5 common privacy mistakes (and how to fix them)
Most people think they're more private than they are. These five habits expose more than you'd expect.
Most people who care about privacy think they're more protected than they are. That's not a criticism — it's a natural result of how privacy tools are marketed. "Use a VPN and stay safe" sounds complete. It isn't. Here are five mistakes that leave people significantly more exposed than they realise, and what to actually do about them.
1. Treating a VPN as complete privacy protection
VPNs are genuinely useful — they encrypt your traffic from your device to the VPN server, and they hide your IP address from the sites you visit. That's meaningful. But what they don't do is equally important to understand.
A VPN does not hide you from:
- The VPN provider itself — you're trading your ISP's visibility for the VPN provider's visibility
- Websites that track you via cookies, fingerprinting, or logged-in accounts
- Google and Meta, who track you across most of the web regardless of IP address
- Your device — if your phone or laptop is configured to report back to its OS vendor, a VPN doesn't stop that
VPNs are one layer of protection, not a complete solution. They work well in combination with other measures — particularly privacy-focused DNS and a de-Googled device.
2. Assuming "private browsing" is private
Incognito mode (in Chrome) or Private Browsing (in Firefox/Safari) does one specific thing: it doesn't save your browsing history, cookies, or form data to your local device after you close the window. That's it.
Your ISP can still see every site you visit. Your employer (if you're on a work network) can still see every site you visit. The websites you visit still see your IP address and can fingerprint your browser. Google still logs searches made through its search engine. "Private browsing" is a misleading name for what is, essentially, automatic history-clearing.
3. Using a Google or Apple account on your phone
If your phone is linked to a Google or Apple account, your activity is being tracked, catalogued, and used for advertising and product improvement — by default. This includes:
- Location history (Google Maps, Apple Maps, even when you're not actively using them)
- App usage data
- Voice assistant recordings (both Google Assistant and Siri)
- Purchase history via linked payment methods
- Contacts, calendar events, and communications
The most effective solution is a phone with no Google services at the OS level. Norypt Phones run without any Google services — most apps still work via a sandboxed compatibility layer, but none of the telemetry infrastructure is present.
4. Neglecting your home network
You configure privacy on your laptop and phone. But your smart TV, your Amazon Echo, your video doorbell, and your kids' tablets are all also on your network — and almost none of them have privacy settings worth the name. They transmit usage data, voice recordings, and behavioural telemetry constantly.
The most practical solution is network-level blocking: a privacy router that stops known tracking and telemetry domains before they can leave your network, for every device at once. This approach protects devices you can't individually configure — smart TVs in particular are notoriously aggressive data collectors, and there's no way to opt out through the device's settings alone.
A privacy router configured with NextDNS or AdGuard DNS blocks tens of thousands of tracking domains automatically, with no per-device configuration required.
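The domain-level blocking described above works by matching each DNS query against a list and refusing to resolve names that match. The following is an added example, not code from the article or from Norypt, NextDNS or AdGuard: a small model of that policy in Python, with constructed placeholder domains and a constructed query log. The one detail worth seeing is that matching must cover parent domains, so that a listed `tracker.example.test` also catches `cdn1.tracker.example.test`.

```python
# Added example (not from the original article): a minimal model of the
# domain-based blocking a privacy router or filtering DNS resolver performs.
# Blocklist entries and the sample query log below are constructed for
# illustration; the names are placeholders, not a real blocklist.

from typing import Iterable

BLOCKLIST = {
    "telemetry.example-tv-vendor.test",   # constructed placeholder entries
    "tracker.example.test",
    "ads.example.test",
}

def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Ads.Example.test.' still matches."""
    return name.strip().rstrip(".").lower()

def is_blocked(qname: str, blocklist: set = BLOCKLIST) -> bool:
    """A query is blocked if the name itself or any parent domain is listed.
    Suffix matching matters: listing tracker.example.test must also catch
    cdn1.tracker.example.test, otherwise a device sidesteps the list simply
    by using a fresh subdomain."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False

def filter_queries(log: Iterable):
    """Apply the policy to (device, queried_name) pairs; return (allowed, blocked)."""
    allowed, blocked = [], []
    for device, qname in log:
        target = blocked if is_blocked(qname) else allowed
        target.append((device, normalise(qname)))
    return allowed, blocked

# Constructed sample of the kind of entries a router's DNS log might hold.
SAMPLE_LOG = [
    ("smart-tv", "telemetry.example-tv-vendor.test"),
    ("smart-tv", "api.telemetry.example-tv-vendor.test"),
    ("smart-tv", "updates.example-tv-vendor.test"),
    ("tablet", "CDN1.tracker.example.test."),
    ("doorbell", "video.example-doorbell.test"),
]

if __name__ == "__main__":
    allowed_q, blocked_q = filter_queries(SAMPLE_LOG)
    for entry in blocked_q:
        print("BLOCKED", *entry)
    for entry in allowed_q:
        print("allowed", *entry)
```

Run as-is it prints three blocked queries (the two telemetry names and the tracker subdomain) and two allowed ones. The practical caveat for any router-based setup is that it only sees queries that actually go through the router's resolver: a device that hard-codes its own DNS server or speaks encrypted DNS directly to a third party bypasses this list unless the router also intercepts or blocks those paths.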
5. Using the same email for everything
Your email address is your primary identity on the internet. When you use the same address for every service — your bank, your social media, your shopping, your newsletters — you make it trivial for data brokers to link all of those accounts into a single profile. When any one of those services is breached (and they are breached, regularly), your email address is exposed and tied to all the others.
The fix is email aliasing: using a different email address for each service, all of which forward to your real inbox. Services like SimpleLogin (open source, Proton-owned) or Apple's Hide My Email make this straightforward. When a service gets breached or starts spamming you, you simply disable that alias — your real address is never exposed.
This doesn't require changing your email provider. It's a layer on top of whatever you already use.
The bigger picture
Privacy isn't about being paranoid or invisible. It's about understanding what data you're generating, who has access to it, and making deliberate choices about that. None of the fixes above are difficult. The hardest part is usually just knowing what the actual risks are — which is exactly what the Privacy Academy is here for.
One more: using SMS for two-factor authentication
SMS-based two-factor authentication is significantly weaker than authenticator apps or hardware keys, yet it remains the most widely deployed form of 2FA. The vulnerability is SIM swapping — an attacker who convinces your carrier to port your number receives all your SMS codes and can reset access to any account that uses your number for recovery. If you use SMS 2FA on your email or bank account, that's the weakest link in your security setup. Switch to an authenticator app (Aegis on Android, Raivo on iOS) for any account that allows it. Treat SMS 2FA as a last resort, not a standard.
If you're ready to address the hardware layer — where the biggest gaps usually are — explore Norypt's range of pre-configured privacy devices.
Ready to take control?
Every Norypt device arrives pre-configured, verified, and ready to use — no technical knowledge required.
Related reading
Threat Modelling: Building a Personal Privacy Plan
Threat modelling is the foundation of any privacy plan. This guide shows you how to define your adversaries, assets, and realistic risks.
Physical Device Security: Border Crossings, Seizures, and Cold Boot Attacks
Encryption fails the moment someone has physical access to your device. Here's how to harden against border seizures, evil maid attacks, and cold boot.
Encrypted Messaging Apps: Signal, Session, and Matrix Compared
Not all encrypted messengers protect equally. Signal, Session, and Matrix compared by protocol, metadata exposure, and trust model.
