Security April 28, 2026 10 min read

Privacy Online Isn't About Hiding: Why It Matters for Everyone

Privacy isn't a feature for people with something to hide. Here's what actually leaks when you load a webpage — and the layered tech that protects it.

[Figure: the layers of the privacy stack around you: HTTPS / TLS 1.3, Encrypted DNS (DoH), ECH, anti-tracking, aliases & relays, local-first tools. Caption: Privacy is a stack, not a switch.]

Would you read your bank balance aloud at a coffee shop? Recite your social security number to a stranger in line? Hand a doctor's note to the next person you interview with? Probably not — and not because any of it is shameful. Different audiences, different appropriate disclosures.

That's privacy. It isn't a feature for people with something to hide. It's the default for everyone, eroded one default-on toggle at a time.

The "I have nothing to hide" line gets repeated as if it settles the argument. It doesn't. Most of what we call private isn't shameful — it's just contextually inappropriate outside its intended audience. Your salary, your health conditions, the medications you take, the places you go on Saturday afternoons, the search history of someone considering leaving an abusive partner. None of these are secrets. All of them are private.


What "Nothing to Hide" Actually Misses

The argument confuses secrecy with privacy. Secrecy is hiding wrongdoing. Privacy is choosing your audience.

A few examples that aren't about hiding anything:

  • Your resident registration number in Korea, or your SSN in the US, isn't shameful. You still don't post it on Instagram.
  • Your bank balance isn't a secret. You still wouldn't paint it on your front door.
  • The fact that you searched for "how to leave a controlling partner" at 2am isn't wrongdoing. The wrong audience seeing it can get someone killed.
  • Looking up cancer symptoms isn't a confession. Health insurers and prospective employers seeing it changes your life.
  • Browsing job listings while still employed isn't dishonest. Your current boss seeing it ends a paycheck.

Privacy is the precondition for those decisions to be yours. Without it, every action is performed for the worst-case observer.

For a more thorough version of this argument, the "Nothing to Hide" essay by Robin Doherty is the cleanest writeup we've seen.

What Actually Leaks When You Load a Webpage

Think about a single web request. You type example.com. By the time the page renders, you've broadcast far more than the URL.

[Figure: the observers of a single page load: your browser, ISP / network, CDN / hosting, 3rd-party trackers, ad exchanges, fingerprint JS, data brokers (cross-site identity). Caption: One page load. Five+ different observers. One identity stitched together.]

For each request the browser makes, the following is observable to someone:

  • DNS query — your ISP's resolver sees every domain you ever visit, in plaintext, unless you've changed something.
  • SNI in the TLS handshake — the hostname is sent in the clear before the encrypted session starts. Anyone on your network can read it.
  • Your IP address — hands the destination server a rough geolocation and a stable identifier across requests.
  • HTTP headers — User-Agent, Accept-Language, Referer. Often enough to narrow you to a small group.
  • Cookies and embedded third parties — the page you visited may load 30+ scripts from ad networks, analytics, social embeds, each with its own cookie and access to the page.
  • Fingerprinting scripts — canvas rendering, audio context, font list, WebGL renderer, screen size, timezone, hardware concurrency. Stable enough to identify you across sessions even with cookies cleared.

A Princeton study measured tracking across the top 10,000 sites and found fingerprinting scripts on roughly 88% of them. Combining browser and device characteristics produces a unique identifier with around 99% accuracy, no cookies needed.

  • 88% of top 10,000 sites run fingerprinting scripts
  • ~99% identification accuracy combining browser + device fingerprints
  • 375M individuals affected by US data-breach filings in 2025
  • $21B estimated US identity-theft cost from data-broker breaches

The data doesn't sit still either. In January 2025 the FTC settled with Mobilewalla, a broker that had collected over 500 million consumer identifiers tied to precise location data — without anonymization. In the same month, hackers claimed to have stolen location-history data from Gravy Analytics, including coordinates that could re-identify military personnel and out gay people in countries where being gay is illegal. A separate October 2025 incident exposed roughly 2 billion email addresses pulled from broker databases.

That's the threat surface. Now the layers that actually do something about it.


Layer 1: HTTPS / TLS 1.3

HTTPS is the floor. TLS encrypts the body of the request and the response, so anyone passively observing your network — the coffee-shop Wi-Fi, your ISP, a national observer — can't read what page you fetched or what you typed into a form.

What HTTPS still leaks:

  • The destination IP address, because the network has to route the packet.
  • The SNI field of the TLS handshake, which says which hostname you're connecting to. Sent in the clear.
  • The DNS query that resolved the hostname to an IP, also in the clear by default.

So a network observer who only sees HTTPS already knows: which sites you visit, when, how long you stayed, and roughly how much data moved. Not the contents — but enough to build a profile.

The good news: TLS 1.3, which is now the default in every major browser, encrypts the server certificate itself. The remaining leaks are SNI and DNS, which the next two layers fix.

Layer 2: Encrypted DNS (DoH and DoT)

By default, your device asks the local resolver — usually your ISP — to translate example.com into an IP address. That request is plaintext UDP on port 53. Your ISP can log every domain you ever visit, sell aggregated browsing patterns to advertisers, or hand the logs over on subpoena.

DNS over HTTPS (DoH) wraps DNS queries inside an ordinary HTTPS connection to a resolver you choose. Major browsers — Chrome, Firefox, Edge, Safari — all support it. DNS over TLS (DoT) does the same thing but on a dedicated port; it's more common on routers and mobile OSes.
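The difference between the two transports, as an added example that is not part of the original article: the same DNS question is built once, read back the way a port-53 observer would read it, and then packed into the RFC 8484 GET form that travels inside HTTPS. The function names are hypothetical and the resolver URL is a placeholder, not a real service.

```javascript
// Added example: one DNS question as plaintext port-53 bytes and as a DoH URL.
const DOH_ENDPOINT = "https://dnsserver.example.net/dns-query"; // placeholder URL

// Encode a one-question DNS query in wire format (RFC 1035).
function encodeDnsQuery(hostname, qtype = 1 /* A record */) {
  const bytes = [
    0x00, 0x00,                         // ID 0, as RFC 8484 suggests for caching
    0x01, 0x00,                         // flags: recursion desired
    0x00, 0x01,                         // QDCOUNT = 1
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // ANCOUNT, NSCOUNT, ARCOUNT = 0
  ];
  for (const label of hostname.replace(/\.$/, "").split(".")) {
    const raw = new TextEncoder().encode(label);
    if (raw.length === 0 || raw.length > 63) throw new RangeError(`bad label "${label}"`);
    bytes.push(raw.length, ...raw);
  }
  bytes.push(0x00, qtype >> 8, qtype & 0xff, 0x00, 0x01); // root, QTYPE, QCLASS IN
  return Uint8Array.from(bytes);
}

// What any on-path observer recovers from an unencrypted port-53 payload.
function readQuestionName(packet) {
  const labels = [];
  let p = 12; // skip the fixed 12-byte header
  while (p < packet.length && packet[p] !== 0) {
    const len = packet[p];
    labels.push(new TextDecoder().decode(packet.subarray(p + 1, p + 1 + len)));
    p += 1 + len;
  }
  return labels.join(".");
}

// DoH GET form: the identical bytes, base64url-encoded, carried inside HTTPS.
function dohGetUrl(hostname, endpoint = DOH_ENDPOINT) {
  const b64 = btoa(String.fromCharCode(...encodeDnsQuery(hostname)));
  const b64url = b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${endpoint}?dns=${b64url}`;
}

const query = encodeDnsQuery("www.example.com");
console.log("port-53 observer reads:", readQuestionName(query));
console.log("DoH request (inside TLS):", dohGetUrl("www.example.com"));
```

With DoH the whole URL, query string included, is inside the TLS session, so the network sees only a connection to the resolver.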

Worth knowing: server-side support is now near-universal at the public-resolver level, but client-side rollout is uneven. Many users are still hitting their ISP's resolver because they never changed the default.

A few resolvers worth pointing at:

  • Cloudflare 1.1.1.1 — fast, claims not to log queries, audited.
  • Quad9 (9.9.9.9) — Swiss-based, blocks known malware domains.
  • NextDNS — configurable, includes ad and tracker blocking at the resolver level.

To turn it on: in Firefox, Settings → Privacy & Security → "Enable DNS over HTTPS using" → pick a provider. In Chrome, Settings → Privacy and security → Security → "Use secure DNS." Both take less than a minute.

Layer 3: ECH (Encrypted Client Hello)

Even with HTTPS and DoH, one leak survives: the SNI field of the TLS handshake. The browser still has to tell the server which hostname it wants a certificate for, and that field travels in the clear.

Encrypted Client Hello closes that gap. The server publishes a public key in a DNS HTTPS record. The browser fetches it (over DoH) and uses it to encrypt the entire ClientHello, SNI included. To a network observer, every TLS handshake to a CDN now looks identical.

Status as of 2026:

  • Firefox 119+ — ECH on by default since October 2023.
  • Chrome — supported since October 2023, rolling out gradually.
  • Cloudflare — ECH enabled by default for every customer since late 2023, which means a large fraction of the public web already supports the server side.
  • Safari — still in development.

ECH is the missing piece that makes the encrypted-transport story complete. It also requires DoH; the public key lives in DNS, so DNS encryption isn't optional once you want SNI hidden.
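The SNI leak described under Layer 1 and Layer 3, as an added example that is not part of the original article: it builds a minimal ClientHello from constructed bytes and then walks its cleartext fields the way a passive observer or a filtering middlebox would. The function names are hypothetical.

```javascript
// Added example: what a passive observer reads from a ClientHello without ECH.
const u16 = (n) => [n >> 8, n & 0xff];

// Build a minimal ClientHello record (constructed sample bytes, not a capture).
function buildClientHello(hostname) {
  const name = [...new TextEncoder().encode(hostname)];
  const sni = [...u16(name.length + 3), 0x00, ...u16(name.length), ...name];
  const exts = [0x00, 0x00, ...u16(sni.length), ...sni]; // extension 0 = server_name
  const body = [
    0x03, 0x03,                  // legacy_version
    ...new Array(32).fill(0xab), // random (fixed filler for the sample)
    0x00,                        // empty legacy_session_id
    ...u16(2), 0x13, 0x01,       // one cipher suite: TLS_AES_128_GCM_SHA256
    0x01, 0x00,                  // one compression method: null
    ...u16(exts.length), ...exts,
  ];
  const handshake = [0x01, 0x00, ...u16(body.length), ...body]; // type 1, 24-bit length
  return Uint8Array.from([0x16, 0x03, 0x01, ...u16(handshake.length), ...handshake]);
}

// Walk the cleartext fields to server_name; null if absent or malformed.
function extractSni(record) {
  try {
    if (record[0] !== 0x16 || record[5] !== 0x01) return null; // not a ClientHello
    const v = new DataView(record.buffer, record.byteOffset, record.byteLength);
    let p = 5 + 4 + 2 + 32;       // record header, handshake header, version, random
    p += 1 + v.getUint8(p);       // session id
    p += 2 + v.getUint16(p);      // cipher suites
    p += 1 + v.getUint8(p);       // compression methods
    const end = p + 2 + v.getUint16(p);
    for (p += 2; p + 4 <= end; p += 4 + v.getUint16(p + 2)) {
      if (v.getUint16(p) !== 0) continue;  // skip other extensions
      const len = v.getUint16(p + 7);      // host_name length
      return new TextDecoder().decode(record.subarray(p + 9, p + 9 + len));
    }
    return null;
  } catch {
    return null; // truncated input: DataView reads past the end throw RangeError
  }
}

console.log("visible on the wire:", extractSni(buildClientHello("example.com")));
```

No key is needed for any of this, which is why the field is readable by anyone on the path. With ECH, the same walk over the outer ClientHello yields only the provider's shared public name.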

Layer 4: Cookies, Fingerprinting, and Supercookies

Transport encryption stops the network from spying. It does nothing about the destination site, or the dozens of third parties it embeds, building a profile on you.

Third-party cookies were the original mechanism. Apple's Safari and Mozilla's Firefox have blocked them by default for years. Google announced multi-stage Chrome deprecation, then in April 2025 reversed course and decided to keep them indefinitely. So the cookie problem hasn't gone away — it's just been ratified.

More importantly, the ad-tech industry has moved on. Browser fingerprinting is now the dominant cross-site identity layer. A fingerprint script asks the browser dozens of small questions:

  • Render this 2D canvas — exact pixel output varies by GPU, driver, font hinting.
  • Play this short audio buffer — slight differences in DSP reveal the device.
  • List your installed fonts, your timezone, your screen resolution, your battery level.
  • Report navigator.hardwareConcurrency, available RAM, WebGL renderer string.

Each answer alone is uninteresting. The combination is unique, and stable across cookie clears, incognito mode, even some VPNs.
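Why the combination identifies when no single answer does, as an added example that is not part of the original article: it measures the anonymity set (how many visitors look the same as you) as signals are added one at a time. The population is constructed for illustration and the function names are hypothetical.

```javascript
// Added example: individually common signals combining into a unique fingerprint.
// Constructed population: 8 visitors; each signal alone is shared by half of them.
const visitors = [];
for (const timezone of ["America/New_York", "Asia/Seoul"])
  for (const screen of ["1920x1080", "2560x1440"])
    for (const hardwareConcurrency of [8, 16])
      visitors.push({ timezone, screen, hardwareConcurrency });

// Number of visitors indistinguishable from `target` on the given signals.
function anonymitySet(population, target, signals) {
  return population.filter((v) => signals.every((s) => v[s] === target[s])).length;
}

// Identifying information in bits: log2(population / anonymity set).
function identifyingBits(population, target, signals) {
  return Math.log2(population.length / anonymitySet(population, target, signals));
}

// Add signals one at a time and record how fast the crowd shrinks.
function narrowing(population, target, signals) {
  return signals.map((_, i) => {
    const used = signals.slice(0, i + 1);
    return {
      signals: used.join("+"),
      setSize: anonymitySet(population, target, used),
      bits: identifyingBits(population, target, used),
    };
  });
}

const me = visitors[5];
console.table(narrowing(visitors, me, ["timezone", "screen", "hardwareConcurrency"]));
```

Each signal here is worth one bit on its own, yet three of them leave a crowd of one. About 33 bits are enough to single out one person among 8 billion.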

Supercookies are the older sibling: HSTS pin abuse, ETag header tracking, cache-based identifiers, browser storage that survives "clear cookies." Browsers have fixed most of these, but the category keeps regenerating.

You can test your own browser against any of these:

  • browserleaks.com — the most comprehensive battery of leaks: WebRTC, canvas, audio, fonts, timezone.
  • amiunique.org — shows how unique your fingerprint is against their dataset.
  • EFF's Cover Your Tracks — same idea, plus a tracker-blocking effectiveness test.

Run one of them once. The result tends to motivate the rest of this list.

Layer 5: Defenses That Actually Work

A practical stack, sorted by effort-to-impact:

  1. Install uBlock Origin. A single browser extension that blocks ad and tracker network requests at the source. The single highest-leverage move on this list. The blocklists used (EasyList, EasyPrivacy) are maintained by volunteers and updated continuously.
  2. Use a privacy-respecting browser. Firefox with strict tracking protection, or Brave, or a hardened Chromium build. Edge and stock Chrome are not in this category.
  3. Turn on HTTPS-only mode and DoH. Both are toggles in modern browsers. Five seconds each.
  4. Disable third-party cookies. In Chrome, Settings → Privacy and security → Cookies → "Block third-party cookies." In Firefox, it's already on under Strict mode.
  5. Use email aliases for new signups. Services like addy.io, SimpleLogin, or Apple's Hide My Email give you a unique forwarding address per site. When that address starts getting spam, you know exactly who leaked or sold your data, and you delete the alias.
  6. Be skeptical of VPNs. A VPN moves trust from your ISP to the VPN provider. It does not add privacy by itself. If you don't have a specific reason to trust the provider more than your ISP, you're shuffling, not improving.
  7. Resist fingerprinting only if it matters to you. Tor Browser is the best at this; Brave randomizes some signals; Firefox's resistFingerprinting flag breaks some sites. Real tradeoffs — pick based on threat model.

Layer 6: The Underrated Defense — Don't Send the Data at All

The most private network request is the one you never make.

A surprising amount of what people do online doesn't need to be online. Calculators, unit converters, JSON formatters, image compressors, color pickers, password generators, QR generators — modern browsers can run all of these locally, without sending your input to a server. The whole computation happens in JavaScript on your machine; no upload, no log, no third party.

Compare that to "free online tool" sites that require uploading your file or pasting your text into their server. That data has now left your machine. Whatever the privacy policy says, the bytes are out of your control.

The team built Toolery's tools to run client-side for exactly this reason — but the principle is the point, not the site. Whenever you can use a tool that doesn't touch a network, do.


A 30-Minute Privacy Checkup

If you only do one thing this week, do this list. None of it requires technical expertise; all of it compounds.

  1. Enable DoH in your browser (Settings → Privacy → Secure DNS).
  2. Install uBlock Origin. Default settings are fine.
  3. Test yourself on browserleaks.com or coveryourtracks.eff.org. See where you actually leak.
  4. Set up email aliases on addy.io or SimpleLogin. Use them for every new signup from now on.
  5. Audit one data broker. Search your name on Spokeo, BeenVerified, or Whitepages. Submit the opt-out form. Repeat for 2–3 more if you have time.
  6. Check your ISP's default DNS — most are still unencrypted. Switch the device or router to 1.1.1.1, 9.9.9.9, or NextDNS.
  7. Turn on automatic updates for your browser and OS. Most fingerprinting and tracking defenses ship in browser updates.

That's a Saturday afternoon. The result outlasts everything you'll buy this year.


Privacy Is a Default We Never Had

The original web didn't ship with privacy. It shipped with HTTP — readable by anyone in the path. Encryption arrived in pieces: SSL, then TLS, then HTTPS Everywhere, then DoH, then ECH. Each piece was a default that didn't exist before someone fought for it.

The same is true of cookie restrictions, third-party blocking, fingerprint resistance. None of these defaults appeared because the industry decided they should. They appeared because users, browser engineers, and a handful of stubborn organizations made noise.

"Nothing to hide" assumes privacy is about you. It isn't. It's about the structure of a society where every person — including the ones who do have something to hide, like dissidents, journalists, abuse survivors, whistleblowers — can act without permission from the worst-case observer.

That structure isn't given. It's defaulted. And the defaults are still being decided.
