The privacy industry wants you to think this is complicated. It isn’t. Most of the surveillance you’re exposed to daily can be neutralized for less than you spend on a streaming service.
Here’s the stack. Exact tools, exact costs, no filler.
DNS: NextDNS — $2/month
Every website you visit starts with a DNS query — your device asking a resolver “what’s the IP for google.com?” By default that resolver is your ISP, and your ISP sells that data. NextDNS routes those queries over encrypted DNS-over-HTTPS or DNS-over-TLS, blocks trackers and ad networks at the DNS level before they ever load, and logs nothing you don’t explicitly tell it to. Install it on your router and every device on your network is covered. One config, everywhere.
Alternatives: Quad9 (free, no logging, blocks malware domains), Cloudflare 1.1.1.1 (fast but you’re trusting a US company).
VPN: Mullvad — $5/month
Not all VPNs are created equal. Most are data harvesting operations dressed up in privacy marketing. Mullvad is different in ways that actually matter: no account required (you get a random number), accepts cash and Monero, independently audited, based in Sweden outside Five Eyes jurisdiction, and has a proven no-logs policy — when Swedish police raided their servers in 2023 they found nothing because there was nothing to find.
A VPN doesn’t make you anonymous. It moves trust from your ISP to the VPN provider. With Mullvad, that’s a reasonable trade. With ExpressVPN or NordVPN, it isn’t.
What it covers: hides your traffic from your ISP, masks your IP from websites, protects you on public WiFi.
What it doesn’t cover: browser fingerprinting, logged-in account activity, DNS leaks if configured wrong.
Email Aliasing: SimpleLogin — free tier covers most people
Your real email address is a tracking vector. Every service you hand it to can sell it, breach it, or spam it. SimpleLogin lets you generate unique aliases per service — so when Company X gets breached, you know exactly who leaked it, you burn that alias, and your real address stays clean.
The free tier gives you 15 aliases. The paid tier ($4/month bundled with Proton) is unlimited. Pair it with Proton Mail for an inbox that doesn’t read your email to sell ads.
Phone Numbers: MySudo — $1/month
Some services demand a phone number. Give them one that doesn’t exist in your real identity. MySudo issues you real VOIP numbers with working SMS and calls. Use one number per category — shopping, accounts, dating apps, whatever — and burn it when it’s compromised.
This alone stops a significant chunk of the data broker pipeline. Most brokers link records by phone number. Break that link and their profile on you fragments.
Total: ~$8-10/month
What this covers:
- ISP can’t see your DNS queries or browsing traffic
- Tracker networks blocked before they load
- Your real email address never touches third-party services
- Phone number tied to your identity never leaves your control
- Every breach is traceable and contained
What it doesn’t cover:
- Browser fingerprinting (use Firefox with uBlock Origin)
- Logged-in Google/Meta activity
- Physical surveillance
- Nation-state adversaries
This isn’t the paranoid stack. This is the baseline. The floor, not the ceiling. If you’re doing nothing right now, this ten dollars a month moves you from fully exposed to reasonably hardened against the threats that actually affect ordinary people.
Start here. Add layers as your threat model demands.