Advanced Privacy & Security Configurations

Start here first

This guide assumes you already have a password manager and MFA set up across your main accounts. If you haven’t done that yet, start with the foundational guide →.

🚨

Incident Response

For active account compromises, refer to the Incident Response Guide →.

1. Network-level data control Setup: ~15 mins

Most tracking happens before you ever click anything - it runs at the network level the moment a page loads. Two layers stop most of it: your browser (blocks scripts in the tab) and your DNS (blocks connections before they even start).

uBlock Origin

Browser Layer

An open-source extension that blocks tracking scripts and advertising code from executing within the browser window.

NextDNS

Network Layer

A DNS-level firewall that prevents connections to known tracking and malware domains before data leaves the device.

Implementing a DNS Firewall

NextDNS

>NextDNS is a DNS-level firewall you control. Route your traffic through it and you block ads and telemetry across every device on your network - including smart TVs, phones, and anything else that doesn’t support browser extensions.

Review NextDNS Configuration ↗

Distinction between DNS Filtering and VPNs

DNS Filtering: Focuses on preventing connections to specific domains used for tracking or malware. It does not typically encrypt all traffic or hide the user’s IP address from destination sites.

VPN: Encrypts all data between the device and the VPN provider, hiding the user’s IP address and browsing activity from the local network operator.

Network Configuration Audit

Router Protocols

Disable UPnP (Universal Plug and Play): Restricts IoT devices from automatically opening firewall ports to the public internet.
Band Separation: Use separate SSIDs for 2.4GHz and 5GHz bands to improve connection stability for legacy hardware.
IoT Network Isolation: Put smart devices on a guest network so a compromised thermostat can't reach your laptop.
Credential Audit: Ensure administrative access to the router is protected by a unique, complex passphrase.

2. Mobile device security configurations Setup: ~20 mins

Your phone knows where you’ve been, what you’ve searched, and who you talk to. The defaults share more of that than you’d want. These settings take about 20 minutes and don’t break anything.

Advanced Account Protection Protocols

Apple iCloud:

Enable Advanced Data Protection. This turns on end-to-end encryption for most iCloud data - only your trusted devices hold the decryption keys, not Apple.

Google Accounts:

Enroll in the Advanced Protection Program. This enforces the use of hardware security keys and limits the scope of third-party application access to account data.

iOS Configuration Audit

Mobile Hardening

Filter Unknown Senders: Enable this in Messages settings. Texts from unknown numbers go to a separate folder and can't load link previews - reduces phishing exposure significantly.
Lock Screen access: Disable Control Center and USB accessories when the phone is locked. Prevents someone from toggling Airplane Mode or pulling data over USB without unlocking first.
Stolen Device Protection: Set to "Always" - not just "Away from Familiar Locations." This enforces Face ID delays for account changes even at home.
Significant Locations: Off. Settings → Privacy & Security → Location Services → System Services. Your phone has been building a history of everywhere you go.
App Tracking: Settings → Privacy & Security → Tracking → disable "Allow Apps to Request to Track." Done.

Stripping location data from photos

Every photo your phone takes embeds GPS coordinates by default. When you text or post it, that data goes with it. Easy to remove before sending.

On iOS: Tap share → Options at the top → toggle Location off before you send it.

Takes two extra taps. Worth making it a habit for anything you’re sharing publicly or with people you don’t fully trust.

3. Hardware and application audits Setup: ~20 mins

Most people have apps with permissions they’ve forgotten about, cloud sync enabled on things they don’t use, and no encryption on their drive. This pass catches all of it.

Physical and Digital Verification

Physical Sensor Blocks: Use a webcam cover on laptops and monitors - a $3 slider beats any software privacy setting.
Audio Permission Review: Audit and restrict application access to integrated microphones.
Enforced Encryption: Ensure FileVault (macOS) or BitLocker (Windows) is active to prevent data recovery from stolen hardware.
OAuth Audit: Review and revoke permissions for applications utilizing "Sign in with Google" or similar centralized identity providers.
HTTPS Enforcement: Configure browsers to default to secure connections for all web requests.

4. Identity compartmentalization Setup: ~25 mins

If every service knows your real name and email, a breach at any one of them connects back to all the others. The fix is to use different identifiers for different tiers of trust - and keep your real identity off anything you don’t need it on.

Email aliasing

Your real email should be known only to institutions you actually trust. Everything else gets an alias you can kill the moment it starts getting abused.

Primary Identifiers

Core Services

Restricted to financial institutions, government agencies, and family contacts.

Aliased Identifiers

Secondary Services

Use these for retail, entertainment, and app signups you don’t fully trust.

🍎

Native Solutions

Hide My Email

>iCloud+ provides a utility to generate unique email addresses for every service, forwarding messages to a primary inbox without disclosing its address.

➕

Protocol-based

Sub-addressing

>Using ‘plus addressing’ (e.g., name+service@provider.com) allows users to identify the source of incoming mail and implement automated filtering.

Encrypted Communications

Signal Protocol

Signal provides audited end-to-end encryption for messaging and voice calls, significantly reducing metadata exposure compared to traditional SMS.

Review Signal Protocol ↗

Carrier Port Protections

Establishing a port freeze or a secondary PIN with a mobile carrier prevents unauthorized number transfers.

Verizon Port Protection

Authentication Hardware

Hardware-based authentication provides high resistance to phishing by requiring physical presence to authorize account access.

YubiKey 5C NFC

>A physical key that cryptographically verifies the destination domain before authorizing a login. It is a standard for protecting high-value accounts such as primary email and financial portals.

Review Hardware Options ↗

Technical Review →

Machine Learning Opt-Outs

Google: Review and disable "Gemini Apps Activity" in account history settings.
LinkedIn: Disable "Data for Generative AI Improvement" in privacy settings.
Meta: Access the Privacy Center to object to the use of personal data for model training.
Robots.txt: For domain operators, include directives to disallow GPTBot and other automated crawlers.

Automated Data Removal

Ongoing monitoring and deletion requests are necessary to address the frequent aggregation of personal records by data brokers.

Shows you exactly where your data appears, then handles removal automatically - with an option for manual oversight on stubborn brokers.

Review Optery Audit ↗

A managed service that focus on consistent deletion requests and reporting across a wide range of aggregate sites.

Review DeleteMe Services ↗

🏛️

California Residents: DROP Utility

>The California Privacy Protection Agency provides the Delete Request and Opt-Out Platform (DROP). This utility allows residents to submit deletion requests to all registered brokers through a single government interface.

Access DROP Utility ↗

5. Financial insulation Setup: ~30 mins

Isolating primary credit accounts from individual merchant breaches reduces the risk of fraudulent activity.

Virtual Payment Infrastructure

Privacy.com

>Privacy.com lets you create a unique virtual card per merchant. If a vendor gets breached, that card number is useless everywhere else - your actual bank account stays isolated.

Review Virtual Card Features ↗

Maintenance Schedule

Digital privacy requires regular audits to maintain the integrity of the established configuration.

Audit Schedule

Quarterly audit of application accounts and credential volume.
Review of automated data removal status and broker exposure.
Verification of device software and firmware versioning.

Table of Contents

Advanced Privacy & Security Configurations

Start here first

1. Network-level data control Setup: ~15 mins

uBlock Origin

NextDNS

Implementing a DNS Firewall

NextDNS

Distinction between DNS Filtering and VPNs

Network Configuration Audit

Router Protocols

2. Mobile device security configurations Setup: ~20 mins

Advanced Account Protection Protocols

iOS Configuration Audit

Mobile Hardening

Stripping location data from photos

3. Hardware and application audits Setup: ~20 mins

Physical and Digital Verification

4. Identity compartmentalization Setup: ~25 mins

Email aliasing

Primary Identifiers

Aliased Identifiers

Native Solutions

Protocol-based

Encrypted Communications

Signal Protocol

Carrier Port Protections

Authentication Hardware

YubiKey 5C NFC

Machine Learning Opt-Outs

Automated Data Removal

California Residents: DROP Utility

5. Financial insulation Setup: ~30 mins

Virtual Payment Infrastructure

Privacy.com

Maintenance Schedule

Audit Schedule

Frequently asked questions

Written by Jason