Scope: This repository documents best practices for achieving the highest practical level of digital privacy and anonymity using consumer hardware and open-source software.
Non-goals: This guide does not guarantee protection against targeted nation-state adversaries, physical compromise, or illegal activity. It focuses on defense against ISPs, advertisers, data brokers, mass surveillance, and opportunistic attacks.
Privacy begins with understanding your adversary.
- Internet Service Providers (ISPs)
- Websites and tracking networks
- Advertising platforms
- Data brokers
- Local network attackers
- Mass, non-targeted surveillance
- Targeted nation-state operations
- Physical device seizure
- Supply-chain compromise
- Zero-day exploitation
Privacy is layered. No single tool is sufficient.
Recommended characteristics:
- Old laptop (preferably pre-2018)
- Mechanical HDD (no SSD)
- No biometric hardware
- No discrete GPU
- Minimal peripherals
Why avoid SSDs:
- Wear-leveling prevents reliable erasure
- Data remnants persist after formatting
- Destruction is difficult to verify
Rules:
- Never log into real-identity accounts
- Never reuse for personal computing
- Never connect to cloud services
- Update BIOS if possible
- Disable:
  - Secure Boot (unless required)
  - Intel AMT / ME (if supported)
  - Bluetooth
  - Webcam (or physically remove)
  - Thunderbolt
- Set a strong BIOS password
Use case: High-risk or short-lived sessions
Properties:
- Runs from USB
- Tor-enforced networking
- RAM wiped on shutdown
- No logs by default
Limitations:
- Not suitable for daily use
- Limited software persistence
- Slower performance
Recommended distributions:
- Debian (minimal)
- Fedora (SELinux enabled)
- Arch Linux (advanced users)
Avoid:
- Ubuntu (telemetry history)
- Any distro requiring online accounts
Disk setup:
- Full disk encryption (LUKS)
- Strong passphrase (20+ characters)
```bash
ip link show
```
Install macchanger:
```bash
sudo apt install macchanger
```
Generate a random MAC address:
```bash
sudo macchanger -r wlan0
```
Set a random vendor MAC:
```bash
sudo macchanger -A wlan0
```
Best practices:
- Change MAC before connecting
- Never reuse MACs across locations
- Disable Wi-Fi before spoofing
Preferred:
- Public Wi-Fi
- Libraries
- Cafes (paid preferred)
Avoid:
- Home networks
- Work or school networks
- Personal hotspots
Why Mullvad:
- No email required
- Anonymous account number
- Cash and Monero accepted
- Independently audited
- No-logs policy
Configuration:
- WireGuard protocol
- Kill switch enabled
- Block LAN access
- Disable IPv6
| Configuration | Use Case |
|---|---|
| VPN → Tor | Hide Tor usage from ISP |
| Tor → VPN | Rare, advanced scenarios |
Note: Tails enforces Tor-only routing.
```bash
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
```
Persist via /etc/sysctl.conf.
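An added check, not part of the original guide, that verifies the IPv6 setting is active on every interface at runtime and persisted in /etc/sysctl.conf so it survives a reboot. The `root` argument is a hypothetical parameter for pointing the check at a constructed test tree, and only /etc/sysctl.conf is inspected (an assumption that follows the guide's wording).

```bash
#!/usr/bin/env bash
# Added example: audit the IPv6 hardening step. Function names and the
# optional "root" prefix argument are hypothetical, chosen for illustration.

# Print every interface (including "all"/"default") whose runtime
# disable_ipv6 flag is not 1. Prints nothing when IPv6 is off everywhere.
ipv6_enabled_ifaces() {
    local root="${1:-}" f
    for f in "$root"/proc/sys/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "1" ] || basename "$(dirname "$f")"
    done
}

# Succeed only if the last uncommented assignment of the key in
# sysctl.conf sets it to 1 (later lines override earlier ones).
ipv6_disable_persisted() {
    local conf="${1:-}/etc/sysctl.conf" last
    last="$(grep -E '^[[:space:]]*net\.ipv6\.conf\.all\.disable_ipv6[[:space:]]*=' \
        "$conf" 2>/dev/null | tail -n 1)"
    [ "$(printf '%s' "${last#*=}" | tr -d '[:space:]')" = "1" ]
}

# Return 0 when both checks pass, 1 otherwise, printing each finding.
ipv6_audit() {
    local root="${1:-}" bad rc=0
    bad="$(ipv6_enabled_ifaces "$root")"
    if [ -n "$bad" ]; then
        printf 'IPv6 still enabled at runtime on: %s\n' "$(echo $bad)"
        rc=1
    fi
    if ! ipv6_disable_persisted "$root"; then
        echo "Setting is not persisted in /etc/sysctl.conf (lost on reboot)"
        rc=1
    fi
    return $rc
}
```

Source the file and call `ipv6_audit` with no argument to check the live system.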
Use only:
- Mullvad DNS
- NextDNS (anonymous profile)
- DNS over HTTPS (DoH)
Never use ISP DNS resolvers.
Rules:
- Do not install extensions
- Do not resize the window
- Do not log into personal accounts
- Use default security levels
Required settings:
- Disable telemetry
- Enable HTTPS-only mode
- Enable privacy.resistFingerprinting
- Use container tabs
Recommended extensions:
- uBlock Origin
- NoScript (advanced users)
- ClearURLs
- Temporary Containers
- One identity per purpose
- One email per service
- One password per account
- Use password managers (KeePassXC)
Never:
- Reuse usernames
- Link phone numbers
- Cross-login identities
```bash
exiftool -all= file.jpg
```
```bash
shred -u -z file.txt
```
Preferred methods:
- Cash
- Monero
Avoid:
- Credit cards
- PayPal
- KYC-required services
- Cover webcam
- Disable microphone when possible
- Power off when not in use
- Never leave device unattended
- Logging into real-identity accounts
- Browser fingerprint inconsistency
- Reusing usernames
- Over-customizing Tor Browser
- Trusting a single privacy tool
Privacy is a process, not a product.
Assume:
- You will make mistakes
- Tools can fail
- Correlation is the primary risk
Minimize attack surface, compartmentalize aggressively, and reassess regularly.
This guide is provided for educational purposes only.
The authors assume no liability for misuse.