Privacy Glossary
Plain-language definitions for the terms that come up most often in privacy and security. No jargon, no filler.
25 terms
B
Browser Fingerprinting
A tracking technique that identifies you by collecting details about your browser and device — like your screen size, installed fonts, and graphics settings — and combining them into a unique "fingerprint." Unlike cookies, you cannot delete a fingerprint, and it follows you across websites even in private browsing mode.
D
Data Broker
A company that collects personal information from public records, social media, loyalty programs, and other sources, then packages and sells that data to advertisers, employers, insurers, or anyone willing to pay. Most people have profiles at dozens of data brokers without knowing it.
Data Minimization
A privacy principle that says services should only collect the personal data they actually need to function, and nothing more. A flashlight app that asks for your contacts is violating data minimization; a navigation app that asks for your location is not.
DNS (Domain Name System)
The internet's address book. When you type a website address, your device asks a DNS server to look up the numeric IP address behind it. By default, these lookups are unencrypted and visible to your ISP, revealing every domain you visit even if the content of those visits is encrypted.
DNS Leak
When your device sends DNS lookups outside an encrypted tunnel — such as a VPN — exposing the websites you visit to your ISP or other observers. A DNS leak can occur even when everything else about your VPN connection is working correctly.
Do Not Track
A browser setting that sends a signal to websites asking them not to track your activity. In practice, it is almost entirely ineffective because websites are not legally required to honor it, and the vast majority simply ignore the request.
E
End-to-End Encryption (E2EE)
A method of encrypting messages or files so that only the sender and recipient can read them. The service provider in the middle — whether an email company, messaging app, or cloud storage provider — cannot read your data even if they wanted to, or were ordered to by a court.
F
Five Eyes / Nine Eyes / Fourteen Eyes
Intelligence-sharing alliances between groups of countries. Five Eyes includes the US, UK, Canada, Australia, and New Zealand. Nine Eyes adds Denmark, France, the Netherlands, and Norway. Fourteen Eyes expands further to include Germany, Belgium, Italy, Spain, and Sweden. VPN providers based in these countries may be compelled to hand over user data and share it with partner governments.
H
HTTPS
The secure version of HTTP, the protocol used to transfer web pages. When a site uses HTTPS, the connection between your browser and the web server is encrypted, preventing anyone in the middle from reading or altering the data. Look for a padlock icon in your browser's address bar.
I
IP Address
A unique number assigned to your internet connection that identifies your device on the internet. Your IP address can reveal your approximate location and is logged by nearly every website you visit. It is one of the primary ways you are identified and tracked online.
ISP (Internet Service Provider)
The company that provides your internet connection at home or on mobile — for example, Comcast, AT&T, or Verizon. Your ISP can see every unencrypted DNS request and website connection you make, and in many countries is legally allowed to log and sell that browsing data.
M
Metadata
Data about your data. When you send an email, metadata includes who you emailed, when, how often, and from where — even if the content of the email is encrypted. Intelligence agencies and advertisers often consider metadata more valuable than content because it reveals patterns of behavior at scale.
O
Open Source
Software whose source code is publicly available for anyone to read, audit, and verify. For privacy and security tools, open source is important because independent researchers can confirm that the software does what it claims and contains no hidden tracking or backdoors.
P
Password Manager
An application that stores and generates strong, unique passwords for all your accounts, protected behind one master password. Using a password manager is one of the highest-impact steps you can take for your security, since it eliminates the need to reuse passwords across sites.
Phishing
A type of attack where someone impersonates a trusted entity — a bank, employer, or service — to trick you into handing over credentials or clicking a malicious link. Phishing most commonly happens via email, but also occurs through SMS ("smishing") and voice calls ("vishing").
PII (Personally Identifiable Information)
Any information that can be used on its own or with other data to identify a specific person. This includes obvious identifiers like your name and Social Security number, but also less obvious ones like your IP address, device ID, or a combination of age, ZIP code, and gender.
Privacy Policy
A legal document that explains what data a company collects, how it uses that data, and who it shares it with. Privacy policies are often long and written in opaque legal language — a company with genuinely strong privacy practices will typically have a short, plain-language policy.
S
Social Engineering
Manipulating people rather than systems to gain access to information or accounts. Attackers exploit trust, urgency, fear, or authority — for example, impersonating IT support to get an employee to reveal their password. Most major data breaches involve a social engineering component.
SSL/TLS Certificate
A digital certificate that authenticates a website's identity and enables an encrypted HTTPS connection. When your browser connects to a site, it verifies the certificate to confirm you are talking to the real site and not an impersonator. The padlock icon in your browser means a valid certificate is present; it does not mean the site itself is honest, since phishing sites can obtain valid certificates too.
T
Two-Factor Authentication (2FA)
A login method that requires two forms of proof: something you know (your password) and something you have (a one-time code from an app or SMS). Even if an attacker steals your password, they cannot log in without the second factor. App-based 2FA is significantly more secure than SMS-based 2FA.
V
VPN (Virtual Private Network)
A service that encrypts your internet traffic and routes it through a server in another location, hiding your real IP address and preventing your ISP from seeing which sites you visit. A VPN shifts trust from your ISP to the VPN provider — you are not anonymous, you have just moved who can see your traffic.
W
Warrant Canary
A public statement, usually updated regularly, where a company confirms it has not received any secret government orders or gag orders compelling it to hand over user data. If the canary statement disappears or is not updated, it signals that the company may have received such an order without being able to say so directly.
WebRTC Leak
WebRTC is a browser technology used for video calls and peer-to-peer connections. To set up those connections it gathers the network addresses your device can be reached at and can hand them to the website, which may reveal your real IP address even when you are using a VPN. Firefox lets you disable WebRTC entirely through a built-in setting, while other browsers require an extension.
Z
Zero-Knowledge Architecture
A system design where the service provider mathematically cannot access your data, even if they try. Your data is encrypted on your device before it is sent, using a key only you hold. This is different from a company that promises not to look at your data but technically could.