
A Beginner's Guide to Online Privacy

Online privacy for beginners: browser choice, encrypted email, private search, passwords, 2FA, open Wi-Fi risks, and how to spot phishing calls. No technical background needed.

Norypt Team | 11 March 2026 | Updated 18 March 2026 | 9 min read

Online privacy does not require a technical background. A small number of deliberate changes — the browser you use, how you manage passwords, the email provider you trust — collectively reduce your exposure far more than any single dramatic move. This beginner's guide to online privacy covers the practical fundamentals, in order of impact.

Use a privacy-oriented browser

Your browser is the window through which most of your online activity passes. Standard browsers like Chrome collect browsing history, search queries, and behavioural data to build advertising profiles. A privacy-oriented browser blocks this by default.

  • Firefox — open source, highly configurable, strong extension ecosystem. Set your default search engine to a private alternative and enable Enhanced Tracking Protection.
  • Brave — Chromium-based with aggressive tracker and ad blocking built in. No configuration needed to get meaningful protection out of the box.
  • Tor Browser — routes all traffic through the Tor network, providing the strongest anonymity. Slower, but appropriate when anonymity is more important than speed.

Whichever browser you choose, avoid logging in to the browser with a Google or Microsoft account — this links your browsing history to your identity and effectively undoes the privacy benefits.

Use a secure, encrypted email provider

Standard email providers like Gmail scan the contents of your emails to serve targeted advertisements. If you would not hand your correspondence to a third-party advertiser, reconsider using these services for sensitive communication.

Encrypted email providers use end-to-end encryption, meaning only you and your recipient can read the contents — not the provider, not the server, not anyone who intercepts the connection. Well-regarded options include:

  • Proton Mail — Swiss-based, end-to-end encrypted, zero-access to message contents. Free tier available.
  • Tuta (formerly Tutanota) — German-based, end-to-end encrypted, open-source clients. Also encrypts your calendar and contacts.

Note that encryption only protects messages between users on the same encrypted platform. If you send an email from Proton Mail to a Gmail address, Gmail receives it in plaintext. For maximum protection, encourage contacts to use the same provider.

Use private search engines

Google processes billions of queries daily and links each one to your account or IP address, building a profile of your interests, health concerns, political views, and purchasing intentions over time. Private search engines do not store your queries or build profiles.

  • DuckDuckGo — most widely used private search engine. No tracking, no search history. Results quality is good for most everyday searches.
  • Startpage — shows Google results without passing your data to Google. Best of both worlds if you prefer Google's result quality.
  • Brave Search — independent index, no tracking. Fast and increasingly comprehensive.

Basics of online privacy and security

Create a unique, long password for each account

Reusing passwords is the single most common cause of account compromise. When a service is breached — and major breaches happen every month — attackers test the stolen credentials against every other major site. A password reused across five services means a breach of any one of them compromises all five.

The solution is a password manager (Bitwarden, 1Password, or KeePassXC) that generates and stores a unique, random password for every account. You remember one strong master password; the manager handles the rest. A strong password is at least 16 characters, randomly generated, and contains no words or personal references.

Think carefully before disclosing your location

Location data is among the most sensitive categories of personal information. It reveals your home address, workplace, medical appointments, religious attendance, and daily routine. Before granting any app location access, ask whether the feature genuinely requires it. Most apps that request location do not need precise, continuous access — they need it once, or not at all.

On Android (especially GrapheneOS), you can grant approximate location instead of precise, and revoke access when the app is not in use. On iOS, use the "While Using" and "Approximate Location" options. Review your location permissions periodically — apps accumulate access over time and rarely release it voluntarily.

Enable two-factor authentication on every account

Two-factor authentication (2FA) requires a second proof of identity — typically a time-based code from an app — in addition to your password. Even if an attacker obtains your password, they cannot access your account without the second factor.

Prefer an authenticator app (Aegis on Android, Raivo on iOS, or Bitwarden's built-in authenticator) over SMS codes. SMS 2FA is better than nothing, but SIM-swap attacks — where an attacker convinces your mobile provider to transfer your number to their SIM — allow interception of SMS codes. App-based codes are not vulnerable to this.

Never do anything sensitive on open Wi-Fi

Public Wi-Fi networks in cafés, airports, and hotels are unencrypted and shared. Anyone on the same network can observe your traffic — login credentials, session tokens, content of unencrypted pages. Even with HTTPS, open Wi-Fi exposes which sites you visit, the timing of your requests, and potentially session identifiers.

If you must use public Wi-Fi, route your traffic through a VPN first. A VPN encrypts everything between your device and the VPN server, making your traffic opaque to other network users. Never log into banking, email, or any account containing sensitive data without this protection in place. At home, a privacy router with a built-in VPN protects every device on your network automatically — phone, laptop, and anything else — without configuring each device separately.

Install software updates immediately

The majority of successful cyberattacks exploit known vulnerabilities — flaws that have already been discovered, documented, and patched. The update contains the patch. Delaying installation means running software with publicly documented security holes. Attackers actively scan for unpatched systems because they are reliably easier targets than up-to-date ones.

Enable automatic updates for your operating system and all installed applications. Treat security updates as mandatory, not optional. If an update is described as addressing a "critical vulnerability," installing it within hours — not days — is the appropriate response.

Cover your webcam when not in use

Remote Access Trojans (RATs) and some forms of malware can activate your webcam silently, without the indicator light turning on — a capability that has been publicly demonstrated and is not theoretical. A physical cover — a sticker, a piece of opaque tape, or a purpose-built slider — costs nothing and provides a guarantee that no software can override. This is not paranoia; it is a simple, free mitigation for a real risk.

Understand the cost of "free" services

When you use a service without paying for it, the business model is almost always advertising — which requires building a detailed profile of who you are, what you're interested in, and how to influence your behaviour. Your data is not incidental; it is the product being sold. This is not a conspiracy — it is disclosed in terms of service that almost nobody reads.

The practical implication: every "free" service you use is a data collection operation. Email, social media, search, maps, cloud storage — each one extracts behavioural data in exchange for access. Being aware of this allows you to make deliberate choices about which trade-offs are acceptable to you.

Be aware of phishing calls and social engineering

Phone-based fraud — vishing (voice phishing) — is one of the most effective attack vectors because it bypasses technical defences entirely and exploits human trust. Attackers call posing as bank fraud departments, government agencies, or tech support teams, and use urgency and authority to extract sensitive information.

The rule is simple: no legitimate organisation will ever ask for the following over the phone:

  • Your full PIN or card number
  • Your online banking username and password
  • Your two-factor authentication code
  • Your social security or national insurance number
  • Any request to "confirm" sensitive data by repeating it back to the caller

If you receive such a call, hang up. Call the organisation back using the number published on their official website — not the number the caller provides. Banks lose millions per year to this attack; it works because the attacker sounds professional and creates a sense of urgency. Knowing the script makes it much easier to recognise and exit.

Where to go from here

These fundamentals protect against the most common threats most people face. For more advanced topics — threat modelling, device-level encryption, anonymous connectivity — see the Privacy Academy.

If you want hardware that handles the technical layer for you: every Norypt Phone arrives pre-configured with GrapheneOS and privacy defaults set correctly from day one. The Norypt Privacy Router applies VPN and tracker blocking to every device in your home automatically. The Norypt eSIM gives you anonymous mobile data in 160+ countries with no identity verification required. And the Norypt Secure Laptop ships with full-disk encryption and a hardened OS pre-configured — no technical setup needed.
