Digital security without buying anything
Most privacy gains come from behaviour, not hardware. What can you do today without spending a single euro?
A Faraday bag does nothing if you share your location through every app. A privacy screen protects nothing if your password is “welcome01”. Hardware is the last layer, not the first.
This article is the first layer.
Where does most of your data actually go?
Before changing anything, it helps to know where the biggest leaks are.
Your passwords: Data breaches happen constantly. If you reuse the same password across multiple sites, one breach is enough to open all your accounts. This is by far the biggest risk for most people.
Your phone: Default Android sends your location, app usage, and search behaviour to Google. Default iOS does the same for Apple. Most apps request more permissions than they need.
Your browser: Every site you visit sees your IP address, browser, screen size, operating system, and more. Advertising networks link this to a profile — without you ever logging in.
Email: Email is inherently insecure as a transport medium. The content is visible to your email provider. Tracking pixels tell senders when you open a message.
Social media and apps: WhatsApp, Instagram, TikTok, Facebook — all these apps collect metadata about who you communicate with, when, for how long, and from where.
What you can do today — free
1. Install a password manager
KeePassXC (desktop) or KeePassDX (Android) — free, open-source, no cloud.
What it does: generates unique, strong passwords for every site. You don’t need to remember them — the manager does.
Steps:
- Download KeePassXC from keepassxc.org
- Create a new database with a strong master password (20+ characters, passphrase or random string)
- Add your existing accounts — start with email, banking, and social media
- Change each password to a generated 20+ character password
This takes an hour. The risk drops immediately.
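To see which accounts to change first, the following added example (not part of the original article and not KeePassXC code) audits a password-manager CSV export for entries that share a password and entries shorter than the 20-character target. The column names `Title` and `Password` and the sample rows are assumptions constructed for this example; adjust them to your own export.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 20  # the article's target length for generated passwords

# Constructed sample standing in for a CSV export (assumed column names).
SAMPLE_EXPORT = '''"Title","Username","Password","URL"
"Mail","anna@example.org","welcome01","https://mail.example.org"
"Bank","anna","welcome01","https://bank.example.org"
"Forum","anna_k","T7#qLw9!vR2m@Zp4&Xc8^Hd","https://forum.example.org"
"Shop","anna@example.org","Summer2024!","https://shop.example.org"
'''


def audit(csv_text: str) -> dict:
    """Return entry titles that share a password and titles with a short one."""
    by_digest = defaultdict(list)
    too_short = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row["Password"]
        if not password:
            continue  # entries without a password (notes, keys) are skipped
        # Group on a digest so the report never carries the password itself.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(row["Title"])
        if len(password) < MIN_LENGTH:
            too_short.append(row["Title"])
    reused = sorted(sorted(titles) for titles in by_digest.values() if len(titles) > 1)
    return {"reused": reused, "too_short": sorted(too_short)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("same password used by:", ", ".join(group))
    print("shorter than", MIN_LENGTH, "characters:", ", ".join(report["too_short"]))
```

A CSV export holds every password in plaintext, so run this on the local machine and delete the file afterwards.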
Bitwarden is an alternative if you want sync between devices — open-source, free tier, self-hosting possible.
2. Enable two-factor authentication
A password alone isn’t enough. Add a second factor: a code that changes every 30 seconds, generated on your phone.
Aegis (Android) — open-source TOTP app, free via F-Droid or Play Store. Export a backup of your codes regularly.
Enable 2FA on: email, banking (where possible), social media, password manager, cloud services.
Avoid SMS as a second factor if you can choose — SIM swapping is a known attack. A TOTP app is better.
See the two-factor authentication guide.
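How the 30-second code is derived, as an added example that is not part of the original article and not Aegis code: a Python implementation of TOTP (RFC 6238, HMAC-SHA1) with a server-side check. The secret is the published RFC 6238 test key, and the one-step drift window in `verify` is an assumption of this example.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays current, as described above


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 over the 30-second time counter."""
    cleaned = secret_b32.upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)            # sites often omit base32 padding
    key = base64.b32decode(cleaned)
    counter = unix_time // STEP                     # constant within one 30 s window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: accept the current code and its neighbours to absorb clock drift."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP, len(submitted))
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


# Constructed sample: the RFC 6238 test key, base32-encoded as a site would show it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    t = 1111111109
    print("code at t      :", totp(SECRET, t))
    print("code 2 s later :", totp(SECRET, t + 2))   # next window, different code
    print("old code accepted with drift window:", verify(SECRET, totp(SECRET, t), t + 2))
```

The phone and the server only share the secret and a clock, which is why an intercepted code stops working once its window (plus any drift allowance) has passed.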
3. Clean up app permissions
Go through your installed apps and revoke permissions you don’t understand or don’t need.
Android: Settings → Privacy → Permission manager → go through each category
Ask for each permission: does this app actually need this?
- A flashlight app doesn’t need location
- A calculator doesn’t need contacts
- A game doesn’t need the microphone
If an app demands a permission it logically doesn’t need: remove the app or find an alternative.
4. Switch or configure your browser
Firefox is free and more privacy-friendly than Chrome when properly configured.
Minimum changes:
- Settings → Privacy & Security → Enhanced Tracking Protection → Strict
- Install uBlock Origin (free, open-source)
- Disable telemetry (Settings → Firefox Data Collection → uncheck all)
See the app hardening guide for the full Firefox configuration.
Brave is an alternative that blocks more by default. Note that Brave is a commercial company with its own advertising model.
5. Switch your search engine
Google links every search query to your profile.
Alternatives:
- DuckDuckGo — no tracking, results based on Bing, free
- Startpage — Google results via a proxy, no tracking, free
- Brave Search — own index, no Google dependency, free
Change your default search engine in your browser: Settings → Search engine → choose your alternative.
Costs nothing. Immediately changes what gets tracked about you.
6. Replace WhatsApp — or limit it
WhatsApp is end-to-end encrypted for messages. But metadata — who you message, when, how long, how often — goes to Meta.
Signal is the best alternative. Same ease of use, stronger privacy guarantees, open-source protocol. Free.
If the people around you won’t switch: install Signal alongside WhatsApp and use it for those who have it.
Minimum WhatsApp restrictions:
- WhatsApp → Settings → Privacy → Last seen → Nobody
- Settings → Privacy → Profile photo → My contacts
- Settings → Privacy → Read receipts → Off
- Settings → Chats → Backup → Off (backups are not encrypted when going to Google Drive)
7. Change your DNS
Default DNS comes from your provider. They see every domain name you look up.
Switch to Quad9 (free, no logging, filters malware):
Android: Settings → Network → Private DNS → dns.quad9.net
Windows: Network settings → Ethernet/Wi-Fi → DNS → Manual → 9.9.9.9
Firefox: about:preferences#privacy → Enable DNS over HTTPS → Quad9
8. Lock your screen with a PIN
Not a pattern (visible smudges), not face recognition alone (no legal protection), but a PIN of six or more digits.
Settings → Security → Screen lock → PIN
Set auto-lock to Immediately or 30 seconds.
Least effort, most impact
If you only do three things, do these:
- Password manager with unique passwords per account
- Two-factor authentication on your email and banking
- uBlock Origin in your browser
These three steps address 80% of the actual risk for the average user. They’re free. Together they take an hour.
Everything after that — GrapheneOS, VPN, hardware security keys, Faraday bags — is a supplement to an already solid foundation. Not a replacement for a missing foundation.
GDPR: what are your rights?
If you live in the Netherlands or EU, you have rights under the General Data Protection Regulation (GDPR):
- Right of access — every company must tell you what data they hold
- Right to erasure — you can ask for your data to be deleted
- Right to portability — you can request your data in a usable format
- Right to object — you can object to profiling for advertising purposes
Practically: go to major services (Google, Meta, Microsoft) and download your data. You’ll be surprised how much there is.
In the Netherlands, complaints can be filed with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
When hardware actually helps
Behaviour is the foundation. Hardware adds something where behaviour falls short:
- Faraday bag — signal isolation when you genuinely don’t want to be tracked (border crossing, sensitive meeting)
- Privacy screen — visual shielding in crowded places
- Hardware security key — stronger than TOTP for account security
- GrapheneOS phone — when you want to stop sending data to Google at OS level
But these are supplements. Not a replacement for strong passwords and two-factor authentication.