
Winston's master guide to protecting your online privacy (Part 1)

You know how bad rampant information sharing is for you and your family. It changes how you think and slowly bends your mind over time, making you susceptible to influence by advertisers and political interests. It exposes you to online identity theft and can ruin your finances. If you've ever been in a lawsuit, then you know the opposing side will use anything they can find about you online against you. And finally, oversharing online has been shown to generally lead to unhappiness.

So in this master guide, we're going to walk you through some important steps you can start taking right now to reduce your data footprint.

Step 1: Recover all your past email addresses

Most of us have long forgotten email addresses from school or other services (MySpace anyone?) that we've accumulated over the years. The first thing someone will do to learn more about you is to dig up those old accounts. 

Ideally, you'll still be able to recover those email accounts. You'll need them for step 2.

Step 2: Identify the services you used to use

Do this by first going through your old accounts (if you have access) and seeing who has been sending you email.

Next, perform a Google search with each address, enclosing it in quotes to ensure you only get exact matches.

Step 3: Replace old posts and personal information with non-searchable text

This gets a little tedious but it maximizes the chances of permanently erasing your old data. It's really important because there are automated bots which continually crawl the web and you'll want to ensure that they first overwrite your old data with nonsense before deleting it. This helps to ensure it won't be recoverable.

So go through all your old posts and replace them with a few characters or nonsense of your choice. An ellipsis ("...") is ideal for this as it's hard to search. 

Step 3b: Just for reddit...

Reddit makes it really hard to remove old posts. Fortunately, there's a Chrome extension that will do the dirty work for you:

Nuke Reddit History

Step 4: (Wait then...) Delete those old accounts

Wait a few weeks for the bots to overwrite their copies of your old information, then delete your accounts. If there's no function for that, email the site operator and ask them to do so.

IMPORTANT: Don't delete your email accounts. Just the accounts for other sites and services you've used in the past and no longer want.

Step 5: Change passwords on compromised accounts

Visit https://haveibeenpwned.com/ and search for each one of your email addresses. You might be shocked to see how many times your account was compromised if it's been in use for a while.

At a minimum, you should immediately change all passwords on the affected accounts with randomly generated ones (a different one for each account). You might want to change your primary email address altogether.

Next, do a similar search using Yahoo or Bing for your email addresses and password. You're looking for dumps of your accounts. If you find any, repeat this step.

Note: Do NOT Google - they do a good job of hiding these results. 

Step 6: De-Index personal data

If your searches have turned up some personal data you would rather not share and you aren't able to delete the original account, then you can request Google to de-index it.

Google Content Removal Request 

Step 7: Restrict data sharing on Facebook

Go to your privacy settings here: 

https://www.facebook.com/settings?tab=privacy

It's worth going through these. At a minimum, we suggest these settings:

  • Who can see your future posts? Friends
  • Limit the audience for posts you've shared with friends of friends or Public? Click and approve
  • Who can see the people, Pages and lists you follow? Only Me
  • Who can send you friend requests? Friends of friends
  • Who can see your friends list? Only Me
  • Who can look you up using the email address you provided? Only Me
  • Who can look you up using the phone number you provided? Only Me
  • Do you want search engines outside of Facebook to link to your profile? No

Next, click on "Ads" on the same page. The URL for this is currently:

https://www.facebook.com/ds/preferences/?entry_product=ad_settings_screen&expand_ad_settings=0

Do the following:

  • "Your Interests" - hover over each section and click "X" to delete. Be sure to check all of the tabs, especially "Lifestyle and Culture" because this contains political interests.
  • "Whose website, app or store you've interacted with" - Delete any and all, unless you wish to support or hear from the businesses on there (you've probably forgotten about most of them)
  • Carefully review the "Your Information" section and untoggle each, unless you wish to see advertising related to them.
  • Repeat for "Your Categories" - Some of these might be desirable but I would at a minimum delete any with political associations as these will be used to influence your vote.
  • Ad Settings - Set "Ads based on data from partners" and "Ads based on data from Partners" to Not Allowed. Set "Ads that include your social actions" to "No One".
  • In "Ad Topics", set "Social Issues, Elections or Politics" to "See Fewer" if it appears.

Step 8: If you don't use FB, block it entirely (advanced)

Little known fact: deleting your social media account doesn't really do much, other than depriving the platform of a tiny amount of revenue. Facebook and Google collect shadow profiles so even if you don't use their services, they still are gathering an incredible amount of data about you.

A good example of this is Facebook's "social graph", an AI that literally watches what you do, reads over your shoulder, and gradually learns how to press your buttons. Want to learn how it works? Watch "The Social Dilemma" on Netflix. 

We're less concerned about how it works here than just disabling it. This is tough because it operates on the majority of mobile apps, smart devices, televisions, tablets and computers. It's even buried in Windows.

This step is one of those that might be out of reach of many but as we get more than a few technically inclined readers here, this is the blocklist you want to enforce to completely disable Facebook on your network:

facebook.com
connect.facebook.net
fbcdn.com
fbsbx.com
fbcdn.net
instagram.com
instagramstatic-a.akamaihd.net
instagramstatic-a.akamaihd.net.edgesuite.net
cdninstagram.com
tfbnw.net
whatsapp.com
connect.facebook.net.edgekey.net
facebook-web-clients.appspot.com
fb.me
fbcdn-profile-a.akamaihd.net
h-ct-m-fbx.fbsbx.com.online-metrix.net
sac-h-ct-m-fbx.fbsbx.com.online-metrix.net
fb.com

Take the above list, drop it in your hosts file (to protect your computer) or your local DNS server (or a Pi-hole) and that will do the trick.
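One way to turn the list into both formats, added here as an example and not part of the original guide. It assumes a dnsmasq-style resolver for the DNS side (the `address=/domain/ip` form), and the function names are made up for illustration. It also shows why the two options differ: a hosts file matches exact names only, while the DNS rule covers every subdomain as well.

```python
import re

# Constructed sample input: a few entries from the list above, plus the kind of
# mess (comments, duplicates, mixed case, junk) a pasted list usually contains.
SAMPLE = """
facebook.com
connect.facebook.net
# comment line
FB.com
facebook.com
not a domain!
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def clean_domains(text):
    """Return unique, lower-cased, syntactically valid hostnames in input order."""
    seen, out = set(), []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        labels = name.split(".")
        if len(labels) < 2 or len(name) > 253:
            continue
        if all(_LABEL.match(label) for label in labels) and name not in seen:
            seen.add(name)
            out.append(name)
    return out

def hosts_lines(domains):
    """Lines for a hosts file: each name resolves to the unroutable 0.0.0.0."""
    return [f"0.0.0.0 {d}" for d in domains]

def dnsmasq_lines(domains):
    """dnsmasq-style rules (assumed resolver): match the name and all subdomains."""
    return [f"address=/{d}/0.0.0.0" for d in domains]

def hosts_covers(query, domains):
    """A hosts file only answers for names listed exactly."""
    return query.lower().rstrip(".") in set(domains)

def dnsmasq_covers(query, domains):
    """An address=/d/ rule answers for d and anything ending in .d"""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

if __name__ == "__main__":
    doms = clean_domains(SAMPLE)
    print("\n".join(hosts_lines(doms) + dnsmasq_lines(doms)))
    print(hosts_covers("www.facebook.com", doms), dnsmasq_covers("www.facebook.com", doms))
```

With a hosts file, every subdomain you care about has to be listed by name; the DNS-server route avoids that.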

Obligatory self-promotion: If you want to keep using Facebook but stop them from tracking you all over the web and on all your devices, then our product, Winston, is probably worth considering. We also block tens of thousands of other data collection methods and backdoors without breaking the web. It even makes browsing faster!

Step 9: Reduce Google data collection

Visit Google's Activity Controls and turn "Web & App Activity" off:

https://myactivity.google.com/activitycontrols

Step 10: Delete old emails

Remember that lawsuit problem we mentioned in the opening paragraph? One of the first things an attorney will do when they go after you is to subpoena your old emails and believe me, they will use them against you. You can no longer legally delete them at that point.

So while you're doing all of these other steps, go through and permanently delete all of your old emails (especially business accounts). Then dump your trash.

While you're at it...

Step 11: Consider switching email providers

There are two good choices for this:

  • ProtonMail 
  • Helm - even better, if you like devices and tinkering with things

You don't want to be using big corporate email if you have a choice. 

Step 12: Install a Password Manager

So far, we've used the same methods that a cybercriminal would use to gain access to your past, your email and probably your identity and finances.

Re-using old passwords is the single best way to roll out the red carpet to them. So get yourself a password manager and start generating unique passwords for every site you use.

LastPass is great.

Step 13: Switch to DuckDuckGo

It's not privacy proof or perfect but it's a lot better than using a search engine that is deeply tied into almost every aspect of your life.

Step 14: VPNs... maybe.

VPNs will cloak your IP address for non-web protocols, like file sharing. They also let you unblock content in other countries. 

What they don't do is provide much privacy protection. We've already talked about how the big tech companies can identify you through a VPN. That's because IP cloaking is a necessary step... but not a sufficient one.

For instance, Facebook will track pageviews across sites by IP address and user agent. A VPN will block that. However, it won't stop the cookies and identifiers lifted from form fields that you fill out from being used to track you.

So if you, say, place an order from Target or some other eCommerce site online with a Facebook pixel installed, your name, age, gender, phone number, email and address will all be hashed into a unique identifier that will sync across your devices and browsers, even on different IP addresses.

So consider IP cloaking as a mandatory first step but realize that it has very serious limits, especially when it comes to clearnet (internet) activity.
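To make the limit concrete, here is an added example (not from the original guide) that groups the same constructed page views two ways: by IP address and user agent, and by an identifier hashed from a form field. The events, site names and the choice of SHA-256 over a trimmed, lower-cased email are assumptions for illustration only.

```python
import hashlib
from collections import defaultdict

# Constructed events: one person on a home connection, then on a phone behind a VPN.
EVENTS = [
    {"site": "shop.example", "ip": "203.0.113.10", "ua": "Desktop/1.0", "email": "Pat@Example.com "},
    {"site": "news.example", "ip": "203.0.113.10", "ua": "Desktop/1.0", "email": None},
    {"site": "shop.example", "ip": "198.51.100.77", "ua": "Phone/2.0", "email": "pat@example.com"},
    {"site": "blog.example", "ip": "198.51.100.77", "ua": "Phone/2.0", "email": None},
]

def hashed_id(email):
    """Assumed normalization: trim and lower-case, then SHA-256."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def link_by_ip_ua(events):
    """Profiles keyed on (IP, user agent): a VPN or new device splits them."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ip"], e["ua"])].append(e["site"])
    return dict(groups)

def link_with_form_ids(events):
    """Merge (IP, user agent) sessions that ever submitted the same hashed email."""
    session_to_id = {}
    for e in events:
        if e["email"]:
            session_to_id[(e["ip"], e["ua"])] = hashed_id(e["email"])
    profiles = defaultdict(list)
    for e in events:
        session = (e["ip"], e["ua"])
        profiles[session_to_id.get(session, session)].append(e["site"])
    return dict(profiles)

if __name__ == "__main__":
    print(len(link_by_ip_ua(EVENTS)), "profiles by IP + user agent")
    print(len(link_with_form_ids(EVENTS)), "profile once form fields are hashed")
```

Changing the IP address splits the first grouping into two profiles, but the hashed form field joins them back into one.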

Shameless plug #2: We give you up to 30 IP addresses at a time and Winston just runs in the background without any help from you. 

Have more tips you think we should share? Shoot us a line and let us know!