Privacy Tech That Actually Works

Remember when GDPR was going to save us from invasive tracking? We were promised control over our data, transparency about how it’s used, and the right to be forgotten. What we got instead was thousands of annoying cookie banners with dark patterns designed to make “Accept All” easier than actually protecting yourself. Companies still collect the same data—they just make you click a button first. Privacy theater at scale. This is the fundamental problem with most “privacy tools” in 2025: visible measures that make us feel protected while doing little to actually stop surveillance. From VPNs promising “military-grade encryption” (spoiler: AES is a public standard, not a military secret) to antivirus software that can’t catch zero-days, the privacy industry is full of security theater. Let’s cut through the marketing noise and talk about what actually works.

What is Security Theater?

Security theater is any measure that creates the feeling of improved security without meaningfully reducing actual risk. Bruce Schneier coined the term in his 2003 book “Beyond Fear” (Schneier, 2003), but it’s become disturbingly relevant in the privacy tech space.

Here’s how to spot it:

Can you prove it mitigates actual threats? If the answer is vague marketing speak about “advanced protection,” it’s probably theater.

Can it be easily bypassed? Browser “incognito mode” is a perfect example—it hides your history from family members but does nothing against ISPs, trackers, or fingerprinting.

Does it require perfect human performance? Mandatory monthly password changes sound secure until you realize people just increment a number at the end (Password123 → Password124).

Is it effective only if the adversary doesn’t notice the weakness? That’s not security, that’s hoping nobody looks too closely.

Does it exist purely for compliance? If the primary justification is “we need this to check a box,” it’s probably not protecting you.

The Privacy Theater Hall of Shame

Let’s call out some common offenders:

Cookie consent banners: As mentioned, these are compliance theater. Dark patterns make declining harder than accepting, and companies collect the data anyway—they just have legal cover now.

VPN marketing: “Military-grade encryption!” “Browse anonymously!” Most VPN marketing is pure snake oil. AES-256 is a public standard. And if you’re logged into your Gmail account, you’re not anonymous regardless of your VPN.

Password complexity requirements without context: GCHQ explicitly advised against mandatory monthly password rotations back in 2015. (NCSC, 2015) Organizations still require them because it feels like security.

Antivirus as your primary defense: Signature-based detection can’t catch novel attacks. By the time your antivirus knows about a threat, thousands of systems are already compromised.

Email “read receipt disabled”: Tracking pixels still work. You’ve hidden one vector while leaving dozens open.

Case Study: Singapore’s TraceTogether Debacle

Singapore’s COVID-19 contact tracing system demonstrates how privacy promises fail even in well-intentioned government programs.

In March 2020, Singapore launched TraceTogether, one of the world’s first COVID-19 contact tracing apps. Minister Vivian Balakrishnan explicitly promised: “TraceTogether data is purely for contact-tracing. Period.” (Asia Society, 2022; Ponnudurai, 2021) The government heavily promoted the system, eventually making it mandatory for many situations to achieve 78% adoption. (Balakrishnan, 2021)

In January 2021, the Ministry of Home Affairs quietly revealed that police could actually access TraceTogether data under Singapore’s Criminal Procedure Code. The data had already been used in a murder investigation in May 2020—before the public knew this was even possible. (South China Morning Post, 2021a; O’Neill, 2021b)

Public backlash was immediate. Minister Balakrishnan admitted to Parliament: “Perhaps I was so enamoured by what I thought was the ingenuity and brilliance of this that I got blindsided. I regret the consternation and anxiety caused.” (Ponnudurai, 2021) He hadn’t considered the CPC when making his “Period.” promise.

The government scrambled to pass emergency legislation limiting police access to seven categories of serious offenses (murder, terrorism, kidnapping, etc.). (South China Morning Post, 2021b) But the damage was done—trust eroded, and the incident became a cautionary tale cited in other countries considering similar systems. (Wikipedia, 2025)

The NRIC Masking Farce

Singapore’s handling of National Registration Identity Card (NRIC) numbers provides another lesson in privacy theater. For years, the Personal Data Protection Commission (PDPC) guidelines recommended masking NRIC numbers—showing only the last three digits and checksum (e.g., “567A” instead of “S1234567A”). (PDPC, 2019; CASE, 2022)

In December 2024, the government reversed course entirely. The Ministry of Digital Development and Information announced that masked NRIC numbers actually provide a “false sense of security.” (Kennedys Law, 2025) Using basic algorithms, anyone could reverse-engineer the full NRIC from a masked number, especially with knowledge of birth year. The masking was security theater—visible protection that didn’t actually protect.

Worse, organizations had been using full or partial NRIC numbers as passwords or default credentials for years. The PDPC and Cyber Security Agency issued urgent advisories in 2024-2025 warning organizations to immediately stop this practice. (PDPC, 2024b; Privacy Ninja, 2025) Using a national ID number as a password is equivalent to using your name as a password—it’s publicly available information.

The pattern is consistent: compliance measures (masking), broken promises (TraceTogether), and regulatory frameworks that didn’t account for actual threats (NRIC as authentication). Privacy theater at the government level.

The pattern is clear: measures that are highly visible, require minimal understanding, and create a false sense of security are rarely the ones that actually protect you.

Understanding Your Actual Threat Model

Before throwing money at privacy tools, you need to understand what you’re protecting against. Most people face mass surveillance, not targeted attacks.

Threats You’re Actually Facing:

1. Mass surveillance capitalism: Google, Facebook, Amazon, and countless data brokers collecting everything to build advertising profiles. This is ubiquitous, automated, and economically motivated.

2. ISP/network monitoring: Your internet provider can see and sell your browsing metadata. They don’t care about you specifically—they care about aggregate data they can monetize.

3. Credential theft: Password reuse, phishing, and data breaches. Google found that 41% of security compromises in 2022 traced back to weak or stolen passwords. This is the low-hanging fruit attackers go after.

4. Device compromise: Malware, ransomware, and physical access to your devices. Usually opportunistic rather than targeted.

5. State-level surveillance: Varies wildly by jurisdiction. In some countries, this is routine. In others, it requires warrants and oversight (in theory).

Threats You’re Probably NOT Facing:

Nation-state targeted attacks: If the NSA wants your data specifically, these tools won’t save you. That’s a completely different threat model requiring operational security way beyond this article’s scope.

Physical coercion: As XKCD illustrated with the “$5 wrench attack,” all the encryption in the world doesn’t help if someone threatens you physically.

Social engineering: Technology can’t fix human trust and manipulation. That requires awareness and training.

Compromised hardware: If your threat model includes hardware backdoors, you need airgapped systems and a very different lifestyle.

Being realistic about your threat model prevents both paranoia and complacency. Most of us need protection from mass surveillance and opportunistic attacks, not from nation-states.

Tools That Actually Work

Let’s break this down by category, focusing on what’s proven effective and avoiding the theater.

Foundation Layer: Everyone Needs This

Password Managers

If you do nothing else, use a password manager. Unique passwords for every site prevent credential stuffing attacks. Auto-fill prevents phishing (the password manager won’t fill credentials on fake sites).

What works: Bitwarden (open source, audited, sustainable business model) or KeePassXC (fully offline, complete control over your data).

Common mistake: Using a weak master password. If your master password is compromised, everything is compromised. Make it strong. Write it down and keep it somewhere safe if needed—physical security often trumps memorization requirements.

Evidence this matters: Google’s analysis found 41% of compromises in 2022 involved weak passwords. (Google Cloud Security Team, 2023) Mandiant’s M-Trends 2023 report showed adversaries leveraged stolen credentials 14% of the time, up from 9% in 2021. (Mandiant, 2023)

Hardware Security Keys

Two-factor authentication is essential, but SMS-based 2FA is vulnerable to SIM-swapping attacks. App-based 2FA (Google Authenticator, Authy) is better but still phishable. Hardware security keys are phishing-resistant.

What works: YubiKey or Google Titan Security Key

Cost: $30-50 one-time investment. Buy two—keep one as a backup.

Why it matters: Even if attackers have your password, they can’t log in without physical access to your key. This stops the vast majority of credential-based attacks.

Email Aliasing

Use a unique email address for every service. When you get spam, you know who sold your data. When there’s a breach, you can burn that specific alias without changing your primary email.

What works: SimpleLogin, AnonAddy, or built-in options like Proton’s alias feature or Apple’s Hide My Email.

Free options exist for all of these. The privacy protection is worth the minor hassle of setup.

Communication Privacy

Encrypted Messaging

If you’re still using SMS for sensitive conversations, stop. SMS is unencrypted and easily intercepted.

What works: Signal

Why: End-to-end encryption by default, minimal metadata collection, open source protocol (so security researchers can verify claims), and a non-profit structure that doesn’t depend on surveillance capitalism.

Don’t trust: WhatsApp might use the Signal protocol, but it’s owned by Meta. You’re trusting Facebook with your privacy. Hard pass.

For work: Element (Matrix protocol) offers federation and self-hosting options, which matters for organizational control.

Email Encryption

Email is fundamentally not private. Even with encryption, metadata (who, when, subject line) leaks everywhere. But you can reduce exposure.

What works: ProtonMail or Tuta

Limitation: Messages are only encrypted to other users on the same service. Cross-service email is still unencrypted. This is why PGP failed—it was too complex for normal humans to use correctly.

Reality check: If you need truly private communication, use Signal. Email is for convenience and professional correspondence, not confidential conversations.

Browsing Protection

DNS-Level Blocking

Block trackers and ads before they even load. This works network-wide, not just in your browser.

What works: NextDNS (easy setup, generous free tier) or Pi-hole (self-hosted, complete control)

Why it matters: Reduces attack surface, improves performance, blocks malware domains. The limitation is that it doesn’t prevent browser fingerprinting—it just reduces the number of trackers that get a chance to run.

Browser Choice

Your browser is your primary interface to the internet. Choose wisely.

Best: Firefox with hardening (use the arkenfox user.js configuration for enhanced privacy)

Good enough: Brave (solid privacy out of the box, Chromium compatibility for sites that don’t work well with Firefox)

Avoid: Chrome—Google’s entire business model is surveillance. Using Chrome for privacy is like hiring a fox to guard the henhouse.

For anonymity needs: Tor Browser

Reality: Complete protection from browser fingerprinting is extremely difficult. Modern fingerprinting techniques can identify you even with aggressive privacy settings. (Eckersley, 2010) The goal is to raise the bar, not achieve perfection.

Browser Extensions

Extensions can enhance privacy, but they can also track you. Use sparingly.

Worth using: uBlock Origin (best ad blocker), Privacy Badger (EFF’s tracker blocker)

Advice: Fewer extensions is better. Each one is additional attack surface and potential tracking vector. Always review permissions before installing.

VPNs: Controversial Territory

VPN marketing is out of control. Let’s be clear about what they actually do.

When VPNs Actually Help:

  • Public WiFi: Encrypts your traffic from local snoopers
  • ISP monitoring: Hides DNS queries and metadata from your provider (though HTTPS already encrypts content)
  • Geo-blocking: Access region-locked content

What VPNs DON’T Do:

  • Make you anonymous: You’re still logging into Gmail, Netflix, and Facebook with your real identity
  • Prevent tracking: Cookies, browser fingerprints, and login sessions persist regardless of IP address
  • Protect from malware: That’s not what they’re designed for
  • Stop your OS from phoning home: Windows telemetry and macOS analytics still work fine over VPN

If You Must Use a VPN:

Avoid: Free VPNs (you’re the product—they’re likely selling your data) and US-based providers (jurisdiction issues with surveillance laws)

Consider: Mullvad (anonymous signup, accepts cash, no-logs policy) or IVPN (transparent about limitations, independently audited)

Or: Roll your own with WireGuard on a VPS if you have the technical skills. This gives you control but limited geographic diversity.

The truth about VPNs: They shift trust from your ISP to your VPN provider. Unless you have specific needs (geo-blocking, hostile ISP), the privacy benefit is marginal.

Operating System Level

Desktop

Linux: Best privacy by default, but requires technical competence and willingness to deal with compatibility issues.

macOS: Better than Windows, but still calls home extensively. Apple’s privacy marketing is better than their actual privacy practices.

Windows: Telemetry nightmare. Requires extensive hardening to be remotely privacy-respecting.

Reality: Most people won’t switch OS purely for privacy. Focus on application-level protections instead.

Mobile

GrapheneOS (Pixel phones): Best balance of privacy and security. Actively developed, thoroughly hardened.

CalyxOS: More user-friendly than GrapheneOS, slightly less secure.

iOS: Better than stock Android, but you’re locked into Apple’s walled garden. They can still see everything you do.

Stock Android: Avoid if possible. Google’s mobile OS is designed around data collection.

The Inconvenient Truth About Metadata

Even with encryption, metadata tells a story. This is the hardest problem in privacy tech.

Your VPN hides your IP address, but Netflix still knows you logged in from a specific device at a specific time. Signal encrypts your messages, but the server knows you and your contact communicate regularly. HTTPS encrypts content, but SNI (Server Name Indication) reveals which sites you’re visiting. Email encryption hides the message body, but to/from/subject/time are all visible.

There is no perfect solution. Tor helps with traffic analysis resistance, but it requires significant lifestyle changes and many sites block Tor exit nodes. Trade-offs are inevitable.

The goal isn’t perfect privacy (impossible) but meaningful privacy (achievable). Understand what protection you’re actually getting.

Practical Implementation: Start Here

Don’t try to implement everything at once. That’s how people burn out and go back to zero privacy protection.

Low Friction, High Impact (Do This Week):

  1. Install a password manager (Bitwarden or KeePassXC)
  2. Generate unique passwords for critical accounts (email, banking, social media)
  3. Enable 2FA on those same accounts
  4. Switch to Firefox or Brave
  5. Install uBlock Origin

This takes maybe 2-3 hours total and stops the majority of common attacks.

Medium Effort (Do This Month):

  1. Get a hardware security key for main accounts

  2. Switch to privacy-respecting services:

    • Email: ProtonMail or Tuta
    • Search: DuckDuckGo or Brave Search
    • Maps: OpenStreetMap
  3. Set up DNS filtering (NextDNS is easiest)
  4. Review app permissions on your phone (most apps don’t need camera, microphone, location, and contacts)

High Commitment (If You’re Serious):

  1. De-Google your life: migrate photos, docs, calendar
  2. Install GrapheneOS or CalyxOS on Android
  3. Self-host services (Nextcloud for files, Matrix for messaging)
  4. Use Tor for sensitive browsing

What to Skip:

Don’t obsess over VPN choice—the differences between reputable providers are marginal.

Don’t try to be anonymous while logged into personal accounts—you’re not fooling anyone.

Don’t go down the cryptocurrency rabbit hole for normal transactions—legal and practical issues outweigh privacy benefits for most use cases.

Don’t adopt extreme OPSEC that makes your life unlivable—threat modeling exists for a reason.

The Business Model Problem

Here’s an uncomfortable truth: if it’s free, you’re probably the product.

Gmail, Facebook, and Chrome aren’t free because Google is generous. They’re free because surveillance capitalism is the business model. Your data is the product being sold.

Even “privacy-focused” companies with VC funding have questionable incentives. Their exit strategy usually involves acquisition by companies that definitely aren’t privacy-respecting.

Sustainable privacy tools have clear business models: subscriptions (Proton, Mullvad), donations (Signal, Tor Project), or self-hosting (Matrix, Nextcloud).

Red Flags:

  • Closed source “privacy” tools (trust us, we’re private!)
  • Free VPNs (they’re selling something—probably your data)
  • Companies based in Five Eyes countries with track records of cooperating with surveillance
  • Marketing that promises complete anonymity
  • History of selling to surveillance vendors or law enforcement

Green Flags:

  • Open source with regular independent audits
  • Clear, sustainable business model that isn’t advertising
  • Transparent about limitations (no tool is perfect)
  • Doesn’t claim to protect against nation-state actors
  • Active development community and security research engagement

Why Free and Open Source Software Matters

There’s a reason every tool I’ve recommended so far is either fully open source or has open source alternatives. FOSS isn’t just an ideological preference—it’s a practical security requirement.

Verifiability Over Trust

Closed source privacy tools ask you to trust their marketing claims. Open source tools let security researchers verify those claims. When ProtonMail says they use end-to-end encryption, independent auditors can examine the code and confirm it. When a closed source VPN claims “no-logs,” you’re taking their word for it (Hill, 2020).

The privacy industry is full of companies that promised privacy and later betrayed users. Lavabit shut down rather than compromise user privacy under government pressure in 2013.(Schneier, 2003) Hushmail handed over encryption keys to law enforcement despite marketing themselves as secure. (Levine, 2014) TrueCrypt mysteriously shut down with cryptic warnings. (Franceschi-Bicchierai, 2014) Closed source tools can hide backdoors, intentional or otherwise.

Open source means bugs and vulnerabilities get found faster. Thousands of eyes examining the code beats a small internal security team. When Heartbleed hit OpenSSL in 2014, the entire community mobilized to patch it. (Goodin, 2014) When proprietary software has vulnerabilities, users are at the mercy of vendor timelines.

Community-Driven Development

FOSS projects aren’t beholden to venture capitalists demanding 10x returns. Signal operates as a non-profit. Bitwarden’s open source model means even if the company disappears, the software continues. KeePassXC is maintained by volunteers who have no financial incentive to betray users.

This matters because privacy-focused startups with VC funding have predictable exit strategies: acquisition by companies that definitely don’t respect privacy, or pivoting to advertising models. FOSS projects can’t be acquired and forced to compromise.

Auditability in Practice

Look at the difference between Bitwarden and LastPass. Both are password managers. Bitwarden is open source and has undergone multiple independent security audits. (Bitwarden, 2024) When researchers find issues, they’re addressed publicly.

LastPass is proprietary. In 2022, they had a massive breach that exposed encrypted password vaults.(Gatlan, 2022) The company’s initial disclosures downplayed the severity. Users discovered the full scope through investigative reporting, not company transparency. With closed source, you’re trusting the vendor to tell you the truth about breaches.

The GPL and User Freedom

The GNU General Public License and similar copyleft licenses ensure modifications remain open. You can fork the project if the original developers go rogue. You can audit the code before deploying it in your environment. You can modify it to fit your specific threat model.

This is why Signal’s protocol is GPL—anyone can implement it, verify it, improve it. (Porter, 2021; Marlinspike, 2016) The protocol itself has been adopted by WhatsApp (though Meta’s implementation is closed, which is why we don’t recommend it), Google, and others. The openness of the protocol doesn’t weaken security; it strengthens it through peer review.

Exceptions and Caveats

Open source isn’t automatically secure. Poorly written FOSS can be worse than well-designed proprietary software. Abandoned projects accumulate vulnerabilities. The key is open source plus active maintenance, plus independent audits.

Some hybrid approaches work: Brave is open source built on Chromium. ProtonMail’s clients are open source even though their server code is proprietary (though they’ve published the crypto implementation for verification). The more of the stack that’s auditable, the better.

Practical Implications

When choosing privacy tools:

  1. Prefer fully open source: Both client and server code available
  2. Accept hybrid if necessary: Client open source, server proprietary but audited
  3. Avoid fully closed source: No way to verify security claims

This isn’t ideological purity—it’s risk management. In privacy and security, trust must be earned through transparency, not demanded through marketing.

When to Actually Worry

Not everyone needs the same level of privacy protection. Be honest about your threat model.

You Probably Need This Article If:

  • You reuse passwords across sites
  • You use SMS for 2FA
  • Your primary email is @gmail.com
  • You use Chrome as your main browser
  • You’ve never reviewed app permissions

This is most people. The basics matter.

You Need More Than This Article If:

  • You’re a journalist working in a hostile country
  • You’re a political dissident
  • You handle classified government or corporate data
  • You’re actually targeted by nation-state actors
  • You’re Edward Snowden

If this describes you, you need operational security training, not a blog post. Seek professional help from organizations like EFF or Access Now.

Perfect is the Enemy of Good

Let’s recap the key points:

  1. Most privacy violations are mass surveillance, not targeted attacks. The tools to counter mass surveillance are accessible and effective.
  2. Basic hygiene stops 90% of threats. Password manager, 2FA, ad blocking—these aren’t sexy, but they work.
  3. Open source tools with clear business models are safer bets. You can verify claims, and there’s no incentive to betray users.
  4. Perfect privacy requires giving up modern convenience. You can have privacy or convenience, but rarely both. Choose your battles.
  5. Threat modeling helps prioritize. What are YOU protecting against? Tailor your approach accordingly.

The real problem is that technology can only solve technical problems. Privacy requires systemic change: stronger regulation, different business models, and cultural shifts away from surveillance capitalism. Individual tools are band-aids on a broken system.

But band-aids are better than bleeding out.

What to Do Next

Don’t get overwhelmed. Pick ONE thing from the “Start Here” list today. Set a calendar reminder to review your privacy practices quarterly. Share this knowledge—privacy is collective, not individual. Support privacy-respecting businesses with your wallet. Contact your representatives about surveillance regulation.

Most importantly: don’t let perfect be the enemy of good. Every improvement matters, even if it’s not comprehensive. The goal isn’t to become a ghost online (impossible for most people) but to raise the cost of surveillance to the point where mass collection becomes economically unfeasible.

Start small. Build habits. Be realistic about trade-offs. And stop trusting marketing that promises perfect privacy—it doesn’t exist.

References

Asia Society. (2022, July 11). Background: Data privacy and protection in Singapore. Asia Society Policy Institute. https://asiasociety.org/policy-institute/raising-standards-data-ai-southeast-asia/data/singapore

Balakrishnan, V. (2021, January 5). Clarification on the usage of TraceTogether data [Speech]. Ministry of Digital Development and Information. https://www.mddi.gov.sg/newsroom/20210105

Bitwarden. (2024). Security audits and assessments. Bitwarden Security. https://bitwarden.com/help/is-bitwarden-audited/

Consumers Association of Singapore. (2022, July 12). Privacy policy. https://www.case.org.sg/dataprotection/

Cimpanu, R. (2020, August 14). Firefox maker Mozilla is trying a new way of getting your attention. ZDNet.

Cox, J. (2019, January 8). I gave a bounty hunter $300. Then he located our phone. Vice Motherboard.

Eckersley, P. (2010, May). How unique is your web browser? Electronic Frontier Foundation. https://www.eff.org/deeplinks/2010/05/how-unique-your-web-browser

Franceschi-Bicchierai, L. (2014, May 28). The TrueCrypt doomsday scenario has arrived. Vice Motherboard.

Gatlan, S. (2022, December 22). LastPass: Hackers stole customer vault data in cloud storage breach. BleepingComputer. https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/

Goodin, D. (2014, April 7). Critical crypto bug in OpenSSL opens two-thirds of the web to eavesdropping. Ars Technica.

Google Cloud Security Team. (2023, September 22). How leaders can reduce risk by shutting down security theater. Google Cloud Blog. https://cloud.google.com/blog/transform/how-leaders-can-reduce-risk-shutting-down-security-theater

Hill, K. (2020, September). The case for open source security tools. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2020/09/case-open-source-security-tools

Kennedys Law. (2025, July 1). Authentication versus identification and the use of the Singapore NRIC number. https://www.kennedyslaw.com/en/thought-leadership/article/2025/authentication-versus-identification-and-the-use-of-the-singapore-nric-number/

Levine, Y. (2014, March 18). The untold story of Hushmail, the FBI’s ‘secure’ email service. Pando.

Lyon, G. (2023). Privacy Guides: Open source privacy tools. https://www.privacyguides.org

Mandiant. (2023). M-Trends 2023 [Cyber security report]. https://www.mandiant.com/m-trends

Marlinspike, M. (2016, September 27). Technology preview: Private contact discovery for Signal. Signal Blog. https://signal.org/blog/private-contact-discovery/

National Cyber Security Centre. (2015). Password administration for system owners. UK National Cyber Security Centre. https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

O’Neill, P. H. (2021a, January 11). Broken promises: How Singapore lost trust on contact tracing privacy. MIT Technology Review. https://www.technologyreview.com/2021/01/11/1016004/singapore-tracetogether-contact-tracing-police/

O’Neill, P. H. (2021b, January 5). Singapore’s police now have access to contact tracing data. MIT Technology Review. https://www.technologyreview.com/2021/01/05/1015734/singapore-contact-tracing-police-data-covid/

Personal Data Protection Commission Singapore. (2018, August 31). Advisory guidelines on the PDPA for NRIC and other national identification numbers. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers—310818.pdf

Personal Data Protection Commission Singapore. (2019, July). Gearing up for Sept 1 when NRIC guidelines kick in. https://www.pdpc.gov.sg/-/media/Files/PDPC/DPO-Connect/July-19/Gearing-Up-For-Sept-1-When-NRIC-Guidelines-Kick-In

Personal Data Protection Commission Singapore. (2024a, July 24). Guide to basic anonymisation. https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/guide-to-basic-anonymisation-(updated-24-july-2024).pdf

Personal Data Protection Commission Singapore. (2024b, December). PDPC’s reply to media queries on the use of NRIC numbers. https://www.pdpc.gov.sg/news-and-events/press-room/2024/12/pdpcs-reply-to-media-queries-on-the-use-of-nric-numbers

Ponnudurai, P. (2021, February 10). COVID app triggers overdue debate on privacy in Singapore. Al Jazeera. https://www.aljazeera.com/news/2021/2/10/covid-app-triggers-overdue-debate-on-privacy-in-singapore

Porter, J. (2021, January 12). Signal is finally bringing its secure messaging to the masses. The Verge.

Privacy Ninja. (2025, July 3). Advisory: 3 critical lessons from the PDPC-CSA warning on NRIC use. https://www.privacy.com.sg/resources/advisory-pdpc-and-csa-on-nric-use/

Privacy Tools Team. (2025). Best privacy tools & software guide in 2025. PrivacyTools.io. https://www.privacytools.io/

Roy-Choudhury, A. (2021, May 24). Tackling privacy & digital divide in Covid-19 tech. GovInsider. https://govinsider.asia/inclusive-gov/data-privacy-digital-divide-remain-concerns-in-tech-led-fight-against-covid-19-amit-roy-choudhury/

Schneier, B. (2003). Beyond fear: Thinking sensibly about security in an uncertain world. Copernicus Books.

Snowden, E. (2019). Permanent record. Metropolitan Books.

South China Morning Post. (2021a, January 5). Coronavirus: TraceTogether data used in murder case, Singapore minister says as he defends police access to contact-tracing programme. https://www.scmp.com/week-asia/health-environment/article/3116541/coronavirus-tracetogether-data-used-murder-case

South China Morning Post. (2021b, February 2). Coronavirus: Singapore limits police use of TraceTogether contact-tracing data to seven types of criminal offences. https://www.scmp.com/week-asia/politics/article/3120212/coronavirus-singapore-limit-police-use-tracetogether-contact

Whittaker, Z. (2019, January 28). A fitness app’s data breach has exposed military bases and spy outposts. TechCrunch.

Wikipedia. (2025, October 9). TraceTogether. https://en.wikipedia.org/wiki/TraceTogether

Yeo, V. (2021). Singapore’s updated TraceTogether privacy policy could erode public trust. CSIS New Perspectives on Asia. https://www.csis.org/blogs/new-perspectives-asia/singapores-updated-tracetogether-privacy-policy-could-erode-public

Zuboff, S. (2019). The age of surveillance capitalism: The fight for a human future at the new frontier of power. PublicAffairs.

Resources

Privacy Tools Mentioned:

Password Managers:

  • Bitwarden - Open source, audited, sustainable business model
  • KeePassXC - Fully offline, complete user control

Email Services:

  • ProtonMail - Swiss-based, end-to-end encryption
  • Tuta - German-based, open source email encryption

Messaging:

  • Signal - Gold standard for encrypted messaging
  • Element - Federated Matrix protocol, self-hostable

Browsers:

  • Firefox - Customizable, privacy-respecting
  • Brave - Privacy by default, Chromium-based
  • Tor Browser - Anonymity-focused

DNS & Network:

  • NextDNS - Cloud DNS filtering
  • Pi-hole - Network-wide ad/tracker blocking

Email Aliasing:

Hardware Security:

Further Reading:

Privacy & Security Guides:

  • EFF’s Surveillance Self-Defense: https://ssd.eff.org
  • Privacy Guides: https://www.privacyguides.org
  • Bruce Schneier’s Security Blog: https://www.schneier.com
  • Techlore Privacy Resources: https://techlore.tech

Books:

  • Schneier, B. (2003). Beyond Fear: Thinking Sensibly About Security in an Uncertain World
  • Snowden, E. (2019). Permanent Record
  • Zuboff, S. (2019). The Age of Surveillance Capitalism
  • O’Neill, C. (2016). Weapons of Math Destruction

Organizations Working on Privacy:

  • Electronic Frontier Foundation (EFF): https://www.eff.org
  • Privacy International: https://privacyinternational.org
  • Access Now: https://www.accessnow.org
  • Free Software Foundation: https://www.fsf.org

Key Privacy Regulations:

  • GDPR (EU General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • Digital Markets Act (EU)

Community Resources:

  • r/privacy - Reddit privacy community
  • r/privacytoolsIO - Privacy tools discussion
  • Privacy Guides Forum: https://discuss.privacyguides.net
  • Techlore Discord & Forums

The privacy fight isn’t about achieving perfection—it’s about making surveillance expensive, inconvenient, and unprofitable. Every tool you adopt is a vote for a different kind of internet. Make it count.