Protecting Your Privacy Online
1. Introduction
2. Web Surfing
3. Email
4. Phone
5. Instant Messaging
6. File Sharing

Technical Difficulty
Beginner
Intermediate
Advanced
Software Supported
OS Supported
iPhone
Android
Windows
OSX
Linux
Firefox
Safari
Chrome
Opera
Introduction
Web Surfing
Email
Phone
Instant Messaging
File Sharing
 
 
 
 
 
Internet Explorer
Silent Circle



       Silent Circle offers some ultra secure phone handsets called the Black Phone.  This uses a custom version of Android  hardened to resist hackers and comes with encryption built in, though voice calls  are only encrypted if the other person also has a Black Phone or is using the Silent Phone VOIP app. 
VOIP


       If you can't or don't want to use your cell phone, VOIP (Voice over Internet) is another option.  VOIP allows you to have a 2 way audio conversation over the internet with other VOIP users and even regular phones as well.  Some services include video.  Skype is a popular example, but Skype is no good for privacy because it has been modified to allow interception/surveillance by Big Brother.  Instead we can use another VOIP provider with encryption that will make our conversations truly private.  Be warned that setting up VOIP can be technically complex and online documentation is lacking, so if you are looking for an easy solution, one of the phone based alternatives above is better.

       First set up an account with a VOIP provider.  Linphone and Ekiga are both good options and both provide a "softphone" or software phone that resides on your computer which you can use to make calls to other VOIP users or regular telephone numbers.  Both include a video chat option.  Be aware that by default voice calls are not encrypted.  You need to set up encryption first.  ZRTP is the best option if your VOIP provider supports it.



Anonymous Voice Conversations


       Skype is reported to work well over Tor, however Skype is not the best choice for privacy because of the backdoorTorFone is a better option.
       Recent disclosures have illuminated the fact that all internet activity is subject to surveillance of the national spy agencies for several large countries (US, UK, New Zealand, Australia, Canada, probably Russia, China as well).  You may wonder if it is possible to do anything to prevent this, whether it is possible to have a private conversation on the internet at all.  It is possible but requires some additional protective measures you may not be familiar with.  This guide aims to educate you to take back your privacy using simple language and step by step instructions you don't need to be an expert to understand.  Only a few best-of-breed solutions, out of the dozens available, will be presented for simplicity.  If you have needs that are not addressed here, an excellent compendium of free, open source, privacy oriented software can be found at: http://prism-break.org. Another excellent resource with simple, easy to understand how-tos is https://securityinabox.org/en.  Another great guide with links to privacy software and service providers is at https://www.privacytools.io  Don't let the length of this guide worry you.  You can start small, making changes to the internet services you use most frequently.  Each step provides a significant benefit.
Encryption

       Encryption is just another word for code, and it has been around as long as the written word.  A simple code, called substitution, would be to change letters to numbers.  A = 1, B = 2, C = 3, and so on.  Using this code, the message "Encryption protects privacy" would become "5 14 3 18 25 16 20 9 15 14 16 18 15 20 5 3 20 19 16 18 9 22 1 3 25".  Such a simple code would be quite easy to break but serves as an example.  Most encryption ciphers in use today, with names like AES-256 and Blowfish, operate on a similar principle.  They convert letters to numbers, perform a complex series of mathematical operations on those numbers, then convert the result into machine-speak, like Base64, before transmitting it over the internet.  The receiver must then perform the exact same series of mathematical operations -in reverse- to decode the message.  The exact series of steps to encode and decode messages is known as the key, and both the sender and receiver must have this key to communication using encryption.  Without the key, an eavesdropper who intercepts the message will see this:

7+0lpMfPDceSgDJMtNzgwjNaPYXECTEMtogJcEnWr8nqCrltQIxHXfG8lzSRQtl3
rJua3O/++Xun39xLYFFWeTjPp+tcP+JspthHJ8DLikQVtsuEhBBcu2fJF5hRaZ/f
8ziLgMt2IjVbQAXsYNg8rsyTlNVqfKdI3l+dyHkBKbJ+2r7nL1YJikf+ZWBcj/eg
MPEVmE2j3y0YSvMqY

       Thankfully you don't need an advanced mathematics degree to use high level encryption, as there is software available, free to use, which will perform all the advanced calculations, manage your keys, and transmit them securely to the intended recipient.  All you have to do is feed it the raw message, i.e. plaintext, and out pops the encrypted ciphertext.
Anonymity


       When you send an encrypted message to someone, you have privacy because no one else can read it, but you don't have anonymity because an eavesdropper can see that a message was sent even if he can't read it.  Quite a lot can be guessed based on frequency and timing of messages between various persons.  This may or may not concern you, but it is important to at least note the difference between privacy and anonymity, as it will come up in later sections.  Some tools provide privacy, some anonymity, and using them in combination can provide both together.
       Every time you open a new web page, whether you are using Chrome or Firefox or something else, not only the page you requested, but several dozen others also open simultaneously behind the scenes.  This is because it has become common for web pages to embed javascript and other more arcane web technologies into each page.  Some of these scripts are to add additional functionality to the site, some are for visitor tracking or advertising.  Each of these invisible mini-pages reads and sets "cookies", a  unique identifier to track you as you move from page to page, server to server across the internet. 

       For example, if you visit a pharmacy web page to order medication and do a google search and both google and the pharmacy use the same ad network, the advertiser will be able to see not only your google search terms but also which drugs you viewed on the pharmacy website.  This type of data can be gathered over long periods of time to build up an accurate and detailed portfolio of information about you.  This information portfolio can be bought, sold, and shared with a wide variety of corporations and government agencies.  It can also be linked to your real identity in many cases.

Learn More

A neat tool that let's you investigate your "digital shadow" or what information you leave behind on the internet that others can collect is here.
Tracking-Cookie Blockers


       If you don't want the entire world of advertising and government to know you are pregnant, have herpes, or are considering divorce, you will need to install and use some type tracker blocking software. 
Disconnect.Me



       Disconnect.Me keeps a list of privacy invading tracker scripts across the internet and automatically blocks them.  This shouldn't really impact your normal web surfing much or at all.
       
No Script



        No Script will block javascript, java applets, and flash.  Rather than using a known blacklist like Cookie Blockers, No Script just blocks everything until you approve each site.  This can break some sites' functionality, so you may have to unblock the site you are visiting if things don't display properly.  Sometimes this is not enough and you will have to unblock one (or more) of the 3rd party web addresses that are embedded into the site, which can be a bit confusing.  I feel it is a small price to pay for not getting infected just from surfing the net. 

       To install, go to the NoScript download page here  and click "Install". If a warning pop up appears, click "Allow".  Once it is installed you can change the settings by clicking the little "S" icon.  If you need to unblock something, click the S icon and start picking names off the list to Allow until the site works.  You can make your choices temporary or permanent.  The default options for No Script are pretty good, but if you want a little more privacy it is recommended to go into Options menu, select Whitelist, and take Google, Microsoft, and Yahoo out of the whitelist.  This will block those companies from tracking you and executing scripts which are normally allowed by default.  Only available for Firefox.

HTTPS Everywhere



       HTTPS is the encrypted version of the standard HTTP protocol which is used to load web pages from the internet.  Every time you load a web page you are using either HTTP (unencrypted) or HTTPS (encrypted) to do so.  The difference can be seen mainly from the address in the address bar and the little lock icon.  Anything sent over regular HTTP can be seen by any router in your communication path or anyone who has a tap on any of the dozens of transmission lines that carry your data from your home to the server you are communicating with over the web.

       Since the spying revelations, many companies have announced they are moving to HTTPS by default, including Yahoo and Hotmail.  This is a very good thing because it means that snoops will no longer be able to intercept your messages to grandma just by sniffing the packets on the undersea internet cables. 

       The HTTPS Everywhere plugin sets HTTPS by default for every site you connect to.  Not every site supports HTTPS at all, but for the ones that do you can be assured your browser will encrypt your traffic to and from those sites.  Not only does using HTTPS protect you from snoops, but it also protects you from certain types of attacks which have been revealed are favorites of the spy agencies where your internet traffic is tampered with and malware silently inserted into an ongoing conversation between your computer and an internet server.  HTTPS is very easy to use and will have no noticeable effect on the load times of your web pages, so it is very highly recommended.

Anonymous Web Browsing


       Every time you connect to a server on the internet, you have to provide your IP address in order for the reply to reach you.  Your IP address is assigned by your Internet Service Provider (ISP) and operates the same way as your mailing address.  A location where servers you connect to on the internet can send data and webpages intended for you.  It is uniquely identifiable and can be tied to a particular city, state, and country by anyone using tools like these.  IP Geolocation   In addition, most governments will have access to a master list showing everyone's IP address and billing information, ie credit card data, home address, etc.  So everything you do on the internet and every site you visit can be tied directly to you, or whoever pays for your internet.
Tor



       If, in addition to protecting the content of your communications using encryption, you also want to preserve your anonymity you have a few options to mask your identity.  Tor is the most commonly thought of application for this and it provides very good anonymity.  Probably the best anonymity you can get, provided you follow all the guidelines in the Tor documentation.  

       To install Tor, go to the download page here.  There are installation instructions for Windows, Mac, and Linux.  You will notice there are two links for each version.  One is the installer file itself, listed as "32-bit" or "64 bit".  The other says "sig" and is a PGP signature that proves the Tor software you are installing hasn't been tampered with.  PGP is explained below, but you can find step by step instructions on verifying the .sig file here.
VPN


       Tor is unfortunately very slow.  Too slow for regular daily use.  Tor is for special occasions when you need the best protection available.  VPN, or Virtual Private Network, is a secure encrypted connection between your computer and a server hosted by your VPN service.  All your internet traffic is sent though this encrypted "tunnel" to the VPN company who forwards your traffic onto its destination and forwards the return traffic back to you through the tunnel.  To anyone using a geolocation service, it appears as if you are physically located in the same building as the VPN provider, along with all the other VPN users.  These other users are what really provides your anonymity in a way that simply going to a friend's house or a library won't. 

Learn More
       If you go to a friend's house and connect to a service already associated to you, say by having paid for it with a credit card or using your real name, (ie joe.smith@yahoo.com) then other services you use, (ie notmyrealemail@yahoo.com) can be tied to your real identity.  The number of people who use the internet at your friend's house is not that large, just you, your friend and maybe your friend's roommates, so it doesn't take a whole lot of guesswork to draw a connection between your internet activity on various sites using different usernames, email addresses, etc.  When you use a VPN, hundreds or thousands of other people all around the world are also using the same provider simultaneously.  It becomes very difficult to look at one communications session and definitively connect it to another.  You get lost in the crowd and only the VPN provider can tell your traffic from all the others.  So for this reason it is essential to choose a good VPN provider who can be trusted to keep your information safe.  Many have strict privacy policies and turn off all logging on their servers, so even if they are given a subpoena for data they have nothing to give.  However given the explosion of interest in VPNs recently a lot of unscrupulous providers have sprung up to take advantage of the unwary.  Do some research before trusting them with your privacy and wallet.  VPN providers typically offer several options including PPTP, L2TP, and OpenVPN.  OpenVPN is by far the most secure and other options should not be used.


A good discussion of the pros and cons of various VPN providers:
https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/

Another good comparison site:
https://thatoneprivacysite.net/vpn-section/
       Email has so completely woven itself into our lives it has almost completely replaced traditional mail.  Yet it does not have the same protections as traditional mail.  In the US and many other countries it is a serious crime to open someone's mail without permission, but email is not accorded the same protections.  Email left on a mail server in the US for more than 180 days is considered "abandoned" and may be read at will without need for warrant or subpoena.  In addition, many free email providers, such as Google, will read users' email for use in targeted advertising.  For this reason it is recommended to not use webmail and instead download all your mail to your personal computer using a mail client such as Claws, Eudora, Thunderbird, etc.  Outlook and Outlook Express are not recommended due to a large number of security vulnerabilities in those products.  Despite this, I know it can be a pain to switch your normal mail habits, and so will provide instructions on how use encryption for all the most common products.

Learn More
POP/IMAP/SMTP


       By default most mail clients will download mail using secure POP3 or IMAP protocol and send mail using secure SMTP protocol.  This has changed recently and vastly improves your email privacy.  However, some older mail clients and mobile mail clients still use the older unprotected versions of these protocols.   These unprotected transport methods don't utilize any form of encryption, so your mail is open for anyone to read who can see the traffic flashing by.  It is comparable in many ways to writing on a postcard.  The mailman can read it, all the workers in the mail processing center can read it, the drivers in the delivery vans can read it.  If you want to keep your email private you will need to put it in a sealed envelope.  In the case of email, the sealed envelope is called TLS and every major mail client already has it built in.  You just need to specify that TLS should be used.  You do that by changing the port number for incoming and outgoing email and the mail program (usually) recognizes you want to use secure transport for sending and receiving.  The simplest thing to do is look at the existing setup and change the unencrypted port number to the encrypted number and your mail client will do the rest.

                                  Open                Encrypted
POP3                        110                        995
IMAP                         143                        993
SMTP                        25                          465

Of course you have to consider not only whether encryption isbeing used between your computer and the mail server, but also when the mail server talks to another mail server.  Like if you use Gmail and your friend uses Yahoo, when you send an email to your friend, do Gmail and Yahoo use encryption when they talk to each other?  For the larger mail providers the answer is generally yes, but smaller mail services such as those used by a business for in-house mail, the results are mixed.  If you want to know if a particular server supports encrypted mail transfers, follow the instructions here.


PRISM


       If you are using HTTPS to connect to your webmail or TLS to download mail from your mail server you will be protected from anyone tapping into the internet transport infrastructure to capture data, but large US based mail providers such as Microsoft's Hotmail/Outlook, Yahoo, Google's GMail, and Apple are all part of a program called PRISM which voluntarily shares user account data, contacts, and email with the NSA.  So after you go to the trouble to encrypt your connection to your mail provider, they turn around and hand the unencrypted emails over to the US government.  It is still a good idea to use HTTPS and TLS because there are other snoops in the world besides the NSA, but if you want to keep your email private from the US Gov some additional steps are required.
PGP/GPG



       PGP (Pretty Good Privacy) is basically military grade encryption for regular people.  It is so powerful, the US government filed criminal charges against its creator, Phil Zimmerman.  There is an amusing (or scary) tale behind it, but the end result is that Big Brother failed to shut down PGP and it has continued on through many revisions and turned into an open standard, OpenPGP, of which GPG or GnuPG is the most common software currently in use.

       It is unfortunately not very user friendly software.  Very few people are comfortable working with a command line interface.  Several attempts have been made to come up with a graphical user interface, Enigmail and Kleopatra for example, but these interfaces can be frustrating or difficult in their own right, so it is advisable to learn at least the basic GPG commands.

       Once you understand how to use it, it is extremely powerful.  You can verify that software you download from the internet hasn't been tampered with.  You can sign messages in a way that no one can impersonate you and the recipient can verify they haven't been altered.  You can encrypt your messages (or files) so that the best code breaking computers in the world can't decipher them.  All this results from a mathematical theorem called Public Key Encryption or Asymmetric Encryption.  The basics of it is you have 2 keys, a public key you give to others so they can encrypt messages only you can decrypt and a private key that allows you to decrypt them.  In most other encryption systems you have to find a way to share the same key with whoever you want to communicate with, not so with PGP.  The 2 keys used by PGP are mathematically related so that one decrypts what the other encrypts, the private decodes the public and the public decodes the private, so you use the public key to encrypt messages and the private key to sign them.  The software keeps track of all the keys so you don't need to worry about it, but if you want a more detailed explanation, this one is pretty good.  All modern Linux versions include GPG by default.  Windows and Mac users will need to download it. 
Download GPG for Windows
http://gpg4win.org/download.html

Install and Setup Help for Windows
http://gpg4win.org/doc/en/gpg4win-compendium_11.html

Instructions on Verifying Your Download
http://gnupg.org/download/integrity_check.html

Download GPG for Mac
http://www.gpgtools.org/gpgsuite.html

Install and Setup Help for Mac
http://support.gpgtools.org/kb/how-to/first-steps-where-do-i-start-where-do-i-begin
Note: You may need to change your security settings to allow you to install GPG.  You can find instructions how to do so here.
GPG Command Line


GPG on the command line takes a huge number of possible switches and arguments.  You only need to concern yourself with a handful of these:

-e or -d encrypts or decrypts, respectively
--gen-key creates a new key pair.  You only need to use this the first time.
-u if you have more than one key pair this allows you to specify which to use when decrypting a message.
-r who the recipient of the message is if you are sending
--send-keys sends your public key to a keyserver so others can look you up and send you encrypted messages.  Think of it like a phone book for PGP users. 
--search-keys search by email address or name to see if your friend has a key on the keyserver
--recv-keys requests the public key for a particular user.
--keyserver lets you specify which keyserver to use for sending/recieving/searching
--sign-key validates that you are *sure* this key belongs to a particular user and is not a phony.  Prevents error messages about unsigned keys, but is not otherwise required.
-a output ascii text for use in mail readers, web browsers, etc.  You will almost always want to use this option as you can't copy/paste without it.
--export use this to send someone your public key directly without using a keyserver.  You'll also want to add the -a to put it in ascii text the recipient can read, ie gpg -a --export
--import use this if your friend sends you her public key directly without using a keyserver
--verify use this to verify a signature

This is a pretty good walkthrough of the steps to take to set up GPG for a first time user:
http://aplawrence.com/Basics/gpg.html

A more detailed walkthrough is here:
http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html
GPG Tips


Example: gpg -a -e -r myfriend@yahoo.com email.txt

       This command will encrypt a text file containing a message named "email.txt" (which must already exist) with the public key for "myfriend@yahoo.com" (which you must have already been imported) and output the encrypted result in ascii formatted text to the screen.  You don't need to specify the -r as gpg will ask you who the recipient is if you don't and you don't even need to put in email.txt.  If you don't specify a file to be encrypted gpg will sit and wait while you type a message, then to end you hit the Control key and D at the same time.  Most of the options are like this.  If it needs more information, it will ask, otherwise it will just make the best guess and if it guesses wrong you can try again and be more specific in the command by using switches like -r and -u. The command   
gpg -a -e -r myfriend@yahoo.com email.txt > email.asc   
will do the same thing only it will output the encrypted ascii text to a file called email.asc.

       Keys are generally specified by an 8 character alphanumeric (hex) identifier, such as D59B88A1  In many cases GPG will correctly guess which key you mean to operate on based on the options you select.  For example, if you just type gpg --export and you only have one keypair, it will automatically select the public key for that key pair.  If you have more than one key pair, you can specify the key you want to --send-key or --recv-key or --export by using the hex identifier thusly:
gpg --recv-key D59B88A1 --keyserver hkp://keys.gnupg.net/

       If you don't like to manage keys on the command line, you can search for, send and receive keys in your web browser by going to https://pgp.mit.edu/.  However if you are using the command line you must use the hkp:// as shown above.  When specifying the user to send/encrypt or receive/decrypt you can use either email address or hex identifier, i.e.
gpg -d -u myemail@yahoo.com encrypted.txt    OR     gpg -d -u D59B88A1 encrypted.txt
Enigmail



       Enigmail is a plugin for Thunderbird, a free open source mail reader for Linux, Mac, or Windows.  Enigmail is only a front end for GPG.  It manages the keys and selects the right one to encrypt or decrypt based on email address and some internal logic, but it does not always do this correctly, so it is a good idea to know how to use the command line interface of GPG.  If Enigmail doesn't work you can always use GPG to encrypt/decrypt and copy/paste into or out of your email program using ascii text.  Even though Enigmail is not 100% perfect it does save you some headache if you are not comfortable with a command line interface, as it mostly does a good job of keeping track of your keys and using the right one automatically when you click the "Encrypt" button.

Instructions on installing Enigmail
https://www.enigmail.net/documentation/Installation_of_Enigmail
Mailvelope



       Users of webmail actually do have an option to use GPG more or less seamlessly using Mailvelope.   It intercepts the create new message screen from several popular webmail providers (Gmail, Hotmail, Yahoo, GMX) and opens a text window instead, automatically encrypting the message when you are ready to send and inserting it back into the browser window.  You can download it here.  Instructions for installing on Chrome are here.  Firefox users will need to download the .xpi file and double click to install.
Paid Providers


       It is better to control your own encryption keys, however you can use private encrypted email service providers who will take care of the encryption and decryption for you if you find doing it yourself to be too complex.  Some of these are Protonmail, Lavabit, Countermail and Hushmail.  However be aware that when you pay a 3rd party for encryption services you have to trust them not to hand over your keys to Big Brother should he come calling.  Of these services, Protonmail is the best because they offer a free version of the mail service and are located in Switzerland which has strong privacy protection laws.

A good comparison of email providers is at:
https://thatoneprivacysite.net/email-section/



Disposable Email Accounts


       It seems that most every site on the net these days requires you to create an account and log in to download, post, or use the site.  You may not want to give out your real email to everyone who asks.  You can get spam or worse, and it's counter to our goal of remaining anonymous.  An easy solution is to use a disposable email provider, such as Mailinator or GuerrillaMail.  These services will receive any email sent to any address at any of their many domains like "thisisnotmyrealemail.com".  You can enter a fake email address on any signup form without having to set it up on the mail provider in advance, such as fake123@mailinator.com.  Then just go to mailinator.com and type in "fake123" into the inbox prompt and you will see the test email the website sent to make sure you gave them a "real" email address.  You can use a different fake address for every site and make it really hard to correlate your activities between sites.  If you need to keep track of the horde of different logins a password vault like KeePass will do the trick. Be aware that the IP address you use to access the disposable email account can still be used to identify you, so its value for anonymity is limited unless combined with either Tor or a VPN.
       Instant Messaging (IM) provides one of the easiest ways to have a private conversation on the internet, because many popular IM software clients have already implemented support for encryption.  This gives you plenty of options based on convenience and features.  Most IM clients are "multi-protocol" which means that you can communicate with friends even if they don't use the same software.  However, all commercially produced software is subject to laws which require a "backdoor" to be built into the encryption to allow Big Brother to eavesdrop.  For this reason, free open source software which is not subject to these laws is preferred, and for IM use, the ability to utilize the OTR protocol is critical.  You can find out if your favorite IM client supports OTR here: https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Client_support
OTR



       Off The Record (OTR) is an open source encryption protocol designed to be used with instant messaging.  It is much more secure than any of the vendor specific, closed source encryption products and has become the standard for encryption in IM.  Besides simply encrypting your messages, it has two other features worth mentioning.  First is that, unlike email encryption using PGP, there is no way to prove who said what after the fact, which is why it is called "off the record".  The mechanism for this is technically complex, but what it means is that anything you say in an OTR protected IM session cannot legally be used against you later.  The other noteworthy feature is that it uses Perfect Forward Secrecy, which means that even if Big Brother gets hold of your encryption key, he can't decrypt past messages, only future ones. 

Learn More

Anonymous Messaging


         Many IM clients support proxying connections over Tor.  You can find a complete list here: https://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients#Features  Just look under the proxy heading for "socks".  Both you and whoever you want to communicate anonymously with will need to use Tor to set up anonymous accounts for this to be effective.  Setting up an account using Tor may be difficult as the large providers create obstacles to setting up an account under Tor.  Often they will require phone verification, which defeats the purpose of anonymity.  ICQ allows account creation using Tor, at least for now.  However, be warned that software not intended for use with Tor sometimes "leaks" identifying information.
       If you use a search engine to search for "secure file sharing" you will see dozens of companies offering that as a service.  Some of the big ones are Dropbox, SkyDrive, and Google Drive.  These days everyone promises to use encryption to protect your files, but they don't provide details as to how exactly this works much less give you the ability to verify.  This requires a great deal of trust in the company to not only not hand over your data to Big Brother, but also to adequately protect it from hackers.  However, if you do all the encryption and decryption on your own computer, that alleviates much of the risk as all the data you are handing over to these companies is already securely encrypted before they see it.
Paid Services



       Some providers offer client-side encryption, which means that the encryption process is run on your local machine and in some cases the key is stored on your machine as well.  This is much more secure than putting all your trust in the storage provider, but since you are using their proprietary closed-source software you still have to place some trust in the provider.   Client side encryption is used by the more secure cloud storage/file sharing providers, such as Least Authority and  SpiderOak. If you are not comfortable following the instructions for using Veracrypt containers, these companies can provide a higher level of security than you will find elsewhere.





Anonymous File Sharing


       Anonymous file sharing poses the same problems as any other anonymous communications as far as the IP address used to connect to the file sharing service potentially giving away your real identity.  However, not only does the connection to/from the file hosting service have to be anonymous, but you also need to transmit and receive the passwords and/or encryption keys anonymously.  Tor is what most people think of when they think of anonymity, but Tor is more suited to web browsing than file sharing.  Freenet and I2P are set up with file sharing in mind and use many of the same anonymity concepts as Tor such as onion routing and layered encryption.  The difference is that with Freenet and I2P everyone is a router.  Files are split into tiny chunks and spread across the entire network with every node hosting a randomly selected portion of the total file, making it impossible to censor anything without taking down the entire network. 

Restroshare can also be used over Tor for anonymous file sharing. Documentation is here:
https://github.com/RetroShare/retroshare-tor-documentation

https://retroshare.readthedocs.io/en/latest/tutorial/tor-hidden-rs-node/
Jackpair



       Jackpair is an ingenious little hardware device that encrypts your voice before it even gets sent to your phone.  You just plug a regular phone into it and it applies encryption automagically.  The recipient must have a Jackpair device also.  You read aloud the key fingerprint for the encryption to verify the connection has not been intercepted and the hardware handles all the encryption transparently so you can just talk normally.  What makes it a bit more clever than other solutions is the dedicated hardware.  An encryption app installed on your phone can be circumvented if the phone has a backdoor installed to steal the encryption key.  Jackpair doesn't require you to trust your handset maker, and when used on a dedicated secure phone with the handset microphone covered or removed, it is just about as foolproof as you can get.  At least in theory.  It works with any device that takes has a standard headphone jack, so it should work equally well over any Skype-like service or even walkie talkies, ham radio, etc.  However it is not yet available for sale.  It has been in development for years and sadly may never make it to market.
Ricochet Messenger


       Ricochet is being designed from the ground up as a fully anonymous IM client that works over Tor and has encryption built in for both privacy and anonymity.  The advantage over just using a regular chat client over Tor is that it is all peer to peer with no centralized server keeping track of users.  It currently only supports chat but the developers have plans to add support for file transfer, group chats, and voice communicartions, all encrypted and anonymized.  The software is all open source.
Privacy Badger

       
       Privacy Badger is a great tool from the EFF which blocks tracking cookies very much like Disconnect.Me.  You won't need both so choose the one you like best.
Script Blockers


       Javascript is what lets a website do fancy things like respond to your mouse movements or play videos.  However they can also do less cute things like infect your computer with malware or fingerprint your browser by reading the display resolution or canvas depth.  As more and more people use ad-blockers web companies are using more of these other tricks to identify and track users.  Also criminals will hack websites and place malicious javascript hidden in the webpage.  It's a lot safer and more private to disable javascript but this break the functionality of many pages, so this is for more advanced users who are willing to put up with some inconvenience.
Script Safe


       
       Script Safe has similar functionality to No Script, but it includes additional blocking options for specific privacy intrusive options like browser fingerprinting through canvas depth.  This means you can unblock javascript but still keep blocking these more privacy invasive functions.  Like No Script you will need to unblock web addresses one at a time to get sites to display and function properly.  Only available for Chrome.
Other Web Browser Privacy Extensions
Anonymous Email


       Even if you don't put your real name on an email account, it can be tied to your real identity by recording the IP address you use to connect to it.  Despite the availability of IP masking, such as VPN and Tor, anonymous email is surprisingly difficult to set up.  In theory you can simply connect to a webmail provider using Tor, create a new account which cannot be traced back to you since you are using Tor, and then only ever send mail from that account while connected through Tor.  However, all the major webmail providers will not allow new accounts to be set up using Tor and even trying to access a previously set up account using Tor will often result in that account getting "locked" by the provider.  The reason being that Tor IP addresses are, for the most part, well known by webmail providers who actively restrict any connection coming from those IP addresses.  There are a handful of smaller webmail providers who do not use these restrictions, but finding them is hit or miss. 

Here is a useful comparison of email providers free and paid:
https://thatoneprivacysite.net/email-section/
Claws Mail


       Claws Mail is probably the best mail client for encryption because it has support for GPG built in and the encryption works seamlessly with little fuss. You do need to enable the PGP plugins and depending on your OS you may need to install them separately.  If you are using Linux look for a package called claws-mail-plugins or something similar.

Instructions on setting up Claws Mail to use encryption.
https://www.ghacks.net/2009/07/11/encrypting-email-in-claws-mail/
 
       If you are like most, you spend far more time on your phone than using a desktop computer or laptop.  Thankfully there are a lot of options to help you maintain your privacy on your phone whether you are making phone calls, sending text messages, or surfing the web.
Hardware Devices
Custom Android ROMs


       Most phone handset manufacturers leave a lot to be desired when it comes to privacy. Apple and Google phones send lots of user tracking data back to Apple and Google respectively.  Your cloud backups are stored with them and they will happily hand those backups over to law enforcement.  They monitor your physical location constantly.  They monitor your app usage. Other handset makers, particularly those in China like Huwei and BLU leave glaring security holes and backdoors in addition to sending private data like browsing history and location history to the handset manufacturer.  Even worse most every app you install wants access to loads of data about you to report it back to the app developer.  Don't like it, don't use the app, because your phone doesn't give you many options to control which apps can access your data. 

       It can be very difficult to have any privacy on a smart phone if you are using the stock firmware from a major provider.  Thankfully,  you don't need to buy a new phone to get privacy protection. You can download a custom ROM and load it onto a phone you already own.  This is not for the faint of heart because you can "brick" the phone, ie render it inoperable and is best attempted by those with some level of technical skill, who have read the instructions and documentation.  But there are several free open source firmware images, known as ROMs, which will allow you much more control over your phone and what information apps are allowed to access, while also protecting your privacy from the hardware manufacturer.


CopperheadOS


LineageOS


Replicant


However, be aware that many apps you will want to use, especially those from Google Play app store, require Google Play to be installed and Google Play monitors and tracks your app usage and sends the data to Google.  It is possible to use something called fake gapps to circumvent this restriction but it is too technically complex to get into here.
Privacy Apps


       There are a lot of messaging apps these days which claim to be secure or use encryption.  Many of them have either not been independently tested or have been tested and found to be flawed.  Only the most secure apps will be presented.  A special note about Whatsapp:  Whatsapp uses the same secure encryption protocol as Signal, making it very secure, and your friends probably already use it, making it convenient.  They claim to be unable to read your messages, and en executive in Facebook Brasil even went to jail for defying a court order demanding decrypted user data.  However, be aware that if you use a cloud backup Whatsapp messages are stored on the backup in unencrypted form, meaning Apple or Google can read them. Also, Facebook owns Whatsapp and they have changed their privacy policy many times.  It may be they decide to weaken their stance at some point in the future, and they can see who you are talking to and how often.  Facebook uses this data to build a profile of you.   Try to get your friends to use one of the more secure solutions below.
Signal


       The Signal app is built around a very well designed encryption protocol designed by Whisper Systems to provide end to end encryption using keys stored on your phone, not on a server somewhere, using forward secrecy to protect old messages in case there is breach at some point in the future.  The whole thing is open source and has been independently audited and proven to be highly secure.  The only catch is you cannot set up your own servers.  You must use the servers provided by Whisper Systems, which requires you to trust them at least a little bit, though even they cannot read your messages because of how the protocol is designed.  They can see who you send messages to, but trusting a small company who has promised never to sell or give out this information is different than trusting a huge company like Facebook which is actively engaged in monetizing every scrap of data they can find and have broken privacy promises in the past. 

       For such a small developer the app is surprisingly polished and easy to use.  It has most of the features you would find in Whatsapp, including encrypted file attachment and encrypted voice messages.  The only thing missing is group chats, though this may change in future versions.  The developers are constantly adding new features.  They also have Signal for the desktop, but it must be paired with a phone in order to operate, unlike some other secure messaging software.
Orbot


       Orbot is Tor for Android.  It has all the same privacy and anonymity as the desktop Tor but with the convenience of an app for your phone.  It is very easy to setup and will automatically detect compatible apps which will gain the anonymity protection of Tor if you choose to run them through Orbot.  Your other apps connect to the internet through Tor and your identity is masked as long as you don't use them to connect without Orbot.  Instructions for setting up Orbot are here

       Tor is not magic.  You have to use it properly to gain the benefits of anonymity.  That means if you were previously using an app without Tor protection you have to remove the app and completely reinstall it with a new user account and only use it with Tor from then on.  Orbot is mainly used with chat apps, most other apps don't work with it.  There is also Orweb, a web browser just for Orbot and surfing the web while using Tor, just like the Tor Browser on your desktop.
Chat Secure


       Chat Secure was originally developed in partnership with The Guardian Project but has since spun off and split into multiple competing projects.  What is now called Chat Secure is the IOS version of the original Chat Secure.  Chat Secure is another great option for secure and private instant messaging, much like Signal, but with an added bonus.  It was designed to work in combination with Orbot to add an extra layer of anonymity that Signal can't provide.  It is open source and completely decentralized so there is no single server collecting messages for everyone. It has been independently audited and found to offer the highest security and privacy.
Anonymity Apps
Conversations


       Conversartions is the Android version of Chat Secure after the project split.  It offers the same features, and same proven security and privacy.  However, since the projects are separate now, over time they may develop different feature sets.  Conversations also works with Orbot to provide anonymity.  Instructions are here.
Jitsi


       Jitsi is a popular, well supported application that allows both voice and text and is secured by OTR.  SecurityinaBox has some good instuctions on setting it up.

Instructions for Windows

Instructions for Linux

Instructions for Mac
Retroshare

       

       Retroshare is a new approach to file sharing that doesn't rely on any centralized servers.  This is known as peer-to-peer sharing, which has been done before, but not previously with security and privacy as the primary concern.  Retroshare actually offers much more than just file sharing and aims to be an all-in-one social platform that includes IM, forums, channels, and variety of private, semi-public, and public communication methods, all protected by encryption. 


Setting Up an Encrypted Container


       Rather than encrypting individual files, veracrypt uses "containers" that can store many files and directories.  Think of it like putting your valuables into a safe.  The container will be protected with a password, a key file, or both.  A key file is just a regular file that you designate as the "key" to unlock the container.  It's not required, but adds a lot of extra protection.  Don't leave the key file inside the container, or you won't be able to open it again.  Before you can put anything inside, you need to have the safe itself, so our first step is to create the container.  Follow the instructions here

       Make sure to create a container big enough to hold all the data you intend to put in it plus whatever you might add to it in the future.  Every time you change one of the files on your local machine and want to put it on your file sharing site you will have to upload the whole container all over again, so it is probably best to make a few smaller containers with different types of files (music, office files, etc) than one big container with everything.  You can, if you want, make lots of little containers just big enough for one or a few files, but that is a lot of work. 

       The container includes a copy of the encryption key protected by the password you chose when setting up the container.  Since you will be giving the container (and encryption key) to a company to hold for you they will have the opportunity to try to guess the password you used and lots of time to do so, so make sure you pick a really good password.  20 characters at a minimum.  30 is better.  30 + a key file is even better, just make sure to keep multiple copies of the key somewhere safe.  Note that the key file is different than the encryption key, even though the terms are similar.  The encryption key is the actual code to use to translate the data from encrypted to decrypted, where the keyfile is something that protects that code.  Its like putting the key to your safe into another smaller safe.

       Open and close the container a few times to get the hang of things.  Veracrypt calls open and close "Mount" and "Dismount".  Now you are ready fill it up with all your precious data and lock it up.  Once the data is encrypted, if you want to share it, you can send it off to whatever cloud provider you like best and it will remain protected and unreadable by anyone without the password and/or keyfile.  You'll need to get the password and/or keyfile to whoever you intend to share the data with via some private method such as encrypted email or IM.
A Note For Travellers

       It has become increasingly common for travellers to have their laptops and other digital devices searched at international borders.  All the instructions on how to set up encrypted communications only protect your messages in transit.  Once they arrive at their destination, they are decrypted and often saved to the hard drive in decrypted form.  If anyone takes your computer and physically examines it, they will be able to read saved (and possibly deleted) messages.  To prevent this, you will need to set up full disk encryption on your computer hard drive.  You can find out more here.
Veracrypt


       Veracrypt is the successor to Truecrypt.  Truecrypt was a highly respected disk encryption program which even the FBI was unable to crack. The developers mysteriously closed down the project for reasons unknown but suspected to involve government pressure to include a backdoor.  Since the program was all open source a different group, not in the US and not subject to the same government pressure took the Truecrypt source code, fixed some bugs and rebranded it Veracrypt.  It is now even more secure than before and has been independently audited.  It supports full disk encryption on Windows.  Even if someone gains physical control over your computer they will be unable to read your files.   It can be somewhat complicated and non-intuitive to use however.  Here are some good guides to get you started.

Veracrypt on Windows

Veracrypt on Linux

Veracrypt on Mac


Instructions on verifying your download.