🛡️ Digital Privacy & Security Glossary

A comprehensive A-to-Z reference of terms used in digital privacy, online security, browser tracking, data protection, and cybersecurity. Whether you are protecting your personal data, researching surveillance technologies, or building privacy-respecting products, this glossary provides clear, technically grounded definitions for the vocabulary that shapes our digital rights landscape in 2026.
📖 43 Terms Defined 🔤 A–Z Coverage 🔒 Privacy & Security Focus 🗓️ Updated March 2026

Terms

Anonymity

Anonymity is the state in which an individual's identity cannot be linked to their actions, communications, or online presence. True anonymity requires not only concealing your real name but also preventing any combination of technical signals — IP address, device fingerprint, writing style, behavioural patterns — from being correlated back to you. In practice, absolute anonymity is extremely difficult to achieve on the modern internet: even encrypted traffic reveals timing patterns, and many anonymising tools have known limitations. Tools like Tor provide strong anonymity by routing traffic through multiple relays and stripping identifying headers, but remain vulnerable to traffic-analysis attacks at scale. Anonymity is distinct from pseudonymity (using a consistent false identity) and privacy (controlling who sees your real-identity data).

Asymmetric Encryption (Public-Key Cryptography)

Asymmetric encryption uses a mathematically linked pair of keys — a public key and a private key — where data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. Because the public key can be freely distributed without compromising security, asymmetric cryptography solves the key-distribution problem that limits symmetric encryption: two parties who have never communicated before can establish a secure channel without a pre-shared secret. RSA, ECDSA, and the newer X25519 elliptic-curve algorithms are common asymmetric schemes. In practice, asymmetric encryption is used to securely exchange a symmetric session key (e.g., in TLS), to sign digital documents, and to encrypt email (PGP/GPG). Its main limitation is computational cost, which is orders of magnitude higher than symmetric algorithms like AES.

Behavioral Tracking

Behavioral tracking is the systematic collection and analysis of a user's online actions — pages visited, links clicked, search queries, scroll depth, mouse movements, purchase history, and dwell time — to build detailed profiles used for targeted advertising, risk scoring, and personalisation. Unlike static identifiers such as cookies or IP addresses, behavioral signals reveal intent, preferences, and habits, making them extremely valuable to data brokers, advertisers, and insurers. Advanced behavioral analytics can infer sensitive attributes such as political affiliation, health conditions, pregnancy, and sexual orientation from browsing patterns alone, even when users believe their activity is private. Regulatory frameworks such as GDPR and CCPA require explicit consent for behavioral profiling, but enforcement is inconsistent and data collected before regulations applied often persists in legacy datasets.

Tracker blockers and browser extensions like uBlock Origin, Privacy Badger, and Brave Shields reduce behavioral tracking by blocking the JavaScript beacons and third-party requests that harvest this data. However, server-side tracking — where behavioral data is inferred from server logs rather than client-side scripts — is much harder to block and increasingly common.

Browser Fingerprinting

Browser fingerprinting is a tracking technique that identifies users by collecting and combining dozens of technical attributes about their browser and device — such as screen resolution, installed fonts, timezone, language settings, canvas rendering output, WebGL renderer, audio processing characteristics, and hardware concurrency — to produce a unique identifier. Unlike cookies, this fingerprint is not stored on the user's device, cannot be cleared, and persists across private/incognito sessions, making it extremely difficult to block without degrading the browsing experience. Research by the EFF's Cover Your Tracks project found that over 80% of browsers produce a unique fingerprint, and the average browser reveals roughly 18 bits of identifying entropy — sufficient to single out one user among hundreds of thousands.

You can measure your own fingerprint uniqueness using our Fingerprint Tester. Protective measures include using Brave Browser (which randomises fingerprint attributes), enabling Firefox's resist-fingerprinting mode (privacy.resistFingerprinting), or using the Tor Browser, which standardises all fingerprint attributes to make users indistinguishable from one another.

Canvas Fingerprinting

Canvas fingerprinting is a specific browser fingerprinting technique that renders a predefined image or text string onto an HTML5 <canvas> element and reads back the resulting pixel data as a Base64-encoded hash. Because GPU, graphics driver, operating system, and font rendering engine differences cause subtly different pixel outputs across devices, the resulting hash is device-specific and stable. It was first documented at scale by Mowery & Shacham (2012), and a Princeton study found canvas fingerprinting active on over 5% of the top 100,000 websites by 2014. The technique requires no permissions, is invisible to the user, and cannot be defeated by clearing cookies or using private browsing. Brave Browser mitigates canvas fingerprinting by introducing subtle randomisation into canvas output each session.

CCPA (California Consumer Privacy Act)

The California Consumer Privacy Act (effective January 2020, strengthened by Proposition 24/CPRA in 2023) grants California residents the right to know what personal information is collected about them, the right to delete it, the right to correct inaccurate data, and the right to opt out of the sale or sharing of their data. Browser fingerprint data qualifies as personal information under the CCPA because it can reasonably be linked to a specific consumer or household. Businesses subject to the CCPA that use fingerprinting for advertising or analytics must disclose this in their privacy policy and must honour opt-out requests submitted via the Global Privacy Control (GPC) browser signal. Non-compliance can result in penalties of up to $7,500 per intentional violation, enforced by the California Privacy Protection Agency (CPPA).

Cross-Site Tracking

Cross-site tracking refers to any technique that allows an entity to observe or link a user's activity across multiple, unrelated websites — effectively building a browsing history without the user's awareness or consent. Historically enabled by third-party cookies, cross-site tracking now also uses fingerprinting, login tracking (identifying users via shared login services like "Sign in with Google"), link decoration (adding unique parameters to URLs that destinations can read back), bounce tracking (redirecting users through intermediary pages that set identifiers), and CNAME cloaking (disguising third-party trackers as first-party requests using DNS). GDPR and CCPA require consent for cross-site tracking; browsers are deploying technical mitigations including partitioned storage (Storage Partitioning) and link-decoration stripping.

Dark Patterns

Dark patterns are user interface design choices that deliberately manipulate users into taking actions they would not choose if the interface were neutral — such as subscribing to a service, sharing more data than necessary, or declining privacy protections. In a privacy context, common dark patterns include: pre-ticked consent checkboxes; consent banners that make "Accept All" one click but "Reject All" require navigating three sub-menus; confusing toggle states (a slider that looks "on" but means "off"); and confirmation shaming (labelling the decline option as "No, I don't want to save money"). The EU's Data Protection Authorities have taken enforcement action against several major platforms for using dark patterns in consent flows under GDPR. The FTC and Canadian OPC have also issued guidance flagging deceptive interface design as an unfair or deceptive trade practice.

Data Breach

A data breach is a security incident in which protected, confidential, or sensitive information is accessed, disclosed, or stolen by an unauthorised party. Breaches can result from external attacks (SQL injection, credential stuffing, ransomware), insider threats, misconfigured cloud storage buckets, or lost physical devices. The consequences for affected individuals include identity theft, account takeover, targeted phishing, insurance fraud, and reputational harm. The severity depends on what data was exposed: hashed passwords are far less dangerous than plaintext passwords or social security numbers. Under GDPR, organisations must report breaches to supervisory authorities within 72 hours and notify affected individuals without undue delay. Canada's PIPEDA (and Quebec's Law 25) require breach notifications when there is a "real risk of significant harm." You can check if your email appears in known breaches using services like HaveIBeenPwned.

Recommended actions after a breach: immediately change passwords for the affected service and any accounts sharing that password, enable two-factor authentication, monitor credit reports for fraudulent activity, and consider placing a credit freeze with Canadian credit bureaus (Equifax and TransUnion) if financial data was exposed.

Data Minimization

Data minimization is a foundational privacy principle — codified in Article 5(1)(c) of the GDPR — that states organisations should only collect and process personal data that is adequate, relevant, and limited to what is strictly necessary for the stated purpose. By reducing the volume of data collected, organisations reduce their attack surface (less sensitive data to breach), lower compliance burden, and build user trust. In practice, data minimization means asking only for required form fields, deleting data once its purpose is fulfilled, and avoiding the temptation to collect "just in case" data for undefined future use. Privacy-by-design frameworks embed data minimization as a default architectural constraint rather than an afterthought. For individuals, data minimization means voluntarily providing less information than asked for and preferring services that require minimal data to function.

Differential Privacy

Differential privacy is a mathematical framework for publishing statistics about a dataset while providing rigorous, provable guarantees that any individual record's inclusion or exclusion cannot be reliably detected by an adversary. The core mechanism involves adding carefully calibrated random noise to query results, governed by a privacy budget parameter ε (epsilon): smaller ε values mean stronger privacy protection but less accurate statistics. Apple uses differential privacy to collect aggregate usage data from iOS and macOS devices while ensuring individual users' data cannot be reconstructed. The US Census Bureau applied differential privacy to the 2020 Decennial Census data. Differential privacy is distinct from anonymization: anonymization attempts to remove identifiers but is vulnerable to re-identification attacks, while differential privacy provides an algorithmic, worst-case guarantee regardless of what auxiliary information an attacker may possess.
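The noise-versus-ε trade-off described above, as an added example that is not part of the original glossary: a Laplace mechanism for a counting query (sensitivity 1) with a simple budget tracker. The record set, function names and seed are constructed for illustration.

```python
import math
import random


def laplace_noise(scale, rng):
    """Draw from Laplace(0, scale) as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


class PrivacyBudget:
    """Tracks epsilon spent. Under sequential composition the epsilons add up."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon


def private_count(records, predicate, epsilon, budget, rng):
    """Release a count with Laplace noise of scale 1/epsilon.

    Adding or removing one record changes a count by at most 1, so the
    sensitivity is 1 and the noise scale is sensitivity / epsilon.
    """
    budget.charge(epsilon)
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


# Constructed sample data: one record per age from 18 to 89.
RECORDS = [{"age": age} for age in range(18, 90)]


def is_senior(record):
    return record["age"] >= 65


def mean_abs_error(epsilon, trials=2000, seed=7):
    """Average distance between the noisy and the true count."""
    # A seeded generator keeps the demonstration reproducible. A real
    # deployment needs a vetted DP library and secure noise generation.
    rng = random.Random(seed)
    budget = PrivacyBudget(math.inf)  # unlimited, measurement only
    true_count = sum(1 for r in RECORDS if is_senior(r))
    total = 0.0
    for _ in range(trials):
        noisy = private_count(RECORDS, is_senior, epsilon, budget, rng)
        total += abs(noisy - true_count)
    return total / trials


def queries_answered(total_epsilon, per_query_epsilon, seed=7):
    """Count how many queries are answered before the budget refuses."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_epsilon)
    answered = 0
    while True:
        try:
            private_count(RECORDS, is_senior, per_query_epsilon, budget, rng)
        except RuntimeError:
            return answered
        answered += 1


if __name__ == "__main__":
    for eps in (0.1, 1.0):
        print(f"epsilon={eps}: mean abs error {mean_abs_error(eps):.2f}")
    print("queries within budget:", queries_answered(1.0, 0.25))
```

The expected absolute error of Laplace noise equals its scale, so ε = 0.1 gives an average error near 10 and ε = 1.0 an average error near 1.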

DNS over HTTPS (DoH)

DNS over HTTPS (DoH) encrypts Domain Name System queries by sending them inside standard HTTPS traffic to a DoH-compatible resolver, preventing your Internet Service Provider, network administrators, or eavesdroppers from observing which hostnames you are looking up. Traditional DNS queries are transmitted in plaintext UDP and are routinely logged by ISPs, monitored by employer networks, and used to build browsing profiles. DoH resolvers available to consumers include Cloudflare (1.1.1.1), Google (8.8.8.8), and NextDNS. Firefox enables DoH by default in Canada, routing queries through Cloudflare. While DoH hides query content from the network path, it transfers DNS visibility to the DoH resolver — so choosing a trustworthy resolver (one with a no-logs policy and third-party audit) is essential. DoH does not prevent website servers from seeing your IP address, nor does it encrypt the SNI (Server Name Indication) field in the TLS handshake — a gap addressed by Encrypted Client Hello (ECH).

End-to-End Encryption (E2EE)

End-to-end encryption ensures that data is encrypted on the sender's device and can only be decrypted by the intended recipient — no intermediate server, service provider, or network node has access to the plaintext content. This is in contrast to encryption in transit (e.g., HTTPS), where the service provider's server can see unencrypted data once it arrives. Messaging apps like Signal, WhatsApp, and iMessage (with E2EE enabled) implement true end-to-end encryption using the Signal Protocol, which provides forward secrecy (each session uses freshly generated keys). For email, E2EE requires PGP/GPG or S/MIME, which have low adoption due to key-management complexity; Proton Mail offers E2EE between Proton accounts with automatic key management. Critically, E2EE only protects data in transit — once decrypted on the recipient's device, it can be screenshotted, forwarded, or backed up to unencrypted cloud storage.

FIDO2 / WebAuthn (Passkeys)

FIDO2 is an open authentication standard developed by the FIDO Alliance and the W3C, designed to replace passwords with cryptographic credentials bound to a specific device or platform authenticator. Its browser-facing component, WebAuthn, allows websites to authenticate users using a private key stored securely in a device's hardware (secure enclave, TPM chip) or a roaming authenticator (hardware security key like a YubiKey). Authentication is performed with a public-key challenge-response: the website sends a challenge, the authenticator signs it with the private key, and the website verifies the signature against the stored public key — no password is ever transmitted or stored server-side. Passkeys are the consumer-friendly implementation of FIDO2, syncing credentials via Apple Keychain, Google Password Manager, or 1Password across a user's devices. FIDO2 is phishing-resistant by design because credentials are bound to the origin domain, preventing use on lookalike phishing sites.
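The origin binding described above, as an added example that is not part of the original glossary: the context checks a relying party runs on a WebAuthn assertion before verifying the signature. The host names, helper names and sample assertion are constructed; signature verification over authenticatorData plus the SHA-256 of clientDataJSON is omitted because it needs a cryptography library.

```python
import base64
import hashlib
import hmac
import json
import struct


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion_context(client_data_json, authenticator_data,
                            expected_challenge, expected_origin, rp_id):
    """Return the list of failed checks; an empty list means all passed."""
    failed = []
    client_data = json.loads(client_data_json)

    if client_data.get("type") != "webauthn.get":
        failed.append("type")

    # The challenge must be the one this server issued for this login.
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        challenge = b""
    if not hmac.compare_digest(challenge, expected_challenge):
        failed.append("challenge")

    # The browser writes the origin it actually loaded the page from.
    if client_data.get("origin") != expected_origin:
        failed.append("origin")

    # authenticatorData starts with rpIdHash (32) | flags (1) | signCount (4).
    if len(authenticator_data) < 37:
        failed.append("authenticator_data")
        return failed
    rp_id_hash, flags, _sign_count = struct.unpack(
        ">32sBI", authenticator_data[:37])
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(rp_id_hash, expected_hash):
        failed.append("rp_id_hash")
    if not flags & 0x01:  # bit 0 is the User Present flag
        failed.append("user_presence")
    return failed


def build_constructed_assertion(origin, rp_id, challenge):
    """Constructed sample of what a browser and authenticator would return."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([0x01]) + struct.pack(">I", 1))
    return client_data_json, authenticator_data


if __name__ == "__main__":
    issued = bytes(range(32))  # constructed challenge
    good = build_constructed_assertion(
        "https://login.example", "login.example", issued)
    other = build_constructed_assertion(
        "https://login-example.test", "login-example.test", issued)
    for name, (cdj, ad) in (("same origin", good), ("other origin", other)):
        print(name, check_assertion_context(
            cdj, ad, issued, "https://login.example", "login.example"))
```

An assertion produced on a different origin fails both the origin and the rpIdHash check, which is why a credential cannot be replayed from a lookalike site.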

GDPR (General Data Protection Regulation)

The General Data Protection Regulation (EU Regulation 2016/679) is the European Union's comprehensive data protection law, in force since May 25, 2018. It grants individuals (data subjects) the right to access their personal data, the right to rectification, the right to erasure ("right to be forgotten"), the right to data portability, and the right to object to automated decision-making. Organisations that process EU residents' data — regardless of where the organisation is located — must have a lawful basis for processing (consent, contract, legitimate interest, etc.), implement privacy-by-design measures, appoint a Data Protection Officer in certain cases, and conduct Data Protection Impact Assessments for high-risk processing. Fines can reach €20 million or 4% of global annual turnover, whichever is greater. The GDPR has influenced privacy legislation worldwide, including Quebec's Law 25, Brazil's LGPD, and India's DPDP Act.

For browser fingerprinting specifically, EU regulators have consistently held that fingerprinting constitutes the processing of personal data and the reading of terminal equipment, requiring valid consent under both GDPR and the ePrivacy Directive — even if the resulting identifier is not immediately linked to a name.

Hash Function (Cryptographic Hash)

A cryptographic hash function is a deterministic algorithm that takes an input of arbitrary length and produces a fixed-size output (the hash or digest) such that: (1) the same input always produces the same hash; (2) it is computationally infeasible to reverse the hash to recover the input (pre-image resistance); (3) it is infeasible to find two different inputs that produce the same hash (collision resistance). Common algorithms include SHA-256 (used in Bitcoin and TLS certificates), SHA-3, and BLAKE3. Hash functions are used to verify data integrity, store passwords (combined with salting and stretching algorithms like bcrypt or Argon2), generate fingerprint identifiers, and sign digital documents. MD5 and SHA-1 are deprecated for security purposes because practical collision attacks exist. Password hashes without salting are vulnerable to precomputed rainbow-table attacks; bcrypt, scrypt, and Argon2 are recommended for password storage.
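The salting point above, as an added example that is not part of the original glossary: an unsalted SHA-256 digest beside a salted scrypt hash from Python's standard library. The scrypt parameters, function names and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters; tune them to the hardware that verifies logins.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def unsalted_sha256(password):
    """Weak form: a fast hash with no salt, identical for identical input."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(candidates):
    """One table built once works against every unsalted digest."""
    return {unsalted_sha256(word): word for word in candidates}


def hash_password(password):
    """Hardened form: fresh random salt plus a memory-hard KDF."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, expected_digest)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice_pw = bob_pw = "sunshine2024"

    # Unsalted: both rows are identical and a precomputed table inverts them.
    table = precomputed_table(["letmein", "sunshine2024", "qwerty"])
    print("unsalted digests equal:",
          unsalted_sha256(alice_pw) == unsalted_sha256(bob_pw))
    print("table lookup:", table.get(unsalted_sha256(alice_pw)))

    # Salted scrypt: same password, different stored values per user.
    alice_salt, alice_hash = hash_password(alice_pw)
    bob_salt, bob_hash = hash_password(bob_pw)
    print("salted hashes equal:", alice_hash == bob_hash)
    print("verify correct:", verify_password(alice_pw, alice_salt, alice_hash))
    print("verify wrong:", verify_password("letmein", alice_salt, alice_hash))
```

Store the salt next to the digest; it is not secret, and its job is to force a separate computation per account.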

HTTPS (HyperText Transfer Protocol Secure)

HTTPS is the secure version of HTTP, the protocol used to transfer data between your browser and a web server. It wraps HTTP inside a TLS (Transport Layer Security) session that provides three guarantees: confidentiality (data is encrypted and cannot be read by eavesdroppers on the network path), integrity (data cannot be modified in transit without detection), and authentication (the server's identity is verified by a certificate signed by a trusted Certificate Authority). HTTPS protects against passive surveillance, man-in-the-middle attacks on public Wi-Fi, and ISP content injection. As of 2025, HTTPS is used by over 95% of page loads in Chrome. The padlock icon in browsers indicates a valid TLS connection, but does not guarantee the site itself is legitimate — phishing sites routinely obtain valid TLS certificates. HSTS (HTTP Strict Transport Security) prevents downgrade attacks by instructing browsers to always use HTTPS for a given domain.

Incognito / Private Browsing Mode

Incognito (Chrome), Private Window (Firefox/Safari), and InPrivate (Edge) modes open a temporary browser session that does not save browsing history, cookies, form data, or passwords to the local device after the session closes. This provides limited local privacy — useful for shared computers, gift shopping, or accessing paywalled content. However, incognito mode does not hide your IP address from websites, your ISP, or network monitors; does not prevent browser fingerprinting (your fingerprint remains the same in incognito); does not block tracking pixels or analytics scripts; and does not prevent websites from logging your visit server-side. A 2022 Google class-action lawsuit (Calhoun v. Google) revealed that Chrome's incognito mode continued to send data to Google Analytics and other Google services, resulting in a $5 billion settlement. For meaningful tracking protection, use a VPN combined with a fingerprint-hardening browser, or the Tor Browser.

Malware

Malware (malicious software) is any program intentionally designed to harm, disrupt, or gain unauthorised access to a computer system or its data. Categories include: viruses (self-replicating code that attaches to legitimate files), worms (self-propagating over networks), Trojans (malicious code disguised as legitimate software), spyware (silently monitoring user activity and exfiltrating data), adware (injecting unwanted advertisements), ransomware (encrypting files and demanding payment), keyloggers (capturing keystrokes including passwords), and rootkits (hiding deep in the OS to evade detection). Delivery vectors include phishing emails, malicious attachments, drive-by downloads from compromised websites, and infected USB drives. Effective defences include keeping software patched, using reputable endpoint security, avoiding suspicious downloads, and running as a non-administrator user to limit damage from successful infections.

Metadata

Metadata is data about data — information that describes the context, structure, or properties of a piece of content rather than its substance. In a privacy context, metadata is often far more revealing than content: the fact that you called a crisis hotline at 2 a.m. is more sensitive than whatever you said. Email metadata includes sender, recipient, timestamp, subject line, IP addresses, and mail server routing — all transmitted unencrypted even when message body encryption is used. Photo EXIF metadata can contain GPS coordinates of where the image was taken, camera make and model, and exact timestamp — publishing photos without stripping EXIF can inadvertently reveal home addresses. Communications metadata is routinely collected by ISPs, telecom providers, and law-enforcement agencies under metadata-retention laws (contested in many jurisdictions). Edward Snowden's NSA revelations documented that the US government's PRISM programme collected vast quantities of communications metadata under the premise that metadata is less sensitive than content — a claim privacy advocates dispute strongly.

Multi-Factor Authentication (MFA / 2FA)

Multi-factor authentication requires users to verify their identity using two or more factors from distinct categories: something you know (password, PIN), something you have (hardware key, phone with authenticator app, one-time SMS code), and something you are (fingerprint, face ID). Requiring multiple factors means that compromising one factor alone — e.g., stealing a password through phishing — is insufficient to access the account. Not all MFA is equally secure: SMS-based codes (OTPs) are vulnerable to SIM-swapping attacks, and app-based TOTP codes (Google Authenticator, Aegis) can be phished by real-time proxy attacks. Hardware security keys (YubiKey) and FIDO2 passkeys provide the strongest MFA because they are cryptographically bound to the legitimate origin domain and cannot be phished. Enabling any form of MFA is still dramatically better than using only a password: Microsoft reports that MFA blocks over 99.9% of account compromise attacks.

OSINT (Open Source Intelligence)

OSINT refers to intelligence gathered from publicly available sources: social media profiles, news articles, public records, domain registration databases (WHOIS), court filings, company registers, satellite imagery, and forum posts. Security professionals use OSINT for penetration testing (enumerating an organisation's exposed attack surface), journalists use it to verify identities and trace financial flows, and threat actors use it to craft targeted spear-phishing attacks. Common OSINT tools include Maltego, Shodan (indexing internet-connected devices), theHarvester (enumerating emails and subdomains), and Google Dorking (advanced search operators to find sensitive exposed data). From a personal privacy standpoint, minimising your digital footprint — setting social media profiles to private, opting out of data-broker databases, using separate email addresses per service — reduces the information available for OSINT reconnaissance against you.

Passphrase

A passphrase is a password composed of a sequence of random words rather than a single complex string. The Diceware method — choosing words at random using dice from a curated wordlist — produces passphrases like "correct-horse-battery-staple" that are both highly secure (high entropy) and easier to memorise than character-soup equivalents. A four-word Diceware passphrase drawn from a 7,776-word list provides approximately 51 bits of entropy; six words provide ~77 bits, exceeding the security of most random 12-character passwords. Length beats complexity: "purple-tiger-monday-keyboard" is harder to crack by brute force than "P@$$w0rd!2024" even though the latter looks more complex. Passphrases work best as master passwords for password managers, full-disk encryption, or GPG keys — contexts where you need to remember the credential. For other accounts, use a password manager to generate and store truly random unique passwords.
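The entropy figures above, worked through as an added example that is not part of the original glossary: a passphrase generator using the operating system's CSPRNG, with the entropy arithmetic for word lists and character sets. The 16-word list is a constructed stand-in; a real passphrase needs the full 7,776-word list.

```python
import math
import secrets

# Constructed stand-in list (16 words = 4 bits per word), for the demo only.
DEMO_WORDLIST = [
    "amber", "basil", "cedar", "delta", "ember", "fjord", "grove", "heron",
    "ivory", "jetty", "kiosk", "lilac", "maple", "nomad", "onyx", "pearl",
]


def entropy_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def generate_passphrase(wordlist, n_words, separator="-"):
    """Pick words uniformly with the OS CSPRNG; return phrase and entropy.

    The entropy figure only holds because every word is drawn at random.
    A phrase a person makes up has far less, whatever its length.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return separator.join(words), entropy_bits(len(wordlist), n_words)


def words_needed(target_bits, list_size=7776):
    """Smallest word count that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase, bits = generate_passphrase(DEMO_WORDLIST, 6)
    print(f"demo phrase: {phrase} ({bits:.0f} bits from the 16-word demo list)")

    print(f"4 Diceware words: {entropy_bits(7776, 4):.1f} bits")
    print(f"6 Diceware words: {entropy_bits(7776, 6):.1f} bits")
    # Random 12-character passwords for comparison.
    print(f"12 chars, a-zA-Z0-9: {entropy_bits(62, 12):.1f} bits")
    print(f"12 chars, 94 printable ASCII: {entropy_bits(94, 12):.1f} bits")
    print("words for 128 bits:", words_needed(128))
```

Six Diceware words beat a random 12-character alphanumeric password but fall just short of one drawn from all 94 printable ASCII characters.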

Password Manager

A password manager is a software application that generates, stores, and autofills strong unique passwords for every account, protected by a single master password (ideally a strong passphrase). Because humans cannot memorise hundreds of complex unique passwords, most people reuse passwords — a practice that turns every data breach into a cascading credential-stuffing attack against all their other accounts. Password managers solve this by managing complexity on the user's behalf: they can generate 20+ character random strings like K#7mP!qzV2&nXwL9 for every site without the user ever needing to remember them. Leading password managers include Bitwarden (open-source, audited), 1Password, Dashlane, and KeePass (local-only). Key features to look for: zero-knowledge architecture (the provider cannot see your vault), independent security audits, breach-monitoring integration, and browser autofill support. Our Password Security tool can evaluate the strength of your passwords.

The most important security practice for a password manager is protecting its master password with MFA (preferably a hardware key or FIDO2 passkey) and ensuring the master password itself is a strong, unique passphrase not used anywhere else.

Personally Identifiable Information (PII)

Personally Identifiable Information is any data that can be used, alone or in combination, to identify a specific individual. Direct PII includes names, social insurance numbers (SIN), passport numbers, email addresses, and phone numbers. Indirect PII — also called quasi-identifiers — includes data points that are not uniquely identifying on their own (birthdate, postal code, gender) but can be combined to re-identify individuals: a landmark Carnegie Mellon study found that 87% of the US population can be uniquely identified using just ZIP code, birthdate, and gender. Online PII now routinely includes IP addresses, device fingerprints, account usernames, and cookie identifiers. Under GDPR, any data from which a natural person is identifiable — including browser fingerprints, even if not linked to a name — constitutes personal data subject to data-protection obligations. Privacy regulations impose strict requirements on the collection, storage, processing, and deletion of PII.

Phishing

Phishing is a social engineering attack in which an attacker impersonates a trusted entity — a bank, government agency, employer, or popular service — to deceive victims into revealing credentials, transferring money, or installing malware. Standard phishing uses mass-sent emails with generic lures; spear phishing targets specific individuals with personalised messages leveraging OSINT-gathered context; whaling targets executives; vishing (voice phishing) uses phone calls; and smishing uses SMS. Phishing URLs often use lookalike domains (paypa1.com, amazon-security.info), Unicode homograph attacks (using visually identical characters from other alphabets), or compromised legitimate domains. Recognising phishing requires checking the actual URL (not just the displayed text), being sceptical of urgency and threats, and verifying requests through a separate trusted channel. FIDO2/passkey authentication is the only credential type that provides complete phishing immunity, as keys are bound to the legitimate domain.

Privacy by Design (PbD)

Privacy by Design is a framework developed by Ontario's former Information and Privacy Commissioner, Ann Cavoukian, in the 1990s, which holds that privacy should be embedded into systems and business processes from the outset — not bolted on as a compliance afterthought. Its seven foundational principles include: proactive not reactive privacy protection; privacy as the default (users should get maximum privacy without taking any action); privacy embedded into design; full functionality (no false trade-off between privacy and usability); end-to-end lifecycle protection; visibility and transparency; and respect for user privacy. GDPR Article 25 codified a legal requirement for "data protection by design and by default." In practice, PbD means architects and developers are responsible for asking "what data do we actually need?" before building, choosing encryption over plaintext storage, and setting collection to off by default rather than requiring users to opt out.

Privacy Policy

A privacy policy is a legal document that discloses what personal data an organisation collects, for what purposes, how it is stored and protected, with whom it is shared, how long it is retained, and what rights users have regarding their data. Under GDPR, CCPA, PIPEDA (Canada), and Quebec's Law 25, privacy policies are legally mandatory for organisations that collect personal data, and they must be written in clear, plain language — not legalese designed to obscure rather than inform. Common problems with privacy policies include: being too long to read realistically (the average privacy policy takes 16 minutes to read); using vague language ("may share with partners"); setting default opt-ins; and updating policies unilaterally without meaningful user notification. The nonprofit Terms of Service; Didn't Read (ToS;DR) project grades and summarises privacy policies to make them accessible. A policy that says nothing meaningful is not the same as actually protecting your privacy.

Ransomware

Ransomware is a category of malware that encrypts the victim's files — or threatens to publish them — and demands a ransom payment (typically in cryptocurrency) in exchange for the decryption key. Modern ransomware operations follow a "double extortion" model: attackers first exfiltrate sensitive data, then encrypt it, threatening to publish the stolen data on a leak site if the ransom is not paid, pressuring victims even if they have backups. Ransomware-as-a-Service (RaaS) groups like LockBit, ALPHV/BlackCat, and Cl0p operate like professional criminal enterprises with support desks, affiliate programmes, and negotiation portals. The Colonial Pipeline attack (2021) shut down fuel supplies to the US East Coast; the Medibank breach (2022) exposed health records of 9.7 million Australians. Defences include offline and immutable backups (the 3-2-1 rule: 3 copies, 2 media types, 1 offsite), network segmentation, timely patching, and MFA on all remote access systems.

Social Engineering

Social engineering is the manipulation of people — rather than systems — to divulge confidential information or perform actions that benefit an attacker. It exploits psychological principles: authority (impersonating a manager or government official), urgency (creating time pressure that bypasses rational evaluation), reciprocity, social proof, and fear. Beyond phishing, social engineering techniques include pretexting (building a fabricated scenario — e.g., calling as "IT support" to reset credentials), baiting (leaving infected USB drives in a parking lot), tailgating (following an authorised person through a secure door), and vishing (phone-based manipulation). The 2020 Twitter hack — in which attackers gained access to accounts including Barack Obama, Elon Musk, and Joe Biden to run a Bitcoin scam — was executed entirely through social engineering of Twitter employees, with no technical exploit required. Effective defences are organisational: security awareness training, verification protocols, and a culture where employees feel safe reporting suspicious requests without fear of embarrassment.

SSL / TLS (Transport Layer Security)

TLS (Transport Layer Security) is the cryptographic protocol that secures communications between clients and servers on the internet — the foundation of HTTPS, secure email, and VPN protocols. SSL (Secure Sockets Layer) is the predecessor to TLS; the term "SSL" persists colloquially but SSL 3.0 and all TLS versions prior to 1.2 are deprecated and insecure. TLS 1.3 (2018) is the current standard, offering improved performance (1-RTT handshake), stronger cipher suites (only AEAD ciphers), and perfect forward secrecy (PFS) by default, meaning past sessions cannot be decrypted even if the server's private key is later compromised. A TLS certificate, issued by a Certificate Authority (CA), binds a public key to a domain name, allowing browsers to verify they are talking to the legitimate server. Let's Encrypt provides free, automated TLS certificates, dramatically increasing HTTPS adoption since its launch in 2016.

Threat Model

A threat model is a structured analysis of who might want to attack you, what assets they are after, what capabilities they have, and what defences are appropriate given your specific risk profile. Effective privacy and security decisions depend on threat modelling because universal "maximum security" is both impractical and often counterproductive. A journalist protecting sources from a nation-state adversary has fundamentally different requirements than a parent wanting to prevent their browser history from being seen by advertisers. The Electronic Frontier Foundation's threat modelling framework asks five questions: What do you want to protect? From whom? How likely is a successful attack? How bad would the consequences be? How much effort are you willing to spend? Matching defences to actual threats prevents security fatigue (over-hardening to irrelevant threats) while ensuring critical risks are addressed.

Tracker Blocker

A tracker blocker is a tool — browser extension, DNS filter, or built-in browser feature — that prevents third-party tracking scripts, analytics beacons, advertising pixels, and fingerprinting scripts from loading on web pages. Extension-based blockers (uBlock Origin, Privacy Badger, Ghostery) use filter lists such as EasyPrivacy, EasyList, and DuckDuckGo's Tracker Radar to identify and block known trackers. DNS-based blockers (Pi-hole, NextDNS, AdGuard Home) operate at the network level, blocking tracker domains before any data is sent. Browser-native solutions (Safari's Intelligent Tracking Prevention, Firefox's Enhanced Tracking Protection, Brave Shields) apply tracker blocking by default without requiring additional extensions. Tracker blocking measurably improves page load speed (many trackers add hundreds of milliseconds), reduces data consumption, and prevents behavioural profiling — studies find tracker blockers prevent connections to 50–80 third-party data collectors on average news websites.

Two-Factor Authentication 2FA

Two-factor authentication (2FA) is the specific case of multi-factor authentication using exactly two factors. The most common implementation combines a password (something you know) with a time-based one-time password (TOTP) generated by an authenticator app (something you have). TOTP codes rotate every 30 seconds using the HMAC-SHA1 algorithm and a shared secret seeded during setup, meaning a stolen code is useless after it expires. 2FA via authenticator apps (Google Authenticator, Aegis, Authy) is significantly more secure than SMS codes, which are vulnerable to SIM-swapping. Enabling 2FA on email accounts is especially critical because email is the recovery mechanism for virtually all other accounts — an attacker who controls your email inbox can reset passwords for banks, social media, and government services. See also: FIDO2 / WebAuthn for phishing-resistant alternatives to TOTP.

VPN Virtual Private Network

A VPN encrypts your internet traffic and routes it through a server in a location you choose, masking your real IP address from websites you visit and hiding your browsing activity from your ISP. This protects against passive surveillance on public Wi-Fi networks, ISP data harvesting, and geo-restrictions on content. However, VPNs are frequently misunderstood: they shift trust from your ISP to the VPN provider, who can log your traffic unless they have a genuinely audited no-log policy. A VPN does not make you anonymous — websites can still fingerprint your browser, track you via cookies if you're logged in, or identify you through behavioural patterns. VPN providers vary dramatically in trustworthiness: providers headquartered in 14-Eyes surveillance alliance countries are subject to national-security data requests, and free VPNs often monetise user data — the very activity users are trying to prevent. Reputable options with independent audits include Mullvad, ProtonVPN, and IVPN. The WireGuard protocol offers significantly better performance and a smaller, more auditable codebase than older OpenVPN and IPsec implementations.

WebRTC Leak

WebRTC (Web Real-Time Communication) is a browser API that enables peer-to-peer audio, video, and data channels — used by video conferencing tools like Google Meet, Jitsi, and Discord. During the ICE (Interactive Connectivity Establishment) negotiation process, WebRTC queries the operating system for all network interfaces and IP addresses, including internal LAN addresses and the public IP assigned by the ISP. Because this query bypasses the VPN tunnel's routing rules in some configurations, websites can use a small JavaScript snippet to discover your real IP address even while you are connected to a VPN. WebRTC leaks are not universal — they depend on OS, browser, and VPN client configuration — but represent a significant privacy risk for VPN users relying on IP masking. Mitigations include disabling WebRTC in Firefox (media.peerconnection.enabled: false), using the WebRTC Network Limiter extension in Chrome, or using a VPN client that handles WebRTC leak prevention at the OS level.
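A self-check for the leak described above, as an added example (not part of the original glossary): it parses ICE candidate lines, such as those a browser lists on its WebRTC diagnostics page, and flags any address other than the VPN exit IP. The function names, the sample lines and the exit IP are constructed for illustration.

```python
import ipaddress

# RFC 1918, link-local and IPv6 unique-local ranges: addresses that reveal
# a private network (this also covers the VPN tunnel's own internal address).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def parse_candidate(line: str) -> dict:
    """Split one ICE candidate attribute into the fields that matter here.
    Layout: candidate:<foundation> <component> <transport> <priority>
            <address> <port> typ <type> [raddr <addr> rport <port>]"""
    text = line.strip().removeprefix("a=").removeprefix("candidate:")
    f = text.split()
    if len(f) < 8 or f[6] != "typ":
        raise ValueError(f"not an ICE candidate: {line!r}")
    return {"address": f[4], "port": int(f[5]), "type": f[7]}

def classify(address: str, vpn_exit_ip: str) -> str:
    if address.lower().endswith(".local"):
        return "masked"              # mDNS hostname: the browser hid the IP
    ip = ipaddress.ip_address(address)
    if ip == ipaddress.ip_address(vpn_exit_ip):
        return "vpn"                 # what a remote site is expected to see
    if any(ip in net for net in LAN_NETS):
        return "private-exposed"
    return "public-leak"             # public address that is not the VPN exit

def audit(lines, vpn_exit_ip):
    """Return (verdict, candidate type, address) for every exposed address."""
    findings = []
    for line in lines:
        cand = parse_candidate(line)
        verdict = classify(cand["address"], vpn_exit_ip)
        if verdict in ("private-exposed", "public-leak"):
            findings.append((verdict, cand["type"], cand["address"]))
    return findings

# Constructed sample candidates; the public IPs are documentation ranges.
SAMPLE = [
    "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
    "candidate:2 1 udp 2122194687 b7c2a9d4-1e5f-4a3b-9c8d-0f1e2d3c4b5a.local 54322 typ host",
    "a=candidate:3 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 0.0.0.0 rport 0",
    "candidate:4 1 udp 1686052607 198.51.100.7 61001 typ srflx raddr 0.0.0.0 rport 0",
]
```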

Zero-Day Vulnerability 0-day

A zero-day vulnerability is a security flaw in software that is unknown to the vendor and therefore unpatched — the term "zero-day" refers to the zero days of warning the vendor has had to fix it. Zero-days are valuable commodities: nation-state intelligence agencies, defence contractors (Zerodium, Crowdfense), and criminal organisations pay hundreds of thousands to millions of dollars for reliable zero-days in high-value targets like iOS, Chrome, or Windows. Once a zero-day is weaponised into an exploit, it can be used to silently compromise fully patched, up-to-date systems. High-profile zero-days include the FORCEDENTRY exploit used to deliver the Pegasus spyware against journalists and activists through iMessage without any user interaction (a "zero-click" exploit). Defences against zero-days rely on defence-in-depth: sandboxing (limiting the blast radius of a compromise), network segmentation, rapid patch deployment for discovered vulnerabilities, and anomaly-detection monitoring rather than solely signature-based defences.

Zero-Knowledge Proof ZKP

A zero-knowledge proof is a cryptographic protocol in which one party (the prover) can convince another party (the verifier) that a statement is true, without revealing any information beyond the truth of the statement itself. The classic illustration: Alice can prove to Bob that she knows the colour of a balloon without ever telling Bob the colour, through an interactive challenge-response process. In practice, ZKPs enable privacy-preserving authentication (proving you are over 18 without revealing your birthdate), private blockchain transactions (Zcash, Tornado Cash), anonymous credential systems, and password verification without transmitting the password. zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) and zk-STARKs are efficient non-interactive variants used in blockchain scaling and privacy applications. ZKPs represent a fundamentally different approach to identity verification: you can prove you have the right without revealing who you are.
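The interactive challenge-response idea above, as an added example (not from the original glossary): Schnorr's identification protocol, in which the prover shows knowledge of a secret exponent without sending it. The group parameters are a toy size constructed for readability, the function names are this example's own, and the protocol is zero-knowledge against an honest verifier.

```python
import secrets

# Toy group constructed for this example: P = 2Q + 1 with P and Q prime, and
# G = 4 generates the subgroup of order Q. Real systems use ~256-bit groups.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1        # prover's secret
    return x, pow(G, x, P)                  # public key y = G^x mod P

def commit():
    r = secrets.randbelow(Q - 1) + 1        # fresh nonce for every run
    return r, pow(G, r, P)                  # commitment t = G^r mod P

def respond(x, r, c):
    return (r + c * x) % Q                  # response s = r + c*x mod Q

def check(y, t, c, s):
    return pow(G, s, P) == (t * pow(y, c, P)) % P   # G^s == t * y^c ?

def run_protocol(x, y):
    r, t = commit()                         # prover   -> verifier: t
    c = secrets.randbelow(Q)                # verifier -> prover:   c
    s = respond(x, r, c)                    # prover   -> verifier: s
    return check(y, t, c, s)

def simulate(y):
    """Build an accepting transcript WITHOUT x by picking c and s first.
    Since anyone can produce such transcripts, seeing one reveals nothing
    about x: this is the zero-knowledge property."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, c, s

def extract(c1, s1, c2, s2):
    """Recover x from two responses to different challenges on the SAME nonce.
    This is why the proof shows knowledge of x, and why a prover that reuses
    a nonce gives its secret away."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q
```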

Last Updated: March 10, 2026