Simple steps to protect your privacy and control what the internet knows about you.
This isn’t about going “off the grid.” It’s about making it harder for companies, hackers, and even governments to track what you do online.
Each section gives you the best tools in its category, why they’re trusted, what country they’re based in (jurisdiction), and quick steps to get started.
1. Burner Phones — A Separate Number You Control
A burner phone is a basic phone you use only for certain calls or apps — not tied to your personal number or accounts. The goal is to keep parts of your life separate from the rest.
What to look for:
- Removable battery (so you can fully power it off).
- Removable SIM card (your number).
- Cheap and easy to replace if lost or stolen.
Zero Lux Picks:
Nokia 6300 4G — Made in Finland (EU)
- Removable battery, 4G LTE, runs simple versions of apps like Signal.
Alcatel GO FLIP 4 — TCL, China-owned
- Clamshell flip phone with removable battery, VoLTE-capable.
Sonim XP3plus — U.S.-based
- Rugged and weather-resistant, long battery life.
Jurisdiction note: Where the phone is made matters less than how you buy and use it. Pay with cash, use a prepaid SIM, and never link it to your personal accounts.
Quick setup:
- Buy the phone in-store with cash.
- Get a prepaid SIM (Tello, Mint, Lycamobile) without giving personal info.
- Use it only for the apps or contacts you want to keep separate.
2. Browsers — Separate Tools for Separate Tasks
Your browser is how most tracking happens. Cookies, hidden scripts, and “fingerprinting” connect your activity across sites. The fix: use different browsers for different purposes so they can’t all be linked.
Zero Lux Picks:
Firefox (Hardened) — U.S.
- Open-source, customizable for privacy.
- Use “Multi-Account Containers” to keep work, personal, and shopping separate.
Brave — U.S.
- Blocks trackers by default, works with Chrome extensions.
Tor Browser — U.S.-based project, global network
- Routes traffic through multiple relays to hide your location.
Mullvad Browser — Sweden + U.S. (Tor Project)
- Tor-level privacy setup without Tor’s slower speeds — best with a VPN.
Quick setup:
- Use Firefox for everyday browsing.
- Use Brave for sites that require Chrome compatibility.
- Use Tor only for sensitive or anonymous searches.
Jurisdiction note: The U.S. allows subpoenas, but open-source browsers can be checked for hidden tracking. Sweden has no data retention laws for browsers.
3. VPNs — Hide Your Location
A VPN (Virtual Private Network) sends your internet traffic through a private server before it reaches the site or app you’re using. This hides your real location from trackers.
Zero Lux Picks:
Mullvad VPN — Sweden
- No email or name required, random account number.
- Accepts cash by mail.
- Proven no-logs policy.
ProtonVPN — Switzerland
- Strong Swiss privacy laws.
- Open-source apps with audits.
- Option to route through Tor.
IVPN — Gibraltar
- No logs, random account ID.
- Multi-hop routing with good speed.
Quick setup:
- Pick a VPN and sign up (Mullvad allows totally anonymous sign-up).
- Install the app on your devices.
- Always connect before doing anything sensitive.
Jurisdiction note: Switzerland is outside U.S./EU surveillance agreements. Sweden and Gibraltar have no laws forcing VPNs to log user activity.
4. Secure Messaging — Keep Conversations Private
Even if your messages are encrypted, metadata (who you talk to, when, and where) can still be collected. Choose apps that limit both content and metadata access.
Zero Lux Picks:
Signal — U.S.
- End-to-end encrypted, open-source.
- Stores only account creation date and last connection time.
Session — Australia
- No phone number needed.
- Routes messages through a network to hide location.
Wire — Switzerland
- End-to-end encrypted, strong privacy laws.
- Great for secure group chats and file sharing.
Why Not WhatsApp or Telegram?
WhatsApp (U.S., Meta-owned) — Encryption is strong, but it collects metadata and stores unencrypted backups by default.
Telegram (UAE/global) — Not encrypted by default, and most chats are stored on their servers.
Quick setup:
- Install at least two secure messengers (Signal + Session).
- Use a separate number (from your burner phone) for sign-up.
- Enable disappearing messages where possible.
5. Passwords & Account Security
A single leaked password can undo every other privacy measure.
Zero Lux Picks:
- Password manager: Bitwarden (U.S., open-source), 1Password (Canada), KeePassXC (open-source, global community).
- Two-factor authentication: Use an authenticator app (Aegis, Authy) or a hardware key (YubiKey) — never rely on SMS codes.
Quick setup:
- Install a password manager.
- Give every account a unique password.
- Add two-factor authentication wherever possible.
6. Data Storage & File Handling
If someone gets your device or cloud account, they shouldn’t be able to read your files.
Zero Lux Picks:
- Encryption: VeraCrypt (open-source), FileVault (Mac), BitLocker (Windows).
- Secure cloud: Proton Drive (Switzerland), Tresorit (Switzerland).
Quick setup:
- Encrypt your laptop’s hard drive in system settings.
- Use encrypted cloud storage for sensitive files.
- Securely wipe old devices before selling or recycling.
7. Your Personal Privacy Plan
You don’t need every tool in this guide — focus on what fits your needs.
- If you just want less tracking, start with a private browser and a VPN.
- If you want separate online identities, add a burner phone and secure messengers.
- If you handle sensitive info, use the full setup: burner, private browsers, VPN, encrypted messaging, and secure storage.
Zero Lux Digital Privacy Scorecard
Module / Step | Points | Threats Mitigated
---|---|---
Burner Phone | 15 | Phone number tracking, SIM-linked identity, contact linking
Browser Compartmentalization | 15 | Cookie tracking, browser fingerprinting, cross-site profiling
VPN Use | 15 | IP-based location tracking, ISP logging, geofencing
Secure Messaging | 15 | Message interception, metadata leaks, contact correlation
Password Manager + 2FA | 15 | Account hacking, credential stuffing, phishing success
Encrypted Storage | 15 | Device seizure, lost/stolen device data access, cloud breaches
Personal Privacy Plan | 10 | Overlap exposure, operational slip-ups
Total Possible: 100 points
Threat Levels:
- 0–40: Low protection
- 41–70: Moderate protection
- 71–90: High protection
- 91–100: Very high protection
Important Note on Limits of Privacy Tools
Scoring 100 points means you’ve built a strong defense against:
- Advertisers and data brokers
- Criminal hackers
- Stalkers or harassment
- Routine corporate or government data collection
What Nation-State Surveillance Looks Like
These are examples of real tools and capabilities used by governments and intelligence agencies. They’re rarely deployed against the general public, but show why no system is truly “unhackable.”
Commercial Spyware Platforms
- Pegasus (NSO Group) – Zero-click phone infections; full access to messages, calls, mic, camera, and files.
- Predator (Cytrox) – Similar to Pegasus; often delivered through malicious links or network injection.
- Reign (QuaDream) – Stealth mobile surveillance with long-term persistence.
Custom Government Malware / Implants
- QUANTUM Insert / FoxAcid (NSA) – Injects malicious code into web traffic to deliver exploits.
- Weeping Angel (CIA) – Turns certain smart TVs into covert microphones.
- Vault 7 toolkit (CIA) – Exploits for phones, routers, and IoT devices.
Network-Level Collection Systems
- XKEYSCORE (NSA) – Searches and analyzes global internet traffic.
- TURBULENCE / TURMOIL / TURBINE – Captures and injects packets at scale.
- Lawful Intercept Systems – Built into telecoms for real-time capture of calls and messages.
Device & Firmware Exploitation
- Baseband exploits – Target phone modems to bypass OS security.
- UEFI/BIOS implants – Survive full OS reinstalls.
- Hardware implants – Tiny physical devices that intercept or alter data.
Geolocation & Bulk Data Tools
- CO-TRAVELER (NSA) – Tracks phone locations globally via cell towers.
- Stingrays / IMSI Catchers – Fake cell towers that capture calls, texts, and metadata.
- International Data-Sharing Alliances – Agreements (Five Eyes, Nine Eyes, Fourteen Eyes) to exchange raw communications data.
What this guide does:
- Closes the “easy” and “medium” risk gaps most people leave open.
- Makes you much harder and more expensive to target.
- Reduces the amount of data even an advanced adversary could gather.
What this guide cannot do:
- Prevent compromise from zero-day exploits deployed by state-level actors.
- Stop lawful intercept orders at the carrier or internet backbone level.
- Detect or remove sophisticated spyware without professional forensic tools.
Bottom line: The goal is risk reduction, not risk elimination. These measures remove you from the pool of “easy targets” and force an adversary to dedicate significant resources — something usually reserved for a very small number of people.