Where to start
Your privacy checklist, ordered by impact.
Start at the top and work down. The easiest, highest-impact changes come first. Each step builds on the previous ones. You don't have to do everything — even the first five make a real difference.
1. Risk: Your search queries reveal health concerns, political views, financial stress, and relationship problems. Google retains and profiles every search — it knows more about you than your closest friends.
   Time: 2 min

2. Risk: Your phone's advertising ID (IDFA on iOS, GAID on Android) is a persistent identifier shared with every app. Location data brokers like Fog Data Science use it to build movement profiles sold to law enforcement. It's a social security number for ads.
   Time: 2 min

3. Risk: SMS and standard messaging are plaintext for your carrier. WhatsApp has E2EE but Meta collects metadata (who, when, how often). Your messaging app choice determines who can read your conversations and who profits from the social graph they build.
   Time: 10 min

4. Risk: Without a password manager, you're reusing passwords or using weak ones. Credential stuffing attacks exploit exactly this — breached passwords from one site tried everywhere else. A password manager is the highest-leverage privacy tool you can adopt.
   Time: 15 min

5. Risk: SMS 2FA is vulnerable to SIM swapping — a trivial social engineering attack where someone convinces your carrier to transfer your number. Not all 2FA is equal: SMS < TOTP < hardware keys.
   Time: 10 min

6. Risk: Using one email everywhere creates a universal identifier. A data breach at Service A exposes your presence on Service B. One address per service means zero cross-service correlation.
   Time: 10 min

7. Risk: DNS queries are plaintext by default. Even with HTTPS, your ISP sees every domain you resolve. HTTPS encrypts the content of your connection, but the destination leaks through DNS — like sending a sealed letter with the address visible.
   Time: 5 min

8. Risk: Apple Notes, Google Keep, Notion, and Evernote can read your notes. Journals, passwords, medical notes, legal strategies — stored in plaintext on someone else's server. Your most private thoughts deserve encryption.
   Time: 15 min

9. Risk: Over-permissioned apps harvest data far beyond their function. A flashlight app reading your contacts. A weather app tracking your location 24/7. Each unnecessary permission is a data exfiltration channel.
   Time: 10 min

10. Risk: Browser extensions can read every page you visit, modify requests, and exfiltrate data. The Stylish extension sold browsing history of 2M+ users. Each extension is a potential backdoor you installed yourself.
    Time: 10 min

11. Risk: Private browsing only clears local history and cookies when you close the window. Your ISP, employer, and every site you visit still see everything. Google settled a $5B lawsuit over misleading users about this.
    Time: 5 min

12. Risk: Even with end-to-end encryption, email metadata — who emailed whom, when, and subject lines — is visible to servers. Metadata reveals your social graph, communication patterns, and relationships. Everyone reads envelopes.
    Time: 5 min

13. Risk: Your phone broadcasts the names of previously connected networks. An attacker nearby learns: "home_wifi_john", "Marriott_NYC", "hospital_guest". This is physical-world location history leaking from your pocket.
    Time: 5 min

14. Risk: Contacting a service to delete your data confirms you have an account. In adversarial contexts (journalist, activist), the deletion request itself is evidence of association. The privacy action reduces privacy.
    Time: 5 min

15. Risk: Full-disk encryption on your phone is moot if iCloud or Google automatically backs up photos, messages, and app data in a form Apple/Google can access. Cloud backup is the #1 law enforcement access path. You encrypted your phone, then handed the keys to Apple.
    Time: 15 min

16. Risk: Google Drive, Dropbox, and iCloud can read your files. They comply with law enforcement requests, train AI on your documents, and profile you for advertising. Cloud convenience without encryption means your files belong to someone else.
    Time: 20 min

17. Risk: Gmail scans email for ad targeting. But paid doesn't automatically mean private — some paid providers still log IP addresses, cooperate broadly with law enforcement, or lack real end-to-end encryption. Don't conflate 'paid' with 'private'.
    Time: 20 min

18. Risk: Email attachments are unencrypted. Google Drive sharing links expose your Google account. WeTransfer scans uploads. Sending a file 'quickly' often means sending it through a company that can read, scan, and retain it indefinitely.
    Time: 5 min

19. Risk: Google Calendar knows your doctor appointments, therapy sessions, AA meetings, and custody schedules. Calendar metadata reveals health conditions, relationships, routines, and vulnerabilities — often more sensitive than email content.
    Time: 20 min

20. Risk: 'Sign in with Google/Facebook' gives the identity provider a log of every service you use and when. One account suspension cascades everywhere. Convenience is surveillance.
    Time: 20 min

21. Risk: Even E2EE messengers leak metadata: who you talk to, when, how often, group memberships. WhatsApp encrypts content but Meta harvests everything else. As former NSA and CIA director Michael Hayden stated: 'We kill people based on metadata' — referring to drone targeting decisions informed by communications metadata. The content is secondary.
    Time: 15 min

22. Risk: Your browser is as unique as a fingerprint — even without cookies. Canvas, WebGL, fonts, and screen resolution combine into a near-unique identifier that tracks you across sites.
    Time: 15 min

23. Risk: Third-party cookies are dying, but tracking adapted. Fingerprinting, CNAME cloaking, bounce tracking, and login-based tracking (Google/Facebook SSO) replaced cookies. The tracking industry moves faster than regulation.
    Time: 20 min

24. Risk: Your browser history is a medical record, a political profile, and a financial audit in one place. Visiting health sites, pharmacy pages, or support forums — all logged and potentially sold to data brokers, insurers, or employers.
    Time: 15 min

25. Risk: A VPN shifts trust from your ISP to the VPN provider. 'No-log' is marketing unless independently audited. If the VPN logs, you've just moved surveillance from one entity to another — and potentially a less regulated one.
    Time: 20 min

26. Risk: Your phone number is persistent, tied to real identity (SIM registration laws in EU), and used as recovery/2FA everywhere. SIM swap attacks exploit this. Phone numbers are more dangerous than email addresses as identifiers — and harder to change.
    Time: 30 min

27. Risk: Reusing usernames across platforms creates a public link graph. OSINT tools like Sherlock and Maigret automate this in seconds. Passwords get all the attention, but usernames are the overlooked attack surface — they're public by design.
    Time: 20 min

28. Risk: Starting a VPN right after a news event, subscribing to encrypted email after a breakup, signing up for a health app after a diagnosis — the timing of subscriptions correlates with life events. Data brokers perform temporal correlation analysis.
    Time: 10 min

29. Risk: Even with encrypted DNS, the TLS handshake's Server Name Indication (SNI) sends the destination domain in plaintext. Your ISP can still see which sites you visit. Encrypted Client Hello (ECH) fixes this, but adoption is patchy.
    Time: 10 min

30. Risk: ISP-provided routers often have remote management backdoors, outdated firmware, and default credentials. Everyone secures their laptop but nobody secures the box everything flows through. Your router is the weakest link.
    Time: 30 min

31. Risk: Stock Android phones home to Google constantly — location, app usage, diagnostics, Wi-Fi networks. De-Googled ROMs remove this telemetry while maintaining security. If you care about mobile privacy, this is the most impactful change.
    Time: 60 min
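The per-service email item claims that one address per service gives "zero cross-service correlation". The Python below is an added example, not code from this site, that makes the claim concrete: aliases are derived from a secret key with HMAC so they look random to anyone who buys a breach dump, the owner can still work out which service leaked an address, and the join a data broker performs across two dumps returns nothing. The key, domain, service names and breach dumps are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Set

# Constructed values for the demonstration only.
ALIAS_KEY = b"replace-with-a-random-32-byte-secret"
ALIAS_DOMAIN = "example.net"


def alias_for(service: str, key: bytes = ALIAS_KEY, domain: str = ALIAS_DOMAIN) -> str:
    """Stable per-service address. The local part is an HMAC tag, so the
    address reveals neither the owner nor the service it was issued to."""
    tag = hmac.new(key, service.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{domain}"


def attribute_leak(leaked: str, services: Iterable[str],
                   key: bytes = ALIAS_KEY, domain: str = ALIAS_DOMAIN) -> Optional[str]:
    """Given an address that showed up in spam or a breach, name the service
    it was issued to (only the key holder can do this)."""
    for service in services:
        if hmac.compare_digest(alias_for(service, key, domain), leaked.strip().lower()):
            return service
    return None


def cross_service_overlap(dump_a: Set[str], dump_b: Set[str]) -> Set[str]:
    """The join a data broker runs on two breach dumps: shared addresses."""
    return {a.lower() for a in dump_a} & {b.lower() for b in dump_b}


if __name__ == "__main__":
    # Constructed breach dumps. With one shared address the join succeeds...
    shared_a = {"jane@example.net", "other1@mail.test"}
    shared_b = {"jane@example.net", "other2@mail.test"}
    print("shared address overlap:", cross_service_overlap(shared_a, shared_b))
    # ...with per-service aliases it returns nothing.
    alias_a = {alias_for("Acme Shop"), "other1@mail.test"}
    alias_b = {alias_for("News Site"), "other2@mail.test"}
    print("aliased overlap:", cross_service_overlap(alias_a, alias_b))
    print("leaked alias came from:", attribute_leak(alias_for("Acme Shop"), ["Acme Shop", "News Site"]))
```

Using a keyed hash rather than `acme-shop@example.net` is a deliberate choice: a readable alias still tells the breach buyer which service you use, which is exactly the correlation the item is trying to remove.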
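The fingerprinting item says that individually bland attributes "combine into a near-unique identifier". The Python below, an added example and not this site's code, measures that on a constructed population of eight browsers: it reports the bits of identifying information each attribute carries, how many bits the combination carries, and the size of the anonymity set a given visitor hides in. The attribute values are invented; the arithmetic is plain Shannon entropy.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed population of eight visitors. Each row is one browser's set of
# passively observable attributes; no cookies are involved. Values are made up.
POPULATION: List[Dict[str, str]] = [
    {"user_agent": "ua-A", "timezone": "UTC+1", "fonts": "set-1", "screen": "1920x1080"},
    {"user_agent": "ua-A", "timezone": "UTC+1", "fonts": "set-2", "screen": "1920x1080"},
    {"user_agent": "ua-A", "timezone": "UTC-5", "fonts": "set-1", "screen": "1920x1080"},
    {"user_agent": "ua-A", "timezone": "UTC-5", "fonts": "set-2", "screen": "1920x1080"},
    {"user_agent": "ua-B", "timezone": "UTC+1", "fonts": "set-1", "screen": "1920x1080"},
    {"user_agent": "ua-B", "timezone": "UTC+1", "fonts": "set-2", "screen": "1920x1080"},
    {"user_agent": "ua-B", "timezone": "UTC-5", "fonts": "set-1", "screen": "1920x1080"},
    {"user_agent": "ua-B", "timezone": "UTC-5", "fonts": "set-2", "screen": "1920x1080"},
]


def fingerprint(visitor: Dict[str, str], attrs: Iterable[str]) -> Tuple[str, ...]:
    """The tracker's identifier: the tuple of chosen attribute values."""
    return tuple(visitor[a] for a in attrs)


def entropy_bits(population: List[Dict[str, str]], attrs: Iterable[str]) -> float:
    """Shannon entropy (bits) of the fingerprint over the population.
    log2(len(population)) bits means every visitor is unique."""
    attrs = tuple(attrs)
    counts = Counter(fingerprint(v, attrs) for v in population)
    n = len(population)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def anonymity_set(population: List[Dict[str, str]], attrs: Iterable[str],
                  visitor: Dict[str, str]) -> int:
    """How many visitors share this visitor's fingerprint (1 = fully identified)."""
    attrs = tuple(attrs)
    target = fingerprint(visitor, attrs)
    return sum(1 for v in population if fingerprint(v, attrs) == target)


def report(population: List[Dict[str, str]], attrs: Iterable[str]) -> Dict[str, float]:
    """Bits per single attribute, plus the bits of the full combination."""
    attrs = tuple(attrs)
    out = {a: entropy_bits(population, (a,)) for a in attrs}
    out["combined"] = entropy_bits(population, attrs)
    return out


if __name__ == "__main__":
    attrs = ("user_agent", "timezone", "fonts", "screen")
    for name, bits in report(POPULATION, attrs).items():
        print(f"{name:>10}: {bits:.2f} bits")
    me = POPULATION[0]
    print("anonymity set by user_agent alone:", anonymity_set(POPULATION, ("user_agent",), me))
    print("anonymity set by all attributes:  ", anonymity_set(POPULATION, attrs, me))
```

Each of user agent, timezone and fonts carries only one bit here, and the screen size (identical for everyone) carries none, yet the three informative attributes together hit the 3-bit ceiling for eight visitors: every browser is unique. The same arithmetic run on real traffic is how fingerprinting studies arrive at their "near-unique" figures, and it is also how you can audit which attributes a privacy-hardened browser still exposes.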
Tools set up? Protect the payment link too.
nullpay. severs the connection between your identity and the services you subscribe to.
Disclosure: NullPay is this site's product.