Privacy in the Age of AI: Practical Strategies to Protect Personal Data in 2026

Tools, techniques, and best practices for maintaining digital privacy as AI systems become more capable of processing, inferring, and acting on personal data.

AI has changed what privacy means. It was always true that data could be misused, sold, or stolen. What’s new is the scale and sophistication of inference. A language model trained on your emails can reconstruct your personality, relationships, political views, and health concerns from patterns you wouldn’t consciously notice. A system that processes your purchase history, location data, and browsing habits can infer things you haven’t told anyone.

The response to this is not technophobia. It’s calibrated, practical measures that reduce your exposure without making digital life unusable.

Understand your threat model

Privacy measures are not one-size-fits-all. The relevant questions:

  • Who are you protecting against? Advertisers and data brokers? Your employer? A stalker? A government?
  • What data matters most? Financial information? Location? Health data? Professional communications?
  • What are you willing to trade off? Convenience, cost, time?

Most people’s threat model is: data brokers selling their information, targeted advertising, and the general risk of data breach exposure. The measures below address that model. People with higher-risk situations (journalists, activists, abuse survivors) need more than this — consult resources like the EFF’s Surveillance Self-Defense guide.

Communications

End-to-end encrypted messaging: Signal. Signal is the gold standard for private messaging. Messages are encrypted on your device; Signal cannot read them, so it has no message content to produce if compelled. The protocol is open source and audited. Use it for anything sensitive.

Email encryption is complicated. Standard email (Gmail, Outlook) is processed by the provider and routinely used for ad targeting, spam detection, and, depending on jurisdiction, law enforcement access. For truly private email, options include:

  • ProtonMail / Tuta — end-to-end encrypted email, zero-knowledge at rest. The trade-off is limited integration with external email clients.
  • SimpleLogin — email aliasing service that creates disposable addresses. Forward to your real inbox; block and delete aliases that get spammed.

For most people: use Gmail for low-stakes communication, use email aliases for signups (so you can trace and cut off spam sources), and use Signal for anything you wouldn’t want a third party to read.

Video calls. Standard Zoom and Teams calls are not end-to-end encrypted by default. For sensitive calls, Signal’s video calling or Jitsi Meet (self-hosted) provide encrypted alternatives.

Data minimisation

The most effective privacy protection is data that doesn’t exist.

Use email aliases for every signup. Services like SimpleLogin, Apple’s Hide My Email, and DuckDuckGo Email Protection let you create disposable addresses for each service. When a company sells your data or gets breached, the exposure is contained to that alias, which you can delete.
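Tracing a leak back to its source, as described above and in the Communications section, can be done mechanically once each alias is tied to one service. The following is an added example, not part of the original article; the alias addresses, domains and messages are constructed, and it assumes the forwarding service keeps the original From header and the alias in To.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed alias register: alias -> sender domains the service legitimately uses.
ALIASES = {
    "shop.k3f9@alias.example": {"shop.example"},
    "news.p7q2@alias.example": {"news.example"},
}

# Constructed messages, as they would arrive forwarded to the real inbox.
INBOX = [
    "From: Orders <orders@mail.shop.example>\nTo: shop.k3f9@alias.example\n"
    "Subject: Receipt\n\nThanks for your order.",
    "From: Deals <promo@bulk-offers.example>\nTo: shop.k3f9@alias.example\n"
    "Subject: You won\n\nClaim now.",
    "From: Editor <digest@news.example>\nTo: news.p7q2@alias.example\n"
    "Subject: Weekly digest\n\nHello.",
]

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def leaked_aliases(raw_messages, aliases):
    """Return {alias: [unexpected sender domains]} for mail sent to known aliases.

    From is spoofable, so a hit is a lead to investigate, not proof of a sale or breach.
    """
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        alias = parseaddr(msg.get("To", ""))[1].lower()
        allowed = aliases.get(alias)
        if allowed is None:
            continue  # not addressed to one of our aliases
        sender = domain_of(msg.get("From"))
        # Accept the registered domain and its subdomains (e.g. mail.shop.example).
        if not any(sender == d or sender.endswith("." + d) for d in allowed):
            leaks.setdefault(alias, set()).add(sender)
    return {alias: sorted(domains) for alias, domains in leaks.items()}

if __name__ == "__main__":
    for alias, senders in leaked_aliases(INBOX, ALIASES).items():
        print(f"{alias} is receiving mail from {senders}: disable or rotate it")
```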

Use a password manager. Using unique, strong passwords for every service limits breach exposure: a leaked password from one service cannot be used to access another. 1Password and Bitwarden are both excellent.

Opt out of data broker profiles. Data brokers (Spokeo, BeenVerified, Whitepages, and dozens more) aggregate and sell personal information. In many jurisdictions you have the right to opt out. Services like DeleteMe or Incogni automate removal requests across the major brokers; they’re not free but save significant time.

Review app permissions. On iOS and Android, periodically review which apps have location, microphone, camera, and contact access. Most apps request more than they need. Revoke permissions that aren’t necessary for the app’s core function.

Browsing

DNS over HTTPS. Your DNS queries (the lookups that translate domain names to IP addresses) are visible to your ISP by default. Configuring DNS over HTTPS (using Cloudflare’s 1.1.1.1 or Quad9’s 9.9.9.9) encrypts these queries in transit to the resolver, so the ISP no longer sees them; the resolver operator still does. Most modern browsers and operating systems support this natively.

A privacy-respecting browser. Firefox with uBlock Origin (content and ad blocking) is the most practical choice for privacy on desktop. Brave is a reasonable alternative. Safari has strong tracking protection built in. Chrome’s Privacy Sandbox changes have not eliminated the fundamental tension between a Google browser and user privacy.

Search engine. DuckDuckGo, Brave Search, and Kagi are the main privacy-respecting search alternatives. Kagi (paid) has the best search quality of the three. For general searching, DuckDuckGo is good enough and free.

Browser fingerprinting. Your browser exposes a unique “fingerprint” based on its configuration, installed fonts, screen resolution, and dozens of other attributes. This can track you even without cookies. Privacy Badger (EFF), Brave’s built-in fingerprint protection, and Firefox’s fingerprint resistance mode mitigate this.
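Why a handful of ordinary attributes is enough to single out one browser, and why resistance modes work by making browsers report the same values, shown as an added example that is not part of the original article. The eight-browser population and its attribute values are constructed.

```python
import math

FIELDS = ("timezone", "screen", "fonts", "language")

# Constructed population of eight browsers; "fonts" stands in for a font-list hash.
POPULATION = [dict(zip(FIELDS, row)) for row in [
    ("Europe/London",    "1920x1080", "A", "en-GB"),
    ("Europe/London",    "1920x1080", "B", "en-GB"),
    ("Europe/London",    "2560x1440", "A", "en-GB"),
    ("Europe/London",    "1920x1080", "A", "en-US"),
    ("America/New_York", "1920x1080", "A", "en-US"),
    ("America/New_York", "1920x1080", "B", "en-US"),
    ("America/New_York", "2560x1440", "B", "en-US"),
    ("Europe/Berlin",    "1920x1080", "A", "de-DE"),
]]
TARGET = POPULATION[0]

def anonymity_set(population, attrs, target):
    """Number of browsers indistinguishable from target on the given attributes."""
    return sum(all(b[a] == target[a] for a in attrs) for b in population)

def surprisal_bits(population, attrs, target):
    """Identifying information, in bits, revealed by the attribute combination."""
    return math.log2(len(population) / anonymity_set(population, attrs, target))

def with_uniform(population, attrs):
    """Model fingerprint resistance: every browser reports one value for attrs."""
    return [{**b, **{a: "uniform" for a in attrs}} for b in population]

if __name__ == "__main__":
    # No single attribute isolates the target...
    for field in FIELDS:
        print(field, anonymity_set(POPULATION, [field], TARGET))
    # ...but together they leave an anonymity set of one.
    print("all", anonymity_set(POPULATION, FIELDS, TARGET),
          surprisal_bits(POPULATION, FIELDS, TARGET), "bits")
    # Normalising screen size and fonts puts the target back in a crowd.
    hardened = with_uniform(POPULATION, ["screen", "fonts"])
    print("hardened", anonymity_set(hardened, FIELDS, hardened[0]))
```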

AI tools and your data

The use of AI tools raises specific privacy concerns:

What you put into an LLM goes somewhere. When you paste a document into ChatGPT, Claude, or Gemini, you’re sending that text to a third party. Most providers use this data to improve their models unless you opt out or use an API key with a data opt-out. Read the privacy policies. For sensitive work (legal documents, financial data, personal information), use a self-hosted model (Ollama + Llama or Mistral runs on a modern laptop) or ensure you’re on an enterprise tier with clear data handling terms.

Voice assistants. Always-on wake word detection involves continuous audio processing. Whether that processing happens on-device or in the cloud varies by product and setting. If you have concerns, disable voice assistants when not in use, or use a model that processes on-device (recent Pixel and Apple devices do this for basic queries).

AI-powered apps. Many consumer apps (photo editors, note-taking tools, email clients) have added AI features that upload your content to the cloud for processing. Review what data is being sent and whether it’s necessary for the feature you’re using.

Device security

Full-disk encryption. Enable it. It’s on by default on modern iOS and Android devices. On macOS it’s FileVault; on Windows it’s BitLocker. Encrypted storage means a stolen device’s data is inaccessible without your password.

Strong passcodes. Six-digit PINs are crackable; alphanumeric passcodes are significantly stronger. On mobile, a PIN is the only thing standing between your data and someone who has your physical device.

2FA everywhere. Use an authenticator app (Authy, 1Password’s TOTP, or the Apple/Google built-ins) rather than SMS 2FA. SMS is vulnerable to SIM-swapping attacks. Hardware keys (YubiKey) are the strongest option for critical accounts.

Keep software updated. The overwhelming majority of successful exploits target known, already-patched vulnerabilities. Auto-updates for your OS and apps are your first line of defence.

The pragmatic position

Perfect privacy is incompatible with a useful digital life. The goal is not to disappear; it’s to be a less attractive target and to limit the blast radius when things go wrong.

Start with the high-impact basics: a password manager, unique email aliases, a VPN on public networks, and privacy-respecting defaults in your browser. Each of these takes under an hour to set up and significantly reduces your exposure. Add measures as your threat model warrants it.

The AI systems that process personal data will continue to get more capable. The data you don’t give them can’t be used against you.