Online Privacy Guide

Third-party cookies

When you visit a website that loads content from a third-party (an ad network, a social media button), that third party can set a cookie in your browser. The next time you visit any other site that loads content from the same third party, they recognize your cookie and log your visit — building a profile of your browsing across thousands of sites. This is the foundation of behavioral advertising.

Browser fingerprinting

Every browser has a unique combination of properties: screen resolution, installed fonts, time zone, language settings, hardware concurrency, GPU model, and more. A JavaScript fingerprinting script can collect dozens of these signals and compute a hash that uniquely identifies your browser — without setting any cookies, surviving clears and private mode.

Tracking pixels

Invisible 1×1 pixel images embedded in websites and emails. When your browser loads the pixel, a request goes to the tracker's server, logging your IP address, browser, time of access, and (for emails) whether you opened the message. Used widely for email open rate tracking and cross-site visit logging.

Link tracking and UTM parameters

URLs shared in emails, social posts, and ads often contain tracking parameters (utm_source, fbclid, gclid, etc.) that identify the specific campaign and link you clicked. When you share that URL, the tracking data travels with it. Privacy-respecting tools can strip these parameters before the request reaches the destination site.

Supercookies and HSTS sniffing

Advanced trackers use storage mechanisms that survive regular cookie clearing: localStorage, IndexedDB, service workers, cached resources, and even HTTP Strict Transport Security records. "Evercookies" synchronize across multiple storage mechanisms so deleting one doesn't remove the tracker.

Cross-device tracking

Advertisers link your phone, laptop, and tablet together using deterministic signals (same Google account, same WiFi network) and probabilistic signals (similar browsing patterns, time zones, location data). This allows them to show coordinated ads across all your devices and measure which device led to a purchase.

What they collect

• Name, age, address history
• Phone numbers and email addresses
• Estimated income and credit range
• Purchasing habits and interests
• Political and religious affiliations
• Health conditions (inferred)

Who buys it

• Advertisers and marketers
• Employers running background checks
• Insurance companies for risk pricing
• Lenders assessing creditworthiness
• Landlords screening tenants
• Law enforcement agencies

What you can do

• Opt out directly from major brokers
• Use data removal services (automated opt-outs)
• Use alias email addresses for signups
• Limit public social media profiles
• Freeze your credit bureau reports

DNS over HTTPS (DoH)

Encrypts DNS lookups inside HTTPS traffic, making them indistinguishable from regular web requests. Your ISP cannot see which domains you're resolving. Supported natively in Firefox, Chrome, and Windows 11. Use providers like Cloudflare (1.1.1.1), NextDNS, or Quad9 — they offer additional filtering features and don't sell your data.

DNS over TLS (DoT)

Encrypts DNS over TLS on port 853. Provides similar protection to DoH but is more easily identified and potentially blocked by network operators. Preferred for system-wide configuration on Android and supported by many enterprise firewalls. Works at the OS level rather than per-browser like DoH.

Password manager basics

A password manager generates, stores, and auto-fills unique, long, random passwords for every site. You only need to remember one strong master password. Reputable options include Bitwarden (open source, free tier), 1Password, and Proton Pass. They encrypt your vault before it leaves your device.

• Use 16+ character random passwords for every site
• Never reuse passwords across different services
• Enable breach monitoring to know when your credentials appear in leaks

Two-factor authentication (2FA)

2FA adds a second verification step beyond your password. Even if your password is stolen, an attacker cannot log in without the second factor. Not all 2FA methods are equal.

iOS privacy settings

• App Tracking Transparency — Always select "Ask App Not to Track." iOS 14.5+ requires apps to request permission before using the IDFA (advertising identifier). Most users who see this prompt deny tracking.
• Location permissions — Audit under Settings → Privacy → Location Services. Set most apps to "Never" or "While Using." Very few apps need "Always."
• Mail Privacy Protection — Enable in Mail → Privacy Protection to prevent email tracking pixels from loading and mask your IP from senders.
• iCloud Private Relay — Available with iCloud+ subscription, routes Safari traffic through Apple's relay network to hide your IP from websites and your ISP from your browsing.

Android privacy settings

• Advertising ID — Go to Settings → Privacy → Ads and opt out of ads personalization or delete your Advertising ID entirely. Android 12+ lets you delete it permanently.
• Permission audit — Settings → Privacy → Permission Manager. Revoke location, microphone, and camera access from apps that don't need them.
• Private DNS — Settings → Network → Private DNS. Set to a DNS over TLS provider (dns.cloudflare.com, dns.google, or your preferred provider).
• Google activity controls — myaccount.google.com/data-and-privacy to review and limit what Google collects from your account.

Use an alias service

Services like SimpleLogin, AnonAddy, or Apple's Hide My Email generate unique alias addresses that forward to your real inbox. When a service sells your email or gets breached, you can disable that alias without exposing your real address. Use a different alias for every signup.

Encrypted email providers

Proton Mail and Tutanota offer end-to-end encryption for messages sent between users on the same platform, and store messages in encrypted format that the provider cannot read. Both offer free tiers. Neither scans your email for advertising purposes.