Wrote this on the old sub before it got banned, posting it here following a suggestion from /u/Beatnik. It's a bit messy and doesn't cover everything; feel free to ask any questions or similar.
Beyond simply your IP and the cookies you send (mainly, for the latter, through embedded scripts and images from third-party domains such as analytics companies, Facebook and the like, most of which will fully cooperate with the NSA through PRISM), there are a few other methods that can be used to track you online, such as fingerprinting and cache analysis. As for fingerprinting, you can see a demo of it here on the website of the EFF; it'll also tell you how unique you are based on the collected information.
- Stop using intrusive social media platforms such as Facebook or Twitter. You can use reddit, but be very careful about doxxing.
- Disable the cache of your browser. It'll slow down things a bit but nothing too serious.
- Use a VPN. A trustworthy one (yes, it costs a bit more).
- Use Firefox, not proprietary browsers such as Chrome, and when opting for Firefox, take a look at this - be aware that some of those will disable features though, such as zoom levels being consistent depending on the domain name. This will take care of most fingerprinting. Always keep your browser up to date. Using the ESR edition of Firefox is much safer, too (fewer potentially exploitable flaws due to new or modified code from new features).
- Enable Javascript only selectively with noscript. Be careful with what you enable. Be aware that this will break many websites, but ideally if you need to access such a website you should try to enable domains selectively until you get a minimal usable interface on the website. Reddit, as an example, can be mostly browsed without any javascript (through old.reddit.com) with a few exceptions; you can't comment without it though. Javascript is the main source of modern 0day flaws in browsers; if such a flaw is discovered (or already has been discreetly by intelligence agencies), it can be used to not only doxx you but actually infect you with monitoring software or worse.
- On the subject of noscript, by default it whitelists a few domains it thinks are important for the majority of users, such as youtube ones and some google ones; disable those upon install, ideally.
- Be aware that chapo.chat is not currently usable without Javascript; use it on a dedicated browser profile where you do nothing else. And apply the other measures too except for noscript on this one, of course.
- Use ublock origin, privacy badger and https everywhere, obviously.
- Use several, separated firefox profiles for different activities: one for reddit, one for shopping online, etc.
- Any browser profile you use that can be connected in any way to your real identity (say, one where you made a traditional online payment) is to be considered compromised, just in case.
- Enable the password-protected password manager of Firefox if you want it to remember passwords (which is OK for common stuff); do not use said manager without setting a global password. Some security flaws can be exploited in a limited way, such as reading the internal files of your firefox profile; if such a thing happens and you defined a master password, the password database of your browser profile is encrypted and can't be read easily.
- For more important passwords, use an external password manager (meaning a different software than the browser). Pick a free software one (I use a GPG encrypted sqlite file, for example, but there are more user-friendly options).
- If you can, use Linux/BSD OSes. If you're worried about video games, it's 2020: almost all of them work fine with dxvk under Linux if you're prepared to work a bit on it. This is less related to online privacy and anonymity, but also: do use full disk encryption (through LUKS on Linux) with a complex key. This protects you in case of a police search or if you lose your laptop in the wild.
- Use a user-agent switcher on all your firefox profiles, especially if you're on Linux/BSD: it completes the fingerprinting protection. Pretend you're the most common UA, under Windows.
- For more dangerous stuff, hacktivism and the like: use tor on top of the above, ideally on top of using public access points or close wifi ones you hack. Change the way you write comments and your usual writing habits when you change identities (this is harder than it sounds). Using a cleanly installed virtual machine (or a live CD such as tails) is also heavily recommended for these purposes.
Be aware that some of these take a bit of effort, of course (such as noscript using whitelisting or switching to Linux).
Note that applying all of these, including the very last item of the list and assuming you never enable javascript, effectively makes you truly anonymous online (or as close as possible). If you enable JS, you can potentially be breached through an exploitable 0day flaw if one exists. Security flaws that are fully exploitable (in the "run shellcode" sense) and do not go through the JS engine are effectively unheard of in browsers these days.
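Several of the items above (disabling the cache, the built-in anti-fingerprinting setting, default-deny JavaScript, a spoofed user agent, and one dedicated profile per activity) can be applied from a `user.js` file that Firefox reads when a profile starts. The script below is an added example written for this thread, not something from the original post: the `user_pref` keys are real Firefox `about:config` names, but the profile directory and the user-agent string are constructed placeholders that you would replace with your own path and a genuinely common current Windows UA.

```shell
#!/bin/sh
# Added example: write a hardened user.js into a dedicated Firefox profile.
# The pref names below are real about:config keys; the UA string and the
# profile path are constructed placeholders, not values from the post.

# Placeholder: replace with the most common current Windows Firefox UA.
COMMON_WINDOWS_UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:0.0) Gecko/20100101 Firefox/0.0"

# write_userjs PROFILE_DIR
#   Creates PROFILE_DIR if needed and writes a user.js into it.
#   Returns 0 on success, 1 if no directory was given.
write_userjs() {
    profile_dir="$1"
    [ -n "$profile_dir" ] || return 1
    mkdir -p "$profile_dir" || return 1
    cat > "$profile_dir/user.js" <<EOF
// Disable disk and memory cache so cached objects cannot be used to track you.
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.memory.enable", false);
// Firefox's built-in anti-fingerprinting mode (normalises many readable values).
user_pref("privacy.resistFingerprinting", true);
// Block third-party cookies (embedded analytics/social widgets).
user_pref("network.cookie.cookieBehavior", 1);
// Default-deny JavaScript; re-enable per domain with NoScript as needed.
user_pref("javascript.enabled", false);
// Present a common Windows user agent (placeholder value set above).
user_pref("general.useragent.override", "$COMMON_WINDOWS_UA");
EOF
}

# count_prefs FILE
#   Prints the number of user_pref lines in FILE; used to check the result.
count_prefs() {
    grep -c '^user_pref(' "$1"
}

# setup_profile NAME DIR
#   Registers a separate Firefox profile named NAME stored in DIR (one profile
#   per activity, as the post recommends), then writes the hardened user.js.
#   The firefox call is skipped when firefox is not installed, so the rest of
#   the script still works offline.
setup_profile() {
    name="$1"
    dir="$2"
    if command -v firefox >/dev/null 2>&1; then
        firefox -CreateProfile "$name $dir" >/dev/null 2>&1 || return 1
    fi
    write_userjs "$dir"
}

# Usage (placeholder path):
#   setup_profile shopping "$HOME/.mozilla/firefox/shopping.profile"
```

Each profile gets its own copy of the file, so a profile tied to a real identity (online payments) never shares cache, cookies or settings with the one you use for posting. Edits made in `about:config` are overridden by `user.js` on every start, which is what you want for a hardening baseline.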
Any suggestions for VPNs?
Your best bet is VPNs that actually were subpoenaed by law enforcement and demonstrably couldn't give them the stuff they asked for, because it tends to show (not 100% but close) that they really don't keep logs. That has happened with PIA and ExpressVPN (I use the latter; the first one is a bit more shrouded in secrecy, though it did get subpoenaed several times without results too), and a few others. I've also heard good things about this list though I can't vouch for it personally.
our site does not have a javascript free version at the moment
This is something that has been concerning to me since I first registered here, yes; but I took a very quick look at the lemmy code a few days ago and the workload to implement such a thing is non-negligible. It'd be great, though. Unrelated, but there's also some funky - minor - stuff happening when you browse here with many tabs opened (especially the notifications when you receive a message).
And I've edited the post accordingly, thanks.
That's amazing - I could contribute in terms of skill but my free time is already limited as it is right now. You're doing awesome work, thanks!
Thanks for the information! I have a question tho. How do you start fixing things after you already made a bunch of mistakes. Like, I made a new gmail and such for chapo.chat related stuff, but I know my Reddit/Facebook/Google/etc. is already tied together and probably has a bunch of Amazon info mixed in as well. Is there any way to fix that kind of stuff or is it just gonna be make new accounts and do better next time?
The latter, I'm afraid. You want to decrease links between any two identities as much as possible.
Though it's for you to judge the risk (I prefer to err on the paranoid side, but to each his own); it also depends on what you're actually doing online. Shitposting here doesn't necessarily require the same level of opsec as defacing a website or setting up an online space to organize, for example.
There is an extension called uBlock so you might wanna edit the post to indicate that you meant uBlock Origin.