I’m not a rampant activist by any means. Over the last few months, though, I’ve become increasingly unsettled by the way some corporations and governments gather and use our data. While I have nothing to hide (cough) I believe my data is mine. I’m happy to share some of it, given a choice, but often we have no choice in the matter.

So, I’ve been steadily piecing together a personal toolkit of privacy and encryption tools. I thought I’d share what I currently use for a number of reasons:

  • There may be people out there who, like me initially, aren’t sure what they can do
  • I’m not an infosec specialist. I could be missing better tools and, if you’re reading this, I’d love to hear your suggestions in the comments
  • There’s a possibility that some of the things I’m doing are not as safe as I think they are – again, if you can improve the toolkit I’d really appreciate it

I’m not going to talk about privacy on social networks like Facebook because, well, there is none. It’s a free service and Facebook’s business model is to sell you – your data. If you’re uploading personal information there, you only have yourself to blame.


DuckDuckGo

I switched my default search engine on my computers and smartphone to DuckDuckGo. Unlike other search engines, they don’t track everything you search for. The image search function isn’t quite as good as Google’s but otherwise I have no complaints.


1Password

Don’t use the same password everywhere. Make sure you have complex passwords. That’s the advice, but if you have several hundred logins you’ll go mad without a way to manage them. There are many options but I like 1Password because of the interface, iOS integration, browser extension and sync across devices.

Adblock Plus

Online ads typically track your behaviour around the web so that you can be profiled and served more ads. Many people find they interrupt your activities, slow down browsing and use up your precious mobile data. I’m not going to get into the ethics of blocking ads here, just pointing out that Adblock Plus have a great browser extension and iPhone app.


Tor

Tor is a browser (and other tools) that allows you to browse the internet and hidden services anonymously. The technical details are on their website so I won’t go into it here. Worth noting that they currently have a Tor Messenger service in beta.

Signal 2.0

Open Whisper Systems have a mobile app that allows you to make phone calls and send text messages using end-to-end encryption. Edward Snowden likes it.


GPG Suite

GPGTools have a suite of encryption tools called GPG Suite that allows you to encrypt files and email using either PGP or S/MIME. If you want my public key so you can send me encrypted email, it’s here in ASC format.

Open Rights Group

Not really a tool but a really worthwhile organisation that tries to preserve and promote your rights in a digital age.

==UPDATE 20151116==

Some great comments from Richard Hewitt (currently working in information security for The Engine Group), published here with his approval.

I personally don’t like Tor. You can’t trust the exit nodes, the latency is horrendous and you really really can’t trust the exit nodes. Like ever.

If your objective is simply avoiding bulk surveillance, and you aren’t trying to be a cyber criminal or otherwise doing something illegal, then the following works real well:

  1. Take out a small Linux virtual server with a provider of your choice. Main thing you want to choose is which country the VPS is located in. You could use Amazon EC2 or anything. You could even club together with other like-minded enthusiasts – cost would be like a dollar a month.
  2. SSH into the box, and install Chromium or Iceweasel.
  3. Use the client from http://mobaxterm.mobatek.net/ to SSH into the box again.
  4. Run Chromium from the command line. Automagically, a Chromium browser will appear on your desktop as if you were running it locally. But really it’s running on your VPS.
  5. All your browsing traffic is originating and terminating on the VPS – wherever in the world that happens to be – and the only traffic from your home IP is SSH traffic – which is encrypted.

Targeted surveillance (e.g. if you REALLY were a bad guy) would still get you. But bulk surveillance is trivially thwarted doing this. And you aren’t trusting your data to a Tor exit node. Did I mention not to trust those?

There’s lots of ways to skin this cat. You can also set up the Squid caching proxy server on the remote VPS and use SSH tunneling to connect your local browsers to the cache over SSH. That’s more work than the above but works a lot better for sound/video etc.
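For the Squid-over-SSH variant mentioned above, here is an added example (not from Richard's comments or the original post) that checks a squid.conf so the proxy is reachable only through the SSH tunnel and never as an open proxy on the VPS's public address. It assumes Squid's default port 3128 and a hypothetical SSH host alias `vps`; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Squid on its default
# port 3128 and a hypothetical SSH host alias "vps".

# Succeeds only if every http_port directive in the given squid.conf is bound
# to loopback, so the proxy is reachable solely through the SSH tunnel.
squid_loopback_only() {
    ports=$(awk '$1 == "http_port" { print $2 }' "$1")   # skips commented lines
    [ -n "$ports" ] || return 2                # no listener configured
    for p in $ports; do
        case $p in
            127.0.0.1:*|localhost:*|\[::1\]:*) ;;   # loopback bind: fine
            *) return 1 ;;                     # bare port or routable address
        esac
    done
    return 0
}

# Succeeds only if the final http_access rule is "deny all", so a request
# that matches no earlier rule is refused.
squid_default_deny() {
    last=$(awk '$1 == "http_access" { r = $2 " " $3 } END { print r }' "$1")
    [ "$last" = "deny all" ]
}

# Prints the client-side command: -N runs no remote command, -L binds the
# local end to loopback, ExitOnForwardFailure aborts if the forward fails.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$2" "$2" "$1"
}

# Constructed sample squid.conf for the VPS.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample: listen on loopback only, allow only tunnelled clients
http_port 127.0.0.1:3128
acl tunnel src 127.0.0.1/32
http_access allow tunnel
http_access deny all
EOF

if squid_loopback_only "$sample" && squid_default_deny "$sample"; then
    echo "squid.conf OK; connect with:"
    tunnel_cmd vps 3128
else
    echo "squid.conf would expose the proxy beyond the SSH tunnel" >&2
fi
rm -f "$sample"
```

With the tunnel up, the local browser's HTTP and HTTPS proxy is set to 127.0.0.1 port 3128.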

Please, if you have any suggestions for improving this toolkit I’d really like to know. Please drop me a line in the comments if you don’t mind it being public. If you’d rather stay off the record then you can use Signal or my PGP key.

Image credit: Jim Sanborn