Each shared identifier is a data point that brokers use to link your accounts into a unified profile. Using unique credentials per service means a breach at one company cannot be cross-referenced to expose your activity elsewhere.

Reused passwords are one of the most common causes of account takeover. A password manager generates and stores unique, random passwords so you never have to reuse or remember them.

SMS-based 2FA is vulnerable to SIM-swapping attacks, where an attacker convinces your carrier to transfer your number to their device. An offline authenticator app (like Aegis) generates codes locally and cannot be intercepted over the network.

Once a data profile is built on you, you cannot undo it. The time to implement privacy measures is before your data is collected — not after a breach. Privacy is something you protect in advance, not something you recover after the fact.

Periodically go through the apps on your phone and review what each one can access — location, microphone, camera, contacts, photos. Revoke anything that doesn't have a clear, ongoing need. Many apps accumulate permissions over time that they no longer use for their stated function.

Chrome and Google Search are the two most significant everyday data collection points for most people. Switching to Brave (browser) and Brave Search or Startpage is one of the highest-impact, lowest-effort changes you can make.

A VPN masks your IP address from every website you visit, preventing sites and data brokers from easily building a location and identity profile. VPN selection matters enormously — much of the industry is made up of scam apps. Only use audited, reputable providers like Mullvad or ProtonVPN.

DNS-level blocking (via pfSense or a Pi-hole setup) stops tracker and ad requests before they leave your network entirely — more effective than browser-based blocking alone, and it protects every device on your network including smart TVs and IoT devices.

Your ISP can see every domain name you look up even if the page content is encrypted. Switching to an encrypted DNS resolver like Quad9, and enabling DNS-over-HTTPS or DNS-over-TLS, prevents this passive surveillance of your browsing habits.

Invidious or NewPipe are privacy-respecting ways to watch YouTube content without Google tracking your viewing habits, building an ad profile, or requiring a login.

Extensions can read everything on every page you visit. Many legitimate-looking extensions are data collectors or outright malicious — and checking permissions alone is not enough to assess safety. Use as few extensions as possible.

Modern connected cars collect and transmit location data, driving behavior, voice recordings, and in some cases video footage. Some manufacturers explicitly include data collection on sexual activity in their terms of service. This data is shared with third parties and often sold.

When you plug in or pair via Bluetooth, your car ingests your contacts, messages, call history, and photos — and shares that data with third parties via manufacturer apps. Treat your car's infotainment system as untrusted.

Prevents your car from automatically connecting to networks or devices without your knowledge.

Emergency response and remote start services require your car to be trackable at all times. These services share location data continuously and are not end-to-end encrypted, meaning anything accessible remotely — cameras, microphones, maps — can also be accessed by the companies providing the service.

This site shows what data your specific make and model collects, and helps you opt out of some collection where that option exists.

Research by Privacy4Cars found that fewer than one in twenty dealerships proactively inform customers about data collection. Seek out dealerships that disclose this and respect your right to privacy.

GrapheneOS is a hardened Android operating system that removes Google's tracking infrastructure, sandboxes apps more aggressively, and gives you granular control over what each app can access. Install it yourself to guarantee the integrity of the installation.

Rebooting clears memory-resident trackers, resets certain attack vectors (particularly those that require persistent access), and resolves accumulated software issues. A simple, often overlooked privacy and security habit.

Only enable connectivity when you need it — particularly in unfamiliar locations or when you don't want your movement logged.

Use a physical webcam cover. Software-based camera indicators can be bypassed; a physical cover cannot.

Public USB ports at airports, hotels, and cafes can transfer data as well as power — a data blocker passes only the power pins.

A USB-C to ethernet adapter eliminates WiFi-based location tracking and reduces your wireless attack surface entirely.

Your keyboard has access to everything you type — passwords, messages, credit card numbers, search queries. Many popular third-party keyboards quietly transmit keystrokes. On GrapheneOS, open-source options like OpenBoard or FlorisBoard have no network permissions.

Your personal email address is a powerful linking identifier — every company you give it to can potentially share or sell it, and data brokers use it to stitch your activities together into a detailed profile. Don't reuse the same address twice.

Generate a unique forwarding address on the fly for each signup or purchase. If one address starts receiving spam, you know exactly who sold it, and you can disable it without touching your real inbox.

If you own a domain, configure it so that any address @yourdomain.com lands in one inbox. You can hand out unique addresses (e.g. amazon@yourdomain.com) without pre-creating them, and migrate email providers without losing your addresses.

A custom domain decouples your identity from any single provider. If you ever need to switch email services, your address stays the same. It's the email equivalent of owning rather than renting.

Each credit or debit card transaction is shared with your bank, the card network, the merchant, the point-of-sale system, the retailer's bank, and any financial apps you use — and all of those entities share it further. The result is a detailed, timestamped record of everywhere you go and everything you buy.

Cash is the most private payment method available — it leaves no digital record and requires no identification.

Privacy.com cards can be set to work only with a specific merchant, capped at a specific spending limit, or generated as single-use. This prevents merchants from charging you again, and prevents your real card details from being exposed in a data breach.

Traditional payment methods make it risky to support certain causes — your bank and the card network can see exactly who you donated to. Privacy-preserving cryptocurrencies can make these transactions more private.

Most people think of GPS as the main tracking method, but your phone also reveals location through cell tower triangulation (even without GPS), WiFi scanning (your device broadcasts its MAC address and logs nearby networks), and Bluetooth beacons. These methods work even when you think location is "off."

Airplane Mode is the most effective way to stop cellular and WiFi tracking simultaneously. Note that on some devices, GPS can still function in Airplane Mode.

When WiFi is on, your phone scans for networks and logs their locations even if you don't connect. Bluetooth beacons in shops and airports can silently track your movement.

Go through your app permissions and revoke location access from any app that doesn't have a clear, immediate need for it. Most apps that request location do so for data collection rather than functionality.

A Faraday bag blocks all wireless signals — GPS, cellular, Bluetooth, NFC, and WiFi. Useful for travel, sensitive meetings, or any situation where you want to be certain your device cannot be tracked or remotely accessed.

Appending _nomap or _optout to your home WiFi network's SSID signals to Google and Microsoft's location databases that your network should not be used to locate devices. A small step that reduces how your home network contributes to location tracking of others.

Most online checkout forms ask for far more personal information than the transaction actually requires. Provide the minimum necessary to complete the purchase, and use privacy tools to avoid linking the purchase back to your real identity.

A PMB is rented from a Commercial Mail Receiving Agency (CMRA) like The UPS Store. Unlike a PO Box, it provides a real street address that all carriers can deliver to. You can set it up under an alternate recipient name, so your home address and real name are never attached to your purchases.

Services like Privacy.com generate single-use or merchant-locked card numbers linked to your real bank account. The virtual card carries no real name or address. At checkout, if a billing name and address are required, you can enter anything — the card will still process.

Create a SimpleLogin alias specifically for the merchant, then disable or delete it once the order is complete. This prevents the merchant from emailing you, selling your address, or linking the purchase to other accounts.

When a phone number is required, use a virtual number from Cloaked or MySudo rather than your real cell. You can close the number after the purchase is complete.

Shops, pharmacies, and websites routinely ask for your name, phone number, email, and address when none of it is required for the transaction. You are generally not obligated to provide this.

For any delivery, subscription, or registration where you don't want your home address on record, use a PMB at a CMRA like The UPS Store. You can list an alternate recipient name, and all major carriers can deliver there — unlike a PO Box.

Shoulder surfing is a real and underestimated threat. Thieves watch people enter their phone PINs — via CCTV or in person — and then steal the device to drain banking apps. A privacy screen prevents anyone beside or behind you from seeing your display.

These cameras are mounted on street corners, utility poles, police cars, and even garbage trucks. They scan and log every license plate they see, feeding into cloud databases that record your vehicle's location over time. The data is retained for months or years and is accessible to law enforcement and private parties.

The more people use privacy-preserving practices and tools, the less suspicious they appear — and the stronger the overall privacy ecosystem becomes for everyone, including the most vulnerable members of society. Every choice you make either funds companies that protect people or companies that normalize surveillance.

Your cell number is more valuable to advertisers, data brokers, and criminals than your credit card number — because you keep it for decades and hand it to everyone. It becomes a permanent unique identifier that links your medical records, shopping history, social media, and government accounts into one profile.

Services like MySudo (US) or Cloaked let you generate multiple virtual phone numbers. Assign a different number to different areas of your life — one for shopping, one for healthcare, one for work, one for social signups. If any one number is compromised, you close it without disrupting anything else.

Consider using a mobile hotspot as a separate SIM-carrying device, keeping your main phone internet-only. This separates your cellular identity (tied to your real name via your carrier) from your app activity and online behavior.

For situations where you don't want your personal number attached. Pay with cash where possible.

The goal is to ensure that a breach, leak, or data sale in one area of your life doesn't expose everything else. Using different numbers, emails, and usernames per context is the core of this approach — building separate proxy identities for different areas of your life.