordinary users. It was not broken by the Snowden revelations — NSA documents showed they found it very difficult to deanonymise Tor users at scale. But it is not magic and it requires discipline to use correctly.
10. Expert level — going dark
Level: Expert
At expert level, the threat model shifts. You are no longer protecting against advertisers or even your ISP. You are considering adversaries with significant resources — intelligence agencies, state-level actors, sophisticated criminal organisations.
At this level, the software you run matters less than your operational security — the habits and procedures that prevent mistakes. The majority of people who have been successfully identified while using strong technical privacy tools were caught not because the tools failed but because they made human errors.
Device hygiene
Use dedicated devices for sensitive activities: a laptop used only for private activities, never logged into personal accounts, purchased with cash. Tails OS is a live operating system that runs from a USB drive, leaves no trace on the host machine, and routes all traffic through Tor by default. Qubes OS provides compartmentalisation by running different activities in separate isolated virtual machines, so a compromise in one cannot spread to the others.
Physical security
Full disk encryption — BitLocker on Windows, FileVault on Mac, LUKS on Linux — protects data if your device is seized or stolen. Use a strong passphrase, not a PIN. Enable it. Without full disk encryption, physical access to a device is game over regardless of software security.
Network-level measures
Run your own DNS resolver rather than using a third party. Run your own VPN server rather than trusting a commercial provider: a VPS in a jurisdiction with strong privacy laws, running WireGuard, controlled entirely by you. Block tracking domains at the network level with Pi-hole or similar on the router, so every device on your network is protected automatically.
The open source principle
At expert level, the _NSAKEY lesson becomes directly relevant. Every piece of software in your security stack should be open source and ideally independently audited. Signal, ProtonMail, WireGuard, OpenVPN, Firefox, Linux — all open source. The cryptography should be standard and well-reviewed — AES-256, ChaCha20, RSA-4096, Ed25519. Roll-your-own cryptography is almost always weaker than established standards regardless of how clever the implementation.
Compartmentalisation
Separate identities for separate activities. A persona used for private activities should never touch your real identity — different devices, different networks, different accounts, different writing styles. The human tendency to reuse usernames, phrases, and habits across identities is one of the most common deanonymisation vectors.
Against a determined nation-state adversary with full access to internet infrastructure, complete anonymity is extremely difficult to achieve and maintain indefinitely. The goal at expert level is not perfection — it is raising the cost of identification high enough that casual surveillance becomes impractical, and targeted surveillance requires significant dedicated resources. That is achievable. Perfect invisibility is not.
11. Your router is the front door
Level: Intermediate
Every device on your network goes through your router. A compromised, poorly configured or outdated router exposes everything on your network regardless of what security measures individual devices take. Your router is not just an internet connection — it is the single most important security device in your home or office.
Keep your router firmware updated. Change the default admin password immediately — default credentials are publicly documented and the first thing attackers try. Disable WPS — Wi-Fi Protected Setup is a convenience feature with known security vulnerabilities. Use WPA3 encryption for WiFi where your devices support it. Disable remote management unless you specifically need it.
A router running OpenWrt gives you far more control over network-level security than stock firmware — DNS over HTTPS at the network level, network-wide ad and tracking domain blocking via adblock packages, proper firewall configuration, VPN at the router level so all devices are protected without needing individual VPN apps. The OpenWrt guide on this blog covers the setup in detail.
Perfect security does not exist. Every security measure is a trade-off between protection and convenience. The goal is not to be unhackable — it is to be a harder target than whoever is next to you. Use strong unique passwords. Enable two-factor authentication. Keep software updated. Use HTTPS. Those four things alone put you ahead of the overwhelming majority of people, and they cost nothing but a small amount of time.