The Privacy Audit: 10 Things to Change on Your Phone and Computer Today
You do not need to move to a cabin in the woods to improve your privacy. Most of the biggest wins take less than ten minutes each. The problem is not that privacy is hard — it is that nobody gives you a clear, prioritized list of what to do first.
This is that list. Ten changes you can make today, ranked by impact, with time estimates for each. No jargon, no paranoia, just practical steps that meaningfully reduce how much of your life is being tracked, sold, and profiled.
Total time if you do everything: about 2-3 hours. But even doing the first three items puts you ahead of 90% of people.
1. Switch Your Browser (15 minutes)
Why it matters: Your browser is the single biggest tracking vector on your computer. Chrome is built by an advertising company. Every extension, every site visit, every search — Google sees it all.
What to do:
- Desktop: Install Firefox or Brave. Both block trackers by default. Firefox is backed by a nonprofit (Mozilla). Brave is Chromium-based, so everything that works in Chrome works in Brave — minus the surveillance.
- iPhone: Switch to Safari (it already has strong tracking prevention) or Firefox.
- Android: Install Brave or Firefox.
After installing:
- Set your new browser as the system default
- Import bookmarks and passwords from Chrome
- Install uBlock Origin (Firefox) or use Brave's built-in ad blocker
- Disable "search suggestions" in the address bar (these send every keystroke to a server)
Quick wins inside your new browser:
- Enable HTTPS-Only mode (Firefox: Settings → Privacy → HTTPS-Only Mode)
- Disable third-party cookies
- Set browser to clear cookies on close (or use containers/profiles for different activities)
2. Use a Password Manager (20 minutes)
Why it matters: If you reuse passwords — and statistically, you do — a single data breach at one service gives attackers access to every account that shares that password. Password reuse is the most common way accounts get compromised. It is not even close.
What to do:
- Install a password manager: 1Password, Bitwarden, or Proton Pass
- Install the browser extension and the mobile app
- Start with your most critical accounts: email, banking, investment accounts
- For each account, generate a new unique password (the manager creates and stores them)
- Over the next week, change passwords as you log into sites naturally — no need to do everything at once
Which one:
- 1Password ($2.99/month) — the most polished experience, excellent family sharing, Watchtower feature alerts you to breached passwords
- Bitwarden (free tier available) — open source, audited, great if budget matters
- Proton Pass (included with Proton plans) — integrates with Proton ecosystem, includes email aliases
3. Enable Two-Factor Authentication on Everything (30 minutes)
Why it matters: Even with unique passwords, accounts can be compromised through phishing, SIM swapping, or server-side breaches. 2FA means a stolen password alone is not enough — the attacker also needs your second factor.
What to do:
- Install an authenticator app: Authy, Ente Auth, or the 2FA feature built into 1Password
- Enable 2FA on these accounts first (highest impact):
- Email (this is the master key — if someone has your email, they can reset everything)
- Banking and financial accounts
- Cloud storage (Google Drive, iCloud, Dropbox)
- Social media
- Password manager itself
- Use the authenticator app, not SMS. SMS-based 2FA is better than nothing but vulnerable to SIM swapping attacks.
- Save your recovery codes in your password manager. If you lose your phone, these codes are the only way back in.
Do not skip your email account. If an attacker controls your email, they can reset the password on every other account you own. Your email is the single most important account to protect.
4. Change Your DNS (5 minutes)
Why it matters: Every time you visit a website, your device asks a DNS server to translate the domain name (like "example.com") into an IP address. By default, this request goes to your internet provider — which means your ISP sees every website you visit, even if the site itself uses HTTPS.
What to do:
On your phone:
- iPhone: Settings → Wi-Fi → tap your network → Configure DNS → Manual → add
1.1.1.1and1.0.0.1(Cloudflare) or9.9.9.9(Quad9) - Android: Settings → Network → Private DNS → set to
one.one.one.oneordns.quad9.net
On your computer:
- Mac: System Settings → Network → Wi-Fi → Details → DNS → add
1.1.1.1and1.0.0.1 - Windows: Settings → Network → Change adapter options → right-click your connection → Properties → IPv4 → set DNS to
1.1.1.1and1.0.0.1
Better option: Install the Cloudflare 1.1.1.1 app (free) or Quad9 app. These encrypt your DNS queries (DNS-over-HTTPS), which prevents your ISP from seeing even the DNS requests themselves.
5. Set Up a VPN (10 minutes)
Why it matters: A VPN encrypts all traffic between your device and the VPN server. Your ISP can see that you are connected to a VPN, but cannot see what sites you visit or what data you transfer. It also prevents websites from seeing your real IP address (and therefore your approximate location).
What to do:
- Subscribe to a reputable VPN: NordVPN, Proton VPN, or Mullvad
- Install the app on your phone and computer
- Connect and leave it running
Which one:
- NordVPN — fastest speeds, largest server network, good apps, frequent discounts
- Proton VPN — Swiss jurisdiction, open source, integrates with Proton ecosystem, has a free tier
- Mullvad — accepts cash payment, no email required to sign up, extreme privacy focus
Important: A VPN does not make you anonymous. It shifts trust from your ISP to the VPN provider. Choose one with a verified no-logs policy (NordVPN, Proton VPN, and Mullvad have all been independently audited).
6. Switch Your Search Engine (2 minutes)
Why it matters: Google Search logs every query, ties it to your profile, and uses it to target ads. Your search history is one of the most revealing datasets about you — it captures what you are curious about, worried about, and interested in, often in real time.
What to do:
- Set your default search engine to DuckDuckGo, Startpage, or Brave Search
- DuckDuckGo: does not track you, good results, uses Bing's index
- Startpage: serves Google results without tracking, best result quality
- Brave Search: independent index, no tracking, improving rapidly
In your browser: Settings → Search Engine → change default. Takes about 30 seconds.
You can always add !g to a DuckDuckGo search to redirect to Google for the occasional query where DuckDuckGo falls short. You get privacy by default and Google when you need it.
7. Audit App Permissions on Your Phone (15 minutes)
Why it matters: Many apps request permissions they do not need. A flashlight app does not need your contacts. A weather app does not need constant location access. Each unnecessary permission is a data collection point.
What to do:
iPhone:
- Settings → Privacy & Security → go through each category:
- Location Services: Set most apps to "While Using" or "Never." Very few apps need "Always."
- Contacts, Calendars, Photos: Revoke access for any app that does not obviously need it
- Tracking: Toggle off "Allow Apps to Request to Track" at the top. This alone is significant.
- Settings → Privacy & Security → App Privacy Report → review which apps are accessing what
Android:
- Settings → Privacy → Permission Manager → go through each category
- Apply the same logic: "While Using" instead of "Always," revoke permissions that do not make sense
- Settings → Privacy → Ads → delete advertising ID
Rules of thumb:
- Social media apps do not need microphone access (unless you actively record video)
- Shopping apps do not need location access
- Games do not need contacts, camera, or microphone
- When in doubt, revoke the permission. The app will ask again if it genuinely needs it.
8. Switch to Private Email (1-2 hours)
Why it matters: Your email provider sees every message you receive, including password resets, financial statements, and medical correspondence. Gmail uses this data to build your advertising profile.
What to do:
- Create an account with Proton Mail (recommended), Tuta, or Mailfence
- Set up forwarding from your current email to your new address
- Over the next 2-4 weeks, update your email address on services as they send you messages
- Keep your old email active but dormant
This is the most time-consuming item on the list, but it is also one of the most impactful. We have a complete migration guide in our article on the best private email providers.
9. Encrypt Your Cloud Storage (20 minutes)
Why it matters: Google Drive, iCloud, and Dropbox can all access your files. "Encrypted at rest" means encrypted with their keys, not yours — they can decrypt and read your files if required by law enforcement or compelled by a court order.
What to do:
Option A — Switch providers:
- Proton Drive (included with Proton plans) — end-to-end encrypted, the provider cannot read your files
- Tresorit — end-to-end encrypted, Swiss jurisdiction, good for business use
Option B — Encrypt within your current provider:
- Cryptomator (free, open source) — creates an encrypted vault inside your existing Google Drive, Dropbox, or iCloud. Files are encrypted before they leave your device. The cloud provider sees only encrypted blobs.
- Install Cryptomator, create a vault in your cloud storage folder, move sensitive files into the vault
Option B is the quickest win. You keep your existing cloud storage but add a layer of encryption that the provider cannot bypass.
10. Lock Down Social Media Privacy Settings (20 minutes)
Why it matters: Social media platforms collect and share more data than most people realize. Even if you do not post much, your profile, connections, and browsing behavior within the platform are used for profiling and ad targeting.
What to do:
Facebook/Meta:
- Settings → Privacy → review each section. Set profile visibility to "Friends" not "Public"
- Settings → Ads → Ad Preferences → turn off all ad targeting categories
- Settings → Apps and Websites → remove any apps you no longer use (each one has API access to your data)
- Off-Facebook Activity → clear history and disable future tracking (this stops Meta from collecting data about your activity on other websites)
Instagram:
- Settings → Privacy → Private Account (if appropriate for your use case)
- Settings → Ads → Minimum data sharing
X (Twitter):
- Settings → Privacy and Safety → disable personalization and data
- Settings → Privacy → Location → disable precise location
LinkedIn:
- Settings → Visibility → reduce profile visibility to connections only
- Settings → Data Privacy → disable data sharing with third-party researchers
- Settings → Advertising Data → turn off all toggles
General rule: For any social media platform, go to the privacy or data settings and turn off every optional data sharing toggle. The defaults are always set to maximize data collection.
The Priority Order
If you only have 30 minutes, do these three:
- Switch your browser (15 min)
- Change your DNS (5 min)
- Switch your search engine (2 min)
These three changes eliminate the majority of casual tracking with minimal effort.
If you have a weekend, do all ten. Print this article (or save it locally) and check off each item. By Sunday evening, your digital footprint will be dramatically smaller than it was on Friday.
Privacy is not about perfection. It is about raising the cost and reducing the convenience of surveilling you. Every item on this list does that. Start anywhere. Start today.
Get The Private Intelligence — weekly
AI tools, privacy guides, and workflow tips for people who want to use AI powerfully without giving up their data. Join 1,000+ readers.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.