You asked us for it, and now we’re thrilled to announce the official launch of our online shop, where you can buy ExpressVPN’s Aircove routers directly from us.

We opened the ExpressVPN Store to provide greater convenience to users, allowing you to easily purchase our signature Aircove products straight from the source. The store also makes Aircove available to people from more countries than ever before.

To celebrate this milestone, we’re offering a limited-time promotion of 10% off all Aircove products purchased through the ExpressVPN Store. Applied automatically at checkout, the month-long offer is available up till June 13, 2024. There’s never been a better time to protect your entire household with our award-winning VPN routers.

Here’s what’s currently available to buy in the ExpressVPN Store:

Aircove

Our groundbreaking router is the world’s very first Wi-Fi router with built-in VPN functionality. Aircove comes preinstalled with ExpressVPN’s proprietary software, bringing the full benefits of a VPN to every device on your network. You’ll also be able to enjoy features such as our ad blocker, tracker blocker, and parental controls, just like on our apps. Getting protected is as easy as connecting to the internet. (An active ExpressVPN subscription is required for VPN functionality.)

Learn More About Aircove

Aircove Go

The portable version of our Aircove router, Aircove Go lets you enjoy all the benefits of ExpressVPN in one palm-sized package by adding VPN encryption to any Wi-Fi connection—perfect for when you’re out and about. Even if you’re not traveling, Aircove Go can be easily integrated into your home setup to provide VPN protection wherever and whenever you need it.

Learn More About Aircove Go

The launch of our store allows for users in more countries to buy Aircove products, adding Australia, France, New Zealand, and Switzerland to the list of available countries. Here’s the full list of countries where you can buy Aircove and Aircove Go via the ExpressVPN Store:

Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, France, Finland, Germany, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, United States.

We’re proud to offer more ways for people around the world to seamlessly protect their digital lives. Visit the ExpressVPN Store now to browse our products. 

The post ExpressVPN launches an online store appeared first on ExpressVPN Blog.

​​Domain Name System hijacking (DNS hijacking) is a tactic used to redirect you to websites different from the ones you intend to visit, usually to steal your personal data, display unwanted ads, or impose internet censorship. 

Jump to…
What is DNS?
How DNS hijacking works
Why are DNSs hijacked?
Common types of DNS hijacking attacks
How to detect DNS hijacking
Ways to prevent DNS hijacking
DNS hijacking vs DNS spoofing vs cache poisoning
Real-world examples of DNS hijacking

What is DNS?

The Domain Name System (DNS) is the part of the internet that translates human-friendly domains (such as www.expressvpn.com) to computer-friendly IP addresses (long strings of numbers), which in turn allow your computer to connect where it needs to and load the correct pages.

Every time you try to visit a web page by clicking on a link or typing in a URL, a DNS lookup occurs before you are brought to the correct web page. Your ISP and Wi-Fi admin can see what you’re looking at through DNS information. When you connect with ExpressVPN turned on, our servers handle all of your DNS requests—not your ISP. In fact, because ExpressVPN secures your traffic, your ISP can’t even tell if you make a DNS request. We never log DNS requests, and when we look up a name on your behalf, all any other DNS server can see is our server address—they can never see you.

Want to know more about what a DNS does? Watch the video below:

How DNS hijacking works

When a computer reaches out to a DNS server to find a website, it doesn’t check whether it’s connecting to the correct server. This enables attackers to imitate the DNS server and deliver incorrect responses.

It is also possible for a DNS server itself to poison its records. This means replacing the IP address of the site you want to visit with that of another site or simply removing the IP address altogether. This is similar to altering a phone book, removing certain names or companies or swapping a listing’s address to that of another company.

DNS hijacking makes it possible for a sophisticated attacker to impersonate websites, gathering personal information such as passwords and IP addresses.

Why are DNSs hijacked?

As DNS is one of the most important aspects of the internet, it’s subsequently a target of various forms of attack for a range of reasons, like the following:

Display ads to generate revenue

Attackers can hijack your DNS to display unwanted ads and generate revenue using a technique known as pharming. In a less fraudulent sense, your internet service provider can also manipulate your DNS requests to show ads to you.

Steal your personal information

DNS hijackers will redirect you to fake websites that look like legitimate ones, aiming to steal your login credentials and other of your personal data. This is a common technique known as phishing.

Government or organizational censorship

Governments can use DNS hijacking to suppress political opposition or prohibit certain online content. Users won’t be able to access the censored website and will be redirected to a different website. Schools and organizations can also manipulate DNS requests to prevent inappropriate content from showing to their users.

Common types of DNS hijacking attacks

Local DNS hijack

Attackers start by installing malware on a user’s computer. The attacker can then change your DNS settings and redirect you to malicious websites, usually to steal your personal data.

Router DNS hijack

An attacker can change your router’s DNS settings by exploiting software vulnerabilities. They can also break into your router’s configuration page with the default username and password. This allows them to redirect you to malicious websites to obtain your personal information or do harm to your device. That’s why it’s important to keep your router updated to repair vulnerabilities. (ExpressVPN for routers updates automatically to save you the hassle!)

Router vulnerabilities

This vulnerability also goes through the router. In this case, attackers take advantage of a vulnerability in your router, and they change your DNS configurations to hijack them. Ensure your router’s firmware is always up to date to mitigate this risk.

Man-in-the-middle DNS attacks

A man-in-the-middle (MITM) attack intercepts the communication between you and another party, which is usually a website or application you’re trying to access. Instead of seeing the real website, you’ll be presented with a malicious one.

Rogue DNS server attacks

This happens when an attacker hacks a DNS server and changes its DNS records. Your DNS requests will return with malicious sites.

How to detect DNS hijacking

There are usually some telltale signs your DNS has been hijacked. For starters, websites can load more slowly than usual, or you may see random pop-ups that say your computer is infected. Of course, these signs aren’t enough, and thankfully, there are tools you can use to verify if your DNS has been hijacked.

Use the ping command

You can detect DNS hijacking by running a ping command, which essentially tests whether an IP address exists. If you ping a non-existent domain name and it resolves, there’s a good chance your DNS is hijacked. If it doesn’t resolve, this means your DNS is safe.

Ensure you try to ping a web domain that doesn’t exist. Otherwise, you will get a response and get a false positive.

On Mac

1. Open Terminal.
2. Enter the following command: ping [a random website name].

If it says “cannot resolve,” your DNS is safe.

On Windows

1. Open the Command Prompt.
2. Enter the following command: ping [a random website name].

If it says “cannot resolve,” your DNS is safe.

On Linux

1. Open Terminal.
2. Enter the following command: ping [a random website name].

If it says “cannot resolve,” your DNS is safe because the random domain you tried to ping will not match any actual IP addresses.

Check DNS settings on your router

This process involves accessing your router’s admin panel through its IP address, typically found in your device’s network settings. Once logged in, navigate to the DNS settings to see which DNS servers your router is configured to use. Verify that these servers are legitimate and authorized, often provided by your Internet Service Provider (ISP) or a trusted third-party service like Google DNS or OpenDNS. Checking these settings manually gives you control and a clear understanding of your network’s security status.

Use WhoIsMyDNS.com

WhoIsMyDNS shows you the DNS servers you’re using and the company that owns them. Unless you’re connected to a VPN, you’ll be using the IP addresses of the DNS servers provided by your internet service provider. If you don’t recognize the company name, there’s probably something wrong with your DNS.

Check your URLs

URLs or uniform resource locators is the technical term for an internet address. It’s what you type on the address bar of your web browser to go to a website. It’s important that if you’re suspicious, you check the entire URL once your browser’s loaded the website you’re trying to visit. If it’s even slightly different (imagine expressvon.com instead of expressvpn.com), your DNSs could be compromised.

Ways to prevent DNS hijacking

Thankfully, there are ways to prevent DNS hijacking.

For general internet users

Here are a couple of things you can do to prevent DNS hijacking:

• Change your router’s default username and password. This prevents attackers from trying to access your router’s settings with the default login credentials commonly used for routers.
• Ensure your software is up to date. This includes operating systems and any applications you use, as they’re all potentially vectors for an attack. Additionally, check your router’s firmware is also up to date.
• Install antivirus software. Antivirus software can detect and eliminate malware that performs DNS hijacking. Some antivirus software performs constant scans, detecting attacks at the moment they occur.
• Use a VPN. ExpressVPN runs its own encrypted, secure DNS servers, so when you’re connected to ExpressVPN, you automatically use these servers. No one else can get hold of your information or hijack your connection. This also ensures you can’t be censored by a government or your internet service provider.
• If your ISP’s DNS servers aren’t safe, use an alternative DNS service like Google Public DNS, OpenDNS, or Cloudflare DNS.

If you do all of the above, you will have a multi-layered defense against DNS hijacking.

For name servers and resolvers

• Shut down unneeded DNS resolvers. Also, legitimate resolvers should be placed behind a firewall.
• Restrict access to a name server. Network security measures should be used.
• Take precautions against cache poisoning. For example, use a random source port and query ID. Also, randomize upper and lower cases in domain names.
• Patch known vulnerabilities. Hackers actively exploit vulnerabilities in DNS servers.
• Separate the authoritative nameserver from the DNS resolver. A DDoS attack happening on one won’t affect the other one.

For website owners

If you use a Domain Name Registrar, a business that registers a domain name on your behalf, take the following steps to avoid DNS redirection:

Limit DNS access

Limit DNS access to only a few members of the IT team. Make sure they use two-factor authentication whenever accessing the domain name server registrar.

Enable client lock

Some DNS registrars support client lock, which prevents changes to your DNS records without approval. If your DNS registrar supports it, you should enable this option.

Use a DNS registrar that supports DNSSEC

DNSSEC stands for Domain Name System Security Extensions. It makes it more difficult for hackers to intercept your DNS requests. If your DNS registrar supports DNSSEC, make sure to enable this option.

DNS hijacking vs DNS spoofing vs cache poisoning

DNS hijacking, DNS spoofing, and cache poisoning are all methods of cyber manipulation involving the Domain Name System (DNS), but they differ in their mechanisms and impact:

• DNS hijacking: This occurs when an attacker redirects queries to a DNS server to a malicious DNS server, often by altering DNS settings on a network device such as a router. This can lead the user to fraudulent websites without their knowledge, potentially resulting in the theft of sensitive information.
• DNS spoofing: Also known as DNS cache spoofing, this involves corrupting the DNS query process by inserting false information into the cache of a DNS resolver. This misleads users into visiting a spoofed site rather than the legitimate one they intended to visit, similar to hijacking but often occurs at the resolver level rather than at the user’s device.
• Cache poisoning: A specific form of DNS spoofing, cache poisoning involves sending corrupt DNS cache data to a DNS resolver. This incorrect information is then stored in the DNS cache, causing users who query the resolver to receive incorrect responses and directing them to unauthorized or malicious websites.

Real-world examples of DNS hijacking

There are many real-life examples of DNS hijacking. We’ve collated a few significant ones below:

The Sea Turtle campaign

In early 2017, a mysterious group called Sea Turtle targeted 40 organizations spreading across 13 countries, primarily in the Middle East and North Africa. They compromised third parties that handled the victims’ DNS queries, redirecting them to fake websites to steal their login credentials.

The Twitter, New York Times & Huffington Post DNS hijack

In 2013, a group of hackers called the Syrian Electronic Army hijacked the DNS servers of Twitter, the New York Times, and the Huffington Post among other media outlets.

The ICANN DNS hijack attack

The Internet Corporation for Assigned Names and Numbers (ICANN) was hijacked by a Turkish hacker group, NetDevilz, in 2018. Its site users were redirected to a page that says “You think that you control the domains but you don’t! Everybody knows wrong.”

A DNS attack against WikiLeaks

In 2017, a Saudi Arabian-based hacker group known as OurMine compromised the DNS servers of WikiLeaks, directing its users to a fake website.

The post What is DNS hijacking? appeared first on ExpressVPN Blog.

When you browse the web, your privacy is at stake. Trackers, cookies, and fingerprinting techniques allow companies to collect your personal data for profit. Hackers also exploit browser vulnerabilities to steal sensitive information. Choosing the best browser for privacy is crucial to safeguard your online identity. 

In this article, we rank the best and worst browsers for privacy in 2024. Through extensive research and testing, we assess each browser’s approach to blocking trackers, preventing fingerprinting, and ensuring secure browsing. Whether you prioritize anonymity or seek a balance of privacy and usability, our recommendations will help you make an informed choice.

Best (and worst) browsers for privacy and security in 2024

15. Microsoft Edge
14. SeaMonkey
13. Apple Safari
12. Google Chrome
11. Waterfox
10. GNU IceCat
9. Iridium
8. Opera
7. Vivaldi
6. Pale Moon
5. LibreWolf
4. Chromium
3. Brave
2. Mozilla Firefox
1. Tor Browser
Honorable mention: DuckDuckGo

Best browsers for privacy in 2024

15. Microsoft Edge

✓ Chromium-based
✓ Partially open-source
✗ Collects user data

Microsoft has been keen to make Edge the browser of choice among Windows users, having retired Internet Explorer. Since its launch in 2015, Edge has expanded beyond Windows 10 to more operating systems, including Mac, Android, and iOS.

Microsoft clearly wants this browser to have the edge on its predecessor in terms of page load speeds, but what about its security and privacy?

The good

This year Microsoft made a significant shift in Edge’s design—as of January 2020, the browser is Chromium-based, which means part of its code is open-source. The browser itself updates its software at least once a week, mainly consisting of security updates. We can’t overstate enough how important it is to update your apps and devices even if it’s tedious to do so. It’s good to see that Edge is coming out with regular updates to patch security issues.

Microsoft has also rolled out Automatic Profile Switching, which is supposed to help switch between your work and non-work accounts easily.  Additionally, Edge offers some basic privacy features like the ability to block pop-ups and send “Do Not Track” requests. It also runs in a sandbox environment to minimize the risk of malicious sites affecting users.

The bad

However, Edge is only updated twice a year, which is infrequent compared to other modern browsers that receive updates monthly. This is concerning given how rapidly malware, scams, and privacy violations evolve. The limited extension support in Edge, while reducing the risk of installing malicious extensions, is also an inconvenience for users.

Another fundamental flaw in Edge’s security recently came to light when security researchers revealed that Edge “send[s] persistent identifiers than can be used to link requests (and associated IP address/location) to backend servers.”

A company spokeswoman told ZDNet that “Microsoft Edge sends diagnostic data used for product improvement purposes, which includes a device identifier. On Windows, this identifier enables a single-click ability to delete the related diagnostic data associated with the device ID stored on Microsoft servers at any time (from Windows settings), something which is not offered by all vendors.”

She added: “Microsoft Edge asks for permission to collect diagnostic data for product improvement purposes and provides the capability to turn it off at any later point. This diagnostic data may contain information about websites you visit. However, it is not used to track your browsing history or URLs specifically tied to you.”

Regardless, such data collection can reveal much about the user’s identity, and not much can really be done about it. Furthermore, as both of Microsoft’s browsers are closed-source, there’s no telling what types of surveillance widgets might lurk within them.

You can see more on what Edge collects here, but the fact that the browser can identify your device alone is worrisome, and we’d avoid using it.

Would we recommend this browser? No.

14. Mozilla SeaMonkey

✓ Browser and email client in one
✗ Occasionally resource-heavy

Unlike other entries on this list, SeaMonkey is a full suite of programs that include a browser, mail client, and WYSIWYG HTML editor. It is a community-driven project that was originally based on the now-defunct Mozilla Application Suite. SeaMonkey was established in 2005 after Mozilla began developing Firefox and Thunderbird email client.

The good

It’s a one-stop shop for browsing the internet that’s designed to be speedy and feature-rich. This includes built-in pop-up blockers and auto cookie clearing after each session. It is also generally seen as quite safe.

The bad

It’s quite clunky to use. Also, security updates must be performed manually which may be quite a bit of hassle. SeaMonkey may also have some issues detecting and blocking ransomware.

Would we recommend this browser? No.

13. Apple Safari

✓ Runs pages in a sandbox
✓ Stops malicious code accessing user data
✗ Not open-source

Safari is only available on Apple products now, but for a short while it was found on PCs. Safari is the default browser for Mac, but like Microsoft’s Edge it plays second fiddle to Google Chrome in its popularity.

The good

Safari prevents suspicious sites from loading and alerts you to the potential danger. By running web pages in a sandbox, Safari also prevents malicious code on one page from affecting the entire browser or accessing your data.

Safari offers a range of useful extensions to safeguard your privacy. It has features like a password generator that creates long randomized passwords, and a private browsing mode that uses DuckDuckGo by default. DuckDuckGo is an anonymized, privacy-oriented alternative to Google that doesn’t track you the same way.

In the few years since Safari’s Intelligent Tracking Prevention (ITP) feature launched, the browser appears to have prevented websites from tracking users, making it difficult for advertisers to target. It also helps camouflage digital fingerprinting and prevents third-party sites from leaving data in your cache by default, helping you stay anonymous online. In addition, Safari offers a range of useful extensions to safeguard your privacy.

The bad

Like Chrome and Edge, Safari is not open-source, so outsiders can’t scrutinize any of its code. Safari updates are offered at very irregular intervals, which is surprising given that it’s made by the world’s largest technology company. When compared with its rivals, Safari updates much more slowly. Mac users are arguably exposed to fewer internet vulnerabilities than PC users, but the lower frequency is still troubling.

Researchers from Google’s Information Security Engineering team recently found several security issues in the above-mentioned ITP anti-tracking system, claiming ITP actually leaks Safari users’ web-browsing habits. Some of these issues were addressed in later Apple security updates, but that may not be enough to quell suspicions of the browser.

While Safari’s private browsing mode aims to protect user privacy, Apple has been caught collecting browsing history even when the feature is enabled. Until Apple addresses these issues, users should be cautious about relying solely on Safari’s private mode for sensitive browsing.

Would we recommend this browser? Not until we see an open-source version, and even then maybe not.

12. Google Chrome

✓ Automatic updates
✓ Partially open-source
✗ Tracks a great deal of user data

Over a decade has passed since the launch of Google Chrome, and it has since become the undisputed leader in browser market share, at almost 80%. Given its reputation for speed and the prevalence of Google services in our lives (web search, YouTube, Gmail, Google Docs, etc.), it’s no surprise Chrome has become the most widely used web browser today. But how does it perform on your privacy and security?

The good

In addition to leading its competitors in update frequency and scanning for harmful downloads, Google automatically updates Chrome to the latest version every six to eight weeks, ensuring its users are always enjoying the latest browsing features. Part of its code is also open-source, which allows users to scrutinize, and also adopt, parts of its code.

Google has also encouraged hackers to find vulnerabilities in its own browser so the company can improve its product.

The bad

While the browser does offer the usual pop-up blocker and allows users to send a “do not track” request along with their browser traffic (which, by the way, does very little to stop sites from tracking you), one simply cannot ignore that Chrome belongs to the company that makes millions from knowing everything about you.

From automatically signing you in to the browser to a fishy location history policy, Google seems to be developing the habit of rolling out something unpopular before reeling it back in another update. There are ways around this, but Google is still using Chrome to learn about you and then monetizing that information.

Google did announce that they would eventually force third-party cookies to identify themselves on Chrome, but no word on when that will happen, nor whether this would actually stop trackers.

Chrome also boasts an extensive library of browser extensions, which offer a range of additional functionalities but at the cost of reduced privacy. Furthermore, since Chrome is a closed-source browser, no one can crack it open to see what (if anything) is hidden in the code. That said, this is no problem if you trust Google’s stance on privacy, and there is also an open-sourced version of Chrome available.

Would we recommend this browser? Not unless you want Google tracking everything, no.

11. Waterfox

✓ No telemetry
✓ Highly customizable
✗ Owned by an advertising company

As the name would suggest, Waterfox is based on Firefox. The philosophy behind Waterfox is the goal of achieving a balance between privacy and useability. As stated on the Waterfox website: “Too much focus on privacy and the web becomes too broken to use. Too little and data leakage happens.” Waterfox has been designed so that only users know what they are doing inside their browsers.

The good

As a Firefox fork, Waterfox is compatible with all Firefox add-ons and themes. Further, like other forks of Firefox, it is easily customizable and offers decent privacy. Waterfox uses the same Gecko web rendering engine as Firefox and includes a clear, reassuring privacy policy.

The browser’s Enhanced Tracking Protection is identical to Firefox’s, which claims to protect against social media trackers, cross-site tracking cookies, fingerprinters, crypto miners, and trackers hidden in ads, videos, and other content. It also syncs data across devices and uses Oblivious DNS to hide website requests from ISPs.

The bad

As of late 2019, Waterfox is owned by an advertising company called System1. What that means for the browser still remains to be seen. Additionally, Waterfox is updated less frequently than Firefox, so it might not be the most secure browser.

Also, Waterfox’s webpage data runs through Google’s SafeBrowsing service, although you can opt out of this if you wish. Despite the browser’s claim of fingerprinting protection, the EFF’s Cover Your Tracks test reports a unique fingerprint with Waterfox’s default privacy setting.

Would we recommend this browser? No.

10. GNU IceCat

✓ No telemetry
✓ Improvement on Chromium base
✗ Infrequent updates

The GNUzilla IceCat project is part of the GNU Project and has been developed as an entirely free version of Firefox. To clarify, Firefox and its source code from the Mozilla project are free to access and modify, but there are some limitations involved that are affected by the third freedom of the Four Essential Freedoms of Free Software.

The good

As mentioned above, IceCat is part of the GNU Project and thus carries that spirit over to the browser. IceCat is privacy forward, and it has ad blockers and open-source features alternative to those of Firefox enabled by default.

The bad

IceCat releases seem to be intermittent, and compatibility for add-ons and themes may not be fully supported. There also seems to be an issue with bloatware included with the browser, which presents a mild inconvenience to completely remove.

Would we recommend this browser? No.

9. Iridium

✓ No telemetry
✓ Improvement on Chromium base
✗ Infrequent updates

Iridium is a Chromium-based browser that describes itself as a “browser securing your privacy.” 

The good

Heaps of great privacy features including: No telemetry, third-party cookies blocked by default, site data is purged at the end of each session, password storage disabled by default, and autofill disabled by default. Iridium has been designed to be more secure than a degoogled Chromium browser and is also compatible with a variety of Chrome extensions. It’s Git repositories are available for public scrutiny.

The bad

Updates are few and far between and must be applied manually, which can be cumbersome. It can also be buggy at times with compatibility issues with plugins on certain sites.

Would we recommend this browser? Maybe.

Iridium Browser download

• For PC
• For Mac
• For Linux (openSUSE, Fedora, RHEL/CentOS)

8. Opera

✓ Built-in ad blocker
✓ Chromium-based
✗ Built-in VPN logs usage

The creator of the CSS web standard, Hakon Wium Lie, developed Opera in 1995. Over the years, Opera has adopted much of Chromium’s open-source code into its software, which allows for greater scrutiny and has contributed to its reputation as a popular privacy-oriented browser.

The good

The Opera browser has a built-in ad blocker and uses a tracker blocker that takes from the EasyPrivacy Tracking Protection List, which can help protect users from seeing ads and being tracked by advertisers and other websites.

Opera continues to push the boundaries with unique features like a free built-in VPN, Opera GX gaming browser, and the latest Opera One with tile-like tab management, an AI chat sidebar, and a multithreaded compositor for faster rendering.

Opera also provides protection against web tracking, as validated by the EFF’s Cover Your Tracks test. However, it lacks specific anti-fingerprinting features, which means it presents a unique fingerprint.

The bad

Despite its feature set, Opera shares some drawbacks common in mainstream browsers. Its default window caches user data, a practice that can be adjusted in settings for enhanced privacy. Moreover, the opt-out approach to privacy settings may not suit everyone, particularly those who prefer a more straightforward, privacy-by-default browsing experience.

Opera’s ownership and the implications for privacy have also stirred concerns. Acquired in 2016 by a company based in a country known for privacy issues, and coupled with the VPN’s logging practices, users should exercise caution and consider their privacy needs when choosing Opera.

Would we recommend this browser? No.

7. Vivaldi

✓ Highly customizable
✓ Chromium-based
✗ Minor telemetry issues

Co-founded by Jon Stephenson von Tezchner (the co-founder and ex-CEO of Opera) Vivaldi was developed with the tech-skewed in mind—with an additional emphasis on ex-Opera users who weren’t enamored of the browser’s changes over time.

The good

Vivaldi offers unparalleled customization, allowing users to modify nearly every aspect of the interface. It includes built-in blockers for ads and trackers, and uses DuckDuckGo as the default search engine in incognito mode. As a Chromium-based browser, it is compatible with Chrome extensions.

Vivaldi provides additional privacy by disabling the Idle API to prevent behavioral tracking and potential keyloggers. The EFF’s Cover Your Tracks test indicated strong protection against web tracking with Vivaldi’s tracking protection enabled, although a unique fingerprint was still detectable.

The bad

Despite strong tracking protection, the EFF’s Cover Your Tracks test detected a unique fingerprint for Vivaldi. The browser’s privacy policy also outlines minor telemetry issues, stating that a unique user ID, version, CPU architecture, screen resolution, and time since the last message are sent to Vivaldi’s Iceland-based servers every 24 hours.

Vivaldi claims to anonymize user IP addresses by removing the last octet and storing only the approximate location for determining the total number of active users and their geographical distribution. However, this data collection may still raise privacy concerns for some users.

Would we recommend this browser? No.

6. Pale Moon

✓ Designed for useability
✓ Open source
✗ Compatibility issues

Another Firefox fork, the Pale Moon web browser has been developed with a focus on customization and ease of use. It has also been developed to support add-ons that are no longer supported by Firefox.  

The good

Pale Moon is designed with useability in mind with a no frills approach. In other words, Pale Moon has been designed to eschew bloatware. Further, as a Firefox fork it is compatible with Firefox add-ons and themes. It is also highly customizable, with their motto being: “Your browser, your way.”

The bad

Updates are few and far between. In terms of its no-frills approach, you may find that support for certain types of streaming video to be an issue.

Would we recommend this browser? Maybe. If anything, it would serve great as an extra browser.

Pale Moon Browser download

• For PC
• For Linux

5. LibreWolf

✓ Tailored for privacy

That’s right, we’ve got another Firefox fork coming at you! LibreWolf, as the name would imply, is a browser that’s focused on privacy, security, and freedom. While it sports a minimalist interface with standard features like bookmarks, tabs, and browsing history, don’t let its simplicity fool you – this browser packs a punch when it comes to protecting your online privacy.

The good

LibreWolf is a pretty decent privacy-focused browser with a host of great features. With no telemetry, built-in ad blocking, and a firewall, you can browse the web without worrying about being tracked. It also defaults to privacy-conscious search engines like DuckDuckGo, Searx, and Qwant, with DuckDuckGo being the primary choice.

What’s more, LibreWolf comes with the uBlock anti-tracking extension pre-installed, giving you an extra layer of protection right out of the box. It even goes the extra mile by disabling Google Safe Browsing, a feature that’s enabled in standard Firefox, to ensure that no data is sent to external servers.

But don’t just take our word for it – LibreWolf has received top marks on PrivacyTests.org and demonstrated strong protection against web tracking in the EFF’s Cover Your Tracks fingerprinting test. And, with great community support and an open-source codebase, you can trust that LibreWolf will continue to evolve and improve over time.

The bad

Nothing comes to mind.

Would we recommend this browser? Yes!

LibreWolf Browser download

• For PC
• For Mac
• For Linux (Arch, Debian, Gentoo, Fedora, Other)

4. Chromium

✓ Completely open source
✗ Lacks official builds

Initially developed by Google, Chromium is a free and open-source codebase that serves as the framework for a wide variety of browsers such as Chrome, Vivaldi, Edge, Opera, and Brave. There is no official Chromium build from Google and any release using this name or logo is done so by third parties such as The Chromium Projects. 

The good

Chromium is essentially a degoogled Chrome as it does not rely on Google web services. It is lightweight, minimal, and free from trackers. While Chromium has connections to Google, the tech giant does not control how others use Chromium’s open-source code, so it’s not necessarily subject to the company’s data-gathering methods.

The bad

Aside from a few extra steps in installing and setting it up, Chromium is also a less polished browser, and you will need to do quite a lot of manual work to customize it and make it run smoothly. You will also have to invest more time in learning its functionalities and finding out the most recent updates and risks.

The frequency of Chromium’s updates is unmatched, with a new one being released every day. This is great for patching up vulnerabilities as soon as they emerge, but the updates require manual installation, which means that end-users must be vigilant to stay as secure as possible.

Moreover, many malicious Chromium-based browsers are available online. They might infect you with malware, steal your browsing data, and flood you with pop-ups and unwanted redirects. If your browser is acting suspiciously, it’s important to take steps to uninstall any potential Chromium malware.

Would we recommend this browser? If you can handle making a few tweaks here and there, yes!

Chromium Browser download

• For PC
• For Mac
• For Android
• For iOS
• For Linux

3. Brave

✓ Built-in ad blocker
✓ Customizable privacy settings
✗ Tor tab doesn’t meet Tor’s privacy standards

Brave was founded in 2016 by Brenden Eich, the former Mozilla head who also created JavaScript. While relatively new on the scene, Brave packs quite a punch in its fast-performing, privacy-focused, and minimalistic design. Having moved on from perpetual beta to a fully-fledged browser, it’s set to show us how it fares as a privacy-oriented product.

The good

Brave has several features that keep your browsing activity private, with a default ad blocker that also stops ads from tracking your online behavior, as well as a function to secure unencrypted sites with HTTPS when necessary.

Brave’s security settings allow you to select what data you want to delete whenever you close the app, block fingerprinting attempts, and keep scripts from loading. Brave settings provide plenty of ways to customize your browsing experience to be as secure as you want it.

In December 2018, Brave fully transitioned to the Chromium codebase, making it easier for users to carry over their Chrome extensions—though they should be wary of what data third-party extensions collect. What’s more, Brave has gone a step further by removing certain Google integrations and other code from the original Chromium to enhance privacy. This includes account integration, background sync, and inline extensions.

The browser also boasts advanced privacy features such as aggressive tracker-blocking, ad-blocking, and anti-fingerprinting capabilities. Notably, Brave’s fingerprinting protections randomize browser feature outputs to prevent device identification.

The bad

Brave’s new Tor tab may be private, but it falls short of Tor’s own privacy standards with a customizable window size that could be used to fingerprint your browsing. Additionally, some users have reported issues related to the compute resources used by Brave, which could be a concern for those who prioritize efficiency and performance in their browser.

The questionable

Brave has taken a unique approach to advertising by launching its own ad program in April 2019. While this move attracted some criticism, Brave’s advertising model aims to redefine web commerce and user engagement with ads. Users can opt-in to view privacy-protecting ads and earn cryptocurrency (BAT – Basic Attention Tokens) as a reward. These ads appear as push notifications, which can be disabled at any time.

Brave’s cryptocurrency, called the Basic Attention Token (or BAT), does allow users to anonymously pay publishers for their content through micro-donations and get a percentage of it back.

A Brave developer has told ExpressVPN that 300 million BAT has been placed into a User Growth Pool to distribute to Brave users monthly as free grants and referral rewards, although this in itself seems to be a work in progress. The inclusion of a cryptocurrency within a browser is certainly novel, but it looks like it will take some time before it starts functioning as intended.

The company also recently faced controversy when it was discovered that the browser autocompleted URLs with affiliate links without users’ explicit consent. This practice raised questions about transparency and trust, as it seemed to go against Brave’s mission of prioritizing user privacy, leading to concerns about the company’s culture and values.

Would we recommend this browser? Yes, although be wary of using their BAT currency.

Brave Browser download

• For PC
• For Mac
• For Android
• For iOS
• For Linux

2. Mozilla Firefox

✓ Open-source
✓ Highly customizable privacy settings
✓ Lightweight

Of all the browsers featured in this ranking, Firefox is the only one that is developed by a nonprofit organization, Mozilla. The browser is well known for its customizability and has long been a favored alternative to its brethren from Google, Microsoft, and Apple.

The good

Mozilla Firefox is regularly updated with the latest security and browsing features, despite not being as frequent as Google Chrome. One of its key features is the Enhanced Tracking Protection, which blocks various trackers, including social media and cross-site tracking cookies. It also offers a “strict” mode for aggressive tracking prevention, enhancing user privacy at the potential cost of breaking some sites.

Firefox has adopted techniques from Tor to block browser fingerprinting, an increasingly common type of tracking, and sends DNS queries to a secure resolver service. It has also introduced the Encrypted Client Hello feature, which encrypts parts of the connection process for added privacy.

Accessibility is another focus of Firefox, making it a suitable choice for users with disabilities. It offers a range of security features, including phishing and malware protection, blocking reported attack sites, and warning users about sites trying to install add-ons. Firefox is relatively lightweight compared to its competitors and features “Content Blocking” to block all detected trackers. It also allows users to compartmentalize their browsers, preventing platforms like Facebook from tracking activity outside of their platform.

Uniquely, Firefox is the only widely used web browser that is completely open-source, allowing anyone to examine its source code for potential tracking software, adding a layer of trust and security. While it emphasizes its default settings and strong privacy protection, Firefox also allows detailed customization of privacy and security settings, including blocking cookies and third-party trackers.

Firefox offers a variety of security-focused add-ons, such as ad-blockers and password managers, to enhance browsing safety. Mobile users can benefit from Firefox Focus, a privacy browser for Android and iOS with automatic tracker-blocking and ad-blocking, designed for a more private mobile browsing experience.

The bad

Firefox is a robust, secure, and private browser, you just need to manually customize its settings. Having said that, there has been some recent controversy with Firefox sending user queries to Mozilla servers. Mozilla has since clarified that this is an “opt-in experience” designed to provide more personalized ads and suggestions.

Some users have also raised concerns about data collection through Firefox’s telemetry and Pocket features. However, both can be disabled in the browser’s settings if you prefer not to have any browsing data sent to Mozilla.

Would we recommend this browser? Yes.

Firefox Browser download

• For PC
• For Mac
• For Android
• For iOS
• For Linux

1. Tor Browser

✓ Hard to track and trace traffic
✗ Law enforcement wary of Tor users

Developed by The Tor Project in 2002, and based on Firefox’s browser, Tor Browser was built for users to access the internet anonymously via the Tor network. Your activity and identity are masked by Tor, which encrypts your traffic in at least three layers by “bouncing your communications around a distributed network of relays” selected from thousands of volunteer computers.

Read: A beginner’s guide to Tor

The good

Most of Tor’s updates follow Firefox’s bug fixes and security patches. These frequent updates, which align with Firefox’s update schedule, are incredibly important to prevent anyone from exploiting bugs and security flaws in older versions of the Tor Browser, ensuring the browser remains secure against potential vulnerabilities.

The Tor Browser’s privacy is aided very much by its security—no one watching your connection can track your internet activity, nor can they identify you unless you explicitly identify yourself. Additionally, Tor does not track your browsing history and clears your cookies after every session. Tor also protects users from sites that try to fingerprint browsing history with its integration of NoScript. Based on tests of unique browser fingerprinting, only Tor can reduce the uniqueness of your fingerprint.

The process of bouncing your data through several relays makes it incredibly difficult for anyone to trace you and your activity. It’s not completely secure, as an FBI bust on the infamous Silk Road marketplace proved, but unless you’re running a high-profile and illegal operation on the Tor network, it’s unlikely that resources will be spent tracking down your browsing habits.

Another unique aspect of the Tor Browser is its ability to access not just the standard web but also the deep and dark web through its onion protocol, which can be important for users seeking anonymity beyond standard browsing. Furthermore, the browser’s default search engine, DuckDuckGo, enhances user privacy by not logging or storing search queries.

Read more: The best onion sites on the dark web

The bad

The Tor browser may actually be secure to a fault: Internet speed is likely to be affected as it routes traffic over three different hops through the Tor network, and it may break some sites because of its NoScript feature. Additionally, setting Tor to its highest privacy settings, such as disabling JavaScript, can affect the functionality of many websites, highlighting the trade-off between security and usability.

Be aware that law enforcement and ISPs can see who uses Tor, even if they don’t know what you’re doing on it. For maximum security, consider running Tor on the Tails operating system, which leaves no trace and enhances privacy even further. Alternatively, connect to a VPN first, and then start up the browser for increased anonymity.

Read more: How to combine Tor with a VPN

Would we recommend this browser? Yes. Just be careful about how you use it, like with any other browser.

Tor Browser download

• For PC
• For Mac
• For Android
• For Linux

Honorable mention: DuckDuckGo

✓ Excellent privacy
✗ Search results can be a bit broad

DuckDuckGo is a popular privacy-focused search engine that offers robust features to protect user privacy. While DuckDuckGo isn’t strictly a browser, it provides the DuckDuckGo Privacy Essentials plugin for Chrome, Chromium-based browsers, Firefox, and related browser types. This plugin sets DuckDuckGo as the default search engine and blocks hidden trackers on websites. The plugin also forces HTTPS connections and provides a privacy score for sites visited.

In addition to the plugin, DuckDuckGo offers a mobile browser for Android and iOS, making it accessible across different operating systems. The mobile browser includes email protection settings, AI experiments, website protection and blockers, and web encryption. It also features automatic cookie consent management and supports the Global Privacy Control standard. Another notable feature is the Duck Player, which allows for ad-free YouTube video playback.

Despite its strong privacy features, some users have noted that search results can be a bit broad compared to other search engines. The browser’s design elements have also been described as bland by some users. Additionally, there have been complaints of censorship, which DuckDuckGo has denied.

Would we recommend DuckDuckGo? Absolutely.

Browser privacy showdown: a head-to-head comparison

How your browser reveals your privacy to trackers

Every time you browse the web, you leave behind a trail of digital footprints that can be used to track and profile your online behavior. Websites employ various methods to collect data about your activities, interests, and identity, often without your explicit consent or knowledge.

Through the use of cookies – First-party cookies are set by the website you visit and can remember your preferences, login information, and browsing behavior on that particular site. However, third-party tracking cookies from advertising networks can follow you across multiple websites, collecting data on your browsing habits.

IP address tracking – Whenever you interact with a website, your IP address is automatically identified, allowing tracking tools to record your movements across the web. IP tracking can extract information like your location, company, and contact details from public databases, even without the use of cookies.

Browser fingerprinting – Websites can identify and track you based on your browser’s unique configuration settings, such as screen size, installed fonts, plugins, and more. This technique creates a distinctive profile that can follow you across different websites, making it difficult to hide or change your identity online.

Location tracking – Websites can request access to your precise geolocation through your browser or infer your general location from your IP address. This location data is valuable for serving localized content and advertisements tailored to your area.

User-agent tracking – Your browser sends details about your device and software in the user-agent string with every request, which can be used to profile and identify you.

Nearly every aspect of your interaction with a website can be tracked and analyzed, including your clicks, navigation patterns, location, IP address, and browser details. This data is pieced together to form a comprehensive picture of your online behavior and interests, primarily for targeted advertising purposes.

The best browser add-ons for privacy and security

If you don’t want to give up Chrome (or another browser we gave a poor ranking to) but still want to improve your privacy and security, here are a few browser extensions that will serve you well:

uBlock Origin

Though commonly used for blocking ads, uBlock Origin also blocks trackers and other content—with plenty of room to customize your own filter list—all while conserving CPU and memory efficiency.

Privacy Badger

The Electronic Frontier Foundation’s Privacy Badger blocks third-party trackers. Note that Privacy Badger only blocks trackers, not ads; one of their goals is to incentivize more advertisers to prioritize your privacy.

ExpressVPN’s browser extensions

Okay, we’re obviously biased here. But not for nothing: ExpressVPN’s browser extensions for Chrome, Firefox, and Edge go beyond VPN protection with location spoofing and WebRTC blocking.

Tips for safe browsing

A secure web browser is an excellent privacy tool, but it isn’t everything. No matter which browser you end up using, consider these tips for safe browsing:

Think twice about storing passwords in your browser

Many modern browsers offer to save your passwords and autofill them later. It’s a convenient feature, but it’s not quite as secure as using a dedicated password manager.

That’s because browsers often don’t require you to authenticate before accessing saved passwords. They’re also more prone to malware that can extract passwords from your browser’s storage.

Consider using multiple browsers

Many of the browsers above offer anti-tracking features, and they work great. But if you really want to take matters into your own hands, try using two different browsers: one for casual web browsing, and one for logging into social media and other sites that are known to track you (like Facebook and Google).

If you’re using Firefox, you can also use an add-on to compartmentalize your browsing within a single browser.

Restrict tracking with browser settings

Cookies can be useful for remembering preferences, but they also allow sites to track you across the web. For more privacy, consider disabling third-party cookies or even all cookies in your browser settings.

Search engines like Google can also gather a lot of data about you from your searches. Delete your search history and voice search data periodically, especially if you’ve searched for sensitive topics.

Keep your browser collection lean

Having multiple browsers installed, especially old and unused ones, expands your attack surface. Uninstall browsers you no longer need, as outdated software can have unpatched vulnerabilities that hackers could exploit.

Cultivate good browsing habits

We can fall into bad habits online without realizing it – procrastinating on browser updates, mindlessly clicking links, using weak or recycled passwords. Make a conscious effort to break these habits. Keep your browser updated, think before you click, and use strong, unique passwords.

Know the limits of “private browsing” mode

Most browsers offer a “private browsing” (a.k.a. “incognito”) mode that doesn’t save your browsing history. This hides your activity from people who use your device, but it does NOT hide your activity from:

• Websites you visit
• Your network operator (e.g. your school or work)
• Your ISP

Even when you use private browsing mode, websites you visit will still see your IP address, and third parties like your Wi-Fi network operator and your ISP will still see what websites you visit.

If you want to hide your IP address from websites, and hide your browsing activity from your ISP, you’ll need one final tool in your belt…

Use a VPN for added privacy

Many of the browsers we’ve listed here will give you a secure and private browsing experience, but the best way to protect all of your traffic—including all the other apps on your device that use the internet—is to use a VPN.

Instead of fiddling with customized browser settings, all you need to do is hit “connect,” and let our VPN safeguard your privacy and security as you enjoy the internet—from any device.

The post Ranked: Best (and worst) browsers for privacy in 2024 appeared first on ExpressVPN Blog.

• Advanced AI is producing highly realistic digital doubles, raising important questions about identity security and personal privacy.
  .
• The creation of AI doppelgängers prompts significant ethical concerns, especially regarding authenticity and the lack of consent in replicating someone’s likeness.
  .
• Current legal frameworks struggle to address the unique issues posed by AI-generated images, revealing a pressing need for updated regulations to protect individual rights.
  .
• ExpressVPN, known for its premium VPN download, investigates the evolving world of AI doppelgängers, emphasizing the need for user consent and robust privacy protections.
  .
• While AI doppelgängers could revolutionize personalized learning and mental health support, their development and use require careful ethical consideration and strong regulatory oversight to ensure they benefit society without compromising individual privacy.

Remember Lensa AI? Back in December 2022, social media feeds were inundated with oddly beautiful images of our friends in fantastical settings, thanks to an AI-powered photo app that was all the rage at the time. 

While making those images was fun, what if your face were used in a similar way but without your permission? That’s a real possibility, with many people now having used services that scan their faces and few regulations overseeing what is and is not permissible when it comes to owning your likeness. 

Welcome to the world of AI-generated doppelgängers, where your digital twin might already exist in the vast networks of the internet without you even realizing it. What implications do AI doppelgängers hold for personal identity when your face can be duplicated without your consent? And how do we handle the fading line between the real and the artificially generated?

Let’s find out. 

Jump to…
How AI-generated faces have evolved
The phenomenon of doppelgängers
Legal and ethical implications
Addressing the challenges of AI doppelgängers
How you can protect your digital identity
Can having an AI doppelgänger ever be a good thing?

How AI-generated faces have evolved

The journey of AI in creating hyperrealistic faces traces back to significant advancements in machine learning, particularly with the introduction of Generative Adversarial Networks (GANs) in the mid-2010s. Initially developed to create digital art, GANs involve two neural networks competing against each other—one generates new images, while the other evaluates their realism. This technology quickly extended beyond art, enhancing computer vision systems and providing realistic simulations for AI training.

The application of GANs reached a new level of public interaction with the launch of the website ThisPersonDoesNotExist by software developer Phillip Wang. On the site, every refresh generates a new face, lifelike yet completely fictional, showcasing the power and creativity of GAN technology. Wang, inspired by a conversation with AI researcher Ian Goodfellow, used a model developed by Nvidia A.I. Labs to train his algorithm with over 70,000 high-resolution images, resulting in faces that challenge our notions of originality and authenticity.

Hyperrealism in action  

Today’s AI-generated faces, which in studies are guessed to be real even more than actual human faces, are crafted not just to amaze but to be used in materials like advertising and marketing visuals. Not only do they look real but they can also be created quickly and at almost no cost. These digital beings offer an efficient alternative to human models.

A prime example of AI efficiency in the commercial sphere is Aitana Lopez, an entirely AI-generated model with over 311,000 followers on Instagram. Created by The Clueless, a Barcelona design agency, Lopez serves as an influencer who interacts with fans and promotes real products. The agency said that they created Lopez because the character offers reliability and efficiency, reducing the costs and logistical challenges of hiring human models. 

The phenomenon of AI doppelgängers

As we’ve seen with the evolution of AI-generated faces, the capabilities of AI have reached impressive new heights, leveraging advanced algorithms to produce hyperrealistic digital figures. This transition from traditional digital art to creating lifelike, interactive models showcases a significant leap in AI technology. But as we explore this further, we encounter a phenomenon that merges the fantastical with the familiar—AI doppelgängers.

The concept of a doppelgänger—someone who eerily mirrors your appearance but isn’t related—stems from the German “double walker,” ghost doubles traditionally served as ominous harbingers believed to foretell a person’s misfortune or demise. Today, this ancient concept has undergone a technological transformation. Using AI, likenesses of real people are being created digitally, potentially to lead a separate online existence.

For instance, in the entertainment industry, AI has been used to create digital versions of deceased actors for movies, bringing nostalgic characters back to the screen. A notable example is Peter Cushing in Star Wars: Rogue One, where AI and CGI were used to recreate his appearance as Grand Moff Tarkin, despite the actor having passed away in 1994. 

We’re feeding AI our digital selves

Apps like Lensa AI popularized turning ordinary selfies into stylized portraits reminiscent of high-fantasy realms. These apps utilize advanced AI algorithms trained on vast datasets of artistic styles and human features, allowing them to replicate and reimagine our faces in various creative forms. 

This initial fascination has since transitioned into more serious applications. AI now helps us curate our professional images; it crafts the perfect LinkedIn headshot, tailors resumes and even produces personalized video content for branding. What began as a fun experiment with our digital identities has evolved into a tool for personal and professional self-presentation.

In customer service, AI doppelgängers are also becoming a reality. Companies are employing AI-driven digital agents that can interact with customers using the facial expressions and voices of human customer service representatives, providing a personalized and engaging customer experience.

The same technology is also helping us create deepfakes. These highly realistic and convincing AI-generated images, videos and voice clips can falsely depict anyone in fabricated scenarios. 

With every selfie uploaded, every voice clip shared, and every video posted, we are actively contributing to the AI that learns relentlessly from our digital breadcrumbs. When we upload photos to social media or directly into AI systems, these images are stored and they undergo a transformation that turns them from snapshots into valuable data for AI training. Here’s how this process works:

1. Our digital uploads provide the raw material for AI learning.
2. These images are then tagged and categorized, sometimes even anonymized, to prepare them for the next stages.
3. The tagged images feed algorithms like GANs, which progressively learn to recognize and replicate human features.
4. AI uses this training to create new, unique faces that may be eerily lifelike, familiar, or stylistically altered but based on real people.

This means that AI can potentially create an AI version of you with only slight differences—i.e., your AI doppelgänger—and you may never know anything about it. This raises significant ethical concerns about who controls and uses our digital likenesses. When AI can replicate our faces for advertisements or political campaigns without our explicit consent, it blurs the lines between personal autonomy and technological exploitation.

This underscores urgent questions: who truly controls these AI-generated images? Who owns the rights to these digital identities? 

Legal and ethical implications of AI doppelgängers

The rise of AI doppelgängers ushers in a slew of legal and ethical challenges, especially concerning ownership and control. These digital entities, which resemble real individuals, navigate a murky area between original creation and direct replication, exposing significant gaps in current copyright and identity rights frameworks.

Legal uncertainties 

Current legal systems are ill-equipped to handle the novel issues posed by AI. In the U.S., for example, the reliance on antiquated copyright laws means that significant aspects of AI-generated content remain largely untested in courts. This scenario mirrors early legal challenges faced during the advent of AI art, suggesting that society needs new legal precedents to clarify copyright in the era of AI.

Take the case of Scarlett Johansson, who filed a lawsuit against an AI app named Lisa AI: 90s Yearbook & Avatar for using her likeness without permission in their advertising. The app created an ad that made it appear as if Johansson endorsed the product, leading to confusion and potential damage to her reputation. The legal action taken by Johansson led to the removal of the advertisement from online platforms, highlighting the legal battles faced by celebrities as they navigate the unauthorized use of their digital likenesses.

Meanwhile, the EU’s AI Act, although a step toward regulatory clarity, still lacks specific provisions for the ownership of AI-generated content, indicating a piecemeal approach to emerging challenges​.

Copyright complexities

The challenge with AI-generated content is pinpointing originality and authorship. Given that AI often remixes existing data to create something new, we’re left wondering: is the output original, or just a derivative of its training data? The U.S. “fair use” doctrine provides some leeway for using copyrighted material to create transformative works, but the boundaries of what is considered “transformative” remains a hot topic for legal debate.

Recognizing these issues, some companies are forging partnerships to ensure that original creators are compensated for the use of their work in training AI models​—but this is only a small handful of organizations. 

Ethical considerations 

Beyond legalities, the ethical implications are profound. If an AI can create a lookalike that almost perfectly mimics a person without their consent, it challenges the very notion of personal identity. This not only sparks a debate over the ethical use of this type of technology but also poses practical risks to privacy, security, and freedom. 

For example, an AI-generated video might show a person engaging in behavior they never actually did, such as attending controversial events or engaging in illegal activities. This kind of misuse can lead to public embarrassment, stigmatization, or severe personal consequences without the person ever having participated in the depicted actions.

Additionally, in severe cases, a digital doppelgänger could be used to access a secure facility or digital accounts, leading to identity theft or unauthorized access to sensitive information. The implications are especially dire in contexts involving national security or corporate espionage.

Risks of misuse  

The advent of digital doppelgängers also brings with it significant risks of misuse. Unauthorized use of someone’s digital likeness for advertisements or political campaigns without consent infringes on personal rights and blurs ethical lines. This not only poses risks of impersonation and fraud but also impacts personal and professional reputations, calling for stringent legal protections to safeguard individuals against such abuses.

For example, there have been widespread concerns about the potential use of deepfakes to fabricate statements or actions by political figures. The fear is that these videos could be used to mislead voters or tarnish the reputation of political opponents, especially as the technology becomes more accessible and convincing. 

Addressing the challenges of AI doppelgängers

As AI becomes increasingly skilled at creating digital doubles that are almost indistinguishable from real humans, the urgency for actionable solutions intensifies. The big question we face is: can our legal systems and personal practices evolve quickly enough to keep pace with these technological leaps?

Revamping legal frameworks 

The rise of AI-generated likenesses calls for a pressing reevaluation of existing legal frameworks. This includes recognizing and categorizing digital personas as distinct entities, which may require new rights and protections. For instance, legislation could be proposed to recognize the creation of a digital double as a “digital birth,” which could grant individuals legal rights over any AI-generated image that closely resembles them.

• Legislative actions: Immediate and proactive legislative measures are necessary to regulate the use of AI in creating likenesses. Our laws need to clearly outline what counts as unauthorized use of digital images, ensuring that individuals maintain control over their digital identities. One approach could be to establish a registry where individuals can claim and manage AI-generated images of themselves.

• Consent and ownership: Establishing clear guidelines on consent and ownership is essential. Individuals must have the right to be informed and to consent before their likenesses are used or replicated. This includes making it clear how their data is being used to train AI models, ensuring transparency and control.

Strengthening global cooperation

The global nature of digital technology and AI means that addressing these challenges also can’t be confined to any one country. International collaboration is vital to developing comprehensive regulations that protect digital identities across borders.

• International standards: We need a unified set of international standards and regulations that govern the creation and use of digital likenesses. These standards should aim to harmonize approaches to digital rights and privacy, ensuring protection for individuals worldwide.
• Cross-border legal frameworks: Efforts should also focus on establishing cross-border legal frameworks that address and penalize the unauthorized use of digital likenesses internationally. This would help prevent entities from exploiting regulatory gaps between different jurisdictions.

How you can protect your digital identity 

While society pushes for better legal reforms concerning AI, there are proactive steps you can take now to safeguard your online identity: 

• Be selective with your data: Think twice before sharing personal information and photos online. Each piece of data can be used to train AI systems, including creating digital likenesses. Limit sharing to essential instances and prefer secure, privacy-respecting platforms whenever possible.
• Review and restrict app permissions: Regularly audit the permissions you’ve granted to mobile apps and online services. Restrict access to your camera, microphone, and photo library unless absolutely necessary—and always be wary of apps requesting more information than they need to function.
• Use data masking tools: Consider using services that mask or alter your photos slightly to prevent AI from accurately using them to create digital models. These tools can subtly change image details in ways invisible to the human eye but disruptive to AI algorithms.
• Engage in digital clean-ups: Periodically review your online presence. Remove old accounts and unnecessary photos from social media, and consider cleaning up digital footprints that no longer serve a purpose but could be exploited.
• Advocate for better policies: Stay informed about digital privacy policies and support legislation that protects personal data. Participate in campaigns and sign petitions that call for stricter regulations on AI-generated content and better transparency in how personal data is used.
• Educate yourself and your community: Knowledge is power. Take advantage of free resources to learn more about AI technology and its privacy implications. Share this knowledge in your community to raise awareness and help others understand the risks and defenses against AI misuse.
• Monitor for misuse: Set up Google Alerts for your name and regularly search for your images online to see if they appear in contexts you haven’t authorized. Various tools and platforms can help you monitor where and how your likeness is being used.

Can having an AI doppelgänger ever be a good thing?

As we’ve seen, AI-generated doppelgängers raise significant concerns about privacy and the control of personal data. The ability of AI to replicate our very likenesses so accurately presents a host of ethical questions that demand careful consideration and rigorous oversight. But alongside these challenges, could there be positive uses for this technology? Potentially, yes.

AI doppelgängers could, for instance, revolutionize the way we learn and interact with information. Personalized learning assistants, tailored to match the learning styles and paces of individual students, could make education more accessible and effective for everyone. These AI entities could simulate different teaching methodologies to find the one that works best for each learner, potentially transforming educational outcomes.

In terms of mental health, AI doppelgängers might one day serve as therapeutic aids. They could be programmed to provide psychological support, practice conversations, or help individuals develop social skills in a low-pressure environment. For those dealing with isolation or specific mental health conditions, a responsive AI that understands and reacts with empathy could be a significant source of support.

Moreover, AI doppelgängers could assist in professional environments, handling routine tasks and interactions that allow human employees to focus on more complex, creative work. This could lead to increased workplace efficiency and allow workers to engage more deeply with aspects of their jobs that require human insight and creativity.

However, for these benefits to be fully realized without compromising our ethical standards, strong regulations and clear guidelines must first be firmly in place. This framework must ensure transparency in how AI doppelgängers are developed and used, with strict measures to protect individuals’ data and prevent misuse. It’s only under these conditions that the positive potential of AI doppelgängers can be harnessed safely and effectively.

What do you think about AI doppelgängers? Could the benefits of this type of technology ever outweigh the ethical and legal concerns it raises? Let us know in the comments below. 

The post Do you have an AI-generated look-alike living online? appeared first on ExpressVPN Blog.

Few malicious software types are as invasive as stalkerware. If someone has installed it on your phone, they are able to monitor not just your location but also what you are typing into your device. Find out how these apps work and what to do if you’re being stalked with one.

Jump to…
What is stalkerware?
Types of stalkerware apps and their common functionalities
How to detect and remove stalkerware apps on your mobile devices
Ways to protect yourself against stalkerware

What is stalkerware?

Stalkerware is a form of commercially available spyware that lets you monitor people, especially those you have a personal relationship with, such as employees, spouses, or intimate partners. 

Stalkerware use is increasing: In 2021, cybersecurity service Malwarebytes revealed that stalkerware detections hit an all-time high for smartphones with 54,677 alerts reported. Stalkerware apps tend to affect phones since people take their smartphones everywhere they go. The amount of data collected from a smartphone is usually far more valuable than data from a PC or laptop.

The main difference between stalkerware and spyware is that stalkerware is generally used by individuals while spyware is used by government and law enforcement agencies.

Stalkerware isn’t just unethical, it’s also just plain creepy. In this post, we explain the different types of stalkerware, how they work, and how to protect yourself from such apps.

3 types of stalkerware apps and their common functionalities

Cybersecurity experts have not provided exact names for different types of stalkerware apps. However, they can be sorted by the types of information collected.

Apps that monitor communications

This class of stalkerware is designed to record phone calls and log keystrokes of every message and email you send. 

Apps that track location

An app may keep track of GPS coordinates or guess your location based on the Wi-Fi networks you connect to. Location data can reveal a lot of information about a person and their habits.

Apps that steal files and intimate data

These apps watch your devices for any changes and transmit them to a server the stalker can access. This is a significant privacy invasion but is also particularly dangerous if a victim has sensitive photographs, video, and other types of recordings that could be used against them. 

Two of the most common stalkerware apps, Cerberus and Reptillicus, operate in stealth mode. They allow users to read messages from third-party messengers like WhatsApp and Telegram, text messages, and view photos and videos in media galleries. Some stalkerware apps allow users to track calendar events, take screenshots, access contact lists, and even take front camera photos.

How is stalkerware installed?

For someone to install stalkerware on your phone, they most likely need to do so physically on your device. This is why you should never leave your phone unattended and unlocked or lend your phone to anyone to use, especially if that person might have reason to stalk you. Note that because iPhone apps must be downloaded from the App Store, it is more difficult for someone to download malicious software onto an iPhone.

Someone could take your phone and install a stalkerware app from the App Store and Play Store, although they are given innocuous descriptions like “family tracker”. Stalkerware may also be sideloaded onto a phone, by connecting it with a cable to the attacker’s computer. Both of these methods require the attacker to have direct physical access to your phone.

The stalker might also install the software on your phone through a link. They could also attempt to trick you into installing it on your own device through a link.

Common stalkerware apps to know of

Here’s a list of some of the more common stalkerware apps:

• Cerberus
• Reptillicus
• Track My Phones
• AndroidLost
• MobileTracker Free
• Hoverwatch
• wSpy

How to identify and remove stalkerware on iOS

Scan for unfamiliar apps

One of the best ways to determine if there is stalkerware on your phone is to check for unfamiliar apps manually. If you don’t remember installing an app, it might be worth clicking on it and checking the app yourself. If you’re still unsure if an app is stalkerware, you could search for its name online for more information. 

Check for unknown configuration profiles 

Head to Settings > General > VPN & Device Management to check for these configuration profiles. If you spot a profile, you can click on it and find out what it does and delete it, if necessary. 

Search for signs of a jailbreak

While it’s difficult for anyone to install stalkerware on iPhones because of app limitations set by Apple, it’s still possible if a hacker can jailbreak a phone and install stalkerware. One sign that your phone has been jailbroken is if you’ve got an alternative app store installed, such as Cydia, instead of Apple’s official App Store. 

Perform a privacy audit

Some Apple data-sharing features like Family Sharing, Find Me, and Shared Albums risk being taken advantage of by malicious individuals. To protect its consumers, Apple has published a privacy checklist that consumers can follow to perform privacy audits. 

Lock down iCloud

If you suspect your phone has been tampered with, resetting your iCloud password to protect any sensitive data you might have is best. Additionally, you’ll want to enable two-factor authentication (2FA) for your Apple ID, too.

How to identify and remove stalkerware on Android

Run Google Play Protect

Google’s Play Protect is a service that runs safety checks on apps downloaded from the Google Play Store before they’re downloaded onto your phone. The service also checks your device for potentially harmful apps. 

Check the accessibility services on your phone

Stalkerware apps rely on access to your camera, microphone, and certain folders to do their jobs well. You can check if your phone has stalkerware apps by heading to the Accessibility settings on your device to see which apps can access certain functions. 

See if a device administrator  has been installed

Device administration access is assigned to some pre-installed applications on Android devices, and this sort of access allows apps to write, erase, and transfer data from the device if it’s stolen or gone missing. Stalkerware apps require access to these administration settings to be able to write and transfer data from one device to another. 

Manually run checks on apps

A great way to ensure you know all your downloaded apps is to check through them individually. Most stalkerware apps don’t appear on the homescreen of smartphones, but they might still appear on the device’s wider app list.

What do I do if there’s stalkerware on my phone?

Here’s what you can do if you suspect stalkerware on your phone:

Prioritize your safety

Consider your safety first. Stalkerware can be a sign of an abusive relationship or one that’s intrusive. If you’re concerned about your physical safety, reach out to a domestic violence hotline or organization for help and guidance.

Identify and remove the stalkerware

First, scan your phone for malware by downloading a reputable mobile security app or antivirus software. Some popular options include Malwarebytes and Bitdefender Mobile Security.

Next, review the permissions granted to your apps in your phone’s settings. Look for apps with excessive permissions, such as access to your location, microphone, camera, or call logs, that you don’t recognize or haven’t authorized. Uninstall any suspicious apps.

Change your passwords

Finally, change your passwords. Reset your passwords for all your online accounts, especially those you accessed on your phone. Use strong, unique passwords for each account, and consider enabling two-factor authentication for added security

How to protect yourself against stalkerware 

There are several simple ways to protect yourself against stalkerware:

• Change all your passwords and enable multi-factor authentication on your trusted devices.
• Avoid rooting or jailbreaking your device. Rooting or jailbreaking a device removes operating system restrictions to allow third-party app installations, bypassing built-in security measures. Stalkerware features often require this bypass. On iPhones, stalkerware installation usually requires jailbreaking. Rooted or jailbroken phones are more vulnerable to viruses, malware, and stalkerware.
• Don’t leave your smartphone or other devices unattended. 
• Make it a point to periodically check through apps on your phone and remove unnecessary apps.
• Ensure that your operating system and apps are up to date so any known vulnerabilities are patched.
• As a last resort, back up your data and perform a factory reset on your device to start afresh. Remember that you should only install essential apps with a fresh install/factory reset of your device’s operating system.

The post How to find and remove stalkerware apps appeared first on ExpressVPN Blog.

You’re in your favorite cafe, sipping coffee while working online. Suddenly, your VPN disconnects without you realizing it. Normally, this might leave your browsing unsecured, meaning your activity could be observed by third parties like the internet service provider, the Wi-Fi admin, or attackers. But not if you have a kill switch.

A VPN is designed to protect your online privacy, and a VPN kill switch maintains that protection by instantly stopping all internet traffic going to and from your device if your VPN connection fails. This feature is essential for anyone serious about securing their personal information against inadvertent leaks.

However, while many VPN services include kill switches, they’re not all equally reliable. ExpressVPN sets itself apart with Network Lock, which is activated by default, providing a superior protective response that ensures your data stays secure—even if your internet connection becomes unstable.

Join us as we explore how kill switches work, discuss the different types available, and explain why Network Lock offers unmatched security that you can depend on.

What is a VPN kill switch?

A VPN kill switch is a feature that safeguards your digital activity from accidental exposure. Here’s how it works: While a VPN encrypts your internet traffic and shields it within a protective VPN tunnel, there are moments when the VPN connection might fail. When this happens, your device could automatically switch back to an unsecured internet connection, risking exposure of your IP address and data transmissions. If your VPN has a kill switch, it reacts to dropped VPN connections by cutting out the internet on your device entirely, so that you do not take the risk of an unprotected connection.

However, a proper VPN kill switch like Network Lock does more than just react to connection interruptions. It also blocks any traffic on your device from traveling outside of the VPN tunnel. This means that you are protected even if a malicious app or misconfiguration attempts to divert your traffic outside the VPN. If you have a kill switch like Network Lock enabled, your traffic will be blocked rather than be allowed to take a non-VPN route.

Why do I need a VPN kill switch?

You may not feel it necessary to turn on your kill switch if you are engaging in low-risk activities like scrolling on social media or browsing your favorite websites. In these cases, if your VPN connection drops, you’ll continue browsing as normal without a VPN until the connection is restored. 

But for situations where security is paramount or if you want as much privacy as possible, a kill switch ensures security, privacy, and peace of mind by taking you off the internet for as long as you are unprotected by the VPN.

Here are a few reasons to use a VPN with a kill switch enabled:

Identity protection

A kill switch shields your online identity by preventing exposure of your real IP address. This protects you from unwanted tracking and exposure of your real location, as your real IP address can be connected back to you.

Data privacy

A kill switch ensures consistent encryption of your data transmission. In the event of a VPN disconnection, it prevents data from potentially reverting to a non-encrypted state, thus protecting it from interception by third parties.

Prevent monitoring

In regions with internet censorship or monitoring, a kill switch is essential. It prevents your connections from defaulting to potentially monitored or restricted states, safeguarding you from surveillance.

Thwart attacks

Public Wi-Fi in places like coffee shops or airports might be unsecured, making you vulnerable to man-in-the-middle and other attacks. Ensure your online safety with a VPN, plus a kill switch that shuts keeps you off the internet if the VPN drops.

The different types of VPN kill switches

VPN kill switches are primarily categorized into two types: application-level and system-level, each suited for different security needs.

Application-level VPN kill switches

Application-level kill switches provide selective protection. They allow you to choose specific applications to disconnect from the internet if your VPN connection drops. This targeted approach lets you safeguard critical activities like browsing and banking, while less sensitive applications, such as music streaming, continue uninterrupted. However, this flexibility can come at the cost of comprehensive security, as non-selected applications remain unprotected.

System-level VPN kill switches

System-level kill switches offer the most robust protection by blocking all internet traffic if your VPN connection fails. This comprehensive approach is meant to guarantee that no data escapes your device outside the secure VPN tunnel, effectively preventing any potential data leaks across all applications. With these kill switches in place, any network traffic not routed through the VPN is blocked, ensuring your device never sends unencrypted data. 

Which type of kill switch should you choose?

While application-level kill switches are suitable for users who want control over specific applications, system-level kill switches are generally recommended for their better security. They ensure that every bit of data transmitted is encrypted and secure, making them the best choice for those who prioritize complete privacy and protection. ExpressVPN’s Network Lock works as a system-level VPN kill switch that ensures you are fully protected by blocking all traffic if your VPN connection drops.

When does a VPN kill switch get activated?

A VPN kill switch activates automatically to protect your data whenever your secure VPN connection is interrupted. Here are the key situations that may cause this to happen:

• VPN connection drops: The most common scenario for kill switch activation is when your VPN connection suddenly drops due to server problems or connectivity issues.
• Switching between VPN servers: When you change from one VPN server to another, there may be a brief period when no VPN is enabled. The kill switch steps in during this transition to prevent any data leaks.
• Network changes: If you switch from one network to another, such as changing from your home Wi-Fi to mobile data, you might go unprotected by the VPN for a few seconds. The kill switch ensures that these transitions don’t expose your personal data.
• Malicious attempts at bypassing VPN: A kill switch takes action not just when VPN is dropped. It also responds when traffic tries to divert from the VPN tunnel. If malicious apps or misconfigurations attempt to drive your traffic outside the VPN, that traffic will be blocked by the kill switch.
• Device sleep and wake-up transitions: Devices can lose their VPN connections when they go into sleep mode or wake up. To prevent any accidental data exposure, the kill switch activates until the VPN connection is re-established.
• Unstable internet connections: An unstable internet connection could mean an unstable VPN connection. The kill switch will activate under such circumstances to maintain the security of your data.

Are VPN kill switches turned on by default?

Not all VPN providers enable their kill switches by default. But defaulting to “off” is a design choice that can pose a risk to users if they aren’t aware that they need to activate this security feature manually. The absence of an automatically enabled kill switch means that if your VPN connection drops unexpectedly, your data could leak without your knowledge, exposing your personal information and online activities.

The primary concern here is the accidental exposure of your real IP address and other sensitive data during VPN downtimes. These leaks are particularly problematic on unsecured public Wi-Fi networks, which would allow your activity to be seen by third parties. 

ExpressVPN’s proactive approach: Network Lock

Unlike many other providers, ExpressVPN’s Network Lock feature is enabled by default across all compatible platforms including Mac, Windows, Linux, and routers (on Android and iOS, we offer a feature similar to a kill switch called Network Protection). Network Lock immediately halts all internet traffic if your VPN connection drops, providing comprehensive leak protection, ensuring no data escapes. This default setting is a key part of our commitment to user safety, reflecting our dedication to providing robust, reliable protection without requiring manual setup. 

How does ExpressVPN’s kill switch work?

Network Lock goes beyond most kill switches by being proactive rather than reactive:

Robust firewall rules

Network Lock begins with a “block everything” firewall rule on all desktop platforms. A second rule then allows only VPN-routed traffic. These rules stay active through the entire connection cycle, including during reconnects and disruptions, ensuring consistent protection.

Comprehensive traffic management

Network Lock covers all types of network traffic—IPv4, IPv6, and DNS requests—to prevent any data from leaking outside the VPN tunnel. This total coverage ensures your personal information and activities remain private, even amid network instability or when switching Wi-Fi networks.

Should you ever disable the VPN kill switch?

While it’s advisable to keep the kill switch enabled to secure your data continuously, there may be specific scenarios where you might need to disable it temporarily. This might be necessary for troubleshooting connection issues or adjusting certain network settings. However, disabling the kill switch exposes you to the risk of data leaks if your VPN connection drops unexpectedly.

For these reasons, we strongly recommend keeping your kill switch active at all times, across all devices and VPN protocols, to ensure the highest level of data protection.

How to choose the right VPN kill switch 

It’s clear that a kill switch is an important part of maintaining your online privacy and security. So, before choosing a VPN, check whether a kill switch is offered and how it functions across different devices and operating systems. Here are key factors to consider:

Default activation

Check if the kill switch is enabled by default. A kill switch that requires manual activation might not protect you if you forget to turn it on. For example, ExpressVPN’s Network Lock is on by default, providing immediate protection without any additional setup.

Level of protection

Understand the level of security provided by the kill switch. It should ideally block all internet traffic if your VPN connection drops, preventing any data leaks. This is particularly important in environments where network stability is a concern.

Platform availability

Check if the kill switch is supported on all the devices and platforms you plan to use, such as Windows, Mac, Linux, and routers. If a kill switch isn’t available on a specific device, ensure there’s a comparable feature like ExpressVPN’s Network Protection in place.

User control

Consider how much control you have over the kill switch settings. You might prefer the ability to toggle the feature on or off depending on your specific needs.

Transparency and trust

Choose a VPN provider that’s transparent about how their kill switch works and the limitations it might have on different platforms. Trustworthy providers will provide detailed information about their security features, helping you make an informed decision.

Read more: ExpressVPN’s statement and assessment of the TunnelVision technique

The post What’s a VPN kill switch, and how does it work? appeared first on ExpressVPN Blog.

You may be hearing reports of a new vulnerability called TunnelVision that can allow an attacker to bypass VPN protection under certain circumstances. We’d like to take a moment to explain the report and reassure you of the security of the ExpressVPN apps and services. 

On May 6, 2024, a paper titled “TunnelVision – How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak” revealed a technique that would allow an attacker to circumvent VPN protection in some specific situations. The researchers reached out to us prior to the publication of the paper, and we’ve had time to do extensive testing on our own. 

After a thorough evaluation, we can confirm that the technique described in the paper has minimal impact on ExpressVPN users, thanks to the robust design of our kill switch, Network Lock. We detail our investigation and how it relates to ExpressVPN’s apps on each platform we support below.

But before we get into the technical details, we’d like to emphasize that this issue can only occur if multiple specific conditions are met. 

If you’re at home and no one has hacked your router, you’re safe. If you’re connecting by cellular network and not anyone else’s Wi-Fi, you’re safe. If the Wi-Fi network you’re joining is not controlled by a malicious actor, you’re safe. If you’re on a laptop and your kill switch is on, you’re safe. And so on. In practice it takes quite a combination of factors, all existing simultaneously, for this issue to present any risk at all. 

What’s TunnelVision about?

The issue raised by the researchers arises from DHCP (Dynamic Host Configuration Protocol), a feature inherent in networking devices like routers. This protocol is used to automatically configure your device so that it can connect to the network and the internet beyond. 

Part of this configuration is to tell your device exactly where it should send traffic so that it can reach the internet.

There’s a lesser-known DHCP feature, however, known as Option 121, which enables setting alternative routes for specific destinations—say, the IP addresses that host www.google.com. Any device that supports Option 121 has the potential to have these additional gateways added, diverting the traffic that otherwise would follow the default path.

When you connect with ExpressVPN, we set our own routes to tell your device that it should talk to the internet over the VPN connection. This works because our routes are more specific than the default route, and so they take precedence.

However, with Option 121, it is possible for an even more specific route to be set—one that is more specific than ours—causing traffic that should flow over the VPN to instead flow via this more specific route. It’s important to note that this “preference for the specific” is not in itself a vulnerability; it is fundamental to how networking works. It can cause undesired behavior, unless specific mitigations have been put in place to prevent it. ExpressVPN has long recognized the risk of such a problem (either because of a malicious attacker or simply from an honest misconfiguration), and that is why we ship our apps with Network Lock enabled by default.

In their TunnelVision paper, the researchers assert that it is possible to induce a leak of VPN traffic when using something called DHCP Option 121 classless static routes, and that this affects all VPN providers and VPN protocols that support such routes.

To put this simply, it means that under certain conditions (and only when you connect to a network you don’t control, like hotel or airport Wi-Fi), an attacker with control of the Wi-Fi router could designate that any traffic bound for a particular destination be diverted outside the VPN.  

It takes a specific sequence of conditions to be met for anyone to be affected by this issue, and ExpressVPN’s customers are among the best protected, in part because of the strength and structure of Network Lock. 

TunnelVision’s impact on ExpressVPN

The potential of this technique depends on the operating system or device being used. 

Starting with our desktop users: thanks to Network Lock, the ExpressVPN kill switch on Mac, Windows, Linux, and routers, the potential for exposure is limited. Whether you use Mac or Windows our investigations found that this technique could only pose a threat if our kill switch, Network Lock, had been manually disabled by a user. As Network Lock is enabled by default, users who have never modified their settings cannot be affected. 

So if you, like many ExpressVPN users, simply open your app, hit the big On button, and occasionally change locations, then you have never been exposed to this issue. The way we designed our kill switch ensures that our desktop users are defended against this technique and other attacks that attempt to force traffic outside of the VPN.

When Network Lock is on, we found that leaks do not occur. Traffic bound for the destination designated by an attacker would result in “denial of service”—it would simply be blocked, resulting in a blank webpage or error message. Traffic that was headed to any other destination (in other words, anywhere not specified for diversion by the attacker) would pass through the VPN as normal. However, if a user has manually turned Network Lock off, then the traffic would indeed be allowed to pass via the diverted route, causing a leak. 

As such, we highly recommend that all ExpressVPN users enable the kill switch at all times. We’re also adding new reminders in our apps to encourage users to keep the kill switch toggled on. 

On Aircove and Aircove Go routers, you cannot be vulnerable as the kill switch is always on and cannot be disabled.

Now to mobile users. On Android, you cannot have been exposed, regardless of your kill switch setting, because DHCP Option 121 is not supported on that platform at all. But on iOS, there is some degree of vulnerability, even with our kill switch activated. This is due to a longstanding limitation set by Apple itself, which effectively makes an ironclad kill switch impossible. Still, using a 4G or 5G cellular connection instead of Wi-Fi is fully effective in preventing this attack.

How we built and designed Network Lock to protect users

As we’ve explained, Network Lock is the ExpressVPN kill switch on Mac, Windows, Linux, and routers. It keeps user data safe by blocking all internet traffic until protection is restored. A similar feature is available under the Network Protection settings of our iOS and Android apps. We offer these features because a reliable kill switch is an essential feature of a VPN, key to protecting users and ensuring their privacy. That’s why we also turn our kill switch on by default and have spent a lot of time investing in its reliability since we first rolled it out in 2015. 

We also made a lot of careful engineering and design decisions to implement the feature. Our Network Lock feature prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when the user’s internet connection is disrupted, when switching between Wi-Fi networks, and other various scenarios where other VPNs might leak. 

Our kill switch functionality on router firmware and all desktop platforms works by applying a “block everything” firewall rule followed by a rule that permits traffic exclusively through the VPN tunnel. These kill switch rules are first engaged when the VPN connects, and they remain active during reconnect cycles and unexpected disconnects. This is exactly what the researchers are referencing in the “Industry Impact” section of their report when they state that they “have observed a mitigation from some VPN providers that drops traffic to non-VPN interfaces via firewall rules.”

This setup safeguards against the TunnelVision exploit and similar threats. It blocks any traffic trying to bypass the VPN, including any routes that TunnelVision may have introduced. 

What this means for the VPN industry 

Fundamentally, the TunnelVision research highlights how important it is that VPNs meet a standard of excellence when it comes to privacy and security design. 

Since there isn’t a single standard industry implementation of a kill switch, the devil is in the details. It becomes more important than ever to pick a premium VPN provider that prioritizes both security and ease of use. We appreciate the efforts of the researchers in highlighting the importance of a reliable kill switch when consumers are selecting a VPN. 

We also thank them for their industry-wide effort toward responsible disclosure of this issue—continued security research, delivered in a responsible manner, is an important facet of a healthy cybersecurity landscape. We want to encourage our users, industry partners and researchers to continue to push for a deeper understanding of the technologies underlying privacy and security solutions. 

The post TunnelVision: ExpressVPN’s statement and assessment of the technique appeared first on ExpressVPN Blog.

While we are quietly delighted whenever we add a server location to ExpressVPN, sometimes a new location is just worth shouting about a little more than others. We’ve recently added Osaka to our list of Japanese server locations, which joins Tokyo and Shibuya.

What makes it noteworthy? A former capital of Japan and the country’s third-largest city, Osaka is an enviable place to travel to or live in, offering a rich combination of historical sites, vibrant nightlife, specialty foods, and unique culture. And an Osaka VPN benefits residents and travelers alike, providing online security while allowing them to use the internet as if they are there, even when they’re away.  

With an Osaka VPN, residents who are traveling can easily access their services from home, such as banking sites, as well as stream (via TVer) Osaka area-specific TV channels like Osaka TV, Kansai TV, ABC TV, and MBS. ExpressVPN also works well with Netflix, Hulu, Abema, U-NEXT, and other services providing extensive Japanese content.

If you’re about to visit the Osaka area, a VPN can help you access Japanese websites for tasks like hotel bookings and ticket bookings in advance. Japanese websites are often significantly different from their English versions, providing greater convenience to both Japanese residents abroad and foreigners.

While we recommend keeping a VPN on at all times for privacy and security, an Osaka VPN could mean a more optimal experience for those based near Osaka, as their IP address would reflect a closer approximation to their physical location. This means your searches continue to show local results when your VPN is enabled.

ExpressVPN is proud to have one of the largest, most far-reaching networks of VPN servers, with server locations in 105 countries and many of those countries featuring multiple locations. We’ve also upgraded to 10Gbps servers in most places, meaning faster speeds for you.

The post Welcoming Osaka as our newest VPN server location appeared first on ExpressVPN Blog.

Every year, World Password Day nudges us to tighten up our digital defenses. Initiated to raise awareness about the role passwords play in safeguarding our private information, this day also serves as a reminder of our ongoing battle against cyber threats. 

But why do we lean so heavily on passwords, and why do they need to be so complex? As World Password Day approaches on May 2, we explore the history of password security, tracing its origins back to the earliest days of digital authentication. We’ll uncover how major data breaches have not only exposed vulnerabilities but have also catalyzed significant changes in the strategies we use to manage and secure our passwords. 

From simple strings of characters to today’s robust multi-factor authentication systems, join us as we explore the innovations that have shaped how we protect our digital lives today.

Jump to…
What were the first passwords?
Major data breaches: A timeline
The evolution of digital passwords
Best practices for password management
The rise of passwordless authentication

What were the first passwords?

Long before the dawn of the internet and the digital convenience we now take for granted, passwords were already a part of society’s security measures.

Ancient times 

Tracing back to the times of ancient civilizations, passwords played an important role in maintaining confidentiality and securing communications. Roman military practices, for example, utilized “watchwords” to manage access through secured zones, ensuring that only those with the correct phrases could pass—effectively distinguishing friend from foe.

Cryptographic contributions (14th-17th century)

The medieval period marked significant advancements in the complexity of passwords with the rise of cryptography. In the 14th century, the Egyptian scholar Ahmad al-Qalqashandi’s writings on cryptology laid down fundamental concepts that transformed secure communication. During the Renaissance, innovators like Leon Battista Alberti propelled these ideas further, developing polyalphabetic ciphers that enhanced the security of messages, setting the stage for the sophisticated encryption techniques we use today. 

Read more: How encryption has shaped history and will define the future

Seals and signatures (19th century)

In the 19th century, officials used physical measures like wax seals on important decrees and letters to demonstrate authenticity. Like passwords, they provided assurance of identity. Of course, one main difference is they were not kept secret but rather were valued for their uniqueness, as their intricacies made them difficult to reproduce. In that sense, perhaps they can be compared to biometrics like fingerprints.

Speakeasies and secret codes (1920s)

During the Roaring Twenties in the U.S., the Prohibition era saw passwords assume a secretive role within the underground speakeasy scene. Access to these hidden bars required a whispered password, ensuring that only trusted individuals could take part in the covert nightlife, reflecting the passwords’ role in controlling access to restricted activities.

Military use of passwords (1940s)

During World War 2, particularly during the Battle of Normandy, military use of passwords evolved to include a password and a counter password system. This system was essential in verifying identities under the stress of wartime conditions, with famous instances like the use of a device known as a “cricket” in place of a password system by American paratroopers during D-Day serving as unique, temporary methods of identification.

The dawn of the digital password (1960s)

The transition to digital passwords occurred in the 1960s with the development of the Compatible Time-Sharing System (CTSS) by Fernando Corbató at MIT. It was born out of necessity with the advent of early computer systems. This innovation introduced password-protected user accounts, enabling multiple users to securely share system resources—an essential step towards the data privacy and security protocols we have today. 

Network security and the digital age (1970s-2000s)

As technology progressed through the 1970s and 1980s, the widespread adoption of passwords became essential for accessing resources in multi-user systems and networks like the ARPANET, the precursor to the internet. This necessity expanded in the 1990s and 2000s with the internet’s rise, establishing passwords as a fundamental component of digital security—crucial for protecting everything from email accounts to online banking.

However, as security measures like passwords evolved, so did the tactics of cybercriminals attempting to steal or bypass them.

How 10 major data breaches influenced password security practices

Data breaches across the globe have had a profound impact on how we handle our digital keys. Here’s a closer look at how some of the biggest breaches in history have transformed the way we manage password security:

1. TRW (1984)

Known as the first major data breach in history, the credit reporting agency TRW Information Systems (now Experian) experienced a significant incident in 1984 when a credit file password was stolen from a Sears store in Sacramento, California. This password allowed unauthorized access to the credit histories of approximately 90 million people. The stolen password was then posted on an electronic bulletin board, accessible to a wide audience for over a month before the breach was noticed and reported. The breach led to the exposure of sensitive data including names, addresses, social security numbers, and credit scores.

Response

The TRW breach led to major changes in how passwords and data security were managed, marking a shift towards more complex digital keys. It also influenced the development of stricter computer crime laws, including the Computer Fraud and Abuse Act of 1986, which strengthened legal protections against unauthorized computer and network access. This event catalyzed the cybersecurity industry, enhancing awareness about the risks of inadequate password management and data protection.

2. Yahoo (2013 and 2014)

The Yahoo data breaches affected nearly all user accounts across two separate incidents. Known as the most significant data breach in history, the 2013 breach affected every single Yahoo account—all 3 billion of them. The data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, security questions and answers. The 2014 breach compromised around 500 million accounts with similar personal data exposed. These breaches were significant not only because of their scale but also because of the nature of the data stolen, which directly impacted the security of the affected accounts. They also notably impacted Yahoo’s valuation during its acquisition by Verizon, leading to a reduction in the purchase price by 350 million USD.

Response

An analysis of the breached data revealed an alarming number of accounts were protected by simple passwords like “123456” or “password”. Yahoo and the broader tech industry were pushed towards adopting more robust security measures, including enhanced encryption for passwords and the adoption of more secure multi-factor authentication (MFA) processes.

3. MySpace (2013)

In June 2013, MySpace experienced a major data breach that affected approximately 360 million accounts. The breach exposed a huge amount of personal data, including usernames, passwords, and email addresses. The data stolen was from the platform’s older version, before a significant site redesign that occurred later that month. The cybercriminal behind this attack, known by the alias “Peace,” is the same person linked to other high-profile breaches. 

Response

The MySpace breach occurred when awareness of digital privacy and security was heightening but still not at the forefront of social media users’ minds. The scale of the breach made it one of the most significant of its time—spotlighting the vulnerabilities of stored user data, especially passwords.

In response to the breach, MySpace invalidated all passwords for accounts created before the 2013 redesign, emphasizing the need for strong, regularly updated passwords. The breach underscored the importance of sturdy security measures and led to increased adoption of better practices across the industry, such as hashed and salted passwords, which are more resistant to hacking.

4. Adult Friend Finder Network (2016)

In 2016, the Adult Friend Finder Network suffered a massive data breach that exposed over 412 million accounts. The breach involved multiple sites within the network, including AdultFriendFinder.com, and resulted from a local file inclusion vulnerability. The exposed data included usernames, emails, login dates, and passwords, many of which were stored in plaintext or hashed using the weak SHA-1 algorithm, making them easy to crack. This breach was significant not only because of the volume of data exposed but also because it included details from accounts that had been deleted by users but were still retained by the company.

Response

After the breach, the Friend Finder Network took immediate steps to secure its systems, including patching the vulnerability and implementing site-wide password resets. The incident underscored the necessity for stronger security measures, such as the use of solid hashing algorithms and regular updating and auditing of security practices. It also highlighted the importance of ethical data retention practices, particularly concerning deleted accounts.

5. VKontakte (2016)

In June 2016, VKontakte (VK.com), a popular Russian social networking platform, experienced a significant data breach. A hacker acquired account details of over 100 million users, which included names, email addresses, and plaintext passwords. This data was then offered for sale on the dark web. The breach highlighted the platform’s inadequate security measures, as the passwords were stored without encryption. The exposure of plaintext passwords posed a severe risk, potentially allowing attackers easy access to users’ accounts not only on VK but also on other platforms where users might have reused passwords.

Response

The breach served as a sobering reminder of the importance of strong password management and security measures. It prompted VK and other companies to reassess and strengthen their cybersecurity strategies, particularly focusing on the encryption of passwords and using more sophisticated authentication methods to better protect user data.

6. Aadhaar (2018)

In 2018, the Aadhaar database, which contains the biometric and personal information of over 1.1 billion Indian citizens, experienced a major data breach. This breach exposed sensitive information such as names, addresses, and other demographic details. The breach had significant implications for data security in India, raising concerns about the protection of personal information in large government databases.

Response

In response to the breach, there was increased scrutiny and calls for stronger data protection laws in India. The incident spurred discussions about implementing more robust security practices, including adopting better password management and authentication technologies to safeguard sensitive information. The breach also highlighted the need for continuous improvements in security infrastructure, and regulatory frameworks to protect personal data from unauthorized access.

7. Marriott International (2018)

The Marriott International data breach in 2018 was big news, affecting approximately 500 million guests. The breach originated in the systems of the Starwood Hotels group, which Marriott had acquired in 2016. The attackers had unauthorized access to the Starwood guest reservation database since 2014, but the breach wasn’t detected until September 2018 after Marriott received alerts from an internal security tool. The compromised information included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, and arrival and departure information. For many guests, encrypted payment card data was also compromised, with encryption keys being stolen.

Response

In response to the breach, Marriott not only addressed the immediate data exposure but also reviewed and strengthened their password and authentication systems to prevent these types of incidents in the future. However, Marriott also faced legal and regulatory repercussions, including a substantial fine under the GDPR in the UK due to the involvement of EU citizens’ data.

8. LinkedIn (2012 and 2021)

LinkedIn suffered two significant data security incidents, one in 2012 and another in 2021. In 2012, hackers compromised LinkedIn’s network, leading to the exposure of 167 million user accounts, which included usernames, email addresses, and hashed passwords. This breach became public knowledge in 2016 when stolen data surfaced on the dark web. The 2021 incident involved the exposure of data scraped from around 700 million user profiles, which was then sold online. This dataset included email addresses, full names, phone numbers, physical addresses, geolocation records, and other professional details. 

Response

The 2012 breach had a direct impact on password security as it demonstrated that hashed passwords that aren’t salted allow hackers to easily unscramble the passwords. This prompted LinkedIn to improve its hashing algorithms and introduce two-factor authentication (2FA) to bolster account security. The 2021 incident led to further scrutiny and calls for better protection against unauthorized data scraping, including reevaluating how user data is accessed and used by third-party apps and services.

9. Facebook (2019)

In 2019, a significant data breach exposed the personal details of approximately 540 million Facebook users stored on Amazon’s cloud computing service. This incident involved two third-party Facebook app developers, Cultura Colectiva, and an app called “At the Pool.” The exposed data included account names, IDs, comments, reactions, and unprotected passwords for about 22,000 users from the “At the Pool” app. The breach primarily stemmed from improperly secured databases that were publicly accessible without proper protections​. 

Response

Following the breach, there was a notable push within the tech community for stricter controls and monitoring of third-party developers to prevent similar incidents. Facebook increased its scrutiny and auditing of apps on its platform, attempting to tighten access to user data. The breach also accelerated discussions around the necessity of strong password management and the implementation of MFA to enhance security. These measures are aimed at minimizing the risk of unauthorized access, even when user data is inadvertently exposed by third-party partners.

Read more: How to recover a hacked Facebook account

10. Alibaba (2019)

In 2019, one of the largest data breaches in history occurred involving Alibaba Cloud, where data from a Shanghai police database containing information on one billion Chinese citizens was left unsecured and publicly accessible for more than a year. This massive trove of 23TB of data included sensitive personal information such as names, birthdates, addresses, and national identification numbers. The breach was exposed when an anonymous user advertised selling this data for 10 bitcoin on a hacker forum​. 

The exposure of such a huge amount of sensitive data not only placed individuals’ privacy at risk but also highlighted significant vulnerabilities in data security practices at Alibaba Cloud. This incident brought immense scrutiny from the Chinese government and the public, emphasizing the critical need for stringent security measures, especially when handling sensitive information on such a large scale. The breach had potential repercussions for the privacy of over 70% of the Chinese population, considering the scale of data involved​. 

Response

In light of the breach, Alibaba Cloud was compelled to reassess and fortify its password and authentication systems, among many other things. The incident also influenced stronger industry-wide practices around password security, urging other cloud platforms to strengthen their safeguards against similar vulnerabilities. 

The evolution of digital passwords 

While data breaches have undeniably served as a catalyst for reshaping password management practices, the evolution of these policies isn’t solely driven by reactionary measures to cyber incidents. Technological advancements and ongoing research also play important roles, pushing the boundaries of what’s possible in cybersecurity. Institutions like the National Institute of Standards and Technology (NIST) sit at the forefront of this movement, continuously adapting guidelines to stay one step ahead of emerging threats.

Back in the early days of digital authentication, crafting a password was simple—a straightforward word or a basic string of numbers often did the trick. But as the internet took off, so did cyber threats, necessitating a seismic shift in how we think about securing our digital doors. Initially, institutions like NIST championed complex passwords packed with a mix of numbers, symbols, and both uppercase and lowercase letters. This complexity was meant to thwart brute-force attacks, where attackers try every possible combination, and dictionary attacks, which deploy common words and phrases to breach accounts.

However, the focus solely on complexity began to shift as research showed that length and unpredictability could offer better security. NIST’s 2017 guidelines marked a significant transformation in password security philosophy, advocating for longer passphrases that are easier for users to remember yet hard for attackers to guess. These guidelines moved away from mandatory complex character combinations, highlighting instead the importance of password length and the avoidance of predictable patterns.

The risk of password breaches, whether through social engineering or the use of weak passwords, has driven changes in authentication practices. No longer is a lone password for authentication considered secure. Multi-factor authentication, often in the form of one-time passwords, biometrics, authenticator app, or hardware key, are now seen as indispensable, especially in a work setting. 

Best practices for password management

Nowadays, managing a slew of passwords has become a common headache for many of us. This often leads to “password fatigue,” where the effort to remember several complex passwords results in unsafe practices like reusing the same password across multiple sites. This scenario is far from ideal as it presents a significant security risk—one compromised password can potentially give attackers access to numerous accounts.

Read more: How much time do you waste resetting your passwords?

To combat these issues, there’s been significant progress in password management technology. Password managers now play a role in helping to keep track of our passwords by storing them in encrypted formats. One primary password gets you access to all your passwords. Not only do you no longer have to remember every password but this system also enables you to create complex, long, nonsensical passwords that would take hundreds of years to crack. 

Furthermore, technologies like 2FA and MFA are becoming standard, adding an extra layer of security that goes beyond the traditional password. There are also proactive steps that individuals and organizations can take right now to safeguard their digital lives:

The future of passwordless authentication

While society has made major improvements in managing passwords, the traditional password system is on its way out because it simply can’t keep up with today’s security threats. Passwords are a hassle to manage, easy to forget, and all too often, they’re the weak link that hackers exploit. That’s why big tech companies like Apple, Google, and Microsoft are pushing for a shift to something better: passkeys.

Passkeys cut out the need for the passwords we struggle to remember and instead use a pair of cryptographic keys. The public key lives on the server and the private key stays with you, locked in your device, often secured further with something like your fingerprint, face ID, or a PIN. 

Passwordless authentication is not susceptible to the main risks associated with setting passwords. For someone to log in as you, they would need to have your physical device. Even then, without your biometrics (or PIN) they wouldn’t be able to gain access. And using passkeys means data breaches won’t compromise your login: If someone hacks into a company server, for instance, they wouldn’t be able to discover your password—because it doesn’t exist.

However, while passkeys offer significant advantages, widespread adoption hasn’t kicked off yet. Many users and organizations need time to understand how they work and integrate them into their systems, which involves both financial and logistical considerations. Plus, many still prefer the familiarity of traditional passwords, despite their shortcomings.

For now, while we’re in this transition phase, keeping your current passwords randomly generated and secure is key. The simplest way to do that? You guessed it: with a password manager.

The post How data breaches shaped the way we use passwords today appeared first on ExpressVPN Blog.

We’ve all been there: You’re about to meet up with someone but your phone is dying. So you just have to go old school and estimate when you’ll arrive and trust that you’ll find them without a problem. Or you turn off your phone for a while to conserve power.

The anxiety of watching your battery drain is a feeling you could do without. Here are some tips that could stop the power hemorrhaging when you’re in the red, reduce gradual battery drain over the day, and generally improve the state of your battery for greater endurance.

Jump to…
Settings to use less battery on your phone
How to keep your battery healthy
Phone always dying? Tips for old batteries

Settings to use less battery on your phone

You might be expending more power than you realized from features on your phone that you aren’t even using. Here are a few of the big ones to turn off—or enable.

Use low-energy mode

If your phone’s power is in dire straits and you need it to hold out for longer, the most comprehensive, easiest thing to do is switch to low-energy mode. With this setting, various functionality will be lowered or turned off to save power. Your phone might stop constantly checking for new messages, slow down performance, disable voice assistance, and adjust various other settings. It’s a convenient setting that does a lot with one toggle.

On iPhone:
Go to Settings > Battery, and toggle on Low Power Mode

On Android:
Go to Settings > Battery, and toggle on Battery Saver Mode

Use Airplane mode

Airplane mode shuts down all communication-related activity on your phone, including Wi-Fi, Bluetooth, and mobile data. This is a quick alternative to powering down your phone entirely if your battery is draining fast. The battery consumption will slow down to almost nothing, if you don’t use it for any other tasks.

On iPhone:
Go to Control Center and tap the airplane symbol

On Android:
Go to Settings > Network & internet > Airplane mode, and toggle on Airplane mode

Use Wi-Fi rather than mobile data

In general, Wi-Fi uses less power than mobile data. That’s because on data connections, your phone is constantly searching for the strongest signal and switching between cellular towers. Mobile data is also transmitted farther than Wi-Fi. So turn off data whenever you are within range of a Wi-Fi connection you trust to conserve power.

On iPhone:
Go to Control Center and ensure Wi-Fi is turned on (optionally, turn off mobile data to ensure it is not used)

On Android:
Go to Settings > Network & internet > Wi-Fi, and toggle on Wi-Fi

Let your screen lock sooner

Sure, having your screen go dark every 30 seconds can be annoying if you’re trying to follow a cooking recipe online. But if you consistently find that your phone’s battery is draining too quickly, shortening the time it takes your screen to lock when there’s no activity can be part of the solution.

On iPhone:
Go to Settings > Display & Brightness > Auto-Lock, and choose a duration of inactivity before your screen locks

On Android:
Go to Settings > Display > Screen Timeout, and choose the time for your screen to remain on

Limit push notifications

Every time you get a notification on your phone, the screen lights up, using a bit of power. This is why reducing the number of notifications you get can save battery. That said, there is also the benefit of simplifying and reclaiming peace in your digital life—because do you really need to know that someone has “liked” your Instagram post or the latest news item in your area?

On iPhone:
Go to Settings > Notifications, then select each app and toggle off Allow Notifications

On Android:
Go to Settings > Notifications > App settings, then go through each app and toggle off notifications 

Turn the brightness down

Your screen is a major source of battery use on your phone, requiring continuous illumination to display content. Higher brightness settings require more power, as they demand more energy to illuminate the screen. Keeping your screen brightness at a lower level can help conserve battery power.

On iPhone:
Go to Control Center and drag along the brightness level bar to the desired brightness. 

On Android:
Go to Quick Settings and drag along the brightness level bar to the desired brightness.

Turn on auto-brightness

Auto-brightness, also called adaptive brightness, adjusts the screen brightness based on ambient light conditions, ensuring that the display remains easy to read in various environments. By dynamically adjusting screen brightness according to ambient light, auto brightness helps conserve battery power, using only as much brightness as is needed for comfortable usage.

On iPhone:
Go to Settings > Accessibility > Display & Text Size, then toggle on Auto-Brightness

On Android:
Go to Settings > Display, and toggle on Adaptive brightness

Use dark themes

Yes, we’re still talking about screen brightness. Dark themes use dark backgrounds with light text and elements, which can reduce the overall brightness of the screen. Using dark themes can save some power, while being more pleasant to look at, especially in the middle of the night. 

On iPhone:
Go to Settings > Display & Brightness, and select Dark to turn on Dark Mode

On Android:
Go to Settings > Accessibility, and toggle on Dark theme.

Turn off some sounds and vibrations

A lot of people find unnecessary clicks and vibrations on their phones intrusive and turn them off. Doing so also has the benefit of saving energy. Common ones to turn off are keyboard clicks and the lock sound and short vibrations (haptic feedback) during those actions.

On iPhone:
Go to Settings > Sounds and Haptics, and toggle off Keyboard Clicks, Lock Sound, and System Haptics

On Android:
Go to Settings > Keyboard & input method, and select a keyboard to adjust. You’ll be able to change the sound profile and toggle off haptic feedback on keypress.

Identify apps that drain your battery

It’s possible to see which apps are using the largest portions of your battery. In most cases, you’ll be shown the apps you use most. But if there are any apps that seem to be contributing to excessive power drain beyond normal usage, it might be a sign to stop using or removing them. VPN apps you’ve downloaded can be a big source of battery consumption, so if you need to save battery, turning off your VPN for a while would likely help.

On iPhone:
Go to Settings > Battery, and at the bottom it will show you the battery usage by app

On Android:
Go to Settings > Battery and device care > Battery > View details, and you’ll be shown battery usage by app since the last full charge

Turn off location services

Location services are convenient for weather apps, map apps, and the like, but can consume a lot of battery. Location services rely on GPS, which requires continuous communication with satellites. Moreover, many apps and services use location data in the background. If you choose to use location services in high-accuracy mode (which pinpoints your location more precisely), that’s another factor increasing battery use.

On iPhone:
Go to Settings > Privacy & Security > Location Services. From there, you can control which apps use location services, if at all.

On Android:
Go to Settings > Connections (or Privacy) > Location, and toggle off Location services.

Quit all apps you aren’t using

While it’s generally not necessary to quit apps running in the background (and indeed keeping them open can be helpful), there is a case for quitting them to reduce battery consumption. Other reasons include freeing up RAM to improve your device’s performance and possibly strengthening your privacy.

On iPhone:
Swipe up from the bottom of the screen and pause in the middle of the screen, then swipe side to side to see the apps that are open. To quit an app, swipe up on the app’s preview.

On Android:
Go to Quick Settings > # active apps, and close each active app by tapping Stop.

Don’t let background apps refresh

Background App Refresh is a feature on smartphones that allows apps to update their content in the background periodically, even when you’re not actively using them. This is why when you open social media, email, news, or weather apps, you might see that the latest information is immediately visible. Turning off background app refresh might mean that you have to wait a moment or two longer for an app to fetch information, and it might mean you don’t get notified of updates.

On iPhone:
Go to Settings > General > Background App Refresh. From the list of apps shown, use the toggle to turn Background App Refresh on or off for each app.

On Android:
Go to Settings > Apps & Notifications > See All Apps. Select an app, then select Mobile Data & Wi-Fi and toggle off Background Data.

How to keep your battery healthy

Phone batteries degrade over time and usually last two to five years, depending on use. Apart from simply using less battery by performing the tips above, there are a few ways to treat your batteries better so a charge will continue to last long.

• Avoid hot environments. Try not to leave your phone in the sun or in the car on a hot day, etc. 
• Don’t leave it uncharged for long periods. If you aren’t using your device for a while, it’s still important to keep it charged. A battery left uncharged (or low charged) for a few months could stop taking a charge altogether. A battery will slowly “discharge” over time, so you’ll need to charge it periodically, even if not in use.
• Do not leave it charging fully. Leaving a phone plugged in after it reaches 100% charge can lead to trickle charging, which can cause a slight increase in temperature and contribute to long-term wear on the battery.
• Use the official charger. Phone chargers provided by the manufacturer are engineered to deliver the correct voltage and current levels required to charge your phone safely and efficiently. Using a non-official charger, especially one with different specifications, can lead to greater wear and tear on your battery.

Phone always dying? Tips for old batteries

If you find that you’re frequently in need of a charge while you’re away from home, that could mean your battery is getting old and worn, or you simply use more power than most people. Here are a few practical tips to reduce some of that anxiety from a draining battery.

• Get your battery checked. Take your phone in for a check up. Repair and service centers have tools to check the health of your battery, so you’ll know within minutes if it’s the battery or something else.
• Get a new battery! They cost about 50-100 USD. If you’re using an older device, getting a new battery can significantly improve your experience and extend how long you can use the same device, making it worth the cost.
• Carry a power bank. A power bank will relieve a lot of worry. They can be quite compact and inexpensive.
• Carry a charger. There are power outlets in cafes and lots of other public places.

The post How to make your phone battery last longer appeared first on ExpressVPN Blog.