Threat profile: the normal user

You’re not paranoid. You have nothing to hide — or at least nothing unusual. But you also don’t love the idea that an ad network knows you were searching for travel insurance last night, that your phone tracks your location while you sleep, or that your ten-year-old password has turned up in three data breaches.

Those aren’t hypothetical risks. They’re already reality for most people.

What are your real threats?

Data harvesting by tech companies Google, Meta, Amazon and others build detailed profiles of your habits, preferences, location, and social network. This is used for targeted advertising — but the same profile can be passed to government agencies, acquired in a corporate takeover, or leaked in a hack.

Data breaches Websites get hacked. Email addresses and passwords end up on the dark web. If you use the same password on multiple sites, one breach gives access to everything.

Phishing Fake emails, fake SMS, fake WhatsApp messages that send you to a bogus login page. Much more convincing now thanks to AI. They catch people who consider themselves too smart to fall for it.

Unsecured accounts Email account, bank account, government login — if any one of them is compromised without a second factor, you have a serious problem.

Tracking via browser and apps Every site you visit builds a profile. Every app with unnecessary permissions shares more than you know.

What you do NOT need to worry about

For the normal user, targeted government surveillance is not a realistic risk. You don’t need a Faraday bag for your grocery run. You don’t need Tor to read your email.

The threats facing you are mass and automated — not personal and targeted.

Behaviour checklist — do this now

Sorted by impact:

Right now (< 1 hour, free)

Install a password manager (KeePassXC or Bitwarden)
Change your email password to a unique, generated one
Enable two-factor authentication on your email account
Install uBlock Origin in your browser
Switch your search engine to DuckDuckGo or Startpage
Review your app permissions — revoke anything unnecessary

This weekend (< 2 hours, free)

Change passwords for your bank, government login, and social media
Enable 2FA on your bank and government accounts (where possible)
Check whether your email address has appeared in a breach: haveibeenpwned.com
Turn off WhatsApp backups (they are not encrypted in Google Drive)
Set DNS to Quad9 on your phone: Settings → Network → Private DNS → dns.quad9.net

This month

Replace Chrome with Firefox (with uBlock Origin and tracking protection set to Strict)
Make a backup strategy for your password manager
Go through your social media privacy settings

Tools that help

Problem	Solution	Cost
Reused passwords	KeePassXC / Bitwarden	Free
No second factor	Aegis (Android, TOTP)	Free
Browser tracking	Firefox + uBlock Origin	Free
DNS monitoring by your provider	Quad9 DNS	Free
WhatsApp metadata	Signal (for contacts who also use it)	Free
Phone tracking	Restrict app permissions	Free

When hardware actually adds something

Once the basics are solid and you want to go further:

Privacy screen — if you regularly work in busy public places (train, coffee shop). Prevents shoulder surfing.

Hardware security key (YubiKey) — stronger than TOTP for accounts that support it. Useful if your email or cloud storage is particularly sensitive.

USB data blocker — if your phone ever charges via public USB ports.

You don’t need GrapheneOS, a Faraday bag, or a VPN as a normal user. Get the basics solid first.

Next step

Once you’ve worked through the checklist and want more:

iPhone privacy settings — concrete steps for iOS users
Android privacy without a custom ROM — concrete steps for regular Android phones
Security as a habit — how to build privacy habits into daily use
App hardening guide — deeper per-app configuration
Two-factor authentication guide — all options explained
Which network setup fits your threat profile? — free steps for your router\n- All security guides — overview of all security guides

Reviews: