01 Why Online Privacy Is Harder Than It Used to Be
Ten years ago, blocking cookies was a meaningful privacy step. Today, tracking systems have evolved well beyond cookie dependence. Browser fingerprinting identifies you from hardware and software signals without storing anything on your device — your browser's GPU renderer, screen resolution, and audio processing behaviour combine into an identifier that persists even after you clear your history. Third-party cookies are being phased out across browsers, but the advertising industry has already moved to fingerprinting and cohort-based targeting as replacements.
At the same time, the number of tracking vectors has increased. Your IP address, ISP, and approximate location are visible on every connection. Your DNS queries — the lookups your browser makes before it even connects to a site — are often unencrypted and visible to your ISP and network operator. Mobile apps request permissions far beyond their core function and share data with dozens of third-party SDKs running inside them. Account-based tracking by major platforms follows you across every site where their code is embedded, regardless of your IP or device configuration.
None of this means privacy is hopeless. It means the approach has to be layered — different tools covering different vectors — and the decisions have to be informed by what each tool actually protects against. That is what this guide covers.
02 Start Here — Know What You Are Already Exposing
Before adding any privacy tools, it is worth knowing your current baseline. Most people are surprised by the specific detail their browser exposes on every site visit — not just an IP address, but an ISP name, approximate city, connection type, VPN or proxy status, GPU model, screen configuration, and browser fingerprint signals, all readable by any site without any permission prompt.
IntelReap reads these signals and shows you exactly what your connection exposes to the websites you visit — your public IP, ISP, routing path, and the full set of identifiers your browser transmits. Running this before making any changes gives you a precise starting point, so you can measure whether the steps you take are actually reducing your exposure rather than guessing.
The baseline check matters: Many people add a VPN and assume they are now private, when in reality their browser fingerprint, account sessions, and DNS queries are still fully visible. Knowing the specific vectors you need to address is more useful than applying generic advice.
03 VPNs — What They Protect and What They Do Not
A VPN does three things: it replaces your public IP address with the VPN server's IP, it encrypts traffic between your device and the VPN server so your ISP cannot read it, and it changes your apparent geographic location. These are genuinely useful protections. Your ISP cannot log your browsing destinations. Websites see the VPN server's IP instead of yours. Surveillance at the network level — by your ISP, a public Wi-Fi operator, or a network-level monitor — cannot read your traffic content.
What a VPN does not do is equally important to understand. It does not prevent browser fingerprinting — your GPU renderer, screen resolution, and installed fonts are identical whether the VPN is active or not. It does not clear cookies or account sessions. It does not prevent tracking by platforms where you are logged in. And it shifts trust rather than removing it: your VPN provider can see your traffic in place of your ISP. Choose a provider with an independently audited no-logs policy, not just a self-declared one. For a full breakdown of the limits, our guide on what a VPN actually changes about your connection covers each vector specifically.
04 Your Browser Is the Biggest Privacy Variable
Your choice of browser and how you configure it matters more than almost any other single decision. The default configurations of Chrome, Edge, and Safari permit significant third-party tracking. Firefox and Brave are meaningfully better out of the box, and they are meaningfully better still with a few targeted settings changes.
Firefox — most configurable
In Firefox, go to Settings → Privacy & Security and set Enhanced Tracking Protection to Strict. Enable DNS over HTTPS in the Network Settings section. In about:config, set privacy.resistFingerprinting to true — this normalises many fingerprinting signals to standard values. Install uBlock Origin from the Firefox Add-ons store; in its settings, enable the Extra lists including uBlock filters — Annoyances and EasyPrivacy. These three changes together block the vast majority of third-party trackers and significantly reduce your fingerprint entropy.
Brave — least configuration required
Brave blocks third-party ads and trackers by default with no extension needed, and its Shields feature includes fingerprint randomisation — introducing slight variation in canvas, WebGL, and audio fingerprint outputs on each session. Go to brave://settings/shields and confirm Fingerprinting is set to Standard or Strict. Enable Brave's built-in VPN or configure DNS-over-HTTPS under brave://settings/privacy. For most users Brave requires the least setup to achieve a strong privacy baseline.
Chrome and Edge — possible but limited
Both support extensions including uBlock Origin, which provides significant tracker blocking. But neither browser offers fingerprint resistance, and both have built-in telemetry and data collection that cannot be fully disabled by the user. They are meaningfully less private than Firefox or Brave even with the best extension configuration, because the underlying engines are designed for a different set of trade-offs.
05 Passwords and Accounts — The Most Overlooked Privacy Problem
Most real-world privacy breaches that affect ordinary people are not surveillance events. They are compromised accounts — usually from a reused password exposed in a data breach at one service being tested against other services automatically. This is called credential stuffing, and it is vastly more common than targeted tracking or ISP surveillance for most individuals.
A password manager solves this completely. Use a unique randomly generated password for every account — the manager stores and fills them, so the memorisation burden is zero. Bitwarden is free, open source, and independently audited. 1Password and Dashlane offer polished paid alternatives. Beyond the password manager, enable two-factor authentication on every account that supports it — especially email, banking, and social media accounts. A hardware key (YubiKey) is the most phishing-resistant form; an authenticator app (Aegis on Android, Ente Auth on iOS) is a solid middle ground. SMS-based 2FA is better than nothing but vulnerable to SIM-swapping attacks.
06 DNS Privacy — The Tracking Vector Most Guides Skip
Every time your browser loads a website, it first sends a DNS query to look up the site's IP address. By default this query travels in plain text, visible to your ISP and any network operator between you and the DNS resolver. Your ISP can log every domain you visit from a DNS record alone — without needing to decrypt any of your HTTPS traffic.
DNS-over-HTTPS (DoH) encrypts these queries and sends them to a resolver of your choice rather than your ISP's default. In Firefox it is in Settings → General → Network Settings → Enable DNS over HTTPS. In Chrome it is in Settings → Privacy and security → Security → Use secure DNS. Cloudflare's 1.1.1.1 is the most widely used privacy-focused resolver; NextDNS offers more control including per-device filtering rules and query logging you control. Neither charges for basic use. This is a five-minute change that closes a tracking vector most privacy guides do not even mention.
07 Mobile Privacy — What Most Guides Miss
Mobile devices introduce tracking vectors that desktop browsers do not face. Apps can request background location access, access to contacts and photos, and persistent identifiers like the advertising ID — all of which browsers cannot access. The advertising ID (IDFA on iOS, GAID on Android) is a platform-level identifier that ad networks use to link your behaviour across apps, and it is not affected by VPNs or browser settings at all.
On iOS, go to Settings → Privacy & Tracking and disable Allow Apps to Request to Track. This prevents apps from accessing the IDFA entirely. Go to Settings → Privacy & Security → Location Services and review every app's location permission — set all non-essential apps to Never or While Using. On Android, go to Settings → Privacy → Ads and delete your advertising ID. Review app permissions in Settings → Apps → select each app → Permissions, and revoke anything that is not essential to the app's function. These steps reduce mobile tracking more than any VPN or browser change because they address the vectors that are unique to the mobile environment. If you want to see exactly which network-level signals your own device exposes once you are back on a desktop or laptop connection, our guide on finding the IP address of any device on your network is a useful companion reference.
See Your Full Privacy Exposure Right Now
IntelReap's Security panel analyses your connection and browser for privacy leaks, tracking exposure, VPN detection status, and security signals — showing you the complete picture of what you are exposing on every site visit, free and in-browser.
08 The Privacy Stack — A Layered Approach That Actually Works
Privacy is not a single setting. Every tracking vector requires a specific countermeasure. Here is the layered stack in priority order — start at the top and work down, since the higher entries have the largest impact per unit of effort.
| Layer | Tool / Setting | Protects Against | Does NOT Protect Against | Cost |
|---|---|---|---|---|
| 1 — Accounts | Password manager + 2FA | Credential stuffing, account takeover | Tracking, fingerprinting | Free (Bitwarden) |
| 2 — Browser | Brave or Firefox + uBlock Origin | Third-party trackers, ad networks, some fingerprinting | IP tracking, DNS logging, account tracking | Free |
| 3 — DNS | DNS-over-HTTPS (Cloudflare / NextDNS) | ISP DNS logging, DNS-based tracking | IP tracking, fingerprinting, account tracking | Free |
| 4 — IP / Network | Paid VPN (audited no-logs) | ISP traffic visibility, IP tracking, geolocation | Fingerprinting, cookie tracking, account tracking | Paid (~£3–8/mo) |
| 5 — Fingerprint | Firefox resistFingerprinting / Brave Shields | Canvas, WebGL, audio fingerprinting | IP tracking, account tracking, DNS logging | Free |
| 6 — Mobile IDs | Disable advertising ID + audit app permissions | Cross-app advertising tracking, background data collection | Browser tracking on mobile, account tracking | Free |
| 7 — Email | Email aliases (SimpleLogin / Apple Hide My Email) | Email-based tracking, spam, data breach exposure | Account tracking, browser fingerprinting | Freemium |
Check Whether Your VPN Is Actually Protecting You
IntelReap's VPN & Proxy panel analyses your connection and reports whether it appears as a VPN, data centre, proxy, or residential IP — exactly what websites see. If your VPN is leaking your real identity, this will show it.
No single privacy tool closes all tracking vectors. The goal is layered coverage — each tool addressing a specific vector the others do not touch — not the illusion of complete invisibility from one setting.
This guide draws on EFF privacy research, Mozilla Foundation browser privacy documentation, GDPR and CCPA regulatory guidance, independently audited VPN provider reports, and live browser signal data reviewed across multiple device and browser configurations.