Online privacy is not a one-day project. It is a series of small decisions that add up. The checklist below takes about thirty minutes to complete and protects you against roughly 90% of the threats a normal person faces. None of it requires technical skill.

Email (5 minutes)

  • Enable two-factor authentication on your primary email. Use the Google Authenticator or Authy app, not SMS — SIM-swap attacks against Pakistani numbers are real.
  • Set up account recovery: a secondary email AND a phone number. Without both, losing access to one is permanent lockout.
  • Audit "logged-in devices" at myaccount.google.com/security. Sign out of anything you do not recognise.

Browser (5 minutes)

  • Install uBlock Origin for ad and tracker blocking.
  • Enable HTTPS-only mode (Chrome: Settings → Privacy → Security → Always use secure connections).
  • Turn off third-party cookies.
  • Turn on Do Not Track. It is not enforced everywhere, but it costs nothing.

Passwords (5 minutes)

  • Install a password manager (Bitwarden free, 1Password paid).
  • Change the password on your three most critical accounts (email, primary bank, primary social) to long, randomly generated passwords stored in the manager.
  • Check haveibeenpwned.com for your email — if it appears in any breach, change the password on those specific services immediately.

Phone (5 minutes)

  • Enable biometric unlock (Face ID / fingerprint) plus a 6-digit PIN. Four-digit PINs are crackable in minutes.
  • Turn on device encryption (on by default on iPhone; may need to be enabled on older Android phones).
  • Enable "Find My" / "Find My Device" with remote wipe capability.
  • Review app permissions: Settings → Privacy → Location/Camera/Microphone. Revoke anything that does not need the access.

Social media (5 minutes)

  • Set Instagram and Facebook to private if you do not run a public page.
  • Remove your phone number from public-facing fields.
  • Turn off "suggest my account to others" (Instagram → Settings → Account suggestions → off).
  • On WhatsApp, restrict profile photo, last seen, and status to "My Contacts" (not everyone).

What to never post (lifetime habit)

The technical settings only protect you against opportunistic attackers. Behavioural privacy matters more. The list below is short but important:

  • Never post your boarding pass. The barcode contains your full name, frequent flyer number, and booking reference, which is enough for someone to cancel your return flight from a hotel Wi-Fi connection.
  • Never post your home address, even partially. "Look at our new house at [neighbourhood]" + Google Earth = exact coordinates.
  • Never post real-time travel photos from an empty house. Post them after you return.
  • Never post CNIC, passport, or driving licence photos, even partially redacted. The redaction is often reversible.
  • Never confirm your mother's maiden name, first school, or first car in fun "viral quizzes." Those are security questions.

Banking specific (5 minutes)

  • Enable transaction notifications for every debit/credit. Catch fraud within minutes, not at end-of-month.
  • Set per-transaction limits on your debit card via the bank app, especially for online use.
  • Use a separate "online" debit card with a low balance for daily online spending; keep your salary account isolated.
  • Bookmark your bank's official site. Open it only from the bookmark, never via a search result or an email link.

Annual review

Once a year, repeat the checklist. It takes thirty minutes. Privacy is not a destination; it is a maintenance habit.