Most people assume that if they’re not doing anything wrong, they have nothing to worry about. That thinking made sense twenty years ago. It doesn’t anymore.
Right now, foreign governments, shady data brokers, and surveillance-based apps are quietly building detailed profiles on ordinary Americans: your location history, your health habits, who you call, what you buy, where your kids go to school. Not because you’re a target. Because you’re easy.
Data sovereignty, the idea that you should have control over your own information and that your data should be subject to your country’s laws, not someone else’s, has become one of the defining security issues of our time. And unlike most national security problems, this one has a personal dimension. There are things you can do about it today. Not next year. Today.
Here’s what actually matters, broken down without the jargon.
Start With the Obvious: Delete the High-Risk Apps
This is the one most people skip because they don’t want to give up their apps. But it matters.
TikTok is the most discussed example, and there’s a reason for that. ByteDance, TikTok’s parent company, is subject to Chinese law, which requires it to cooperate with state intelligence operations. Whether or not you believe TikTok is actively spying on you, the legal framework exists for it to happen, and there’s no meaningful way for you to know if it is or isn’t.
Same goes for Temu, Shein, and CapCut. These apps request permissions that go well beyond what they need to function — contact lists, device identifiers, clipboard access. The Temu app specifically has been flagged by security researchers for behaving more like spyware than a shopping platform.
Delete them. If you can’t live without browsing Temu, use a browser instead of the app. You lose convenience, they lose persistent access to your device.
Switch the Defaults You Use Every Day
The services most people use by default (Gmail, Google Search, Chrome) are free because your data is the product. That’s not a conspiracy theory, it’s their business model. The problem isn’t just that Google profits from your data. It’s that your data ends up in systems that can be subpoenaed, breached, or compelled under foreign jurisdiction if it routes through the wrong infrastructure.
Some easy swaps that most people don’t notice after a week:
- Search: Switch to Brave Search or DuckDuckGo. Both work fine for everyday searches. You won’t miss Google for most things.
- Browser: Firefox or Brave. Both block trackers by default that Chrome allows.
- Email: Proton Mail is the most credible alternative — based in Switzerland, end-to-end encrypted, and not built on an advertising model.
- DNS: This one’s a little nerdy but worth doing. Your DNS resolver is like a log of every website you visit. Switch to Quad9 (9.9.9.9) or NextDNS in your router settings (most routers have this under WAN or Internet settings — look for DNS fields) and you’ve closed off a major data collection point most people never think about.
You don’t have to switch everything at once. Pick one and get comfortable with it.
Stop Reusing Passwords
If your password for one account gets leaked (and statistically, at least one of yours already has) attackers try it everywhere. Email. Banking. Social media. This is called credential stuffing, and it’s one of the most common ways accounts get taken over.
The fix is straightforward: use a password manager and give every account a unique password. Bitwarden is free, open source, and has been independently audited. 1Password is excellent if you want to pay for a more polished experience.
Go to haveibeenpwned.com right now and check your email address. If it shows up in breaches (most people do), start changing those passwords first.
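To see which accounts to fix first, here is an added example (not from the original post) that reads a password manager's CSV export and lists the accounts that share a password, without ever printing the passwords themselves. The column names and the sample rows are assumptions made for the illustration.

```python
import csv
import hashlib
import io
import os
from collections import defaultdict

# Constructed sample in the layout of a password-manager CSV export.
# The column names ("name", "login_username", "login_password") are an
# assumption; adjust them to match the file your manager produces.
SAMPLE_EXPORT = """name,login_uri,login_username,login_password
Webmail,https://mail.example.com,alex@example.com,Summer2019!
Bank,https://bank.example.com,alex,Summer2019!
Forum,https://forum.example.org,alex_r,Summer2019!
Streaming,https://video.example.net,alex@example.com,xK9#mP2$vL7q
Shop,https://shop.example.com,alex@example.com,hunter22
Old shop,https://old.example.com,alex@example.com,hunter22
Notes app,https://notes.example.com,alex,
"""


def find_reused_passwords(export_file, name_col="name",
                          user_col="login_username",
                          pass_col="login_password"):
    """Return groups of accounts that share a password, largest group first.

    Passwords are never stored or returned: each is reduced to a digest keyed
    with a random per-run salt, used only to group identical values.
    """
    salt = os.urandom(16)
    groups = defaultdict(list)
    for row in csv.DictReader(export_file):
        password = row.get(pass_col) or ""
        if not password:  # entries without a password (notes, cards)
            continue
        digest = hashlib.blake2b(password.encode("utf-8"), key=salt).digest()
        groups[digest].append((row.get(name_col, ""), row.get(user_col, "")))
    reused = [accounts for accounts in groups.values() if len(accounts) > 1]
    return sorted(reused, key=len, reverse=True)


if __name__ == "__main__":
    for accounts in find_reused_passwords(io.StringIO(SAMPLE_EXPORT)):
        print(f"{len(accounts)} accounts share one password:")
        for name, user in accounts:
            print(f"  - {name} ({user})")
```

An export file holds every password in plain text, so run this locally and delete the file as soon as you are done.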
Make Two-Factor Authentication Actually Strong
Most people who have 2FA enabled are using SMS, a text message with a code. That’s better than nothing, but SMS can be intercepted and SIM swap attacks (where someone tricks your carrier into transferring your number to their device) are more common than you’d think.
Upgrade to an authenticator app like Aegis (Android) or 2FAS or Ente Auth (both open source and available on iOS and Android), or better yet, a hardware key like a YubiKey (Commission Link, Please and Thank you). Hardware keys are nearly impossible to phish because they require physical possession. For high value accounts (email, banking, work accounts) this is worth the $60.
Your Home Network Is Probably Wide Open
Your router is the front door to everything on your network. Most people set it up once, never touch it again, and are still running the factory default username and password years later.
- Change the default admin credentials on your router. Seriously.
- Check your router’s firmware — most routers have an update option buried in the admin panel. If you haven’t updated in years, you’re running known vulnerabilities.
- Look at who made your router. TP-Link, one of the most popular home router brands, is facing a proposed federal ban backed by multiple U.S. agencies including the Departments of Commerce, Homeland Security, Justice, and Defense over national security concerns tied to the Chinese government. The state of Texas has gone further, with the governor banning TP-Link products for state employees and the attorney general filing a lawsuit against the company. This doesn’t mean your TP-Link router is compromised today, but it’s worth knowing when you’re shopping for your next one. Asus, Netgear, or a pfSense-based setup are safer bets.
Encrypt Before You Upload to the Cloud
If you’re storing sensitive files in Google Drive, Dropbox, or OneDrive (tax returns, medical documents, anything you’d be uncomfortable with a stranger reading) understand that those companies can access your files and can be compelled to hand them over.
Two options:
- Switch to Proton Drive or Tresorit, which are end-to-end encrypted by design — the company can’t read your files even if it wanted to.
- Or use Veracrypt to encrypt a container of sensitive files before uploading them anywhere.
For most people, Proton Drive is the simpler path. Worth noting: if you’re already using Proton Mail, Proton offers Drive, VPN, and calendar as a bundled ecosystem under one account, which makes the switch easier.
Use a VPN — But Choose It Carefully
A VPN hides your internet traffic from your ISP and makes it harder to track your browsing across sites. The catch is that a bad VPN just shifts the trust problem: instead of your ISP seeing everything, now your VPN provider does.
Avoid free VPNs. Many of them, particularly ones with vague ownership, are data collection operations themselves.
Mullvad and ProtonVPN are the most credible options. Both have been independently audited and have published transparent no-log policies. Mullvad doesn’t even require an email address to sign up.
Your Data Is Already for Sale — Get It Off the Market
Data brokers (companies like Spokeo, WhitePages, BeenVerified, and Intelius) collect and sell personal information including your address, relatives, phone number, income estimates, and political affiliation. This data ends up in the hands of scammers, foreign intelligence analysts, and anyone else willing to pay a few dollars per record.
You can opt out manually, which is tedious but free. Start with:
- Spokeo.com/optout
- WhitePages.com/suppression-requests
- BeenVerified.com/opt-out
- Intelius.com/opt-out
- MyLife.com (requires a direct email request)
Or pay for a service like DeleteMe ($129/year) or Kanary to automate ongoing removals. These aren’t perfect, but they significantly reduce your surface area.
If you’re in California, Virginia, Colorado, or Texas, you have additional legal rights under state privacy laws to demand deletion.
Freeze Your Credit — This Takes 15 Minutes
A credit freeze prevents anyone from opening new accounts in your name, even if they have your Social Security number. It doesn’t affect your existing credit. It’s free. And it’s one of the most effective things you can do against identity fraud, which is often downstream of the kind of data harvesting we’re talking about.
Freeze at all three bureaus:
- Equifax: equifax.com/personal/credit-report-services
- Experian: experian.com/freeze
- TransUnion: transunion.com/credit-freeze
You can temporarily lift it when you need to apply for credit. Takes a few minutes.
Move Sensitive Conversations to Signal
Text messages are not encrypted end-to-end by default. Neither are most DMs on Instagram, Facebook Messenger, or Discord. Your carrier can read your texts. Law enforcement can subpoena them. So can foreign governments if they gain access to the right infrastructure, which has already happened. In 2024, the Salt Typhoon campaign, carried out by hackers tied to China’s Ministry of State Security, compromised at least nine major U.S. telecom providers including AT&T, Verizon, and T-Mobile. The attackers accessed call metadata, intercepted communications of government officials and political figures, and even breached the lawful wiretap systems that law enforcement relies on. Senator Mark Warner called it the worst telecom hack in our nation’s history.
Signal is different. It’s open source, independently audited, and designed so that even Signal itself can’t read your messages. It works exactly like a regular texting app.
You don’t have to move every conversation to Signal. But sensitive ones — anything involving work, finances, health, family logistics — belong there.
Lock Down App Permissions on Your Phone
Before you install anything new, take ten minutes to audit what’s already on your phone. Both iOS and Android let you review which apps have access to your location, camera, microphone, contacts, and files — and most people have never looked.
On iPhone, go to Settings > Privacy & Security and walk through each category. On Android, go to Settings > Privacy > Permission Manager. Revoke anything that doesn’t make sense. A weather app doesn’t need your contacts. A calculator doesn’t need your microphone.
While you’re there, disable ad tracking. On iPhone, go to Settings > Privacy & Security > Tracking and turn off “Allow Apps to Request to Track.” On Android, go to Settings > Privacy > Ads and delete your advertising ID. These are small changes that cut off a significant amount of data collection happening in the background.
The Realistic Starting Point
If you’re staring at this list feeling overwhelmed, here’s the short version. Do these five things this week:
- Delete TikTok, Temu, CapCut, and any other apps from foreign-owned companies you don’t genuinely need
- Download Signal and start using it for conversations that matter
- Set up Bitwarden and change the passwords on your email and banking accounts
- Freeze your credit at all three bureaus
- Check haveibeenpwned.com for your email and act on what you find
None of this requires being a security expert. None of it costs more than a few hours. The goal isn’t to disappear from the internet — it’s to stop being the easiest possible target.
Your data has value. Other people are already treating it that way. It’s time you did too.
Speaking of privacy: we built our phishing scanner with privacy in mind. The websites you submit are not thrown into a site like VirusTotal, where they get to do whatever they want with the data. We prefer to handle your data as if it were our own. That information is not sold to anyone. That is why we ask you to leave a tip.
Have questions about any of these tools or steps? Reach out through the contact page. We cover data privacy, vulnerability research, and IT security at itknowledgebases.com.
