Privacy From Scratch: A Practical Framework for Normal People
From the Rubble | Natural Series Extensions | Part 3
TLDR: Privacy isn’t a binary state - it’s a spectrum, and most people are at zero without knowing it. This article covers the practical baseline: browser hardening, DNS privacy, threat modeling so you know what you’re actually protecting against, the difference between privacy and anonymity, and the ten changes you can make today that cover 80% of your exposure. You don’t need to be technical. You need to understand what’s happening and make deliberate choices.
Privacy Is Not Paranoia
Let’s get the framing right before anything else.
Privacy is not about having something to hide. Privacy is about having something to protect.
Your medical history. Your financial situation. Your family’s location. Your political views. Your religious beliefs. Your relationships. Your communications with your doctor, your lawyer, your therapist. The contents of your home.
These things belong to you. The fact that technology makes them trivially collectible doesn’t mean you’re obligated to share them. The fact that most people haven’t thought carefully about what they’re giving away doesn’t make giving it away wise.
The argument “I have nothing to hide” concedes the premise that privacy is for people with secrets. It isn’t. Privacy is for everyone who has ever wanted a conversation that wasn’t broadcast, a thought that wasn’t indexed, a decision that wasn’t logged.
That’s everyone.
Threat Modeling - Know What You’re Actually Protecting Against
Before you change anything, spend five minutes on threat modeling. It sounds technical. It isn’t.
Threat modeling is just answering four questions:
What are you protecting? Your browsing history. Your communications. Your location. Your financial data. Your identity. Your family’s privacy. Your professional communications. Pick the things that actually matter to you.
Who are you protecting it from? This is where most people stop thinking clearly. The answer is not “the NSA” for most people. The realistic threats are:
- Data brokers building and selling profiles on you
- Advertisers tracking you across the web
- Your ISP selling your browsing history
- Companies collecting and monetizing your health data
- Hackers targeting weak passwords and unencrypted data
- Employers or potential employers accessing your online activity
- Law enforcement in scenarios you might not anticipate
For most people, the biggest threat is commercial surveillance - the vast ecosystem of companies whose business model is knowing everything about you. State-level surveillance is real but affects a smaller subset of people in ways that require more advanced countermeasures.
What’s the realistic impact if your protection fails? Targeted manipulation. Financial fraud. Identity theft. Insurance discrimination. Professional consequences. Doxxing. Stalking. The impact varies dramatically by what you’re protecting and who you’re protecting it from.
What level of friction are you willing to accept? Perfect privacy requires significant lifestyle changes. Meaningful privacy improvement requires much less. Know where your line is before you start, or you’ll build a system you don’t actually use.
The rest of this article is calibrated for the realistic threat model: commercial surveillance and data broker ecosystems, with secondary attention to preventing common attacks. State-level adversaries require more.
Your Browser Is the Biggest Leak
More of your digital life flows through your browser than any other single piece of software. It’s where you log into accounts, conduct searches, read content, shop, bank, and communicate. It’s also where the most comprehensive surveillance infrastructure in consumer technology lives.
The browser tracking stack:
Cookies: Small files stored by websites to track your session and activity. Third-party cookies - placed by advertisers rather than the site you’re visiting - are the primary mechanism for cross-site behavioral tracking. You visit a news site, an ad cookie is placed. You visit a retail site, the same ad network sees you. Over time they build a profile of everywhere you’ve been.
Browser fingerprinting: Even without cookies, your browser is uniquely identifiable through the combination of your OS, browser version, screen resolution, installed fonts, timezone, language settings, and dozens of other signals. This fingerprint is stable across sessions and can track you even in incognito mode. The EFF’s Cover Your Tracks tool (coveryourtracks.eff.org) shows you exactly how trackable your current browser is.
Login-based tracking: When you’re logged into Google, Facebook, or any major platform, they track your activity across every site that includes their tracking pixels, social buttons, or ad infrastructure - which is most of the web. Being logged out of these accounts while browsing matters.
The sovereign browser stack:
Firefox is the recommendation for daily use. Open source, actively developed, strong privacy defaults that can be further hardened, and not owned by an advertising company (unlike Chrome). Chromium-based browsers - Brave, Edge, Chrome - have their own considerations but Firefox is the cleaner choice for sovereignty-aligned use.
Firefox hardening settings (go to about:config):
privacy.trackingprotection.enabled = true
privacy.trackingprotection.socialtracking.enabled = true
geo.enabled = false
media.navigator.enabled = false
network.cookie.cookieBehavior = 1
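To confirm the settings actually stuck, the following added example (not from the article) reads the text of a Firefox profile's prefs.js or user.js and compares it against the five values above. The function names are illustrative and the sample file contents are constructed.

```python
import re

# Values recommended in the about:config list above.
RECOMMENDED = {
    "privacy.trackingprotection.enabled": True,
    "privacy.trackingprotection.socialtracking.enabled": True,
    "geo.enabled": False,
    "media.navigator.enabled": False,
    "network.cookie.cookieBehavior": 1,
}

# Firefox stores prefs as lines like: user_pref("geo.enabled", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    # Integers become int; anything else stays text and reports as "differs".
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw

def parse_prefs(text):
    matches = (PREF_LINE.match(line) for line in text.splitlines())
    return {m.group(1): parse_value(m.group(2)) for m in matches if m}

def audit(text):
    """Return {pref: 'ok' | 'differs' | 'not set'} for each recommended pref."""
    prefs = parse_prefs(text)
    report = {}
    for name, wanted in RECOMMENDED.items():
        if name not in prefs:
            report[name] = "not set"  # Firefox's built-in default applies
        else:
            # Compare type too: in Python, True == 1.
            same = type(prefs[name]) is type(wanted) and prefs[name] == wanted
            report[name] = "ok" if same else "differs"
    return report

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("geo.enabled", false);
user_pref("network.cookie.cookieBehavior", 5);
user_pref("privacy.trackingprotection.enabled", true);
'''

if __name__ == "__main__":
    print("\n".join(f"{s:8} {n}" for n, s in audit(SAMPLE_PREFS).items()))
```

A "not set" result means the pref was never changed from Firefox's default, so it still needs to be set by hand in about:config.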
Essential extensions:
- uBlock Origin - the gold standard ad and tracker blocker. Blocks ads, tracking scripts, malware domains. Free, open source, maintained by a volunteer. Install this before anything else.
- Firefox Multi-Account Containers - isolates your browsing into separate containers. Your Google container can’t see your banking container. Facebook is permanently isolated. Compartmentalization without logging out.
- LocalCDN - serves common web resources locally instead of loading them from Google, Cloudflare, or other CDN providers that can track requests.
For high-sensitivity browsing: Use the Tor Browser for anything you don’t want tied to your IP or browser identity. Not for daily use - for specific sessions that warrant it.
Search Engines - Stop Feeding the Machine
Google Search builds a profile of you from your queries. Every search is logged, timestamped, tied to your account or your IP, and used to refine the behavioral model that drives Google’s advertising business. Your search history is a remarkably intimate record of your concerns, questions, interests, and intentions.
Alternatives:
- Mullvad Leta - Mullvad’s search engine, only accessible through Mullvad VPN, no logging
- Kagi - paid search engine ($10/month), no ads, no tracking, genuinely excellent results
- SearXNG - self-hostable meta search engine that queries multiple engines without exposing you to any of them individually
- Brave Search - independent search index, no Google dependency, reasonable privacy posture
The honest assessment: none of them are as good as Google for raw search quality on obscure queries. Kagi is the closest. For the vast majority of searches - the ones that don’t require Google’s depth - the alternatives work well and the privacy improvement is immediate.
Start by changing your default search engine in Firefox to one of the above. The habit change is minimal. The data you stop feeding Google is not.
DNS Privacy - The Layer Everyone Ignores
Every time you type a URL or click a link, your device asks a DNS server to translate the domain name into an IP address. By default, that request goes to your ISP’s DNS servers. Your ISP logs every domain you query, tied to your account, with timestamps.
This means your ISP has a complete log of every website you’ve attempted to visit - independent of whether you actually loaded the site, independent of HTTPS encryption, independent of any other privacy measures you’ve taken. DNS queries are unencrypted by default and visible to anyone between your device and the DNS server.
The fix at the router level (covered in Episode 2, worth repeating here):
Change your router’s DNS to Quad9 (9.9.9.9). This replaces your ISP’s logging DNS with a Swiss nonprofit’s non-logging DNS for every device on your network. Five-minute change. Covers everything.
DNS-over-HTTPS (DoH) - the deeper fix:
DoH encrypts DNS queries so they’re not readable in transit - not by your ISP, not by anyone between you and the DNS resolver. Firefox supports DoH natively:
Settings → Privacy & Security → DNS over HTTPS → Enable
Configure it to use Mullvad’s DoH server or Quad9’s DoH endpoint for the combination of encryption and non-logging.
The combination of Quad9 at the router level (covers all devices) plus DoH in Firefox (encrypts the queries themselves) handles the DNS privacy problem for home use.
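To make the difference concrete, here is an added example (not from the article) that builds the DNS question a device sends and then wraps it the way DoH does under RFC 8484. Function names are illustrative, and the Quad9 endpoint URL is an assumption, since the article names the provider but not the address.

```python
import base64
import struct

# Assumed Quad9 DoH endpoint; the article names the provider, not the URL.
DOH_ENDPOINT = "https://dns.quad9.net/dns-query"

def build_query(hostname, qtype=1, query_id=0):
    """Encode a DNS question in RFC 1035 wire format (qtype 1 = A record)."""
    # Header: ID, flags (0x0100 = recursion desired), 1 question, 0 other records.
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        qname += bytes([len(raw)]) + raw  # length byte, then the label as-is
    # Root label terminator, then QTYPE and QCLASS (1 = IN).
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(hostname, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: the same message, base64url-encoded without padding."""
    message = build_query(hostname)  # ID 0, which RFC 8484 suggests for caching
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def visible_on_wire(hostname):
    """What an on-path observer can read for each transport."""
    return {
        # Port 53: this message is the packet payload, labels readable as-is.
        "plain_dns_payload": build_query(hostname),
        # DoH: the message rides inside TLS; the observer sees a connection
        # to the resolver's host, not the name being looked up.
        "doh_observer_sees": DOH_ENDPOINT.split("/")[2],
    }

if __name__ == "__main__":
    view = visible_on_wire("www.example.com")
    print(view["plain_dns_payload"])       # the hostname is readable in the bytes
    print(doh_get_url("www.example.com"))  # what gets sent inside HTTPS
    print(view["doh_observer_sees"])
```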
Password Hygiene - The Unsexy but Critical Part
Most people’s biggest security vulnerability isn’t their operating system or their browser. It’s their passwords.
The statistics on password reuse are grim. A significant percentage of people use the same password across multiple accounts. When any of those accounts is breached - and breaches happen constantly - the credential gets added to lists that attackers use to try against other services. One breach cascades to everything that shared the password.
Bitwarden - covered in Episode 0 - solves this. One strong master password. Unique, randomly generated passwords for every account. Automatic fill across devices.
The password hygiene baseline:
- Unique password for every account (Bitwarden generates these)
- Master password that’s long (four random words is better than a complex short password) and not used anywhere else
- Two-factor authentication on everything important: email, banking, password manager, any account that could be used to recover other accounts
- Hardware security key (Yubikey) for maximum 2FA security on critical accounts
Check your existing exposure:
Go to haveibeenpwned.com and enter every email address you use. It shows you which breaches your addresses have appeared in. If any of those breaches involved services where you reused a password - change the password everywhere you used it, now.
The Ten Changes That Cover 80% of Your Exposure
For people who want the practical list without reading the full article:
- Install Firefox as your primary browser if you’re on Chrome or Edge
- Install uBlock Origin in Firefox immediately
- Install Firefox Multi-Account Containers and isolate Google and Facebook
- Change your default search engine to Kagi, Brave Search, or SearXNG
- Install Bitwarden and start generating unique passwords for new accounts
- Change your router DNS to Quad9 (9.9.9.9)
- Enable DNS-over-HTTPS in Firefox using Mullvad or Quad9’s DoH
- Enable two-factor authentication on email, banking, and your password manager
- Check haveibeenpwned.com for your addresses and change any reused passwords from breached services
- Install Signal and use it for conversations that matter
None of these require technical expertise. All of them are reversible if you change your mind. Together they meaningfully reduce your exposure to the commercial surveillance ecosystem and the most common attack vectors.
The Difference Between Privacy and Anonymity
These are not the same thing and the confusion between them leads to bad security decisions.
Privacy means controlling who has access to your information. Using Signal is private - your messages are encrypted and Signal can’t read them. But Signal knows your phone number. You’re not anonymous to Signal.
Anonymity means not being identifiable at all. Tor, properly used, provides anonymity - the destination website doesn’t know who you are. But Tor doesn’t provide privacy in the sense that the content of your communications is protected from everyone - only from network observers.
You can have privacy without anonymity (Signal: encrypted but your number is known). You can have anonymity without privacy (public WiFi with Tor: no one knows it’s you, but your traffic isn’t encrypted at the exit). You can have neither (SMS on a carrier network: your carrier knows who you are and can read the content). You can approach both (Tor Browser to a site over HTTPS: anonymity from the network, privacy for the content).
Understand which one you actually need for a given situation before choosing the tool.
Privacy Is a Practice, Not a Product
This is the part most privacy guides skip.
You can install all the right tools and still undermine your privacy through behavior. Logging into Google while using Firefox with uBlock Origin. Using Signal but screenshotting sensitive conversations. Using a VPN but staying logged into Facebook the whole time.
Privacy is a practice - a set of habits that become automatic over time. The tools enable the practice. They don’t replace it.
The practice develops the same way any discipline develops: start with the highest-leverage changes, build the habits, add sophistication as the basics become automatic. You’re not trying to achieve perfect privacy in a weekend. You’re building a different relationship with your data over time.
The sovereignty framing is useful here: you’re not trying to become invisible. You’re trying to be deliberate about what you share, with whom, under what conditions. That’s what it means to own your data rather than letting others own it for you.
Resources
- Firefox: mozilla.org/firefox - sovereign browser
- uBlock Origin: Available in Firefox Add-ons - install immediately
- Cover Your Tracks: coveryourtracks.eff.org - EFF tool to check your browser fingerprint
- Bitwarden: bitwarden.com - open source password manager
- Kagi Search: kagi.com - paid, no-tracking search
- Brave Search: search.brave.com - free, independent index
- Quad9 DNS: quad9.net - privacy-respecting DNS
- Mullvad VPN: mullvad.net - for traffic privacy on untrusted networks
- Have I Been Pwned: haveibeenpwned.com - breach checking
- Tor Project: torproject.org - anonymity tool
From the Rubble is written by Kala - veteran, 30-year conspiracy realist. Digital sovereignty, health sovereignty, and the overlap between them. No corporate funding. No ads. No permission required.